Minimal Firewall Settings for Using the V10 GoTo Meeting, GoTo Webinar, and GoTo Training Desktop App
Please review the minimal settings for firewall/proxy configuration that outline the IP ranges and DNS domains that must be allowed through the firewall/proxy respectively and excluded from any deep packet inspection. This is for version 10 of the classic GoTo Meeting, GoTo Webinar, and GoTo Training desktop app.
Status: Verified
GoTo IP Ranges
All critical media services are tied to these ranges. Ideally, they should go directly through any network perimeter and not through a proxy.
The hypothesis is that all GoTo Meeting traffic not going to these ranges uses plain HTTPS or WebSocket and can easily be redirected through an inspecting HTTPS proxy.
Range | Use |
---|---|
23.239.228.0/22 23.239.232.0/23 23.239.234.0/23 23.239.236.0/23 |
VCS (Video servers) |
67.217.64.0/19 | VGW (Audio servers) |
68.64.0.0/19 | VCS (Video servers), VGW and Edge (Audio servers) |
78.108.112.0/20 | VCS (Video servers) |
173.199.0.0/18 | VCS (Video servers), VGW and Edge (Audio servers), attendee.gotowebinar.com, global.gotowebinar.com, global.gototraining.com |
202.173.24.0/21 | MCS (Screen sharing servers) |
216.115.208.0/20 | VGW (Audio servers), egwglobal.gotomeeting.com, egw.gotomeeting.com (Connection detection) |
Range | Use |
---|---|
23.239.228.0/22 23.239.232.0/23 23.239.234.0/23 23.239.236.0/23 |
VCS (Video servers) |
67.217.64.0/19 | VGW (Audio servers) |
68.64.0.0/19 | VCS (Video servers), VGW (Audio servers), see TCP |
78.108.112.0/20 | VCS (Video servers) |
173.199.0.0/18 | VCS (Video servers), VGW (Audio servers) see TCP |
216.115.208.0/20 | VGW (Audio servers) |
Domains
Domain | Use | Points to IP addresses in | |
---|---|---|---|
1 | *.goto.com | Central domain for starting sessions | AWS |
2 | *.getgo.com | Various services | AWS |
3 | *.gotomeeting.com | Various services | GoTo/AWS |
4 | *.expertcity.com | Audio and Screen sharing servers | GoTo |
5 | *.goto-rtc.com | Audio and Video servers | GoTo |
6 | *.logmeininc.com | Authentication (critical) | AWS |
7 | *.gotowebinar.com | Central domain (required for GoToWebinar only) | GoTo/AWS |
8 | *.gototraining.com | Central domain (required for GoTo Training only) | GoTo |
9 | *.launchdarkly.com | External service provider for feature enablement (does not work through proxy, not critical) | Google Cloud |
10 | api-pub.mltree.net | GoTo Marketing (not critical) | AWS |
GoTo Opener
Domain | Use | Points to IP addresses in |
---|---|---|
launch.getgo.com | Conference Launch Service | GoTo |
join.servers.getgo.com | Conference Launch Service | AWS |
builds.cdn.getgo.com | Download CDN for GoTo Meeting builds | AWS |
builds.getgocdn.com | Download CDN for GoTo Meeting builds | GoTo |
General network configuration modes
In an unrestricted network, GoTo Meeting will open a number of TCP and UDP connections to a variety of ports, some of them essential e.g., to transmit audio data and others non-essential e.g., the one for marketing pop-ups. The first eight (8) domains in the list above need to be excluded from deep packet inspection, if there are any on the network path.
- TCP towards GoTo IP ranges
- UDP towards GoTo IP ranges
- TCP towards other IP ranges (currently AWS and Google Cloud address spaces)
Mode | Pros & Cons | Configuration steps |
---|---|---|
All TCP using port 443 over HTTPS proxy, no use of UDP | Pros This is the simplest configuration mode.
Cons
|
|
All TCP using port 443 over HTTPS proxy, UDP goes directly through the firewall | Pros
Cons Connection establishment takes longer than in unrestricted networks due to extended probing. |
|
TCP and UDP towards GoTo IP ranges goes directly through the firewall, TCP to other IP ranges goes through HTTPS proxy | Pros Best media and screen sharing performance, quick connection establishment.Cons Configuration is more complex and harder to debug. |
|
Run a stateful firewall and allow all outbound TCP and UDP traffic and return traffic based on state | Pros No configuration required as all traffic is initiated from the client. The firewall will open the required inbound connections automatically.Cons This is the default configuration for many firewalls, but rarely used in more complex networks due to additional security requirements. |
Does not need additional configuration. |
VPN configuration
If you use a VPN, there are several ways to route the different streams. The options reflect the modes listed in the table above; however, you will have to use routing to decide which traffic goes where (which makes it difficult to separate UDP from TCP traffic).
- Route everything through the VPN tunnel.
- Allow all GoTo IP ranges to go directly to the Internet (TCP and UDP), send all other traffic through the VPN.
- Send only internal traffic (i.e., 10.X.X.X and 192.168.X.X) into the VPN tunnel, and send the rest directly to the internet.
TCP traffic sent through the VPN tunnel may or may not go through a proxy after traversing through the tunnel. There are other configurations that can be discussed with the GoTo Engineering team on a case-by-case basis.
Proxy configuration notes
If your proxy is performing deep packet inspection, please be sure that all domains listed above are allowlisted. Deep packet inspection can impact the initial TLS connection and slow down media streams due to processing delays.
Although GoTo Meeting reads many sources for proxy configuration (e.g., system proxy, Firefox proxy, PAC files, WPAD), the proxy detection might yield unexpected results. One aspect is that the logic used to parse PAC files does not support all variations of possible rules. The other aspect is that proxies stored in the GoTo Meeting registry are sometimes used in the connection detection. As soon as GoTo Meeting finds out it can establish a connection through a stored proxy, it might also use it, although other configurations might indicate another proxy.
The easiest way to verify proxy usage is through the GoTo Meeting log file.
Log files are stored here: /Users/username/Library/Logs/com.logmein.GoToMeeting.
To clear existing proxy entries, delete these keys: defaults -currentHost read com.logmein.GoToMeeting |grep ConnectionInfo.
Log files are stored here: %Temp%\LogMeInLogs\GoToMeeting. Look for the folder with the latest date.
To clear existing proxy entries, delete these keys: HKEY_CURRENT_USER\SOFTWARE\LogMeInInc\GoToMeeting\ConnectionInfo.