Daily uses a variety of domains, IP addresses, ports, and protocols to connect calls. If you're trying to make calls to and from a network behind a corporate firewall, or through a VPN, you'll need to make sure you can access the following domains:

Additionally, you'll want to make sure you can access *.daily.co on port 443, as it's used for a variety of fallback connection types.

If you have a VPN, Daily calls will have much better quality if you can configure Daily's traffic to bypass it. You can usually do that by configuring split tunneling. You'll at least want to exempt port 443 for the Twilio IP ranges listed below, and possibly for the Xirsys IPs as well. If you can exempt UDP traffic altogether, that's even better.

Twilio's IP ranges: https://www.twilio.com/docs/stun-turn/regions

Xirsys's IP ranges: https://docs.xirsys.com/?pg=ip-whitelist

If you have a firewall, you should allow UDP hole punching, which is essentially the standard behavior for most firewalls. If you're explicitly allowing or denying UDP ports, you'll definitely need to open port 3478 for signaling and media tunneling. You'll also need to open UDP ports 40000-65534 for all hosts in order for peer-to-peer calls to work correctly.
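One way to check an explicit port policy against the requirements above, as an added example (not Daily's code). It assumes a simplified rule model in which rules match on protocol and destination port, the first match wins, and unmatched traffic is denied; treating port 443 as TCP is also an assumption, and `Rule`, `verdict`, `blocked_ranges` and `audit` are hypothetical names.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    lo: int      # first destination port matched
    hi: int      # last destination port matched

# Requirements from the article; treating port 443 as TCP is an assumption.
DAILY_REQUIREMENTS = [
    ("tcp", 443, 443),      # *.daily.co and fallback connections
    ("udp", 3478, 3478),    # signaling and media tunneling
    ("udp", 40000, 65534),  # peer-to-peer calls
]

def verdict(rules, proto, port, default="deny"):
    """First matching rule wins; otherwise the default policy applies."""
    hits = (r.action for r in rules if r.proto in (proto, "any") and r.lo <= port <= r.hi)
    return next(hits, default)

def blocked_ranges(rules, proto, lo, hi, default="deny"):
    """Contiguous sub-ranges of lo..hi that the policy does not allow."""
    gaps, start = [], None
    for port in range(lo, hi + 1):
        allowed = verdict(rules, proto, port, default) == "allow"
        if not allowed and start is None:
            start = port
        elif allowed and start is not None:
            gaps.append((start, port - 1))
            start = None
    if start is not None:
        gaps.append((start, hi))
    return gaps

def audit(rules, default="deny"):
    """Map each unmet requirement to the ports that are still blocked."""
    found = ((req, blocked_ranges(rules, *req, default)) for req in DAILY_REQUIREMENTS)
    return {req: gaps for req, gaps in found if gaps}

# Constructed sample: UDP 3478 missing, a deny ahead of the media allow, range cut at 60000.
SAMPLE_RULES = [
    Rule("allow", "tcp", 443, 443),
    Rule("deny", "udp", 50000, 50999),
    Rule("allow", "udp", 40000, 60000),
]

if __name__ == "__main__":
    for (proto, lo, hi), gaps in audit(SAMPLE_RULES).items():
        print(f"{proto} {lo}-{hi}: blocked {gaps}")
```

An empty result from `audit` means every listed port is reachable under the policy; any entry names the exact sub-range that still needs an allow rule.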

If you have a network appliance that provides threat-based IP whitelisting/blacklisting (such as Cisco Talos), you may run into occasional connection issues based on your blacklist entries. Daily uses Amazon public cloud resources, so our call servers get assigned random IPs from Amazon’s address range. Occasionally, these IPs make it onto security blacklists because hackers use AWS too. When this happens, your users may experience some of the issues described in this document:


When you're in a call with 4 or fewer people, Daily uses direct peer-to-peer connections for your audio and video for maximum quality. When the fifth person joins, the call automatically switches to routing everyone's audio and video through a centralized Daily server.

To test whether routing through the Daily server (SFU mode) resolves a user's connection issues, you can use the setNetworkTopology() method to switch a call to server-based mode.

await callFrame.setNetworkTopology({ topology: 'sfu' });

Please note that this method is only for testing. For more details, please refer to our docs: https://docs.daily.co/reference#setnetworktopology

Content Security Policy (CSP) Directives