Allowlist content streams based on ON24 and ON24 partner URLs and IP addresses to ensure the ports and protocols are allowed.
|
We recommend following this article to receive an email notification when it has been updated. Click the Follow Button next to the article title to follow the article. You must be logged into your Elite account to follow articles. Update notifications are only available for this article. |
Overview
Media streams travel in two directions: (1) from Presenters to ON24, and (2) from ON24 to the Audience. Each source path can be independently authorized to ensure the highest possible quality.
Content from ON24 to an audience is described under Audience Use Cases. Audience stream delivery is scaled using CDNs; URLs for the sources are provided. Many clients can now accept Fully Qualified Domain Names (FQDNs) to indicate traffic to be allowed or split-tunneled for VPN users. We're unable to provide the IP addresses of CDN partners.
Content to ON24 from Presenters is addressed under Presenter Use Cases. This article addresses the use of the Video Presenter Bridge (VPB).
Notes:
- This information is updated as sources in use and CDNs change. This document should be referenced from this page each time the information is needed.
-
For China webinars, please see China Delivery.
Audience Use Cases
If you allowlist domain names, below is a list of source domains.
Static Content: Static Content is console static elements, mainly graphics
- on24static.akamaized.net
- on24static.freetls.fastly.net
- d1ysu7vpbugz5f.cloudfront.net
Attendee Chat: The chat tool within the audience console. Websockets are required for the attendee chat to show in the Audience Console.
- chat.stream-io-api.com
HLS: Streams for live events delivery to desktop, iOS, and Android (mobile) devices
- hlsa.akamaized.net
- hlsb.akamaized.net
- livehlsa.freetls.fastly.net
- livehlsb.freetls.fastly.net
- d2oyl7by3xd3ie.cloudfront.net
- d3829mt7juru5j.cloudfront.net
MPEG-DASH (MPD): Streams for On Demand and Simu-live events delivery to desktop browsers
- dashod.akamaized.net
- on24static.freetls.fastly.net
- d1ysu7vpbugz5f.cloudfront.net
ON24 App Servers:
- on24.com
- Note: If you have an account or event set to use Chinacache CDN for audience streaming, please allow .ccedge.cn
Breakouts, VC, Go Live, Next Generation Video, and Forums also require:
- *.tokbox.com
- *.opentok.com
- If Tokbox/opentok IP addresses are required instead of domain use: 168.100.64.0/18 and 216.147.0.0/18
- Open TCP port 443
-
In addition to the minimum requirements, opening UDP Port 3478 will improve the experience. UDP is recommended over TCP for better audio and video quality. UDP favors timeliness over reliability, which is consistent with human perceptive preferences, where we can fill in gaps but are sensitive to time-based delays.
This port only accepts inbound traffic after an outbound request is sent. The connection is bidirectional but is always initiated from the corporate network/client, so it is not possible for an external entity to send malicious traffic in the opposite direction. For the best possible experience, we recommend opening UDP ports 1025-65535.
Allow the following HTTPS verification servers for our HTTPS certificate. Not doing so may cause console warnings, but should not affect the session.
- ocsp.godaddy.com
- crl.godaddy.com
ON24 IP address range is 199.83.44.0/22, which is 199.83.44.0-199.83.47.255
CDNs do not generally provide IP addresses.
Audience Viewing Experience Analytics
Presenter Use Cases
Webcast Elite
The Presenter UI generally does not require allowlisting, except for those using the Video Presenter Bridge (i.e., webcam or screen sharing). The list of addresses used by Elite Studio are below:
- *.on24.com
- *.millicast.com
- pm.on24.com
- pmelite.on24.com
- turn.fav.on24.com
- turn2.fav.on24.com
- vcu.fav.on24.com
- webrtc.fav.on24.com
- webrtc2.fav.on24.com
- h5live.nanocosmos.de
- webrtc.mediaedit.on24.com
- api.mediaedit.on24.com
- api.tryfigment.com
- turn.mediaedit.on24.com
Breakouts, Virtual Conference, Go Live, Next Generation Video and Forums also require:
- *.tokbox.com
- *.opentok.com
- If Tokbox/opentok IP addresses are required instead of domain use: 168.100.64.0/18 and 216.147.0.0/18
- Open TCP port 443
-
In addition to the minimum requirements, opening UDP Port 3478 will improve the experience. UDP is recommended over TCP for better audio and video quality. UDP favors timeliness over reliability, which is consistent with human perceptive preferences, where we can fill in gaps but are sensitive to time-based delays.
This port only accepts inbound traffic after an outbound request is sent. The connection is bidirectional but is always initiated from the corporate network/client, so it is not possible for an external entity to send malicious traffic in the opposite direction. For the best possible experience, we recommend opening UDP ports 1025 - 65535.
Allow the following HTTPS verification servers for our HTTPS certificate. Not doing so may cause console warnings, but should not affect the session.
- ocsp.godaddy.com
- crl.godaddy.com
Video Presenter Bridge Port Usage
| Protocol | Source-Port | Dest-Port | Description | Device |
| TCP | <ANY> | 443 | HTTPS | WebRTC Signaling |
| TCP/UDP | <ANY> | 40000-49999 | RTP / RTCP / RDP / RTMP | Endpoint Media / WebRTC |
| TCP | <ANY> | 1720 | H.323 (H.224 signaling) | Endpoint H.323 Signaling |
| UDP | <ANY> | 1719 | H.323 (RAS signaling) | Endpoint H.323 RAS Signaling |
| TCP | <ANY> | 33000-39999 | H.323 (Q.931 / H.245 signaling) | Endpoint H.323 Media |
| TCP | <ANY> | 5060 | SIP | Endpoint SIP Signaling |
| TCP | <ANY> | 5061 | SIP / TLS | Endpoint SIP / TLS |
Elite Studio Recording Interface
Protocol |
Destination (IP) |
Forum Specific |
Explanation |
|---|---|---|---|
| 443 | HTTPS | api.mediaedit.on24.com | API calls from browser to server for client/sever communication. |
| 443 | HTTPS/WEBSOCKET | webrtc.mediaedit.on24.com | The backend servers require a range of open ports to manage the media traffic flow between the server and the browser. This is necessary because the server handles multiple concurrent WebRTC connections, each requiring a dedicated port for effective operation. |
| 443 | TURNS/STUN | turn.mediaedit.on24.com | In the event that media transfer fails over the standard UDP ports, the system is configured to automatically switch to using port 443 for all bidirectional TURN traffic between the client network and the server. |
| 40000-49999 | UDP/WEBSOCKET | webrtc.mediaedit.on24.com | The backend servers require a range of open ports to manage the media traffic flow between the server and the browser. This is necessary because the server handles multiple concurrent WebRTC connections, each requiring a dedicated port for effective operation. |
Webcam & Screen Share Issues
The webcam and screen‑share functionality used by presenters relies on a cloud‑based audio/video bridge known as the Video Presenter Bridge (VPB). The VPB accepts incoming audio and video connections, composites them into a unified stream, and encodes it for delivery to the webcast.
Supported Protocols
Different connection types use different protocols:
- Phone audio: SIP
- VCU: H.323 or SIP
- Microsoft Teams: Supported, with network requirements typically addressed during Teams deployment
- Webcam and screen share: WebRTC
The component that most commonly encounters issues in enterprise environments is WebRTC.
Why WebRTC Can Be Challenging in Enterprise Networks
WebRTC requires:
- A control channel over HTTPS (TCP 443)
- Separate bidirectional audio and video channels over UDP high ports
Most corporate networks block high‑port UDP traffic, which prevents WebRTC from establishing its preferred direct media paths.
How WebRTC Negotiates Connections
- The browser initiates a session with the VPB using HTTPS.
- Browser and bridge then attempt to discover viable media paths using a process called ICE candidate discovery.
- ICE identifies available conference nodes and the protocols/ports that can reach them.
This negotiation is visible in the browser’s developer console, making it easy to diagnose.
Native (UDP) Attempts Always Occur First
WebRTC always tries native UDP connections first:
- Uses UDP ports 40000–49999
- Does not support NAT traversal
- Almost always blocked inside enterprise networks
Even when these attempts fail, they are retried at the start of every session.
TURN/TURNS as the Fallback Path
When direct UDP paths fail, WebRTC falls back to a TURN relay server. TURN encapsulates audio/video traffic in TLS over TCP, allowing it to traverse restrictive networks.
We use secure TURN (TURNS), which typically works without additional configuration.
How TURNS Works
- The browser sends A/V traffic over TLS/TCP to the TURN server.
- TURN server relays that traffic to VPB nodes using the expected UDP protocols inside the ON24 network.
- This allows WebRTC to function even when UDP is blocked.
Common Issues and How to Address Them
1. PAC File Not Recognizing TURNS Traffic
Because TURNS traffic is encrypted, it must be routed through the proxy. If the PAC file does not recognize the protocol or destination, traffic may be sent directly to the firewall and blocked.
Required TURN server addresses:
- 199.83.47.94
- 199.83.46.94
FQDNs:
turn.fav.on24.comturn2.fav.on24.com
Protocol URLs:
turns:turn.fav.on24.comturns:turn2.fav.on24.com
A PAC rule must ensure these destinations are routed through the proxy.
2. Palo Alto Networks Firewalls and STUN/TURN
Palo Alto firewalls often require explicit allowance for the STUN application. TURNS is defined within the STUN RFC 5766, so PAN devices classify it under the STUN application signature. Ensuring STUN is permitted typically resolves this issue.
Troubleshooting
Google provides a test tool that will allow enterprise network users to determine whether the required network paths are open, see URL below:
https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
- in the STUN or TURN URI: turns:turn.fav.on24.com:443?transport=tcp (or turns:turn2.fav.on24.com:443?transport=tcp)
- In TURN username: on24user
- In TURN password: nev2Eni@
- Click Add Server and remove any other servers that may be there, then press Gather Candidates
- You have to get a relay response to confirm TURNS is working
Elite Studio fails to display Polls, Slides, etc.
Elite Studio uses WebSockets (wss://) to set up the browser and to interact with the necessary APIs and microservices. If WebSockets are not supported (routed through a proxy as HTTPS traffic would be), Elite Studio will not function at all. Websockets are also required for the attendee chat to show in the Audience Console. Instructions for identifying and fixing are below.
Broadcast Video
For those using the Broadcast Video, your encoder will transmit from the venue to our Ingress servers. These destination addresses are:
- fmseosa.on24.com - 199.83.45.71, 199.83.44.226
- fmseosb.on24.com - 199.83.45.72, 199.83.44.227
The encoder devices require outbound access from your network to the IP addresses above on TCP Port 1935; encoders are not generally proxy-aware. RTMP and RTMPS are both supported at the Ingress servers.
Email Servers (for all products)
ON24 IP Range
199.83.44.0/22, which is 199.83.44.0-199.83.47.255
- p-smtp-wc.on24.com = 199.83.45.18
- p-smtp-wc.on24.com = 199.83.45.110
- p-smtp-wc.on24.com = 199.83.45.111
- p-smtp-wc.on24.com = 199.83.44.57
-
p-smtp-wc.on24.com = 199.83.44.64
- p-smtp-ve.on24.com = 199.83.46.151
- p-smtp-ve.on24.com = 199.83.46.152
-
p-smtp-ve.on24.com = 199.83.46.153
- r-smtp-wc.on24.com = 199.83.45.19
- r-smtp-wc.on24.com = 199.83.47.124
- r-smtp-wc.on24.com = 199.83.47.125
- r-smtp-wc.on24.com = 199.83.45.44
-
r-smtp-wc.on24.com = 199.83.45.45
- r-smtp-ve.on24.com = 199.83.47.151
- r-smtp-ve.on24.com = 199.83.47.152
-
r-smtp-ve.on24.com = 199.83.47.153
- sg.on24event.com
- o4.ptr5304.on24event.com = 159.183.67.9
- o7.ptr9297.sg.on24event.com = 159.183.128.125
Proxy Settings
SSL Decryption should be suppressed. Many enterprise proxies, especially cloud proxies such as those provided by Zscaler, commonly recommend decrypting SSL traffic. While this is generally useful for security inspection, it is not appropriate for webcasting scenarios. For ON24 events in particular, SSL decryption should be suppressed, and ON24 stream sources should be explicitly allowed.
Why SSL Decryption Causes Problems for Webcasts
1. Video Chunking Creates High-Frequency, High-Volume Requests
Our streams deliver video in small chunks, typically around 250 Kbps per segment, with a new segment arriving every 2 seconds. This request pattern is far more frequent than most proxies are tuned for, and it will make SSL decoding queue times more variable than expected. Variable queue delay can cause buffering and lip-sync issues because audio and video are separate data streams.
2. Large-Scale Events Amplify the Problem
In Town Hall–style events, hundreds or thousands of users may be streaming simultaneously. With SSL decryption enabled, the proxy must inspect every chunk for every viewer. This creates a massive inspection backlog, resulting in frequent timing anomalies. The result is a degraded viewing experience across the organization.
3. No Security Benefit to Decrypting ON24 Streams
Decrypting ON24 traffic provides no meaningful security advantage. They are innocuous on their own, and the sources that deliver them are specific to ON24, so not subject to delivering other types of (potentially dangerous) traffic.
Note: If you are using Zscaler, a preconfigured fingerprint is available to ensure ON24 traffic is allowed. Please follow the steps in this article. For more information on using the Zscaler Cloud Application Control policies, please review Zscaler Help Documentation https://help.zscaler.com/zia/adding-sales-marketing-rule-cloud-app-control
Virtual Conference Use Cases
ON24 Virtual Environments provide content from the sources listed below:
- *.on24.com
- hlsvshow.akamaized.net
- on24static.akamaized.net
- *.freetls.fastly.net
Virtual Conferences may optionally include ON24 webcast content; in that case, the settings at the top of this page also need to be included.
Integrations
Below are the required IP addresses for our integration services across the ON24 Marketplace Apps:
52.40.200.248
52.39.10.61
52.26.59.155
52.8.7.130
18.144.153.142
Comments
14 comments
This article has been updated with additional IP addresses under the ON24 Email Servers section. The new IPs are:
p-smtp-wc.on24.com = 199.83.44.57
p-smtp-wc.on24.com = 199.83.44.64
r-smtp-wc.on24.com = 199.83.45.44
r-smtp-wc.on24.com = 199.83.45.45
This article has been updated with additional allow list domains for attendee chat tools:
Attendee Chat - chat tools within the consoles
This article has been updated with an additional IP addresses under the ON24 Email Servers section. The new IPs is:
o4.ptr5304.on24event.com = 159.183.67.9
This article has been updated with additional IP addresses under the ON24 Email Servers section. The new IPs are:
This article has been updated with new Cloudfront CDN domains and the removal of the soon to be deprecated Edgio (Limelight) CDN domains.
Removed legacy split tunneling information.
This article has been updated with the new Fastly CDN domains.
This article has been updated with new China CDN domain: *.ccedge.cn
Removed *.ccindex.cn and legacy split tunneling information.
Added tokbox/opentok IP ranges.
Added telemetry.banuba.cloud and cdn.jsdelivr.net for virtual background capabilities under Presenter Use Cases.
Added information about the new Elite Studio Recording Interface under Presenter Use Cases.
Removed telemetry.banuba.cloud and cdn.jsdelivr.net for virtual background capabilities under Presenter Use Cases. No longer required.
Added requirements for Breakouts, Virtual Conference, Go Live, Next Generation Video, and Forums to Presenter Use Cases.
Please sign in to leave a comment.