Network configuration ensures that members are able to fully leverage all aspects of the BetterUp® platform, including email delivery, video coaching sessions, and AI coaching features.
🚨 Important 🚨
Configuration must be completed at least 2 weeks prior to your launch date.
Please review all sections in this guide before launch! Depending on your organization's network security policies, some or all of the configuration steps below may be required. On restrictive or corporate-managed networks, skipping a section can cause specific features to fail silently — for example, members may be unable to use voice or microphone features in AI coaching if Voice AI endpoints are not safelisted. We recommend reviewing every section with your IT team to determine what applies to your environment.
BetterUp offers both US and EEA-based platform instances and configuration settings differ. If you're not sure, contact your BetterUp Account Team for clarification.
- 🇺🇸 US instance is hosted in Virginia, USA
- 🇪🇺 EEA instance is hosted in Frankfurt, Germany
Need help? General questions about completing the guide or support troubleshooting can be sent to tech-ipm@betterup.co.
Jump to: Firewall Configuration | Email Enablement | Marketing Communications | Video Session Enablement | Voice AI Services | Edge Cases
Firewall Configuration
We highly recommend that you enable a wildcard domain to your firewall allowed domain list so that any and all BetterUp features and content can be accessed by your members.
| US Instance | EEA Instance |
| *.betterup.co | *.betterup.eu |
If you would prefer to not enable a wildcard domain, then you will need to allow access to the following subdomains. It is possible that subdomains may be added to this list in the future and you will need to update your allow list to ensure that members have uninterrupted access to the BetterUp platform.
| Purpose | US Instance | EEA Instance |
| BetterUp website | www.betterup.com and betterup.com | www.betterup.com and betterup.com |
| Allows access to the BetterUp application | app.betterup.co | app.betterup.eu |
| Allows for video coaching sessions | video.betterup.co | video.betterup.eu |
| Allows for viewing activities (including AI activities like Role Play) | ai-internal.betterup.co | ai-internal.betterup.eu |
| Allows communications and in-app messages via our service provider, Braze | mail.betterup.co | mail.betterup.eu |
| Allows for Content Delivery Network (CDN) url for static assets | cdn.betterup.co | N/A |
| Allows for universal app deep links in order to direct to content within our application | email.betterup.co | email.betterup.eu |
| Allows hosting workshops | studioworkshops.betterup.co | N/A |
| Allows in-app communication with our customer support team via our service provider, Zendesk | betterup.zendesk.com | mail.betterup.eu |
| Allows for viewing of content videos hosted on Vimeo | *.vimeo.com / *.vimeocdn.com | *.vimeo.com / *.vimeocdn.com |
| Allows BetterUp's cookie consent functionality (Relyance) | consent.app.relyance.ai | consent.app.relyance.ai |
| Allows BetterUp's in-app user research features (Sprig) | cdn.sprig.com / app.sprig.com | cdn.sprig.com / app.sprig.com |
Testing the Firewall Configuration
By following the steps above, members should not have any issues when accessing and using BetterUp applications. If you have any questions or need support during the setup process, please reach out to tech-ipm@betterup.co.
Jump to: Top | Email Enablement | Marketing Communications | Video Session Enablement | Voice AI Services | Edge Cases
Email Enablement
All emails delivered by the platform follow industry-standard configurations including: SPF, DKIM, and DMARC.
- Emails coming from the BetterUp platform to members (e.g., invite emails) will be sent from support@betterup.co.
- Emails coming from our custom email service provider, Braze, will be sent from team@mail.betterup.co or support@mail.betterup.co.
- Operational emails and other engagement emails may be sent from noreply@mail.betterup.co.
- Calendar invites and session notifications for Group Coaching sessions, including those delivered via Microsoft Teams will be sent from system@notifications.betterupcoaches.co
In order for email delivery and interaction to operate as smoothly as possible, we recommend allowing the following email domains:
| US Instance | EEA Instance |
| email.betterup.co | email.betterup.eu |
| mail.betterup.co | mail.betterup.eu |
Note: the above are email domains, not mail server hostnames.
Server Hostnames
To ensure messages aren't blocked or quarantined, partners should also allow the following wildcard hostnames:
- *.mail.betterup.co
- *.email.betterup.co
This includes subdomains like o2740.abmail.mail.betterup.co, which are used by our third-party email providers.
Sender Address Safelisting
To ensure all user-facing communication is reliably delivered, please also safelist the following email addresses and domains:
- support@betterup.co
- system@notifications.betterupcoaches.co
- *@mail.betterup.co
- *@email.betterup.co
Firewall Configuration (if needed)
Depending on your firewall rules, it may be necessary to allow the following IP addresses:
| Provider | US Instance | EEA Instance |
| AWS SES | — |
199.255.192.0/22 199.127.232.0/22 54.240.0.0/18 69.169.224.0/20 23.249.208.0/20 23.251.224.0/19 76.223.176.0/20 54.240.64.0/19 54.240.96.0/19 52.82.172.0/22 |
| Marketo | — | 199.15.213.50 |
| Sendgrid | 168.245.60.202 | — |
Jump to: Top | Firewall Configuration | Marketing Communications | Video Session Enablement | Voice AI Services | Edge Cases
Marketing Communications
BetterUp uses HubSpot for marketing email delivery and social post tracking. HubSpot automatically rewrites outbound URLs using its own link shortener domains — meaning links in marketing emails will route through these domains before reaching their destination.
On enterprise or regulated networks with strict egress policies, these domains may be blocked by default because they aren't recognized as BetterUp infrastructure. If members report that links in marketing emails aren't resolving, this is the most likely cause.
To ensure marketing email links work correctly, please safelist the following HubSpot tracking domains:
Domain |
Purpose |
|---|---|
|
HubSpot URL shortener (primary) |
|
HubSpot URL shortener (alternate) |
|
HubSpot URL shortener (alternate) |
These are third-party domains managed by HubSpot, not BetterUp infrastructure — your IT team may need to add them to your organization's allowed domain list separately from BetterUp-owned domains.
Note: This applies to both US and EEA platform instances.
If you've safelisted these domains and members are still unable to follow links in marketing emails, contact tech-ipm@betterup.co.
Jump to: Top | Firewall Configuration | Email Enablement | Video Session Enablement | Voice AI Services | Edge Cases
Video Session Enablement
BetterUp members meet with their coaches through live video sessions powered by Vonage.
The following actions need to be taken to ensure video and audio work reliably on your network:
| Step | US Instance | EEA Instance |
| Open firewall ports (outbound) that Vonage uses for secure HTTP communication | TCP port 443 | TCP port 443 |
| Ensure access to these domains | *.tokbox.com / *.opentok.com / *.vonage.com | *.tokbox.com / *.opentok.com / *.vonage.com |
| If it is not possible to allow these domains, allow these IP addresses |
168.100.64.0/18 216.147.0.0/18
(These IP addresses are subject to change) |
168.100.64.0/18 216.147.0.0/18
(These IP addresses are subject to change) |
| Allowing these HTTPS verification servers for the Vonage HTTPS certificate will help avoid browser console warnings. (However, these warnings should not affect the session.) | ocsp.godaddy.com / crl.godaddy.com | ocsp.godaddy.com / crl.godaddy.com |
In addition to the minimum requirements above, opening UDP Port 3478 will improve the experience. UDP is highly recommended over TCP for better quality audio and video. The protocol favors timeliness over reliability which is consistent with the human perceptive preferences; where we can fill in gaps but are sensitive to time-based delays.
This port only accepts inbound traffic after an outbound request is sent. The connection is bidirectional but is always initiated from the corporate network/client so it is not possible for an external entity to send malicious traffic in the opposite direction. For the best possible experience, we recommend opening UDP ports 1025 - 65535.
See the official Vonage support documentation for more detailed instructions on firewall configuration to support video calls.
Video/Audio Quality Check
Once the above domains have been allowed you should perform the Vonage pre-call check, save the test data, and send back to BetterUp for review — this will help us get ahead of any potential call quality-related issues.
Jump to: Top | Firewall Configuration | Email Enablement | Marketing Communications | Video Session Enablement | Voice AI Services | Edge Cases
Voice AI Services
BetterUp's AI coaching experience includes features that use real-time audio, such as voice mode (live voice conversations with your AI coach) and voice-enabled activities (like Role Play). These capabilities rely on three external services working together. All three must be safelisted for audio features to function normally.
If these endpoints are not accessible from your network, members will be unable to use voice or microphone features in AI coaching and may encounter errors or connection or load failures.
| Service | What it does | Why it needs network access |
| OpenAI | Provides voice capabilities for AI coaching experiences, including generating spoken responses and powering real-time voice conversations in activities like Role Play. | The platform establishes connections to OpenAI's API for real-time audio processing over secure WebSocket and HTTPS connections. |
| Deepgram | Converts members' spoken input into text that the AI coach can process. Also powers the microphone/dictation feature in AI coaching. | Audio captured from the member's microphone is streamed to Deepgram's API in real time for transcription. |
| LiveKit | Provides the real-time audio connection for live voice conversations with the AI coach, enabling natural turn-taking and interruption handling. | LiveKit establishes real-time media connections for streaming audio. It requires WebSocket access for session setup and, for best performance, UDP access for audio transport. |
Note: These services support audio features across the BetterUp platform, including voice mode in AI coaching and voice-enabled AI activities. Safelisting these endpoints ensures all current and future audio-powered features work correctly.
OpenAI & Deepgram
BetterUp uses OpenAI for real-time voice processing in AI coaching features, including Role Play. OpenAI's Realtime API uses UDP port 3478 for voice traffic. UDP is strongly preferred — if unavailable, TCP port 443 will be used as a fallback, but voice quality and latency may be affected.
All connections use TCP (HTTPS/WSS) except where noted.
| Service | US Instance | EEA Instance | Port | Protocol |
| OpenAI | api.openai.com | eu.api.openai.com | 443 | TCP |
| OpenAI Voice (UDP) | See IP list below | See IP list below | 3478 | UDP |
| Deepgram | api.deepgram.com | api.eu.deepgram.com | 443 | TCP |
Supported on EU Endpoint: Speech-to-Text, Text-to-Speech, Text Intelligence (excludes Whisper models).
OpenAI Voice IP Ranges (UDP port 3478)
These IP addresses are maintained by OpenAI and updated on an ongoing basis. For the current list, see openai.com/chatgpt-voice.json.
As of May 2026, the ranges are:
102.37.57.54/32 · 13.71.25.29/32 · 135.220.40.201/32 · 172.203.39.49/32 · 172.207.173.200/32 · 172.214.226.198/32 · 191.233.251.27/32 · 20.162.96.163/32 · 20.168.48.117/32 · 20.184.36.134/32 · 20.203.144.245/32 · 20.74.221.21/32 · 4.151.200.38/32 · 4.155.146.196/32 · 4.197.172.116/32 · 4.217.235.100/32 · 4.245.198.13/32 · 40.118.236.137/32 · 51.4.112.173/32 · 52.143.181.161/32 · 68.155.152.41/32 · 72.146.20.246/32 · 74.248.148.7/32
LiveKit
Minimum Required — voice sessions will connect, but may experience reduced audio quality or higher latency on restrictive networks:
| Host | Port | Protocol | Purpose |
| *.livekit.cloud | 443 | TCP | WebSocket signaling |
| *.turn.livekit.cloud | 443 | TCP | TURN/TLS fallback |
Recommended for Best Performance — enables direct audio paths and lower latency. If your network permits UDP traffic, these entries will noticeably improve voice quality:
| Host | Port | Protocol | Purpose |
| *.livekit.cloud | 443 | TCP | WebSocket signaling |
| *.turn.livekit.cloud | 443 | TCP | TURN/TLS fallback |
| *.host.livekit.cloud | 3478 | UDP | TURN/UDP connectivity |
| All hosts | 50000–60000 | UDP | WebRTC media |
| All hosts | 7881 | TCP | WebRTC TCP fallback |
Static IP Ranges (US and India only):
| IP Block |
| 143.223.88.0/21 |
| 161.115.160.0/19 |
Note: Other regions require wildcard domains. Enable UDP hole-punching for best performance.
Additional Documentation: LiveKit Cloud Firewall Configuration
Voice AI Summary
| Service | Region | Host | Port | Protocol |
| OpenAI | US | api.openai.com | 443 | TCP |
| OpenAI | EU | eu.api.openai.com | 443 | TCP |
| Deepgram | US | api.deepgram.com | 443 | TCP |
| Deepgram | EU | api.eu.deepgram.com | 443 | TCP |
| LiveKit | Global | *.livekit.cloud | 443 | TCP |
| LiveKit TURN | Global | *.turn.livekit.cloud | 443 | TCP |
| LiveKit TURN | Global | *.host.livekit.cloud | 3478 | UDP |
| LiveKit Media | Global | All | 50000–60000 | UDP |
| LiveKit Fallback | Global | All | 7881 | TCP |
| Open AI Voice UDP | Global | All | 3478 | UDP |
Troubleshooting
If members report that voice mode is unavailable, the microphone button isn't working, or AI activities (like Role Play) fail to load audio, verify that all three services above are safelisted. All three are required — safelisting only one or two will result in partial or complete failure of audio features.
If you have confirmed all endpoints are safelisted and issues persist, please reach out to tech-ipm@betterup.co.
Jump to: Top | Firewall Configuration | Email Enablement | Marketing Communications | Video Session Enablement | Edge Cases
Edge Cases
Additional configuration steps may be required depending on your organization's policies. These could include, but are not limited to the following:
- Not allowing deep links
- Emails over a certain quantity being quarantined
- TLS interception enabled
If this is the case for your organization please reach out to tech-ipm@betterup.co and we will work with you to find a solution.
Jump to: Top | Firewall Configuration | Email Enablement | Marketing Communications | Video Session Enablement | Voice AI Services
Updated: May 2026