The iCap Realtime Closed Captioning System uses the flexibility of today’s high-bandwidth IP connections to enable a wide range of innovative new features in closed caption authoring, encoding, and monitoring. iCap does this without requiring either broadcasters or caption service providers to open up public IP addresses, VPNs, or port-forwarding tunnels. iCap customers only need a reliable and secure outbound connection to one or more pre-approved trusted server sites. This document describes the networking requirements that exist for making iCap connections, and briefly explains why iCap provides far better data security than legacy dial-up modem caption systems.
Outbound Connections Model
All iCap connections travel outbound to a trusted server specified by the operator, or by the default configuration files EEG provides with each software installation. In this respect the iCap software behaves like a web browser: it can fetch data from places outside your network without your PC or caption encoder being reachable from outside your local network. For example, you do not need to make it accessible through a globally routable IP address, VPN tunnel, or port forwarding rule. If your firewall does not restrict outbound TCP or UDP connections, you will have no problem operating iCap and no need to change any settings.
If your firewall is configured to allow outbound connections only to a limited set of IP addresses or ports, see the Destination Allow List section.
Since 2019, iCap encoders and software have supported TCP connections over SSL. We recommend all customers use SSL. If you have been using non-SSL TCP connections for iCap, you may need to change the outbound ports in your iCap allow list before you configure your products to use SSL. Typically this means adding TCP port 9738 to existing allow list configurations.
Eventually we will require all customers to use SSL to protect their iCap traffic, but EEG has not yet set a date for this transition.
Destination Allow List
Some firewalls place restrictions on outbound connections and only allow connections to a limited list of destination IP addresses and ports. If this describes your configuration, you must modify your allow lists to permit the computers and caption encoders running iCap to communicate with the following destinations:
Destination Ports
- Ports 9736, 9738, and 9744 (TCP) and 6900-6910 (UDP) for standard iCap connections. This applies to all hardware encoders, Alta software encoders, and PC captioning software.
- Port 8080 (TCP/HTTP) is required when synchronizing ComCC systems to the remote iCap server.
Destination IP Addresses
Configure your systems' allow lists with the IP addresses that are most appropriate for their location. All addresses for each region are required.
USA (East)
- 54.235.150.124
- 54.84.222.79
- 54.85.144.87
USA (West)
- 54.193.101.112
- 52.11.108.94
- 54.190.84.5
- 44.229.71.136
- 18.236.34.114
- 13.52.203.48
Australia
- 54.206.1.214
- 52.63.83.165
- 13.237.107.245
Additional Considerations
A final consideration is whether your network requires the use of proxy servers to make outbound connections. These systems are found mainly in very large-scale IT infrastructures. Support for the SOCKS5 proxy protocol is currently available in the iCap Captioner and iCap Broadcast Monitor software. To access it from the top toolbar, navigate to Tools > Options > Proxy Settings.
SOCKS4 is not supported, because it includes no standardized mechanism for handling UDP traffic.
Alta products may also require connections to EEG’s Network Licensing Activation system. For details about this system, including an additional allow list address, please see Network Activated Licensing Requirements.
QoS for iCap Traffic
iCap traffic includes real-time, latency-sensitive audio data. This data is often much more sensitive to networking issues like packet loss, latency, and jitter than common office traffic such as file downloads, email, and web browsing. In its requirements, iCap is most similar to a VoIP phone system; such systems are often placed on a separate network from other office devices, or given QoS priority on the local router. When possible, QoS and isolation are also good practices for optimizing iCap performance, particularly if you are experiencing problems such as low audio quality, audio re-syncs, or full connection drops.
EEG support may also be able to help with these problems if you provide your outbound IP address and geographic location. It may be possible to prioritize your account for routing to a local iCap server location that will give you a shorter network path than other servers.
Monitoring for iCap
EEG strongly recommends that broadcasters and large captioning agencies set up monitoring of iCap network traffic. Monitoring bandwidth and availability to iCap server locations helps on-duty staff quickly pinpoint problems, and provides valuable information to EEG support if the problem appears to be outside of your network. Logging data such as traceroutes makes it much easier to determine whether there are any trouble points on your network path to specific iCap server locations.
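A minimal version of the monitoring described above, as an added example that is not EEG's own tooling: the script probes each iCap server address on each TCP port, appends a timestamped OK/FAIL record per destination to a log, and on failure captures a traceroute so the path can be reviewed later or handed to support. It assumes a Linux or Unix host with bash or nc and, optionally, traceroute; the target list is constructed for the example (the USA East addresses from this document) and should be replaced with the addresses for your region. UDP 6900-6910 cannot be probed this way, since a UDP port gives no connection-level reply.

```shell
#!/bin/sh
# Added example, not EEG's own tooling: availability probe for the iCap server
# addresses and TCP ports listed in this document. Assumes bash or nc for the
# connection test and, optionally, traceroute. Target list is constructed for
# the example; replace it with the addresses for your region.

ICAP_PROBE_HOSTS="54.235.150.124 54.84.222.79 54.85.144.87"   # USA (East)
ICAP_PROBE_PORTS="9738 9736 9744"                              # iCap TCP ports
ICAP_LOG="${ICAP_LOG:-/var/log/icap-probe.log}"                # assumed path

# tcp_reachable HOST PORT SECONDS: succeed only if a TCP connection opens
# within the timeout. Uses bash's /dev/tcp when available, else nc -z.
tcp_reachable() {
  if command -v bash >/dev/null 2>&1 && command -v timeout >/dev/null 2>&1; then
    timeout "$3" bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  else
    nc -z -w "$3" "$1" "$2" >/dev/null 2>&1
  fi
}

# log_line STATUS HOST PORT: one timestamped, grep-friendly record.
log_line() {
  printf '%s %s %s:%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3"
}

# record_path HOST: capture the network path when a probe fails, so trouble
# spots between this site and the iCap server can be identified later.
record_path() {
  if command -v traceroute >/dev/null 2>&1; then
    traceroute -n -w 2 -q 1 "$1" 2>&1
  else
    echo "traceroute not installed; no path recorded for $1"
  fi
}

# probe_destinations "HOSTS" "PORTS" LOGFILE: probe every host/port pair,
# append the results to LOGFILE and print the number of failures.
probe_destinations() {
  fails=0
  for host in $1; do
    for port in $2; do
      if tcp_reachable "$host" "$port" 3; then
        log_line OK "$host" "$port" >> "$3"
      else
        fails=$((fails + 1))
        log_line FAIL "$host" "$port" >> "$3"
        record_path "$host" >> "$3"
      fi
    done
  done
  echo "$fails"
}

# Usage, e.g. from cron every minute: sh icap_probe.sh run
# Alert when the printed failure count is non-zero.
if [ "${1:-}" = "run" ]; then
  probe_destinations "$ICAP_PROBE_HOSTS" "$ICAP_PROBE_PORTS" "$ICAP_LOG"
fi
```

Because every record carries the destination and a UTC timestamp, a FAIL streak for one address while the others stay OK points at the path to that server, while simultaneous failures to all addresses point at your own uplink or firewall.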
Security Model for Trusted iCap Servers
The iCap service connection software has a built-in Kerberos-style authentication model. Your software connects to a server with a known address and sends authentication information encrypted with an iCap public key. After authentication, your client may receive additional encrypted “tickets” which can be used to exchange data with other iCap server locations.
A copy of the iCap public key is included with your iCap software installation. The corresponding private key, which is needed to decrypt and respond to your login data, is kept secure by EEG and installed only on the iCap servers listed under Destination IP Addresses. The complete system guarantees that your client will only send sensitive data once it has received confirmation that the remote server it is contacting is truly an EEG-authorized iCap service point. This also guarantees that only an authorized iCap server can access your private login data.
Since all of the iCap peer clients that you exchange data with must go through the same authentication protocol, you can be sure that only users who have been authenticated as valid members of groups specifically authorized to do business with you can send data to your iCap clients, or receive data sent by them from your network.
Health Monitoring
Please see https://statuspage.eegcloud.tv/ for automatically updated health on the public iCap cloud server availability, status updates, and incident notifications. This information is also available via HTTP API from https://eegicap.com/api/docs/#health.