Cloud Video Platform: firewall guidance for corporate IT services
Updated 19 September 2024
© Crown copyright 2024
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/how-to-join-a-cloud-video-platform-cvp-hearing/cloud-video-platform-firewall-guidance-for-corporate-it-services
This guide is for IT professionals supporting access to the Cloud Video Platform (CVP) from a corporate network. It includes our firewall rules.
CVP is a browser-based internet service that supports real time video and audio over secure WebRTC.
If you need technical support, call our helpdesk on 0330 808 9405, Monday to Friday from 9am to 5pm.
Camera and microphone access
Users must be able to grant access to their device camera and microphone so that they can carry out a self-test of their device and participate in a video hearing.
Your browser policies must allow camera and microphone access https://meet.video.justice.gov.uk.
Real-time media
Content is served as follows:
- Web traffic is sent using HTTPS over TCP/IP.
- Signalling to client browsers is using WSS/HTTPS.
- Signalling to H323 and SIP video endpoints is over TCP 1720, 5060, 5061 and UDP 1719.
- Video and audio traffic is sent using SRTP over TCP/IP and UDP.
UDP is the preferred method of transit for real time video and audio as it gives better performance and lower latency than TCP/IP.
We recognise that in some cases, corporate firewalls cannot be opened to allow connectivity over UDP. Where WebRTC is unable to arrange a client connection over UDP, the CVP service will use HTTPS port 443 over TCP/IP for video and audio for the client.
Where this method of connectivity is used, the quality of a users’ video and audio will be impacted by their local network connection.
Some corporate firewalls and VPNs have packet filtering or packet inspection implemented. If this is the case, and depending on your configuration, you may need to allow media packets from CVP if you are opting to use HTTPS port 443 for video and audio traffic.
Browsers
You should use the latest version of the operating system on your device.
You should also use the latest version of your internet browser. Which browser you can use depends on your device.
If you are using a Windows-based laptop or desktop computer, you can use:
- Google Chrome
- Microsoft Edge
- Edge Chromium
CVP will not work on any version of Internet Explorer.
If you are using an Apple laptop or device, we recommend you download and use Google Chrome.
IP addresses/ranges
For the service to work, the IP addresses/ranges listed must be allowed as shown in this guide. The full subnet should be allowed as the assigned public addresses will be selected from these ranges.
For the best possible user experience, the IP addresses/ranges listed should be allowed over UDP.
CVP IP subnets
- 91.240.195.0/24
- 91.240.204.0/22
- 176.121.88.0/21
- 185.94.240.0/22
- 185.124.96.0/22
SIP and H323 endpoints
| Required | Service | Host | Transport | Ports | Rule |
|---|---|---|---|---|---|
| Mandatory | Signalling | Any | TCP | 1720, 5060,5061 | Outgoing, established |
| Mandatory | Signalling | Any | UDP | 1719 | Outgoing, established |
| Mandatory | Signalling | Any | TCP | 33000-49999 | Outgoing, established |
| Mandatory | Signalling | Any | UDP | 40000-499991 | Outgoing, established |
WebRTC
| Required | Service | Host | Transport | Ports | Rule |
|---|---|---|---|---|---|
| Mandatory | Normal web/ secure WebRTC | Any | TCP | 80,443 | Outgoing, established |
| Mandatory | Media | Any | UDP | 40000-49999 | Outgoing, established |
| Mandatory | Media | Any | TCP | 40000-49999 | Outgoing, established |