Firewall Configuration

To ensure smooth operation of HeyGen’s Interactive Avatar (powered by LiveKit), your corporate network firewall needs to allow traffic to specific hosts and ports. This guide outlines exactly what to open up for signaling and media traffic.

🚪 What Needs Access?

LiveKit uses WebSocket (WSS) and WebRTC (TLS/DTLS) protocols over both TCP and UDP. All connections are encrypted.

✅ Minimum Required (For Basic Functionality)

| Host | Port | Purpose |
|------|------|---------|
| *.livekit.cloud | TCP 443 | Secure signaling via WebSocket |
| *.turn.livekit.cloud | TCP 443 | TURN over TLS - fallback when UDP is blocked |
| *.host.livekit.cloud | UDP 3478 | TURN/UDP for establishing peer-to-peer connections |
| *://api.heygen.com | TCP 443 | Avatar API and Signaling via WebSocket and HTTPS |

🌟 Recommended (For Best Performance)

To achieve optimal video/audio quality, allow the following optional traffic:

| Host | Port | Purpose |
|------|------|---------|
| all hosts | UDP 50000-60000 | WebRTC media traffic |
| all hosts | TCP 7881 | WebRTC fallback over TCP |

Also:
• ✅ Enable UDP hole-punching (if supported)
• ❌ Avoid symmetric NAT if possible


🔒 Wildcards Not Allowed?

If your corporate firewall does not support wildcard domains (like *.livekit.cloud), you’ll need to allow traffic to specific hostnames.

✅ Signaling Servers (TCP 443)

heygen-feapbkvq.livekit.cloud
heygen-feapbkvq.sfo3.production.livekit.cloud
heygen-feapbkvq.dsfo3a.production.livekit.cloud
heygen-feapbkvq.dsfo3b.production.livekit.cloud
heygen-feapbkvq.dfra1a.production.livekit.cloud
heygen-feapbkvq.dfra1b.production.livekit.cloud
heygen-feapbkvq.dblr1a.production.livekit.cloud
heygen-feapbkvq.dblr1b.production.livekit.cloud
heygen-feapbkvq.dsgp1a.production.livekit.cloud
heygen-feapbkvq.dsgp1b.production.livekit.cloud
heygen-feapbkvq.dsyd1a.production.livekit.cloud
heygen-feapbkvq.dsyd1b.production.livekit.cloud
heygen-feapbkvq.osaopaulo1a.production.livekit.cloud
heygen-feapbkvq.osaopaulo1b.production.livekit.cloud
heygen-feapbkvq.oashburn1a.production.livekit.cloud
heygen-feapbkvq.oashburn1b.production.livekit.cloud
heygen-feapbkvq.omarseille1a.production.livekit.cloud
heygen-feapbkvq.omarseille1b.production.livekit.cloud
heygen-feapbkvq.otokyo1a.production.livekit.cloud
heygen-feapbkvq.otokyo1b.production.livekit.cloud
heygen-feapbkvq.ophoenix1a.production.livekit.cloud
heygen-feapbkvq.ophoenix1b.production.livekit.cloud
heygen-feapbkvq.olondon1a.production.livekit.cloud
heygen-feapbkvq.olondon1b.production.livekit.cloud
heygen-feapbkvq.ochicago1a.production.livekit.cloud
heygen-feapbkvq.ochicago1b.production.livekit.cloud
heygen-feapbkvq.osingapore1a.production.livekit.cloud
heygen-feapbkvq.osingapore1b.production.livekit.cloud
heygen-feapbkvq.odubai1a.production.livekit.cloud
heygen-feapbkvq.odubai1b.production.livekit.cloud
heygen-feapbkvq.ojohannesburg1a.production.livekit.cloud
heygen-feapbkvq.ojohannesburg1b.production.livekit.cloud
heygen-feapbkvq.omumbai1a.production.livekit.cloud
heygen-feapbkvq.omumbai1b.production.livekit.cloud
heygen-feapbkvq.ofrankfurt1a.production.livekit.cloud
heygen-feapbkvq.ofrankfurt1b.production.livekit.cloud
heygen-feapbkvq.ojerusalem1a.production.livekit.cloud
heygen-feapbkvq.ojerusalem1b.production.livekit.cloud

🔁 TURN Servers (TCP 443)

sfo3.turn.livekit.cloud
dsfo3a.turn.livekit.cloud
dsfo3b.turn.livekit.cloud
dfra1a.turn.livekit.cloud
dfra1b.turn.livekit.cloud
dblr1a.turn.livekit.cloud
dblr1b.turn.livekit.cloud
dsgp1a.turn.livekit.cloud
dsgp1b.turn.livekit.cloud
dsyd1a.turn.livekit.cloud
dsyd1b.turn.livekit.cloud
osaopaulo1a.turn.livekit.cloud
osaopaulo1b.turn.livekit.cloud
oashburn1a.turn.livekit.cloud
oashburn1b.turn.livekit.cloud
omarseille1a.turn.livekit.cloud
omarseille1b.turn.livekit.cloud
otokyo1a.turn.livekit.cloud
otokyo1b.turn.livekit.cloud
ophoenix1a.turn.livekit.cloud
ophoenix1b.turn.livekit.cloud
olondon1a.turn.livekit.cloud
olondon1b.turn.livekit.cloud
ochicago1a.turn.livekit.cloud
ochicago1b.turn.livekit.cloud
osingapore1a.turn.livekit.cloud
osingapore1b.turn.livekit.cloud
odubai1a.turn.livekit.cloud
odubai1b.turn.livekit.cloud
ojohannesburg1a.turn.livekit.cloud
ojohannesburg1b.turn.livekit.cloud
omumbai1a.turn.livekit.cloud
omumbai1b.turn.livekit.cloud
ofrankfurt1a.turn.livekit.cloud
ofrankfurt1b.turn.livekit.cloud
ojerusalem1a.turn.livekit.cloud
ojerusalem1b.turn.livekit.cloud

Last updated 4/7/2025. For the most up-to-date list, see the LiveKit site: https://docs.livekit.io/home/cloud/firewall/

🛠️ IT Notes
• TLS encryption (port 443) ensures secure media and signaling.
• UDP is strongly recommended for low-latency audio/video performance.
• If UDP is blocked, TURN over TCP (443) will be used as a fallback but may degrade quality.
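
The following is an added example, not part of HeyGen's or LiveKit's documentation: a Python check that audits a firewall allowlist against the flows in the tables above and reports what is still blocked. The rule tuple format and both rulesets are constructed for illustration, and `KNOWN_HOSTS` is only a small sample of the explicit hostnames listed on this page.

```python
from fnmatch import fnmatchcase

# Flows from the tables above: (host pattern, proto, low port, high port, tier).
# "*" stands for the page's "all hosts"; api.heygen.com is written without its scheme.
REQUIRED = [
    ("*.livekit.cloud", "tcp", 443, 443, "minimum"),
    ("*.turn.livekit.cloud", "tcp", 443, 443, "minimum"),
    ("*.host.livekit.cloud", "udp", 3478, 3478, "minimum"),
    ("api.heygen.com", "tcp", 443, 443, "minimum"),
    ("*", "udp", 50000, 60000, "recommended"),
    ("*", "tcp", 7881, 7881, "recommended"),
]
# A few hostnames copied from the explicit lists above (not the full list).
KNOWN_HOSTS = [
    "heygen-feapbkvq.livekit.cloud",
    "heygen-feapbkvq.sfo3.production.livekit.cloud",
    "sfo3.turn.livekit.cloud",
    "dsfo3a.turn.livekit.cloud",
]
# Constructed rulesets in an assumed (host pattern, proto, low port, high port) form.
WILDCARD_RULES = [("*.livekit.cloud", "tcp", 443, 443),
                  ("*.host.livekit.cloud", "udp", 3478, 3478),
                  ("api.heygen.com", "tcp", 443, 443)]
EXPLICIT_RULES = [(h, "tcp", 443, 443) for h in KNOWN_HOSTS + ["api.heygen.com"]]

def rule_allows(rule, host, proto, lo, hi):
    """True if one allow rule permits `host` (a name or a pattern) on proto, ports lo..hi."""
    r_host, r_proto, r_lo, r_hi = rule
    return (r_proto == proto and r_lo <= lo and hi <= r_hi
            and fnmatchcase(host.lower(), r_host.lower()))

def audit(rules, known_hosts=KNOWN_HOSTS):
    """Return (tier, host, proto, ports) for each required flow that no rule allows."""
    gaps = []
    for pattern, proto, lo, hi, tier in REQUIRED:
        if any(rule_allows(r, pattern, proto, lo, hi) for r in rules):
            continue  # a rule at least as broad as the requirement exists
        # No wildcard rule: fall back to the hosts that can be itemised. If the page
        # lists none for this pattern, the pattern itself is reported as the gap.
        hosts = [h for h in known_hosts if pattern != "*" and fnmatchcase(h.lower(), pattern)]
        for host in hosts or [pattern]:
            gap = (tier, host, proto, str(lo) if lo == hi else f"{lo}-{hi}")
            if gap not in gaps and not any(rule_allows(r, host, proto, lo, hi) for r in rules):
                gaps.append(gap)
    return gaps

if __name__ == "__main__":
    for name, rules in (("wildcard", WILDCARD_RULES), ("explicit", EXPLICIT_RULES)):
        print(name, audit(rules))
```

With the explicit-hostname ruleset the audit still reports `*.host.livekit.cloud` on UDP 3478 as a gap, because this page itemises individual hosts only for TCP 443.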