In order to work well, Wire needs to have access to the following domain names:
wire.com, www.wire.com, prod-nginz-https.wire.com, prod-nginz-ssl.wire.com, prod-assets.wire.com, wire-app.wire.com, clientblacklist.wire.com
Wire uses load balancers that return dynamic IP addresses for these domain names, so any whitelisting has to be based on domain names rather than IP addresses. All of these domain names need to be reachable on TCP port 443.
If IP-to-IP connections are not possible, Wire uses TURN servers to relay calls. The list of TURN servers can be obtained by looking up the SRV record of the domain name _turn._udp.prod.wire.com.
TURN servers need to be reachable on all UDP ports for the highest reliability. Should that not be possible, TURN servers will be contacted on port 3478 via TCP or port 5349 via TLS. For a more robust calling experience, outbound UDP connections to all IP addresses should be allowed.
For conference calls, SFT conferencing servers need to be reachable. The highest call quality is achieved when clients can reach the SFT servers directly. If that is not possible, TURN servers will be used to relay calls. As with TURN servers, the list of SFT servers can be obtained by looking up the SRV record of the domain name _sft._tcp.prod.wire.com.
Also, some firewalls may require the WebRTC and SRTP audio/video protocols to be enabled in application control. Further, firewalls may have traffic shaping enabled for UDP traffic to limit packet throughput. Those rules should be applied very carefully or removed, as the number of UDP packets might be quite high, especially for conference calls (up to 1800 packets per second for a large conference).
Additionally, Wire might connect to other domain names, for example when link previews are generated, or when media like YouTube, Vimeo, SoundCloud, etc. are shared.
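To verify an egress policy against the requirements above, the following added example (not Wire's own code) turns the listed domain names, the TURN fallback ports and the two SRV records into a TCP reachability checklist. It assumes the system `dig` binary is available for the SRV lookups; the `example.net` hosts and the `--live` switch are constructed for illustration.

```python
import socket
import subprocess
import sys

# Domain and SRV names are the ones listed above on this page.
DOMAINS = ["wire.com", "www.wire.com", "prod-nginz-https.wire.com",
           "prod-nginz-ssl.wire.com", "prod-assets.wire.com",
           "wire-app.wire.com", "clientblacklist.wire.com"]
TURN_SRV, SFT_SRV = "_turn._udp.prod.wire.com", "_sft._tcp.prod.wire.com"
# Constructed `dig +short SRV` output (hypothetical hosts) for offline runs.
SAMPLE_TURN = "0 0 3478 turn01.example.net.\n0 0 3478 turn02.example.net.\n"
SAMPLE_SFT = "0 0 443 sft01.example.net.\n"

def parse_srv(dig_output):
    """Parse "priority weight port target." lines into sorted (host, port) pairs."""
    records = set()
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2].isdigit():  # skips warnings, blanks
            records.add((fields[3].rstrip(".").lower(), int(fields[2])))
    return sorted(records)

def build_checklist(turn_output, sft_output):
    """Return sorted (host, tcp_port, purpose) tuples the firewall must let out."""
    checks = {(d, 443, "https") for d in DOMAINS}
    for host, _udp_port in parse_srv(turn_output):
        # UDP cannot be probed with a connect(); check the TCP and TLS fallbacks.
        checks.update({(host, 3478, "turn-tcp"), (host, 5349, "turn-tls")})
    checks.update((host, port, "sft") for host, port in parse_srv(sft_output))
    return sorted(checks)

def lookup_srv(name):
    """Resolve an SRV record with the system `dig` binary (needs network)."""
    return subprocess.run(["dig", "+short", "SRV", name], capture_output=True,
                          text=True, timeout=10, check=False).stdout

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    live = "--live" in sys.argv  # default: print the plan built from the samples
    fetch = lookup_srv if live else {TURN_SRV: SAMPLE_TURN, SFT_SRV: SAMPLE_SFT}.get
    for host, port, purpose in build_checklist(fetch(TURN_SRV), fetch(SFT_SRV)):
        state = ("ok" if tcp_reachable(host, port) else "BLOCKED") if live else "plan"
        print(f"{state:8}{purpose:9}{host}:{port}")
```

Run it with `--live` from a host behind the firewall under test; UDP reachability of the TURN servers still has to be confirmed with a test call, since a TCP probe cannot show it.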