<aside> ℹ️ This document provides the guidance needed to configure your network to support Daily. The intended audience is IT security and/or Network personnel.

</aside>

Navigating a corporate or restrictive network

Corporate companies deploy firewalls at the boundary between the company's internal network and the external network, typically the internet. These firewalls inspect incoming and outgoing network traffic, acting as a filter to allow or block packets based on predefined rules. To assist our customers that work with companies with restrictive firewalls, we offer three solutions:

  1. IP allowlist: Specify a list of hostnames that a network administrator should not block access to
  2. Static IPs: The IP allowlist involves network administrators whitelisting entire subdomains for *.daily.co and *.wss.daily.co . For companies with strict security policies, we will soon be able to offer static IP addresses for customers on enterprise plans.
  3. IP proxy: Route the signaling traffic via a self-hosted proxy
  4. Self-hosted TURN: Override Daily's default TURN URLs with a self-hosted TURN server URL

Testing & troubleshooting

Please run Dailyʼs network test to see if your network configuration allows for Daily to function. It will test all possible connections methods and will indicate what is and isnʼt working.

IP allowlists

Daily uses a variety of domains, IP addresses, ports, and protocols to connect participants in a call. If you're trying to make calls to and from a network behind a corporate firewall, or through a corporate's Virtual Private Network (VPN), you'll need to make sure to configure the corporate network to allow the following set of domains and IP addresses.

Please see the below resources to understand exactly what domains, IP addresses, ports and protocols you need to unblock to have a successful call on Daily.

Daily network resources

Each section below describes a stage in establishing of a WebRTC call. Theyʼre in a rough order (but not technically precise) of how they happen when a new call is established.

Each stage must work for the call to work overall. Each stage further outlines multiple options, in order of preference, for making this particular stage work.

Daily resources

These are Daily specific resources that must always work.

b.daily.co and c.daily.co must be reachable on TCP/443. Daily SDKs pull in various resources at runtime that arenʼt included in SDKs.

Your Daily domain must also be reachable on TCP/443. Used for various in-meeting communication. For example. If Joe Bloggs made a Daily domain, it might be bloggs.daily.co. So that domain should be reachable on TCP/443 too. The best solution is to whitelist all Daily domains like so *.daily.co

Call initiation