Firewall/NAT Checklist


This firewall checklist is a list of ports and services that we know need to be forwarded on the firewall/router where the PBX is located for it to function as designed. Not all of these ports need to be open; it depends on what type of access the user wants and what services the user is planning on using.

Ports that need to be forwarded on the firewall/router located where the PBX is:
| TCP/UDP | Port(s) | Switchvox Use |
| --- | --- | --- |
| UDP | 5060 | SIP signaling port needed for phones outside your network |
| TCP | 5060 | SIP signaling port needed for Switchvox Softphone outside of your network |
| UDP | 5062 | SIP signaling port needed for phones for configuration communications |
| UDP | 55062 | SIP signaling port needed for Switchvox Softphone for configuration communications |
| UDP | 10000-20000 | RTP audio ports needed for phones outside your network |
| SIP UDP | 4000-4999 | UDPTL ports for T.38 faxing over SIP |
| IAX UDP | 4569 | IAX signaling port needed for communicating with IAX provider |
| TCP | 80 | HTTP port for remote web admin, API, and phone-firmware access |
| TCP | 443 | HTTPS port for remote web admin and API access |
| TCP | 5222 & 843 | SMB Systems Only - ports for using the Switchboard remotely |
| TCP | 5269 | SMB Systems Only - port for remote XMPP (Jabber/chat) access (Extensible Messaging and Presence Protocol) |
| UDP | 1194 | Must be open to outgoing traffic for Digium / Switchvox technical support VPN |

Please note that the following ports are used by Switchvox for outgoing connections. Your firewall should allow connections to the internet on these ports:
| TCP/UDP | Port(s) | Switchvox Use |
| --- | --- | --- |
| UDP | 1194 | Must be open to outgoing traffic for Digium / Switchvox technical support VPN |
| TCP | 21 | FTP when exporting recordings or backups |
| TCP | 22 | SFTP when exporting recordings or backups |
| TCP | 25* | SMTP when Switchvox sends emails |

(*) Please note that the SMTP port is a user-configurable option.

The following ports are used by Switchvox to communicate with devices within the same network. These ports should never be forwarded at your firewall:
| TCP/UDP | Port(s) | Switchvox Use |
| --- | --- | --- |
| TCP | 143 | IMAP, which allows customers to see their voicemail in their mail software |
| TCP | 631 | Fax Printer |
| UDP | 161 | SNMP, in order to track alarms on your Switchvox with an SNMP server |
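
An added example (not Digium's own tooling) that checks a list of port forwards against the tables above: it flags any forward that touches a port the page says should never be forwarded, and lists forwards that are not on the checklist. The rule tuple format and the sample forwards are constructed for illustration.

```python
# Added example: audit port forwards against the checklist tables on this page.
# (protocol, first, last, use): may be forwarded. UDP 1194 is outgoing-only, so omitted.
FORWARDABLE = [
    ("udp", 5060, 5060, "SIP signaling (phones)"),
    ("tcp", 5060, 5060, "SIP signaling (Switchvox Softphone)"),
    ("udp", 5062, 5062, "phone configuration"),
    ("udp", 55062, 55062, "Softphone configuration"),
    ("udp", 10000, 20000, "RTP audio"),
    ("udp", 4000, 4999, "UDPTL / T.38 fax"),
    ("udp", 4569, 4569, "IAX signaling"),
    ("tcp", 80, 80, "HTTP admin/API/firmware"),
    ("tcp", 443, 443, "HTTPS admin/API"),
    ("tcp", 5222, 5222, "Switchboard"), ("tcp", 843, 843, "Switchboard"),
    ("tcp", 5269, 5269, "XMPP"),
]
# Internal-only services the page says should never be forwarded.
NEVER_FORWARD = [
    ("tcp", 143, 143, "IMAP voicemail"),
    ("tcp", 631, 631, "Fax Printer"),
    ("udp", 161, 161, "SNMP"),
]

def overlaps(rule, e):  # forwarded range touches any port of the entry
    return rule[0] == e[0] and rule[1] <= e[2] and e[1] <= rule[2]

def covered(rule, e):  # forwarded range lies entirely inside the entry
    return rule[0] == e[0] and e[1] <= rule[1] and rule[2] <= e[2]

def audit(rules):
    """Return (never, unlisted) for a list of (protocol, first, last) forwards."""
    never, unlisted = [], []
    for rule in rules:
        hits = [e[3] for e in NEVER_FORWARD if overlaps(rule, e)]
        if hits:
            never.append((rule, hits))
        elif not any(covered(rule, e) for e in FORWARDABLE):
            unlisted.append(rule)
    return never, unlisted

# Constructed sample forwards; tcp 1-1024 is a broad range covering 143 and 631.
SAMPLE = [("udp", 5060, 5060), ("udp", 10000, 20000), ("tcp", 1, 1024),
          ("udp", 161, 161), ("tcp", 3306, 3306), ("tcp", 443, 443)]

if __name__ == "__main__":
    never, unlisted = audit(SAMPLE)
    for rule, hits in never:
        print("REMOVE", rule, "exposes", ", ".join(hits))
    for rule in unlisted:
        print("REVIEW", rule, "is not on the checklist")
```

A range forward is reported as unlisted unless it sits entirely inside one checklist entry, so a forward wider than the RTP range is surfaced for review rather than silently accepted.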

* It is recommended to keep ICMP enabled on the network. There are not any currently known issues that affect a system's ability to operate normally if ICMP is disabled. However, if ICMP is disabled by default, then it must be explicitly permitted for subscriptions.switchvox.com and updates.switchvox.com. Failure to do so may result in an error when attempting to check for available updates. 

Digium Phones Only: This means any Digium phone that is configured by the proxy server within the Switchvox software where the Phone Network has the Direct Port Access (DPA) setting enabled. Even though DPA may be on, the Digium phone will first contact the PBX over port 5060. Once it finds the correct Phone Network, the phone will re-configure back to the PBX, this time over port 5062.

Please also check all firewalls/routers for the following features. If you see any of them AND you are experiencing issues such as dropped calls or one-way audio, you may need to disable some or all of these:

SPI (Stateful Packet Inspection)
SIP Transformations (SonicWall Firewalls)
SIP ALG (SIP Application Layer Gateway)
SIP FIXUP (Cisco Firewalls)
ALG
NAT Filtering
SIP Inspection
Smart Packet Detection

* Make sure your firewall/router is up-to-date on its firmware version.
* If all else fails, start disabling the security features on your firewall/router one by one to see if you can identify which feature is causing the issue.


We have also accumulated a short list of specific third-party firewall settings for various makes/models that we know to cause issues with the Switchvox software.