Required inbound ranges
The current production guide requires TCP 80 and 443 and UDP 16384–32768 to be accessible. Port 80 is also used during common certificate workflows before traffic settles on HTTPS.
Public hostname and TLS
WebRTC camera and microphone access requires a valid secure origin in modern browsers. Use a public hostname with a trusted certificate rather than exposing the application only by IP address.
TURN for restrictive networks
Some corporate, school or carrier networks block direct media paths. A TURN relay provides an alternative route, at the cost of additional bandwidth through the relay.
Test from the user side
A local firewall check is not enough. Validate from representative networks and monitor real meetings so that NAT, upstream filtering and asymmetric routing problems are visible.
The operational reality
BigBlueButton capacity depends on how people use media. Hardware specifications help narrow the choice, but your own load test, monitoring and failure plan turn that choice into a production design.