Minimal Firewall Settings for Using the V10 GoTo Webinar Desktop App

Status: Verified

This document and sample scenarios are recommendations made by the GoTo Engineering team. There are other considerations and configurations on which traffic goes through a proxy or directly through a firewall.

Note: This setup has been tested to work in the GoTo network lab but may not cover all environments and scenarios.

GoTo IP Ranges

All critical media services are tied to these ranges. Ideally, they should go directly through any network perimeter and not through a proxy.

The hypothesis is that all GoTo Meeting traffic not going to these ranges uses plain HTTPS or WebSocket and can easily be redirected through an inspecting HTTPS proxy.

TCP port 443 (Connection)

Connection setup for all media, the download of various application parts, and Telemetry — we use TLS over plain TCP, HTTPS, as well as WebSocket.

Range	Use
23.239.228.0/22 23.239.232.0/23 23.239.234.0/23 23.239.236.0/23	VCS (Video servers)
67.217.64.0/19	VGW (Audio servers)
68.64.0.0/19	VCS (Video servers), VGW and Edge (Audio servers)
78.108.112.0/20	VCS (Video servers)
173.199.0.0/18	VCS (Video servers), VGW and Edge (Audio servers), attendee.gotowebinar.com, global.gotowebinar.com, global.gototraining.com
202.173.24.0/21	MCS (Screen sharing servers)
216.115.208.0/20	VGW (Audio servers), egwglobal.gotomeeting.com, egw.gotomeeting.com (Connection detection)

UDP port 1853, 8200 (Audio/Video)

If these UDP ports are not open, GoTo Meeting will fall back to TCP (which may affect media and connection quality). We run encrypted, non-standard traffic on these connections so any firewall trying to detect something smart will fail.

Range	Use
23.239.228.0/22 23.239.232.0/23 23.239.234.0/23 23.239.236.0/23	VCS (Video servers)
67.217.64.0/19	VGW (Audio servers)
68.64.0.0/19	VCS (Video servers), VGW (Audio servers), see TCP
78.108.112.0/20	VCS (Video servers)
173.199.0.0/18	VCS (Video servers), VGW (Audio servers) see TCP
216.115.208.0/20	VGW (Audio servers)

Domains

The list of domains used by the GoTo Webinar desktop app currently includes (but is not limited to) the following:

	Domain	Use	Points to IP addresses in
1	*.goto.com	Central domain for starting sessions	AWS
2	*.getgo.com	Various services	AWS
3	*.gotomeeting.com	Various services	GoTo/AWS
4	*.expertcity.com	Audio and Screen sharing servers	GoTo
5	*.goto-rtc.com	Audio and Video servers	GoTo
6	*.logmeininc.com	Authentication (critical)	AWS
7	*.gotowebinar.com	Central domain (required for GoToWebinar only)	GoTo/AWS
8	*.gototraining.com	Central domain (required for GoTo Training only)	GoTo
9	*.launchdarkly.com	External service provider for feature enablement (does not work through proxy, not critical)	Google Cloud
10	api-pub.mltree.net	GoTo Marketing (not critical)	AWS

GoTo Opener

This is a separate program used to download and start native GoTo Meeting. It uses the following domains (HTTPS, port 443 TCP).

Domain	Use	Points to IP addresses in
launch.getgo.com	Conference Launch Service	GoTo
join.servers.getgo.com	Conference Launch Service	AWS
builds.cdn.getgo.com	Download CDN for GoTo Meeting builds	AWS
builds.getgocdn.com	Download CDN for GoTo Meeting builds	GoTo

General network configuration modes

In an unrestricted network, GoTo Meeting will open a number of TCP and UDP connections to a variety of ports, some of them essential e.g., to transmit audio data and others non-essential e.g., the one for marketing pop-ups. The first eight (8) domains in the list above need to be excluded from deep packet inspection, if there are any on the network path.

Furthermore, the connections initiated by GoTo Meeting can be split into three (3) categories:

TCP towards GoTo IP ranges
UDP towards GoTo IP ranges
TCP towards other IP ranges (currently AWS and Google Cloud address spaces)

Based on this distinction, there are four (4) different ways to configure your network.

Mode	Pros & Cons	Configuration steps
All TCP using port 443 over HTTPS proxy, no use of UDP	Pros This is the simplest configuration mode. Cons The exclusive use of TCP for media can lead to bad audio and video quality and interruptions (if there is any packet loss on the underlying IP connection from the client machine to the GoTo servers). As the majority of servers are US-based, this will impact customers outside of the United States. Connection establishment takes longer in unrestricted networks due to extended probing.	On your firewall, block the following: All outbound TCP traffic towards port 443, 80, and 8200. All outbound UDP traffic towards port 1853 and 8200. On client computers, configure a HTTPS proxy for port 443.
All TCP using port 443 over HTTPS proxy, UDP goes directly through the firewall	Pros Media can use UDP which improves perceived audio and video quality. It is comparably easier to configure and debug as TCP and UDP is clearly separated. Cons Connection establishment takes longer than in unrestricted networks due to extended probing.	On your firewall, configure the following: Block all outbound TCP traffic towards ports 443, 80, and 8200. Allow outbound UDP traffic towards ports 1853 and 8200 (you may also restrict the address ranges to the GoTo IP ranges for UDP listed above. On client computers, configure a HTTPS proxy.
TCP and UDP towards GoTo IP ranges goes directly through the firewall, TCP to other IP ranges goes through HTTPS proxy	Pros Best media and screen sharing performance, quick connection establishment. Cons Configuration is more complex and harder to debug.	On your firewall, configure the following: Allow outbound TCP traffic towards port 443 only for the address ranges designated in GoTo IP ranges for TCP above. Block all other outbound TCP traffic towards port 443, 80, and 8200. Allow outbound UDP traffic towards port 1853 and 8200 – you may also restrict the address ranges to the GoTo IP ranges for UDP list above. Note: Make sure that inbound return traffic is also passed through (stateful). On client computers, configure a HTTPS proxy.
Run a stateful firewall and allow all outbound TCP and UDP traffic and return traffic based on state	Pros No configuration required as all traffic is initiated from the client. The firewall will open the required inbound connections automatically. Cons This is the default configuration for many firewalls, but rarely used in more complex networks due to additional security requirements.	Does not need additional configuration.

VPN configuration

If you use a VPN, there are several ways to route the different streams. The options reflect the modes listed in the table above; however, you will have to use routing to decide which traffic goes where (which makes it difficult to separate UDP from TCP traffic).

For this reason, we recommend one of the following options:

Route everything through the VPN tunnel.
Allow all GoTo IP ranges to go directly to the Internet (TCP and UDP), send all other traffic through the VPN.
Send only internal traffic (i.e., 10.X.X.X and 192.168.X.X) into the VPN tunnel, and send the rest directly to the internet.

TCP traffic sent through the VPN tunnel may or may not go through a proxy after traversing through the tunnel. There are other configurations that can be discussed with the GoTo Engineering team on a case-by-case basis.

Proxy configuration notes

If your proxy is performing deep packet inspection, please be sure that all domains listed above are allowlisted. Deep packet inspection can impact the initial TLS connection and slow down media streams due to processing delays.

Although GoTo Meeting reads many sources for proxy configuration (e.g., system proxy, Firefox proxy, PAC files, WPAD), the proxy detection might yield unexpected results. One aspect is that the logic used to parse PAC files does not support all variations of possible rules. The other aspect is that proxies stored in the GoTo Meeting registry are sometimes used in the connection detection. As soon as GoTo Meeting finds out it can establish a connection through a stored proxy, it might also use it, although other configurations might indicate another proxy.

The easiest way to verify proxy usage is through the GoTo Meeting log file.

macOS and Mac OS X

Log files are stored here: /Users/username/Library/Logs/com.logmein.GoToMeeting.

To clear existing proxy entries, delete these keys: defaults -currentHost read com.logmein.GoToMeeting |grep ConnectionInfo.

Windows

Log files are stored here: %Temp%\LogMeInLogs\GoToMeeting. Look for the folder with the latest date.

To clear existing proxy entries, delete these keys: HKEY_CURRENT_USER\SOFTWARE\LogMeInInc\GoToMeeting\ConnectionInfo.