- Please see the general firewall guidelines below, "Firewall 101" (in English only for now).
- At the bottom of the page you will also find a few firewall models for which we have prepared specific guides (in English for now) on what to configure, since they have a few specific settings that need to be changed.
If you are not sure that your firewall is configured correctly, feel free to send us an email at service@cloudli.com with the details of your device and your question.
Note:
If you use our Business service (Cloud PBX), also make sure that ports 8445-8447 are open for TCP traffic.
This ensures that the user's account configuration is initialized correctly when the IP phone starts up.
Firewall 101
(translation coming soon)
Can I use Cloudli devices from behind my firewall?
Yes. However, for some firewalls you may need to make a minor adjustment to avoid a rare situation where incoming calls can be blocked by your firewall. If unsure of how to make the recommended changes below, refer to the firewall help or contact your firewall provider for assistance.
Consistent NAT:
Firewalls that do not use a Consistent NAT can block incoming calls. In this situation the firewall keeps changing the public IP port used to communicate with Cloudli. If a call arrives at that moment, before Cloudli is notified of the new IP port assigned by the firewall, then that call will not reach your device. To avoid this, change your firewall setting to enable Consistent NAT.
SIP aware firewalls:
SIP aware firewalls can prevent calls from reaching your device. If this is the situation, disable the SIP awareness option on the firewall.
Strict firewalls:
In the case of very strict firewalls, such as the ones allowing traffic only on limited well-known IP ports, your calls may be blocked. Modify the rules to allow UDP packets to and from the <Outbound_Proxy> address listed in your Cloudli SIP Parameters, and to redirect incoming packets to your device.
Firewall (deeper) considerations
In most cases you can use your SIP device or IP-PBX with Cloudli whether it is placed in a public domain or privately behind a firewall.
Where a firewall is in place the overall quality of service should not be affected provided the firewall can handle the extra traffic without degrading throughput and introducing significant latency. The other important factor is that the Network Address Translation (NAT) functionality of the firewall must use a Consistent NAT behavior model.
With Consistent NAT, outbound UDP traffic from each internal private IP address and private UDP port pair is consistently assigned the same remapped public IP address and public UDP port pair.
Without Consistent NAT, the remapped port would change with every REGISTER message the SIP device sends to Cloudli, providing no consistency, and no predictability as to where Cloudli should send an INVITE for a new incoming call.
Unless Consistent NAT is used, a problem may happen where a port change takes place and a call happens at that moment, before Cloudli is notified of the new port number. In this situation, the call will not get to the device because Cloudli will have sent the INVITE to the wrong port and the firewall will simply ignore it.
To ensure this problem does not happen, change the firewall setting to enable Consistent NAT. If unsure, check with your firewall provider for information on how to accomplish this.
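The race described above can be reproduced with a small model. This is an added example, not Cloudli code; the `Nat` class, the `simulate` function, the private address 192.168.1.50 and the starting port 40000 are constructed for illustration.

```python
"""Toy model of Consistent vs. non-consistent NAT (all values constructed)."""
import itertools


class Nat:
    """Maps a private (ip, port) pair to a public UDP port for outbound traffic."""

    def __init__(self, consistent, first_port=40000):
        self.consistent = consistent
        self.ports = itertools.count(first_port)
        self.by_private = {}  # private endpoint -> current public port
        self.by_public = {}   # public port -> private endpoint (inbound pinhole)

    def outbound(self, private):
        """Return the public port used for a packet sent from `private`."""
        if self.consistent and private in self.by_private:
            return self.by_private[private]      # same mapping every time
        old = self.by_private.get(private)
        if old is not None:
            del self.by_public[old]              # previous pinhole is closed
        port = next(self.ports)
        self.by_private[private] = port
        self.by_public[port] = private
        return port

    def inbound(self, public_port):
        """Return the private endpoint reached, or None if the packet is dropped."""
        return self.by_public.get(public_port)


def simulate(consistent, refreshes=3):
    """The device re-REGISTERs `refreshes` times. Each time, an INVITE arrives
    after the NAT has picked the mapping but before the provider has processed
    the REGISTER. Returns one bool per INVITE (True = reached the device)."""
    nat = Nat(consistent)
    device = ("192.168.1.50", 5060)            # constructed private endpoint
    registered_port = nat.outbound(device)     # port learned from first REGISTER
    delivered = []
    for _ in range(refreshes):
        new_port = nat.outbound(device)        # REGISTER leaves the firewall
        # INVITE is still sent to the port from the previous REGISTER
        delivered.append(nat.inbound(registered_port) == device)
        registered_port = new_port             # provider now knows the new port
    return delivered


if __name__ == "__main__":
    print("consistent NAT:    ", simulate(True))
    print("non-consistent NAT:", simulate(False))
```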
For strict firewalls, you will need your firewall administrator to adjust the configuration.
See example below:
Firewall configuration example on Strict-firewalls
In most cases, SIP ports XXXX and TTTT will be 5060, and the RTP port range YYYYY-ZZZZZ will be the same as the port range UUUUU-VVVVV, although the ports used depend on your device and firewall configuration.

| Source | Source Port(s) | Destination | Destination Port(s) | Protocol | Direction | Action |
| --- | --- | --- | --- | --- | --- | --- |
| Your device IP address | XXXX (device/configuration dependent, often 5060) | <Outbound_Proxy> | 5065 | SIP/UDP | Inside to Outside | Allow |
| Your device IP address | YYYYY-ZZZZZ (device/configuration dependent) | <Outbound_Proxy> | 10000-40000 | (RTP/T38)/UDP | Inside to Outside | Allow |
| <Outbound_Proxy> | 5065 | Your Public IP address | TTTT (firewall/configuration dependent, often 5060) | SIP/UDP | Outside to Inside | Allow |
| <Outbound_Proxy> | 10000-40000 | Your Public IP address | UUUUU-VVVVV (firewall/configuration dependent, often equal to YYYYY-ZZZZZ) | (RTP/T38)/UDP | Outside to Inside | Allow |
Note: To find the <Outbound_Proxy> for your account, go to the following menu in your web portal: