For StarLeaf endpoints to be able to access the StarLeaf Cloud service, certain ports on the public IP addresses of StarLeaf Cloud must be reachable for outbound connections through your firewall. It is not necessary to open up any ports for inbound connections. The port requirement is the same regardless of whether you are installing Breeze or a hardware endpoint. Most firewalls, operating at a normal level of security, already meet these requirements.
|Protocol||Source IP||Source Port||Destination IP||Destination Port||Description|
|TCP||Internal SL endpoint||Any||config.starleaf.com||443||StarLeaf authentication and automatic service discover|
|TCP||Internal SL endpoint||Any||config.starleaf.com||443||StarLeaf tunnel for registration, provisioning, call signalling, and media|
|UDP||Internal SL endpoint||Any||config.starleaf.com||24704||StarLeaf tunnel for registration, provisioning, call signalling, and medi|
All StarLeaf endpoints require
TCP port 443
And the following is recommended for best-quality calls, but not required
UDP: one of any of these ports: 24704, 3478, 1194, 500, 123
Refer to Example firewall configuration, above.
StarLeaf endpoints all use TCP for some call control messages, but for call media, StarLeaf endpoints prefer to use UDP if possible because that provides superior call quality. Therefore, a StarLeaf endpoint (both hardware and Breeze) will attempt to connect using UDP first. If the UDP connection is not possible, then the connection will be an HTTPS connection using port 443
Browser-based calls require TCP port 443. For best-quality calls, but not required, browser-based calls require UDP media port range:16384-24575. Firefox users must have access to this range of UDP ports as currently, Firefox browser calling does not work with TCP port 443.
Your StarLeaf endpoints make outbound connections to only two IP hosts. These hosts are:
If the local network to which your endpoints are connected has a very restrictive firewall policy for outbound connections, you might need to whitelist access to these destinations. One indication that you need to do this is that StarLeaf Breeze clients will stay fixed on the blue 'Starting...' screen or say that they cannot contact the login or config server. Because the actual IP addresses that these DNS names resolve to can change according to the operational requirements of StarLeaf Cloud, it is preferable to whitelist them by DNS name. If your firewall can only whitelist numeric IP addresses, you can ping the DNS names to find out what the IP addresses are. StarLeaf Support can supply complete ranges of possible IP addresses that your StarLeaf Cloud organization can use, upon request.