Firewall Configuration

To ensure smooth operation of LiveAvatar (powered by LiveKit), your network firewall needs to allow traffic to specific hosts and ports. This guide outlines exactly what to open up for signal and media traffic.

🚪What needs access?

LiveKit uses WebSocket (WSS) and WebRTC (TLS/DTLS) protocols over both TCP and UDP. All connections are encrypted. Please allow the following traffic to support all LiveAvatar use cases.

Minimum Required (Basic Functionality)

We require the following to be supported.

Recommended (Best Performance)

In addition to everything above, please allow the following traffic:

In addition, we recommend:

• ✅ Enabling UDP hole-punching (if supported)
• ❌ Avoid symmetric NAT if possible

Wildcards Not Allowed?

If your corporate firewall does not support wildcard domains (like *.livekit.cloud), you’ll need to allow traffic to specific hostnames.

Please visit: https://docs.livekit.io/home/cloud/firewall/ for latest list of hostnames. LiveAvatar's subdomain can is heygen-feapbkvq. Please replace <your-subdomain> with heygen-feapbkvq.

IT Notes

• TLS encryption (port 443) ensures secure media and signaling.
• UDP is strongly recommended for low-latency audio/video performance.
• If UDP is blocked, TURN over TCP (443) will be used as a fallback but may degrade quality.

Additional Troubleshooting Tools:

Test Browser Compatibility: https://livekit.io/webrtc/browser-test

Test Connections:

1. Note the response from our session start.
   1. Take note of the livekit_url and livekit_client_token.
2. Enter in livekit_url under LIVEKIT URL and the livekit_client_token under ROOM TOKEN here: https://livekit.io/connection-test