Configuring your firewall or ACL to whitelist Control Networks
The Control Networks network operates across multiple IP ranges, which you may need to whitelist on your firewall ACL to ensure proper operation of your service.
Multiple IP addresses and origins:
Our network is configured as a complex call distribution fabric, which includes multiple points of load balancing, SIP proxies and media servers (RTP handlers).
On our network, it’s important to be aware that:
- The IP addresses used by particular endpoints may change from time to time
- Different devices, even on the same account, may resolve a different IP address for the same service
- Calls (both SIP and RTP) originating from the Control Networks network to your devices may originate from multiple or mixed IP addresses
- SIP “INVITE” packets can result in devices sending RTP packets to a different IP address (Media Server)
For these reasons, it’s important that when configuring your ACLs, you include the entirety of our subnets, and not just the individual IP that an endpoint may resolve to at the time of setup.
This includes the configuration on your firewall, as well as any IP address restriction configurations on your devices.
IP Address Ranges:
Please ensure the following subnets are whitelisted:
We recommend adding these to a blanket whitelist, ensuring that all of your SIP devices (including any on-premise PBXs or handsets) can access any IP on the Control Networks network.
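The following Python check is an added example, not code from Control Networks: it compares a firewall allow-list against the provider's subnets and reports any part of a subnet left uncovered, along with single-host entries pinned inside those ranges. The subnets are constructed placeholders taken from documentation ranges, and the function name `audit_acl` is hypothetical.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation blocks), not the
# provider's real subnets; substitute the published list.
PROVIDER_SUBNETS = ["192.0.2.0/24", "198.51.100.0/25"]


def audit_acl(provider_subnets, acl_entries):
    """Return (uncovered, pinned) as lists of CIDR strings.

    uncovered: provider address space that no ACL entry allows.
    pinned: single-host ACL entries that sit inside a provider subnet.
    """
    provider = [ipaddress.ip_network(s) for s in provider_subnets]
    acl = [ipaddress.ip_network(e, strict=False) for e in acl_entries]
    uncovered, pinned = [], []
    for net in provider:
        same_family = [a for a in acl if a.version == net.version]
        remaining = [net]
        for allow in same_family:
            still_open = []
            for r in remaining:
                if r.subnet_of(allow):
                    continue  # this piece is fully allowed
                if allow.subnet_of(r):
                    # Entry allows only part of the piece: keep the rest open.
                    still_open.extend(r.address_exclude(allow))
                else:
                    still_open.append(r)  # disjoint, nothing allowed here
            remaining = still_open
        uncovered += [str(n) for n in ipaddress.collapse_addresses(remaining)]
        pinned += [str(a) for a in same_family
                   if a.prefixlen == a.max_prefixlen and a.subnet_of(net)
                   and str(a) not in pinned]
    return uncovered, pinned


if __name__ == "__main__":
    # Constructed ACL: one subnet pinned to a single resolved IP, one covered.
    gaps, hosts = audit_acl(PROVIDER_SUBNETS, ["192.0.2.10", "198.51.100.0/24"])
    print("Uncovered provider ranges:", gaps)
    print("Single-host entries inside provider ranges:", hosts)
```

An empty `uncovered` list means every address in the listed subnets is allowed; any entry in `pinned` is an ACL rule that matches only the IP an endpoint happened to resolve to at setup time.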
Referring to IP addresses in device configuration:
We do not recommend or support using IP addresses in your configuration. Doing so may work in the short term, but you may encounter issues if our infrastructure changes in the future. A notification will always be sent out when decommissioning an IP address.
For a reliable and supported connection configuration, you must use the DNS hostname as specified in the configuration guide for your device and service.
Firewall Port Forwarding:
Note that we do NOT recommend forwarding ports from your firewall to your VoIP devices. This can create security risks, and is generally unnecessary.
Our network has inherent NAT traversal handling, so under normal circumstances there is no need to forward any ports.