Firewall Settings required by the SpliceCom SV1000
SIP & RTP
For your SpliceCom SV1000 to connect to your VoIP providers you need to open a number of ports on your firewall and forward them to the SpliceCom SV1000 controller; for security, restrict those ports so that they accept traffic only from your VoIP exchanges.
- Establish the IP addresses used by the exchanges, e.g.:
- Andrews & Arnold IP addresses are listed here: https://support.aa.net.uk/VoIP_Firewall
- The Phone Coop's anti-hack IP address is 217.10.154.189
- Telappliant: port 5060 UDP from 185.158.58.194, and ports 6900-10899 from 77.240.61.160/27 and 77.240.56.32/27
- VoiceFlex range: 93.95.124.0/24
- Set an Open Ports rule and point it to the SpliceCom SV1000 controller.
- These ports should be set to accept traffic only from the exchanges you are using.
- If you have more than one Internet connection, set a routing rule so that traffic to the exchanges goes out via one connection and fails over to the other.
- Only traffic destined for the exchange (from any source) needs this routing rule.
Be careful when setting these rules: there are problems if they are too restrictive.
To function fully and receive updates, the phone system and phones need access to various services on the Internet. These are reached via HTTP, HTTPS, SMTP and time (NTP) requests, so outgoing requests from your SV1000 system and telephones on these ports must NOT be blocked. The hosts that the SpliceCom SV1000 and Yealink phones access include max.splicecom.com, validate.splicecom.com, dmtcp.yealink.com, download.opensuse.org and cn.pool.ntp.org.
DO NOT lock the SpliceCom SV1000 controller to just one of your Internet connections. When that connection fails, CTi may need to remotely access the controller to tell it that it now has a different public IP address, and with restrictive routing that may not be possible.
When a VoIP call is forwarded by the phone system, the call is simply bounced back to the exchange, so your firewall sees a call coming in from and going out to the same address. If your firewall only allows the exchange as the source and the SpliceCom SV1000 controller as the destination, forwarded calls will connect but no speech will flow.
Turn OFF SIP ALG. It is meant to help, but in practice it only gets in the way.
iPCS and SoftPhone
For your remote workers to use the iPCS app or a softphone connected to your SpliceCom SV1000, port 5000 needs to be open without source restriction and forwarded to the SpliceCom Gateway controller for your SpliceCom SV1000 system.
SoftPhone Users with poor connection
Where a remote user has a poor Internet connection they may get poor-quality audio. In that case Navigate Pro can operate using SRTP, which also requires STUN: either use stun.l.google.com on port 19302, or open port 3478 and use the SV1000's own STUN server.
You will need to amend the Open Ports rule to add RTP on 6900-10899, plus 3478 if you choose to use the STUN server on your SpliceCom SV1000.
We recommend restricting access to IP addresses in the UK plus the countries your staff work from, by adding two new firewall rules (see rules 2 & 3 below).
For the user with the poor Internet connection, add the settings on the Soft Phone details page (the green elements below):
- Tick SRTP Enable
- Enter your preferred STUN server
- Enter the port number
- Click Restart
Remote Yealink Phones
If you intend to have people working remotely with a Yealink phone on their desk, without a router-to-router VPN, there are a number of ports that need opening without restriction and forwarding to the SpliceCom SV1000 controller:
| Service | Port | Protocol | Note |
| --- | --- | --- | --- |
| Config Upload | 80 | TCP | |
| HTTPS | 443 | TCP | |
| Secure LDAP | 4100 | TCP/UDP | |
| Secure Centralised Partner | 4018 | TCP/UDP | |
| Secure SIP | 5061 | TCP/UDP | |
| Secure RTP | 6900 to 10899 | TCP/UDP | These ports should now be removed from the Splice Exchanges list. |
| STUN | 3478 | TCP/UDP | Only if you can't use another STUN server. |
For added security these ports should be locked to UK IP addresses only; see our anti-hacking notes for more on this.
CTi Remote Support
For support we access the system via HTTPS on port 443 and SSH on port 22. This can be via NAT; either way, these ports should be locked down to our IP addresses:
| Host | IP address |
| --- | --- |
| giga.cticom.ms | 83.151.200.77 |
| aa.cticom.ms | 81.187.212.167 |
| helpdesk.cticom.ms | 212.159.114.156 |
Do not lock HTTPS (port 443) to our addresses if you have remote Yealink phones, as they use that port too.
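As an added example that is not part of this page or of SpliceCom's or CTi's software, the Python below models the inbound port-forward rules asked for in the SIP & RTP, iPCS and SoftPhone, Remote Yealink Phones and CTi Remote Support sections above, so that a candidate rule set can be checked against the page's requirements before it is typed into a DrayTek or other firewall. The exchange and CTi addresses are the ones listed on this page; the "UK plus staff countries" range is a placeholder documentation network (an assumption, since a real rule would use a GeoIP list), the sample packets are constructed, and the rule names are the example's own.

```python
# Added example, not CTi's or SpliceCom's code: a model of the inbound rule set
# described on this page, so a candidate policy can be checked against the
# page's requirements before it is typed into a real firewall.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

ANY = None  # no source restriction (the page's "open without restriction")


def nets(*cidrs):
    return tuple(ip_network(c) for c in cidrs)


# Exchange source addresses as listed on this page (AAISP publishes its own list).
EXCHANGES = nets(
    "217.10.154.189/32",  # The Phone Coop anti-hack address
    "185.158.58.194/32",  # Telappliant SIP (5060 UDP)
    "77.240.61.160/27",   # Telappliant RTP
    "77.240.56.32/27",    # Telappliant RTP
    "93.95.124.0/24",     # VoiceFlex
)
# CTi remote support hosts as listed on this page.
CTI_SUPPORT = nets("83.151.200.77/32", "81.187.212.167/32", "212.159.114.156/32")
# Assumption: an RFC 5737 documentation range standing in for the "UK plus
# staff countries" GeoIP ranges the page says to use for remote-phone ports.
STAFF_COUNTRIES = nets("198.51.100.0/24")

TCP, UDP, BOTH = frozenset({"tcp"}), frozenset({"udp"}), frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Rule:
    name: str
    protos: frozenset
    first_port: int
    last_port: int
    sources: Optional[tuple]  # tuple of networks, or ANY

    def matches(self, proto: str, dport: int, src: IPv4Address) -> bool:
        if proto not in self.protos or not self.first_port <= dport <= self.last_port:
            return False
        return self.sources is ANY or any(src in net for net in self.sources)


def build_policy(remote_yealink: bool = False) -> list:
    """Port-forward rules to the SV1000, in the order the firewall evaluates them."""
    rules = [
        Rule("SIP from exchanges", UDP, 5060, 5060, EXCHANGES),
        Rule("iPCS / softphone", BOTH, 5000, 5000, ANY),
        Rule("SSH for CTi support", TCP, 22, 22, CTI_SUPPORT),
    ]
    if remote_yealink:
        # Remote Yealink phones need 443 too, so it cannot be locked to CTi alone.
        # RTP moves off the exchanges rule onto the staff-countries rule; the
        # exchanges are added back here only because the placeholder range
        # above does not cover them as a real UK GeoIP list would.
        rules += [
            Rule("HTTPS (phones + CTi)", TCP, 443, 443, STAFF_COUNTRIES + CTI_SUPPORT),
            Rule("Config upload", TCP, 80, 80, STAFF_COUNTRIES),
            Rule("Secure LDAP", BOTH, 4100, 4100, STAFF_COUNTRIES),
            Rule("Secure Centralised Partner", BOTH, 4018, 4018, STAFF_COUNTRIES),
            Rule("Secure SIP", BOTH, 5061, 5061, STAFF_COUNTRIES),
            Rule("Secure RTP", BOTH, 6900, 10899, STAFF_COUNTRIES + EXCHANGES),
            Rule("STUN", BOTH, 3478, 3478, STAFF_COUNTRIES),
        ]
    else:
        rules += [
            Rule("RTP from exchanges", UDP, 6900, 10899, EXCHANGES),
            Rule("HTTPS for CTi support", TCP, 443, 443, CTI_SUPPORT),
        ]
    return rules


def decide(rules, proto: str, dport: int, src: str) -> str:
    """Name of the first rule that admits the packet, or 'drop' (default deny)."""
    addr = ip_address(src)
    for rule in rules:
        if rule.matches(proto, dport, addr):
            return rule.name
    return "drop"


if __name__ == "__main__":
    policy = build_policy()
    # Constructed sample packets: exchange SIP, an unknown scanner, CTi SSH.
    for proto, port, src in [("udp", 5060, "217.10.154.189"),
                             ("udp", 5060, "203.0.113.5"),
                             ("tcp", 22, "83.151.200.77"),
                             ("tcp", 22, "203.0.113.5")]:
        print(f"{proto}/{port} from {src}: {decide(policy, proto, port, src)}")
```

Running `build_policy(remote_yealink=True)` shows the trade-off the page makes when phones are remote: 443 and the RTP range can no longer be locked to CTi or to the exchanges, which is why the text tells you to lock them to country ranges instead. Note that this models the port-forward (DNAT) side only; the outbound HTTP/HTTPS/SMTP/NTP access and the music-on-hold block are separate rules that the model does not cover.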
Other Settings
When you have more than one Internet connection and have set an "All Traffic" rule, the music-on-hold that is sent out to the phones can also end up being streamed out to the Internet. That needs to be stopped with a dedicated firewall rule.
We at CTi Communications Ltd can of course program your DrayTek router for you; for other manufacturers' routers/firewalls please ask an expert in that product.
Notes to help with Fortigate Firewalls.
If you are unable to get the changes made to your existing firewall, you will need a separate Internet connection for your VoIP service with a router that CTi Communications Ltd will manage for you.