Firewall Settings required by the SpliceCom SV1000
SIP & RTP
For your SpliceCom SV1000 to connect to your VoIP providers you need to open some ports in your firewall and point them to the SpliceCom SV1000 controller, and for security lock access to just your VoIP exchanges.
- Establish the IP addresses used by the exchanges ie:
- Andrews & Arnold IP addresses are listed here https://support.aa.net.uk/VoIP_Firewall
- The Phone Coop's anti-hack IP address is 217.10.154.189
- Set an Open Ports rule and Point it to the SpliceCom SV1000 controller
- These ports should be set to only accept traffic from the exchanges
- If you have more than one Internet connection you need to set a rule so any traffic to the exchanges goes out via one and will fail over to the other.
- It is only traffic to the exchange from any source that need the rule
Be careful setting these rule as there are problems if the rules are too restrictive
To function fully and recive updates the phone system and phones need access to various service on the Internet, these are accessed via http, https, SMTP & TIME requests, outgoing requests from your SV1000 system and telephones on these ports must NOT be blocked. The list that the SpliceCom SV1000 and Yealink phones access includes max.splicecom.com, validate.splicecom.com, dmtcp.yealink.com, download.opensuse.org, cn.pool.ntp.org.
DO NOT lock the SpliceCom SV1000 controller to just use one of your Internet connections, as when that connection fails, CTi may need to remotely access the SpliceCom SV1000 controller to tell it that it now has a different Public IP address but with restrictive routing that may not be possible.
When VoIP call is forwarded by a phone system, it just bounces the information back to the exchange. Your firewall sees a call coming in from and going out to the same place. If your firewall only has the exchange set as a source, and the SpliceCom SV1000 controller as destination the call will connect but no speech will flow on forwarded calls.
Turn OFF SIP ALG, this meant to help, but only gets in the way.
iPCS and SoftPhone
For your remote workers to use the iPCS app or a softphone connected to your SpliceCom SV1000 port 5000 needs to be open without restriction and pointing to the SpliceCom Gateway controller for your SpliceCom SV1000 system.
Remote Yealink Phones
If you intend to have people working remotely with a Yealink phone on their desk without a router to router VPN then there are a number of ports that need opening without restriction and pointed to the SpliceCom SV1000 controller
| Config Upload | 80 | TCP |
| HTTPS | 443 | TCP |
| Secure LDAP | 4100 | TCP/UDP |
| Secure Centralised Partner | 4018 | TCP/UDP |
| Secure SIP | 5061 | TCP/UDP |
| Secure RTP | 6900 to 8899 | TCP/UDP these ports should now be removed from the Splice Exchanges list. |
CTi Remote Support
For support we access the system via https on port 443 and SSH on port 22, this can be via NAT either way these should be locked down to our IP addresses:
| giga.cticom.ms | 83.151.207.90 |
| aa.cticom.ms | 81.187.212.167 |
Do not lock https if you have remote Yealink phones.
Other Settings
When you have more than one Internet connection & have set an "All Traffic" rule, as well as the Music-on-hold being sent out to the phones that can result in it also being streamed out to the Internet. So that needs to be stopped with a Firewall rule:
Obviously we at CTi Communications Ltd, can program your Draytek router for you, for other manufactures router/firewalls please ask an expert in that product.
Notes to help with Fortigate Firewalls.
If you are unable to get the changes made to your existing firewall then you will need a separate Internet connection for your VoIP service with a router that CTi Communications Ltd will manage for you.
