Learn how to configure firewalls for Connect it

Firewall Configuration

To allow you and your customer to lock down site firewalls, this page documents the active ports and services used by Connect it.  If your firewall allows any outbound traffic, and its returning inbound traffic, you should not need to specify any particular rules in order to use Connect it's platform.


However, please take note of the Application Layer Gateway and UDP Flooding sections below, if you experience any of the following:


  • Unable to REGISTER
  • Unable to Transfer calls
  • Unable to Conference calls
  • Unable to perform a Call Pickup
  • No, or one-way, audio (in either direction) on PSTN or local calls (ie within your LAN)
  • Audio stopping after a given period of time (eg 5 minutes) but the call stays 'up'


 TCP/UDP/Both  Port         IP Address       Description

 Both          5060         91.240.178.14    SIP to the SBC external access interface
 Both          6050         91.240.178.14    Alternate port for SIP to the SBC external access interface
 UDP           11780-11800  91.240.178.14    Yealink RTP OUT (customer -> cit)
 UDP           16384-16482  91.240.178.14    Cisco RTP OUT (customer -> cit)
 UDP           2222-2269    91.240.178.14    Polycom RTP OUT (customer -> cit)
 UDP           10000-20000  91.240.178.14    Anywhere RTP OUT (customer -> cit)
 UDP           49152-65535  91.240.178.14    RTP IN (cit -> customer)
 TCP           80           91.240.178.140   Polycom Device Management (BootROM only)
 TCP           80           91.240.178.145
 TCP           80           91.240.178.197
 TCP           80           91.240.178.198
 TCP           80           91.240.178.202
 TCP           443          91.240.178.140   Polycom/Yealink Device Management
 TCP           443          91.240.178.145
 TCP           443          91.240.178.197
 TCP           443          91.240.178.198
 TCP           443          91.240.178.202
 TCP           443          91.240.178.142   Cisco Device Management
 TCP           443          91.240.178.147
 TCP           443          91.240.178.199
 TCP           443          91.240.178.204
 TCP           2208         91.240.178.141   Broadworks Client API (eg Broadworks Toolbar, Mondago Go Integrator)
 TCP           2208         91.240.178.146
 TCP           2208         91.240.178.198
 TCP           2208         91.240.178.203
 TCP           443          217.172.140.162  Loki Provisioning (if you have your own Loki instance, please check your allocated IP Addresses)
 TCP           443          217.172.140.163  Loki User Portal (if you have your own Loki instance, please check your allocated IP Addresses)
 TCP           443          91.240.110.141   Broadworks Web Portal, Receptionist and Call Center clients
 TCP           443          91.240.178.146
 TCP           443          91.240.178.197
 TCP           443          91.240.178.198
 TCP           443          91.240.178.203


Application Layer Gateway


Application Layer Gateways (ALGs), sometimes called 'SIP Helpers', are software services which are installed and enabled by default on most SOHO grade routers.  They are designed to help VoIP traverse NAT gateways (ie a router performing public IP to private IP translation), so that IP phones sitting behind the gateway can receive calls without opening specific firewall holes.


However, we are able to perform this service (and in a more efficient manner) with our carrier-class Session Border Controller (SBC), which supports all types of NAT Traversal.  Even when one user calls another user behind the same NAT gateway, our SBC will instruct the two endpoints to send RTP to each other over the local LAN, thus avoiding "tromboning" the media up the WAN link to us, and then back down the WAN link.

It is therefore vital to disable any ALG services running on your router: they conflict with our SBC (which cannot be bypassed) because both try to do the same job.


Disabling an ALG


Please see the article Defeating ALG's for information on how to identify and disable ALGs.  It also includes some techniques which can sometimes work around a persistent ALG.


UDP Flooding


RTP audio streams send 40 UDP packets per second, in each direction.  On some routers, this traffic can be interpreted as a UDP flood: the router's firewall believes it is under attack and automatically blocks the traffic from entering the network.  Typically, this occurs after a period of time (eg 5 minutes into the conversation) rather than from the start.  So if your audio appears to stop, particularly inbound to your network, after a predictable period of time, it is most likely due to the firewall's UDP flood controls.


Disabling UDP Flood controls


To resolve this issue, consult your device's technical manual and look for "UDP flood". We recommend one of the following actions:


  • Adjust the Flood Control to be greater than (number of simultaneous calls * 41), or
  • Disable UDP Flood controls
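
As an added example (not Connect it's own configuration), the SIP, RTP and device management rows of the table and the flood-control sizing rule above could be expressed as the following nftables ruleset on a Linux router. The phone subnet 10.20.0.0/24, the table and chain names, and the sizing for 10 simultaneous calls are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not Connect it's configuration.
# Assumed values: phone subnet, table/chain names, 10 simultaneous calls.

define PHONES = 10.20.0.0/24       # hypothetical voice VLAN
define SBC = 91.240.178.14         # SBC external access interface (from the table)
# Device management addresses, grouped as in the table.
define DM_POLY_YEALINK = { 91.240.178.140, 91.240.178.145, 91.240.178.197, 91.240.178.198, 91.240.178.202 }
define DM_CISCO = { 91.240.178.142, 91.240.178.147, 91.240.178.199, 91.240.178.204 }

table inet voice {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Flood control sized as the page recommends: the threshold must be
        # greater than simultaneous calls * 41. Assumed 10 calls -> 410,
        # so packets are only dropped above 500 per second.
        ip saddr $SBC meta l4proto udp limit rate over 500/second drop

        # Returning inbound traffic for flows the phones opened.
        ct state established,related accept

        # New flows from the voice VLAN must match the allow-list below.
        ip saddr $PHONES jump phones_out
    }

    chain phones_out {
        # SIP on 5060 and the alternate 6050, TCP and UDP ("Both" in the table).
        ip daddr $SBC meta l4proto { tcp, udp } th dport { 5060, 6050 } accept

        # RTP OUT. The table lists a port range per handset vendor but does
        # not say whether it is a source or destination range, so only the
        # peer address is pinned. Kept as its own rule so it can be tightened.
        ip daddr $SBC meta l4proto udp accept

        # Device management: HTTP is for the Polycom BootROM only.
        ip daddr $DM_POLY_YEALINK tcp dport { 80, 443 } accept
        ip daddr $DM_CISCO tcp dport 443 accept

        # DNS, NTP and similar are not in the table; add them separately.
        log prefix "voice-egress-drop: " counter drop
    }
}
```

The logged drops show which destination a handset was trying to reach, which helps map a symptom from the list at the top of this page back to a specific row of the table.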