Firewall rules and ports for the Pexip Service

This article describes the firewall rules and port requirements for the Pexip Service.

We recommend using general firewall rules that allow for outgoing traffic, as shown in the tables below. This will always work in all regions as well as for future upgrades of our infrastructure.

We also recommend turning off any SIP or H.323 application gateways or fixup that may be enabled in the firewall.

For further background information see Additional firewall rules and ports information for the Pexip Service.

SIP devices

This table shows the required ports for SIP endpoints and call control systems:

| Source | Transport | Service/Application | Destination ports | Rule | Destination |
| --- | --- | --- | --- | --- | --- |
| Endpoints / call control system | TCP | SIP, SIPS (SIP registration, SIP signaling) | 5060, 5061 | Outgoing | 176.121.88.0/21, 91.240.204.0/22, 91.240.195.0/24, 185.94.240.0/22, 185.124.96.0/22 |
| Endpoints / call control system | UDP | RTP, RTCP, BFCP (media) | 10000-65535 | Outgoing | |
| Registered endpoints * | TCP | HTTPS (endpoint provisioning) | 443 | Outgoing | |
| Registered endpoints (Poly only) * | TCP | Secure LDAP: StartTLS (phonebook directory) | 389 | Outgoing | |
| Registered endpoints | UDP | NTP | 123 | Outgoing | 176.58.109.199/32 |

* Only required by registered/provisioned endpoints. They are not required if you are not registering your endpoints to the Pexip Service.

† Working NTP is required for endpoint registration. You do not need to allow this IP range if you choose to use your own NTP server; however, you must inform your Pexip authorized support representative.

See SIP calling port ranges for devices not registered to the Pexip Service network for more information about non-registered endpoints.

Safelisting domains for endpoint registration

These are the domains that may need to be safelisted to allow traffic to pass without interference:

| Domain | Service/Application |
| --- | --- |
| SIP devices | |
| *.pexip.me, *.videxio.net, *.vp.vc | SIP endpoint provisioning |
| Skype for Business | |
| *.vmr.vc, ms.videxio.com | Skype for Business |

Video network readiness evaluation test

The Activate Endpoint app can be used to check the suitability of your network environment for registering your endpoint to the Pexip Service. The test evaluates whether your network supports the Pexip services, verifies that no firewalls will block the service, identifies any issues and explains how to resolve them. You can save the report and forward it to your IT administrator.

Here's more information on testing your network for suitability with the Pexip Service.

H.323 devices

This table lists the ports required by H.323 devices to make calls via the Pexip Service:

| Source | Transport | Service/Application | Destination ports | Rule | Destination |
| --- | --- | --- | --- | --- | --- |
| Endpoints / call control system | TCP | H.225 call signaling | 1720 | Outgoing | 176.121.88.0/21, 91.240.204.0/22, 91.240.195.0/24, 185.94.240.0/22, 185.124.96.0/22 |
| Endpoints / call control system | TCP | H.245 media negotiation signaling | 33000-39999 | Outgoing | |
| Endpoints / call control system | UDP | RTP, RTCP (media) | 11050-39999 | Outgoing | |
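
The following added example (not part of the Pexip documentation) encodes the SIP and H.323 tables above and scans firewall log lines for denied outbound flows that those tables say must be allowed. The log layout, function names and sample entries are hypothetical, and it assumes that table rows with no destination of their own share the ranges listed in the first row.

```python
import ipaddress
import re

# Ranges copied from the Destination column of the SIP and H.323 tables.
PEXIP = [ipaddress.ip_network(n) for n in (
    "176.121.88.0/21", "91.240.204.0/22", "91.240.195.0/24",
    "185.94.240.0/22", "185.124.96.0/22")]
NTP = [ipaddress.ip_network("176.58.109.199/32")]
# (transport, first port, last port, service, destination networks)
# Assumption: rows without their own destination share the PEXIP ranges.
RULES = [
    ("tcp", 5060, 5061, "SIP/SIPS signaling", PEXIP),
    ("udp", 10000, 65535, "SIP media (RTP/RTCP/BFCP)", PEXIP),
    ("tcp", 443, 443, "HTTPS endpoint provisioning", PEXIP),
    ("tcp", 389, 389, "Secure LDAP StartTLS (Poly)", PEXIP),
    ("udp", 123, 123, "NTP", NTP),
    ("tcp", 1720, 1720, "H.225 call signaling", PEXIP),
    ("tcp", 33000, 39999, "H.245 media negotiation", PEXIP),
    ("udp", 11050, 39999, "H.323 media (RTP/RTCP)", PEXIP),
]

# Hypothetical log layout: ACTION PROTO SRC_IP:SPORT -> DST_IP:DPORT
LINE_RE = re.compile(r"^(ALLOW|DENY) (tcp|udp) \S+ -> ([\d.]+):(\d+)$")

def documented_services(proto, dst_ip, dst_port):
    """Return every documented service that this outbound flow matches."""
    addr = ipaddress.ip_address(dst_ip)
    return [name for p, lo, hi, name, nets in RULES
            if p == proto and lo <= dst_port <= hi
            and any(addr in net for net in nets)]

def blocked_pexip_flows(log_lines):
    """Denied flows that the tables say must be allowed outbound."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == "DENY":
            proto, ip, port = m.group(2), m.group(3), int(m.group(4))
            services = documented_services(proto, ip, port)
            if services:
                findings.append((ip, port, services))
    return findings

SAMPLE_LOG = [  # constructed entries, not real traffic
    "ALLOW tcp 10.0.0.15:50210 -> 176.121.90.4:5061",
    "DENY udp 10.0.0.15:50400 -> 91.240.204.17:32000",
    "DENY tcp 10.0.0.15:50220 -> 185.94.241.9:1720",
    "DENY udp 10.0.0.15:50400 -> 91.240.195.20:9000",
]
```

A denied UDP flow in the 11050-39999 range matches both the SIP and the H.323 media rows, so the function reports every service it could belong to.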

Pexip app (MMV)

These are the port usage rules for the Pexip web and desktop apps:

| Source | Transport | Service/Application | Destination ports | Rule | Destination |
| --- | --- | --- | --- | --- | --- |
| User's client app device | TCP | HTTP/HTTPS (Pexip client app) | 443 | Outgoing | mpg.videxio.net, static.videxio.net |
| User's client app device | TCP | RTP, RTCP (media) | 443 | Outgoing | 176.121.88.0/21, 91.240.204.0/22, 91.240.195.0/24, 185.94.240.0/22, 185.124.96.0/22 |
| User's client app device | UDP | RTP, RTCP (media) | 10000 | Outgoing | |

Safelisting domains for the Pexip app

These are the domains that may need to be safelisted to allow traffic to pass without interference:

| Domain | Service/Application |
| --- | --- |
| mpg.videxio.net, static.videxio.net, prov.videxio.net, pexip.me, prov.pexip.me, *.vp.vc | App signaling |

Pexip Control Center (PCC)

To use PCC, you need to allow access to the following domains.

| Domain | Service/Application |
| --- | --- |
| *.vp.vc, *.pexip.io | HTTPS |
| control.pexip.io | Your network policy must allow the wss:// protocol via port 443 to this domain (to access the PCC Troubleshooting page) |

One-Touch Join for Pexip Service

These are the port usage rules for One-Touch Join for Pexip Service:

| Source | Transport | Service/Application | Destination ports | Rule | Destination |
| --- | --- | --- | --- | --- | --- |
| Endpoints | TCP | HTTPS | 443 | Outgoing | 185.94.240.0/22, 185.124.96.0/22 |
| Endpoints * | UDP | NTP | 123 | Outgoing | 176.58.109.199/32 |

* For OTJ to display meetings at the correct time, the endpoint must have a synchronized clock. You may use your own NTP server instead of the one provided by Pexip above (and thus you do not need to allow this range); however, you must inform your Pexip authorized support representative.

Safelisting domains for One-Touch Join for Pexip Service

These are the domains that may need to be safelisted to allow traffic to pass without interference:

| Domain | Service/Application |
| --- | --- |
| otj.pexip.io | for One-Touch Join for Pexip Service (Cisco & Poly) |
| auth.otj.pexip.io, cisco-macros.pexip.io | for One-Touch Join for Pexip Service (Cisco only) |

Meeting Controls for Cisco endpoints

These are the port usage rules for Meeting Controls for Cisco endpoints.

| Source | Transport | Service/Application | Destination ports | Rule | Destination |
| --- | --- | --- | --- | --- | --- |
| Endpoints / call control system | TCP | HTTPS | 443 | Outgoing | meetingcontrol.pexip.io |