Where possible, use a firewall that can detect port scans and then ignores them. For VoIP, phones do not need access to everything on the internet.
In the most favourable situation, a separate VLAN or network is set up for VoIP. The data network has a port on the router to which the switches of the data network are connected. The VoIP network has its own port on the firewall with a different subnet. That subnet in fact only needs access to one or two DNS servers of your choice and one or two NTP servers of your choice. To work properly, phones and applications need access to the network destinations below. Normally, no inbound traffic needs to be opened.
Host | SIP | SIP Alternative | SIP Alt 2 | SIP Alt 3 | (s)RTP |
sbc.icvoip.net | UDP-TCP/5060 TLS/5061 | UDP-TCP/5080 TLS/5081 | | | UDP/40000-65000 |
sbc-bria.icvoip.net | UDP-TCP/5060 TLS/5061 | UDP-TCP/5075 TLS/5076 | | | UDP/40000-65000 |
osbc-tls.icvoip.net | UDP-TCP/5060 TLS/5061 | UDP-TCP/5075 TLS/5076 | UDP-TCP/5080 TLS/5081 | UDP-TCP/5090 TLS/5091 | UDP/40000-65000 |
sbc-trunk.icvoip.net | UDP-TCP/5060 TLS/5061 | UDP-TCP/5090 TLS/5091 | | | UDP/40000-65000 |
Red is reserved for future use.
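As an added example (not part of the original page or the provider's tooling), the Python below parses the port notation used in the table above and renders nftables accept rules for a default-deny VoIP subnet. The use of nftables and the named address set `sbc_hosts` are assumptions; "TLS" is treated as TCP because that is what a packet filter sees.

```python
import re

# Cell notation from the tables: "<PROTO>[-<PROTO>]/<port>[-<port>]".
# "TLS" is SIP over TLS, which a packet filter sees as TCP.
L4_PROTO = {"udp": "udp", "tcp": "tcp", "tls": "tcp"}
TOKEN = re.compile(r"^([A-Za-z]+(?:-[A-Za-z]+)*)/(\d+)(?:-(\d+))?$")


def parse_cell(cell):
    """Return sorted (l4_proto, first_port, last_port) tuples for one cell."""
    flows = set()
    for token in cell.split():
        match = TOKEN.match(token)
        if match is None:
            raise ValueError(f"unrecognised port token: {token!r}")
        first = int(match.group(2))
        last = int(match.group(3) or first)
        if not 0 < first <= last <= 65535:
            raise ValueError(f"invalid port range: {token!r}")
        for name in match.group(1).lower().split("-"):
            if name not in L4_PROTO:
                raise ValueError(f"unknown protocol: {token!r}")
            flows.add((L4_PROTO[name], first, last))
    return sorted(flows)


def egress_rules(set_name, cells):
    """Render one nftables accept rule per L4 protocol for a named address set."""
    ports = {}
    for cell in cells:
        for proto, first, last in parse_cell(cell):
            ports.setdefault(proto, set()).add((first, last))
    rules = []
    for proto in sorted(ports):
        spec = ", ".join(
            str(a) if a == b else f"{a}-{b}" for a, b in sorted(ports[proto])
        )
        rules.append(f"ip daddr @{set_name} {proto} dport {{ {spec} }} accept")
    return rules


if __name__ == "__main__":
    # Cells of the sbc.icvoip.net row; "sbc_hosts" is a hypothetical named set
    # that the administrator fills with the addresses the host resolves to.
    row = ["UDP-TCP/5060 TLS/5061", "UDP-TCP/5080 TLS/5081", "UDP/40000-65000"]
    for rule in egress_rules("sbc_hosts", row):
        print(rule)
```

The generated rules belong in a forward chain whose default policy is drop, next to the DNS and NTP exceptions described in the text.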
ws1.icvoip.net | tcp/80 | tcp/443 | tcp/2209 | tcp/8012 |
ws2.icvoip.net | tcp/80 | tcp/443 | tcp/2209 | tcp/8012 |
adp5.wbx.icvoip.net | tcp/443 |
adp6.wbx.icvoip.net | tcp/443 |
cti1.wbx.icvoip.net | tcp/8012 |
cti2.wbx.icvoip.net | tcp/8012 |
Cloudoe:
See the Platform table.
Yealink:
d.voice2000.com | tcp/443 |
voice2000.com | tcp/443 |
update.yealink.com | tcp/443 |
eu-device-scheduler.ymcs.yealink.com | tcp/443 |
eu-app-scheduler.ymcs.yealink.com | tcp/443 |
redirect.ymcs.yealink.com | tcp/443 |
eu-device.ymcs.yealink.com | tcp/443 |
eu-app.ymcs.yealink.com | tcp/443 |
eu-app-req.ymcs.yealink.com | tcp/443 |
eu-device-compat-req.ymcs.yealink.com | tcp/443 |
rps.yealink.com | tcp/443 | tcp-udp/5061 |
rpscloud.yealink.com | tcp/443 | tcp-udp/5061 |
20.19.96.56 | tcp/443 |
20.19.96.62 | tcp/443 |
Gigaset:
profile.gigaset.net | tcp/80 | tcp/443 |
prov.gigaset.net | tcp/80 | tcp/443 |
Polycom:
ztp.polycom.com | tcp/80 | tcp/443 |
portal.unityclient.com | tcp/443 |
im.unityclient.com | tcp/443 |
cs.unityclient.com | tcp/443 |
attach.unityclient.com | tcp/443 |
uatt.ch | tcp/443 |
52.17.201.131 | tcp/443 |
99.80.25.98 | tcp/443 |
54.73.202.3 | tcp/443 |
Webex Services - Port Numbers and Protocols
Destination Port | Protocol | Description | Devices using this rule |
443 | TLS | Webex HTTPS signaling. Session establishment to Webex services is based on defined URLs, rather than IP addresses. If you are using a proxy server, or your firewall supports DNS resolution, refer to the section "Domains and URLs that need to be accessed for Webex Services" to allow signaling access to Webex services. | All |
444 | TLS | Video Mesh Node secure signaling to establish cascade media connections to the Webex cloud. | Video Mesh Node |
123 (1) | UDP | Network Time Protocol (NTP) | All |
53 (1) | UDP, TCP | Domain Name System (DNS). Used for DNS lookups to discover the IP addresses of services in the Webex cloud. Most DNS queries are made over UDP; however, DNS queries may use TCP as well. | All |
5004 and 9000 | SRTP over UDP | Encrypted audio, video, and content sharing on the Webex App and Webex Room devices. For a list of destination IP subnets refer to the section "IP subnets for Webex media services". | Webex App, Webex Room Devices, Video Mesh Nodes |
50,000 – 53,000 | SRTP over UDP | Encrypted audio, video, and content sharing – Video Mesh Node only | Video Mesh Node |
5004 | SRTP over TCP | Used for encrypted content sharing on the Webex App and Webex Room devices. TCP also serves as a fallback transport protocol for encrypted audio and video if UDP cannot be used. For a list of destination IP subnets refer to the section "IP subnets for Webex media services". | Webex App, Webex Room Devices, Video Mesh Nodes |
443 (2) | SRTP over TLS | Used as a fallback transport protocol for encrypted audio, video and content sharing if UDP and TCP cannot be used. Media over TLS is not recommended in production environments. For a list of destination IP subnets refer to the section "IP subnets for Webex media services". | Webex App (2), Webex Room Devices (3) |
IP subnets for media services
20.50.235.0/24* | 66.114.160.0/20 |
20.53.87.0/24* | 66.163.32.0/19 |
20.57.87.0/24* | 69.26.160.0/19 |
20.68.154.0/24* | 114.29.192.0/19 |
20.76.127.0/24* | 150.253.128.0/17 |
20.108.99.0/24* | 170.72.0.0/16 |
20.120.238.0/23* | 170.133.128.0/18 |
23.89.0.0/16 | 173.39.224.0/19 |
40.119.234.0/24* | 173.243.0.0/20 |
44.234.52.192/26 | 207.182.160.0/19 |
52.232.210.0/24* | 209.197.192.0/19 |
62.109.192.0/18 | 210.4.192.0/20 |
64.68.96.0/19 | 216.151.128.0/19 |
Cisco Webex Services URLs
Domain / URL | Description | Webex Apps and devices using these domains / URLs |
*.wbx2.com *.ciscospark.com *.webexapis.com | Webex micro-services. For example: Messaging service, File management service, Key management service, Software upgrade service, Profile picture service, Whiteboarding service, Proximity service, Presence service, Registration service, Calendaring service, Search service | All |
*.webex.com *.cisco.com | Webex Meetings services, Identity provisioning, Identity storage, Authentication, OAuth services, Device onboarding, Cloud Connected UC | All |
*.webexcontent.com (1) | Webex messaging service - general file storage including: User files, Transcoded files, Images, Screenshots, Whiteboard content, Client & device logs, Profile pictures, Branding logos, Log files, Bulk CSV export files & import files (Control Hub) | All. Note: File storage using webexcontent.com replaced clouddrive.com in October 2019. Your organization may still be using clouddrive.com to store older files – for more information see (1) |
Additional Webex related services - Cisco Owned domains
URL | Description | Webex Apps and devices using these domains / URLs |
*.accompany.com | People Insights Integration | Webex Apps |
Additional Webex related services – Third Party domains
URL | Description | Webex Apps and devices using these domains / URLs |
*.sparkpostmail1.com *.sparkpostmail.com | e-mail service for newsletters, registration info, announcements | All |
*.giphy.com | Allows users to share GIF images. This feature is on by default but can be disabled in Control Hub | Webex App |
safebrowsing.googleapis.com | Used to perform safety-checks on URLs before unfurling them in the message stream. This feature is on by default, but can be disabled in Control Hub | Webex App |
*.walkme.com | Webex User Guidance client. Provides onboarding and usage tours for new users. For more info see https://support.walkme.com/knowledge-base/access-requirements-for-walkme/ | Webex web based apps |
speech.googleapis.com | Google Speech Services. Used by Webex Assistant to handle speech recognition and text-to-speech. Disabled by default, is opt-in via Control Hub. Assistant can also be disabled on a per-device basis. | Webex Room Kit and Webex Room devices. Details of Webex Room devices that support Webex Assistant are documented here: https://help.webex.com/hzd1aj/Enable-Cisco-Webex-Assistant |
msftncsi.com/ncsi.txt captive.apple.com/hotspot-detect.html | Third-party internet connectivity check to identify cases where there is a network connection, but no connection to the Internet. The Webex app performs its own internet connectivity checks, but can also use these 3rd party URLs as a fallback. | Webex App |
*.appdynamics.com *.eum-appdynamics.com | Performance tracking, error and crash capture, session metrics (3) | Webex App Webex Web App |
*.amplitude.com | A/B testing & metrics (3) | Webex Web App Webex Android App |
*.vbrickrev.com | This domain is used by attendees viewing Webex Events Webcasts | Webex Events |
*.slido.com *.sli.do *.data.logentries.com slido-assets-production.s3.eu-west-1.amazonaws.com | Used for Slido PPT add-in and to allow Slido webpages to create polls/quizzes in pre-meeting. Used for exporting questions and answers, poll results, etc., from Slido | All |
*.quovadisglobal.com *.digicert.com *.godaddy.com *.identrust.com *.lencr.org | Used to request Certificate Revocation Lists from these Certificate Authorities. Note - Webex supports both CRL and OCSP stapling to determine the revocation status of certificates. With OCSP stapling, Webex apps and devices do not need to contact these Certificate Authorities | All |
*.intel.com | Used to request Certificate Revocation Lists and check the certificate status with Intel’s OCSP service, for certificates sent with background images used by Webex apps and devices | All |
*.google.com *.googleapis.com | Notifications to Webex apps on mobile devices (e.g. new message). Google Firebase Cloud Messaging (FCM) service: https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall Apple Push Notification Service (APNS): https://support.apple.com/en-us/HT203609 Note - For APNS, Apple only lists the IP subnets for this service | Webex App |
cdnjs.cloudflare.com cdn.jsdelivr.net static2.sharepointonline.com appsforoffice.microsoft.com | URLs for Webex Scheduler for Microsoft Outlook. Microsoft Outlook users can use the Webex Scheduler to schedule Webex meetings or Webex Personal Room meetings directly from Microsoft Outlook, in any browser. | All |
Core Webex services being deprecated (2)
URL | Description | Webex Apps and devices using these domains / URLs |
*.clouddrive.com | Webex messaging file storage. File storage using webexcontent.com replaced clouddrive.com in Oct 2019. Your organization may still be using clouddrive.com to store older files – for more information see (1) | All |
*.ciscosparkcontent.com | Log file uploads. The log file storage service now uses the *.webexcontent.com domain | Webex App |
*.rackcdn.com | Content Delivery Network (CDN) for the *.clouddrive.com domain | All |
(1) From October 2019, user files will be uploaded and stored in the Cisco managed webexcontent.com domain.