Firewall requirements for Zoom Mesh

While the Zoom Mesh service utilizes the Zoom Client for the eCDN service, there are firewall rules that must be added to ensure there are no issues when utilizing the Zoom Mesh service.

Internal network requirements for Zoom Mesh

Note: These firewall rules are for both incoming and outgoing traffic, except for Parent-Child Discovery.

Purpose

ProtocolPorts

Parent-Child Discovery

UDP (Multicast)224.1.1.1:36699

Parent-Child Control Traffic

TCP (TLS)

18801-19800

Parent-Child Media Relay

UDP

18801-19800

Note: Multicast is used within the network segment for discovery. However, multicast routing is not required or suggested.

Firewall requirements for the Zoom Client utilizing Zoom Mesh

SourceDestinationDirection

Protocol

PortPurpose
Zoom Clients within an internal networkZoom Cloud IP rangeOutgoingTCP443Authentication and joining (Direct TLS or Web Proxy**)
Zoom Clients within an internal networkZoom Cloud IP rangeOutgoingTCP443Client Signaling (TLS)
Zoom Clients within an internal networkZoom Cloud IP rangeOutgoingUDP***8801*Client Media (AES 256 GCM)
Zoom Clients within an internal networkLocal subnetOutgoing and incomingUDP (Multicast to 224.1.1.1)**36699Mesh Discovery
Zoom Clients within an internal networkZoom Clients within an internal networkOutgoing and incomingTCP18801-19800Mesh Control
Zoom Clients within an internal networkZoom Clients within an internal networkOutgoing and incomingUDP18801-19800Mesh Media

*Note: Port separation for media (UDP 8801-8803) is supported. Adjust the firewall rule to include 8802 and 8803 if port separation is enabled.

**Note: Multicast is used within the network segment for discovery. However, multicast routing is not required or suggested.

***Note: The Zoom Client will fall back to TCP 443 if UDP 8801 is unavailable.