At Daily, we provide global infrastructure to deliver high-quality video and audio communications. Many of our customers operate in security-oriented and regulated verticals such as healthcare, banking and financial services, law, and government services. Our platform includes regional data geofencing, logging and analytics, HIPAA compliance and, now, an Advanced Firewall Control capability.
Over the next few months, we're sharing insights into the various challenges of delivering video and audio to enterprise users. In this post, our Chief Product Technology Officer Dr. Varun Singh discusses our latest offering.
Today we're excited to unveil Daily's Advanced Firewall Control solution, which enables seamless connectivity for users behind highly restrictive enterprise firewalls. Providing a reliable video call experience is the top priority for our customers. Yet restrictive security environments and firewalls, commonplace in some industries, can mean that video calls do not even connect. Unaddressed, systematic call failures deeply impair user satisfaction, retention, and revenue growth.
Daily has long supported our customers in security-oriented and regulated industries with hands-on guidance for configuring firewalls and security rule sets, and with automatic media tunneling via the standard TURN protocol. We’re now extending this support to include two new features, as part of our Infrastructure package add-on:
- Self-hosted IP proxy: Routes all video call signaling traffic via a self-hosted IP proxy
- Self-hosted TURN: Routes media traffic via self-hosted STUN/TURN servers when necessary
In this post, we'll first discuss what occurs at a lower level when your end user is having trouble connecting to calls. Read on to learn more how Daily's IP Proxy solution helps you navigate complex network configurations. You also can view our documentation and pricing.
How firewalls block video calls
WebRTC video and audio calls use at least two network connections. First, the WebRTC client connects to a signaling server that sets up and manages the call state. Second, the client connects to a media server, or directly to the other clients participating in the call, to send and receive video and audio.
The signaling connection generally uses standard HTTP and WebSocket protocols. The media connections are established using a standard set of negotiation and routing protocols called STUN and TURN.
In general, the combination of WebSockets, STUN, and TURN are reliable for a very wide range of network environments. However, network firewalls can be configured to block WebSocket traffic, STUN binding requests, and consequently, video and audio traffic.
It is somewhat common for IT departments for hospitals, law firms, and banks to configure firewalls in this way. For video calls to work behind these “default deny” firewalls, one of two things has to happen.
- The IT department can add the signaling and media servers to firewall allowlists, or
- The IT department can manage proxies for the signaling and media traffic
Unblocking signaling and media traffic: Allowlists
The simplest way to navigate a restrictive firewall is to add Daily’s signaling and media server infrastructure to the firewall “allowlists” maintained by the organization’s IT department. An allowlist is a list of valid hostnames and IP addresses that the network firewall will allow connections out to, in from, or both.
After Daily’s infrastructure is added to the organization’s allowlists, video calls will work perfectly for users behind the enterprise firewall. We document the domains and IP addresses to add to firewall allowlists here. If you work with customers in highly regulated, security-oriented, industries, we strongly recommend working proactively with your end users’ IT departments to add Daily’s infrastructure to your customers’ allowlists. Our support engineers are always available to help with this.
However, IT department policies in some companies and industries can make it difficult to get approval to add third-party hostnames and IP addresses to allowlists. Depending on the culture of the IT department, it can also be challenging to maintain reliable connectivity using the allowlist approach. To better support environments where allowlists are not an ideal solution, we have launched two new features: self-hosted IP proxy and self-hosted TURN.
Navigating corporate firewalls with hosted proxies
Daily’s self-hosted IP proxy feature enables you to route Daily's signaling traffic through an HTTP and WebSocket proxy hosted within a corporate network or in your cloud environment. This is particularly beneficial in situations where web proxies are already set up for customers. Daily’s signaling traffic can flow through these existing proxies.
Using our self-hosted IP proxy feature only requires configuring a proxy URL to point at a standard HTTP proxy. After configuring a proxy URL, the connections from the client SDK will route through the proxy instead of attempting to connect directly to Daily. If the proxy is part of the organization’s trusted infrastructure we can expect 100% connectivity rates.
Daily’s self-hosted TURN feature enables you to route video and audio traffic through specific TURN servers instead of through Daily’s distributed global TURN infrastructure. Here, again, if the TURN URLs are properly configured we can expect 100% connectivity rates even for clients behind restrictive firewalls.
For comprehensive instructions and examples, consult our documentation for allowlists, proxy URL, and TURN URLs. You can learn about the Infrastructure add-on, as well as our range of support and enterprise offerings, on our pricing page. Or contact us for hands-on help or to connect with sales. Whether you’re a developer implementing video features or a product owner with responsibility for delivering seamless, reliable video services, we’re here to support you and your team.
Top comments (0)