Prerequisites from Client Site - Office Network
Firewall Requirements:
WebRTC:
WebRTC information below will be used for WebRTC Login and RTP Audio for the agents and
supervisors. This enables the SIP Softphone portion of the client.
Destination IP Addresses to be whitelisted
169.62.81.186
169.62.101.69
Ports
442 TCP – WebRTC
40000 - 60000 UDP – RTP for Audio over WebRTC
Sites
cxhub.pressone.net
Web Portal:
Web Portal access from the customer site (Agent Network) to the server side requires the
following domain to be added to your AllowList. This domain will allow access to CNAMEs for
the below applications. If your firewall is unable to add a CNAME to the AllowList, we have
attached a TXT file to this document with the list of IPs that traffic could be coming from.
Destinations to be whitelisted
cxhub.pressone.net
*.cxhub.pressone.net
Ports
TCP - 80
TCP - 443
TCP - 9797
Purpose
1. Agent Login
2. Live Dashboard
3. Historical Reports
4. Configuration Portal Access
5. API
Network Requirements: All VoIP
Packet Inspection:
All traffic to and from these VoIP systems and clients must be allowed and
unmodified. This includes both hosting and client sites. Many firewalls have features that
inspect, filter, or otherwise alter packets passing through for security purposes. All of
these features must be disabled for the VoIP services provided to function
correctly, especially when relating to SIP, H323, or H225. These features can have
different names depending on the firewall manufacturer. Below is a list of some of the
names from popular manufacturers:
- Application-Level Gateway
- ALG
- Application Layer Gateway
- Application Gateway
- Application Proxy
- Application-Level Proxy
- Firewall Proxy
- Inspection
- Application Control
- Web Filtering (ESP Streaming Media)
- Deep Packet Inspection
- Session Helper
Outbound Traffic:
All traffic from the client (IP phone, soft-phone, smart-phone) to the server(s) is defined
as outbound traffic. If outbound port filtering/whitelisting is a requirement of your
organization, the outbound traffic will match the port definitions specified and will only
need to be allowed to the destination server(s). See related requirement documents for a
list of ports.
It is assumed that the local firewall or router allows all outbound traffic from the office or
home network to pass through and allows all symmetric traffic. That is, if the phone sends
RTP/RTCP to a public IP address and port, it will be able to receive RTP/RTCP from that
same IP address and port. If this is not the case, any configuration required of the user's
router to support that is not covered by this documentation.
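
The WebRTC destinations and ports listed above can be checked against an exported outbound rule set before go-live. The following is an added example, not part of the original document or the vendor's tooling: it reports required flows that no rule allows and VoIP-port rules whose destination is wider than the listed servers. The rule dictionary layout and the sample rules are constructed assumptions.

```python
import ipaddress

# Values from the WebRTC section of this document.
WEBRTC_HOSTS = ["169.62.81.186", "169.62.101.69"]
REQUIRED = [("tcp", 442, 442), ("udp", 40000, 60000)]

# Constructed sample of outbound allow rules; the dict layout is hypothetical,
# standing in for whatever your firewall exports.
SAMPLE_RULES = [
    {"name": "voip-signal", "proto": "tcp", "dst": "169.62.81.186/32", "ports": (442, 442)},
    {"name": "voip-signal-2", "proto": "tcp", "dst": "169.62.101.69/32", "ports": (442, 442)},
    {"name": "voip-rtp", "proto": "udp", "dst": "169.62.81.186/32", "ports": (40000, 60000)},
    {"name": "legacy-rtp", "proto": "udp", "dst": "0.0.0.0/0", "ports": (40000, 50000)},
]


def covers(rule, proto, lo, hi, host):
    """True if this one rule allows proto on ports lo-hi to host."""
    r_lo, r_hi = rule["ports"]
    return (rule["proto"] == proto
            and r_lo <= lo and hi <= r_hi
            and ipaddress.ip_address(host) in ipaddress.ip_network(rule["dst"]))


def audit(rules):
    """Return (missing required flows, names of rules wider than the listed servers)."""
    # Assumption: each required flow must be satisfied by a single rule.
    missing = [(p, lo, hi, h) for p, lo, hi in REQUIRED for h in WEBRTC_HOSTS
               if not any(covers(r, p, lo, hi, h) for r in rules)]
    hosts = {ipaddress.ip_address(h) for h in WEBRTC_HOSTS}
    too_broad = []
    for r in rules:
        net = ipaddress.ip_network(r["dst"])
        # Does the rule overlap any required protocol/port range?
        touches = any(r["proto"] == p and r["ports"][0] <= hi and lo <= r["ports"][1]
                      for p, lo, hi in REQUIRED)
        if touches and (net.num_addresses > 1 or net.network_address not in hosts):
            too_broad.append(r["name"])
    return missing, too_broad


if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES)
    print("missing:", missing)
    print("too broad:", too_broad)
```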
Multi-WAN / SD-WAN:
When using multiple external circuits, all traffic from the client must originate from the
same IP address. If any of the traffic from the client starts originating from another
external IP address, the voice services will behave unexpectedly or will not work at all.
In the event of a fail-over (primary circuit goes down and traffic must come from a backup
circuit for a time), clients will need to re-register to the server from the new IP address to
regain functionality, depending on the solution. For phones, this can be accomplished via
a reboot. In these situations, failing back to the primary will also require re-registering
due to the IP change.