Firewall configuration for Cloud SIP
Cloud SIP requires that you whitelist the signalling and media IP addresses of Enfonica's edge locations.
You may choose to whitelist Enfonica's edge IP addresses entirely, or only the required port ranges. In either case, you should ensure that you are able to bidirectionally communicate with all edge IP addresses on the documented ports.
This information is general in nature. You should configure your firewall as per your organization's policy.
Whitelisting TLS port 5061
Enfonica delivers TLS over TCP. As such, you should whitelist TCP port 5061.
Note that all media is still delivered over UDP.
Whitelisting UDP port 5060
Allowing traffic from Cloud SIP IP addresses from port 5060 only will work in most circumstances, but you may encounter issues with long UDP messages that are fragmented. This is because a fragmented UDP message carries its port numbers only in the first fragment, so your firewall does not know the source and destination ports of subsequent fragments.
If you can configure your firewall to allow UDP fragments, we recommend doing this.
Otherwise, if supported by your firewall, you can allow all UDP and, in a higher priority rule, block all UDP on ports 0-5059 and 5061-65535. For example:
1000 allow udp *
990 deny udp 0-5059
990 deny udp 5061-65535
Depending on your firewall, this will allow UDP port 5060 and all fragments.
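The fragment behaviour described above, as an added example that is not Enfonica's code: it splits a constructed long SIP message into IPv4-style fragments and evaluates two simplified rule models against each one. The 1480-byte fragment size, matching on the destination port, and the assumption that a port-range rule cannot match a fragment without a UDP header are assumptions made for the illustration; real firewalls differ.

```python
import struct

FRAG_SIZE = 1480  # IPv4 payload per fragment at a 1500-byte MTU (assumed)

def fragment_udp(src_port, dst_port, payload, size=FRAG_SIZE):
    """Split one UDP datagram the way IPv4 does: (byte offset, data) per fragment."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    return [(off, udp[off:off + size]) for off in range(0, len(udp), size)]

def ports_of(frag):
    """Return (src, dst) ports, or None when the fragment has no UDP header."""
    off, data = frag
    return struct.unpack("!HH", data[:4]) if off == 0 else None

def port_only_policy(frag):
    """Model of 'allow udp 5060, default deny': no visible port means no match."""
    ports = ports_of(frag)
    return ports is not None and ports[1] == 5060

def page_policy(frag):
    """Model of the page's rules: deny 0-5059 and 5061-65535, then allow udp *.
    Assumption: the deny rules match only packets whose port is visible."""
    ports = ports_of(frag)
    if ports is not None and ports[1] != 5060:
        return False  # one of the two deny rules matched
    return True       # fell through to 'allow udp *'

# Constructed sample: a SIP INVITE large enough to need three fragments.
SAMPLE = b"INVITE sip:bob@example.invalid SIP/2.0\r\n" + b"a=x\r\n" * 600

def verdicts(policy, payload=SAMPLE, dst_port=5060):
    """Allow/deny decision for each fragment of one datagram, in order."""
    return [policy(f) for f in fragment_udp(5060, dst_port, payload)]

if __name__ == "__main__":
    print("port-only rule:", verdicts(port_only_policy))
    print("page rule set: ", verdicts(page_policy))
    # Non-first fragments for other ports also reach 'allow udp *', but the
    # datagram cannot be reassembled because its first fragment was denied.
    print("dst port 4000: ", verdicts(page_policy, dst_port=4000))
```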