We are going to try the CIDR ranges and see how that goes.
Our VPN solution only allows IP ranges to be split tunnelled (not FQDNs), so we won't be able to split all Genesys traffic (without adding every AWS IP address, which is too broad and ever changing).
Original Message:
Sent: 09-04-2024 15:31
From: Vick Sweeney
Subject: VPN split tunneling - Genesys Cloud best practice?
We are starting our deployment of Genesys Cloud and are looking also into this. We are planning to implement split tunneling and this discussion is interesting.
------------------------------
Vick Sweeney
Hydro Quebec
------------------------------
Original Message:
Sent: 09-03-2024 01:25
From: Jeff Hoogkamer
Subject: VPN split tunneling - Genesys Cloud best practice?
Thanks Niel for the reply - I presume if we are using BYOC Cloud edges these would also be included in the CIDR ranges?
------------------------------
Jeff
Original Message:
Sent: 09-02-2024 05:56
From: Niel Vicente
Subject: VPN split tunneling - Genesys Cloud best practice?
Hi Jeff,
CIDR ranges should be all you need. It already includes STUN/TURN services, and Google only serves as backup.
No need to include Google STUN in your whitelist.
One thing to keep in mind is during WebRTC candidate discovery, the edge will return its IP as one of the HOST candidates.
If the edge IP is somewhat reachable via the VPN tunnel, Genesys client may send connectivity checks to that route and inadvertently bind it if it has the lowest latency among all candidates.
RTP will flow through the tunnel if that happens, so just be mindful of that.
Detailed WebRTC diagram - Genesys Cloud Resource Center (mypurecloud.com)
------------------------------
Niel Vicente
DAMAC Properties Co. LLC
Original Message:
Sent: 09-02-2024 03:56
From: Jeff Hoogkamer
Subject: VPN split tunneling - Genesys Cloud best practice?
Hi All,
Thought I'd re-visit this post to see if anyone recently has done anything to split-tunnel Genesys Cloud traffic away from a VPN.
Noticed that a Community Q&A session asked the question 'What are the best practices when using the WebRTC phone in a split tunnel scenario' (at 22:30 in) with the transcribed audio as:
"Our recommendation is to have all Genesys Cloud traffic outside of the VPN...we realize there are customers who are unable to do this, so the best we can recommend in that case is to opt all of the Genesys Cloud media traffic outside of the VPN at the very least. This can be accomplished because the media services are all running on the Genesys owned CIDR blocks, but really it it would be ideal if all Genesys Cloud traffic could be routed outside of the VPN that way you don't have to worry about what happens when the VPN cycles, or the extra latency introduced by the VPN or any of the other typical split tunnel issues."
So, to clarify/validate: the 'minimum' recommended would be to have at least just the CIDR address ranges in a split tunnel? i.e. for Commercial regions by 28 October 2024:
- 52.129.96.0/20
- 169.150.104.0/21
- 167.234.48.0/20
- 136.245.64.0/18
Should there be any other 'minimum' IPs / domains to include as well (such as Google STUN *.l.google.com)?
------------------------------
Jeff
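The two points raised in this thread, the CIDR-only exclude list and Niel's warning that an edge HOST candidate reachable over the tunnel can pull RTP back into the VPN, can be checked before rollout with a small route-table model. The script below is an added illustration, not code from Genesys or from anyone in the thread. It uses the four commercial-region blocks quoted above, but the VPN routes and ICE candidate addresses are constructed sample values, and it assumes the VPN client applies split tunneling as ordinary routes where the longest prefix wins; clients that bypass the host routing table behave differently.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, "direct" or "vpn")

# The four commercial-region media CIDR blocks listed in the thread.
GENESYS_MEDIA_CIDRS = [
    "52.129.96.0/20",
    "169.150.104.0/21",
    "167.234.48.0/20",
    "136.245.64.0/18",
]

# Constructed sample data (assumption, not from the thread): a corporate VPN
# that pushes RFC1918 space plus a /32 for an imaginary on-prem edge, and the
# ICE candidates a client might be offered during WebRTC candidate discovery.
SAMPLE_VPN_ROUTES = ["10.0.0.0/8", "172.16.0.0/12", "192.0.2.10/32"]
SAMPLE_CANDIDATES = {
    "52.129.100.5": "srflx candidate inside a Genesys media block",
    "10.20.30.40": "HOST candidate returned by a BYOC edge on the corporate LAN",
    "192.0.2.10": "HOST candidate of an edge the VPN pushes a /32 route for",
    "192.168.1.15": "local home-LAN HOST candidate",
}


def build_route_table(split_excludes: Iterable[str], vpn_routes: Iterable[str]) -> List[Route]:
    """Combine split-tunnel excludes ("direct") and VPN-pushed prefixes ("vpn")."""
    table = [(ipaddress.ip_network(p), "direct") for p in split_excludes]
    table += [(ipaddress.ip_network(p), "vpn") for p in vpn_routes]
    return table


def route_for(ip_str: str, table: List[Route]) -> str:
    """Longest-prefix match; anything unmatched leaves via the local default route."""
    ip = ipaddress.ip_address(ip_str)
    best: Optional[Route] = None
    for net, via in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "direct"


def audit_candidates(candidates: Iterable[str], split_excludes: Iterable[str],
                     vpn_routes: Iterable[str]) -> Dict[str, str]:
    """Map each ICE candidate address to the path its connectivity checks would take."""
    table = build_route_table(split_excludes, vpn_routes)
    return {c: route_for(c, table) for c in candidates}


def vpn_routes_shadowing_excludes(split_excludes: Iterable[str],
                                  vpn_routes: Iterable[str]) -> List[Tuple[str, str]]:
    """VPN prefixes nested inside, and more specific than, a split-tunnel exclude.

    Those win longest-prefix match, so media to that part of the block would
    silently go through the tunnel. A full-tunnel 0.0.0.0/0 is not flagged
    because the excludes are more specific than it.
    """
    shadowed = []
    for ex in split_excludes:
        ex_net = ipaddress.ip_network(ex)
        for vr in vpn_routes:
            vr_net = ipaddress.ip_network(vr)
            if vr_net.subnet_of(ex_net) and vr_net.prefixlen > ex_net.prefixlen:
                shadowed.append((vr, ex))
    return shadowed


if __name__ == "__main__":
    paths = audit_candidates(SAMPLE_CANDIDATES, GENESYS_MEDIA_CIDRS, SAMPLE_VPN_ROUTES)
    for addr, desc in SAMPLE_CANDIDATES.items():
        print(f"{addr:15} {paths[addr]:7} {desc}")
    print("VPN routes shadowing excludes:",
          vpn_routes_shadowing_excludes(GENESYS_MEDIA_CIDRS, SAMPLE_VPN_ROUTES))
```

Run it with the real route list pushed by your VPN client in place of `SAMPLE_VPN_ROUTES`, and with the candidates taken from a WebRTC diagnostics dump in place of `SAMPLE_CANDIDATES`. Any candidate reported as "vpn" is one the client could bind to if it wins on latency, which is exactly the case Niel describes; any entry from `vpn_routes_shadowing_excludes` means part of a Genesys block is still being tunnelled despite the exclude.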