2025-11-06 –, Room A
According to their documentation, modern WebRTC-based conferencing solutions require literally thousands of open ports to hundreds of thousands of IP addresses to play.
How come they still work in today's super-restrictive corporate networks, when they were conceived at a time when the Internet was still an idyllic place and a firewall was just a clean-cut packet filter?
And how can you fix them in case they don't cooperate?
I invite you to join my journey of finding this out, and I'll show you my implements ;-)
We will look at the big players:
• Zoom Web
• Teams
• Google Meet
• Webex
• GoToWebinar (not big, but what my company does)
What do the specs say with regard to IPs/ports/domains?
What is the (tested) minimum?
How do we find out what network requirements they really have?
• Run Wireshark capture in unrestricted network to get a first idea
• Have browser export TLS keys so you can read the setup messages
• Restrict protocols, address ranges and domains step by step to see what still works
• Live demonstration of test setup
Short sidenote: How WebRTC finds connections - diagrams of the different configurations
Tests
How do they deal with:
• Explicit Proxies (SNI)
• No local DNS / DNS sinkholes
• DPI (Fallback from QUIC to force proxies)
• Zscaler connections (split routing)
• Non-corporate VPN solutions (WireGuard-based)
• How many connections are used in total
• IP ranges/domains used
What to do if things fail
Common workarounds:
• WebRTC fallbacks
• Exclude Signaling from DPI
• Open UDP
• TURN server to the rescue
• Faking DNS
Helping customers and engineers to understand problems with communication protocols in their networks.
Debugging communication protocols and analysing log files for a living and having fun with it.
Finding problems in software since the era of punched tapes.
Working for GoTo, the makers of GoToWebinar / GoToTraining.