For outgoing traffic from Telavox:
Create a rule for all UDP and TCP ports for Telavox networks 80.83.208.0/20.
For this rule, there should be a UDP & TCP timeout of at least 3720 seconds, as our phones contact us every 3600 seconds. If you cannot increase your timeout, contact our support and we can reduce the registration interval on the extension to 240 seconds.
For incoming traffic to Telavox:
No rules are needed here because the session is initiated from within the network. If the traffic to Telavox passes through the firewall, disable all ALG / SIP functions, Application Control, and IPS/IDS/IDP. These usually do more harm than good.
Complete information about our network:
Address: 80.83.208.0
Netmask: 255.255.240.0 = 20
Wildcard: 0.0.15.255
Network: 80.83.208.0/20
Broadcast: 80.83.223.255
HostMin: 80.83.208.1
HostMax: 80.83.223.254
Hosts / Net: 4094
Terminals and provisioning:
The following IP/ranges and ports need to be open for the zero-touch provisioning to work.
Gigaset redirect server
148.251.91.32 - 148.251.91.63 (148.251.91.32/27) Port: 80, 443
148.251.246.96 - 148.251.246.127 (148.251.246.96/27) Port: 80, 443
148.251.243.128 - 148.251.243.159 (148.251.243.128/27) Port: 80, 443
Yealink redirect server
IP: 52.29.124.181 Port: 443
IP: 3.124.165.251 Port: 443
Snom redirect server
IP: 52.28.89.237 Port: 80, 443
Grandstream redirect server
IP: 52.221.130.73 Port: 443
Akuvox redirect server
IP: 161.117.206.232 Port: 80, 443, 8080
Fanvil redirect server
IP: 119.28.67.228 Port: 80, 443
Poly redirect server
Hostname: ztp.polycom.com Port: 443
Telavox provisioning server:
Gigaset: 80.83.208.0/20 Port: 80
Gigaset IP PRO: 80.83.208.0/20 Port: 1449
Yealink: 80.83.208.0/20 Port: 442
Snom: 80.83.208.0/20 Port: 447
Grandstream: 80.83.208.0/20 Port: 443
Fanvil: 80.83.208.0/20 Port: 443
Poly: 80.83.208.0/20 Port: 443
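An added example (not Telavox's own code): when phones fail to register or provision, this check runs over firewall deny logs and flags flows that the lists above say must be allowed. The key=value log format and the sample lines are constructed assumptions; the Poly redirect server is given only as a hostname, so it is not matched here.

```python
import ipaddress
# Destinations and receiver ports from the lists above; None = all ports.
ALLOW = [
    ("Telavox network", "80.83.208.0/20", None),
    ("Gigaset redirect", "148.251.91.32/27", {80, 443}),
    ("Gigaset redirect", "148.251.246.96/27", {80, 443}),
    ("Gigaset redirect", "148.251.243.128/27", {80, 443}),
    ("Yealink redirect", "52.29.124.181/32", {443}),
    ("Yealink redirect", "3.124.165.251/32", {443}),
    ("Snom redirect", "52.28.89.237/32", {80, 443}),
    ("Grandstream redirect", "52.221.130.73/32", {443}),
    ("Akuvox redirect", "161.117.206.232/32", {80, 443, 8080}),
    ("Fanvil redirect", "119.28.67.228/32", {80, 443}),
]
RULES = [(name, ipaddress.ip_network(net), ports) for name, net, ports in ALLOW]

def match(dst_ip, dst_port):
    """Return the name of the listed service a destination belongs to, or None."""
    addr = ipaddress.ip_address(dst_ip)
    for name, net, ports in RULES:
        if addr in net and (ports is None or dst_port in ports):
            return name
    return None

def blocked_required(log_lines):
    """Yield (line, service) for denied flows the lists above say must pass."""
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("action") != "DENY":
            continue
        try:
            service = match(fields["dst"], int(fields["dport"]))
        except (KeyError, ValueError):
            continue  # malformed or incomplete line: skip rather than guess
        if service:
            yield line, service

# Constructed sample firewall log (hypothetical key=value format).
SAMPLE_LOG = [
    "action=DENY proto=udp src=10.0.0.21 dst=80.83.210.5 dport=5060",
    "action=DENY proto=tcp src=10.0.0.21 dst=148.251.91.40 dport=443",
    "action=DENY proto=tcp src=10.0.0.21 dst=148.251.91.40 dport=22",
    "action=ALLOW proto=udp src=10.0.0.21 dst=80.83.223.254 dport=12480",
    "action=DENY proto=tcp src=10.0.0.30 dst=203.0.113.9 dport=443",
    "action=DENY proto=tcp dst=not-an-ip dport=443",
]

if __name__ == "__main__":
    print(*(f"{s}: {l}" for l, s in blocked_required(SAMPLE_LOG)), sep="\n")
```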
Protocol
Below are the protocols used by equipment supplied by Telavox, as well as a description of their function. Different terminal types can use different protocols.
Telavox does not recommend blocking traffic to and from terminals based on ports and/or protocols, and instead recommends trusting all traffic to and from Telavox networks. Telavox also does not undertake to use only the protocols below in the future, so restricting permitted traffic through firewalls based on the list below risks affecting delivered services if the specification changes. Note that the ports listed are in all cases receiver ports; as a rule rather than the exception, the equipment uses randomly selected sender ports.
HTTPS
Hyper Text Transfer Protocol over Secure Socket Layer, RFC2818, TCP port 443. Used to download terminal configuration and software.
SNTP / NTP
Simple Network Time Protocol, RFC1305 / RFC1361, UDP port 123. Used to set the time/clock in the terminal.
SIP
Session Initiation Protocol, RFC3261, UDP port 5060. Used to set up and tear down calls. SIP traffic runs between our SIP server and the phone. This is by far the most important protocol for your telephony to work.
SIP-TLS (Secure SIP)
Session Initiation Protocol over Transport Layer Security, RFC 3261, TCP 5061. SIP over TLS is used for encrypted SIP signaling. This means that SIP messages are sent over TLS (Transport Layer Security). This is more secure than the regular SIP port 5060, which uses UDP/TCP without encryption.
RTP
Real-Time Transfer Protocol, RFC1889, UDP port 1024-65535. The audio stream between the terminal and the phone during a call flows as RTP. The port used is randomized when a call is initiated. All terminals supplied by Telavox use symmetrical RTP, which means that the receiver and sender port for the RTP stream are the same for both incoming and outgoing audio streams. This means that the audio stream that goes from the terminal to us opens the session in the firewall to allow an incoming voice stream over the same session.
SRTP
Secure Real-Time Transfer Protocol. The call is still transported over UDP, but both parties exchange keys during the connection in the SIP dialogue to enable encryption.
RTCP
Real-Time Control Protocol, RFC3550, UDP port 1024-65535. Some terminals generate RTCP packets that are used in communication between RTP endpoints to convey local statistics and call data, such as information about jitter and any packet losses. This is selected as the RTP port + 1, i.e., if the RTP stream passes port 12480, RTCP will use UDP port 12481.
WSS web socket
WSS is used by our softphone "Telavox desktop" and uses port 8443 towards "push servers" and port 443 for SIP.