Allowlist content streams based on ON24 and ON24 partner URLs and IP addresses to ensure the ports and protocols are allowed.
Overview
Media streams flow 1) from Presenters to ON24 and 2) from ON24 to Audience. Sources for both can be separately allowed to ensure a high-quality experience.
Content from ON24 to the audience is described below under Audience Use Cases. Audience stream delivery is scaled using CDNs; URLs for the sources are provided. Many firewall and VPN clients can now accept Fully Qualified Domain Names (FQDNs) to identify the traffic to allow and the traffic to split-tunnel for VPN users. We cannot provide the IP addresses for CDN partners.
If your company cannot allow streams based on FQDN, please contact technical support well in advance of the event to determine if another option can be provided. We can provide some address info and may be able to configure the sources used so that address information to drive split tunneling is available.
Content to ON24 from Presenters is addressed under Presenter Use Cases. This article addresses the use of the Video Presenter Bridge.
Note: This information is updated as sources in use and CDNs change. This document should be referenced from this page each time the information is needed.
Video Presenter Bridge - Port Usage
Protocol | Source Port | Dest Port | Description | Device
--- | --- | --- | --- | ---
TCP | <ANY> | 443 | HTTPS | WebRTC Signaling
TCP/UDP | <ANY> | 40000-49999 | RTP / RTCP / RDP / RTMP | Endpoint Media / WebRTC / Lync & Skype for Business Media
TCP | <ANY> | 1720 | H.323 (H.224 signaling) | Endpoint H.323 Signaling
UDP | <ANY> | 1719 | H.323 (RAS signaling) | Endpoint H.323 RAS Signaling
TCP | <ANY> | 33000-39999 | H.323 (Q.931 / H.245 signaling) | Endpoint H.323 Media
TCP | <ANY> | 5060 | SIP | Endpoint SIP Signaling
TCP | <ANY> | 5061 | SIP / TLS | Endpoint SIP / TLS
Audience Use Cases
If you allowlist domain names, below is a list of source domains:
Static Content - the static elements of the console, mainly graphics
- on24static.akamaized.net
- static.llnw.on24.com
Attendee Chat - chat tools within the consoles
- chat.stream-io-api.com
HLS - streams for live events delivery to desktop and iOS and Android (mobile) devices
- hlsa.akamaized.net
- hlsb.akamaized.net
- livehlsa.llnw.on24.com
- livehlsb.llnw.on24.com
MPEG-DASH (MPD) - streams for On Demand and Simu-live events delivery to desktop browsers
- dashod.akamaized.net
- dashod.llnw.on24.com
ON24 App Servers
- *.on24.com
Breakouts, VC, Go Live, Forums also require:
- *.tokbox.com
- *.opentok.com
- Open TCP port 443
Along with the minimum requirements, opening UDP Port 3478 will provide a better experience. UDP is recommended over TCP for better quality audio and video. UDP favors timeliness over reliability, which is consistent with human perceptive preferences, where we can fill in gaps but are sensitive to time-based delays.
This port only accepts inbound traffic after an outbound request is sent. The connection is bidirectional but is always initiated from the corporate network/client, so it is not possible for an external entity to send malicious traffic in the opposite direction. For the best possible experience, we recommend opening UDP ports 1025 - 65535.
Allow the following certificate-status (OCSP/CRL) servers, which browsers use to verify our HTTPS certificate. Not doing so may cause console warnings, but should not affect the session.
- ocsp.godaddy.com
- crl.godaddy.com
If you require IP addresses, split-tunneling configuration, or load-related assistance:
ON24 IP address range is 199.83.44.0/22, which is 199.83.44.0-199.83.47.255
CDNs do not generally provide IP addresses, as noted above.
If you require IP addresses to allow traffic for a Town Hall session (large internal meeting), please submit a case to ON24 at support@on24.com.
Audience Viewing Experience Analytics
Presenter Use Cases
Webcast Elite
The Presenter UI does not generally require allowlisting, except for those using the Video Presenter Bridge (i.e., webcam or screen sharing). The list of addresses used by PMXD and Elite Studio is below:
- *.on24.com
- *.millicast.com
- pm.on24.com
- pmelite.on24.com
- turn.fav.on24.com
- turn2.fav.on24.com
- vcu.fav.on24.com
- webrtc.fav.on24.com
- webrtc2.fav.on24.com
- h5live.nanocosmos.de
- webrtc.mediaedit.on24.com
- api.mediaedit.on24.com
- api.tryfigment.com
- turn.mediaedit.on24.com
Breakouts, VC, Go Live, and Forums also require:
- *.tokbox.com
- *.opentok.com
- Open TCP port 443
Along with the minimum requirements, opening UDP Port 3478 will provide a better experience. UDP is recommended over TCP for better quality audio and video. UDP favors timeliness over reliability, which is consistent with human perceptive preferences, where we can fill in gaps but are sensitive to time-based delays.
This port only accepts inbound traffic after an outbound request is sent. The connection is bidirectional but is always initiated from the corporate network/client, so it is not possible for an external entity to send malicious traffic in the opposite direction. For the best possible experience, we recommend opening UDP ports 1025 - 65535.
Allow the following certificate-status (OCSP/CRL) servers, which browsers use to verify our HTTPS certificate. Not doing so may cause console warnings, but should not affect the session.
- ocsp.godaddy.com
- crl.godaddy.com
Webcam and Screen Share Related Connection Issues (VPB Connections)
The ON24 component that webcam and screen-share users rely on is a cloud audio/video bridge, usually referred to as the VPB (Video Presenter Bridge). The VPB accepts audio and video connections and composites them into an image that is encoded for the webcast target. Supported protocols:
- Phone audio uses SIP.
- VCU uses H.323 or SIP.
- Skype/Teams are supported, but the network components required for those products are normally addressed as part of the Teams rollout.
- Webcam and screen share use WebRTC.
The problematic component is WebRTC.
WebRTC requires a control connection (HTTPS over port 443) plus separate audio and video stream channels in both directions, which run over UDP high ports. That does not work in most enterprise networks, because high ports are blocked. The user (a browser on your internal network) sets up a bridge session using HTTPS, which works; the bridge and the browser then look for usable paths into and out of the network.
To establish the channels over which audio and video are sent, WebRTC uses a process called "discovering ICE candidates". This identifies the conference nodes in the bridge system and the means available (ports, addresses, protocols) to reach them. The negotiation is logged to the console section of the browser developer tools, so it can be easily visualized. It first attempts the native protocols (UDP high ports 40000-49999 for audio and video transit, which do not support NAT). These are normally blocked inside corporate networks, but they are always tried at each session initiation, even after it is clear that they do not work. The system then attempts to use a relay (TURN) server, which uses TLS over TCP to move the A/V traffic from the user's browser inside the enterprise network to the TURN server. The TURN server relays the audio and video to the VPB conference nodes inside the ON24 network over the UDP ports and protocols they expect, while exchanging traffic with the enterprise network over TLS over TCP.
We use secure TURN (TURNS) which generally works without intervention. There are several issues that can break the configuration:
- Since the TURNS traffic (TLS over TCP) is encrypted, it will go over the proxy path without incident, provided the PAC file recognizes that it should be sent to the proxy. If the PAC file does not recognize the TURNS protocol, it must select the addresses and route them to the proxy; the addresses are 199.83.47.94 and 199.83.46.94. Otherwise that traffic will likely flow to the firewall, where it will be blocked. A rule in the PAC file that picks up the TURNS traffic or these addresses is all that is needed. The FQDNs that resolve to the two addresses are turn.fav.on24.com and turn2.fav.on24.com; with the protocol reference, the URLs are turns:turn.fav.on24.com and turns:turn2.fav.on24.com.
- Quite frequently, a Palo Alto Networks firewall will require that you allow the STUN protocol. TURN (RFC 5766) is defined as an extension of STUN, so PAN recognizes the TURNS traffic under its STUN application spec.
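The PAC rule described above, written out as an added example (this is not ON24's file and not a file the article supplies). The two TURN hostnames and the two relay addresses are the ones listed above; the proxy address proxy.example.internal:8080 is an assumed placeholder, and whether a particular browser hands the PAC file a turns: URL at all is also an assumption, which is why the rule matches on host and address as well as on the scheme. ES5 syntax is used deliberately, since some PAC engines do not run newer JavaScript.

```javascript
// Added example PAC fragment: route ON24 TURNS relay traffic via the corporate proxy.
var TURN_HOSTS = ["turn.fav.on24.com", "turn2.fav.on24.com"]; // FQDNs from the article
var TURN_ADDRS = ["199.83.47.94", "199.83.46.94"];             // addresses from the article
var CORP_PROXY = "PROXY proxy.example.internal:8080";          // assumed placeholder proxy

// Case-insensitive membership test (Array.prototype.includes is avoided for old PAC engines).
function inList(value, list) {
  var v = String(value).toLowerCase();
  for (var i = 0; i < list.length; i++) {
    if (list[i].toLowerCase() === v) { return true; }
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Rule 1: the TURN relays, whether the client names them by FQDN or by literal address.
  if (inList(host, TURN_HOSTS) || inList(host, TURN_ADDRS)) {
    return CORP_PROXY;
  }
  // Rule 2: anything presented with a turn:/turns: scheme for an on24.com host
  // (covers the case where the PAC engine is given the TURNS URL itself).
  if (/^turns?:/i.test(url) && /(^|\.)on24\.com$/i.test(host)) {
    return CORP_PROXY;
  }
  // Default: the site's normal policy; DIRECT stands in for it here.
  return "DIRECT";
}
```

Everything that is not the TURNS relay falls through to the existing policy, so the stream sources listed elsewhere on this page are unaffected by this rule.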
Troubleshooting
Google provides a test tool that allows enterprise network staff to determine whether the required network paths are open; see the URL immediately below.
https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
- In the STUN or TURN URI: turns:turn.fav.on24.com:443?transport=tcp (or turns:turn2.fav.on24.com:443?transport=tcp)
- In TURN username: on24user
- In TURN password: nev2Eni@
- Click Add Server and remove any other servers that may be there, then press Gather Candidates.
- You have to get a relay response to confirm TURNS is working.
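To make "you have to get a relay response" checkable rather than eyeballed, here is an added example (not part of the article or of the trickle-ice tool) that parses ICE candidate lines in their standard SDP form and reports whether a relay candidate was gathered. The candidate lines are constructed samples; 198.51.100.5 stands in for whatever relay address the TURN server hands out.

```javascript
// Added example: classify gathered ICE candidates and decide whether TURNS worked.

function parseCandidate(line) {
  var f = String(line).replace(/^a=/, "").trim().split(/\s+/);
  // Minimum shape: candidate:<foundation> <component> <proto> <prio> <addr> <port> typ <type>
  if (f.length < 8 || f[0].indexOf("candidate:") !== 0 || f[6] !== "typ") { return null; }
  var c = {
    foundation: f[0].slice("candidate:".length),
    component: Number(f[1]),
    protocol: f[2].toLowerCase(),
    priority: Number(f[3]),
    address: f[4],
    port: Number(f[5]),
    type: f[7].toLowerCase()
  };
  // Optional key/value pairs after the type (raddr/rport for srflx and relay candidates).
  for (var i = 8; i + 1 < f.length; i += 2) {
    if (f[i] === "raddr") { c.raddr = f[i + 1]; }
    if (f[i] === "rport") { c.rport = Number(f[i + 1]); }
  }
  return c;
}

// Count candidates per type and report whether any relay candidate exists.
function summarizeCandidates(lines) {
  var counts = { host: 0, srflx: 0, prflx: 0, relay: 0 };
  var relays = [];
  lines.forEach(function (line) {
    var c = parseCandidate(line);
    if (!c) { return; }                               // skip blank or malformed lines
    if (counts.hasOwnProperty(c.type)) { counts[c.type]++; }
    if (c.type === "relay") { relays.push(c); }
  });
  return { counts: counts, relayOk: relays.length > 0, relays: relays };
}

// One-line verdict for the person running the test.
function verdict(summary) {
  return summary.relayOk
    ? "TURNS relay reachable: " + summary.relays.length + " relay candidate(s)"
    : "No relay candidate gathered: the TURNS path is blocked or misconfigured";
}

// Constructed sample: a successful run (host, server-reflexive and relay candidates).
var SAMPLE_OK = [
  "candidate:1 1 udp 2122260223 10.20.30.40 51234 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 10.20.30.40 rport 51234 generation 0",
  "candidate:3 1 udp 41885439 198.51.100.5 40123 typ relay raddr 203.0.113.7 rport 51234 generation 0"
];

// Constructed sample: what a blocked network typically yields (only a host candidate).
var SAMPLE_BLOCKED = [
  "candidate:1 1 udp 2122260223 10.20.30.40 51234 typ host generation 0",
  ""
];
```

Paste the candidate column from the trickle-ice page into the array and call `verdict(summarizeCandidates(lines))`; host and srflx candidates alone mean the native UDP path was reachable from the browser but the relay never answered, which is exactly the case the PAC and firewall notes above are about.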
Elite Studio fails to display Polls, Slides, etc.
Elite Studio uses WebSockets (wss://) to connect the browser to the necessary APIs and microservices. If WebSocket connections are not supported (for example, when they are routed through a proxy as ordinary HTTPS traffic would be), Elite Studio will not function at all. Instructions to identify and fix are below.
Broadcast Video Users (Encoding on Site)
For those using the ON24 Broadcast Video, your encoder will transmit from the venue to ON24's Ingress servers. These destination addresses are:
- fmseosa.on24.com - 199.83.45.71, 199.83.44.226
- fmseosb.on24.com - 199.83.45.72, 199.83.44.227
The encoder devices require outbound access from your network to the IP addresses above on TCP Port 1935; encoders are not generally proxy aware. RTMP and RTMPS are both supported at the Ingress servers.
ON24 Email Servers (across all products)
- p-smtp-wc.on24.com = 199.83.45.18
- p-smtp-wc.on24.com = 199.83.45.110
- p-smtp-wc.on24.com = 199.83.45.111
- p-smtp-wc.on24.com = 199.83.44.57
- p-smtp-wc.on24.com = 199.83.44.64
- p-smtp-ve.on24.com = 199.83.46.151
- p-smtp-ve.on24.com = 199.83.46.152
- p-smtp-ve.on24.com = 199.83.46.153
- r-smtp-wc.on24.com = 199.83.45.19
- r-smtp-wc.on24.com = 199.83.47.124
- r-smtp-wc.on24.com = 199.83.47.125
- r-smtp-wc.on24.com = 199.83.45.44
- r-smtp-wc.on24.com = 199.83.45.45
- r-smtp-ve.on24.com = 199.83.47.151
- r-smtp-ve.on24.com = 199.83.47.152
- r-smtp-ve.on24.com = 199.83.47.153
- sg.on24event.com
- o4.ptr5304.on24event.com = 159.183.67.9
- o7.ptr9297.sg.on24event.com = 159.183.128.125
ON24 IP Range
199.83.44.0/22, which is 199.83.44.0-199.83.47.255
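When a split-tunnel or firewall rule is built from the 199.83.44.0/22 range alone, it is worth confirming which of the addresses listed on this page actually fall inside it. The following is an added example (not ON24's tooling) that expands a CIDR into its first and last address, the way the line above does by hand, and sorts the article's listed addresses into covered and not-covered sets. The address list is a subset copied from the Email Servers, Broadcast Video and TURNS sections; plain arithmetic is used instead of bit shifts because 199.x.x.x exceeds 2^31 and JavaScript's signed shifts would go negative.

```javascript
// Added example: CIDR expansion and allowlist coverage check for the addresses on this page.

function ipv4ToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) { return null; }
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) { return null; }
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function intToIpv4(n) {
  return [Math.floor(n / 16777216) % 256, Math.floor(n / 65536) % 256,
          Math.floor(n / 256) % 256, n % 256].join(".");
}

// Expand "a.b.c.d/bits" into its first and last address (as integers and dotted strings).
function cidrRange(cidr) {
  var m = String(cidr).split("/");
  var base = ipv4ToInt(m[0]);
  var bits = Number(m[1]);
  if (base === null || !(bits >= 0 && bits <= 32)) { return null; }
  var size = Math.pow(2, 32 - bits);
  var start = Math.floor(base / size) * size;   // align to the block boundary
  var end = start + size - 1;
  return { start: start, end: end, startIp: intToIpv4(start), endIp: intToIpv4(end) };
}

function inCidr(ip, cidr) {
  var r = cidrRange(cidr);
  var n = ipv4ToInt(ip);
  return r !== null && n !== null && n >= r.start && n <= r.end;
}

// Addresses copied from the article (a representative subset of the SMTP list).
var ON24_LISTED_ADDRESSES = [
  "199.83.47.94", "199.83.46.94",                                   // TURNS relays
  "199.83.45.71", "199.83.44.226", "199.83.45.72", "199.83.44.227", // RTMP ingress
  "199.83.45.18", "199.83.46.151", "199.83.47.124", "199.83.47.151", // SMTP servers
  "159.183.67.9", "159.183.128.125"                                 // on24event.com senders
];

// Split a list into entries covered by the CIDR, entries outside it, and unparsable ones.
function checkAllowlist(addresses, cidr) {
  var result = { inside: [], outside: [], invalid: [] };
  addresses.forEach(function (ip) {
    if (ipv4ToInt(ip) === null) { result.invalid.push(ip); }
    else if (inCidr(ip, cidr)) { result.inside.push(ip); }
    else { result.outside.push(ip); }
  });
  return result;
}
```

Running `checkAllowlist(ON24_LISTED_ADDRESSES, "199.83.44.0/22")` puts the two on24event.com mail senders in `outside`, so a rule that only admits the /22 will not cover those mail sources; they need their own entries.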
Proxy Server Settings
SSL Decryption should be suppressed - Many proxies, especially cloud proxies such as the one provided by Zscaler, routinely recommend decrypting SSL traffic. This is a moderately bad call in the webcasting use case for several reasons (see below). The ON24 stream sources should be allowed, and SSL decryption disabled for them.
Note: If you are using Zscaler, there is a pre-configured fingerprint available to ensure ON24 traffic is allowed. Please follow the steps in this article. For more information on using the Zscaler Cloud Application Control policies, please review the Zscaler Help Documentation: https://help.zscaler.com/zia/adding-sales-marketing-rule-cloud-app-control
Reasoning:
- Video chunks, assuming the bit rates used in ON24 streams, will generally be about 250 Kbps per chunk, with a chunk arriving every 2 seconds. This volume and frequency are greater than those generally assumed when configuring proxies, and will cause queue times on the SSL decode to be more variable than expected. Variable queue delay gives 1) buffering, and 2) exposure to lip-sync issues, as audio and video chunks are separate data streams.
- In a "Town Hall" scenario, there might be hundreds or thousands of streams being simultaneously pulled through the proxy; if decoding is specified, delivery timing anomalies are likely to be very common.
- There is no benefit to decoding the streams; they are innocuous on their own, and the sources which deliver them are specific to ON24, so not subject to delivering other types of (potentially dangerous) traffic.
Video Creation Tool
The Video Creator app uses Google Cloud Storage solutions to store any uploaded content and all the videos produced inside the app, as well as the content imported from the Media Manager. All of the assets are transferred and accessed via secure connections.
The address that needs to be allow listed for North America:
VC Use Cases
ON24 Virtual Environments provide content from the sources listed below:
- *.on24.com
- hlsvshow.akamaized.net
- on24static.akamaized.net
Virtual Conferences may optionally include ON24 webcast content, in which case the settings toward the top of this page also need to be included.
Comments
This article has been updated with additional IP addresses under the ON24 Email Servers section. The new IPs are:
p-smtp-wc.on24.com = 199.83.44.57
p-smtp-wc.on24.com = 199.83.44.64
r-smtp-wc.on24.com = 199.83.45.44
r-smtp-wc.on24.com = 199.83.45.45
This article has been updated with additional allow list domains for attendee chat tools:
Attendee Chat - chat tools within the consoles
This article has been updated with an additional IP address under the ON24 Email Servers section. The new IP is:
o4.ptr5304.on24event.com = 159.183.67.9
This article has been updated with additional IP addresses under the ON24 Email Servers section. The new IPs are: