Cti Communications Ltd

Firewall Settings required by the SpliceCom SV1000

SIP & RTP

For your SpliceCom SV1000 to connect to your VoIP providers, you need to open some ports in your firewall and point them to the SpliceCom SV1000 controller. For security, lock access to just your VoIP exchanges.

  1. Establish the IP addresses used by the exchanges ie:
  2. Set an Open Ports rule and point it to the SpliceCom SV1000 controller
    • These ports should be set to only accept traffic from the exchanges
  3. If you have more than one Internet connection, you need to set a rule so that any traffic to the exchanges goes out via one connection and will fail over to the other.
    • It is only traffic to the exchange, from any source, that needs the rule
Ports Locked to VoIP Exchanges

Be careful setting these rules, as there are problems if the rules are too restrictive.

To function fully and receive updates, the phone system and phones need access to various services on the Internet. These are accessed via http, https, SMTP and TIME requests; outgoing requests from your SV1000 system and telephones on these ports must NOT be blocked. The list that the SpliceCom SV1000 and Yealink phones access includes max.splicecom.com, validate.splicecom.com, dmtcp.yealink.com, download.opensuse.org, cn.pool.ntp.org.

DO NOT lock the SpliceCom SV1000 controller to just one of your Internet connections. When that connection fails, CTi may need to remotely access the SpliceCom SV1000 controller to tell it that it now has a different public IP address, and with restrictive routing that may not be possible.

When a VoIP call is forwarded by a phone system, it just bounces the information back to the exchange. Your firewall sees a call coming in from and going out to the same place. If your firewall only has the exchange set as a source and the SpliceCom SV1000 controller as the destination, the call will connect but no speech will flow on forwarded calls.

Turn OFF SIP ALG. This is meant to help, but only gets in the way.


iPCS and SoftPhone

For your remote workers to use the iPCS app or a softphone connected to your SpliceCom SV1000, port 5000 needs to be open without restriction and pointing to the SpliceCom Gateway controller for your SpliceCom SV1000 system.

iPCS Ports

Remote Yealink Phones

If you intend to have people working remotely with a Yealink phone on their desk without a router-to-router VPN, then there are a number of ports that need opening without restriction and pointing to the SpliceCom SV1000 controller:

Service                      Port           Protocol
Config Upload                80             TCP
HTTPS                        443            TCP
Secure LDAP                  4100           TCP/UDP
Secure Centralised Partner   4018           TCP/UDP
Secure SIP                   5061           TCP/UDP
Secure RTP                   6900 to 8899   TCP/UDP   (these ports should now be removed from the Splice Exchanges list)
Yealink Ports

CTi Remote Support

For support we access the system via https on port 443 and SSH on port 22. This can be via NAT. Either way, these should be locked down to our IP addresses:

giga.cticom.ms   83.151.207.90
aa.cticom.ms     81.187.212.167

Do not lock https if you have remote Yealink phones.

Support Ports
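
The inbound rules described above can be checked mechanically. The following is an added example, not CTi's or SpliceCom's code: it audits a list of port forwards to the controller against the guidance on this page. The rule format (src, lo, hi), the function names and the sample rules are assumptions made for illustration, and a range only counts as covered when a single rule spans all of it.

```python
import ipaddress

# From the page: CTi support addresses and the remote Yealink port table.
CTI_SUPPORT = {ipaddress.ip_network("83.151.207.90"),
               ipaddress.ip_network("81.187.212.167")}
ANY = ipaddress.ip_network("0.0.0.0/0")
YEALINK_PORTS = [(80, 80), (443, 443), (4100, 4100), (4018, 4018),
                 (5061, 5061), (6900, 8899)]

def sources_for(rules, lo, hi):
    """Source networks of rules that forward the whole range lo..hi."""
    return {ipaddress.ip_network(r["src"]) for r in rules
            if r["lo"] <= lo and hi <= r["hi"]}

def audit(rules, remote_yealink=False, remote_ipcs=False):
    """Compare inbound forwards to the controller with the page's guidance."""
    findings = []
    # SSH is for CTi support only; https too, unless remote Yealink phones
    # need it open.
    locked = [22] if remote_yealink else [22, 443]
    for port in locked:
        src = sources_for(rules, port, port)
        if not src:
            findings.append(f"{port}: no rule, CTi support cannot connect")
        elif not src <= CTI_SUPPORT:
            findings.append(f"{port}: open to sources other than CTi support")
    # Remote phones and apps arrive from arbitrary addresses, so these ports
    # must be forwarded without a source restriction.
    open_ranges = (YEALINK_PORTS if remote_yealink else []) + \
                  ([(5000, 5000)] if remote_ipcs else [])
    for lo, hi in open_ranges:
        if ANY not in sources_for(rules, lo, hi):
            findings.append(f"{lo}-{hi}: must be open without restriction")
    return findings

# Constructed sample in a hypothetical rule format (not a router export).
SAMPLE_RULES = [
    {"src": "83.151.207.90", "lo": 22, "hi": 22},
    {"src": "81.187.212.167", "lo": 22, "hi": 22},
    {"src": "83.151.207.90", "lo": 443, "hi": 443},
    {"src": "0.0.0.0/0", "lo": 5000, "hi": 5000},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, remote_yealink=True):
        print(line)
```

With the sample rules, the audit is clean for a site with no remote Yealink phones and reports every Yealink port, https included, once remote_yealink is set.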

Other Settings

When you have more than one Internet connection and have set an "All Traffic" rule, the Music-on-hold that is sent out to the phones can also end up being streamed out to the Internet. That needs to be stopped with a firewall rule:

Block MoH Ports

Obviously we at CTi Communications Ltd can program your Draytek router for you. For other manufacturers' routers/firewalls, please ask an expert in that product.

Notes to help with Fortigate Firewalls.

If you are unable to get the changes made to your existing firewall then you will need a separate Internet connection for your VoIP service with a router that CTi Communications Ltd will manage for you.


