StarLeaf Cloud: Port Requirements

For GTmini 3330

For StarLeaf endpoints to be able to access the StarLeaf Cloud service, certain ports on the public IP addresses of StarLeaf Cloud must be reachable for outbound connections through your firewall. It is not necessary to open up any ports for inbound connections. The port requirement is the same regardless of whether you are installing Breeze or a hardware endpoint. Most firewalls, operating at a normal level of security, already meet these requirements. 

GTmini 3330 firewall requirements

| Protocol | Source IP | Source Port | Destination IP | Destination Port | Description |
|---|---|---|---|---|---|
| TCP | Internal SL endpoint | Any | | 443 | StarLeaf authentication and automatic service discovery |
| TCP | Internal SL endpoint | Any | | 443 | StarLeaf tunnel for registration, provisioning, call signalling, and media |
| UDP | Internal SL endpoint | Any | | 24704 | StarLeaf tunnel for registration, provisioning, call signalling, and media |

Outbound port requirements

All StarLeaf endpoints require:

TCP port 443

The following is recommended for best-quality calls, but not required:

UDP: any one of these ports: 24704, 3478, 1194, 500, 123


Refer to Example firewall configuration, above.

StarLeaf endpoints always try UDP port 24704 first, and then the others in descending numerical order. You only need to open one UDP port.

StarLeaf endpoints all use TCP for some call control messages, but for call media, StarLeaf endpoints prefer to use UDP if possible because that provides superior call quality. Therefore, a StarLeaf endpoint (both hardware and Breeze) will attempt to connect using UDP first. If the UDP connection is not possible, then the connection will be an HTTPS connection using port 443.

Browser click-to-call (WebRTC)

Browser-based calls require TCP port 443. For best-quality calls, access to the UDP media port range 16384-24575 is recommended but not required. Firefox users must have access to this range of UDP ports because Firefox browser calling does not currently work with TCP port 443.

IP Addresses

Your StarLeaf endpoints make outbound connections to only two IP hosts. These hosts are: 


  1. - the configuration server that tells an endpoint which StarLeaf Cloud organization it belongs to, and
  2. [your organization name] - any calls your endpoint makes or receives are tunneled through this host. 


If the local network to which your endpoints are connected has a very restrictive firewall policy for outbound connections, you might need to whitelist access to these destinations. One indication that you need to do this is that StarLeaf Breeze clients will stay fixed on the blue 'Starting...' screen or say that they cannot contact the login or config server. Because the actual IP addresses that these DNS names resolve to can change according to the operational requirements of StarLeaf Cloud, it is preferable to whitelist them by DNS name. If your firewall can only whitelist numeric IP addresses, you can ping the DNS names to find out what the IP addresses are. StarLeaf Support can supply complete ranges of possible IP addresses that your StarLeaf Cloud organization can use, upon request.
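
If your firewall can only hold numeric addresses, the allowlist needs rechecking whenever the DNS answers change. The following added example (not StarLeaf code) resolves each DNS name and reports addresses the numeric allowlist does not cover, plus entries that match nothing currently resolved. The host names are placeholders because this page does not give the real ones, and the allowlist entries are constructed from documentation address ranges.

```python
"""Added example: detect drift between DNS names and a numeric firewall allowlist."""
import ipaddress
import socket

# Placeholders: substitute the two DNS names of your StarLeaf Cloud hosts.
HOSTS = ["config-server.example.invalid", "your-organization.example.invalid"]


def resolve(host, port=443):
    """Return the set of IP addresses the name currently resolves to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def audit_allowlist(hosts, allowlist, resolver=resolve):
    """Compare current DNS answers with numeric allowlist entries.

    Returns (uncovered, unused): uncovered maps host -> addresses the firewall
    would block; unused lists entries that match no currently resolved address.
    """
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    uncovered, used = {}, set()
    for host in hosts:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            uncovered[host] = [f"resolution failed: {exc}"]
            continue
        missing = []
        for addr in sorted(addrs, key=str):
            hits = [n for n in nets if addr.version == n.version and addr in n]
            if hits:
                used.update(hits)
            else:
                missing.append(str(addr))
        if missing:
            uncovered[host] = missing
    unused = [str(n) for n in nets if n not in used]
    return uncovered, unused


if __name__ == "__main__":
    # Constructed allowlist; replace with the entries exported from your firewall.
    blocked, idle = audit_allowlist(HOSTS, ["192.0.2.0/28", "198.51.100.7"])
    for host, addrs in blocked.items():
        print(f"{host}: not covered by allowlist -> {', '.join(addrs)}")
    for entry in idle:
        print(f"allowlist entry matches no currently resolved address: {entry}")
```

An unused entry is not necessarily wrong, since the complete ranges supplied by StarLeaf Support can include addresses that are not in use at the moment; review such entries against that list before removing them.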