Hosted VoIP, Firewall, Security and Network Considerations Administrator Guide Revision 5.0 Document version 1.0, dated August 2017
Frontmatter information

Cloud Direct has taken care to ensure the accuracy and completeness of this document, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein. The information in this document is subject to change without notice.

The Cloud Direct logo and Cloud Direct are registered trademarks of On Direct Business Services Limited. All other trademarks and registered trademarks are the property of their respective owners.

This document and the information in it are provided in confidence, for the sole purpose of managing services provided by Cloud Direct, and may not be disclosed to any third party or used for any other purpose without the express written permission of On Direct Business Services Limited.

Acknowledgements

The content herein is based on the following document provided to Cloud Direct as a service provider and reseller of this product: Wavenet Hosted Voice, Firewall, Security and Network Considerations Administrator Guide, Revision 5.0, 22 December 2015, Wavenet Limited.

The original document remains untouched, with the following exceptions which have been made to ensure a positive experience for customers of Cloud Direct: Where appropriate, contact details and web links amended to reflect Cloud Direct.

Contacting Cloud Direct

For | Phone | To speak with | Alternatively email
Upgrades & additional services. Partnering & referral programs. New product information. 0800 0315966 Sales sales@clouddirect.net Pre-sales enquiries. General enquiries. New service provisioning. Account reviews. 0800 0789437 Customer Services Billing enquiries. Technical support. Setup & usage advice. Password resets. 24/7 support for emergencies. 0800 0789438 Technical Support TechServices@clouddirect.net
Wavenet Hosted Voice Firewall, Security and Network Considerations Administrator Guide Revision 5.0

3 The Green, Stratford Road, Shirley, Solihull, West Midlands B90 4LA
www.wavenetuk.com

Wavenet Limited Firewall Security and Network Considerations Guide Version 5.0 22/12/2015
Copyright Notice

Copyright 2015 Wavenet Ltd. All rights reserved.

Any technical documentation that is made available by Wavenet Limited is proprietary and confidential and is considered the property of Wavenet. This publication is distributed under the Wavenet Non-Disclosure Agreement only. No part of this publication may be duplicated or shared with any other 3rd party without the express written permission of Wavenet, 3 The Green, Stratford Road, Solihull, Shirley, West Midlands, B90 4LA. It is explicitly for the use of contracted partners only. Wavenet reserves the right to make changes without prior notice.
Document Revision History

Release Version | Reason for Change | Date | Author
1.0 | Document Created | 01/01/2010 | Support
2.0 | Update to SIP | 01/02/2011 | Support
2.1 | Branding Change | 01/06/2012 | Support
2.2 | Added MobileOffice details. Added Call Recorder details. Added CRM Connect details. Added Panasonic details. Added Cisco SPA112/122. | 17/09/2012 | Support
2.3 | Updated DNS resolved IP Address to linksys.yourservices.co.uk and soundpoint.yourservices.co.uk | 11/12/2012 | Support
2.4 | Updated csb.yourservices.co.uk to include Cisco SPA 51x IP phones | 18/11/2013 | Support
3.0 | Added an additional IP address (85.119.63.17) for SIP and RTP for IP Phones, ATAs and IADs which use an INTERNET CONNECTION. This new IP address is being introduced to provide for capacity upgrades on the platform. | 18/08/2014 | Support
4.0 | Device added Yealink DECT | 16/10/2015 | Support
5.0 | Updated Applications UC Office Proxy List: Added uk.ic.mobile.hipcom.co.uk. Added uk.ic.56mobile.hipcom.co.uk. Added uk.ic.7mobile.hipcom.co.uk. | 22/12/2015 | Support
Table of Contents

DOCUMENT REVISION HISTORY
1 INTRODUCTION
2 OVERVIEW
3 PORT REQUIREMENTS
3.1 IP Phones, ATA's and IADS's INTERNET CONNECTION
3.2 IP Phones, ATA's and IAD's DIRECT CONNECTION
3.3 Registering SIP IP PBX's and s INTERNET CONNECTION
3.4 Registering SIP IP PBX's and s DIRECT CONNECTION
3.5 Static SIP IP PBXs and s
3.6 Web Portal Access
3.7 Applications
1 Introduction

This document provides an overview of the protocols required for Wavenet Hosted Voice, as well as the ports that are used. Identifying the protocols and ports that are to be used is the first step in designing a security policy using firewalls and/or access control lists (ACLs) to restrict access to only the required ports.

As part of successful Customer Premises Equipment (CPE) deployment and operation, all required devices, features and applications should be located in the sections below and the corresponding LAN/WAN requirements should be implemented and tested.

2 Overview

Not all firewall configurations need ports to be opened. If the customer is running inside-to-outside rules, the ports should be opened to allow the Wavenet Hosted Voice protocols out. There should be no reason for the customer to open ports inbound on the firewall.

IMPORTANT NOTE: If a router and/or firewall is SIP Aware / has a SIP ALG enabled, we recommend that this functionality be turned OFF.

3 Port Requirements

This section identifies all TCP/UDP ports that are required for proper Wavenet Hosted Voice operation. The next sections are broken down by network element and required protocol.

Some sections below are split into INTERNET CONNECTION and DIRECT CONNECTION.

INTERNET CONNECTION means that the device operates with Wavenet Hosted Voice over the Internet, for example from a standard Business DSL Service.

DIRECT CONNECTION means that the device operates via Wavenet Hosted Voice's VPN connectivity service. Wavenet's VPN Connectivity service provides a way to connect your MPLS VPN network to Wavenet next generation voice application.
Some CPE, such as IP PBXs, are broken down into Registering and Non-Registering classifications and operate with specific destination Wavenet Hosted Voice IP addresses.

3.1 IP Phones, ATA's and IADS's INTERNET CONNECTION

Device | Protocol | Destination | Destination Port
uk.ic.hnt.hipcom.co.uk 85.119.63.1 and 85.119.63.17 SIP uk.ic.56hnt.hipcom.co.uk 85.119.63.1 and 85.119.63.17 uk.ic.7hnt.hipcom.co.uk 85.119.63.17 UDP/TCP 5060 to RTP obp.yourservices.co.uk 85.119.60.1 85.119.63.17 85.119.63.1 85.119.60.1
NTP europe.pool.ntp.org UDP / TCP 123
Cisco and Linksys IP Phone / ATA / IAD Cisco SPA112/122 ATA Polycom IP Phone Panasonic IP Phone Yealink DECT
DNS Supplied Locally UDP / TCP 53
HTTP / HTTP / HTTP/ linksys.yourservices.co.uk 85.119.59.8 csb.yourservices.co.uk 85.119.59.19 soundpoint.yourservices.co.uk 85.119.59.22 panasonic.yourservices.co.uk 85.119.59.16 yealink.yourservices.co.uk 85.119.59.44 TCP 80 / TCP 80 / TCP 80 /
Legacy Polycom IP Phone | FTP | 85.119.62.10 | TCP 21

3.2 IP Phones, ATA's and IAD's DIRECT CONNECTION

Device | Protocol | Destination | Destination Port
uk.dc.hnt.hipcom.co.uk 85.119.61.3 SIP uk.dc.56hnt.hipcom.co.uk 85.119.61.3 UDP/TCP 5060 to RTP 85.119.61.3 uk.dc.7hnt.hipcom.co.uk 85.119.61.3
NTP europe.pool.ntp.org UDP / TCP 123
Cisco and Linksys IP Phone / ATA / IAD
DNS Supplied Locally UDP / TCP 53
linksys.yourservices.co.uk 85.119.59.8 Cisco SPA112/122 ATA csb.yourservices.co.uk 85.119.59.19 Panasonic IP Phone Polycom IP Phone HTTP / HTTP / panasonic.yourservices.co.uk 85.119.59.16 soundpoint.yourservices.co.uk 85.119.59.22 TCP 80 / TCP 80 /
3.3 Registering SIP IP PBX's and s INTERNET CONNECTION

Device | Protocol | Destination | Destination Port
uk.ic.sipconnect.hipcom.co.uk 85.119.63.4 SIP RTP obp.yourservices.co.uk 85.119.60.1 85.119.63.4 85.119.60.1 UDP/TCP 5060 to UDP 49152 to 65535
NTP Supplied Locally or europe.pool.ntp.org UDP / TCP 123
DNS Supplied Locally UDP / TCP 53

3.4 Registering SIP IP PBX's and s DIRECT CONNECTION

Device | Protocol | Destination | Destination Port
uk.dc.sipconnect.hipcom.co.uk UDP/TCP 5060 to SIP 85.119.61.4 RTP 85.119.61.4
NTP Supplied Locally or europe.pool.ntp.org UDP / TCP 123
DNS Supplied Locally UDP / TCP 53
3.5 Static SIP IP PBXs and s

Static SIP Trunk IP PBXs and s are issued specific termination details as part of their setup process. With this in mind, the following details are still applicable regardless of the access network type.

Device | Protocol | Destination | Destination Port
UDP/TCP 5060 to SIP Deployment Specific RTP Deployment Specific
NTP Supplied Locally or Europe.pool.ntp.org UDP / TCP 123
DNS Deployment Specific UDP / TCP 53

3.6 Web Portal Access

Web Portal | Protocol | Destination | Destination Port
Call Recorder callrecorder.yourservices.co.uk 85.119.59.2
Service Provisioning Application and portal.yourservices.co.uk 85.119.59.2 Business Portal
3.7 Applications

Application | Protocol | Destination | Destination Port
Toolbar | Proprietary | applications.yourservices.co.uk 85.119.62.3 85.119.62.4 | TCP 2208
Salesforce Connector | Proprietary | applications.yourservices.co.uk 85.119.62.3 85.119.62.4 | TCP 2208
Receptionist | Proprietary | applications.yourservices.co.uk 85.119.62.3 85.119.62.4 | TCP 2208
UC-Connect | SIP | 85.119.62.34 | TCP 5060
CRM Connect | Proprietary | applications.yourservices.co.uk 85.119.62.3 85.119.62.4 | TCP 2208
CRM Connect | | ccusage.yourservices.co.uk 85.119.59.2 |
MobileOffice | | mobileoffice.yourservices.co.uk 85.119.59.2 |
MobileOffice | SIP | uk.ic.hnt.hipcom.co.uk uk.ic.56hnt.hipcom.co.uk 85.119.63.1 85.119.63.17 | UDP/TCP 5060 to
MobileOffice | RTP | 85.119.63.1 85.119.63.17 |
MobileOffice | DNS | Supplied Locally | UDP/TCP 53
MobileOffice | | secure.counterpath.com 64.34.98.132 |
UC Office ucoffice.yourservices.co.uk 85.119.59.31 webcollab.ucoffice.eu
89.149.156.64/27 ucoffice.eu 89.149.156.64/27
UC Office | XMPP | ucoffice.eu 89.149.156.64/27 | TCP 5222 and 1081
UC Office UC Office SIP RTP Desktop: uk.ic.hnt.hipcom.co.uk uk.ic.56hnt.hipcom.co.uk 85.119.63.1 85.119.63.17 Mobile: uk.ic.mobile.hipcom.co.uk uk.ic.56mobile.hipcom.co.uk uk.ic.7mobile.hipcom.co.uk 85.119.63.18 Desktop: uk.ic.hnt.hipcom.co.uk uk.ic.56hnt.hipcom.co.uk 85.119.63.1 85.119.63.17 Mobile: uk.ic.mobile.hipcom.co.uk uk.ic.56mobile.hipcom.co.uk uk.ic.7mobile.hipcom.co.uk 85.119.63.18 UDP/TCP 5060 to
UC Office | DNS | Supplied Locally | UDP/TCP 53
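
The outbound-only policy in section 2 and the destinations in section 3.7 can be checked against firewall flow records. The following is an added example, not part of the Wavenet or Cloud Direct guide; the record format, function names and sample records are constructed for illustration, and only rows whose protocol, destination and port all appear in full in section 3.7 are included.

```python
import ipaddress

# Allowlist transcribed from section 3.7 rows that state protocol, destination
# and port in full. Rows whose port is truncated in the source are left out.
ALLOWED = [
    ("tcp", "85.119.62.3/32", (2208, 2208)),    # Toolbar, Receptionist, CRM Connect
    ("tcp", "85.119.62.4/32", (2208, 2208)),
    ("tcp", "85.119.62.34/32", (5060, 5060)),   # UC-Connect SIP
    ("tcp", "89.149.156.64/27", (5222, 5222)),  # UC Office XMPP
    ("tcp", "89.149.156.64/27", (1081, 1081)),
]
RULES = [(p, ipaddress.ip_network(n), r) for p, n, r in ALLOWED]


def classify(line):
    """Return 'allow', 'deny-inbound' or 'deny-egress' for one flow record.

    Record format (constructed for this example):
    direction,proto,remote_ip,remote_port
    """
    direction, proto, ip, port = [f.strip().lower() for f in line.split(",")]
    if direction != "out":
        # Section 2: there should be no reason to open ports inbound.
        return "deny-inbound"
    addr, port = ipaddress.ip_address(ip), int(port)
    for r_proto, net, (lo, hi) in RULES:
        if proto == r_proto and addr in net and lo <= port <= hi:
            return "allow"
    return "deny-egress"


def audit(lines):
    """Return (record, verdict) for every record the policy would not permit."""
    return [(l, v) for l in lines if (v := classify(l)) != "allow"]


# Constructed sample records; 203.0.113.0/24 is a documentation range.
SAMPLE = [
    "out,tcp,85.119.62.3,2208",
    "out,tcp,89.149.156.70,5222",
    "out,tcp,89.149.156.96,5222",  # first address outside the /27
    "out,udp,85.119.62.34,5060",   # the table lists TCP only for UC-Connect
    "in,udp,203.0.113.9,5060",     # unsolicited inbound SIP
]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE):
        print(verdict, record)
```

Rows such as SIP and RTP for IP phones would be added to ALLOWED once the full port ranges are confirmed with the provider, since the ranges are incomplete in this copy of the guide.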