Why Firewall Configuration is Needed
Simple explanation for stakeholders: Real Talk Studio runs interactive avatars using real-time video streaming. Unlike traditional web applications that only need standard HTTPS access, real-time video requires additional network protocols that corporate firewalls often block by default.
How Real Talk Studio Works
Running interactive avatars on Real Talk Studio requires three types of network connections:
- WebSocket connections - For real-time signaling and speech processing
- WebRTC protocols - For low-latency audio and video streaming
- UDP traffic - For optimal video quality (TCP fallback available but may degrade quality)
What Happens Without Proper Configuration
Without the correct firewall rules, Real Talk Studio users will experience:
- Avatar video failing to load or appearing as a black screen
- Audio not being captured or transmitted
- Increased latency and choppy video quality
- Connection timeouts and session failures
Quick check: is the corporate firewall the cause?
A simple way to see if the corporate network is blocking Real Talk Studio:
- Switch to a personal hotspot — On the same device, disconnect from the corporate Wi‑Fi and use your phone’s personal hotspot. If Real Talk Studio works on the hotspot but not on the corporate network, the firewall is likely the cause.
- Use a personal device — Try Real Talk Studio on a personal device (phone, laptop, or tablet) on home Wi‑Fi or a personal hotspot, not on the corporate network. If it works there but not on a corporate device/network, ask IT to whitelist the required services.
Network Requirements
These are the essential domains and ports needed for Real Talk Studio to work. One table for IT to whitelist.
Additional recommendations: Enable UDP hole-punching if your firewall supports it; avoid symmetric NAT where possible. These settings enable direct peer-to-peer connections with the lowest latency.
All required for Real Talk Studio to work.
| Service | Host | Port | Protocol | Purpose |
|---|---|---|---|---|
| Avatar Streaming (HeyGen + LiveKit) | api.heygen.com | TCP 443 | HTTPS | Avatar API and session management |
| Avatar Streaming (HeyGen + LiveKit) | *.livekit.cloud | TCP 443 | WSS | Secure signaling via WebSocket |
| Avatar Streaming (HeyGen + LiveKit) | *.turn.livekit.cloud | TCP 443 | TURN/TLS | Relay fallback when UDP is blocked |
| Avatar Streaming (HeyGen + LiveKit) | *.host.livekit.cloud | UDP 3478 | TURN/UDP | Establishing peer-to-peer connections |
| Speech Recognition (Deepgram) | api.deepgram.com | TCP 443 | WSS/HTTPS | Speech-to-text and text-to-speech |
| AI Conversation (OpenAI) | api.openai.com | TCP 443 | HTTPS | LLM for conversation generation |
| Recommended (optimal quality) | All hosts | UDP 50000-60000 | WebRTC | Direct media traffic for optimal quality |
| Recommended (optimal quality) | All hosts | TCP 7881 | WebRTC/TCP | WebRTC fallback over TCP |
IT Notes
- TLS encryption (port 443) ensures secure media and signaling.
- UDP is strongly recommended for low-latency audio/video performance.
- If UDP is blocked, TURN over TCP (443) will be used as a fallback but may degrade quality.
Explicit Hostnames (No Wildcards)
Full hostname list for strict firewall policies
If your firewall does not support wildcard domains (like *.livekit.cloud), you will need to whitelist specific hostnames. Real Talk Studio’s LiveKit subdomain is real-talk-studio-muta98vc.
For the latest list of hostnames, see the LiveKit firewall documentation and replace your-subdomain with real-talk-studio-muta98vc.
LiveKit Signal Servers (TCP 443)
LiveKit TURN Servers (TCP 443)
Troubleshooting
Testing Tools
Browser WebRTC Test
Test if your browser supports WebRTC and can establish connections
Connectivity Test
Run Real Talk Studio’s in-app connectivity test to verify your network can reach all required services
Common Issues
If the firewall steps above are not followed, you may experience the following issues:

| Symptom | Likely Cause | Solution |
|---|---|---|
| Avatar video not loading | LiveKit domains blocked | Whitelist *.livekit.cloud on TCP 443 |
| Black screen instead of avatar | WebRTC UDP blocked | Allow UDP 50000-60000 or ensure TURN fallback works |
| Speech not being recognized | Deepgram WebSocket blocked | Whitelist api.deepgram.com on TCP 443 |
| Session disconnecting frequently | Symmetric NAT or blocked TURN | Check TURN server access and NAT configuration |
| High latency or choppy video | UDP traffic blocked | Allow UDP ports for direct media connections |
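
To confirm from the firewall's own deny log which of the required flows are being blocked, the following added example (not part of Real Talk Studio's documentation or tooling) counts denied connections per row of the Network Requirements table. The key=value log format, the sample lines, the placeholder hostname and the function names are assumptions made for illustration.

```python
import fnmatch
import re
from collections import Counter

# Outbound flows from the Network Requirements table on this page:
# (host pattern, protocol, low port, high port, purpose). The specific
# *.turn pattern precedes *.livekit.cloud so the relay is reported separately.
REQUIRED = [
    ("api.heygen.com", "tcp", 443, 443, "Avatar API and session management"),
    ("*.turn.livekit.cloud", "tcp", 443, 443, "Relay fallback when UDP is blocked"),
    ("*.livekit.cloud", "tcp", 443, 443, "Secure signaling via WebSocket"),
    ("*.host.livekit.cloud", "udp", 3478, 3478, "Establishing peer-to-peer connections"),
    ("api.deepgram.com", "tcp", 443, 443, "Speech-to-text and text-to-speech"),
    ("api.openai.com", "tcp", 443, 443, "LLM for conversation generation"),
    ("*", "udp", 50000, 60000, "Direct media traffic for optimal quality"),
    ("*", "tcp", 7881, 7881, "WebRTC fallback over TCP"),
]

# Constructed sample in a hypothetical key=value format; map the fields to your firewall's log.
SAMPLE_LOG = """\
action=allow proto=tcp dst=api.heygen.com dport=443
action=deny proto=udp dst=203.0.113.7 dport=50412
action=deny proto=udp dst=203.0.113.7 dport=58001
action=deny proto=tcp dst=PLACEHOLDER.turn.livekit.cloud dport=443
action=deny proto=tcp dst=ads.example.net dport=443
action=deny proto=udp dst=198.51.100.9 dport=53
this line is malformed
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def match_flow(proto, dst, dport):
    """Return the purpose of the first required flow this connection belongs to, else None."""
    for pattern, rproto, low, high, purpose in REQUIRED:
        if proto == rproto and low <= dport <= high and fnmatch.fnmatchcase(dst, pattern):
            return purpose
    return None

def triage(log_text):
    """Count denied connections per required flow; skip allows, unrelated denies and bad lines."""
    blocked = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("action") != "deny" or not f.get("dport", "").isdigit():
            continue
        purpose = match_flow(f.get("proto", "").lower(), f.get("dst", "").lower(), int(f["dport"]))
        if purpose:
            blocked[purpose] += 1
    return dict(blocked)
```

On the sample, `triage(SAMPLE_LOG)` reports both the direct media UDP range and the TURN relay as denied, which is the combination the table above lists under "Black screen instead of avatar". Firewalls that log only destination IPs will need a DNS-log join before the hostname rows can match.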
Security Information
For security teams: All Real Talk Studio connections are encrypted and client-initiated. No inbound firewall rules are required.
Encryption Standards
- HTTPS/WSS connections - TLS 1.2+ encryption on port 443
- WebRTC media - DTLS (Datagram TLS) encryption for all audio/video
- TURN relay - Encrypted relay when direct connections aren’t possible
Connection Direction
All Real Talk Studio connections are outbound only from the client browser:
- No inbound firewall rules required
- No ports need to be opened for incoming traffic
- TURN servers act as secure relays when peer-to-peer isn’t possible
Quick Reference
Copy-Paste Firewall Rules
Minimum Required Domains (TCP 443):
Additional Ports for Optimal Performance:
