This guide describes the network ports and configuration requirements for a Alleo application connecting to the primary Alleo Cloud endpoint (*.withalleo.com).
Assumptions and Prerequisites
Customer’s network environment must support HTTPS web traffic via port 443.
No inbound firewall rules are required. All network communication originates from the Alleo web application.
Communications to the Alleo cloud targeting port 80 are immediately redirected and enforce secure HTTPS via port 443.
Network Port Requirements
Alleo leverages a modern web client-server software architecture. The IP-based communication between Alleo web app and the Alleo Cloud leverages a RESTful API. This API enforces strict HTTPS to ensure that all traffic is encrypted.
Below is a chart of the Alleo application network communication. In each case, the source is the end user client application.
| Port | Protocol | Destination | Direction | Network Interface | Description |
443 | HTTPS/WSS | api.withalleo.com | Bidirectional | Internet | Client server API through which all authentication, collaboration, and file transfer occurs |
443 | HTTPS | meet.withalleo.com | Unidirectional | Internet | Access to Alleo application |
443 | HTTPS | admin.withalleo.com | Unidirectional | Internet | Access to Alleo Admin Portal for user and device administration |
443 | HTTPS | widgets.withalleo.com | Unidirectional | Internet | This is required if external widgets are used |
443 | HTTPS | display.withalleo.com | Unidirectional | Internet | Access to Alleo Rooms Client (web version) |
443 | HTTPS | dc.services.visualstudio.com | Unidirectional | Internet | Optional for Azure logging (using Insights) |
443 | HTTPS | support.withalleo.com | Unidirectional | Internet | Alleo Support Portal |
443 | HTTPS | help.withalleo.com | Unidirectional | Internet | Alleo Help Center |
443 | HTTPS/WSS/TCP | *.tokbox.com *.opentok.com | Bidirectional | Internet | Live audio / live video / screenshare |
3478 | UDP | *.tokbox.com *.opentok.com | Bidirectional | Internet | Recommended for better WebRtc experience |
1025 - 65535 | UDP | *.tokbox.com *.opentok.com | Bidirectional | Internet | Recommended for best possible WebRtc experience |
Dynamic IP Addresses
Alleo services are dynamically assigned IP addresses which are perpetually subject to change within Microsoft Azure. Customer firewall rules should specify the fully qualified domain name (FQDN) to mitigate the risk of required traffic being blocked as a result of an assigned IP address changing.
Alleo Rooms Application Requirements
Security firewalls and other related software can interfere with Alleo connections. If you are experiencing difficulties, try whitelisting the Alleo Rooms application within your security software.
Frequently Asked Questions
Are all listed ports required for Alleo to function?
Port 443 (HTTPS/WSS) is required for all core application functionality, including authentication, collaboration, and file transfer.
Ports 3478 UDP and 1025–65535 UDP are strongly recommended to support real-time features such as audio, video, and screen sharing. If these UDP ports are restricted, Alleo will fall back to TCP over port 443, which may result in increased latency and reduced media quality.
Can firewall rules be restricted to specific IP addresses instead of “any” internet traffic?
Alleo services and its real-time media infrastructure use dynamic cloud scaling, meaning IP addresses and specific hostnames frequently change and cannot be reliably allowlisted.
Firewall rules should instead allow traffic to the following domains:
*.withalleo.com*.tokbox.com*.opentok.com
These domain-based rules ensure traffic is limited to Alleo and its media infrastructure while remaining compatible with dynamic scaling.
What happens if UDP ports are blocked?
If UDP ports (3478 and 1025–65535) are blocked, Alleo will attempt to route media traffic over TCP (port 443). While this allows sessions to connect, it can introduce higher latency, lower video/audio quality, and reduced reliability—especially in larger or high-bandwidth sessions.
Are inbound firewall rules required?
Alleo communication is client-initiated outbound traffic only, and no inbound firewall rules are required.
Comments
0 comments
Please sign in to leave a comment.