Although PortaSwitch servers are based on the Oracle Linux OS which is designed for high security, it is still reasonable to consider external firewall for better system protection. If you want to position servers behind the firewall for some reason (e.g., your corporate network security policy demands this) follow the recommendations below.
General configuration advice
- We suggest positioning all PortaSwitch servers into a dedicated network segment.
- Interaction between PortaSwitch servers via a private network interface must not be blocked by a firewall.
- Whatever configuration your private LAN segment has, internal communication between servers (via TCP port 22, etc.) must always be granted.
- Do not configure a firewall between nodes of the cluster (e.g., PortaSIP cluster, etc.).
- For PortaSwitch sites that span across geographically dispersed locations, all PortaSwitch servers must be connected via virtual or physical) Layer 2 connection(s) and all PortaSwitch servers should be configured as hosts within a single virtual (or physical) private network.
Ports to be opened
Logical components (e.g., Admin, Billing, Master DB, Replica DB, PortaSIP) are installed and operating on some hosts. This requires particular ports to be kept open on these hosts, depending on which components are running on each of them. To find out which open ports are required by each component, see the table below:
Ports to be opened |
Description |
---|---|
All servers: public interface |
|
TCP 22 |
This is used for server administration via SSH. |
Configuration server: private interface |
|
TCP/UDP 5667 5668 |
This is required for NSCA to collect monitoring statistics from the servers and send them to the Configuration server in passive mode. |
TCP 80 |
This is used for downloading custom patches during the update process and must be kept open permanently. |
Configuration server: public interface |
|
TCP 8700 |
This is required for access to the Configuration server and the monitoring system web interface (via a separate link on the Configuration server). |
TCP 80 |
This is required to sign auto generated certificates by LetsEncrypt certification authority (to pass LetsEncrypt HTTP-01 challenge). |
TCP 9443 |
This is required for accessing the Portainer web interface where you can manage available containerized applications. |
TCP 3005 |
This is required for accessing the Billing Admin Logs UI application where you can view the logs of periodic tasks such as invoice calculation, taxation, periodic payments, and scheduled reports. |
Web (admin) server: public interface |
|
TCP 25 |
This is used for uploading tariffs via email. |
TCP 80 |
This is used for UA provisioning. |
UDP 69 |
This is required by the TFTP service. |
TCP 443 |
This is required for access to the admin interface. |
TCP 8442 TCP 8443 TCP 8444 TCP 8445 TCP 8446 TCP 8447 TCP 8448 |
This is required for access to the self-care web interfaces:
|
TCP 8449 |
This is required for access to the WiMax session status page. |
TCP 8600 TCP 8601 |
This is required for access to web signup pages:
|
TCP 8901 TCP 8903-8904 |
This is required to access callback services:
|
TCP 8943 |
This is used to access webmail. |
Web (admin) server: private interface |
|
TCP 2224 TCP 3121 UDP 5404 UDP 5405 |
This is used by the corosync service for internal communication among cluster nodes. |
RADIUS (billing) server: public interface |
|
UDP 1812 UDP 1813 |
This is used to serve RADIUS requests from RADIUS clients, such as PortaSIP nodes and web server (required for the Test DialPlan feature):
|
TCP 3868 |
This is used to serve DIAMETER requests (optional). |
UDP 5060 |
This is used to accept SIP requests and responses from the SIP nodes. |
PortaSIP dispatching SBC: public interface |
|
UDP 5060 |
This is used to accept SIP requests and responses from the SIP nodes. |
TCP 5061 |
This is required for SIP over TCP support |
TCP 5051 |
This is required for SIP over TLS support. Disabled by default. |
TCP 9442 TCP 9443 TCP 9444 TCP 9445 TCP 9446 TCP 9447 TCP 9448 TCP 9449 |
This is required for Dual Version PortaSwitch deployment to access the self-care web interfaces:
|
TCP 9600 TCP 9601 |
This is required for Dual Version PortaSwitch deployment to access web signup pages:
|
PortaSIP dispatching node: virtual IP address |
|
UDP 5060 |
This is used to accept SIP requests and responses from the SIP nodes. |
TCP 5060 |
This is required for SIP over TCP support. |
UDP 5070 |
This is used by Limit Controller to accept SIP requests and responses from the SIP nodes. |
TCP (TLS) 5051 |
This is required for SIP over TLS support. Disabled by default. |
SMPP 2775 |
This is required to accept and send SMPP messages. |
TCP 8101 |
This is required for the SMTP transport. |
TCP 8081 |
This is required for the IMAP transport. |
TCP 8091 |
This is required for the IMAPS transport. |
PortaSIP dispatching node: private interface |
|
TCP 2224 TCP 3121 UDP 5404 UDP 5405 |
This is used by the corosync service for internal communication among cluster nodes. |
PortaSIP processing node: public interface |
|
UDP 35000–65000 |
This is used for RTP proxying. |
MySQL (Master DB, Replica DB) servers: can be configured to use either private or public interfaces |
|
TCP 3306 TCP 3307 |
This is used to serve database requests from the billing server, web server and PortaSIP servers:
|
Oracle DB servers: can be configured to use either private or public interfaces |
|
TCP 9521 |
This is used to serve database requests from the billing server, web server and PortaSIP servers. |
TCP 1158 |
This is used for Oracle Enterprise Manager access. |
OCS server: public interface |
|
UDP 1812 UDP 1813 |
This is used to serve RADIUS requests from RADIUS clients, such as PortaSIP nodes and web server (required for the Test DialPlan feature):
|
TCP 3868 |
This is used to serve DIAMETER requests (optional). |
UDP 5060 |
This is used to accept SIP requests and responses from the SIP nodes. |
OCS server: private interface |
|
TCP 2224 TCP 3121 UDP 5404 UDP 5405 |
This is used by the corosync service for internal communication among cluster nodes. Must be opened if you deploy Diameter cluster. |
CQTracker node: private interface (no more than one per cluster, IP can be combined with any other node) |
|
TCP 17160 |
This is used for PortaAdmin requests for getting finished call data. |
TCP 17161 |
This is used for incoming HEP messages encapsulating RTP, RTCP, and RFC6035 messages. |
TCP 17162 |
This is used for interaction with B2BUA processes and other CQTs. |
These are default ports that can be changed using the Configuration server WI. Please note that this list may be extended in the future.
Outgoing connections
All servers must be granted permanent access to the following PortaOne servers in order to ensure that services function correctly:
Server |
Protocol |
Port |
---|---|---|
license1.portaone.com |
TCP |
443 |
license2.portaone.com |
TCP |
443 |
For your servers’ health monitoring purposes, the Configuration server must be granted access to the PortaOne monitoring servers:
Server |
Protocol |
Port |
---|---|---|
monitor1.portaone.com |
TCP/UDP |
5667, 5668 |
monitor2.portaone.com |
TCP/UDP |
5667, 5668 |
In order to send the new configuration to the monitoring servers, the Configuration server must be granted access to:
Server |
Protocol |
Port |
---|---|---|
monitor1.portaone.com |
TCP |
443 |
monitor2.portaone.com |
TCP |
443 |
For performing updates to newer releases and for troubleshooting purposes, all servers must be granted access to:
Server |
Protocol |
Port |
---|---|---|
packages.portaone.com |
TCP |
80, 443 |
git.portaone.com |
TCP |
29418 |
In order to automatically submit call logs to PortaOne’s support ticketing system grant access from your web server to the following:
Server |
Protocol |
Port |
---|---|---|
smtp-in.portaone.com (MX record for portaone.com) |
TCP |
25 |
Make sure that your servers are able to connect to any server from the pool of time servers for time synchronization. You can find the list of NTP pool time servers on the NTP site:
http://support.ntp.org/bin/view/Servers/NTPPoolServers
Port should be opened for NTP service on all servers of the installation:
Server |
Protocol |
Port |
---|---|---|
Any server from the pool of time servers for time synchronization |
UDP |
123 |
If you wish to use your own NTP server, please notify us and we’ll adjust the configuration of the NTP service.
The Docker container images are stored at registry.portaone.com. To launch the Docker services and container, grant access from all of your servers to the following:
Server |
Protocol |
Port |
---|---|---|
registry.portaone.com |
TCP |
443 |
git.portaone.com |
TCP |
29999 |
The Geo-IP database in your installation is regularly updated to ensure that the Geo-IP Fraud Prevention feature works correctly. Allow your RADIUS servers to establish connections to the MaxMind’s downloadable databases (updates.maxmind.com) via HTTP/HTTPS protocol. If you are running a firewall, geo-update requires that the DNS and HTTPS (443) ports be open.
Incoming connections
For troubleshooting purposes, allow incoming connections to your servers from the following PortaOne IP addresses:
- 217.182.15.214
- 217.182.15.215
- 217.182.15.216
- 34.209.225.48
- 52.209.93.49