Firewalls should allow Hosted VoIP handsets to access HTTP, HTTPS, and UDP traffic on the local network. Hosted VoIP handsets must be allowed to both send and receive TCP and UDP packets on arbitrary ports and to arbitrary IP addresses. Some network ports need to be opened manually.
Jive requires that firewalls allow the following activity for optimal functionality:
|NAT keep-alives must be allowed every 30 seconds. (ports 5060 and 5061)
|HTTP over port 80 must be enabled.
|Multiple UDP connections must be allowed on ports 5060 and 5061.
|Internally-initiated UDP requests must be allowed on ports 20,000-60,000 for audio (including non-T.38 faxing) and video.
|Internally-initiated UDP requests must be allowed on ports 4,000-4,999 for T.38 Faxing.
|UDP traffic must be allowed on port 123 for Network Time Protocol (NTP).
When a Jive Hosted VoIP Handset powers on, it initiates a SIP (UDP) session with Jive Core (in the cloud) on port 5060 or 5061. For service to function correctly, this session must remain open. Once the session has been established, Jive Core will send back NAT keep-alives every 30 seconds to keep that inbound connection active.
If your firewall drops these NAT keep-alives or ‘prunes’ NAT connections more aggressively than every 30 seconds, the handsets will not function properly. They will be able to call out, but will not receive inbound calls (inbound calls will go straight to voicemail). Accordingly, best practice is to ensure that any session expiration timers for these SIP sessions wait 90 seconds before closing a session.
Many routers and firewalls have SIP specific settings that manipulate how SIP traffic is handled. These settings almost always need to be turned off as they (somewhat ironically) will almost always break SIP.