Jamvee Unified Communications Enterprise Firewall/Proxy Server Guidelines
This guide provides information required to provision the corporate Internet firewall and proxy servers to ensure the enterprise network has been properly configured to allow internal endpoints/devices within the enterprise network to access the jamvee Unified Communications Service.

Contents:
  TCP/UDP Port configuration needed for jamvee UC service
    Jamvee UC Desktop (PC/Mac), Mobile (iOS) and Guest (PC/Mac) app
    WebRTC app (Google Chrome browser access)
    Video Conferencing (VC) endpoints
    Federated Microsoft Skype for Business* connections
  Proxy Server Domain Enablement
    Proxy server configuration
Figure 1: Jamvee Unified Communications: Firewall settings
TCP/UDP Port configuration needed for the jamvee UC service

In order to properly prepare for providing internal enterprise users with access to the jamvee Unified Communications Service, your organization will need to open the following ports on the corporate network firewall, depending on the access methods and clients you require.

Jamvee UC Desktop (PC/Mac), Mobile (iOS) and Guest (PC/Mac) app

The following ports need to be allowed for OUTGOING & on the corporate firewall:

Jamvee Services
  XMPP Service (access to jamvee Edge Server for jamvee UC Apps): 5222 TCP - XMPP Client
  TURN Service (used to locate nearest jamvee Edge Server): 3478 UDP - STUN Signalling + Tunnelled Media
  Media: 50,000-51,000

Jamvee UC Signalling and Media IP Address Ranges
  New York: 64.86.68.0/23
  Singapore: 180.87.138.0/23
  London: 195.219.126.0/23
  Sydney: 180.87.117.0/24

Figure 1: jamvee UC icon
Figure 2: jamvee UC login screen
Figure 3: Example of jamvee UC app in operation
WebRTC app (Google Chrome browser access)

There are two methods available to enable jamvee UC communications using the Google Chrome browser-based WebRTC app in an enterprise environment: UDP-based and TCP-based.

UDP Access Method:

The following ports need to be allowed for OUTGOING & on the corporate firewall:

Jamvee Services
  Web Service (access to jamvee Edge Server for jamvee UC Apps):
    80 TCP - HTTP (non-secure conferences)
    443 TCP - HTTPS (secure conferences)
    5222 TCP - For User sign-in support, not Guest access
  TURN Service (used to locate closest jamvee Edge Server): 3478 UDP - STUN Signalling + Tunnelled Media
  Media: 50,000-51,000

The jamvee Signalling and Media IP addresses must be used. Please see the Signalling and Media IP address table below.

TCP Access Method:

The following ports need to be allowed for OUTGOING & on the corporate firewall:

Jamvee Services - Firewall Ports
  80 TCP - HTTP (non-secure conferences)
  443 TCP - HTTPS (secure conferences)
  5222 TCP - For User sign-in support, not Guest access

The jamvee Signalling and Media IP addresses must be used. Please see the Signalling and Media IP address table below.

Signalling and Media IP addresses (required for both methods)

Jamvee UC Signalling and Media IP Address Ranges
  New York: 64.86.68.0/23
  Singapore: 180.87.138.0/23
  London: 195.219.126.0/23
  Sydney: 180.87.117.0/24

Figure 4: Runs within Chrome browser
Video Conferencing (VC) endpoints

In order to provide internal enterprise users with access to the jamvee Unified Communications service using the VC endpoints and without an SBC, the following ports need to be opened on the corporate network firewall [1].

Note: The below does not apply to non-VC endpoints (i.e. Jamvee UC Desktop, Mobile, Guest App clients, WebRTC app clients in the Google Chrome browser, MS Lync).

Jamvee UC Services

VC H.323 Gateway Service (using H.323 endpoints to access the service)
  Signalling Ports
    UDP 1719 H323ls
    TCP 1720 H323cs
    TCP 15,000 to 19,999 (H.225/Q.931/H.245)
  Media Ports
    UDP 1024-65,535 RTP/RTCP (SIP or SIP & H323)
    UDP 50,000-52,399 RTP (H323 Only)

VC/TP SIP Gateway Service (using SIP endpoints to access the service)
  Signalling Ports
    TCP 5060 (SIP)
    UDP 5060 (SIP)
    TCP 5061 (SIP/TLS)
  Media Ports
    UDP 1024-65535 RTP/RTCP (SIP or SIP & H323)

Jamvee Signalling & Media IP Addresses
  New York: 64.86.68.0/23
  Mumbai: 115.114.63.0/24
  Singapore: 180.87.138.0/23
  London: 195.219.126.0/23
  Sydney: 180.87.117.0/24

Some examples of supported VC endpoints

Latest compatibility list available at: https://enterprise.jamvee.com/partners/enterprise.jamvee.com/resources/jamveeuc_compatibility_list.pdf

[1] Please note in most cases these ports would already be open if your organization already provides outbound Internet dialing for the VC estate.
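The H.323 media range above spans nearly the whole UDP port space, so the allow rules should be tied to the listed Jamvee destination ranges rather than to any destination. The following is an added example, not part of the Jamvee guide: a small audit of a proposed egress rule set against the H.323 table. The rule tuple format, the function names audit and sample_rules, and the sample rule set are assumptions made for illustration.

```python
import ipaddress

# Destination ranges and H.323 ports copied from the VC endpoints tables above.
JAMVEE_RANGES = [ipaddress.ip_network(c) for c in (
    "64.86.68.0/23", "115.114.63.0/24", "180.87.138.0/23",
    "195.219.126.0/23", "180.87.117.0/24")]
H323_REQUIRED = [  # (protocol, first port, last port)
    ("udp", 1719, 1719), ("tcp", 1720, 1720), ("tcp", 15000, 19999),
    ("udp", 1024, 65535), ("udp", 50000, 52399)]

def audit(rules, required=H323_REQUIRED, ranges=JAMVEE_RANGES):
    """rules: egress allows as (protocol, first port, last port, destination CIDR).
    Returns (rules that reach outside the Jamvee ranges, requirements not met).
    Simplification: a requirement counts as met only if one single rule covers
    its whole port range and the whole Jamvee range; rules are not merged."""
    parsed = [(p, lo, hi, ipaddress.ip_network(dst)) for p, lo, hi, dst in rules]
    too_broad = [(p, lo, hi, str(net)) for p, lo, hi, net in parsed
                 if not any(net.subnet_of(r) for r in ranges)]
    missing = []
    for proto, lo, hi in required:
        for r in ranges:
            covered = any(p == proto and rlo <= lo and hi <= rhi and r.subnet_of(net)
                          for p, rlo, rhi, net in parsed)
            if not covered:
                missing.append((proto, lo, hi, str(r)))
    return too_broad, missing

def sample_rules():
    """Constructed rule set: correctly scoped rules for every range except
    Mumbai, plus a media rule opened to any destination."""
    rules = [(p, lo, hi, str(r)) for p, lo, hi in H323_REQUIRED
             for r in JAMVEE_RANGES if str(r) != "115.114.63.0/24"]
    rules.append(("udp", 1024, 65535, "0.0.0.0/0"))
    return rules

if __name__ == "__main__":
    too_broad, missing = audit(sample_rules())
    print("reaches outside Jamvee ranges:", too_broad)
    print("required but not allowed:", missing)
```

On the constructed rule set, the any-destination media rule is reported as too broad, while it also hides the missing UDP coverage for Mumbai; only the two TCP signalling entries for that range show up as missing.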
Federated Microsoft Skype for Business* connections

The jamvee Unified Communications service leverages and requires standard Microsoft Skype for Business (SfB)/Lync federation with an external enterprise Skype for Business/Lync Edge Server. Once you have provisioned and integrated the SfB/Lync Edge Server with the internal Lync deployment, all the necessary firewall/proxy server settings are part of that architecture. Provisioning and setting the federation architecture within the enterprise perimeter network (DMZ) is the responsibility of the customer. There is nothing additional that is required for federated Lync access to jamvee, other than provisioning the SfB/Lync Edge Server to federate with the jamvee Unified Communications service (if required).

Please note that a separate document is available that covers Microsoft SfB/Lync federation to the jamvee Unified Communications platform.

Jamvee Signalling & Media IP Addresses
  New York: 64.86.68.0/23
  Singapore: 180.87.138.0/23
  London: 195.219.126.0/23
  Sydney: 180.87.117.0/24

Signalling Ports
  TCP 5061
  TCP 443
  UDP 3478

Media Ports**
  RTP (TCP & UDP) 50,000-59,999

** Required range by Microsoft for Lync Federated traffic

For more details on Microsoft Lync federation please read the separate guide available: https://enterprise.jamvee.com/partners/enterprise.jamvee.com/resources/jamveeuc_lync_federation.pdf
Proxy Server Domain Enablement

If the enterprise is using a proxy server to block internet access for internal users, in addition to opening the required firewall ports in the IP ports tables, the following DNS Domains must be enabled in the proxy server:

Jamvee Access Gateways Domain / DNS Domains: list of DNS domains/subdomains used to access the jamvee Unified Communications Service
  jamvee.com - standard jamvee domain for access with a specified Call-ID (i.e. with a URI or URL)
  join.jamvee.com - access with prompted Call-ID
  lyncfed.jamvee.com - access edge service (FQDN) for Lync federation (only for Lync federation provisioning)

Proxy server configuration

The PC, iOS and Mac Clients use standard XMPP for the connection, while the associated media utilises a TURN server. Therefore, if the proxy server supports XMPP, your IT department will need to determine what settings need to be configured on the proxy server to support this arrangement.