Why Firewall Configuration is Needed
Simple explanation for stakeholders: Real Talk Studio runs interactive avatars using real-time video streaming. Unlike traditional web applications that only need standard HTTPS access, real-time video requires additional network protocols that corporate firewalls often block by default.
How Real Talk Studio Works
Running interactive avatars on Real Talk Studio requires three types of network connections:
- WebSocket connections - For real-time signaling and speech processing
- WebRTC protocols - For low-latency audio and video streaming
- UDP traffic - For optimal video quality (TCP fallback available but may degrade quality)
What Happens Without Proper Configuration
Without the correct firewall rules, Real Talk Studio users will experience:
- Avatar video failing to load or appearing as a black screen
- Audio not being captured or transmitted
- Increased latency and choppy video quality
- Connection timeouts and session failures
Quick check: is the corporate firewall the cause?
A simple way to see if the corporate network is blocking Real Talk Studio:
- Switch to a personal hotspot — On the same device, disconnect from the corporate Wi‑Fi and use your phone’s personal hotspot. If Real Talk Studio works on the hotspot but not on the corporate network, the firewall is likely the cause.
- Use a personal device — Try Real Talk Studio on a personal device (phone, laptop, or tablet) on home Wi‑Fi or a personal hotspot, not on the corporate network. If it works there but not on a corporate device/network, ask IT to whitelist the required services.
Network Requirements
These are the essential domains and ports needed for Real Talk Studio to work. One table for IT to whitelist.
Additional recommendations: Enable UDP hole-punching if your firewall supports it; avoid symmetric NAT where possible. These settings enable direct peer-to-peer connections with the lowest latency.
All required for Real Talk Studio to work.
| Service | Host | Port | Protocol | Purpose |
|---|---|---|---|---|
| Avatar streaming (LiveKit) | *.livekit.cloud | TCP 443 | WSS | Secure signaling via WebSocket |
| Avatar streaming (LiveKit) | *.turn.livekit.cloud | TCP 443 | TURN/TLS | Relay fallback when UDP is blocked |
| Avatar streaming (LiveKit) | *.host.livekit.cloud | UDP 3478 | TURN/UDP | Establishing peer-to-peer connections |
| Speech Recognition (Deepgram) | api.eu.deepgram.com | TCP 443 | WSS/HTTPS | Speech-to-text and text-to-speech |
| Low-latency speech (Deepgram FLUX proxy) | web-production-8e737.up.railway.app | TCP 443 | WSS | Ultra-low-latency streaming transcription used by interactive avatars and embedded sessions |
| AI Conversation (OpenAI) | api.openai.com | TCP 443 | HTTPS | LLM for conversation generation |
| Recommended (optimal quality) | All hosts | UDP 50000-60000 | WebRTC | Direct media traffic for optimal quality |
| Recommended (optimal quality) | All hosts | TCP 7881 | WebRTC/TCP | WebRTC fallback over TCP |
IT Notes
- TLS encryption (port 443) ensures secure media and signaling.
- UDP is strongly recommended for low-latency audio/video performance.
- If UDP is blocked, TURN over TCP (443) will be used as a fallback but may degrade quality.
- SSL/TLS inspection (DPI) must be disabled for the hosts listed above. Real Talk Studio uses long-lived WebSocket connections; TLS-terminating proxies and SSL decryption appliances (Zscaler, Netskope, Palo Alto, Forcepoint, Defender for Cloud Apps, etc.) commonly break the WebSocket upgrade and cause sessions to fail with no visible error. Add these hosts to your decryption exemption list.
- The FLUX speech proxy (web-production-8e737.up.railway.app) is a dedicated host used by interactive avatars and embedded sessions to deliver ultra-low-latency transcription. Symptoms of it being blocked: the avatar loads and the microphone permission is granted, but the avatar never appears to “hear” the user.
Explicit Hostnames (No Wildcards)
Full hostname list for strict firewall policies
If your firewall does not support wildcard domains (like *.livekit.cloud), you will need to whitelist specific hostnames. Real Talk Studio’s LiveKit subdomain is real-talk-studio-muta98vc.
For the latest list of hostnames, see the LiveKit firewall documentation and replace your-subdomain with real-talk-studio-muta98vc.
LiveKit Signal Servers (TCP 443)
LiveKit TURN Servers (TCP 443)
Troubleshooting
Testing Tools
Browser WebRTC Test
Test if your browser supports WebRTC and can establish connections
Connectivity Test
Run Real Talk Studio’s in-app connectivity test to verify your network can reach all required services
Common Issues
If the firewall steps above are not followed, you may experience the following issues:
| Symptom | Likely Cause | Solution |
|---|---|---|
| Avatar video not loading | LiveKit domains blocked | Whitelist *.livekit.cloud on TCP 443 |
| Black screen instead of avatar | WebRTC UDP blocked | Allow UDP 50000-60000 or ensure TURN fallback works |
| Speech not being recognized | Deepgram WebSocket blocked | Whitelist api.eu.deepgram.com on TCP 443 |
| Transcription connects then immediately drops (avatar hears nothing) | FLUX proxy WebSocket blocked or inspected by DPI | Whitelist web-production-8e737.up.railway.app on TCP 443 (WSS). Visiting https://web-production-8e737.up.railway.app/health in a browser on the affected network should return JSON; if it hangs, returns a block page, or shows a corporate certificate, the firewall or SSL inspection is the cause. |
| Session disconnecting frequently | Symmetric NAT or blocked TURN | Check TURN server access and NAT configuration |
| High latency or choppy video | UDP traffic blocked | Allow UDP ports for direct media connections |
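The browser check from the FLUX proxy row above, extended to every explicitly named host so it can be run from the affected network: hang or reset, block page, and inspection certificate each get their own verdict. This is an added example, not Real Talk Studio's own tooling; the function names and the issuer substrings are assumptions, while the hosts and the /health path come from the table.

```python
import http.client
import json
import ssl

# Hosts named explicitly above (wildcards cannot be probed); only /health on the proxy is documented.
HOSTS = ["api.eu.deepgram.com", "api.openai.com", "web-production-8e737.up.railway.app"]
HEALTH = {"web-production-8e737.up.railway.app": "/health"}
# Assumption: issuer substrings for some products named in the IT notes (not exhaustive).
INSPECTION_ISSUERS = ("zscaler", "netskope", "palo alto", "forcepoint")

def issuer_text(cert):
    """Flatten the issuer field of ssl getpeercert() output into one string."""
    return ", ".join(value for rdn in cert.get("issuer", ()) for _, value in rdn)

def classify(cert, status=None, body=None):
    """Turn one probe result into a verdict for the firewall team."""
    if cert is None:
        return "blocked: no TLS session on TCP 443"
    issuer = issuer_text(cert)
    if any(marker in issuer.lower() for marker in INSPECTION_ISSUERS):
        return f"tls-inspected: certificate issued by {issuer}"
    if status is not None:
        try:
            json.loads(body)
        except (TypeError, ValueError):
            return f"block-page: HTTP {status} without a JSON body"
    return f"ok: certificate issued by {issuer}"

def probe(host, timeout=5):
    """Live check: TLS handshake on 443, then GET the health path if one is documented."""
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.connect()
        cert = conn.sock.getpeercert()
        if host not in HEALTH:
            return classify(cert)
        conn.request("GET", HEALTH[host])
        resp = conn.getresponse()
        return classify(cert, resp.status, resp.read().decode(errors="replace"))
    except ssl.SSLCertVerificationError as exc:  # inspecting proxy whose CA is not trusted here
        return f"tls-inspected: certificate not trusted ({exc.verify_message})"
    except (OSError, http.client.HTTPException) as exc:
        return f"{classify(None)} ({exc})"
    finally:
        conn.close()

if __name__ == "__main__":
    for host in HOSTS:
        print(f"{host:40} {probe(host)}")
```

An "ok" verdict still prints the issuer, so it can be compared against the organisation's own inspection CA name if that CA is not in the substring list.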
Security Information
For security teams: All Real Talk Studio connections are encrypted and client-initiated. No inbound firewall rules are required.
Encryption Standards
- HTTPS/WSS connections - TLS 1.2+ encryption on port 443
- WebRTC media - DTLS (Datagram TLS) encryption for all audio/video
- TURN relay - Encrypted relay when direct connections aren’t possible
Connection Direction
All Real Talk Studio connections are outbound only from the client browser:
- No inbound firewall rules required
- No ports need to be opened for incoming traffic
- TURN servers act as secure relays when peer-to-peer isn’t possible
Quick Reference
Copy-Paste Firewall Rules
Minimum Required Domains (TCP 443):
Additional Ports for Optimal Performance:
SSL/TLS inspection must be disabled for the hosts above. Real Talk Studio uses long-lived WebSocket connections (WSS); deep packet inspection or TLS-terminating proxies frequently break the WebSocket upgrade handshake and cause sessions to fail silently. If your firewall has an “SSL inspection bypass” or “decryption exemption” list, add these hosts there as well.
