ONSIGHT FIREWALL CONFIGURATION GUIDE
Librestream Onsight Firewall Configuration Guide Doc #: 400295-01, rev A January 2018 Information in this document is subject to change without notice. Reproduction in any manner whatsoever without the written permission of Librestream is strictly forbidden. Copyright 2006-2018 Librestream Technologies, Incorporated. All rights reserved. Name of Librestream Software: Onsight Connect Copyright Notice: Copyright 2004-2018 Librestream Technologies Incorporated. All Rights Reserved. Patents Notice: United States Patent # 7,221,386, together with additional patents pending in Canada, the United States and other countries, all of which are in the name of Librestream Technologies Inc. Trademark Notice: Librestream, the Librestream logo, Onsight, Onsight Expert, Onsight Mobile, Onsight Connect, Onsight Embedded, Onsight Enterprise, Onsight Platform Manager,Onsight Workspace, Onsight Teamlink, and Onsight Management Suite are either registered trademarks or trademarks of Librestream Technologies Incorporated in Canada, the United States and/or other countries. All other trademarks are the property of their respective owners. 1
TABLE OF CONTENTS 1. Introduction 3 1.1 Onsight Default Configuration 3 1.2 Private SIP Server Configuration 4 2. Push Notifications 6 3. For More Information 6 2
ONSIGHT FIREWALL CONFIGURATION GUIDE INTRODUCTION This guide specifies the ports which need to be opened on a firewall for Onsight Connect services. These ports are based on Onsight Platform Manager Group Client policies for SIP and TeamLink. Most Customers will follow the Onsight Default Configuration. This configuration means you are using Onsight Hosted SIP Services with the option of using TeamLink. This configuration allows access to Onsight Hosted SIP Services through your Firewall. Customers who use their own SIP Infrastructure will use the Private SIP Server Configuration. This configuration includes the option of using TeamLink. This configuration allows access to TeamLink Services through your Firewall. Onsight Connect will utilize your Private SIP server settings in your Onsight Platform Manager domain. Onsight Default Configuration The following is required when using Onsight Connect including Onsight SIP Services. Sections 1.1.1 and 1.1.2 are mandatory for Onsight Services. Section 1.1.3 is required (in addition to 1.1.1 and 1.1.2) when TeamLink is enabled. Note that TeamLink connectivity may be managed by your proxy. SIP Services must be managed by the Firewall. 1.1.1 Table: Onsight User Authentication and Authorization Proxy White list *.librestream.com Server IP addresses onsight.librestream.com 54. 191.82.47 54.191.1.155 54.186.71.157 54.201.2.117 54.148.194.245 54.149.214.249 workspace.librestream.com (required if Workspace is enabled.) 34.210.177.102 52.24.69.118 54.186.104.204 54.201.132.80 54.69.222.113 35.167.21.12 52.89.175.233 54.149.132.101 52.89.207.207 3
1.1.2 Table: Onsight SIP and Media Services Onsight SIP Server IP addresses sip.librestream.com 54.213.166.17 UDP, 3478, STUN* UDP, 58024, STUN* UDP, 58523, STUN* TCP, 5060,SIP TCP, 5061, SIP-TLSv1.2 *Required if TeamLink is enabled. Media Servers IP addresses media 54.200.152.202 54.201.34.23 54.213.38.103 54.218.75.97 54.213.75.101 54.200.248.252 UDP, 15000-65000, RTP, RTCP 1.1.3 Table: TeamLink (SIP Detection Method: SIP Server Full) This section is only required if TeamLink is enabled. The SIP Detection Method must be set to SIP Server Full. TeamLink - Targeted Server: Teamlink#.librestream.com Any one of the following TeamLink servers will be targeted: TeamLink Load Balancer tcm.librestream.com 54.200.211.44 54.201.116.193 54.149.122.185 54.149.14.174 54.149.178.194 54.191.206.117 TeamLink Servers teamlink1.librestream.com 54.200.207.108 Same as above teamlink2.librestream.com teamlink3.librestream.com teamlink4.librestream.com 54.200.203.116 teamlink5.librestream.com teamlink6.librestream.com teamlink7.librestream.com teamlink10.librestream.com 54.201.6.72 4
Private SIP Server Configuration The following configuration is required when using Onsight Connect with a Private SIP Server. Sections 1.2.1 and 1.2.2 are mandatory for Onsight Services. Section 1.2.3 is required (in addition to sections 1.2.1 and 1.2.2) when TeamLink is enabled. Note that TeamLink connectivity may be managed by your proxy. SIP Services must be managed by the Firewall. 1.2.1 Table: Onsight User Authentication and Authorization Proxy White list *.librestream.com Server IP addresses onsight.librestream.com 54. 191.82.47 54.191.1.155 54.186.71.157 54.201.2.117 54.148.194.245 54.149.214.249 workspace.librestream.com (required if Workspace is enabled.) 34.210.177.102 52.24.69.118 54.186.104.204 54.201.132.80 54.69.222.113 35.167.21.12 52.89.175.233 54.149.132.101 52.89.207.207 1.2.2 Table: Private SIP and Media Services Server IP addresses sip.yourcompany.com udp.yourcompany.com server addresses TCP, 5060, SIP TCP, 5061, SIP-TLSv1.2 UDP, port range, RTP, RTCP 5
1.2.3 Table: TeamLink (SIP Detection Method: TeamLink) This section is required only if TeamLink has been enabled. The SIP Detection Method must be set to TeamLink. TeamLink - Targeted Server: Teamlink#.librestream.com Any one of the following TeamLink servers will be targeted: TeamLink Load Balancer tcm.librestream.com 54.200.211.44 54.201.116.193 54.149.122.185 54.149.14.174 54.149.178.194 54.191.206.117 TeamLink Cluster Managers tcm1.librestream.com tcm2.librestream.com tcm3.librestream.com TeamLink Servers 54.200.203.117 54.213.116.106 54.218.72.77 PUSH NOTIFICATIONS Push notifications are used to deliver call invites when Onsight Connect is running in the background. UDP, 3478, STUN UDP, 58024, STUN UDP, 58523 STUN TCP, 5061, SIP-TLSv1.2 TCP, 5060, SIP teamlink1.librestream.com 54.200.207.108 teamlink2.librestream.com teamlink3.librestream.com teamlink4.librestream.com 54.200.203.116 teamlink5.librestream.com teamlink6.librestream.com teamlink7.librestream.com teamlink10.librestream.com 54.201.6.72 Apple push notifications require that your Firewall allow TCP ports 5223, 2195, 2196, and 443 on the entire 17.0.0.0/8 address block. If this is not allowed Onsight Connect will not receive push notifications and will not receive calls when the app is in the background or not running. For more information please visit https://support.apple.com/en-ca/ht203609. Google s Firebase Cloud Messaging (push notifications) use TCP ports 5228, 5229 and 5230 for incoming messages. For details refer to https://firebase.google.com/docs/cloud-messaging/concept-options If your configuration does not fit within these guidelines, please contact Librestream Support for assistance. FOR MORE INFORMATION Please contact support@librestream.com or call 1.800.849.5507 or +1.204.487.0612. 6