For your SpliceCom SV1000 to connect to your VoIP provider(s), and for your remote users to register to it, you need to open some ports in your firewall and point them to the SpliceCom SV1000 controller. We strongly recommend the ports are restricted to your VoIP provider's IP address(es) or restricted to UK IP addresses and countries from which your staff work.
We at CTi can configure your Draytek router / firewall for you. For other manufacturers' routers/firewalls, please ask an expert in that product.
Notes to help with Fortigate Firewalls
If you are unable to get the changes made to your existing firewall then you will need a separate internet connection for your VoIP service with a router that CTi Communications Ltd will manage for you.
Establish the IP address(es) used by your VoIP provider.
For Andrews and Arnold, they are listed here - https://support.aa.net.uk/VoIP_Firewall
For The Phone Coop, the IP address is 217.10.154.189
For VoiceFlex, the IP range is 93.95.124.0/24
For Telappliant, SIP is 185.158.58.194 and RTP is 77.240.61.160/27 and 77.240.56.32/27
Set an Open Ports rule and point it to the SpliceCom SV1000 controller. These ports should be set to only accept traffic from the exchanges.
If you have more than one Internet connection, you need to set a rule so any traffic to the exchanges goes out via one and will fail over to the other. It is only traffic to the exchange from any source that needs the rule.
Be careful setting these rules, as there are problems if the rules are too restrictive.
To function fully and receive updates, the phone system and phones need access to various services on the Internet. These are accessed via HTTP, HTTPS, SMTP and TIME requests; outgoing requests from your SV1000 system and telephones on these ports must NOT be blocked. The list that the SpliceCom SV1000 and Yealink phones access includes:
max.splicecom.com
validate.splicecom.com
eu-device-scheduler.ymcs.yealink.comfile
download.opensuse.org
cn.pool.ntp.org
DO NOT lock the SpliceCom SV1000 controller to just use one of your Internet connections. When that connection fails, CTi may need to remotely access the SpliceCom SV1000 controller to tell it that it now has a different Public IP address, but with restrictive routing that may not be possible.
When a VoIP call is forwarded by the phone system, it just bounces the information back to the exchange. Your firewall sees a call coming in from and going out to the same place. If your firewall only has the exchange set as a source and the SpliceCom SV1000 controller as destination, the call will connect but there will be no audio on forwarded calls.
Make sure SIP ALG is turned off. This is meant to help but only gets in the way.
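The checks in the notes above can be run against a list of your provider-facing rules. This is an added example, not CTi's or SpliceCom's code: the rule format (`name`/`src`/`dst`), the `audit` function and the 192.0.2.10 controller address are assumptions for illustration, and only the VoiceFlex and Telappliant addresses are taken from this page.

```python
import ipaddress

# Provider addresses quoted on this page (VoiceFlex and Telappliant).
PROVIDERS = [ipaddress.ip_network(n) for n in (
    "93.95.124.0/24", "185.158.58.194/32",
    "77.240.61.160/27", "77.240.56.32/27")]

def provider_for(cidr):
    """Return the provider range that wholly contains cidr, else None."""
    if cidr == "any":
        return None
    net = ipaddress.ip_network(cidr)
    return next((p for p in PROVIDERS if net.subnet_of(p)), None)

def audit(rules, pbx_ip, sip_alg_enabled):
    """Check hypothetical trunk rules ({'name','src','dst'}) against the notes above."""
    findings = []
    if sip_alg_enabled:
        findings.append("SIP ALG is enabled; turn it off")
    sources, destinations = set(), set()
    for r in rules:
        if r["dst"] == pbx_ip:
            p = provider_for(r["src"])
            if p is None:
                findings.append(f"{r['name']}: source {r['src']} is not limited to a provider range")
            else:
                sources.add(p)
        else:
            p = provider_for(r["dst"])
            if p is not None:
                destinations.add(p)
    # An exchange that appears only as a source: forwarded calls connect without audio.
    for p in sorted(sources - destinations):
        findings.append(f"{p}: no rule with the exchange as destination; forwarded calls will have no audio")
    return findings

# Constructed sample rule set; 192.0.2.10 stands in for the SV1000 controller.
SAMPLE = [
    {"name": "voiceflex-in", "src": "93.95.124.0/24", "dst": "192.0.2.10"},
    {"name": "voiceflex-out", "src": "any", "dst": "93.95.124.0/24"},
    {"name": "telappliant-sip-in", "src": "185.158.58.194/32", "dst": "192.0.2.10"},
    {"name": "sip-open", "src": "any", "dst": "192.0.2.10"},
]

if __name__ == "__main__":
    for line in audit(SAMPLE, "192.0.2.10", sip_alg_enabled=True):
        print(line)
```

The audit covers only the rules facing your VoIP provider; the remote-user ports described below are restricted by country rather than by provider range and would be reported as too wide if included.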
For your remote staff to use the iPCS app or a softphone connected to your SpliceCom SV1000, port 5000 needs to be open and pointing to the SpliceCom Gateway controller for your SpliceCom SV1000 system. We strongly recommend this port is restricted to UK IP addresses and countries from which your staff work.
Where a user's Internet connection is poor, they might have poor quality audio. If this is the case, the SpliceCom can operate using SRTP, but that requires a STUN server to be configured in the settings. If you're unable to use a publicly available STUN server, port 3478 will need to be opened and we recommend restricting it to UK IP addresses and countries from which your staff work.
If you would like to have people working remotely with a Yealink phone on their desk without a site-to-site VPN then there are a number of ports that need opening, restricted to UK IP addresses and countries from which your staff work and pointed to the SpliceCom SV1000 controller.
Service | Port | Protocol |
Config Upload | 80 | TCP |
HTTPS | 443 | TCP |
Secure LDAP | 4100 | TCP/UDP |
Secure Centralised Partner | 4018 | TCP/UDP |
Secure SIP | 5061 | TCP/UDP |
Secure RTP | 6900 to 10899 | TCP/UDP - these ports should now be removed from the Splice Exchanges list, see SIP / RTP tab |
Port 3478 TCP/UDP should be added if you can't use a public STUN server
For support we access the system via HTTPS on port 443 and SSH on port 22. This can be via NAT; either way, these should be locked down to our IP addresses:
giga.cticom.ms 83.151.207.90
aa.cticom.ms 81.187.212.167
helpdesk.cticom.ms 212.159.114.156
Do not lock https if you have remote Yealink phones.
When you have more than one Internet connection and have set an "All Traffic" rule, this can result in the Music-on-hold being streamed out to the Internet so it needs to be blocked with a Firewall rule: