OneCloud General Network Guidelines | OneCloud Support Portal
Purpose
This document describes how to configure your network for use with OneCloud Services. Firewall and network terminology varies between vendors, so some language used may not fit your exact configuration. This document does not cover the specifics of different firewall or switch vendors; if you need specific information regarding your firewall or switch, you can check our other knowledgebase articles for commonly used equipment. If you have any questions or need additional assistance, please open a ticket at https://support.onecloud.us for clarification.
Terms
IP Network Alias – A group of IP addresses referenced as a single object to keep firewall rules simpler.
Voice Network – The network used by the physical phones, analog adapters, and session border controllers.
Data Network – The internal LAN network(s) used by users to access OneCloud from their computer.
SIP ALG – An Application Layer Gateway used by many modems and firewalls to modify SIP packets, also known as “SIP Transformations”.
Hybrid ports – A switch port configured with a native VLAN that sends untagged traffic as well as tagged VLANs.
Double NAT – Occurs when two or more routers on a network are performing Network Address Translation (NAT).
Firewall
- It is recommended that an IP Network Alias be created with all OneCloud IP addresses and used for the firewall rules; however, port filtering is also acceptable. For a current list of the OneCloud IP addresses, please contact us at https://support.onecloud.us.
- The voice network should be configured so that the firewall does not modify the source port. This is generally called “Static port mapping” or “Consistent NAT”.
- All SIP ALG services should be disabled.
- UDP connection timeout or state timeout should be configured for greater than 1 minute.
- QoS should be configured to give priority to the phone traffic in the event of a saturated network. A good bandwidth assumption is 100Kbps per concurrent call, so if you expect to have 10 concurrent calls during the busiest time, then a reservation of 1000Kbps or 1Mbps should be set for the Voice Network.
- There should be no Double NAT.
Use the below tables for strict firewall policies on the voice network.
Ingress Traffic Allowed
This is traffic coming from the internet into your firewall. Because all registration is initiated from the device, these rules are generally not needed for a stateful firewall but may be needed for Intrusion Prevention Systems.
| Source IP | Source Port | Destination IP | Destination Port | Protocol | Description |
|---|---|---|---|---|---|
| OneCloud IP Addresses | 5060-5069 | Voice WAN | Any | UDP/TCP | SIP Signaling |
| OneCloud IP Addresses | 5090 | Voice WAN | Any | UDP/TCP | SIP Signaling |
| OneCloud IP Addresses | 80 | Voice and Data WAN | Any | TCP | HTTP |
| OneCloud IP Addresses | 443 | Voice and Data WAN | Any | TCP | HTTPS |
| OneCloud IP Addresses | 8001 | Voice and Data WAN | Any | TCP | WSS |
| OneCloud IP Addresses | 9002 | Voice and Data WAN | Any | TCP | WSS |
| OneCloud IP Addresses | 20000-29999 | Voice and Data WAN | Any | UDP | RTP |
| Any | 10000 | Voice and Data WAN | Any | UDP | Video Conference |
Egress Traffic Allowed
This is traffic coming from your local area network to the internet.
| Source IP | Source Port | Destination IP | Destination Port | Protocol | Description |
|---|---|---|---|---|---|
| Voice WAN | Any | OneCloud IP Addresses | 5060-5069 | UDP/TCP | SIP Signaling |
| Voice WAN | Any | OneCloud IP Addresses | 5090 | UDP/TCP | SIP Signaling |
| Voice and Data WAN | Any | OneCloud IP Addresses | 80 | TCP | HTTP |
| Voice and Data WAN | Any | OneCloud IP Addresses | 443 | TCP | HTTPS |
| Voice and Data WAN | Any | OneCloud IP Addresses | 8001 | TCP | WSS |
| Voice and Data WAN | Any | OneCloud IP Addresses | 9002 | TCP | WSS |
| Voice and Data WAN | Any | OneCloud IP Addresses | 20000-29999 | UDP | RTP |
| Voice and Data WAN | Any | Any | 10000 | UDP | Video Conference |
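One way to check an exported rule set against the egress table above, as an added example that is not OneCloud tooling. The alias uses the 192.0.2.0/24 documentation range as a placeholder for the real OneCloud addresses, and the rule names and sample export are constructed.

```python
import ipaddress

# Placeholder alias (RFC 5737 documentation range), not real OneCloud addresses.
ONECLOUD = [ipaddress.ip_network("192.0.2.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Egress table from this page: (destination, first port, last port, protocols, description)
TABLE = [
    (ONECLOUD, 5060, 5069, "udp tcp", "SIP Signaling"),
    (ONECLOUD, 5090, 5090, "udp tcp", "SIP Signaling"),
    (ONECLOUD, 80, 80, "tcp", "HTTP"),
    (ONECLOUD, 443, 443, "tcp", "HTTPS"),
    (ONECLOUD, 8001, 8001, "tcp", "WSS"),
    (ONECLOUD, 9002, 9002, "tcp", "WSS"),
    (ONECLOUD, 20000, 29999, "udp", "RTP"),
    (ANY, 10000, 10000, "udp", "Video Conference"),
]
# One entry per protocol so separate UDP and TCP firewall rules can be matched.
REQUIRED = [(n, lo, hi, p, d) for n, lo, hi, ps, d in TABLE for p in ps.split()]

def covers(outer, inner):
    """True if rule `outer` permits every flow that rule `inner` permits."""
    o_nets, o_lo, o_hi, o_proto, _ = outer
    i_nets, i_lo, i_hi, i_proto, _ = inner
    nets_ok = all(any(n.subnet_of(o) for o in o_nets) for n in i_nets)
    return nets_ok and o_proto == i_proto and o_lo <= i_lo and i_hi <= o_hi

def audit(rules):
    """Return (missing table entries, names of rules broader than the table)."""
    missing = [f"{d} {p}/{lo}-{hi}" for (n, lo, hi, p, d) in REQUIRED
               if not any(covers(r, (n, lo, hi, p, d)) for r in rules)]
    too_broad = [r[4] for r in rules if not any(covers(q, r) for q in REQUIRED)]
    return missing, too_broad

# Constructed export of a voice-network egress rule set (hypothetical rule names).
SAMPLE_RULES = [
    (ONECLOUD, 5060, 5069, "udp", "sip-udp"),
    (ONECLOUD, 5060, 5069, "tcp", "sip-tcp"),
    (ONECLOUD, 5090, 5090, "udp", "sip-5090-udp"),
    (ONECLOUD, 80, 80, "tcp", "http"),
    (ANY, 443, 443, "tcp", "https-anywhere"),
    (ONECLOUD, 8001, 8001, "tcp", "wss-8001"),
    (ONECLOUD, 20000, 29999, "udp", "rtp"),
    (ANY, 10000, 10000, "udp", "video"),
]

if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES)
    print("missing:", missing)
    print("too broad:", too_broad)
```

Each firewall rule is compared with one table row at a time, so a port range split across several rules is reported as missing even if the rules jointly cover it.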
Local Area Network
- All phones, Session Border Controllers, and other devices using SIP to communicate with OneCloud services should be configured on a separate VLAN or physical network from other applications. Except in a few use cases, there is no reason for the Voice network and the Data network(s) to be routable.
- Most modern switches have dedicated settings for a voice VLAN and we recommend using these settings for your phone network.
- We recommend the following DSCP policies be applied to the switches. We understand that settings vary based on switch manufacturer and model.
  - DSCP 46 should be the second highest policy
  - DSCP 34 should be the third highest policy
- We recommend using Auto-VoIP, LLDP, or similar features to force the VoIP phones to the voice network automatically. If those technologies are not available, a DHCP boot option will need to be added to the default VLAN DHCP server.
- DHCP option 66 may be needed to tell the phones where to provision. You can open a ticket with support@telware.com to get the specific string for your phone model and services.
- The passthrough port on the phones can be used to give computers access to the data network if the switches support hybrid ports with both tagged and untagged VLANs on the same port.