Configuring your firewall for Hosted VoIP service

A firewall is an appliance that controls incoming and outgoing network traffic based on an applied rule set, establishing a barrier between a trusted, secure LAN and/or WAN and the Internet, which is neither secure nor trusted.

CenturyLink recommends a LAN architecture in which the voice traffic bypasses the firewall, as shown below:

If a firewall feature is configured, it must allow the following traffic to pass. The IP address of the CenturyLink session border controller (SBC) varies and can be provided by the CenturyLink provisioner working the order.

The following must be allowed between all Hosted VoIP phones and the CenturyLink SBC (in both directions):

  • Allow TCP/UDP ports 5060, 5061, and 5068 (for SIP)
  • Allow UDP ports 8500–59999 (for RTP)¹
  • Allow UDP port 123 (for NTP)
  • Allow TCP port 80 (for HTTP)
  • Allow TCP port 2208 (for HTTP: Business Communicator)
  • Allow TCP ports 443–450 (for HTTP)

1. Some firewalls dynamically open and close UDP ports for RTP and control signaling as required, and do not need the entire range of UDP ports for RTP to be open all the time. If the firewall is configured to build dynamic lists based on traffic that originated inside the firewall, then it is not necessary to perform any configuration on the firewall.
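
As an added example (not CenturyLink's own configuration), the shell function below renders the port list above as an `iptables-restore` fragment for a Linux firewall forwarding between the phone subnet and the SBC, with every rule pinned to that address pair. It assumes the listed ports are destination ports; the `VOIP` chain name and the addresses in the comments are placeholders from documentation ranges.

```shell
#!/bin/sh
# Added example: emit an iptables-restore fragment for the Hosted VoIP allow-list.
# Usage: voip_rules <SBC address> <phone subnet>
#   e.g. voip_rules 192.0.2.10 10.20.0.0/24   (placeholder values, not real SBC addresses)

voip_rules() {
    sbc=$1
    phones=$2
    # Refuse a missing or wildcard peer: the wide RTP range is only
    # acceptable when it is limited to the provisioned SBC address.
    case "$sbc" in
        ''|any|0.0.0.0*) echo "voip_rules: a specific SBC address is required" >&2; return 1 ;;
    esac
    [ -n "$phones" ] || { echo "voip_rules: phone subnet is required" >&2; return 1; }

    echo '*filter'
    echo ':VOIP - [0:0]'
    # Only phone <-> SBC traffic ever reaches the VOIP chain (both directions).
    echo "-A FORWARD -s $phones -d $sbc -j VOIP"
    echo "-A FORWARD -s $sbc -d $phones -j VOIP"
    # Stateful handling from footnote 1: replies to tracked flows pass.
    echo '-A VOIP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # SIP over TCP and UDP
    for proto in tcp udp; do
        echo "-A VOIP -p $proto -m multiport --dports 5060,5061,5068 -j ACCEPT"
    done
    # RTP media range
    echo '-A VOIP -p udp --dport 8500:59999 -j ACCEPT'
    # NTP
    echo '-A VOIP -p udp --dport 123 -j ACCEPT'
    # HTTP, Business Communicator, and the 443-450 range
    echo '-A VOIP -p tcp -m multiport --dports 80,2208,443:450 -j ACCEPT'
    # Anything else between phones and SBC falls back to the existing policy.
    echo '-A VOIP -j RETURN'
    echo 'COMMIT'
}

# When run as a script with two arguments, print the fragment.
if [ "$#" -eq 2 ]; then
    voip_rules "$1" "$2"
fi
```

Load the output with `iptables-restore --noflush` so existing rules are kept. The `FORWARD` jumps are appended, so they have no effect if an earlier rule already drops the traffic.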