1. Configuration overview
These rules should be applied to the customer firewall for the PBX. Where inbound rules are listed, they must be NATed from the external IP address to the LAN IP address of the PBX.
Before you begin: Confirm the PBX LAN IP address and the external IP address that will be used for NAT. If you are unsure, contact Telappliant Support before applying the rules.
2. Outbound rules
Allow all outbound traffic from the LAN IP addresses of the PBX and phones.
| Direction | Source | Destination | Protocol | Port(s) | Action / NAT |
| --- | --- | --- | --- | --- | --- |
| Outbound | PBX and phone LAN IP addresses | Any external address | Any | Any | Allow |
3. Inbound rules
3.1 Remote access - onsite PBX only
Allow the following inbound rules for Telappliant remote access. These are required only for onsite PBX deployments.
| Direction | Source | Destination | Protocol | Port(s) | Action / NAT |
| --- | --- | --- | --- | --- | --- |
| Inbound | 77.240.62.171 | PBX LAN IP | TCP | 80 | NAT / Allow - Web access |
| Inbound | 77.240.62.171 | PBX LAN IP | TCP | 443 | NAT / Allow - Web access |
| Inbound | 77.240.62.171 | PBX LAN IP | TCP | 22 | NAT / Allow - SSH access |
| Inbound | 77.240.53.245 | PBX LAN IP | TCP | 80 | NAT / Allow - Web access |
| Inbound | 77.240.53.245 | PBX LAN IP | TCP | 443 | NAT / Allow - Web access |
| Inbound | 77.240.53.245 | PBX LAN IP | TCP | 22 | NAT / Allow - SSH access |
3.2 SIP trunk, NAT proxy and RTP media rules
Allow the following rules for SIP signalling, NAT proxy services and RTP media traffic. Where the firewall supports DNS or FQDN objects, also whitelist the NAT proxy domains and the customer-specific gateway registration domain.
| Service | Type | Address / Domain | Notes |
| --- | --- | --- | --- |
| VoIP gateway | IP range | 77.240.61.160/27 | |
| VoIP gateway | IP range | 77.240.56.32/27 | |
| SIP / NAT proxy | IP address/Domain | sipproxy.telappliant.com/185.158.58.194 | Whitelist where FQDN objects are supported |
| NAT proxy | IP address/Domain | nat.voiptalk.org/77.240.48.201 | Whitelist where FQDN objects are supported |
| NAT proxy | IP address/Domain | nat.draytel.org/185.158.58.201 | Whitelist where FQDN objects are supported |
Please allow both UDP and TCP traffic to the above IP addresses, IP ranges and domains on the following ports.
| Direction | Source | Destination | Protocol | Port(s) | Action / NAT |
| --- | --- | --- | --- | --- | --- |
| Inbound / Outbound | VoIP gateway ranges, NAT proxy IPs and NAT proxy domains | PBX/Phone LAN IP | TCP/UDP | 5060/5061 | Allow / NAT - SIP signalling |
| Inbound / Outbound | VoIP gateway ranges, NAT proxy IPs and NAT proxy domains | PBX/Phone LAN IP | UDP | 10000-40000 | Allow / NAT - RTP media |
Important: If the firewall supports FQDN objects, whitelist nat.voiptalk.org, nat.draytel.org and the domain used by the PBX to register against the gateway. RTP media may be presented from different endpoints depending on call routing; if audio issues occur, allow UDP ports 10000-40000 from any external address to the PBX.
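The rule tables in sections 2 and 3 are easier to verify before they are typed into a firewall if they are written down as an ordered, default-deny policy and test flows are run through it. The following Python script is an added example, not Telappliant configuration: it encodes the outbound, remote access, SIP and RTP rules above (using the addresses and ranges listed in sections 3.1 and 3.2) and evaluates candidate flows against them. The PBX address `192.0.2.10` and phone subnet `192.0.2.0/24` are constructed placeholders; the `rtp_any_source` switch models the "if audio issues occur" fallback from the note above so its effect can be seen before it is enabled.

```python
import ipaddress
from dataclasses import dataclass

# Customer-side addresses are placeholders constructed for this example;
# substitute the real PBX LAN IP and phone subnet.
PBX_LAN_IP = ipaddress.ip_network("192.0.2.10/32")
PHONE_LAN = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Telappliant addresses and ranges as listed in sections 3.1 and 3.2.
REMOTE_ACCESS = tuple(ipaddress.ip_network(a) for a in ("77.240.62.171/32", "77.240.53.245/32"))
VOIP_GATEWAYS = tuple(ipaddress.ip_network(a) for a in ("77.240.61.160/27", "77.240.56.32/27"))
NAT_PROXIES = tuple(ipaddress.ip_network(a) for a in
                    ("185.158.58.194/32", "77.240.48.201/32", "185.158.58.201/32"))

ANY_PORT = range(0, 65536)
SIP_PORTS = frozenset({5060, 5061})
RTP_PORTS = range(10000, 40001)   # 10000-40000 inclusive


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str       # "inbound" or "outbound"
    sources: tuple       # ip_network objects the source address must fall within
    destinations: tuple  # ip_network objects the destination address must fall within
    protocols: frozenset
    ports: object        # destination ports; any container supporting "in"
    nat: bool = False    # inbound rules are NATed from the external IP to the LAN IP


def build_policy(rtp_any_source=False):
    """Return the rules in evaluation order (first match wins, default deny).

    rtp_any_source=True applies the fallback from the 'Important' note:
    RTP from any external address, intended only if audio issues occur."""
    pbx_and_phones = (PBX_LAN_IP, PHONE_LAN)
    sip_peers = VOIP_GATEWAYS + NAT_PROXIES
    rtp_sources = (ANY,) if rtp_any_source else sip_peers
    tcp, udp, both = frozenset({"tcp"}), frozenset({"udp"}), frozenset({"tcp", "udp"})
    return [
        # Section 2: everything outbound from the PBX and phones.
        Rule("outbound-any", "outbound", pbx_and_phones, (ANY,), both, ANY_PORT),
        # Section 3.1: Telappliant remote access to the PBX only, never to phones.
        Rule("remote-web", "inbound", REMOTE_ACCESS, (PBX_LAN_IP,), tcp, frozenset({80, 443}), nat=True),
        Rule("remote-ssh", "inbound", REMOTE_ACCESS, (PBX_LAN_IP,), tcp, frozenset({22}), nat=True),
        # Section 3.2: SIP signalling and RTP media from the gateway ranges and NAT proxies.
        Rule("sip-signalling", "inbound", sip_peers, pbx_and_phones, both, SIP_PORTS, nat=True),
        Rule("rtp-media", "inbound", rtp_sources, pbx_and_phones, udp, RTP_PORTS, nat=True),
    ]


def _within(addr, networks):
    return any(addr in net for net in networks)


def evaluate(policy, direction, src, dst, proto, dport):
    """Return the name of the first matching rule, or 'deny' if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if (rule.direction == direction and proto in rule.protocols
                and dport in rule.ports
                and _within(src, rule.sources) and _within(dst, rule.destinations)):
            return rule.name
    return "deny"


if __name__ == "__main__":
    policy = build_policy()
    for flow in [("inbound", "77.240.62.171", "192.0.2.10", "tcp", 22),
                 ("inbound", "203.0.113.9", "192.0.2.10", "tcp", 22),
                 ("inbound", "77.240.61.170", "192.0.2.10", "udp", 5060),
                 ("inbound", "77.240.56.40", "192.0.2.25", "udp", 20000),
                 ("inbound", "77.240.56.40", "192.0.2.25", "udp", 50000)]:
        print(flow, "->", evaluate(policy, *flow))
```

The point of the model is the negative cases: an SSH attempt from an address outside the two remote access IPs, a remote access IP aimed at a phone rather than the PBX, or UDP outside 10000-40000 all fall through to `deny`. When the firewall being configured can export its rule base, the same flows can be replayed against it to confirm the two agree. Note that FQDN objects (nat.voiptalk.org, nat.draytel.org, the registration domain) are not modelled here; only their listed IP addresses are.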
4. PBX and gateway password security
Weak or reused extension passwords can allow unauthorised registration and fraudulent calls. Passwords should be reviewed and strengthened before SIP services are made live, and whenever extensions are added or changed.
| Control | Minimum requirement | Reason |
| --- | --- | --- |
| Length | Minimum 10 characters | Longer passwords are harder to guess or brute force |
| Complexity | Use uppercase letters, lowercase letters, numbers and special characters where supported | Mixed character types improve password strength |
| Uniqueness | Use a different password for every extension | Prevents one compromised extension affecting all users |
| Coverage | Apply secure passwords to all extensions, including unused or spare extensions | Unused extensions can still be targeted if enabled |
| Avoid | Do not use short, numeric-only, letter-only or shared passwords | Examples such as 1234, ABCD or identical passwords across extensions are high risk |
Implementation guidance: Use a secure password generator or password manager to create unique passwords for each PBX or VoIP gateway extension. After changing an extension password on the PBX or gateway, update the matching phone or endpoint so it can continue to register successfully.

Important: Where punctuation or special characters are not supported by a handset or platform, generate a different strong password using the strongest supported character set. Do not fall back to short or repeated passwords.
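The password controls in the table above (length, complexity, uniqueness across every extension including spare ones, and no numeric-only or letter-only values) can be checked mechanically before SIP services go live. The script below is an added example rather than a Telappliant tool: `check_password` applies the table's minimums to one password, `audit_extensions` runs it over an extension list and flags passwords shared between extensions, and `generate_password` produces a compliant password from either the full character set or, for handsets that reject punctuation, the alphanumeric set only, as the note above requires. The extension numbers and passwords in `SAMPLE_EXTENSIONS` are constructed sample data.

```python
import secrets
import string

MIN_LENGTH = 10  # minimum length from the table above

FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation
# Strongest supported set for handsets that reject punctuation (see the note above)
ALNUM_CHARSET = string.ascii_letters + string.digits

# Constructed sample data: extension number -> current password.
SAMPLE_EXTENSIONS = {
    "201": "1234",          # numeric-only, too short
    "202": "ABCD",          # letter-only, too short
    "203": "Summer2024",    # no special character
    "204": "Summer2024",    # reused from 203
    "205": "xK9#pQ2v!mR7",  # compliant
    "299": "Summer2024",    # spare extension left with a shared password
}


def check_password(password, allow_special=True):
    """Return a list of policy violations; an empty list means compliant.

    allow_special=False relaxes only the special-character requirement, for
    endpoints that cannot accept punctuation."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    required = ["uppercase", "lowercase", "digit"] + (["special"] if allow_special else [])
    missing = [name for name in required if not present[name]]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if password.isdigit():
        problems.append("numeric-only")
    if password.isalpha():
        problems.append("letter-only")
    return problems


def audit_extensions(extensions, allow_special=True):
    """Return {extension: [problems]} for every non-compliant extension.

    Uniqueness is checked across the whole list, so unused or spare extensions
    that share a password with a live one are reported too."""
    findings = {ext: check_password(pw, allow_special) for ext, pw in extensions.items()}
    by_password = {}
    for ext, pw in extensions.items():
        by_password.setdefault(pw, []).append(ext)
    for exts in by_password.values():
        if len(exts) > 1:
            for ext in exts:
                others = ", ".join(e for e in exts if e != ext)
                findings[ext].append("shared with extension(s) " + others)
    return {ext: probs for ext, probs in findings.items() if probs}


def generate_password(length=16, allow_special=True):
    """Generate a password from the strongest character set the endpoint supports,
    retrying until it satisfies check_password (a few draws at most)."""
    charset = FULL_CHARSET if allow_special else ALNUM_CHARSET
    while True:
        candidate = "".join(secrets.choice(charset) for _ in range(length))
        if not check_password(candidate, allow_special):
            return candidate


if __name__ == "__main__":
    for ext, problems in sorted(audit_extensions(SAMPLE_EXTENSIONS).items()):
        print(f"extension {ext}: " + "; ".join(problems))
    print("replacement for a punctuation-free handset:", generate_password(allow_special=False))
```

In the sample data, extension 205 is the only one that passes; 203, 204 and 299 are reported both for the missing special character and for sharing a password, which is the case the Coverage row of the table is aimed at. Run the audit again after every extension change, and remember that a changed password also has to be updated on the matching phone or endpoint before it can register.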