Firewall Configuration



Do I need to configure my on-premise firewall for Cloud One SIP Trunks?

Yes. The customer is responsible for firewall & quality of service (QoS) configuration at the customer site, as per the router or firewall vendor's recommendations.

The following recommendations are guidelines for your router or firewall for Cloud One SIP Trunks:

  1. Use multiple reliable DNS servers in your networks, e.g. 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4
  2. The Cloud One Voice Switch signal & media server host is cs01.cloudone.co.ke or ls02.cloudone.co.ke, with UDP port 5060 for signaling
  3. Whitelist the Cloud One Voice Switch signal & media server host on your firewall
  4. Prioritise VoIP packets (SIP UDP port 5060 & RTP UDP ports as per your IP PBX vendor requirements) & reserve 128 kbps (High Definition Voice) for each voice channel to the Cloud One Voice Switch for QoS
  5. Disable SIP ALG on your firewall - This is mandatory
  6. Multiple ISP Connections should be configured correctly to handle VoIP connectivity
    1. Use failover for VoIP packets instead of load balancing to connect to Cloud One Voice Switch
    2. Use manual outbound NAT for each ISP connection
  7. Firewall should be in conservative mode to preserve VoIP session states
  8. Static IP or a Dynamic DNS Service is mandatory for your ISP Connection for whitelisting on our Cloud One central firewall
  9. Configure SIP & RTP port forwarding & inbound NAT for each ISP connection from our Voice Switch host to your IP PBX Local IP for a Peer based SIP Trunk
  10. It is mandatory to inform Cloud One every time your ISP static public IP or DDNS hostname is new or changes, for whitelisting on Cloud One's central firewall. Failure to inform Cloud One will result in your connection getting blacklisted on our network & service becoming unavailable.
  11. Whitelist Cloud One Remote Management Host on your firewall for Cloud One SIP Trunk remote support or paid support tickets
    1. saachi.cloudone.co
    2. remote.cloudone.co
    3. mgmt.cloudone.co
  12. Configure remote management port forwarding for each ISP connection from Cloud One Remote Management Host to IP PBX Local IP.
  13. There are instances where you do not have access to your firewall. In these cases, contact your ISP, managed firewall service provider or firewall vendor for assistance:
    • ISP is managing your firewall
    • You have a managed firewall service from a 3rd party
    • Lost admin access to your firewall
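
The whitelisting and source-restricted port forwarding in items 3 and 9, as an added example that is not Cloud One's own configuration: a generator for an nftables ruleset that forwards SIP and RTP to the IP PBX only when the source is a Voice Switch address. It assumes a Linux/nftables firewall; the resolved addresses (RFC 5737), the PBX address, the RTP range and the interface names are constructed placeholders.

```python
import ipaddress

# Hostnames are from the page; the addresses are constructed (RFC 5737)
# stand-ins for what your resolver returns. Regenerate when they change.
PEERS = {"cs01.cloudone.co.ke": ["192.0.2.10"],
         "ls02.cloudone.co.ke": ["192.0.2.20"]}
PBX_IP = "10.0.0.5"         # assumption: IP PBX local address
RTP_RANGE = (10000, 20000)  # assumption: use the range your PBX vendor gives
WANS = ["wan0", "wan1"]     # assumption: one interface per ISP connection


def peer_addresses(peers):
    """Return sorted, validated single IPv4 addresses; reject anything broader."""
    addrs = set()
    for host, ips in peers.items():
        if not ips:
            raise ValueError(f"{host} did not resolve; refusing to build rules")
        for ip in ips:
            addr = ipaddress.IPv4Address(ip)  # raises on CIDR such as 0.0.0.0/0
            if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
                raise ValueError(f"{host} resolved to unusable address {addr}")
            addrs.add(addr)
    return [str(a) for a in sorted(addrs)]


def build_ruleset(peers, pbx_ip, rtp_range, wans):
    """Emit an nftables table that forwards SIP/RTP only from the peer set."""
    pbx = ipaddress.IPv4Address(pbx_ip)
    lo, hi = rtp_range
    if not 1024 <= lo <= hi <= 65535:
        raise ValueError("bad RTP port range")
    ports = f"{{ 5060, {lo}-{hi} }}"
    ifaces = ", ".join(f'"{w}"' for w in wans)
    return "\n".join([
        "table ip voip {",
        "  set sip_peers {",
        "    type ipv4_addr",
        f"    elements = {{ {', '.join(peer_addresses(peers))} }}",
        "  }",
        "  chain prerouting {",
        "    type nat hook prerouting priority dstnat; policy accept;",
        # One DNAT rule covering every ISP interface, matched on source.
        f"    iifname {{ {ifaces} }} ip saddr @sip_peers udp dport {ports} dnat to {pbx}",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority filter; policy accept;",
        # Drop WAN traffic to the PBX voice ports from any other source.
        f"    iifname {{ {ifaces} }} ip saddr != @sip_peers ip daddr {pbx} udp dport {ports} drop",
        "  }",
        "}"])


if __name__ == "__main__":
    print(build_ruleset(PEERS, PBX_IP, RTP_RANGE, WANS))
```

Write the output to a file and validate it with `nft -c -f` before loading it; because the set holds resolved addresses rather than hostnames, it has to be rebuilt whenever the provider's DNS records change.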

If you are unable to configure your firewall with the above guidelines, your voice connection will not be optimised & voice quality will be affected.

Firewall configuration service is a chargeable support service & will be quoted separately depending on the firewall. We will require admin access to the firewall.


Do I need to configure my on-premise firewall for Cloud One hosted phone system?

Yes. The customer is responsible for voice optimised firewall & QoS configuration at the customer site, as per the router or firewall vendor's recommendations.

The following recommendations are guidelines for your router or firewall for the hosted phone system.

  1. Use multiple reliable DNS servers in your networks, e.g. 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4
  2. To ensure quality of service - Prioritise voice packets (SIP, Tunnel & RTP ports) & reserve 128 kbps for each user to your phone system host FQDN, i.e. customer.cloudone.co.ke or customer.3cx.uk
  3. Whitelist the phone system host on your firewall
  4. Disable SIP ALG on your firewall
  5. Multiple ISP Connections should be configured correctly to handle VoIP connectivity
    1. Use failover instead of load balancing to connect to your phone system host
    2. Use Manual outbound NAT
  6. Firewall should be in conservative mode to preserve VoIP session states
  7. If you are connecting your telephone lines using a VoIP Gateway at your premises, you will also need to do the following:
    1. This setup requires a static IP from your ISP or a subscription to a Dynamic DNS Service for all your ISP connections
    2. Configure SIP & RTP port forwarding & inbound NAT for each ISP connection from your phone system host to VoIP Gateway Local IP
    3. It is mandatory to inform Cloud One every time your ISP static public IP or DDNS hostname is new or changes, for whitelisting on Cloud One's central firewall & phone system host. Failure to inform Cloud One may result in your connection getting blacklisted on our network & service becoming unavailable.
    4. To ensure quality of service for your telephone lines - Prioritise voice packets (both SIP & RTP) & reserve 128 kbps for each line in both directions: phone system host to VoIP Gateway Local IP & VoIP Gateway Local IP to phone system host
    5. If you are using a VoIP GSM Gateway, ensure it is installed where there is maximum signal reception from the mobile operator. Bad signal reception will result in bad quality telephone line connections. You can improve signal reception by installing an external GSM antenna for the GSM line
  8. 3rd Party SIP Trunk Support or paid support tickets require the below configuration on your firewall
    1. Whitelist Cloud One Remote Management Host on your firewall.
      • saachi.cloudone.co
      • mgmt.cloudone.co
      • remote.cloudone.co
    2. Configure remote management port forwarding for each ISP connection from Cloud One Remote Management Host to VoIP Gateway Local IP

There are instances where you do not have access to your firewall.

In these cases, contact your ISP, managed firewall service provider or firewall vendor for assistance:

  • ISP is managing your firewall
  • You have a managed firewall service from a 3rd party
  • Lost admin access to your firewall

If you are unable to configure your firewall with the above guidelines, your voice connection will not be optimised & voice quality will be affected.

Firewall configuration service is a chargeable support service & will be quoted separately depending on the firewall. We will require admin access to the firewall.