📄 Firewall Configuration for Cloud One SIP Trunks

Do I need to configure my on-premise firewall for Cloud One SIP Trunks?

Yes. The customer is responsible for the firewall and quality of service (QoS) configuration at the customer site, as per the router or firewall vendor's recommendations.

The following recommendations are guidelines for configuring your router or firewall for Cloud One SIP Trunks:

  1. Use multiple reliable DNS servers in your networks, i.e. 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4
  2. The Cloud One Voice Switch signaling & media server hosts are cs01.cloudone.co.ke or ls02.cloudone.co.ke, with UDP port 5060 for signaling
  3. Give priority to voice packets on your network using the DSCP tag with the value 46 (EF 101110).
  4. Whitelist Cloud One Voice Switch signal & media server host on your firewall
  5. Prioritise VoIP packets (ports as per your IP PBX vendor's requirements) & reserve 128 kbps (High Definition Voice) for each voice channel to Cloud One Voice Switch for QoS

    1. TCP/UDP 5060: SIP registration for VoIP providers/devices.
    2. TCP 5061: Secure SIP (TLS)
    3. RTP (Voice/Media stream)

      1. UDP 10000-12000 - Cloud One Business Communication Suite
      2. UDP 9000-10999 - 3CX
  6. Disable SIP ALG on your firewall - This is mandatory
  7. Multiple ISP Connections MUST be configured correctly to handle VoIP connectivity

    1. Use failover for VoIP packets instead of load balancing to connect to Cloud One Voice Switch
    2. Use manual outbound NAT for each ISP connection
  8. The firewall should be in conservative mode to preserve VoIP session states
  9. A static IP or a Dynamic DNS service is mandatory for your ISP connection for whitelisting on our Cloud One central firewall
  10. Configure SIP & RTP port forwarding & inbound NAT for each ISP connection from our Voice Switch host to your IP PBX local IP for a peer-based SIP trunk
  11. It is mandatory to inform Cloud One every time you have a new or changed ISP static public IP or DDNS hostname, for whitelisting on Cloud One's central firewall. Failure to inform Cloud One will result in your connection getting blacklisted on our network & the service becoming unavailable.
  12. Whitelist Cloud One Remote Management Host on your firewall for Cloud One SIP Trunk remote support or paid support tickets

    1. saachi.cloudone.co
    2. remote.cloudone.co
    3. mgmt.cloudone.co
  13. Configure remote management port forwarding for each ISP connection from Cloud One Remote Management Host to IP PBX Local IP.
  14. There are instances where you do not have access to your firewall. Contact your ISP, managed firewall service provider or firewall vendor for assistance:
    • ISP is managing your firewall
    • You have a managed firewall service from a 3rd party
    • Lost admin access to your firewall
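
The port-forwarding guidelines (items 2, 5 and 10) can be checked against an exported rule list. The sketch below is an added example, not Cloud One's tooling; the rule format, the IP addresses and the `audit` helper are constructed for illustration. It flags SIP/RTP forwards that are not restricted to the Voice Switch and ISP links that lack a required forward.

```python
import ipaddress

# Ports from the guideline list: UDP 5060 signaling plus the RTP range per PBX.
SIP = ("udp", 5060, 5060)
RTP = {"cloudone": ("udp", 10000, 12000), "3cx": ("udp", 9000, 10999)}

def audit(rules, voice_switch_ips, wans, pbx_ip, pbx="cloudone"):
    """Check inbound NAT rules: VoIP ports only from the Voice Switch, on every ISP link."""
    allowed = [ipaddress.ip_network(ip) for ip in voice_switch_ips]
    required = [SIP, RTP[pbx]]
    findings = []
    for r in rules:
        # Does this rule touch a SIP or RTP port at all?
        voip = any(r["proto"] == p and r["lo"] <= hi and lo <= r["hi"]
                   for p, lo, hi in required)
        src = ipaddress.ip_network(r["src"])
        if voip and not any(src.subnet_of(net) for net in allowed):
            findings.append(f"{r['wan']}: {r['proto']}/{r['lo']}-{r['hi']} "
                            f"open to {r['src']}, not only the Voice Switch")
    for wan in wans:
        for p, lo, hi in required:
            # Simplification: one rule must cover the whole required range.
            if not any(r["wan"] == wan and r["proto"] == p and r["dst"] == pbx_ip
                       and r["lo"] <= lo and hi <= r["hi"] for r in rules):
                findings.append(f"{wan}: no forward for {p}/{lo}-{hi} to {pbx_ip}")
    return findings

# Constructed sample data: documentation-range addresses, not Cloud One's real IPs.
# In practice, use the addresses that cs01/ls02.cloudone.co.ke resolve to.
VOICE_SWITCH_IPS = ["203.0.113.10", "203.0.113.20"]
PBX_IP = "192.168.1.10"
RULES = [
    {"wan": "isp1", "proto": "udp", "lo": 5060, "hi": 5060,
     "src": "203.0.113.10", "dst": PBX_IP},
    {"wan": "isp1", "proto": "udp", "lo": 10000, "hi": 12000,
     "src": "203.0.113.10", "dst": PBX_IP},
    {"wan": "isp2", "proto": "udp", "lo": 5060, "hi": 5060,
     "src": "0.0.0.0/0", "dst": PBX_IP},  # forwarded from any source
]

if __name__ == "__main__":
    for line in audit(RULES, VOICE_SWITCH_IPS, ["isp1", "isp2"], PBX_IP):
        print(line)
```
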

If you are unable to configure your firewall according to the above guidelines, your voice connection will not be optimised & voice quality will be affected.

Firewall configuration is a chargeable support service & will be quoted separately depending on the firewall. We will require admin access to the firewall.