Minimal Firewall Settings for the GoTo App
Below are the necessary firewall and proxy configuration options that are required to start a session and use audio, video and screen sharing successfully on our GoTo app (desktop and browser versions).
There are more advanced and custom settings that can be applied depending on your product, but again, this article covers the minimum settings needed for you to successfully run the GoTo app. If you are using our legacy app, see the mimimum settings needed here. If you are interested in more advanced custom settings, see our overall allowlist and firewall settings here (which can then be filtered by a specific product as desired).
Version 2.3
Domains
| # | Domain | Use | Protocol | Points to IP addresses in |
|---|---|---|---|---|
| 1 | *.goto.com | Main domain | TCP | — |
| 2 | *.goto-rtc.com | Audio and video servers - uses WebSocket for some connections | UDP/TCP | GoTo/AWS/OCI |
| 3 | *.jive.com | General connections used by GoToConnect | UDP/TCP | — |
| 4 | *.getgo.com | Various services | TCP | AWS/OCI |
| 5 | *.gotomeeting.com | Various services | TCP | GoTo/AWS/OCI |
| 6 | *.logmeininc.com | Authentication (critical) | — | AWS/OCI |
| 7 | *.expertcity.com | Audio and screen sharing servers | TCP | GoTo |
| # | Domain | Use | Protocol | Points to IP addresses in |
|---|---|---|---|---|
| 1 | *.gototraining.com | Central domain (required for GoTo Training only) | TCP | GoTo |
| 2 | *.firebase.app | Editor for creating polls, can be launched in-session | TCP | |
| 3 | apis.google.com | Google drive sharing | TCP | |
| 4 | *.youtube.com *.googlevideo.com | YouTube video sharing | TCP |
| # | Domain | Use | Protocol | Points to IP addresses in |
|---|---|---|---|---|
| 1 | *.gotowebinar.com | YouTube video sharing | TCP | GoTo/AWS/OCI |
| 2 | *.recordingassets.logmeininc.com *.lmiinc.test.expertcity.com | Video playbacks in webinar | TCP | — |
Port usage: Signaling vs. media connections
- Signaling connections —
- TCP port 443. Depending on the function, the protocol used is HTTPS/TLS/SSL/WS.
- Media transport connections (for VOIP, Camera, & Screensharing)—
- UDP port 45000-65535 or
- UDP port 3478 or
- TCP port 3478 or port 443
There are 4 general configuration scenarios for Goto traffic as outlined below in Configuration scenarios.
GoTo owned IP ranges for media traffic
- 68.64.0.0/19
- 173.199.0.0/18
- 78.108.124.0/23
- 202.173.24.0/21
- 23.239.224.0/19
Configuration scenarios
The following scenarios are provided by the GoTo Engineering team. Choose the option best suited for your needs (Each option is detailed below this list):
- Traffic in case of no restrictions — Recommended for best performance
- UDP over TURN — Recommended for best performance
- TCP 3478 / 443 over TURN
- TCP 443 over TURN — Most restricted in call quality due to things such as deep packet inspection
Traffic in case of no restrictions
In this configuration, common to a typical home user, UDP traffic to the port range 45000-65535 can be restricted to the above listed GoTo IP ranges. TCP traffic to port 443 is not restricted. The destination IP ranges for these TCP connections belong to the GoTo/AWS/OCI address space, so it is not useful to run restrictions based on the IP ranges. This setup will also deliver the shortest delays and best error correction in the case of packet loss compared to the scenarios below. However, it requires an unrestricted firewall setup that relies on stateful inspection to open inbound UDP ports as needed. All traffic is initiated from inside the GoTo client network out.
| Protocol | Dst Port | Dst Address | Action |
|---|---|---|---|
| UDP | 45000-65535 | GoTo IP ranges | Allow |
| TCP | 443 | All | Allow |
UDP over TURN (only one port required)
| Protocol | DST Port | DST Addr | Action |
|---|---|---|---|
| UDP | 3478 | GoTo IP ranges | Allow |
| TCP | 443 | All | Allow |
TCP 3478 / 443 over TURN
In this configuration, TCP is used to transport media to the TURN server. Behind the TURN server, UDP is used towards the GoTo infrastructure. Since TURN servers are in the same geolocation as the user, this helps mitigate some of the drawbacks of TCP over long distances. However, it is not as efficient with handling packet loss as UDP is, which means that you can expect a higher amount of dropped audio and a higher delay compared to the above configuration. Whether the TCP 443 traffic is sent through a proxy or not is up to your discretion.
| Protocol | DST Port | DST Addr | Action |
|---|---|---|---|
| TCP | 3478 | GoTo IP ranges | Allow |
| TCP | 443 | All | Allow |
TCP 443 over TURN
This is the most restricted scenario. You may or may not run the TCP 443 traffic through a proxy. Doing so will add additional latency to the connection. It also requires a performant proxy to handle the high amount of traffic, especially for video.
| Protocol | DST Port | DST Addr | Action |
|---|---|---|---|
| TCP | 443 | All | Allow |
Proxy configuration notes
- If your proxy is performing deep packet inspection (DPI), please be sure that all domains listed above are allow listed. DPI can impact the initial TLS connection and slow down media streams due to processing delays.
- It's less of a problem to have DPI in the path for the signaling connections if you have the media sent via UDP. The only potential issue with this is certificate mismatch, which should not happen with correct configuration of certificates on your endpoints.
- GoTo generally uses the configured proxy from the operating system. If a proxy is configured, all TCP traffic will be routed through it. GoTo will nevertheless try to establish UDP connections for media. It is only when these UDP connections fail that TCP media connections over the proxy will be used.
- In order to send GoTo traffic to a specific proxy different from the one for other traffic, you can use a standard proxy.pac file based on the DNS domains listed above.
VPN configuration notes
Generally, the WebRTC used in GoTo will probe all network interfaces on your system for media connections and may decide a path different from the routes in the local routing table if it does connect. This can be a problem with VPN solutions like Cisco AnyConnect, which rely on changes in the routing table to send packets into the VPN tunnel. However, the opposite may also happen where the VPN tunnel is selected in a split tunnel VPN despite a direct connection being available. This is typically due to lower interface metrics set on VPN interfaces.
The only way to force WebRTC to use a certain path is to completely block the other paths for UDP on the aforementioned GoTo IP ranges.
Zscaler specific configurations
If you use Zscaler to filter your traffic, it needs to be configured for GoTo to work with for best performance. As Zscaler config is extremely complex and individual, this is only a starting point for your configuration. If you encounter any trouble, select Contact Support for our support team to get you in touch with our engineering team directly.
View the config switch in the Zscaler config here. This will exclude known GoTo domains and IP ranges as laid out here from some types of inspections.