Firewall Configuration

To ensure smooth operation of HeyGen’s Interactive Avatar (powered by LiveKit), your corporate network firewall needs to allow traffic to specific hosts and ports. This guide outlines exactly what to open up for signal and media traffic.

🚪 What Needs Access?

LiveKit uses WebSocket (WSS) and WebRTC (TLS/DTLS) protocols over both TCP and UDP. All connections are encrypted.

✅ Minimum Required (For Basic Functionality)

| Host | Port | Purpose |
| --- | --- | --- |
| *.livekit.cloud | TCP 443 | Secure signaling via WebSocket |
| *.turn.livekit.cloud | TCP 443 | TURN over TLS - fallback when UDP is blocked |
| *.host.livekit.cloud | UDP 3478 | TURN/UDP for establishing peer-to-peer connections |
| *://api.heygen.com | TCP 443 | Avatar API and Signaling via WebSocket and HTTPS |

🌟 Recommended (For Best Performance)

To achieve optimal video/audio quality, allow the following optional traffic:

| Host | Port | Purpose |
| --- | --- | --- |
| all hosts | UDP 50000-60000 | WebRTC media traffic |
| all hosts | TCP 7881 | WebRTC fallback over TCP |

Also:
• ✅ Enable UDP hole-punching (if supported)
• ❌ Avoid symmetric NAT if possible
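
One way to audit an exported egress allowlist against the required and recommended entries above, as an added example (not HeyGen or LiveKit code). The rule tuple format, the function names and the sample rules are assumptions; it assumes a wildcard-capable firewall, writes "all hosts" as `*`, and writes the API host as `api.heygen.com`.

```python
from fnmatch import fnmatchcase

# Requirements transcribed from the two tables on this page:
# (host pattern, protocol, first port, last port, tier)
REQUIREMENTS = [
    ("*.livekit.cloud", "tcp", 443, 443, "required"),
    ("*.turn.livekit.cloud", "tcp", 443, 443, "required"),
    ("*.host.livekit.cloud", "udp", 3478, 3478, "required"),
    ("api.heygen.com", "tcp", 443, 443, "required"),  # assumption: host part only
    ("*", "udp", 50000, 60000, "recommended"),
    ("*", "tcp", 7881, 7881, "recommended"),
]

def uncovered(req, rules):
    """Return the port ranges of `req` that no rule in `rules` allows."""
    host, proto, lo, hi, _tier = req
    gaps = [(lo, hi)]
    for r_host, r_proto, r_lo, r_hi in rules:
        # A rule applies only if its host pattern is at least as broad as
        # the requirement's pattern (matched as a literal string).
        if r_proto != proto or not fnmatchcase(host.lower(), r_host.lower()):
            continue
        remaining = []
        for g_lo, g_hi in gaps:
            # Subtract the rule's port range from this gap; keep what is left.
            left = (g_lo, min(g_hi, r_lo - 1))
            right = (max(g_lo, r_hi + 1), g_hi)
            remaining += [p for p in (left, right) if p[0] <= p[1]]
        gaps = remaining
    return gaps

def audit(rules):
    """Map tier -> [(host, proto, missing port ranges)] for unmet entries."""
    report = {"required": [], "recommended": []}
    for req in REQUIREMENTS:
        gaps = uncovered(req, rules)
        if gaps:
            report[req[4]].append((req[0], req[1], gaps))
    return report

# Constructed sample allowlist (not a real policy): (host, proto, first, last)
SAMPLE_RULES = [
    ("*.livekit.cloud", "tcp", 443, 443),
    ("api.heygen.com", "tcp", 443, 443),
    ("*", "udp", 50000, 55000),
]

if __name__ == "__main__":
    for tier, items in audit(SAMPLE_RULES).items():
        print(tier, items)
```

An empty `required` list means the minimum set is reachable on paper; entries under `recommended` indicate sessions may fall back to TURN over TCP 443.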

🔒 Wildcards Not Allowed?

If your corporate firewall does not support wildcard domains (like *.livekit.cloud), you’ll need to allow traffic to specific hostnames.

Please visit https://docs.livekit.io/home/cloud/firewall/ for the latest list of hostnames, and replace the subdomain placeholder in them with heygen-feapbkvq.

🛠️ IT Notes
• TLS encryption (port 443) ensures secure media and signaling.
• UDP is strongly recommended for low-latency audio/video performance.
• If UDP is blocked, TURN over TCP (443) will be used as a fallback but may degrade quality.

Additional Troubleshooting Tools:

Test Browser Compatibility: https://livekit.io/webrtc/browser-test

Test Connections:

  1. Using the response from: https://docs.heygen.com/reference/new-session#response, take note of the url and access_token.
  2. Enter the url and access_token here: https://livekit.io/connection-test