Firewall & VPN configuration
Last updated: June 1, 2026
This page is for IT and network administrators. On most networks Videosync works out of the box over standard HTTPS, but restrictive corporate firewall, proxy, or VPN policies may block parts of it. Below are the domains, protocols, and ports to allow.
Viewer access
Event page
This covers loading the event page and its live functionality (poll results, Q&A, viewer state), which runs over a WebSocket connection.
Allow outbound HTTPS (TCP 443) to *.videosync.fi.
- WebSocket signaling:
socketservice.videosync.fiover WSS (TCP 443). This is covered by the wildcard above, but if your proxy filters by protocol, allow WebSocket upgrades. - Player licensing:
licensing.bitmovin.comover HTTPS (the player still works even if this domain is blocked). - Custom fonts from Typekit (only if used in an event):
use.typekit.netover HTTPS.
HLS stream access
Live and on-demand video is delivered as a multi-bitrate HLS stream over the AWS CloudFront CDN, fetched over HTTPS (TCP 443). Allowing standard outbound 443 covers this.
Multi-bitrate streams generally require up to 5 Mbps of bandwidth per viewer. The maximum automatically selected quality/bitrate can be limited per event. If available bandwidth is constrained, contact support.
Because this is the high-bandwidth traffic, configure split tunneling in your VPN for the video domains if possible, to avoid routing the video through the corporate network.
Allowlist the CDN by domain rather than by IP. CloudFront has no fixed set of IPs, so IP-based rules are unreliable. If your setup requires them, AWS publishes its CloudFront IP ranges (the CLOUDFRONT service) for this case.
For large audiences on the same corporate network, Videosync offers peer-to-peer (P2P) delivery as a separately priced add-on. Viewers share stream segments with each other, which reduces total bandwidth and CDN load. Contact support if this could help your setup.
Real-time stream access (talkback / hand-raise)
Some events have a real-time stream enabled, which may let participants raise their hand and use their own microphone (and optionally camera) to ask questions live during the event.
To check whether a network allows the real-time connection, run the connection test page from that network. It reports which checks (WebRTC, STUN/TURN, WebSocket regions) pass or fail.
The real-time stream uses a WebRTC connection provided by Daily.co, the same infrastructure as Videosync Web Studio. It needs outbound UDP for media (with TCP/443 fallback) and reachability to Daily’s STUN/TURN and signaling endpoints. Do not apply SSL or deep-packet inspection to this traffic; proxies that decrypt and re-encrypt media let users connect to the call but block audio and video. For the exact IP ranges, ports, and protocols to allow, follow Daily’s corporate-network guidance:
https://docs.daily.co/guides/privacy-and-security/corporate-firewalls-nats-allowed-ip-listSpeaker access (Web Studio)
Videosync Web Studio is a separate UI for speakers, powered by Daily.co’s infrastructure. It needs:
- HTTPS (TCP 443) to
*.videosync.fito load the speaker UI. - WebSocket signaling to
socketservice.videosync.fiover WSS (TCP 443). - WebRTC media on Daily.co: outbound UDP (with TCP/443 fallback) and reachability to Daily’s STUN/TURN and signaling endpoints, which a strict firewall or proxy can block. Do not apply SSL or deep-packet inspection to this traffic; proxies that decrypt and re-encrypt media let users connect to the call but block audio and video.
Opening a Web Studio admin or speaker link runs a firewall check in the background and warns the user if connectivity to Daily.co servers is limited. You can also run the connection test page from the speaker’s network to verify the real-time connection before the event.
For the exact IP ranges, ports, and protocols to allow, follow Daily’s corporate-network guidance:
https://docs.daily.co/guides/privacy-and-security/corporate-firewalls-nats-allowed-ip-listLegacy Conference Call speaker link
This applies only to Speakers connecting to the legacy presenter view. If your presenters use Web Studio to connect, see the requirements above instead.
Videosync Conference Call service is powered by TurboBridge.
Legacy Web Call interface for remote presenters is hosted on following domains: https://palvelu.flik.fi/ and https://conference.financialhearings.com/
Users connecting to conference call via browser (remote presenters using Web Call) need to have firewall allowing port 443 TCP Outbound (Signaling Web Sockets) and ports 7800-32000 UDP Outbound (Voice Traffic ports) to 185.167.188.0/22 network.
Additionally, if HTTP proxy is being used, this proxy must allow web socket connections to wss://ws.turbobridge.com
External RTMP encoder
This applies only to the network used by an external encoder (e.g. vMix or OBS), not to viewers or speakers.
Videosync ingests live streams over RTMP. The encoder needs outbound TCP 1935 to Videosync’s RTMP servers. Allowlist these by domain; the IPs are listed for reference and may occasionally change.
| Domain | IP | Ports |
|---|---|---|
| eu-n-1.videosync.fi | 13.49.2.41 | TCP 1935, 443 |
| eu-n-2.videosync.fi | 13.48.36.178 | TCP 1935, 443 |
| eu-w-1.videosync.fi | 52.51.231.171 | TCP 1935, 443 |
If TCP 1935 is blocked, switch the encoder to RTMPS over 443, which enterprise networks sometimes permit by default. Change the ingest URL scheme from rtmp:// to rtmps:// and use port 443: rtmps://xxx.videosync.fi:443/acme_1