Firewall Settings for SV1000

For your SpliceCom SV1000 to connect to your VoIP provider(s), and for your remote users to register to it, you need to open some ports in your firewall and point them to the SpliceCom SV1000 controller. We strongly recommend the ports are restricted to your VoIP provider's IP address(es) or restricted to UK IP addresses and countries from which your staff work.

We at CTi can configure your Draytek router / firewall for you. For other manufacturers' routers / firewalls, please ask an expert in that product.

Notes to help with Fortigate Firewalls

If you are unable to get the changes made to your existing firewall then you will need a separate internet connection for your VoIP service with a router that CTi Communications Ltd will manage for you.

SIP / RTP

  1. Establish the IP address(es) used by your VoIP provider.
    For Andrews and Arnold, they are listed here - https://support.aa.net.uk/VoIP_Firewall
    For The Phone Coop, the IP address is 217.10.154.189

  2. Set an Open Ports rule and point it to the SpliceCom SV1000 controller. These ports should be set to only accept traffic from the exchanges.

  3. If you have more than one Internet connection, you need to set a rule so that any traffic to the exchanges goes out via one connection and fails over to the other. Only traffic to the exchange, from any source, needs the rule.

Draytek open port configuration for VoIP exchanges

Be careful setting these rules, as there are problems if the rules are too restrictive.

To function fully and receive updates, the phone system and phones need access to various services on the Internet. These are accessed via HTTP, HTTPS, SMTP and TIME requests; outgoing requests from your SV1000 system and telephones on these ports must NOT be blocked. The list that the SpliceCom SV1000 and Yealink phones access includes:

  • max.splicecom.com

  • validate.splicecom.com

  • dmtcp.yealink.com

  • download.opensuse.org

  • cn.pool.ntp.org

DO NOT lock the SpliceCom SV1000 controller to just one of your Internet connections: when that connection fails, CTi may need to remotely access the SpliceCom SV1000 controller to tell it that it now has a different public IP address, and with restrictive routing that may not be possible.

When a VoIP call is forwarded by the phone system, it just bounces the information back to the exchange. Your firewall sees a call coming in from and going out to the same place. If your firewall only has the exchange set as a source and the SpliceCom SV1000 controller as destination, the call will connect but there will be no audio on forwarded calls.

Make sure SIP ALG is turned off; this is meant to help but only gets in the way.

iPCS / Softphone

For your remote staff to use the iPCS app or a softphone connected to your SpliceCom SV1000, port 5000 needs to be open and pointing to the SpliceCom Gateway controller for your SpliceCom SV1000 system. We strongly recommend restricting this port to UK IP addresses and countries from which your staff work.

Ports required for the iPCS and Softphone

Where a user's Internet connection is poor, they might have poor quality audio. If this is the case, the SpliceCom can operate using SRTP, but that requires a STUN server to be configured in the settings. If you're unable to use a publicly available STUN server, port 3478 will need to be opened, and we recommend restricting it to UK IP addresses and countries from which your staff work.

Ports required for iPCS and Softphone to use SRTP

 

Remote Yealink Phones

If you would like to have people working remotely with a Yealink phone on their desk without a site-to-site VPN, then there are a number of ports that need opening, restricted to UK IP addresses and countries from which your staff work and pointed to the SpliceCom SV1000 controller.

Service                       Port             Protocol
Config Upload                 80               TCP
HTTPS                         443              TCP
Secure LDAP                   4100             TCP/UDP
Secure Centralised Partner    4018             TCP/UDP
Secure SIP                    5061             TCP/UDP
Secure RTP                    6900 to 10899    TCP/UDP - these ports should now be removed from the Splice Exchanges list, see SIP / RTP tab
Ports required for remote Yealink phones

Port 3478 TCP/UDP should be added if you can't use a public STUN server.

Add STUN port if you can't use a public STUN server

 

CTi Remote Support

For support we access the system via HTTPS on port 443 and SSH on port 22. This can be via NAT; either way, these should be locked down to our IP addresses:

  • giga.cticom.ms 83.151.207.90

  • aa.cticom.ms 81.187.212.167

Do not lock HTTPS if you have remote Yealink phones.

Ports for CTi Remote Support
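
A way to check an exported list of inbound port-forward rules against the guidance above, as an added example that is not CTi's or SpliceCom's own tooling. The rule format, the `audit` function and the sample rules are assumptions made for illustration; the two CTi support addresses and the port numbers are the ones listed on this page.

```python
import ipaddress

# CTi support addresses as listed on this page.
CTI_SUPPORT = [ipaddress.ip_network("83.151.207.90/32"),
               ipaddress.ip_network("81.187.212.167/32")]
ANY = ipaddress.ip_network("0.0.0.0/0")

def audit(rules, remote_yealink=False):
    """Return (port, finding) tuples for inbound forwards to the SV1000.

    Each rule is a hypothetical dict: {"port": int, "sources": [CIDR, ...]}.
    An empty source list is treated as "any", as most firewalls do.
    """
    findings = []
    for rule in rules:
        port = rule["port"]
        nets = [ipaddress.ip_network(s) for s in rule["sources"]]
        if not nets or ANY in nets:
            findings.append((port, "open to any source"))
            continue
        # True only when every source sits inside a CTi support address.
        cti_only = all(any(n.subnet_of(c) for c in CTI_SUPPORT) for n in nets)
        if port == 22 and not cti_only:
            findings.append((port, "SSH reachable from non-CTi addresses"))
        if port == 443:
            if remote_yealink and cti_only:
                # The page says not to lock HTTPS when remote phones are used.
                findings.append((port, "HTTPS locked to CTi, remote Yealink phones blocked"))
            elif not remote_yealink and not cti_only:
                findings.append((port, "HTTPS reachable from non-CTi addresses"))
    return findings

# Constructed sample rules (198.51.100.0/24 is a documentation range
# standing in for a staff address block).
SAMPLE_RULES = [
    {"port": 22, "sources": ["83.151.207.90/32", "81.187.212.167/32"]},
    {"port": 443, "sources": ["83.151.207.90/32"]},
    {"port": 5000, "sources": ["0.0.0.0/0"]},
    {"port": 5061, "sources": ["198.51.100.0/24"]},
]

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_RULES, remote_yealink=True):
        print(f"port {port}: {finding}")
```

Run it once with `remote_yealink=False` and once with `True`: the same HTTPS rule that is correct for a site without remote phones becomes a finding once remote Yealink phones are in use.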

 

Other

When you have more than one Internet connection and have set an "All Traffic" rule, this can result in the Music-on-hold being streamed out to the Internet so it needs to be blocked with a Firewall rule:

Block MOH being streamed to the Internet

 


Website ©CTi Communications 2024