In the ideal situation a separate VLAN or network is set up for VoIP, with the data network and the VoIP network each having their own port on the router or firewall and their own subnet. For security, a firewall that can detect and ignore port scans is recommended. VoIP devices do not need general internet access: reachability of DNS, NTP, the Cloudoe platform and Device Provisioning is sufficient, and everything else can be blocked.
Nothing needs to be opened inbound; static NAT or static port forwarding (PAT) is in fact discouraged. The required port mappings are created automatically by the firewall as soon as a CPE performs a SIP registration. At that moment the firewall creates a dynamic PAT session, and our SBCs record in a table the public IP address and port range on which that CPE is reachable. To keep this session alive in the firewall, the devices send 'keep-alive' messages. This prevents the firewall from expiring the dynamic port on inactivity, so the device remains reachable for incoming calls at all times.
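The policy described above (phones may reach DNS, NTP, the platform SBCs and provisioning, nothing else, and nothing is opened inbound) is shown below as an added example, not as Cloudoe's own configuration. The hostnames and ports are taken from the port tables further down this page; the VoIP subnet, the resolver and NTP addresses, the interface name and the addresses the SBC names resolve to are constructed assumptions for the example.

```python
"""Egress allowlist for a dedicated VoIP VLAN, modelled in Python.

Added example, not Cloudoe code. It encodes the policy the text describes:
phones may reach DNS, NTP, the platform SBCs and device provisioning, nothing
else, and nothing is opened inbound. Hostnames and ports come from the port
tables on this page; the VLAN subnet, the resolver and NTP addresses, the
interface name and the resolved SBC addresses are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Site-specific assumptions (not from the page) --------------------------
VOIP_VLAN = ip_network("10.20.30.0/24")   # VoIP subnet on its own firewall port
RESOLVER = "10.0.0.53"                    # internal DNS forwarder
NTP_SERVER = "10.0.0.123"                 # internal NTP server
RESOLVED = {                              # constructed; a real firewall uses FQDN objects
    "sbc.icvoip.net": "198.51.100.10",
    "sbc-trunk.icvoip.net": "198.51.100.20",
    "d.voice2000.com": "198.51.100.30",
}

# --- Destinations and ports taken from the page's tables -------------------
SIP_PORTS = {
    "sbc.icvoip.net": {("udp", 5060), ("tcp", 5060), ("tcp", 5061),
                       ("udp", 5080), ("tcp", 5080), ("tcp", 5081)},
    "sbc-trunk.icvoip.net": {("udp", 5060), ("tcp", 5060), ("tcp", 5061),
                             ("udp", 5090), ("tcp", 5090), ("tcp", 5091)},
}
RTP_RANGE = (40000, 65000)                # (s)RTP over UDP towards the same SBCs
PROVISIONING = {"d.voice2000.com": {("tcp", 443)}}   # Yealink provisioning host


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def _host_for(addr: str):
    return next((h for h, a in RESOLVED.items() if a == addr), None)


def evaluate(flow: Flow) -> str:
    """Verdict for the first packet of a new session through the VoIP firewall.

    Replies to an allowed session are handled by connection tracking (the
    dynamic PAT session the text describes), so no inbound rule is needed and
    none exists: any unsolicited packet towards the VLAN is dropped.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in VOIP_VLAN:
        return "deny: no inbound rules; replies ride the dynamic PAT session"
    if src not in VOIP_VLAN:
        return "deny: not sourced from the VoIP VLAN"
    key = (flow.proto, flow.dport)
    if flow.dst == RESOLVER and key in {("udp", 53), ("tcp", 53)}:
        return "allow: DNS"
    if flow.dst == NTP_SERVER and key == ("udp", 123):
        return "allow: NTP"
    host = _host_for(flow.dst)
    if host in SIP_PORTS and key in SIP_PORTS[host]:
        return f"allow: SIP signalling to {host}"
    if host in SIP_PORTS and flow.proto == "udp" and RTP_RANGE[0] <= flow.dport <= RTP_RANGE[1]:
        return f"allow: RTP media to {host}"
    if host in PROVISIONING and key in PROVISIONING[host]:
        return f"allow: provisioning to {host}"
    return "deny: default (no general internet access for phones)"


def render_nftables(iface: str = "vlan30") -> str:
    """Render the same policy as an nftables forward chain (iface is assumed)."""
    pre = f"iifname {iface} ip saddr {VOIP_VLAN}"
    lines = [
        "table inet voip {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    {pre} ip daddr {RESOLVER} meta l4proto {{ udp, tcp }} th dport 53 accept",
        f"    {pre} ip daddr {NTP_SERVER} udp dport 123 accept",
    ]
    for host, ports in SIP_PORTS.items():
        addr = RESOLVED[host]
        for proto in ("udp", "tcp"):
            plist = ", ".join(str(p) for pr, p in sorted(ports) if pr == proto)
            lines.append(f"    {pre} ip daddr {addr} {proto} dport {{ {plist} }} accept  # {host} SIP")
        lines.append(f"    {pre} ip daddr {addr} udp dport {RTP_RANGE[0]}-{RTP_RANGE[1]} accept  # {host} RTP")
    for host, ports in PROVISIONING.items():
        for proto, port in sorted(ports):
            lines.append(f"    {pre} ip daddr {RESOLVED[host]} {proto} dport {port} accept  # {host}")
    lines += [f'    {pre} log prefix "voip-egress-drop " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in (Flow("10.20.30.15", "198.51.100.10", "udp", 5060),
              Flow("10.20.30.15", "198.51.100.10", "udp", 41234),
              Flow("10.20.30.15", "8.8.8.8", "tcp", 443),
              Flow("203.0.113.7", "10.20.30.15", "udp", 5060)):
        print(f, "->", evaluate(f))
    print(render_nftables())
```

Two points worth checking on a real firewall: the rendered rules pin the SBC addresses, so they must be refreshed when the names re-resolve (or be expressed as FQDN objects where the product supports that), and the Linux counterpart of a SIP ALG, the nf_conntrack_sip helper, is only attached to traffic when a rule explicitly assigns it with `ct helper`; the ruleset above deliberately contains no such rule.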
The NAT behaviour of the firewall or router determines the reachability and stability of the media streams (RTP). Once a call is set up, the audio must be able to flow unhindered between the device and the platform.
Recommended NAT types
For reliable operation of both SIP and RTP traffic, Loose NAT or Full Cone NAT is strongly recommended. Strict or symmetric NAT configurations are a risk: they can block media traffic or result in 'one-way audio' (where only one party hears the other). Note that Full Cone NAT accepts packets on an open mapping from any external source, which is one more reason to restrict the VoIP network's traffic to the platform addresses listed below rather than to allow general internet access.
Support for Symmetric Media
To bridge most NAT scenarios, the Cloudoe platform supports symmetric RTP behaviour (also called symmetric media). This means the platform only starts its outbound media stream once it has received the first RTP packets from the customer location (the PBX or the device). The platform uses those incoming packets to determine the public IP address and port to which the audio must be sent back (strictly speaking this is RTP latching; it relies on the device itself using symmetric RTP, i.e. sending from the same port on which it listens). Although this resolves many NAT problems, Loose / Full Cone NAT remains the preferred option for maximum compatibility.
Recommended configuration:
Disable SIP ALG: this feature on routers and firewalls frequently rewrites SIP packets incorrectly, leading to dropped calls or registration failures.
Use Loose NAT / Full Cone NAT: this keeps the port mapping predictable across different destinations.
Local SBC: consider deploying a local Session Border Controller for media handling in complex network environments or multi-tenant setups.
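The following added example (not Cloudoe code) models why the NAT type matters and what the symmetric media behaviour described above buys you. It is a toy NAT with the mapping and filtering behaviours from RFC 4787, a phone that learns its public address by sending to a STUN server (an assumption about the device; any other discovery method has the same problem under symmetric NAT) and advertises it in SDP, and an SBC that either sends to the advertised address or latches onto the source of the phone's first RTP packet. All addresses are constructed.

```python
"""Why NAT mapping behaviour decides whether RTP arrives, and what latching fixes.

Added example (not Cloudoe code): a toy NAT with the mapping/filtering
behaviours from RFC 4787, a phone that discovers its public address via STUN
(assumption about the device), and an SBC that either trusts the advertised
SDP address or latches onto the source of the phone's first RTP packet (the
"symmetric media" behaviour described above). All addresses are constructed.
"""

EI = "endpoint_independent"         # full cone / "loose" NAT
AD = "address_dependent"            # restricted cone (filtering only)
APD = "address_and_port_dependent"  # symmetric NAT


class Nat:
    """Port-translating NAT. `mapping` decides whether one internal socket
    gets one external port (EI) or a new one per destination (APD).
    `filtering` decides which external sources may use that port inbound."""

    def __init__(self, public_ip, mapping, filtering, first_port=30000):
        self.public_ip, self.mapping, self.filtering = public_ip, mapping, filtering
        self._next, self._map, self._ext = first_port, {}, {}

    def outbound(self, internal, dest):
        """Phone sends from `internal` to `dest`; returns the public (ip, port)."""
        key = internal if self.mapping == EI else (internal, dest)
        if key not in self._map:
            self._map[key] = self._next
            self._ext[self._next] = (internal, set())
            self._next += 1
        port = self._map[key]
        self._ext[port][1].add(dest)            # remember peers for filtering
        return (self.public_ip, port)

    def inbound(self, ext_port, src):
        """Packet from `src` to our public port; returns the internal socket or None."""
        if ext_port not in self._ext:
            return None                          # no mapping at all
        internal, peers = self._ext[ext_port]
        if self.filtering == EI:
            return internal                      # full cone: anyone may send here
        if self.filtering == AD and any(src[0] == p[0] for p in peers):
            return internal
        if self.filtering == APD and src in peers:
            return internal
        return None                              # dropped by filtering


def simulate(mapping, filtering, latching):
    """Return (phone_to_sbc_arrives, sbc_to_phone_arrives) for one call leg."""
    nat = Nat("203.0.113.10", mapping, filtering)
    phone_rtp = ("192.168.1.20", 11784)          # phone RTP socket; symmetric RTP: same port in and out
    stun = ("198.51.100.5", 3478)
    sbc_media = ("198.51.100.10", 40002)         # SBC media socket, in the page's 40000-65000 range

    # 1. Phone learns a public address via STUN and advertises it in SDP.
    advertised = nat.outbound(phone_rtp, stun)
    # 2. Phone starts sending RTP to the SBC; the SBC sees the real source.
    observed = nat.outbound(phone_rtp, sbc_media)
    phone_to_sbc = True                          # the outbound direction is never the problem
    # 3. SBC sends media either to the SDP address or to the observed source.
    target = observed if latching else advertised
    sbc_to_phone = nat.inbound(target[1], sbc_media) == phone_rtp
    return phone_to_sbc, sbc_to_phone


if __name__ == "__main__":
    for mapping, filtering, latching in [(EI, EI, False), (EI, AD, False),
                                         (APD, APD, False), (APD, APD, True)]:
        verdict = "two-way" if all(simulate(mapping, filtering, latching)) else "ONE-WAY AUDIO"
        print(f"{mapping:27} {filtering:27} latching={latching!s:5} {verdict}")
```

Under symmetric NAT the port the phone learned towards the STUN server is not the port it uses towards the SBC, so media sent to the advertised address is filtered and only the phone-to-SBC direction works: the one-way audio the text warns about. Latching onto the observed source fixes that leg, but only after the phone has sent its first packet. The model also shows the trade-off of the recommended full cone behaviour: `inbound` accepts from any source once the mapping exists, so the egress allowlist for the VoIP network is what limits that exposure.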
| Host | SIP | SIP Alternative | SIP Alt 2 | SIP Alt 3 | (s)RTP |
|---|---|---|---|---|---|
| sbc.icvoip.net | UDP-TCP/5060, TLS/5061 | UDP-TCP/5080, TLS/5081 | | | UDP/40000-65000 |
| sbc-bria.icvoip.net | UDP-TCP/5060, TLS/5061 | UDP-TCP/5075, TLS/5076 | | | UDP/40000-65000 |
| osbc-tls.icvoip.net | UDP-TCP/5060, TLS/5061 | UDP-TCP/5075, TLS/5076 | UDP-TCP/5080, TLS/5081 | UDP-TCP/5090, TLS/5091 | UDP/40000-65000 |
| sbc-trunk.icvoip.net | UDP-TCP/5060, TLS/5061 | UDP-TCP/5090, TLS/5091 | | | UDP/40000-65000 |

Entries shown in red are reserved for future use.
| Host | Ports |
|---|---|
| ws1.icvoip.net | tcp/80, tcp/443, tcp/2209, tcp/8012 |
| ws2.icvoip.net | tcp/80, tcp/443, tcp/2209, tcp/8012 |
| adp5.wbx.icvoip.net | tcp/443 |
| adp6.wbx.icvoip.net | tcp/443 |
| cti1.wbx.icvoip.net | tcp/8012 |
| cti2.wbx.icvoip.net | tcp/8012 |
| Vendor | Host | Ports |
|---|---|---|
| Cloudoe | see the Platform table above | |
| Yealink | d.voice2000.com | tcp/443 |
| | voice2000.com | tcp/443 |
| | update.yealink.com | tcp/443 |
| | eu-device-scheduler.ymcs.yealink.com | tcp/443 |
| | eu-app-scheduler.ymcs.yealink.com | tcp/443 |
| | redirect.ymcs.yealink.com | tcp/443 |
| | eu-device.ymcs.yealink.com | tcp/443 |
| | eu-app.ymcs.yealink.com | tcp/443 |
| | eu-app-req.ymcs.yealink.com | tcp/443 |
| | eu-device-compat-req.ymcs.yealink.com | tcp/443 |
| | rps.yealink.com | tcp/443, tcp-udp/5061 |
| | rpscloud.yealink.com | tcp/443, tcp-udp/5061 |
| | 20.19.96.56 | tcp/443 |
| | 20.19.96.62 | tcp/443 |
| Gigaset | profile.gigaset.net | tcp/80, tcp/443 |
| | prov.gigaset.net | tcp/80, tcp/443 |
| Polycom | ztp.polycom.com | tcp/80, tcp/443 |
| Host | Ports |
|---|---|
| portal.unityclient.com | tcp/443 |
| im.unityclient.com | tcp/443 |
| cs.unityclient.com | tcp/443 |
| attach.unityclient.com | tcp/443 |
| uatt.ch | tcp/443 |
| 52.17.201.131 | tcp/443 |
| 99.80.25.98 | tcp/443 |
| 54.73.202.3 | tcp/443 |
Webex Services - Port Numbers and Protocols

| Destination Port | Protocol | Description | Devices using this rule |
|---|---|---|---|
| 443 | TLS | Webex HTTPS signaling. Session establishment to Webex services is based on defined URLs rather than IP addresses. If you are using a proxy server, or your firewall supports DNS resolution, refer to the section "Domains and URLs that need to be accessed for Webex Services" to allow signaling access to Webex services. | All |
| 444 | TLS | Video Mesh Node secure signaling to establish cascade media connections to the Webex cloud. | Video Mesh Node |
| 123 (1) | UDP | Network Time Protocol (NTP) | All |
| 53 (1) | UDP, TCP | Domain Name System (DNS). Used for DNS lookups to discover the IP addresses of services in the Webex cloud. Most DNS queries are made over UDP; however, DNS queries may use TCP as well. | All |
| 5004 and 9000 | SRTP over UDP | Encrypted audio, video, and content sharing on the Webex App and Webex Room devices. For a list of destination IP subnets refer to the section "IP subnets for Webex media services". | Webex App, Webex Room Devices, Video Mesh Nodes |
| 50000-53000 | SRTP over UDP | Encrypted audio, video, and content sharing; Video Mesh Node only. | Video Mesh Node |
| 5004 | SRTP over TCP | Used for encrypted content sharing on the Webex App and Webex Room devices. TCP also serves as a fallback transport protocol for encrypted audio and video if UDP cannot be used. For a list of destination IP subnets refer to the section "IP subnets for Webex media services". | Webex App, Webex Room Devices, Video Mesh Nodes |
| 443 (2) | SRTP over TLS | Used as a fallback transport protocol for encrypted audio, video and content sharing if UDP and TCP cannot be used. Media over TLS is not recommended in production environments. For a list of destination IP subnets refer to the section "IP subnets for Webex media services". | Webex App (2), Webex Room Devices (3) |
IP subnets for media services

20.50.235.0/24*
20.53.87.0/24*
20.57.87.0/24*
20.68.154.0/24*
20.76.127.0/24*
20.108.99.0/24*
20.120.238.0/23*
23.89.0.0/16
40.119.234.0/24*
44.234.52.192/26
52.232.210.0/24*
62.109.192.0/18
64.68.96.0/19
66.114.160.0/20
66.163.32.0/19
69.26.160.0/19
114.29.192.0/19
150.253.128.0/17
170.72.0.0/16
170.133.128.0/18
173.39.224.0/19
173.243.0.0/20
207.182.160.0/19
209.197.192.0/19
210.4.192.0/20
216.151.128.0/19
Cisco Webex Services URLs

| Domain / URL | Description | Webex Apps and devices using these domains / URLs |
|---|---|---|
| *.wbx2.com, *.ciscospark.com, *.webexapis.com | Webex micro-services, for example: messaging service, file management service, key management service, software upgrade service, profile picture service, whiteboarding service, proximity service, presence service, registration service, calendaring service, search service. | All |
| *.webex.com, *.cisco.com | Webex Meetings services; identity provisioning; identity storage; authentication; OAuth services; device onboarding; Cloud Connected UC. | All |
| *.webexcontent.com (1) | Webex messaging service: general file storage including user files, transcoded files, images, screenshots, whiteboard content, client and device logs, profile pictures, branding logos, log files, and bulk CSV export and import files (Control Hub). | All. Note: file storage using webexcontent.com replaced clouddrive.com in October 2019. Your organization may still be using clouddrive.com to store older files; for more information see (1). |
Additional Webex related services - Cisco owned domains

| URL | Description | Webex Apps and devices using these domains / URLs |
|---|---|---|
| *.accompany.com | People Insights integration | Webex Apps |
Additional Webex related services - Third party domains

| URL | Description | Webex Apps and devices using these domains / URLs |
|---|---|---|
| *.sparkpostmail1.com, *.sparkpostmail.com | E-mail service for newsletters, registration info, announcements. | All |
| *.giphy.com | Allows users to share GIF images. This feature is on by default but can be disabled in Control Hub. | Webex App |
| safebrowsing.googleapis.com | Used to perform safety checks on URLs before unfurling them in the message stream. This feature is on by default but can be disabled in Control Hub. | Webex App |
| *.walkme.com | Webex User Guidance client. Provides onboarding and usage tours for new users. For more info see https://support.walkme.com/knowledge-base/access-requirements-for-walkme/ | Webex web based apps |
| speech.googleapis.com | Google Speech Services. Used by Webex Assistant to handle speech recognition and text-to-speech. Disabled by default; opt-in via Control Hub. Assistant can also be disabled on a per-device basis. | Webex Room Kit and Webex Room devices. Details of Webex Room devices that support Webex Assistant are documented here: https://help.webex.com/hzd1aj/Enable-Cisco-Webex-Assistant |
| msftncsi.com/ncsi.txt, captive.apple.com/hotspot-detect.html | Third-party internet connectivity check to identify cases where there is a network connection but no connection to the Internet. The Webex app performs its own internet connectivity checks, but can also use these third-party URLs as a fallback. | Webex App |
| *.appdynamics.com, *.eum-appdynamics.com | Performance tracking, error and crash capture, session metrics (3). | Webex App, Webex Web App |
| *.amplitude.com | A/B testing and metrics (3). | Webex Web App, Webex Android App |
| *.vbrickrev.com | This domain is used by attendees viewing Webex Events webcasts. | Webex Events |
| *.slido.com, *.sli.do, *.data.logentries.com, slido-assets-production.s3.eu-west-1.amazonaws.com | Used for the Slido PPT add-in and to allow Slido web pages to create polls/quizzes pre-meeting; also used for exporting questions and answers, poll results, etc., from Slido. | All |
| *.quovadisglobal.com, *.digicert.com, *.godaddy.com, *.identrust.com, *.lencr.org | Used to request Certificate Revocation Lists from these Certificate Authorities. Note: Webex supports both CRL and OCSP stapling to determine the revocation status of certificates. With OCSP stapling, Webex apps and devices do not need to contact these Certificate Authorities. | All |
| *.intel.com | Used to request Certificate Revocation Lists and check the certificate status with Intel's OCSP service, for certificates sent with background images used by Webex apps and devices. | All |
| *.google.com, *.googleapis.com | Notifications to Webex apps on mobile devices (e.g. new message): Google Firebase Cloud Messaging (FCM) service, https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall; Apple Push Notification Service (APNS), https://support.apple.com/en-us/HT203609. Note: for APNS, Apple only lists the IP subnets for this service. | Webex App |
| cdnjs.cloudflare.com, cdn.jsdelivr.net, static2.sharepointonline.com, appsforoffice.microsoft.com | URLs for the Webex Scheduler for Microsoft Outlook. Microsoft Outlook users can use the Webex Scheduler to schedule Webex meetings or Webex Personal Room meetings directly from Microsoft Outlook, in any browser. | All |
Core Webex services being deprecated (2)

| URL | Description | Webex Apps and devices using these domains / URLs |
|---|---|---|
| *.clouddrive.com | Webex messaging file storage. File storage using webexcontent.com replaced clouddrive.com in October 2019. Your organization may still be using clouddrive.com to store older files; for more information see (1). | All |
| *.ciscosparkcontent.com | Log file uploads. The log file storage service now uses the *.webexcontent.com domain. | Webex App |
| *.rackcdn.com | Content Delivery Network (CDN) for the *.clouddrive.com domain. | All |
(1) From October 2019, user files will be uploaded and stored in the Cisco managed webexcontent.com domain.