Security best practices for external trunks

Use the following Genesys Cloud best practices to provide security for Internet-facing external trunks.

Prerequisites
  • Telephony > Plugin > All permission

Prevent unnecessary Internet visibility

When possible, configure internal network addresses on the network interfaces of your trunks.

 
  1. Obtain the internal network IP address of the server.
  2. Click Admin.
  3. Under Telephony, click Trunks.
  4. Click the External Trunks tab.
  5. Select your trunk.
  6. Under Outbound – SIP Servers or Proxies, enter the IP address for your SIP server or intermediate proxy, and click plus.

Notes:
  • The inbound listen port is used by default. If you want to use another port number, enter that port number in the Port field.
  • IP addresses added to the Outbound – SIP Servers or Proxies section are automatically placed on the SIP Access Control Allow list.

  7. Click Save External Trunk.

Configure an External SIP trunk with a non-default port

Do not use the common default port of 5060 for your trunk. Configure an alternate port. Confirm with your provider that the alternate port is available.

 

  1. Click Admin.
  2. Under Telephony, click Trunks.
  3. Click the External Trunks tab.
  4. Select your external SIP trunk.
  5. In the Listen Port field, enter a port number equal to or greater than 1024.
  6. Click Save External Trunk.

Note: This task does not apply to BYOC Carrier or BYOC PBX external trunks.

Configure the Access Control List (ACL) to allow only specific SIP traffic sources

The SIP Access Control List (ACL) applies to inbound SIP trunk calls only.

    1. Click Admin.
    2. Under Telephony, click Trunks.
    3. Click the External Trunks tab.
    4. Select your trunk.
    5. Under SIP Access Control, do the following:
      • If you are configuring an external SIP trunk, set Use Source Address to Yes.
        Note: If you are configuring a BYOC Carrier or BYOC PBX trunk, the Use Source Address setting does not appear.
      • To allow an address, enter it in the box under Allow the Following Addresses, and click plus.
      • To deny an address, enter it in the box under Always Deny the Following Addresses, and click plus.
    6. At the bottom of the page, click the Save External Trunk button.
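
The three practices above can be checked together before a change window. The following script is an added example, not Genesys Cloud code: the record field names and trunk type labels are hypothetical, the sample records are constructed, and "internal" is assumed to mean RFC 1918 address space.

```python
import ipaddress

# Assumption: "internal" means RFC 1918 space; adjust for your network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BYOC_TYPES = {"BYOC_CARRIER", "BYOC_PBX"}  # hypothetical type labels

# Constructed sample records; field names are hypothetical, not a Genesys Cloud schema.
SAMPLE_TRUNKS = [
    {"name": "pstn-a", "type": "EXTERNAL_SIP", "listen_port": 5060,
     "outbound_servers": ["203.0.113.10"], "use_source_address": False,
     "acl_allow": []},
    {"name": "pstn-b", "type": "EXTERNAL_SIP", "listen_port": 5872,
     "outbound_servers": ["10.20.0.5"], "use_source_address": True,
     "acl_allow": ["10.20.0.5"]},
    {"name": "byoc-c", "type": "BYOC_CARRIER", "listen_port": 5060,
     "outbound_servers": ["10.30.0.7"], "acl_allow": ["10.30.0.7"]},
]

def is_internal(addr):
    """True if addr falls inside one of the internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit_trunk(trunk):
    """Return a list of findings for one trunk record (empty list = clean)."""
    findings = []
    byoc = trunk["type"] in BYOC_TYPES
    # Prevent unnecessary Internet visibility.
    for addr in trunk["outbound_servers"]:
        if not is_internal(addr):
            findings.append(f"outbound server {addr} is not an internal address")
    # The listen-port task and Use Source Address do not apply to BYOC trunks.
    if not byoc:
        port = trunk["listen_port"]
        if port == 5060:
            findings.append("listen port is the default 5060")
        elif port < 1024:
            findings.append(f"listen port {port} is below 1024")
        if not trunk.get("use_source_address"):
            findings.append("Use Source Address is not set to Yes")
    # The ACL should allow only specific SIP traffic sources.
    if not trunk["acl_allow"]:
        findings.append("SIP Access Control allow list is empty")
    return findings

if __name__ == "__main__":
    for t in SAMPLE_TRUNKS:
        for finding in audit_trunk(t) or ["ok"]:
            print(f"{t['name']}: {finding}")
```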