The information below contains various network requirements to make your VoIP Installation a success. The first section of the document covers general network requirements that apply to most networks when implementing Voice over IP (VoIP). Please review these and any Vendor KBs that might apply to your solution.
VoIP General Network Requirements
The below requirements apply to all VoIP solutions and should be reviewed before proceeding with any implementation of VoIP Services.
Packet Inspection
All traffic to and from these VoIP systems and clients must be allowed and unmodified. This includes both hosting and client sites. Many firewalls have features that inspect, filter, or otherwise alter packets passing through them for security purposes. These features must be disabled for the VoIP services provided to function correctly, especially those that act on SIP, H.323, or H.225. These features have different names depending on the firewall manufacturer. Below is a list of some of the names used by popular manufacturers:
- Application-Level Gateway
- ALG
- Application Layer Gateway
- Application Gateway
- Application Proxy
- Application-Level Proxy
- Firewall Proxy
- Inspection
- Application Control
- Web Filtering (esp. Streaming Media)
- Deep Packet Inspection
- Session Helper
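A practical way to confirm that an ALG or session helper is really off is to capture the same SIP message on both sides of the firewall and compare the fields an ALG rewrites: the Via and Contact headers and the SDP o=, c= and m= lines. The script below is an added example, not part of this documentation or any vendor's tooling. It parses two copies of a message and lists what changed in transit. The INVITE, the private address 192.168.1.20 and the public address 203.0.113.5 are constructed for the example; compact-form SIP header names (v:, m:, etc.) are not expanded.

```python
# Added example: detect SIP ALG rewriting by diffing the message the phone sent
# against the copy that arrived on the far side of the firewall.

WATCHED_HEADERS = ("via", "contact", "from", "to", "route", "record-route")
WATCHED_SDP = ("o", "c", "m")   # origin, connection address, media port


def parse_sip(raw):
    """Split a SIP message into (start line, {header name: [values]}, [SDP lines]).
    Header names are folded to lower case; compact forms (v:, m:) are not expanded."""
    text = raw.replace("\r\n", "\n").strip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    sdp = [line for line in body.split("\n") if line]
    return lines[0], headers, sdp


def sdp_fields(sdp_lines):
    """Collect the watched SDP lines, keyed by their one-letter type."""
    fields = {}
    for line in sdp_lines:
        key, _, value = line.partition("=")
        if key in WATCHED_SDP:
            fields.setdefault(key, []).append(value)
    return fields


def alg_changes(sent, received):
    """Return [(field, value as sent, value as received)] for each watched field
    that differs between the two copies; an empty list means nothing was rewritten."""
    s_line, s_hdr, s_sdp = parse_sip(sent)
    r_line, r_hdr, r_sdp = parse_sip(received)
    changes = []
    if s_line != r_line:
        changes.append(("start-line", s_line, r_line))
    for name in WATCHED_HEADERS:
        if s_hdr.get(name) != r_hdr.get(name):
            changes.append((name, s_hdr.get(name), r_hdr.get(name)))
    s_fields, r_fields = sdp_fields(s_sdp), sdp_fields(r_sdp)
    for key in WATCHED_SDP:
        if s_fields.get(key) != r_fields.get(key):
            changes.append(("sdp:" + key, s_fields.get(key), r_fields.get(key)))
    return changes


# Constructed INVITE as captured on the phone's LAN segment (private address 192.168.1.20).
SENT = (
    "INVITE sip:2002@core1-mci.personacloud.net:4060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:1001@core1-mci.personacloud.net>;tag=example-tag\r\n"
    "To: <sip:2002@core1-mci.personacloud.net>\r\n"
    "Call-ID: example-call-id@192.168.1.20\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

# Constructed copy as seen on the WAN side: an ALG swapped in the public address
# 203.0.113.5 and remapped the RTP port in the m= line.
RECEIVED = SENT.replace("192.168.1.20", "203.0.113.5").replace("m=audio 16384", "m=audio 1024")

if __name__ == "__main__":
    for field, before, after in alg_changes(SENT, RECEIVED):
        print(f"{field}: {before} -> {after}")
```

Feed it one capture from the phone's LAN segment and one from the WAN side (or the server's SIP trace) for the same Call-ID. An empty result means the message passed untouched; a rewritten Contact, c= or m= line means an ALG is still active somewhere on the path and the vendor KB for that firewall applies. Note that `received=` and `rport` parameters that the server adds to Via in its response are normal SIP behaviour, not ALG rewriting.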
Outbound Traffic
All traffic from the client (IP phone, softphone, smartphone) to the server(s) is defined as outbound traffic. If outbound port filtering/whitelisting is a requirement of your organization, the outbound traffic will match the port definitions specified and will only need to be allowed to the destination server(s). See specific requirement documents for a list of ports in the tabs below.
It is assumed that the local firewall or router allows all outbound traffic from the office or home network to pass through and allows all symmetric traffic. That is, if the phone sends RTP/RTCP to a public IP address and port, it will be able to receive RTP/RTCP from that same IP address and port. If this is not the case, any configuration required of the user's router to support that is not covered by this documentation.
Multi-WAN / SD-WAN
When using multiple external circuits, all traffic from the client must originate from the same IP address. If any of the traffic from the client starts originating from another external IP address, the voice services may behave unexpectedly or not work at all.
In the event of a fail-over (the primary circuit goes down, and traffic must come from a backup circuit for a period of time), clients may need to re-register to the server from the new IP address to regain functionality, depending on the solution. For phones, this can be accomplished via a reboot if required. In these situations, failing back to the primary may also require re-registering due to the IP change.
Vulnerability Scanning
We recommend that vulnerability scanning tools on your network are not configured to scan VoIP phones directly. In our experience, including VoIP devices in automated vulnerability scans can lead to degraded performance such as registration loss, general connectivity issues, or even unexpected reboots of the phones.
If scanning these devices is required as part of your organization’s security posture, we suggest configuring a single test phone on the network and scanning only that device. This approach helps validate security requirements while preserving service stability across all other phones.
Vendor KBs
Below are some helpful resources on common firewall vendors. Note that these links are provided as a best effort and may no longer be relevant to your situation, or may not contain all the information required to make VoIP work in your environment. When in doubt, a Google search for "VOIP on VENDOR" and "disable sip alg on VENDOR" usually turns up the correct information.
Sonicwall
How to Troubleshoot VoIP
How to Configure Quality of Service
Palo Alto
How to Disable SIP ALG
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEsCAK
Ubiquiti
Disable SIP and H323 ALG
https://community.ui.com/questions/Disable-SIP-ALG-on-USG/6ce1f278-e658-4ac8-8063-2c60696cbcb6
Cisco ASA
Disable SIP ALG
https://community.cisco.com/t5/network-security/asa-ho-do-i-disable-sip-alg/td-p/2329095
Persona Connect Servers
Server Name | IP |
---|---|
portal-mci.personacloud.net | 76.76.30.203 |
core1-mci.personacloud.net | 76.76.30.200 |
core1-grr.personacloud.net | 155.130.141.193 / 2605:5240:2410:1020::9b82:8dc1 |
core2-mci.personacloud.net | 76.76.30.201 |
core1-ord.personaplatform.net | 64.181.211.116 |
core2-phx.personaplatform.net | 129.153.199.150 |
core3-iad.personaplatform.net | 129.159.64.66 |
Softphone/Device Registrations and Audio
Connect Softphone & Devices will use the below servers and ports for SIP Registration. Please add these servers and ports to your allowlist.
Ports
Server Names | Port/s | Protocol/s | Description |
---|---|---|---|
core1-mci|core1-grr|core2-mci | 4060 | UDP & TCP | Must be allowed, Signaling Port to the Servers Above |
core1-mci|core1-grr|core2-mci | 4061 | TCP | Only Required for TLS, Signaling Port to the Servers Above |
core1-mci|core1-grr|core2-mci | 20000-27999 | UDP | Must be allowed. Used for RTP audio streams of established calls to the Media IPs above. |
core1-ord|core2-phx|core3-iad | 5080 | UDP & TCP | Must be allowed, Signaling Port to the Servers Above |
core1-ord|core2-phx|core3-iad | 5082 | TCP | Only Required for TLS, Signaling Port to the Servers Above |
core1-ord|core2-phx|core3-iad | 20000-27999 | UDP | Must be allowed. Used for RTP audio streams of established calls to the Media IPs above. |
Connect Portal & WebRTC
The information below is needed to allow the Connect Portal and WebRTC to function through the firewall. This enables the Connect Portal and Connect Web applications to work with our geo-redundant solution.
Connect Portal URL - https://portal.personacloud.net/portal/home
Port/s | Protocol/s | Servers/IPs | Description |
---|---|---|---|
443 | TCP | Persona Connect Servers Above | Needed for secure web content and secure provisioning over HTTPS |
80 | TCP | Persona Connect Servers Above | Used for GUI redirection to HTTPS and Endpoint Configuration files over HTTP |
9002 | TCP | Persona Connect Servers Above | Required for Connect Web & Connect Meet Applications |
8001 | TCP | Persona Connect Servers Above | Required for the Connect Portal to provide Dynamic Updates |
8000 & 3001 | TCP & UDP | 44.212.88.215, 54.70.235.134 | Text-to-Speech and Speech-to-Text services. |
3443 | UDP | 54.188.133.147, 3.130.158.184, 35.183.150.146 | Connect Meet licensing and recording services. |
Endpoints
For endpoints, please refer to this article. Depending on the devices in use, your network may have different requirements.
Preparing Your Network for VOIP
Connect SIP Trunking
The corporate LAN hosting the VoIP system requires a public IP address that is routed to the LAN interface of the VoIP system configured for remote SIP trunks. All servers below are required for a redundant setup to the platform.
Registered SIP Trunks can be provided upon request.
SIP Trunk NAT Requirements:
NOTE FOR SIP TRUNKS ONLY: The following ports required for SIP trunks should only be allowed inbound to the phone system from the following IP networks:
Server Name | IP |
---|---|
core1-mci.personacloud.net | 76.76.30.200 |
core1-grr.personacloud.net | 155.130.141.193 / 2605:5240:2410:1020::9b82:8dc1 |
core2-mci.personacloud.net | 76.76.30.201 |
core1-ord.personaplatform.net | 64.181.211.116 |
core2-phx.personaplatform.net | 129.153.199.150 |
core3-iad.personaplatform.net | 129.159.64.66 |
Media IPs
The servers listed above also provide the media (RTP audio) for calls.
Media & Signaling Ports
Server Names | Port/s | Protocol/s | Description |
---|---|---|---|
core1-mci|core1-grr|core2-mci | 4060 | UDP & TCP | Must be allowed, Signaling Port to the Servers Above |
core1-mci|core1-grr|core2-mci | 4061 | TCP | Only Required for TLS, Signaling Port to the Servers Above |
core1-mci|core1-grr|core2-mci | 20000-27999 | UDP | Must be allowed. Used for RTP audio streams of established calls to the Media IPs above. |
core1-ord|core2-phx|core3-iad | 5080 | UDP & TCP | Must be allowed, Signaling Port to the Servers Above |
core1-ord|core2-phx|core3-iad | 5082 | TCP | Only Required for TLS, Signaling Port to the Servers Above |
core1-ord|core2-phx|core3-iad | 20000-27999 | UDP | Must be allowed. Used for RTP audio streams of established calls to the Media IPs above. |
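The port tables in the Softphone/Device Registrations and Audio section and in this SIP Trunking section describe the same flows in two directions: outbound from clients to the platform, and inbound to the phone system from the platform IPs only. The following script is an added example, not part of this documentation or the vendor's tooling. It expands the tables into a list of required flows, reports which flows a firewall rule set fails to permit, and flags inbound trunk rules that accept those ports from sources other than the listed platform hosts. The rule sets, the LAN addresses 10.10.0.0/24, 10.10.0.50 and 10.10.0.5, and the first-match/default-deny evaluation model are assumptions of the example; the core1-grr IPv6 address from the table is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Platform addresses copied from the server tables in this document (IPv4 only;
# the core1-grr IPv6 address would need a matching IPv6 rule, not modelled here).
GROUP_A = ["76.76.30.200", "155.130.141.193", "76.76.30.201"]    # core1-mci, core1-grr, core2-mci
GROUP_B = ["64.181.211.116", "129.153.199.150", "129.159.64.66"]  # core1-ord, core2-phx, core3-iad

# (protocol, low port, high port) per server group, from the Ports tables.
PORTS = {
    "A": [("udp", 4060, 4060), ("tcp", 4060, 4060), ("tcp", 4061, 4061), ("udp", 20000, 27999)],
    "B": [("udp", 5080, 5080), ("tcp", 5080, 5080), ("tcp", 5082, 5082), ("udp", 20000, 27999)],
}

# Constructed LAN addresses (assumptions of this example, not from the document).
LAN = "10.10.0.0/24"
PHONE = "10.10.0.50"   # a softphone or desk phone on the LAN
PBX = "10.10.0.5"      # the phone system's LAN interface used for SIP trunks


@dataclass(frozen=True)
class Flow:
    direction: str  # "out": client -> platform, "in": platform -> PBX (SIP trunks)
    proto: str
    remote: str     # platform server IP
    port_lo: int
    port_hi: int


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str     # "allow" or "deny"
    proto: str      # "udp", "tcp" or "any"
    src: str        # CIDR
    dst: str        # CIDR
    port_lo: int
    port_hi: int


def required_flows(direction):
    """Expand the port tables into one Flow per (server, protocol, port range)."""
    return [Flow(direction, proto, ip, lo, hi)
            for group, servers in (("A", GROUP_A), ("B", GROUP_B))
            for ip in servers
            for proto, lo, hi in PORTS[group]]


def _covers(rule, flow, local_ip):
    """True if the rule matches the whole flow: direction, protocol, full port range, both hosts."""
    if rule.direction != flow.direction or rule.proto not in (flow.proto, "any"):
        return False
    if not (rule.port_lo <= flow.port_lo and flow.port_hi <= rule.port_hi):
        return False
    remote, local = ipaddress.ip_address(flow.remote), ipaddress.ip_address(local_ip)
    src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    if flow.direction == "out":
        return local in src and remote in dst
    return remote in src and local in dst


def uncovered(rules, flows, local_ip):
    """First-match, default-deny evaluation: return the flows whose first fully matching
    rule is not an allow (partial overlaps with earlier deny rules are not modelled)."""
    missing = []
    for flow in flows:
        verdict = next((r.action for r in rules if _covers(r, flow, local_ip)), "deny")
        if verdict != "allow":
            missing.append(flow)
    return missing


def too_broad_inbound(rules):
    """Per the SIP-trunk note: trunk ports may only be reachable from the platform hosts.
    Return inbound allow rules that touch a trunk port from any other source."""
    platform = {ipaddress.ip_network(ip) for ip in GROUP_A + GROUP_B}
    trunk_ports = {entry for group in PORTS.values() for entry in group}
    flagged = []
    for r in rules:
        if r.direction != "in" or r.action != "allow":
            continue
        touches = any(r.proto in (p, "any") and r.port_lo <= hi and lo <= r.port_hi
                      for p, lo, hi in trunk_ports)
        if touches and ipaddress.ip_network(r.src) not in platform:
            flagged.append(r)
    return flagged


# Constructed outbound policy: group A is complete, but group B has no RTP rule
# and core3-iad was left out entirely.
OUTBOUND_DRAFT = [
    Rule("out", "allow", "any", LAN, "76.76.30.200/30", 4060, 4061),      # covers .200-.203
    Rule("out", "allow", "udp", LAN, "76.76.30.200/30", 20000, 27999),
    Rule("out", "allow", "any", LAN, "155.130.141.193/32", 4060, 4061),
    Rule("out", "allow", "udp", LAN, "155.130.141.193/32", 20000, 27999),
    Rule("out", "allow", "any", LAN, "64.181.211.116/32", 5080, 5082),
    Rule("out", "allow", "any", LAN, "129.153.199.150/32", 5080, 5082),
]

# Weak inbound trunk policy: correct ports, but open to any source address.
INBOUND_WEAK = [
    Rule("in", "allow", "any", "0.0.0.0/0", PBX + "/32", 4060, 4061),
    Rule("in", "allow", "udp", "0.0.0.0/0", PBX + "/32", 20000, 27999),
]

# Corrected inbound policy: one rule per platform host, protocol and port range.
INBOUND_FIXED = [Rule("in", "allow", f.proto, f.remote + "/32", PBX + "/32", f.port_lo, f.port_hi)
                 for f in required_flows("in")]

if __name__ == "__main__":
    for f in uncovered(OUTBOUND_DRAFT, required_flows("out"), PHONE):
        print("outbound gap:", f)
    for r in too_broad_inbound(INBOUND_WEAK):
        print("inbound too broad:", r)
    print("fixed inbound gaps:", uncovered(INBOUND_FIXED, required_flows("in"), PBX))
```

Run against your own exported rule set, the draft policy reports six outbound gaps (the group B RTP range for all three servers and every core3-iad port) and flags both wide-open inbound rules, while the corrected inbound policy covers all 24 trunk flows with no over-broad rule. The checker only models direction, protocol, port range and CIDR; translate your firewall's rules into that shape before trusting its verdict.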