HowTo: Network configuration and Firewall rules

Network Requirements

General required network conditions

The key metrics for ensuring optimum voice/video quality over IP are packet loss, delay and jitter.

Packet loss

The IP telephony industry usually quotes a maximum packet loss of around 0.25% as the most the average human ear can tolerate without losing the sense of a conversation.

Delay

The International Telecommunication Union (ITU-T Recommendation G.114) sets 150 milliseconds as the maximum one-way delay before the user starts to perceive it.

Jitter

Jitter refers to the variation in the spacing between packets arriving at the called party's telephone end point. Excessive jitter causes audible artefacts (crackling or choppy audio) on the call and should therefore not exceed 15 milliseconds.
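The three metrics above can be measured from an RTP packet trace and checked against the page's limits. The following is an added example, not Escaux code: the packet trace is constructed inline (G.711, 20 ms packets, 8 kHz RTP clock), loss is derived from sequence-number gaps, and jitter uses the interarrival-jitter estimator of RFC 3550 section 6.4.1 converted to milliseconds. One-way delay assumes synchronised sender and receiver clocks.

```python
"""Check an RTP trace against the packet loss, delay and jitter limits quoted above.

Added example, not part of the Escaux page. The trace is constructed inline
(G.711, 20 ms packets, 8 kHz RTP clock).
"""
from dataclasses import dataclass

# Thresholds quoted on this page
MAX_LOSS_PCT = 0.25
MAX_ONE_WAY_DELAY_MS = 150
MAX_JITTER_MS = 15

RTP_CLOCK_HZ = 8000                     # G.711 RTP clock
PACKET_MS = 20                          # packetisation interval
TICKS_PER_PACKET = RTP_CLOCK_HZ * PACKET_MS // 1000   # 160 ticks per packet


@dataclass
class RtpPacket:
    seq: int            # RTP sequence number
    ts: int             # RTP timestamp in clock ticks (set by the sender)
    arrival_ms: float   # receiver clock at arrival, milliseconds


def packet_loss_pct(packets):
    """Loss as a percentage of the sequence-number span (duplicates counted once)."""
    seqs = {p.seq for p in packets}
    expected = max(seqs) - min(seqs) + 1
    return 100.0 * (expected - len(seqs)) / expected


def rfc3550_jitter_ms(packets):
    """Final value of the RFC 3550 running estimate J = J + (|D| - J)/16, in ms."""
    jitter_ticks = 0.0
    prev = None
    for p in sorted(packets, key=lambda x: x.seq):
        if prev is not None:
            # D = (difference in arrival time) - (difference in RTP timestamp), in ticks
            arrival_ticks = (p.arrival_ms - prev.arrival_ms) * RTP_CLOCK_HZ / 1000
            d = arrival_ticks - (p.ts - prev.ts)
            jitter_ticks += (abs(d) - jitter_ticks) / 16
        prev = p
    return jitter_ticks * 1000 / RTP_CLOCK_HZ


def one_way_delay_ms(packets, send_epoch_ms):
    """Mean one-way delay; send_epoch_ms is the receiver-clock time at which
    RTP timestamp 0 was sent (i.e. clocks must be synchronised)."""
    delays = [p.arrival_ms - (send_epoch_ms + p.ts * 1000 / RTP_CLOCK_HZ) for p in packets]
    return sum(delays) / len(delays)


def assess(packets, send_epoch_ms=0.0):
    """Return the three metrics and whether all of them are within the page's limits."""
    loss = packet_loss_pct(packets)
    jitter = rfc3550_jitter_ms(packets)
    delay = one_way_delay_ms(packets, send_epoch_ms)
    return {
        "loss_pct": loss,
        "jitter_ms": jitter,
        "delay_ms": delay,
        "acceptable": loss <= MAX_LOSS_PCT
        and jitter <= MAX_JITTER_MS
        and delay <= MAX_ONE_WAY_DELAY_MS,
    }


def build_trace(n_packets, network_delay_ms, jitter_pattern_ms, dropped=()):
    """Constructed trace: packet i is sent at i*20 ms and arrives after
    network_delay_ms plus a repeating per-packet offset; 'dropped' never arrive."""
    trace = []
    for i in range(n_packets):
        if i in dropped:
            continue
        arrival = i * PACKET_MS + network_delay_ms + jitter_pattern_ms[i % len(jitter_pattern_ms)]
        trace.append(RtpPacket(seq=i, ts=i * TICKS_PER_PACKET, arrival_ms=arrival))
    return trace


if __name__ == "__main__":
    good = build_trace(500, 40, [0, 2, -1, 1], dropped={250})     # 1 loss in 500, ~2 ms jitter
    bad = build_trace(500, 200, [0, 40], dropped={10, 11, 12})    # 0.6% loss, 40 ms jitter, 200 ms delay
    for name, trace in (("good", good), ("bad", bad)):
        print(name, assess(trace))
```

The "good" trace (one lost packet in 500, small arrival variation, 40 ms network delay) passes all three limits; the "bad" trace fails all three. In practice the arrival timestamps come from a capture on the receiving side; the RFC 3550 estimator is the same one that RTCP receiver reports carry in their interarrival jitter field.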

DHCP

The DHCP requirements are discussed on a separate page.

Connection types

Escaux UCS system to Escaux UCS system connection

One voice call using iLBC encoding, transported over an Inter-Asterisk eXchange (IAX) trunk, generates one 90-byte packet (IP header + IP payload) every 30 ms in each direction, i.e. 24 kbps at the IP layer.

Softphone to Escaux UCS system connection

The softphone can communicate with the Escaux UCS system via the G.711 or iLBC codec. iLBC compresses the audio and therefore needs less bandwidth, at the cost of slightly lower audio quality. Inside a LAN, where bandwidth is plentiful, G.711 is recommended. See "Voice codecs & bandwidth" below for the figures.

IP Phone to Escaux UCS system connection

IP phones can communicate with the Escaux UCS system via the G.711 or iLBC codec (which one depends on the type of IP phone). iLBC compresses the audio and therefore needs less bandwidth, at the cost of slightly lower audio quality. Inside a LAN, where bandwidth is plentiful, G.711 is recommended. See "Voice codecs & bandwidth" below for the figures.

Voice codecs & bandwidth

The following table gives the bandwidth on the Ethernet layer generated by one VoIP call in one direction. The figures include 40 bytes of IP/UDP/RTP headers and 18 bytes of Ethernet framing per packet.

Codec (bit rate) | Sample interval (ms) | Voice payload size (bytes) | Packets per second | Ethernet bandwidth (kbps)
--- | --- | --- | --- | ---
G.711 (64 kbps) | 20 | 160 | 50 | 87.2
G.729 (8 kbps) | 20 | 20 | 50 | 31.2
iLBC (13.33 kbps) | 30 | 50 | 33.3 | 28.8

More detailed calculations can be done at http://www.bandcalc.com/
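The table above and the iLBC-over-IAX figure quoted earlier (90 bytes every 30 ms) follow from the same arithmetic. The following is an added example, not Escaux code: it reproduces the Ethernet column from payload size and packetisation interval, gives the IP-layer rate of the IAX packet, and sizes a link. The 40-byte IP/UDP/RTP and 18-byte Ethernet overhead constants are the ones the table's totals imply; preamble and inter-frame gap are not counted, as in the table.

```python
"""Per-call VoIP bandwidth from payload size and packetisation interval.

Added example, not Escaux code. Overhead assumptions: 20 B IP + 8 B UDP +
12 B RTP = 40 B per packet, plus 18 B Ethernet framing (14 B header + 4 B FCS).
"""
IP_UDP_RTP_OVERHEAD_BYTES = 40
ETHERNET_FRAMING_BYTES = 18

# (voice payload bytes per packet, packetisation interval in ms), as in the table
CODECS = {
    "G.711": (160, 20),
    "G.729": (20, 20),
    "iLBC": (50, 30),
}


def packets_per_second(interval_ms):
    return 1000 / interval_ms


def codec_bit_rate_kbps(payload_bytes, interval_ms):
    """Raw codec rate implied by payload and interval: bytes*8 / ms = kbit/s."""
    return payload_bytes * 8 / interval_ms


def ip_kbps(ip_packet_bytes, interval_ms):
    """IP-layer rate of one packet of the given total size per interval
    (the page's IAX figure: 90 bytes every 30 ms)."""
    return ip_packet_bytes * 8 / interval_ms


def ethernet_kbps(payload_bytes, interval_ms):
    """One direction of one RTP call on the Ethernet layer."""
    frame = payload_bytes + IP_UDP_RTP_OVERHEAD_BYTES + ETHERNET_FRAMING_BYTES
    return frame * 8 / interval_ms


def iax_trunk_ethernet_kbps(ip_packet_bytes=90, interval_ms=30):
    """Ethernet-layer rate of the IAX-trunked iLBC call quoted above."""
    return (ip_packet_bytes + ETHERNET_FRAMING_BYTES) * 8 / interval_ms


def calls_per_link(link_kbps, payload_bytes, interval_ms):
    """Simultaneous one-direction calls that fit in a link, with no headroom."""
    return int(link_kbps // ethernet_kbps(payload_bytes, interval_ms))


def table():
    """Rows in the same column order as the page's table."""
    rows = []
    for name, (payload, interval) in CODECS.items():
        rows.append((
            name,
            round(codec_bit_rate_kbps(payload, interval), 2),
            interval,
            payload,
            round(packets_per_second(interval), 1),
            round(ethernet_kbps(payload, interval), 1),
        ))
    return rows


if __name__ == "__main__":
    for row in table():
        print(row)
    print("iLBC over IAX, IP layer:", ip_kbps(90, 30), "kbps")
    print("G.711 calls on a 2048 kbps link:", calls_per_link(2048, 160, 20))
```

Note that the 90-byte IAX packet gives 24 kbps at the IP layer and 28.8 kbps on Ethernet, the same Ethernet figure as iLBC over RTP, since both carry 50 bytes of voice per 30 ms; and that `calls_per_link` counts one direction only, so a link carrying both directions of N calls needs twice the figure.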

Video codecs & bandwidth

The bandwidth used by net.Desktop video is configurable when media links are configured between SOPs. By default, 128 kbps of IP payload is used for a one-way video connection through net.Desktop.

Firewall configuration

Introduction

SOP connectivity

Standard firewall configuration

When your SOP is operational, it contacts the SMP over your internet connection for a number of reasons. This requires that some ports are open on your firewall from the inside (LAN) to the outside (internet). In most cases nothing needs to change, since most firewall configurations allow all traffic from the LAN to the internet. In a high-availability setup (active-standby or active-active), all IP addresses used by the SOPs must be permitted.

The following firewall configuration is required:

From | To | Protocol | Port | Explanation
--- | --- | --- | --- | ---
SOP | * | TCP | SSH (22) | Used for authenticated and encrypted management of the SOP
SOP | * | TCP | HTTP (80) | Used to query which SMP the SOP should use
SOP | * | TCP | HTTPS (443) | Software and security updates for the SOP
SOP | Customer's SMTP server | TCP | SMTP (25) | Used for voicemail-to-email
SOP | * | UDP | NTP (123) | Used for time synchronization
SOP | * | UDP | DNS (53) | Used to convert hostnames to IP addresses
Management network | SOP | TCP | HTTP (80) | Manage audio prompts, music-on-hold files and call recordings
Management network | SOP | TCP | HTTPS (443) | Manage audio prompts, music-on-hold files and call recordings

ALERT! HTTP connectivity proxied through your corporate proxy server is NOT supported.

ALERT! MTU (Maximum Transmission Unit) should be 1500 bytes or higher.

Strict firewall configuration

The strict firewall configuration is intended for customers whose security policy does not allow the standard (recommended) configuration. Compared with the standard configuration it adds restrictions on outgoing connections: the SOP may only reach the Escaux ranges 213.246.219.64/27, 213.246.255.232/29, 217.111.215.88/29, 188.118.34.80/32, 188.118.34.81/32, 188.118.34.120/32 and 188.118.34.121/32, and the customer's own SMTP, NTP and DNS servers. These ranges may change, and ranges may be added or removed in the future; you will be informed if and when this happens and will then need to update your firewall configuration.

From | To | Protocol | Port | Explanation
--- | --- | --- | --- | ---
SOP | Escaux ranges (listed above) | TCP | SSH (22) | Used for authenticated and encrypted management of the SOP
SOP | Escaux ranges (listed above) | TCP | HTTP (80) | Used to query which SMP the SOP should use
SOP | Escaux ranges (listed above) | TCP | HTTPS (443) | Software and security updates for the SOP
SOP | Customer's SMTP server | TCP | SMTP (25) | Used for voicemail-to-email
SOP | Customer's NTP server(s) | UDP | NTP (123) | Used for time synchronization
SOP | Customer's DNS server(s) | UDP | DNS (53) | Used to convert hostnames to IP addresses
Management network | SOP | TCP | HTTPS (443) | Manage audio prompts, music-on-hold files and call recordings
Management network | SOP | TCP | HTTP (80) | Manage audio prompts, music-on-hold files and call recordings

ALERT! HTTP connectivity proxied through your corporate proxy server is NOT supported.

ALERT! MTU (Maximum Transmission Unit) should be 1500 bytes or higher.
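A strict policy is easier to keep correct when the table is held as data and the firewall rules are generated from it, so that the same data can be queried before a change is applied. The following is an added example, not Escaux tooling: it models the strict SMP table above as a checkable policy and renders it as an nftables ruleset. The Escaux prefixes are the ones listed on this page; the customer SMTP/NTP/DNS servers and the management network are assumptions (RFC 5737 documentation addresses) to be replaced with real values. Only the rows of the strict SMP table are modelled, so the SIP, RTP and inter-SOP flows from the later sections must be added before a drop policy like this is loaded on a live SOP.

```python
"""Strict SOP egress policy as data, with a query function and an nftables rendering.

Added example, not Escaux tooling. Escaux prefixes are those listed on this page;
CUSTOMER_SETS and MGMT_NETWORK are placeholder assumptions.
"""
import ipaddress

ESCAUX_PREFIXES = [
    "213.246.219.64/27", "213.246.255.232/29", "217.111.215.88/29",
    "188.118.34.80/32", "188.118.34.81/32", "188.118.34.120/32", "188.118.34.121/32",
]

# Assumed customer-side destinations (RFC 5737 placeholders, replace with real servers)
CUSTOMER_SETS = {
    "smtp": ["192.0.2.25"],
    "ntp": ["192.0.2.123"],
    "dns": ["192.0.2.53", "192.0.2.54"],
}
MGMT_NETWORK = "198.51.100.0/24"   # assumed management network

# (protocol, destination port, destination set) for SOP-originated flows, one per table row
EGRESS_RULES = [
    ("tcp", 22, "escaux"),    # authenticated and encrypted management of the SOP
    ("tcp", 80, "escaux"),    # query which SMP to use
    ("tcp", 443, "escaux"),   # software and security updates
    ("tcp", 25, "smtp"),      # voicemail-to-email
    ("udp", 123, "ntp"),      # time synchronisation
    ("udp", 53, "dns"),       # name resolution
]


def collapse(prefixes):
    """Merge adjacent prefixes; the two /32 pairs on this page become /31s."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))


def destination_sets():
    sets = {"escaux": collapse(ESCAUX_PREFIXES)}
    for name, hosts in CUSTOMER_SETS.items():
        sets[name] = [ipaddress.ip_network(h) for h in hosts]
    return sets


def egress_allowed(dst_ip, proto, dport):
    """Policy model: True iff the strict table permits a new SOP-originated flow."""
    addr = ipaddress.ip_address(dst_ip)
    sets = destination_sets()
    for rule_proto, rule_port, set_name in EGRESS_RULES:
        if proto == rule_proto and dport == rule_port and any(addr in net for net in sets[set_name]):
            return True
    return False


def render_nft():
    """nftables text for the same policy: output chain plus the management ingress rows."""
    sets = destination_sets()
    out = ["table inet sop_strict {"]
    for name, nets in sets.items():
        elems = ", ".join(str(n) for n in nets)
        out.append(f"  set {name} {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}")
    out += [
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
    ]
    for proto, dport, set_name in EGRESS_RULES:
        out.append(f"    ip daddr @{set_name} {proto} dport {dport} ct state new accept")
    out += [
        '    log prefix "sop-egress-drop: " drop',
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    ip saddr {MGMT_NETWORK} tcp dport {{ 80, 443 }} ct state new accept",
        "  }",
        "}",
    ]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_nft())
    print(egress_allowed("8.8.8.8", "udp", 53))   # False: DNS only to the customer's resolvers
```

Two points worth noting: `egress_allowed` answers questions such as "may the SOP still reach a public resolver?" before the ruleset is loaded, and the final `log ... drop` line in the output chain records any SOP-originated flow the table does not cover, which is how a missing row (for example a new Escaux range after a notified change) shows up in the logs rather than as a silent outage.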

SIP trunk connectivity to a telecom operator

From | To | Protocol | Port | Explanation
--- | --- | --- | --- | ---
SOP | Provider's SIP proxy server | UDP | SIP (5060) | SIP signalling
Provider's SIP proxy server | SOP | UDP | SIP (5060) | SIP signalling
SOP | Provider's media gateway | UDP | 1024-65535 | RTP media traffic (1)
Provider's media gateway | SOP | UDP | 1024-65535 | RTP media traffic

(1) this range can be modified according to the SIP provider's requirements.

ALERT! Network Address Translation is not supported.

ALERT! Please consult our Security recommendation guide before implementing firewall changes.

Inter-SOP connectivity (clustering + active / active)

Protocol | Port | Explanation
--- | --- | ---
TCP | SSH (22) | Cluster synchronisation (prompts, music-on-hold files)
UDP | SIP (5060) | Mesh SIP trunks
UDP | 10000-20000 | RTP voice traffic
TCP | HTTP (80) | Inter-SOP API requests
TCP | HTTPS (443) | Inter-SOP API requests
TCP | 4445 | Application management server sync (phone statuses, profile parameters, ...)

These ports must be open between the SOPs of the cluster. An active-active setup has no additional requirements.

ALERT! Network Address Translation is not supported.

SMP Phone status & reboot

The first pair of protocol/port columns applies to the phone's web interface (User PC -> Phone), the second pair to the reboot feature (SOP -> Phone).

Brand | Prefix | Web interface protocol | Web interface port | Reboot protocol | Reboot port
--- | --- | --- | --- | --- | ---
Aastra | SDR | HTTP | 80 | HTTP | 80
Budgetone | SDB | - | - | - | -
Cisco | SDC | HTTP | 80 | HTTP | 80
Cisco | SDS | HTTP | 80 | HTTP | 80
Grandstream | SDG3 | HTTP | 80 | HTTP | 80
Hitachi | SDA | - | - | - | -
Mitel | SDM | HTTP | 80 | SIP | 5060
Polycom | SDP | HTTP | 80 | SIP | 5060
Snom | SDO1-7 | HTTP | 80 | SIP | 5060
Swiss Voice | SDW | - | - | - | -
Thomson | SDT | - | - | - | -
Unidata | SDU | HTTP | 8080 | - | -

'-': reboot and access to the web interface are not supported.

Escaux Connect for UEP 1.1

Prerequisites:
  • A domain name
  • A valid certificate for the domain

From | To | Protocol | Port
--- | --- | --- | ---
Internet | ISAP | TCP | HTTP (80)
Internet | ISAP | TCP | HTTPS (443)
Internet | ISAP | TCP | WebSocket (8088)
UEP | WebRTC | UDP | SIP (5060)
WebRTC | UEP | UDP | SIP (5060)
UEP | WebRTC | UDP | RTP (10000-20000)
WebRTC | UEP | UDP | RTP (10000-20000)
PBX | UEP | TCP | HTTP (80)
PBX | UEP | TCP | SIP (5060)
PBX | UEP | TCP | RTP (10000-20000)

Connect Me

This application was formerly known as Escaux Connect or Fuzer Connect.

Client

For basic functionality:

From | To | Protocol | Port | Comment
--- | --- | --- | --- | ---
Client | Customer's DNS server | UDP | 53 (DNS) |
Client | Internet | TCP | 80 (HTTP) | Optional: only used to redirect to HTTPS
Client | Internet | TCP | 443 (HTTPS) |

For softphone functionality:

From | To | Protocol | Port | Comment
--- | --- | --- | --- | ---
Client | IP range dependent on your deployment | UDP | Port range dependent on your deployment | Only for UEP on customer premises
Client | * | UDP | All high ports: 1024-65535 (RTP) | Cloud-based customers

For mediabridge direct media (point-to-point video & screen sharing):

From | To | Protocol | Port
--- | --- | --- | ---
Client | * | UDP | All high ports: 1024-65535 (RTP)

For mediabridge relayed media (point-to-point video & screen sharing via TURN server):

From | To | Protocol | Port
--- | --- | --- | ---
Client | Internet | UDP | 49152-65535 (TURN relay)
Client | Internet | UDP | 3478 (TURN)
Client | Internet | TCP | 5349 (TURN over TLS)

Strict

The strict firewall configuration is intended for customers whose security policy does not allow the standard (recommended) configuration. Compared with the standard configuration it adds restrictions on outgoing connections: the client may only reach the Escaux ranges 213.246.219.64/27, 213.246.255.232/29, 217.111.215.88/29, 188.118.34.80/32, 188.118.34.81/32, 188.118.34.120/32 and 188.118.34.121/32, and the customer's own DNS server. These ranges may change, and ranges may be added or removed in the future; you will be informed if and when this happens and will then need to update your firewall configuration.

For basic functionality:

From | To | Protocol | Port | Comment
--- | --- | --- | --- | ---
Client | Customer's DNS server | UDP | 53 (DNS) |
Client | Escaux ranges (listed above) | TCP | 80 (HTTP) | Optional: only used to redirect to HTTPS
Client | Escaux ranges (listed above) | TCP | 443 (HTTPS) |

For softphone functionality:

From | To | Protocol | Port | Comment
--- | --- | --- | --- | ---
Client | IP range dependent on your deployment | UDP | Port range dependent on your deployment | Only for UEP on customer premises
Client | Escaux ranges (listed above) | UDP | All high ports: 1024-65535 (RTP) | Cloud-based customers

For mediabridge direct media (point-to-point video & screen sharing):

From | To | Protocol | Port
--- | --- | --- | ---
Client | * | UDP | All high ports: 1024-65535 (RTP)

For mediabridge relayed media (point-to-point video & screen sharing via TURN server):

From | To | Protocol | Port
--- | --- | --- | ---
Client | Internet | UDP | 49152-65535 (TURN relay)
Client | Internet | UDP | 3478 (TURN)
Client | Internet | TCP | 5349 (TURN over TLS)

Server

OAuth

Eth0:

From | To | Protocol | Port | Comment
--- | --- | --- | --- | ---
ISAP | OAuth | TCP | 7380 | OAuth requests

CDG

Eth0 (backend - Escaux):

From | To | Protocol | Port
--- | --- | --- | ---
CDG | All FMU | UDP | SIP 5060
All FMU | CDG | UDP | SIP 5060
CDG | All FMU | UDP | RTP range 10000-20000
CDG | LS | UDP | SIP 5060
LS | CDG | UDP | SIP 5060
CDG | CAG | UDP | SIP 5060
CAG | CDG | UDP | SIP 5060
CDG | Standard SOP connectivity (see above) | |

With HLR connectivity:

From | To | Protocol | Port
--- | --- | --- | ---
CDG | CAG | UDP | SIP 5060
CAG | CDG | UDP | SIP 5060

Eth1 (provider): if the connection with the provider is not SIP but ISUP, this section is irrelevant.

From | To | Protocol | Port
--- | --- | --- | ---
CDG | MSS and/or PSTN | UDP | SIP 5060
MSS and/or PSTN | CDG | UDP | SIP 5060
CDG | MSS and/or PSTN | UDP | RTP range 10000-20000
CDG | Standard SOP connectivity (see above) | |

CAG
Minimum rules on the Escaux interface:

From | To | Protocol | Port
--- | --- | --- | ---
CAG | All FMU | UDP | SIP 5060
All FMU | CAG | UDP | SIP 5060
CAG | LS | UDP | SIP 5060
LS | CAG | UDP | SIP 5060
CAG | CDG | UDP | SIP 5060
CDG | CAG | UDP | SIP 5060
CAG | Standard SOP connectivity (see above) | |

With HLR connectivity:

From | To | Protocol | Port
--- | --- | --- | ---
CAG | CDG | UDP | SIP 5060
CDG | CAG | UDP | SIP 5060

SIGTRAN link with provider: ALERT! SCTP is not yet handled by the firewall.

SIP link with provider, on the provider interface:

From | To | Protocol | Port
--- | --- | --- | ---
CAG | MSS | UDP | SIP 5060
MSS | CAG | UDP | SIP 5060

LS

From | To | Protocol | Port
--- | --- | --- | ---
LS | CAG | UDP | SIP 5060
CAG | LS | UDP | SIP 5060
LS | CDG | UDP | SIP 5060
CDG | LS | UDP | SIP 5060
LS | Standard SOP connectivity (see above) | |

ISAP

From | To | Protocol | Port
--- | --- | --- | ---
Internet | ISAP | TCP | HTTP (80)
Internet | ISAP | TCP | HTTPS (443)
Internet | ISAP | TCP | SSH (22)
ISAP | UEP | TCP | HTTP 80 (CardDAV)
ISAP | UEP | TCP | HTTP 7080 (Connect Me)
ISAP | UEP | TCP | HTTP 8080 (UEP API)
ISAP | UEP | TCP | HTTP 9080 (Authentication API)
ISAP | File Depot | TCP | HTTP 5080 (File Depot API)
ISAP | WebRTC | TCP | HTTP 2080 (WebRTC API)
ISAP | WebRTC | TCP | WebSocket 8088 (SIP over WebSocket)
ISAP | Standard SOP connectivity (see above) | |

File Depot

From | To | Protocol | Port
--- | --- | --- | ---
ISAP | File Depot | TCP | HTTP 5080 (File Depot API)
File Depot | Standard SOP connectivity (see above) | |

WebRTC

From | To | Protocol | Port
--- | --- | --- | ---
Internet | WebRTC | UDP | RTP port range 10000-20000 (NATed by the firewall; other ranges can be used)
WebRTC | Internet | UDP | RTP port range 10000-20000 (NATed by the firewall; other ranges can be used)
WebRTC | UEP | UDP | SIP 5060
UEP | WebRTC | UDP | SIP 5060
WebRTC | UEP | UDP | RTP range 10000-20000
WebRTC | UEP | TCP | HTTP 8000
WebRTC | Standard SOP connectivity (see above) | |

APN

From | To | Protocol | Port
--- | --- | --- | ---
APN | UEP | UDP | SIP 5060
UEP | APN | UDP | SIP 5060
APN | UEP | TCP | HTTP 8000 (UEP API)
APN | ISAP | TCP | SSH 22
APN | Internet | TCP | 2195 (APNS, see https://support.apple.com/en-us/HT203609)
APN | Internet | TCP | 443 (APNS, see https://support.apple.com/en-us/HT203609)
APN | Standard SOP connectivity (see above) | |

GCM (FCM)

From | To | Protocol | Port
--- | --- | --- | ---
GCM (FCM) | UEP | UDP | SIP 5060
UEP | GCM (FCM) | UDP | SIP 5060
GCM (FCM) | UEP | TCP | HTTP 8000 (UEP API)
GCM (FCM) | ISAP | TCP | SSH 22
ISAP | GCM (FCM) | TCP | HTTP 2080 (FCM API)
GCM (FCM) | Internet | TCP | HTTPS 443
GCM (FCM) | Standard SOP connectivity (see above) | |

FMU
Three different FMU modes are considered here:
  • standalone mode (FMU directly connected to the customer, without a UEP)
  • gateway mode with 1 interface (when the UEP is in the Escaux solution)
  • gateway mode with 2 interfaces (when the UEP is on the customer side and the FMU plays the role of the border router)

Standalone mode: in this mode the FMU is directly connected to the customer (no UEP).

ALERT! Two interfaces are necessary because the FMU is a border router: one for the customer side (eth0) and one for the Escaux side (eth1).

Eth0 (customer):

From | To | Protocol | Port
--- | --- | --- | ---
FMU | PABX | UDP | SIP port 5060 to 9061
PABX | FMU | UDP | SIP port 5060 to 9061
FMU | PABX | UDP | RTP range 10000-20000
FMU primary | FMU failover | UDP | SIP port 5060
FMU failover | FMU primary | UDP | SIP port 5060

Eth1 (Escaux - management):

From | To | Protocol | Port
--- | --- | --- | ---
FMU | CDG | UDP | SIP port 5060
CDG | FMU | UDP | SIP port 5060
FMU | CDG | UDP | RTP range 10000-20000
FMU | CAG | UDP | SIP port 5060
CAG | FMU | UDP | SIP port 5060
FMU primary | FMU failover | UDP | SIP port 5060
FMU failover | FMU primary | UDP | SIP port 5060
FMU | Standard SOP connectivity (see above) | |

Gateway mode with 1 interface: there is only one interface; this mode is used when the UEP is part of the Escaux solution (UEP in the cloud).

From | To | Protocol | Port
--- | --- | --- | ---
FMU | UEP | UDP | SIP ports 5060 and 5061
UEP | FMU | UDP | SIP ports 5060 and 5061
FMU | UEP | UDP | RTP range 10000-20000
FMU | CDG | UDP | SIP port 5060
CDG | FMU | UDP | SIP port 5060
FMU | CDG | UDP | RTP range 10000-20000
FMU | CAG | UDP | SIP port 5060
CAG | FMU | UDP | SIP port 5060
FMU primary | FMU failover | UDP | SIP port 5060
FMU failover | FMU primary | UDP | SIP port 5060
FMU | Standard SOP connectivity (see above) | |

Gateway mode with 2 interfaces: this mode is used when the UEP is on the customer side and the FMU plays the role of the border router.

Eth0 (customer):

From | To | Protocol | Port
--- | --- | --- | ---
FMU | UEP | UDP | SIP ports 5060 and 5061
UEP | FMU | UDP | SIP ports 5060 and 5061
FMU primary | FMU failover | UDP | SIP port 5060
FMU failover | FMU primary | UDP | SIP port 5060
FMU | UEP | UDP | RTP range 10000-20000

Eth1 (Escaux - management):

From | To | Protocol | Port
--- | --- | --- | ---
FMU | CDG | UDP | SIP port 5060
CDG | FMU | UDP | SIP port 5060
FMU | CDG | UDP | RTP range 10000-20000
FMU | CAG | UDP | SIP port 5060
CAG | FMU | UDP | SIP port 5060
FMU primary | FMU failover | UDP | SIP port 5060
FMU failover | FMU primary | UDP | SIP port 5060
FMU | Standard SOP connectivity (see above) | |

UEP

From | To | Protocol | Port
--- | --- | --- | ---
UEP | Gateways (WebRTC/APN/GCM/FMU) | UDP | SIP port 5060
Gateways (WebRTC/APN/GCM/FMU) | UEP | UDP | SIP port 5060
UEP | Gateways (WebRTC/APN/GCM/FMU) | UDP | RTP range 10000-20000
UEP | PABX | UDP | SIP port 5060
UEP | PABX | UDP | RTP range 10000-20000
UEP | PABX | TCP | HTTP port 80
UEP | SMP-Web* | TCP | HTTPS port 443
UEP | Standard SOP connectivity (see above) | |

User agent - SOP

net.Desktop connectivity

If users run the net.Desktop application on their computer and a firewall sits between the users' LAN and the SOP, the following firewall configuration is required:

Protocol | From | To | Destination port(s) | Explanation
--- | --- | --- | --- | ---
TCP | Client | SOP | 4445 | net.Desktop - SOP event communication
TCP | Client | SOP | 4446 | net.Desktop - SOP other communication
TCP | Client | SOP | 4559 | Outgoing fax server communication
TCP | Client | SOP | 25 | Outgoing fax server communication (new since 2.28 when using quick fax)
UDP | Client:5060-5070 | SOP | 5060 | SIP, net.Desktop user agent
UDP | Client:5060-5070 | Client | 5060-5070 | SIP chat, peer to peer
UDP | Client:4569 | Client | 4569 | Peer-to-peer video

Note that there must be a direct IP route between the net.Desktop clients for them to chat. net.Desktop clients therefore cannot communicate with each other if Network Address Translation is used between them.

net.Console connectivity

From | To | Protocol | Destination port(s) | Explanation
--- | --- | --- | --- | ---
SOP (1) | Phone | TCP | HTTP (80) | API requests to the phone
SOP | Phone | UDP | SIP (5060) | SIP signalling
Phone | SOP | UDP | SIP (5060) | SIP signalling
SOP | Phone | UDP | 10000-20000 | RTP traffic; the port range can be limited through the resource configuration of certain phones
Phone | SOP | UDP | 10000-20000 | RTP traffic; the port range can be limited through the resource configuration of certain phones
Client | SOP | TCP | SIP over TCP (3040) | Control connection
SOP (1) | Client | TCP | SIP over TCP (3040) | Control connection

(1) For active/standby architectures, consider both the active and the standby IP addresses.

net.Supervisor connectivity

Protocol | From | To | Destination port(s) | Explanation
--- | --- | --- | --- | ---
TCP | Client | SOP | 4445 | net.Supervisor - SOP event communication
TCP | Client | SOP | HTTP (80) | SOP API requests

Desk phone connectivity

Local phone and local SOP
The connection between a desk phone and a locally hosted SOP should not pass through a firewall.

ALERT! Network Address Translation is not supported.

Polycom phone over internet

Recommended:

From | To | Protocol | Port | Explanation
--- | --- | --- | --- | ---
Phone | * | UDP | NTP (123) | Time synchronization
Phone | * | TCP | SIP over TLS (the port(s) depend on your implementation; ask your project manager which one(s)) | Call signalling
Phone | * | UDP | (S)RTP (the port(s) depend on your implementation; ask your project manager which one(s)) | Call voice
Phone | * | UDP | DNS (53) | Used to convert hostnames to IP addresses
Phone | * | TCP | HTTPS (443) | Connection towards the Pure Cloud provisioning domain

Strict:

The strict firewall configuration is intended for customers whose security policy does not allow the recommended configuration. Compared with the recommended configuration it adds restrictions on outgoing connections: the phone may only reach the Escaux ranges 213.246.219.64/27, 213.246.255.232/29, 217.111.215.88/29, 188.118.34.80/32, 188.118.34.81/32, 188.118.34.120/32 and 188.118.34.121/32, and the customer's own NTP and DNS servers. These ranges may change, and ranges may be added or removed in the future; you will be informed if and when this happens and will then need to update your firewall configuration.

From | To | Protocol | Port | Explanation
--- | --- | --- | --- | ---
Phone | Customer's NTP server(s) | UDP | NTP (123) | Time synchronization
Phone | Escaux ranges (listed above) | TCP | SIP over TLS (the port(s) depend on your implementation; ask your project manager which one(s)) | Call signalling
Phone | Escaux ranges (listed above) | UDP | (S)RTP (the port(s) depend on your implementation; ask your project manager which one(s)) | Call voice
Phone | Customer's DNS server(s) | UDP | DNS (53) | Used to convert hostnames to IP addresses
Phone | Escaux ranges (listed above) | TCP | HTTPS (443) | Connection towards the Pure Cloud provisioning domain

net.Buzz connectivity

From | To | Protocol | Port | Explanation
--- | --- | --- | --- | ---
PC client | SOP | TCP | HTTP (80) | Authentication and provisioning
PC client | SOP | TCP | LDAP (389) | Corporate directory via the default LDAP directory (optional)
PC client | Customer's LDAP server | TCP | LDAP (389) | Corporate directory via the customer's LDAP directory (optional)
PC client | SOP | UDP | SIP (5060) | SIP control channel
PC client | secure.counterpath.com (alternatively, but not recommended, 69.90.51.170, 216.93.246.170 and 137.135.52.175) | TCP | HTTPS (443) | Licensing server
SOP | PC client | UDP | SIP (5060) | SIP control channel
PC client | SOP | UDP | RTP (port range 30000-31000 by default) | RTP traffic
SOP | PC client | UDP | RTP (port range 10000-20000 by default) | RTP traffic

ALERT! Network Address Translation is not supported.

Counterpath Eyebeam & Bria connectivity

See the firewall requirements for net.Buzz

Copyright © Escaux SA