What is the recommended setup for the PortaSwitch behind a firewall?


Although PortaSwitch servers run on Oracle Linux, which is built with security in mind, an external firewall is still a reasonable additional layer of protection. If you need to place the servers behind a firewall (for example, because your corporate network security policy requires it), follow the recommendations below.

General configuration advice

  • Place all PortaSwitch servers in a dedicated network segment.
  • Do not let a firewall block traffic between PortaSwitch servers on their private network interfaces.
  • Whatever the configuration of your private LAN segment, internal communication between the servers (TCP port 22 and the component ports listed below) must always be permitted.
  • Do not place a firewall between the nodes of a cluster (e.g., a PortaSIP cluster).
  • For PortaSwitch sites that span geographically dispersed locations, connect all PortaSwitch servers via (virtual or physical) Layer 2 connections and configure them as hosts within a single virtual or physical private network.

Ports to be opened


Logical components (Admin, Billing/OCS, Master DB, Replica DB, PortaSIP, and so on) run on specific hosts, so the ports a host must accept depend on the components assigned to it. The list below gives, per component and interface, the ports that must be reachable:

All servers: public interface
  • TCP 22: server administration via SSH. Allow it only from your administration network, not from any source.

Configuration server: private interface
  • TCP/UDP 5667, 5668: NSCA, which collects monitoring statistics from the servers and delivers them to the Configuration server in passive mode.
  • TCP 80: download of custom patches by the other servers during the update process; must be kept open permanently.

Configuration server: public interface
  • TCP 8700: web interface of the monitoring system.

Web (admin) server: public interface
  • TCP 25: uploading tariffs via email.
  • TCP 80: UA (user agent) provisioning.
  • UDP 69: TFTP service.
  • TCP 443: admin web interface.
  • TCP 8442-8448: self-care web interfaces: reseller self-care, PortaSIP XML/JSON API, customer and distributor self-care, account self-care, reseller's helpdesk, vendor self-care, representative self-care.
  • TCP 8449: WiMax session status page.
  • TCP 8600, 8601: web signup and multicard web signup pages.
  • TCP 8901, 8903-8904: callback services: web callback and SMS callback.
  • TCP 8943: webmail.

Web (admin) server: private interface
  • UDP 5405: corosync, used for internal communication among cluster nodes; must be open if the web servers are deployed as a cluster.

OCS (RADIUS/billing) server: public interface
  • UDP 1812, 1813: RADIUS authentication (1812) and accounting (1813) requests from RADIUS clients such as the PortaSIP nodes and the web server (the web server needs it for the Test DialPlan feature). Allow these only from the PortaSwitch segment.
  • TCP 3868: Diameter requests (optional).
  • UDP 5060: SIP requests and responses from the SIP nodes.

OCS server: private interface
  • UDP 5405: corosync, used for internal communication among cluster nodes; must be open if you deploy a Diameter cluster.

PortaSIP dispatching SBC: public interface
  • UDP 5060: SIP requests and responses from the SIP nodes.
  • TCP 5061: SIP over TCP.
  • TCP 5051: SIP over TLS; disabled by default.
  • TCP 9442-9449: Dual Version PortaSwitch deployments only: self-care web interfaces (reseller, administrator, customer and distributor, account, reseller's helpdesk, vendor, representative) and the session status interface.
  • TCP 9600, 9601: Dual Version PortaSwitch deployments only: web signup and multicard web signup pages.

PortaSIP dispatching node: virtual IP address
  • UDP 5060: SIP requests and responses from the SIP nodes.
  • TCP 5060: SIP over TCP.
  • UDP 5070: Limit Controller; SIP requests and responses from the SIP nodes.
  • TCP 5051: SIP over TLS; disabled by default.
  • TCP 2775: SMPP, for accepting and sending SMS messages.
  • TCP 8101: SMTP transport.
  • TCP 8081: IMAP transport.
  • TCP 8091: IMAPS transport.

PortaSIP processing node: public interface
  • UDP 35000-65000: RTP media proxying.

MySQL (Master DB, Replica DB) servers: private or public interface, depending on configuration
  • TCP 3306, 3307: database requests from the billing server, web server and PortaSIP servers (MainDB and ReplicaDB). If the database listens on a public interface, allow these only from the PortaSwitch hosts.

Oracle DB servers: private or public interface, depending on configuration
  • TCP 9521: database requests from the billing server, web server and PortaSIP servers. As with MySQL, allow it only from the PortaSwitch hosts when it is exposed on a public interface.
  • TCP 1158: Oracle Enterprise Manager access.

"Open" in this list means reachable by the clients that actually need the service, not by the whole Internet: SSH, database and RADIUS/Diameter ports have a small, known set of legitimate sources, and the firewall should enforce that. Only the SIP signalling ports, the RTP range and the customer-facing web ports are meant to be reachable from outside, and the RTP range must be opened as a whole because media ports are negotiated per call.
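The general advice above (never filter the private inter-server interface, open on the public interface only what each component needs) and the port list can be turned into a concrete ruleset. The following is an added example, not PortaSwitch's own tooling and not from the original page: a POSIX shell function that prints an nftables ruleset for one host role. It assumes nftables is the packet filter on the host, and the interface names (eth0/eth1), the network ranges and the role names (config, web, ocs, sip-sbc, sip-disp, sip-proc, mysql) are placeholders chosen for the illustration.

```bash
#!/bin/sh
# Added example, not PortaSwitch's own tooling: generate an nftables ruleset for one
# PortaSwitch host role. Interface names, CIDRs and role names are placeholders.
# Policy, following the page's recommendations:
#   - traffic on the private (inter-server) interface is never filtered;
#   - on the public interface only the ports the host's components need are open;
#   - SSH on the public interface is limited to the administration network;
#   - services only ever contacted by other PortaSwitch hosts (DB, OCS) additionally
#     require a source address from the PortaSwitch segment.
# Ports the page marks "disabled by default" (SIP over TLS, TCP 5051) are omitted;
# add them if you enable the feature.

# public_ports ROLE  ->  "proto port[-port]" lines for that role's public interface
public_ports() {
  case "$1" in
    config)   printf '%s\n' "tcp 8700" ;;
    web)      printf '%s\n' "tcp 25" "tcp 80" "udp 69" "tcp 443" "tcp 8442-8449" \
                             "tcp 8600-8601" "tcp 8901" "tcp 8903-8904" "tcp 8943" ;;
    ocs)      printf '%s\n' "udp 1812-1813" "tcp 3868" "udp 5060" ;;
    sip-sbc)  printf '%s\n' "udp 5060" "tcp 5061" "tcp 9442-9449" "tcp 9600-9601" ;;
    sip-disp) printf '%s\n' "udp 5060" "tcp 5060" "udp 5070" "tcp 2775" \
                             "tcp 8101" "tcp 8081" "tcp 8091" ;;
    sip-proc) printf '%s\n' "udp 35000-65000" ;;
    mysql)    printf '%s\n' "tcp 3306-3307" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# portaswitch_nft_rules ROLE PRIVATE_IF PUBLIC_IF SWITCH_CIDR ADMIN_CIDR
# Prints a complete ruleset suitable for `nft -f -`. Source matches are IPv4 only;
# add matching `ip6 saddr` rules if the public interface carries IPv6.
portaswitch_nft_rules() {
  role=$1 priv_if=$2 pub_if=$3 switch_cidr=$4 admin_cidr=$5
  ports=$(public_ports "$role") || return 1
  case "$role" in
    mysql|ocs) src="ip saddr $switch_cidr " ;;   # only other PortaSwitch hosts talk to these
    *)         src="" ;;
  esac
  cat <<EOF
table inet portaswitch {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # inter-server traffic on the private interface is never filtered
    iif "$priv_if" accept
    icmp type { echo-request, destination-unreachable, time-exceeded } accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big, time-exceeded } accept
    # TCP 22 on the public interface only from the administration network
    iif "$pub_if" ip saddr $admin_cidr tcp dport 22 accept
EOF
  printf '%s\n' "$ports" | while read -r proto port; do
    printf '    iif "%s" %s%s dport %s accept\n' "$pub_if" "$src" "$proto" "$port"
  done
  printf '  }\n}\n'
}

# Run stand-alone with five arguments to print a ruleset, e.g.:
#   sh portaswitch-fw.sh web eth1 eth0 10.10.0.0/24 203.0.113.0/24 | nft -f -
if [ $# -eq 5 ]; then
  portaswitch_nft_rules "$@"
fi
```

Review the printed ruleset before loading it, and load it from a console session rather than over SSH the first time, since the default policy is drop. If firewalld manages the host, express the same policy through firewalld rather than loading this ruleset beside it, as two managers rewriting the same tables will fight each other. A host that carries several components (for example, web and OCS on one machine) needs the union of the role port lists.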