What is the recommended setup for the PortaSwitch behind a firewall?

Link copied to clipboard

Although PortaSwitch servers are based on the Oracle Linux OS which is designed for high security, it is still reasonable to consider external firewall for better system protection. If you want to position servers behind the firewall for some reason (e.g., your corporate network security policy demands this) follow the recommendations below.

General configuration advice

Link copied to clipboard
  • We suggest positioning all PortaSwitch servers into a dedicated network segment.
  • Interaction between PortaSwitch servers via a private network interface must not be blocked by a firewall.
  • Whatever configuration your private LAN segment has, internal communication between servers (via TCP port 22, etc.) must always be granted.
  • Do not configure a firewall between nodes of the cluster (e.g., PortaSIP cluster, etc.).
  • For PortaSwitch sites that span across geographically dispersed locations, all PortaSwitch servers must be connected via virtual or physical) Layer 2 connection(s) and all PortaSwitch servers should be configured as hosts within a single virtual (or physical) private network.

Ports to be opened

Link copied to clipboard

Logical components (e.g., Admin, Billing, Master DB, Replica DB, PortaSIP) are installed and operating on some hosts. This requires particular ports to be kept open on these hosts, depending on which components are running on each of them. To find out which open ports are required by each component, see the table below:

Ports to be opened

Description

All servers: public interface

TCP 22

This is used for server administration via SSH.

Configuration server: private interface

TCP/UDP 5667 5668

This is required for NSCA to collect monitoring statistics from the servers and send them to the Configuration server in passive mode.

TCP/UDP 5667 5668

This is required for NSCA to collect monitoring statistics from the servers and send them to the Configuration server in passive mode.

Configuration server: public interface

TCP 8700

This is required for accessing the monitoring system web interface.

Web (admin) server: public interface

TCP 25

This is used for uploading tariffs via email.

TCP 80

This is used for UA provisioning.

UDP 69

This is required by the TFTP service.

TCP 443

This is required for access to the admin interface.

TCP 8442 TCP 8443 TCP 8444 TCP 8445 TCP 8446 TCP 8447 TCP 8448

This is required for access to the self-care web interfaces:

  • Reseller self-care

  • PortaSIP XML/JSON API

  • Customer self-care, distributor self-care

  • Account self-care

  • Reseller’s helpdesk

  • Vendor self-care

  • Representative self-care

TCP 8449

This is required for access to the WiMax session status page.

TCP 8600 TCP 8601

This is required for access to web signup pages:

  • Web signup

  • Multicard web signup

TCP 8901 TCP 8903-8904

This is required to access callback services:

  • Web callback

  • SMS callback

TCP 8943

This is used to access webmail.

RADIUS (billing) server: public interface

UDP 1812 UDP 1813

This is used to serve RADIUS requests from RADIUS clients, such as PortaSIP nodes and web server (required for the Test DialPlan feature):

  • RADIUS authentication

  • RADIUS accounting

TCP 3868

This is used to serve DIAMETER requests (optional).

UDP 5060

This is used to accept SIP requests and responses from the SIP nodes.

PortaSIP dispatching SBC: public interface

UDP 5060

This is used to accept SIP requests and responses from the SIP nodes.

TCP 5061

This is required for SIP over TCP support

TCP 5051

This is required for SIP over TLS support. Disabled by default.

PortaSIP dispatching node: virtual IP address

UDP 5060

This is used to accept SIP requests and responses from the SIP nodes.

TCP 5060

This is required for SIP over TCP support.

UDP 5070

This is used by Limit Controller to accept SIP requests and responses from the SIP nodes.

TCP (TLS) 5051

This is required for SIP over TLS support. Disabled by default.

SMPP 2775

This is required to accept and send SMPP messages.

TCP 8101

This is required for the SMTP transport.

TCP 8081

This is required for the IMAP transport.

TCP 8091

This is required for the IMAPS transport.

PortaSIP processing node: public interface

UDP 35000–65000

This is used for RTP proxying.

MySQL (Master DB, Replica DB) servers: can be configured to use either private or public interfaces

TCP 3306 TCP 3307

This is used to serve database requests from the billing server, web server and PortaSIP servers:

  • MainDB server

  • ReplicaDB server

Oracle DB servers: can be configured to use either private or public interfaces

TCP 9521

This is used to serve database requests from the billing server, web server and PortaSIP servers.

TCP 1158

This is used for Oracle Enterprise Manager access.

All servers: public interface

TCP 22

This is used for server administration via SSH.

Configuration server: private interface

TCP/UDP 5667 5668

This is required for NSCA to collect monitoring statistics from the servers and send them to the Configuration server in passive mode.

TCP 80

This is used for downloading custom patches during the update process and must be kept open permanently.

Configuration server: public interface

TCP 8700

This is required for accessing the monitoring system web interface.

Web (admin) server: public interface

TCP 25

This is used for uploading tariffs via email.

TCP 80

This is used for UA provisioning.

UDP 69

This is required by the TFTP service.

TCP 443

This is required for access to the admin interface.

TCP 8442 TCP 8443 TCP 8444 TCP 8445 TCP 8446 TCP 8447 TCP 8448

This is required for access to the self-care web interfaces:

  • Reseller self-care

  • PortaSIP XML/JSON API

  • Customer self-care, distributor self-care

  • Account self-care

  • Reseller’s helpdesk

  • Vendor self-care

  • Representative self-care

TCP 8449

This is required for access to the WiMax session status page.

TCP 8600 TCP 8601

This is required for access to web signup pages:

  • Web signup

  • Multicard web signup

TCP 8901 TCP 8903-8904

This is required to access callback services:

  • Web callback

  • SMS callback

TCP 8943

This is used to access webmail.

Web (admin) server: private interface

UDP 5405

This is used to serve RADIUS requests from RADIUS clients, such as PortaSIP nodes and web server (required for the Test DialPlan feature):

OCS server: public interface

UDP 1812 UDP 1813

This is used to serve RADIUS requests from RADIUS clients, such as PortaSIP nodes and web server (required for the Test DialPlan feature):

  • RADIUS authentication

  • RADIUS accounting

TCP 3868

This is used to serve DIAMETER requests (optional).

UDP 5060

This is used to accept SIP requests and responses from the SIP nodes.

OCS server: private interface

UDP 5405

This is used by the corosync service for internal communication among cluster nodes. Must be opened if you deploy Diameter cluster.

PortaSIP dispatching SBC: public interface

UDP 5060

This is used to accept SIP requests and responses from the SIP nodes.

TCP 5061

This is required for SIP over TCP support.

TCP 5051

This is required for SIP over TLS support. Disabled by default.

TCP 9442 TCP 9443 TCP 9444 TCP 9445 TCP 9446 TCP 9447 TCP 9448 TCP 9449

This is required for Dual Version PortaSwitch deployment to access the self-care web interfaces:

  • Reseller self-care

  • Administrator self-care

  • Customer self-care, distributor self-care

  • Account self-care

  • Reseller’s helpdesk

  • Vendor self-care

  • Representative self-care

  • Session status interface

TCP 9600 TCP 9601

This is required for Dual Version PortaSwitch deployment to access web signup pages:

  • Web signup

  • Multicard web signup

PortaSIP dispatching node: virtual IP address

UDP 5060

This is used to accept SIP requests and responses from the SIP nodes.

TCP 5060

This is required for SIP over TCP support.

TCP (TLS) 5051

This is required for SIP over TLS support. Disabled by default.

SMPP 2775

This is required to accept and send SMPP messages.

TCP 8101

This is required for the SMTP transport.

TCP 8081

This is required for the IMAP transport.

TCP 8091

This is required for the IMAPS transport.

TCP 8091

This is required for the IMAPS transport.

PortaSIP dispatching node: private interface

UDP 5405

This is used by the corosync service for internal communication among cluster nodes.

PortaSIP processing node: public interface

UDP 35000–65000

This is used for RTP proxying.

MySQL (Master DB, Replica DB) servers: can be configured to use either private or public interfaces

TCP 3306 TCP 3307

This is used to serve database requests from the billing server, web server and PortaSIP servers:

  • MainDB server

  • ReplicaDB server

Oracle DB servers: can be configured to use either private or public interfaces

TCP 9521

This is used to serve database requests from the billing server, web server and PortaSIP servers.

Oracle DB servers: can be configured to use either private or public interfaces

TCP 1158

This is used for Oracle Enterprise Manager access.

CQTracker node: private interface (no more than one per cluster, IP can be combined with any other node)

TCP 17160

This is used for PortaAdmin requests for getting finished call data.

TCP 17161

This is used for incoming HEP messages encapsulating RTP, RTCP, and RFC6035 messages.

TCP 17162

This is used for interaction with B2BUA processes and other CQTs.

These are default ports that can be changed using Configurator WI. Please note that this list may be extended in the future.

Outgoing connections

Link copied to clipboard

All servers must be granted permanent access to the following PortaOne servers in order to ensure that services function correctly:

Server

Protocol

Port

license1.portaone.com

TCP

80

license2.portaone.com

TCP

80

For your servers’ health monitoring purposes, the Configuration server must be granted access to the PortaOne monitoring servers:

Server

Protocol

Port

monitor1.portaone.com

TCP/UDP

5667, 5668

monitor2.portaone.com

TCP/UDP

5667, 5668

For performing updates to newer releases and for troubleshooting purposes, all servers must be granted access to:

Server

Protocol

Port

packages.portaone.com

TCP

80, 443

git.portaone.com

TCP

29418

In order to automatically submit call logs to PortaOne’s support ticketing system grant access from your web server to the following:

Server

Protocol

Port

smtp-in.portaone.com (MX record for portaone.com)

TCP

25

Make sure that your servers are able to connect to any server from the pool of time servers for time synchronization. You can find the list of NTP pool time servers on the NTP site:

http://support.ntp.org/bin/view/Servers/NTPPoolServers

All PortaSwitch servers can receive time information and synchronize that with the Configuration server and the PortaSIP server.

Port should be opened for NTP service on all servers of the installation

Server

Protocol

Port

Any server from the pool of time servers for time synchronization

UDP

123

If you wish to use your own NTP server, please notify us and we’ll adjust the configuration of the NTP service.

The Docker container images are stored at registry.portaone.com. Thus, in order to launch the Docker container and its included services, grant access from all of your servers to the following:

Server

Protocol

Port

registry.portaone.com

TCP

443

The Geo-IP database in your installation is regularly updated to ensure that the Geo-IP Fraud Prevention feature works correctly. Allow your RADIUS servers to establish connections to the MaxMind’s downloadable databases (updates.maxmind.com) via HTTP/HTTPS protocol. If you are running a firewall, geo-update requires that the DNS and HTTPS (443) ports be open.

Incoming connections

Link copied to clipboard

For troubleshooting purposes, allow incoming connections to your servers from the following PortaOne IP addresses:

  • 217.182.15.214
  • 217.182.15.215
  • 217.182.15.216
  • 34.209.225.48
  • 52.209.93.49

On this page