Firewall rules and ports for the Pexip Service
This article describes the firewall rules and port requirements for the Pexip Service. It covers:
- SIP devices
- Safelisting domains for endpoint registration
- Video network readiness evaluation test
- H.323 devices
- Pexip app (MMV)
- Safelisting domains for the Pexip app
- Pexip Control Center (PCC)
- One-Touch Join for Pexip Service
- Safelisting domains for One-Touch Join for Pexip Service
- Meeting Controls for Cisco endpoints
We recommend using general firewall rules that allow for outgoing traffic, as shown in the tables below. This will always work in all regions as well as for future upgrades of our infrastructure.
We also recommend turning off any SIP or H.323 application gateways or fixup that may be enabled in the firewall.
For further background information see Additional firewall rules and ports information for the Pexip Service.
SIP devices
This table shows the required ports for SIP endpoints and call control systems:
Source | Transport | Service/Application | Destination ports | Rule | Destination |
---|---|---|---|---|---|
Endpoints / call control system | TCP | SIP, SIPS (SIP registration, SIP signaling) | 5060, 5061 | Outgoing | 176.121.88.0/21 91.240.204.0/22 91.240.195.0/24 185.94.240.0/22 185.124.96.0/22 |
Endpoints / call control system | UDP | RTP, RTCP, BFCP (media) | 10000-65535 | Outgoing | |
Registered endpoints |
TCP | HTTPS (endpoint provisioning) | 443 | Outgoing | |
Registered endpoints (Poly only) |
TCP | Secure LDAP: StartTLS (phonebook directory) | 389 | Outgoing | |
Registered endpoints |
UDP | NTP | 123 | Outgoing | 176.58.109.199/32 |
See SIP calling port ranges for devices not registered to the Pexip Service network for more information about non-registered endpoints.
Safelisting domains for endpoint registration
These are the domains that may need to be safelisted to allow traffic to pass without interference:
Domain | Service/Application |
---|---|
SIP devices | |
*.pexip.me *.videxio.net *.vp.vc |
SIP endpoint provisioning |
Skype for Business | |
*.vmr.vc ms.videxio.com |
Skype for Business |
Video network readiness evaluation test
The Activate Endpoint app can be used to check the suitability of your network environment for registering your endpoint to the Pexip Service. The test evaluates whether your network supports the Pexip services, verifies that no firewalls will block the service, identifies any issues and explains how to resolve them. You can save the report and forward it to your IT administrator.
Here's more information on testing your network for suitability with the Pexip Service.
H.323 devices
This table lists the ports required by H.323 devices to make calls via the Pexip Service:
Source | Transport | Service/Application | Destination ports | Rule | Destination |
---|---|---|---|---|---|
Endpoints / call control system | TCP | H.225 call signaling | 1720 | Outgoing | 176.121.88.0/21 91.240.204.0/22 91.240.195.0/24 185.94.240.0/22 185.124.96.0/22 |
Endpoints / call control system | TCP | H.245 media negotiation signaling | 33000-39999 | Outgoing | |
Endpoints / call control system | UDP | RTP, RTCP (media) | 11050-39999 | Outgoing |
Pexip app (MMV)
These are the port usage rules for the Pexip web and desktop apps:
Source | Transport | Service/Application | Destination ports | Rule | Destination |
---|---|---|---|---|---|
User's client app device | TCP | HTTP/HTTPS (Pexip client app) | 443 | Outgoing | mpg.videxio.net static.videxio.net |
User's client app device | TCP | RTP, RTCP (media) | 443 | Outgoing | 176.121.88.0/21 91.240.204.0/22 91.240.195.0/24 185.94.240.0/22 185.124.96.0/22 |
User's client app device | UDP | RTP, RTCP (media) | 10000 | Outgoing |
Safelisting domains for the Pexip app
These are the domains that may need to be safelisted to allow traffic to pass without interference:
Domain | Service/Application |
---|---|
mpg.videxio.net static.videxio.net prov.videxio.net pexip.me prov.pexip.me *.vp.vc |
App signaling |
Pexip Control Center (PCC)
To use PCC, you need to allow access to the following domains.
Domain | Service/Application |
---|---|
*.vp.vc *.pexip.io |
HTTPS |
control.pexip.io | Your network policy must allow the wss:// protocol via port 443 to this domain (to access the PCC Troubleshooting page) |
One-Touch Join for Pexip Service
These are the port usage rules for One-Touch Join for Pexip Service:
Source | Transport | Service/Application | Destination ports | Rule | Destination |
---|---|---|---|---|---|
Endpoints | TCP | HTTPS | 443 | Outgoing | 185.94.240.0/22 185.124.96.0/22 |
Endpoints |
UDP | NTP | 123 | Outgoing | 176.58.109.199/32 |
Safelisting domains for One-Touch Join for Pexip Service
These are the domains that may need to be safelisted to allow traffic to pass without interference:
Domain | Service/Application |
---|---|
otj.pexip.io | for One-Touch Join for Pexip Service (Cisco & Poly) |
auth.otj.pexip.io cisco-macros.pexip.io |
for One-Touch Join for Pexip Service (Cisco only) |
Meeting Controls for Cisco endpoints
These are the port usage rules for Meeting Controls for Cisco endpoints.
Source | Transport | Service/Application | Destination ports | Rule | Destination |
---|---|---|---|---|---|
Endpoints / call control system | TCP | HTTPS | 443 | Outgoing | meetingcontrol.pexip.io |