Recommended Firewall Settings

Recommended settings for Non-managed/Home Users/BYOB customers

Option 1.) DNS 1 = Use customer's ISP
Option 2.) DNS 1 = Use customer's ISP

Fully redundant service requires a DNS resolver that resolves SRV/NAPTR records. All FQDNs are geo-redundant between our north and south servers, and each resolves to more than one IP/port.

Hosted customers should whitelist the following FQDNs:
south1.hosted.sip.global
south2.hosted.sip.global
blf-south1.hosted.sip.global
blf-south2.hosted.sip.global

north1.hosted.sip.global
north2.hosted.sip.global
blf-north1.hosted.sip.global
blf-north2.hosted.sip.global

generic-south.hosted.sip.global
generic-north.hosted.sip.global

mobile.hosted.sip.global

tls-south1.hosted.sip.global

tls-north1.hosted.sip.global



SIP Trunking customers should whitelist the following FQDN:
reg-gw.hosted.sip.global



A DNS service such as OpenDNS or your ISP's DNS can be used if you are not managing your own DNS server.

If you do manage your own DNS server, please make sure it is SRV/NAPTR capable.

Make sure the following feature is turned OFF, whatever name your firewall uses for it:
SIP Inspection, SIP Transformations, SIP Aware, SIP ALG, SIP/Session Helper, or SIP Passive (disable any version of this)

UPnP should be disabled.

Network QoS (quality of service) should be configured to prioritize the traffic for your phones over data traffic. Specifically, we use DSCP value 46, also known as EF (expedited forwarding).

Enable and open the following UDP and TCP ports and IP ranges:
80
443
XMPP port: 5222

Note: The following ports not only need to be open for UDP and TCP, but the pinhole timeout value also needs to be updated from 30 to 300.

5060
5061
5075
5077
4444
44444

The following ports are used at random to set up RTP streams for audio/media/voice paths:

RTP Port Range: 1024 to 65535 (random)

All of these IP ranges need to be open as well for services provided by Inteliquent/Voyant to function properly:

Network            POP       Usage
198.174.211.0/24   Plymouth  ATLAS and Provisioning
198.74.62.80/28    Plymouth  Configuration servers
198.174.62.0/24    Plymouth  DMZ can include USS/UMS, XSPs for Device management and Clients, etc
137.192.1.0/24     Plymouth  DMZ can include USS/UMS, XSPs for Device management and Clients, etc
137.192.76.0/24    Dallas    DMZ can include USS/UMS, XSPs for Device management and Clients, etc
137.192.77.0/24    Dallas    DMZ can include USS/UMS, XSPs for Device management and Clients, etc
204.220.52.0/24    Plymouth  DMZ can include USS/UMS, XSPs for Device management and Clients, etc
204.220.62.0/24    Dallas    DMZ can include USS/UMS, XSPs for Device management and Clients, etc
206.144.2.0/24     Plymouth  DMZ can include USS/UMS, XSPs for Device management and Clients, etc
206.144.244.0/24   Dallas    DMZ can include USS/UMS, XSPs for Device management and Clients, etc
137.192.78.0/24    Dallas    SBC 6300 Carrier and Access
137.192.80.0/24    Plymouth  SBC 6300 Carrier and Access



subnet:
255.255.255.240 = /28
255.255.255.0 = /24
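
Added example (not Inteliquent/Voyant's own code): a Python audit that checks an exported allow list against the networks and ports listed on this page and flags any rule that opens a port range to addresses outside the listed ranges. The rule tuple format and the sample rules are constructed; it assumes IPv4 rules and that media and signaling only need to reach the listed networks, which the page does not state explicitly.

```python
import ipaddress

# Networks and ports copied from this page.
PROVIDER_NETS = [ipaddress.ip_network(n) for n in (
    "198.174.211.0/24", "198.74.62.80/28", "198.174.62.0/24", "137.192.1.0/24",
    "137.192.76.0/24", "137.192.77.0/24", "204.220.52.0/24", "204.220.62.0/24",
    "206.144.2.0/24", "206.144.244.0/24", "137.192.78.0/24", "137.192.80.0/24")]
FIXED_PORTS = (80, 443, 5222, 5060, 5061, 5075, 5077, 4444, 44444)
RTP_RANGE = (1024, 65535)


def audit(rules):
    """Audit allow rules given as (remote_cidr, first_port, last_port) tuples.

    The tuple format is hypothetical; export your firewall's rules into it.
    Returns (missing, too_broad):
      missing   - (network, port or range) pairs from this page that no rule allows
      too_broad - rules opening a port range to addresses outside the listed networks
    """
    parsed = [(ipaddress.ip_network(c), lo, hi) for c, lo, hi in rules]

    def allowed(net, lo, hi):
        # One rule must cover the whole network and the whole port span.
        return any(net.subnet_of(r) and rlo <= lo and hi <= rhi
                   for r, rlo, rhi in parsed)

    missing = []
    for net in PROVIDER_NETS:
        for port in FIXED_PORTS:
            if not allowed(net, port, port):
                missing.append((str(net), port))
        if not allowed(net, *RTP_RANGE):
            missing.append((str(net), RTP_RANGE))

    too_broad = [(str(r), lo, hi) for r, lo, hi in parsed
                 if hi > lo and not any(r.subnet_of(n) for n in PROVIDER_NETS)]
    return missing, too_broad


# Constructed sample: one network scoped correctly, plus a catch-all RTP rule.
SAMPLE_RULES = [
    ("137.192.78.0/24", 80, 80),
    ("137.192.78.0/24", 443, 443),
    ("137.192.78.0/24", 1024, 65535),
    ("0.0.0.0/0", 1024, 65535),
]
```

With the catch-all rule present, calls on the high ports work everywhere, which is why it tends to survive; the audit still reports it in too_broad so it can be replaced by per-network rules.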