Learn how to configure firewalls for Connect it

Firewall Configuration

To allow you and your customer to lock down site firewalls, here we document the active ports and their services used by Connect it.  For firewall configurations that allow any outbound traffic, and its returning inbound traffic, you should not need to specify any particular rules in order to use Connect it's platform.


However, please take note of the Application Layer Gateway and UDP Flooding sections below, if you experience any of the following:


  • Unable to REGISTER
  • Unable to Transfer calls
  • Unable to Conference calls
  • Unable to perform a Call Pickup
  • No, or one-way, audio (in either direction) on PSTN or local calls (ie within your LAN)
  • Audio stopping after a given period of time (eg 5 minutes) but the call stays 'up'


 TCP/UDP/Both

 Port

 IP Address

 Description

 Both

 5060

 91.240.178.14

 SIP to the SBC external access interface

 Both

 6050

 91.240.178.14

 Alternate port for SIP to the SBC external access interface
 UDP   11780-11800  91.240.178.14  Yealink RTP OUT (customer -> cit)

 UDP

 16384 - 16482

 91.240.178.14

 Cisco RTP OUT (customer -> cit)

 UDP

 2222 - 2269

 91.240.178.14

 Polycom RTP OUT (customer -> cit)

 UDP

10000 - 20000

 91.240.178.14

 Anywhere RTP OUT (customer -> cit)
 UDP  49152 - 65535
  91.240.178.14  RTP IN (cit - customer)
 TCP  80  91.240.178.140  Polycom Device Management
 (BootROM only)
 TCP
  80  91.240.178.145
 TCP  80

 91.240.178.197
 TCP
  80  91.240.178.198
 TCP  80  91.240.178.202
 TCP  443  91.240.178.140  Polycom/Yealink Device Management
 TCP  443  91.240.178.145
 TCP  443  91.240.178.197
 TCP  443  91.240.178.198
 TCP  443  91.240.178.202
 TCP  443  91.240.178.142  Cisco Device Management
 TCP  443  91.240.178.147
 TCP  443  91.240.178.199
 TCP  443  91.240.178.204
 TCP  2208  91.240.178.141  Broadworks Client API (eg Broadworks Toolbar, Mondago Go Integrator)
 TCP  2208  91.240.178.146
 TCP  2208  91.240.178.198
 TCP  2208  91.240.178.203

 TCP

 443

 217.172.140.162

 Loki Provisioning

 (if you have your own Loki instance, please check your allocated IP Addresses)

 TCP

 443

 217.172.140.163

 Loki User Portal

 (if you have your own Loki instance, please check your allocated IP Addresses)
 TCP  443  91.240.110.141  Broadworks Web Portal, Receptionist and Call Center clients
 TCP  443  91.240.178.146
 TCP  443  91.240.178.197
 TCP  443  91.240.178.198
 TCP  443  91.240.178.203


Application Layer Gateway


Application Layer Gateway's (ALG's), or sometimes called 'SIP Helpers', are software services which are installed and enabled by default on most SOHO grade Routers.  It is designed to aid VoIP to traverse NAT Gateways (ie a Router performing Public IP to Private IP translation) to allow IP Phones sitting behind the gateway to receive calls without opening specific firewall holes.


However, we are able to perform this service (and in a more efficient manner) with our carrier-class Session Border Controller (SBC), which supports all types of NAT Traversal.  Even when one user calls another user behind the same NAT gateway, our SBC will instruct the two endpoints to send RTP to each other over the local LAN, thus avoiding "tromboning" the media up the WAN link to us, and then back down the WAN link.

It is therefore vital to disable any ALG services running on your Router, as they conflict with our SBC (which cannot be bypassed) as they both try to do the same job.


Disabling an ALG


Please see the article Defeating ALG's for information on how to identify and disable ALG's.  It also includes some techniques which can sometimes work around a persistent ALG.


UDP Flooding


RTP audio streams send 40 UDP packets per second, in each direction.  On some Routers, this traffic can be interpreted as a UDP Flood whereby the Firewall application on the Router believes it is under attack, and automatically blocks the traffic from entering the network.  Typically, this occurs after a period of time (eg 5 minutes in the conversation) rather than from the start.  So if your audio appears to stop, particularly inbound to your network, after a predicable period of time, it is most likely due to the Firewall's UDP Flood controls.


Disabling UDP Flood controls


To resolve this issue, consult your device's technical manual and look for "UDP flood". We recommend one of the following actions:


  • Adjust the Flood Control to be greater than (number of simultaneous calls * 41), or
  • Disable UDP Flood controls

    • Related Articles

    • Defeating ALG's

      What is an ALG? ALG's, or Application Layer Gateway's (also sometimes called SIP Helpers), are software components embedded within most routers and firewall's designed for the SOHO or SME market.  Their intention is to allow VoIP traffic to traverse ...

    • SIP ALG: What Is It & Why VoIP Users Should Disable It

      So, you set up your VoIP phone system, but you're experiencing dropped calls, no incoming calls, or your phone keeps ringing after you pick up. The good news is that you will be able to instantly resolve your Voice over IP issues once you disable SIP ...

    • Factory reset a Polycom VVX handset

      Factory reset on Polycom VVX You might be required to perform a factory reset on your Polycom VVX phone. This is sometimes necessary to return the phone to its default factory settings, which then allows it to pull down the correct configuration from ...

    • FORCED FACTORY RESET FOR POLYCOM PHONES

      We would like to bring to your attention an essential maintenance procedure regarding our Polycom handsets. To eliminate all prior programming and ensure optimal performance, it is crucial that a Factory Reset be performed on all Polycom handsets. ...

    • Accessing hunt group voicemail

      In order to log in to a hunt group vmail you can either call the main voice portal number, enter the extension of the hunt group you will then be asked for the vmail pin for the hunt group vmail. You can also log into the hunt group vmail by pressing ...