Re: Optimal Firewall Configuration Information

GlennD · ‎08-27-2015

If you or your company uses firewall whitelist to restrict network access to only specific websites or software, then you can use the information below to ensure that your service can connect. (updated 1/2/19)

Ports

Our LogMeIn products are configured to work with the following ports.

Port	Purpose
Outbound TCP 443	Required, used by all products. Needs to support WebSocket connections over HTTPS
Outbound TCP 80	Recommended, used for in-session communication
UDP 8200	Recommended, used for integrated Voice over IP (VoIP) and in-session communication
UDP 1853	Recommended, used for integrated webcam video support and Voice over IP (VoIP) and in-session communication
TCP 1720 TCP 3000-4000 UDP 3000-4000	Used for InRoom Link video conference systems Can be closed when not using InRoom Link All GoToMeeting Telepresence Gateway IPs are listed below
UDP 45000-49999	Used by GoToRoom for STUN traffic
UDP 123	Used by GoToRoom devices for time synchronization
SIP 5060 SIP 5061	Used for GoToRoom, InRoom Link video conference systems, and Jive
Inbound connections	Not required

Domains

For most firewall or proxy systems, we recommend specifying a allowlist of DNS names for LogMeIn services so that outbound connections can be made. The list of LogMeIn domains currently includes (but is not limited to) the lists below.

Universally Required Allowlisting

Domain	Description/Purpose
api.filepicker.io	Third-party file-hosting service This will soon change to *.filestackapi.com.
*.cdngetgo.com	CDN used by multiple products
*.clientstream.launchdarkly.com	Third-party feature testing service
*.cloudfront.net	Third-party CDN
*.expertcity.com	Corporate domain used by multiple products
*.filestackapi.com	Third-party file-hosting service (NEW! FilePicker has changed their name)
*.getgo.com	Product domain used by multiple products
*.getgocdn.com	CDN used by multiple products
*.getgoservices.com	Product domain used by multiple products
*.getgoservices.net	Product domain used by multiple products
*.goto-rtc.com	Real-time communication service used by multiple products
*.launchdarkly.com	Third-party feature testing service
*.logmein.com	Corporate domain used by multiple products
*.logmeininc.com	Corporate domain used by multiple products
*logmein.eu	Corporate domain used by multiple products
*.raas.io	Real-time communication service used by multiple products
*accounts.logme.in	Corporate domain used by multiple products
*internap.net	Powers updates to mulitple products
*internapcdn.net	Powers updates to mulitple products

GoToMeeting

GoToMeeting Domains
*.gotomeet.at
*.gotomeet.me
*.gotomeeting.com
*.joingotomeeting.com
*.openvoice.com

GoToMeeting In-Room Link

GoToMeeting Telepresence Gateway IPs (used for In-Room Link)
18.204.185.138	34.198.211.44	35.163.21.126	52.89.244.74
18.206.130.144	34.206.8.154	35.166.83.0	54.186.65.8
18.211.0.202	34.228.176.67	50.112.11.246	54.203.109.236
18.211.229.161	34.234.40.144	52.25.211.189	54.203.115.241
18.211.247.213	35.153.82.243	52.27.246.42	54.203.143.218
18.211.9.229	52.2.173.223	52.27.40.170	54.203.206.175
18.213.41.148	52.206.127.145	52.27.43.192	54.214.61.16
18.213.73.2	52.5.71.46	52.34.131.227	54.214.78.209
34.193.160.65	52.7.210.26	52.37.50.38	54.218.221.152
34.193.181.152	52.72.27.55	52.41.250.106	54.71.117.16

GoToRoom

Please note that you must also allowlist all domains listed for GoToMeeting.

GoToRoom Domains
*.dolbyvoice.com (for GoToRoom with Dolby Voice only)
*.google-analytics.com
*.gotoconference.com
*.gotoroom.com
*.jive.com
*.jiveip.net
*.jmp.tw

GoToWebinar

GoToWebinar Domains
*.gotowebinar.com
*.joinwebinar.com
*.webinar.com
*.gotostage.com
*.cdn.walkme.com

GoToTraining

GoToTraining Domains
*.gototraining.com
*.jointraining.com
*.firebaseio.com
*.firebaseapp.com
*.cdn.walkme.com

OpenVoice

OpenVoice Domains
*.openvoice.com

GoToConnect

GoToConnect Domains
*.jive.com

GoToConnect IP Range Blocks

For more detailed information, please see What are GoToConnect's IP blocks?

Description	Block	Netmask	Wildcard
GoToConnect Block 1	`199.36.248.0/22`	`255.255.252.0`	`0.0.3.255`
GoToConnect Block 2	`199.87.120.0/22`	`255.255.252.0`	`0.0.3.255`
GoToConnect Block 3	`162.250.60.0/22`	`255.255.252.0`	`0.0.3.255`
GoToConnect IPv6	`2606:CB00::/32`	—	—

GoToAssist

GoToAssist Domains
*.assist.com
*.fastsupport.com
*.go2assist.me
*.gofastchat.com
*.gotoassist.com
*.gotoassist.at
*.gotoassist.me
*.helpme.net
*logmeinrescue.com
*.tokbox.com
static.opentok.com
enterprise.opentok.com
api.opentok.com
anvil.opentok.com
hlg.toxbox.com

GoToMyPC

GoToMyPC Domains
*.gotomypc.com

Rescue

Rescue Domains
*.LogMeIn123.com
*.123rescue.com
*.support.me
*.logmeinrescue.com
*.logmeinrescue.eu
*.logmeinrescue-enterprise.com (Powers account-specific Rescue features, not required for standard accounts)
*.logmein-gateway.com

Rescue Lens

Rescue Lens Domains
*.logmeinrescue.com
*.logmeinrescue-enterprise.com (only required for Enterprise accounts)

LastPass

LastPass Domains
*.lastpass.com
*.lastpass.eu

Join.me

Join.me Domains
*.join.me

BoldChat

BoldChat Domains
*.boldchat.com
*.bold360.com

Hamachi

Hamachi Domains
*.hamachi.cc

LogMeIn Pro & Central

LogMeIn Pro/Central Domains	Feature Supported
*.logmeinusercontent	For files stored and shared using the LogMeIn Pro Files feature
*.browse.logmeinusercontent.com	For files stored and shared using the LogMeIn Pro Files feature
lmi-antivirus-live.azureedge.net	For LogMeIn Central - Antivirus
lmi-appupdates-live.azureedge.net	For LogMeIn Central - Application updates

Important considerations for allowlisting by IP Ranges

It is recommended to use wildcard rules whenever possible while allowlisting or blocking any LogMeIn services on your network as sub-domains of the domains listed above are included. Also, the client-to-host connection uses peer-to-peer connections, encrypted within a 256-bit AES tunnel.

Use of IP ranges instead of domain names for the firewall configuration is discouraged unless absolutely necessary because our IP ranges and those of our provider networks need to be periodically audited and modified, creating additional maintenance for your network. These changes are necessary to continue to provide the maximum performance for our LogMeIn products. Maintenance and failover events within our infrastructure may cause you to connect to servers within any of the ranges.

If your firewall includes a content or application data scanning filter, this may cause a block or latency, which would be indicated in the log files for the filter. To address this problem, verify that the domains or IP ranges will not be scanned or filtered by specifying exception domains or IP ranges. If your security policy requires you to specify explicit domain or IP ranges, then configure your firewall exceptions for outbound TCP ports 8200, 443, and 80 as well as UDP ports 8200 and 1853 for the LogMeIn domains or IP ranges, including those of our third-party provider networks.

LogMeIn server / Data Center IP addresses for use in firewall configurations

Equivalent specifications in 3 common formats

Assigned Range by Block	Numeric IP Address Range	Netmask Notation	CIDR Notation
Block 1	216.115.208.0 – 216.115.223.255	216.115.208.0 255.255.240.0	216.115.208.0/20
Block 2	216.219.112.0 – 216.219.127.255	216.219.112.0 255.255.240.0	216.219.112.0/20
Block 3	67.217.64.0 – 67.217.95.255	67.217.64.0 255.255.224.0	67.217.64.0/19
Block 4	173.199.0.0 – 173.199.63.255	173.199.0.0 255.255.192.0	173.199.0.0/18
Block 5	206.183.100.0 – 206.183.103.255	206.183.100.0 255.255.252.0	206.183.100.0/22
Block 6	68.64.0.0 – 68.64.31.255	68.64.0.0 255.255.224.0	68.64.0.0/19
Block 7	23.239.224.0 – 12.239.255.255	23.239.224.0 255.255.224.0	23.239.224.0/19
Block 8	202.173.24.0 – 202.173.31.255	202.173.24.0 255.255.248.0	202.173.24.0/21
Block 9	78.108.112.0 – 78.108.127.255	78.108.112.0 255.255.240.0	78.108.112.0/20
Block 10	185.36.20.0 – 185.36.23.255	185.36.20.0 255.255.252.0	185.36.20.0/22
Block 11	188.66.40.0 – 188.66.47.255	188.66.40.0 255.255.248.0	188.66.40.0/21
Block 12	45.12.196.0 – 45.12.199.255	45.12.196.0 255.255.252.0	45.12.196.0/22
Block 13	162.250.60.0 – 162.250.63.255	162.250.60.0 255.255.252.0	162.250.60.0/22
Block 14	199.36.248.0 – 199.36.251.255	199.36.248.0 255.255.252.0	199.36.248.0/22
Block 15	199.87.120.0 – 199.87.123.255	199.87.120.0 255.255.252.0	199.87.120.0/22
Block 16	66.151.158.0 – 66.151.158.255	66.151.158.0 255.255.255.0	66.151.158.0/24
Block 17	66.151.150.160 – 66.151.150.191	66.151.150.160 255.255.255.224	66.151.150.160/27
Block 18	64.74.80.0 – 64.74.80.255	64.74.80.0 255.255.255.0	64.74.80.0/24
Block 19	103.15.16.0 – 103.15.19.255	103.15.16.0 255.255.252.0	103.15.16.0/22
Block 20	64.74.17.0 – 64.74.17.255	64.74.17.0 255.255.255.0	64.74.17.0/24
Block 21	64.74.18.0 – 64.74.19.255	64.74.18.0 255.255.254.0	64.74.18.0/23
Block 22	64.74.103.0 – 64.74.103.255	64.74.103.0 255.255.255.0	64.74.103.0/24
Block 23	64.94.18.0 – 64.94.18.255	64.94.18.0 255.255.255.0	64.94.18.0/24
Block 24	64.94.46.0 – 64.94.47.255	64.94.46.0 255.255.254.0	64.94.46.0/23
Block 25	64.95.128.0 – 64.95.129.255	64.95.128.0 255.255.254.0	64.95.128.0/23
Block 26	66.150.108.0 – 66.150.108.255	66.150.108.0 255.255.255.0	66.150.108.0/24
Block 27	69.25.20.0 – 69.25.21.255	69.25.20.0 255.255.254.0	69.25.20.0/23
Block 28	69.25.247.0 – 69.25.247.255	69.25.247.0 255.255.255.0	69.25.247.0/24
Block 29	95.172.70.0 – 95.172.70.255	95.172.70.0 255.255.255.0	95.172.70.0/24
Block 30	111.221.57.0 – 111.221.57.255	111.221.57.0 255.255.255.0	111.221.57.0/24

IPv6 addresses space

Assigned by Block	Classless Inter-Domain Routing (CIDR) format
Block 1	2620:0:c70::/48
Block 2	2a04:6660::/30

Data Centers

We scale our services with third-party cloud and carrier networks for improved performance. To ensure continuous up-time, we also maintain data centers in the following regions:

U.S.: Nevada, Virginia, Michigan
Global: Germany, Australia
Global Public Cloud (including, but not limited to): California, Oregon, Virginia, Singapore, Australia, Japan
Content Delivery Public Cloud (including, but not limited to): California, Washington, Texas, Indiana, Missouri, New Jersey, Brazil, United Kingdom, Amsterdam, Germany, France, Italy, Hong Kong, Japan, Singapore

Third-party provider IP ranges

IP ranges for the content delivery network (CDN)

IP ranges for other services (audio, video and screen sharing)

IP ranges for Microsoft Azure

IP ranges for Cloudflare (specific to GoToMyPC)

Email domains

customerService@s.logmein.com
@s.logmein.com
@Care.gotomeeting.com
@Care.gotomypc.com
@Care.gotoassist.com
@Care.gotowebinar.com
@Care.gototraining.com
@m.join.me
@t.join.me
@m.logmein.com
@t.logmein.com
@m.lastpass.com
@t.lastpass.com

Glenn is a member of the LogMeIn Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!

GlennD · ‎05-27-2017

Updated 5/26/2017

Glenn is a member of the LogMeIn Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!

GlennD · ‎11-15-2017

Updated 11/15/2017

Glenn is a member of the LogMeIn Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!

james2484 · ‎12-11-2017

Hi Glenn,

Can you confirm if TCP 8200 needs to be unblocked, or will it just use 443 and 80 instead?

Thanks

James

GlennD · ‎12-11-2017

Hi James,

Our software will test all 3 ports and use which ever allows outbound communication.

Glenn is a member of the LogMeIn Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!

james2484 · ‎12-11-2017

Great, thanks Glen.

Is there a way to prevent file sharing within the application? And is it compatible with both SOCKS and NTLM proxy servers?

Thanks

James

GlennD · ‎12-11-2017

@james2484 GoToMeeting, GoToWebinar and GoToTraining do not have a file transfer feature. For the Proxy you maybe asked to provide your credentials before our sofware will be allowed to connect, we also have a Connection Wizard that can be run on Windows PCs to trigger this if needed.

I would recommend starting with our System Check page here: https://support.logmeininc.com/gotowebinar/system-check-attendee There is a test session that you can try to join to test out the flow. You can download and run our Connnection Wizard from here: https://support.logmeininc.com/article/g2m050025

Glenn is a member of the LogMeIn Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!

james2484 · ‎02-05-2018

Hi,

Is it possible to join a test session from the G2M setup MSI multi user installer? We use this in conjucntion with the GoToMeetingMultiUserOpener.

We have a relatively high secuirty environment, and the installed application doesn't seem to be running.

2948 _createProcess: ...

14:50:52 2948 E: Installer launch failed; command was: "C:\Users\BLAMPI~1\AppData\Local\Temp\CCCED23B-8675-4859-85EC-

for the test, it seems to be trying to download a component? Surely it shouldn't be trying to use this location?

Thanks

James

AshC · ‎02-06-2018

Hi James,

Yes, we do attempt to install the GoToMeeting endpoint through the AppData folder.

To join a test session, we have this page available: GoToMeeting Test Session

james2484 · ‎02-19-2018

Hi,

During our testing, we’ve found that the G2M multi-client makes connections to *.expertcity.com as LocalSystem. This only occurs during live webinars, not pre-recorded ones.

As a result, we’ve had to whitelist the URL above on a per machine basis, which is a bit of a management headache.

Moving forward, we’d like to make this a global exception, but we’re unwilling to do so without understanding exactly what is going on here behind the scenes.

Cna you please clarify?

Thanks

James