Do I need to configure my on-premise firewall for Cloud One hosted phone system?
Yes. The customer is responsible for the voice-optimised firewall & QoS configuration at the customer site, as per the router or firewall vendor's recommendations.
The following recommendations are guidelines for your router or firewall for the hosted phone system.
- Use multiple reliable DNS servers in your networks, e.g. 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4
- To ensure quality of service, prioritise voice packets to your phone system host FQDN (e.g. customer.cloudone.co.ke or customer.3cx.uk or customer.cloudone.co) & reserve 128 kbps for each voice user to your phone system host (refer to your PBX documentation for details)
- TCP 80/443: Web Service (HTTP/HTTPS) for administration portal and provisioning.
- TCP/UDP 5060: SIP registration for VoIP providers/devices.
- TCP 5061: Secure SIP (TLS)
RTP (Voice/Media stream)
- UDP 10000-12000 - Cloud One Business Communication Suite
- UDP 9000-10999 - 3CX
Tunnel Ports (UDP/TCP)
- TCP/UDP 8111 - Cloud One Simu Connect Client Log In
- TCP/UDP 1090 - Cloud One Business Communication Suite Tunnel
- TCP/UDP 5090 - 3CX
Other Ports (disabled by default, enable if you use these services)
- 5038 - AMI: port for third parties to access the AMI of the PBX.
- 3306 - Database Grant: port for third parties to access the PBX database.
- 389 - LDAP: port for LDAP clients to access the PBX LDAP server via the LDAP protocol.
- 21 - FTP: port for file sharing.
- 69 - TFTP: port for uploading or downloading files to/from a specific PBX file folder.
- 8022 - SSH: port used to access the PBX underlying configurations to debug the system.
- Give priority to voice packets on your network using the DSCP tag with the value 46 (EF 101110). This tag is carried by all packets coming in and out of the Cloud One Simu Connect app.
- Whitelist the phone system host on your firewall
- Disable SIP ALG on your firewall
Multiple ISP Connections MUST be configured correctly to handle VoIP connectivity
- Use Failover instead of load balancing to connect to your phone system host
- Use Manual outbound NAT
- Firewall should be in conservative mode to preserve VoIP session states
If you are connecting your telephone lines using a VoIP Gateway at your premises, you will also need to do the following:
- This setup requires a static IP from your ISP, or a subscription to a Dynamic DNS service, for all your ISP connections
- Configure SIP & RTP port forwarding & inbound NAT for each ISP connection from your phone system host to VoIP Gateway Local IP
- It is mandatory to inform Cloud One every time your ISP static public IP or DDNS hostname is new or changes, so that it can be whitelisted on Cloud One's central firewall & phone system host. Failure to inform Cloud One may result in your connection getting blacklisted on our network & the service becoming unavailable.
- To ensure quality of service for your telephone lines, prioritise voice packets (both SIP & RTP) & reserve 128 kbps for each line in both directions: phone system host to VoIP Gateway Local IP, and VoIP Gateway Local IP to phone system host
- If you are using a VoIP GSM Gateway, ensure it is installed where there is maximum signal reception from the mobile operator. Bad signal reception will result in bad quality telephone line connections. You can improve signal reception by installing an external GSM antenna for the GSM line
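An added example, not part of Cloud One's guidance: a Python check that audits an exported list of inbound port forwards against the points above, namely that the source is limited to the whitelisted phone system host, that SIP and RTP are forwarded on every ISP connection, and that none of the optional service ports listed earlier is forwarded unnoticed. The rule format, rule names and addresses are assumptions constructed for illustration.

```python
import ipaddress

# Port numbers below are the ones listed in these guidelines.
SIP = (5060, 5061)
RTP = {"Cloud One": (10000, 12000), "3CX": (9000, 10999)}
OPTIONAL = {5038: "AMI", 3306: "Database Grant", 389: "LDAP",
            21: "FTP", 69: "TFTP", 8022: "SSH"}

def overlaps(a, b):
    """True when inclusive port ranges a and b share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]

def src_allowed(src, trusted):
    """True when src (CIDR string or 'any') lies inside a whitelisted network."""
    if src == "any":
        return False
    net = ipaddress.ip_network(src)
    return any(net.version == t.version and net.subnet_of(t)
               for t in map(ipaddress.ip_network, trusted))

def audit(rules, trusted, wans, rtp=RTP["Cloud One"]):
    """Return sorted (wan, rule, finding) tuples for inbound port forwards."""
    findings, seen = [], {w: set() for w in wans}
    for r in rules:
        for kind, rng in (("SIP", SIP), ("RTP", rtp)):
            if overlaps(r["ports"], rng):
                seen.setdefault(r["wan"], set()).add(kind)
        if not src_allowed(r["src"], trusted):
            findings.append((r["wan"], r["name"], "source not limited to whitelisted hosts"))
        for port, svc in OPTIONAL.items():
            if overlaps(r["ports"], (port, port)):
                findings.append((r["wan"], r["name"], f"optional service {svc} ({port}) is forwarded"))
    for wan in wans:  # every ISP connection needs its own SIP and RTP forward
        for kind in ("SIP", "RTP"):
            if kind not in seen[wan]:
                findings.append((wan, "-", f"no {kind} forward on this ISP connection"))
    return sorted(findings)

# Constructed sample: hypothetical rule export using documentation-range addresses.
TRUSTED = ["203.0.113.10/32"]  # stands in for the phone system host
RULES = [
    {"name": "sip-isp1", "wan": "isp1", "src": "203.0.113.10/32", "ports": (5060, 5061)},
    {"name": "rtp-isp1", "wan": "isp1", "src": "203.0.113.10/32", "ports": (10000, 12000)},
    {"name": "sip-isp2", "wan": "isp2", "src": "any", "ports": (5060, 5060)},
    {"name": "ssh-isp2", "wan": "isp2", "src": "203.0.113.10/32", "ports": (8022, 8022)},
]

if __name__ == "__main__":
    for finding in audit(RULES, TRUSTED, ["isp1", "isp2"]):
        print(*finding, sep=" | ")
```

For a 3CX host, pass `rtp=RTP["3CX"]` so the RTP check uses the 9000-10999 range instead.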
BYOC SIP Trunk Support or paid support tickets require the below configuration on your firewall
Whitelist Cloud One Remote Management Host on your firewall.
- saachi.cloudone.co
- mgmt.cloudone.co
- remote.cloudone.co
- Configure remote management port forwarding for each ISP connection from Cloud One Remote Management Host to VoIP Gateway Local IP
There are instances where you do not have access to your firewall:
- Your ISP is managing your firewall
- You have a managed firewall service from a 3rd party
- You have lost admin access to your firewall
In these cases, contact your ISP, managed firewall service provider or firewall vendor for assistance.
If you are unable to configure your firewall with the above guidelines, then your voice connection will not be optimised & voice quality will be affected
Firewall configuration service is a chargeable support service & will be quoted separately depending on the firewall. We will require admin access to the firewall