What firewall ports do I need to configure?

This depends on the protocols being used. All of the rules mentioned below should be stateful, and allow response packets in or out of the firewall:

  1. A standard PABX install with no external phones or VoIP links will try to use the Internet to keep its internal clock correct. This uses:
    UDP Port 123 (outbound from PABX)

  2. If SIP phones or soft-phones are to be deployed remotely, this should be done using a VPN. The SIP protocol does not traverse firewalls at all well. If absolutely necessary, the following ports are used:
    UDP Port 5060 (inbound to PABX)
    TCP Port 5061 (inbound to PABX)
    UDP Ports 2000-6000 (outbound from PABX, depending on devices used)
    UDP Ports 10000-20000 (in- and outbound from PABX)
    UDP Ports 4000-4999 (in- and outbound from PABX for T.38)
    Note: Firewalls that use NAT will often cause additional problems with the SIP protocol.

  3. If a SIP trunk is being used to a provider, the same ports as for SIP phones above are used.

  4. If an IAX2 trunk is being used to a provider, then only a single port, which will safely traverse NAT is required: UDP Port 4569 (outbound from PABX)

  5. IMPORTANT: If using a Cisco router or firewall, you need to disable the SIP ALG (Fixup) module where possible; the Cisco SIP ALG is reportedly not compatible with non-Cisco SIP devices. The IOS commands will resemble the following:

```
no inspect sip

no fixup protocol sip 5060
no fixup protocol sip udp 5060

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

sip no fixup
```

  6. To allow IP Cortex Ltd access to the PABX for support or maintenance:
    TCP Port 22 (inbound to PABX)
    This can (and should) be further restricted by specifying that these connections are only allowed from IP Cortex IP addresses.

  7. To allow the Remote Support Tunnel to function, the PABX must have access to the Internet for DNS resolution and to:
    TCP Port 122 (outbound from PABX)

  8. Using HTTP (port 80) is possible, but should be constrained to internal use only. HTTPS (port 443) access is most relevant for web administration and keevio access.
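The list above is easy to get subtly wrong when it is turned into firewall rules (direction relative to the PABX, the source restriction on SSH, and the requirement that every rule be stateful). The following Python script is an added example, not IP Cortex's own tooling: it models the whole list as a small rule table, answers "is this new flow allowed?" the way a stateful firewall would, and renders the same policy as an nftables ruleset for the PABX host. The IP Cortex support network and the internal LAN are constructed placeholders (the page does not give them), and UDP port 53 is added only because item 7 requires DNS resolution.

```python
"""Model of the PABX firewall policy described above, as an added example (not IP Cortex
tooling). It decides whether a new flow is allowed and emits an nftables ruleset for the
PABX host. Network addresses are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

# Placeholders: the page does not give the real IP Cortex support addresses or your LAN.
SUPPORT_NETS = (ipaddress.ip_network("192.0.2.0/24"),)   # constructed (TEST-NET-1)
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)     # constructed example LAN


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str           # "tcp" or "udp"
    lo: int              # first port (inclusive)
    hi: int              # last port (inclusive)
    direction: str       # "in", "out" or "both", relative to the PABX
    sources: tuple = ()  # inbound only: allowed remote networks; empty means any


RULES = (
    Rule("ntp", "udp", 123, 123, "out"),
    Rule("sip", "udp", 5060, 5060, "in"),
    Rule("sip-tls", "tcp", 5061, 5061, "in"),
    Rule("sip-device-ports", "udp", 2000, 6000, "out"),
    Rule("rtp", "udp", 10000, 20000, "both"),
    Rule("t38", "udp", 4000, 4999, "both"),
    Rule("iax2", "udp", 4569, 4569, "out"),
    Rule("ssh-support", "tcp", 22, 22, "in", SUPPORT_NETS),
    Rule("support-tunnel", "tcp", 122, 122, "out"),
    # Port 53 is not listed on the page; it follows from the DNS-resolution requirement.
    Rule("dns", "udp", 53, 53, "out"),
    Rule("http-internal", "tcp", 80, 80, "in", INTERNAL_NETS),
    Rule("https", "tcp", 443, 443, "in"),
)


def match(direction, proto, port, remote_ip):
    """Return the first rule that admits a NEW flow, or None if the default drop applies."""
    addr = ipaddress.ip_address(remote_ip)
    for r in RULES:
        if r.proto != proto or not (r.lo <= port <= r.hi):
            continue
        if r.direction not in (direction, "both"):
            continue
        if direction == "in" and r.sources and not any(addr in n for n in r.sources):
            continue
        return r
    return None


def allowed(direction, proto, port, remote_ip, state="new"):
    """Stateful decision: replies to accepted flows pass, new flows must match a rule."""
    if state == "established":
        return True
    return match(direction, proto, port, remote_ip) is not None


def nft_ruleset():
    """Render the same policy as an nftables ruleset for the PABX host itself."""
    def expr(r):
        ports = f"{r.lo}" if r.lo == r.hi else f"{r.lo}-{r.hi}"
        src = ""
        if r.sources:
            src = " ip saddr { " + ", ".join(str(n) for n in r.sources) + " }"
        return f"    {r.proto} dport {ports}{src} accept  # {r.name}"

    out = ["table inet pabx {",
           "  chain input {",
           "    type filter hook input priority 0; policy drop;",
           "    iif lo accept",
           "    ct state established,related accept",
           "    ct state invalid drop"]
    out += [expr(r) for r in RULES if r.direction in ("in", "both")]
    out += ["  }", "  chain output {",
            "    type filter hook output priority 0; policy drop;",
            "    oif lo accept",
            "    ct state established,related accept"]
    out += [expr(r) for r in RULES if r.direction in ("out", "both")]
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(nft_ruleset())
```

Both chains default to drop and accept `established,related` traffic first, which is what "stateful, and allow response packets" means in practice: the RTP and T.38 ranges are the only ones that need to be open in both directions for new flows, and SSH on port 22 is accepted only from the placeholder support network. Replace the two placeholder networks with your real values before loading the output with `nft -f`.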