Firewall Best Practices

When installing phones at an office, or when installing a new firewall for existing phones, there are some general steps to take to ensure good VoIP service:

  • Ensure that the modem is in Bridge mode, or if that is not an option, configure it so that it does not do any routing.
  • Disable SIP ALG. This is sometimes called the SIP Module, SIP Transformations, SIP Helper, SIP Proxy, etc. If an option is labeled SIP, it's likely best to disable it. These options are primarily useful to on-premises VoIP systems but can severely hinder cloud-based VoIP traffic.
  • Add firewall rules to allow ALL traffic to and from Cytracom servers:
    • Registration & Nodes IP ranges [FQDN:,]
    • Updates, Configuration, Services and Mobile:
      • Firmware [IP: FQDN: or] 
      • Configuration [IP: FQDN: or]
      • Mobile Registration [IP: FQDN:]
      • Presence [IP: and FQDN: and]
      • FTP [] (If call recording is used and uploaded to a locally or cloud hosted storage solution)
      • Desktop [ FQDN:]
  • Increase the UDP timeout to a minimum of 180 seconds, both globally and on firewall rules relating to Cytracom services (UDP timeouts are a related cause of BLF and MWI issues).
  • Add QoS to prioritize traffic, targeting everything sent from the phones to our system at the above IP range (DSCP marking [46] or a guarantee of 70-90 kbps per device).
  • Keep firmware up to date. While it's usually not imperative to update a firewall every time a new firmware version is released, this should be a go-to step when troubleshooting any widespread problem.

These are general guidelines, and the details will often vary from one firewall to another. For specifics, see our detailed router and firewall guide.
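
As an added example (not part of the original article or Cytracom's tooling), the script below checks two of the steps above, the 180-second UDP timeout and a disabled SIP ALG, on a gateway assumed to be Linux-based and using netfilter. It takes the text of `sysctl -a` and `/proc/modules` as input; the sample input is constructed, and a loaded SIP helper module is treated as a finding even though it does not by itself prove the helper is rewriting traffic.

```python
import re

MIN_UDP_TIMEOUT = 180  # seconds, the minimum the article recommends
# Assumption: on Linux netfilter, SIP ALG is provided by these helper modules.
SIP_ALG_MODULES = {"nf_conntrack_sip", "nf_nat_sip"}
UDP_KEYS = ("net.netfilter.nf_conntrack_udp_timeout",
            "net.netfilter.nf_conntrack_udp_timeout_stream")

def parse_sysctl(text):
    """Parse `sysctl -a` style lines ('key = value') into a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.\-/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def loaded_modules(proc_modules_text):
    """Module names are the first field of each /proc/modules line."""
    return {l.split()[0] for l in proc_modules_text.splitlines() if l.strip()}

def audit(sysctl_text, proc_modules_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    settings = parse_sysctl(sysctl_text)
    for key in UDP_KEYS:
        raw = settings.get(key)
        if raw is None or not raw.isdigit():
            findings.append(f"{key}: not found, cannot verify UDP timeout")
        elif int(raw) < MIN_UDP_TIMEOUT:
            findings.append(f"{key} = {raw}s, below the {MIN_UDP_TIMEOUT}s minimum")
    for mod in sorted(SIP_ALG_MODULES & loaded_modules(proc_modules_text)):
        findings.append(f"SIP ALG module loaded: {mod}")
    return findings

# Constructed sample input (not captured from a real device)
SAMPLE_SYSCTL = """\
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
"""
SAMPLE_MODULES = """\
nf_nat_sip 20480 0 - Live 0x0000000000000000
nf_conntrack_sip 40960 1 nf_nat_sip, Live 0x0000000000000000
nf_conntrack 172032 3 nf_nat_sip,nf_conntrack_sip,nf_nat, Live 0x0000000000000000
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSCTL, SAMPLE_MODULES):
        print("FAIL:", finding)
```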

Feel free to contact Support if needed at
