...
80 & 8080 TCP - web admin panel, and certain HUD config functions. (http)
123 UDP - time for deskphones. (ntp)
443 TCP - HUD authentication. (https)
4000-4031 UDP - audio for HUDmobile. (pending)
5060 UDP - call setup and teardown for desk phones. (sip)
5060 TCP & UDP - call setup and teardown for HUDweb and HUDmobile softphones.
5222 TCP - HUD status and control.
5269 TCP - (optional) HUD external chat contacts such as Jabber and Google Chat.
10000-20000 UDP - RTP voice traffic. (audio travels over a randomly selected pair of ports in this range)
...
5060 UDP - SIP registration, used by remote phones and VoIP carriers.
(initiate, pick up, and end calls - call signalling and setup/teardown)
5060 TCP & UDP - SIP for HUDweb and HUDmobile softphones.
10000-20000 UDP - RTP voice traffic.
(audio travels over a randomly selected pair of ports in this range)
5222 TCP - HUD, used by remote HUD3 clients, HUDweb, and HUDMobile.
(5269 TCP is additionally used for external chat contacts and linked servers)
4569 UDP - IAX2 registration and audio, for linked servers.
4000-4031 TCP & UDP - only if you have HUDMobile.
(audio travels over a randomly selected pair of ports in this range)
443 TCP - Don't forward by default, but if HUDmobile is not connecting, try forwarding this.
8997 TCP - only if you have HUD Desktop screen sharing. (legacy)
...
21 TCP - FTP for phone config downloads (and server updates, if premise-based).
53 TCP/UDP - DNS, or Domain Name Service. Used for resolving hostnames such as "vpn1.fonality.com".
80 & 8080 TCP - HTTP. Required for the PBXtra to determine its public IP address, and download updates/patches. Also occasionally used for certain HUD config functions.
123 UDP - NTP, or Network Time Protocol. Used for time and date settings.
443 TCP - HTTPS. HUD clients also use this when first setting up their username.
8000 TCP - VPN tunnel. Required by the Web Admin Panel - the PBX establishes a couple of SSH VPN tunnels back to the Fonality datacenter on this port.
(some larger firewalls block outbound traffic on TCP port 8000 unless you add an exception.)
...
Don't forward port 22 SSH.
If port 22 is forwarded to the PBX without IP restrictions, it will be subjected to thousands of brute-force username/password combination attacks per second. Fonality disables root password login on port 22 by default (unless someone has set a root password), but it should not be exposed in any case. If you need to log in on port 22, restrict it to only certain specific remote IP addresses, and use a strong password (many hacked servers thought they had a strong password).
Likewise, ports 21 (FTP), 69 (TFTP), and 80 (HTTP) should not be forwarded inbound.
Enable SIP brute force detection.
(requires PBX software version 2010.1.20+) We recommend enabling this on the Web Admin Panel under the Options: Settings tab. For example: after 20 incorrect attempts, block the IP address for 1 hour. This threshold should at least cut down on people locking themselves out because they typed their softphone password wrong, while most brute-force attacks will block themselves in under a second.
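To show how the lockout rule above behaves, here is an added Python model of the "20 incorrect attempts, block for 1 hour" policy replayed over constructed failed-registration log lines; it is illustration only, not Fonality's own code, and the log format, IP addresses and timestamps are made up for the example.

```python
from collections import defaultdict

# Policy stated on the page: after 20 incorrect attempts, block the IP for 1 hour.
MAX_FAILURES = 20
BLOCK_SECONDS = 3600

class SipLockout:
    """Counts failed SIP attempts per source IP and blocks repeat offenders."""

    def __init__(self, max_failures=MAX_FAILURES, block_seconds=BLOCK_SECONDS):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.failures = defaultdict(int)  # ip -> failed attempts since last reset
        self.blocked_until = {}           # ip -> time (epoch seconds) the block lifts

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.blocked_until[ip]        # block expired: lift it and reset the counter
        self.failures.pop(ip, None)
        return False

    def record_failure(self, ip, now):
        """Register one failed attempt at time `now`; return True if `ip` is now blocked."""
        if self.is_blocked(ip, now):
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.blocked_until[ip] = now + self.block_seconds
            return True
        return False

def replay(lines, lockout=None):
    """Replay constructed '<epoch> <ip> <FAIL|OK>' log lines; return (blocked IPs, lockout)."""
    lockout = lockout or SipLockout()
    blocked = set()
    for line in lines:
        ts, ip, status = line.split()
        if status == "FAIL" and lockout.record_failure(ip, float(ts)):
            blocked.add(ip)
    return blocked, lockout

# Constructed sample: a scripted burst of 25 failures versus a user who mistyped 3 times.
SAMPLE_LOG = ([f"{1000 + i * 0.01:.2f} 203.0.113.9 FAIL" for i in range(25)]
              + [f"{1001 + i:.2f} 198.51.100.4 FAIL" for i in range(3)])
```

The scripted source is blocked on its 20th failure and stays blocked for exactly one hour, while the user who mistyped three times is never blocked.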
Whitelisting - only allow certain IPs to connect to port 5060 SIP.
If your router/firewall supports it, restrict what IP addresses can connect to SIP port 5060 (UDP).
Admittedly, this may not be as practical if you have remote users on dynamic IP addresses, but consider whitelisting their ISP. Then IP addresses from another ISP or country can't try to break in.
Side note: How do I determine what IPs to whitelist?
----
If you wish to whitelist a VoIP provider, ping the host listed on the Options: voip page. This should allow you to continue receiving incoming calls on UDP port 5060. Be aware, there is no guarantee that the VoIP provider will *always* use that IP, unless they explicitly say so.
Avoid placing the PBX in a DMZ.
We do not recommend placing the PBX, a phone, or any server in a de-militarized zone, as a DMZ exposes all running services on it to potential attack. It's sometimes useful for troubleshooting phone registration issues, but should not be used in a production environment.
Don't forward ports you don't need.
A common-sense rule - for example, if there's no VoIP carrier (purely T1/PRI or analog) and all of your phones are on-site (no remote softphones), it's unnecessary to forward port 5060.
...
Typically just the "9+011." dialplan (be careful not to affect 9+11 emergency). See editing dialplans.
Can I still contact Fonality Support for help?
...
For testing, if you are not off-site yourself, have a remote coworker attempt to register a phone (be sure to add the "x" after the Server ID - see Remote Phone Directions); if that is unsuccessful after a few tries, ask Fonality Support whether they can check.