Firewall Best Practices

When installing phones at an office, or when installing a new firewall for existing phones, there are some general steps to take to ensure good VoIP service:

  • Ensure that the modem is in Bridge mode or, if that is not an option, configure it so that it does not do any routing.
  • Disable SIP ALG. This is sometimes called the SIP Module, SIP Transformations, SIP Helper, SIP Proxy, etc. If an option is labeled SIP, it's likely best to disable it. These options are primarily useful to on-premises VoIP systems but can severely hinder cloud-based VoIP traffic.
  • Add firewall rules to allow ALL traffic to and from Cytracom servers:
  • Registration & Nodes IP ranges
    • 209.105.249.194-252
    • 184.175.130.161-184.175.130.186
    • 3.208.72.128-3.208.72.158 
    • FQDN: register.cytracom.net
  • Configuration [IP: 3.208.72.130 FQDN: tftp.cytracom.net or provision.cytracom.com]
  • Firmware [IP: 52.90.29.99 FQDN: fw.cytracom.com or firmware.cytracom.net]
  • Mobile Registration [IP: 3.208.72.146 FQDN: mr1.cytracom.net]
  • Presence [FQDN: blf.cytracom.net and pres.cytracom.net]
  • If call recording is used and recordings are uploaded to a locally hosted FTP server [IP: 18.211.94.44]
  • Increase the UDP timeout to a minimum of 180 seconds, both globally and for firewall rules relating to Cytracom services (a related cause of BLF and MWI issues).
  • Add QoS to prioritize traffic, targeting everything sent from the phones to our system at the above IP ranges (DSCP marking [46] or a guarantee of 70-90 kbps per device).
  • Keep firmware up to date. While it's usually not imperative to update a firewall every time a new firmware version is released, this should be a go-to step when troubleshooting any widespread problem.
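
Many firewalls accept only CIDR notation in address objects, and the ranges above do not fall on subnet boundaries, so rounding them up to a /24 would open the "allow ALL traffic" rule to addresses that are not in the list. The following is an added example, not Cytracom's own code: it converts the listed ranges and single hosts into the exact CIDR blocks and checks whether an address is covered. The function names are illustrative, and the FQDN entries are assumed to be handled separately by the firewall's DNS-based objects.

```python
import ipaddress

# Addresses copied from the list above; FQDN entries are not handled here.
PAGE_RANGES = [
    "209.105.249.194-252",
    "184.175.130.161-184.175.130.186",
    "3.208.72.128-3.208.72.158",
    "3.208.72.130",   # Configuration
    "52.90.29.99",    # Firmware
    "3.208.72.146",   # Mobile Registration
    "18.211.94.44",   # Call recording
]


def parse_range(text):
    """Return (first, last) for 'a.b.c.d', 'a.b.c.d-e' or 'a.b.c.d-w.x.y.z'."""
    start, _, end = text.strip().partition("-")
    first = ipaddress.IPv4Address(start)
    if not end:
        return first, first
    if "." not in end:  # shorthand: only the last octet of the end address is given
        end = start.rsplit(".", 1)[0] + "." + end
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end precedes start: {text!r}")
    return first, last


def to_cidrs(ranges):
    """Smallest list of CIDR blocks that covers exactly the given ranges."""
    nets = []
    for item in ranges:
        nets.extend(ipaddress.summarize_address_range(*parse_range(item)))
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(ip, cidrs):
    """True if ip falls inside one of the allow-listed blocks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in cidrs)


if __name__ == "__main__":
    blocks = to_cidrs(PAGE_RANGES)
    for net in blocks:
        print(net)
    # A /24 shortcut would also admit this neighbour; the exact blocks do not.
    print(is_allowed("209.105.249.10", blocks))
```

The same `is_allowed` check can be run over destination addresses from firewall logs to confirm that only the listed servers match the allow rule.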

These are general guidelines, and the details will often vary from one firewall to another. Feel free to contact Support if needed: support@cytracom.com.
