About ports and services for your firewall

On this page you’ll find detailed information on the ports and services…

CIDR IP address range for cloud media services change

Announced on Takes effect November 4, 2020 March 10, 2021 The November…

About Genesys Cloud WebRTC phones

Genesys Cloud supports WebRTC technology with the Genesys Cloud WebRTC phone. The Genesys…

About Genesys Cloud Voice

Genesys Cloud Voice is an Internet-based telephony service that you can activate…

About BYOC Cloud

The BYOC Cloud solution provides flexibility and interoperability to the Genesys Cloud…

About screen recording

Record an agent's screen during ACD interactions for quality and management purposes. …

About video chat

Video chat lets you hold video conferences with people in your organization.…

Feature deprecations

This article lists the features and functionality that Genesys has removed from…

SIP phone trunk settings

When you configure a phone trunk for SIP phones, you'll need to…

External trunk settings

There are three types of external trunks: BYOC Carrier, BYOC PBX, and…

Cloud media services CIDR IP address range

Feature coming soon: On or after March 10, 2021, Genesys will enable a new public IP address range for media services. To be prepared for this new addition, we recommend that you add the new IP addresses to your firewall’s allowlist now.

Genesys Cloud’s cloud media services /20 CIDR IP range is 52.129.96.0/20.

Genesys Cloud’s cloud media services CIDR block provides a smaller range of IP addresses for outbound connections to and from telephony endpoints. If you currently use any of these Genesys Cloud services:

WebRTC stations
Polycom stations with Genesys Cloud Voice (formerly PureCloud Voice)
BYOC Cloud
ACD screen recording
Video chat

then we recommend that you run the tests listed in the Readiness check section in this article. Doing so allows you to evaluate what you need to do to incorporate the /20 CIDR block of IP addresses for our public-facing cloud media services into your firewall’s allowlist.

Notes:

It is important to understand that Genesys is asking you to add the /20 CIDR block of IP addresses to your existing firewall allowlist. You do not need to remove access to current addresses.
You have to allow the full /20 CIDR block of IP addresses.

Readiness check

To help you prepare to use the CIDR block of IP addresses, Genesys provides you with two ways to confirm whether you are ready to use the CIDR block of IP addresses or need to make further adjustments to your firewall settings.

You can access the Genesys Cloud WebRTC Diagnostics app and run the automated tests found on the Network Test tab.
You can run the set of manual tests described in this article.

Genesys provides you with a set of cloud-based network connectivity diagnostic endpoints that you can use to test against. To perform the manual tests, you can use commonly available network connectivity tools, such as netcat and nmap.

To ensure the entirety of the address range is covered, please run these checks against each one of the following destination FQDNs:

netdiag.use1.pure.cloud
netdiag.usw2.pure.cloud
netdiag.cac1.pure.cloud
netdiag.sae1.pure.cloud
netdiag.euw1.pure.cloud
netdiag.euw2.pure.cloud
netdiag.euc1.pure.cloud
netdiag.apne1.pure.cloud
netdiag.apne2.pure.cloud
netdiag.apse2.pure.cloud
netdiag.aps1.pure.cloud

These tests are for guidance purposes only and are intended for use by a network and firewall expert.

Destination protocol & port	Sample test command	Successful response	Failed response
tcp/3478	`nc -v netdiag.use1.pure.cloud 3478` (Run this from the same network as Genesys Cloud client application)	No specific response is displayed, but a successful connection handshake is indicated.	The connection times out.
udp/3478	`nmap -sU -p 3478 --script stun-info netdiag.use1.pure.cloud` (You must be using nmap version 7.9 or later to run this command.)	The response includes a stun-info section listing an external IP address. This will be followed by: nmap done: 1 IP address (1 host up) scanned in #.## seconds	You receive a “host is down” response.
udp/16384-32768	`echo "Hello" \| nc -uv netdiag.use1.pure.cloud 16384` (Run this from same the network as Genesys Cloud client application.)	The response includes: GoodbyeGoodbyeGoodbyeGoodbyeGoodbye (This command sends five packets, which result in five “Goodbye” responses; one for each packet.)	You do not receive a “Goodbye” response.
tcp/8061 (Run this test if you are using hardware phones with cloud media.)	`echo "Hello" \| nc -v netdiag.use1.pure.cloud 8061` (Run this from same network on which the hardware phones are connected.)	The response includes: Goodbye	You do not receive a “Goodbye” response.
tcp/5061 (Run this test if you are using premises Edge appliances.)	`echo "Hello" \| nc -v netdiag.use1.pure.cloud 5061` (Run this from same network on which the Edge devices are connected.)	The response includes: Goodbye	You do not receive a “Goodbye” response.

Genesys Cloud services

Use the information in this table to gain a detailed understanding of the Genesys Cloud services that will be affected by the addition of the CIDR IP address block. This information helps you to identify the Source, Destination address, and the Destination transport protocol/port associated with each of the affected services.

Services	Source	Destination address	Destination transport protocol/port	Description
WebRTC Client
Signaling	WebRTC Client	52.129.96.0/20	tcp/443	Controls plane signaling between the WebRTC Client and cloud-based XMPP Gateway. Used in both cloud media and premises Edge deployments.
STUN	WebRTC Client	52.129.96.0/20	tcp/3478 udp/3478	Identifies the public IP address of the WebRTC Client.
Media	WebRTC Client	52.129.96.0/20	udp/16384-32768	Media sent to Genesys Cloud TURN or media services.
Managed Hardware Phone
Signaling	Hardware Phone	52.129.96.0/20	tcp/8061	SIP signaling between the hardware phone and cloud-based SIP services.
Media	Hardware Phone	52.129.96.0/20	udp/16384-32768	Media sent to Genesys Cloud media services.
BYOC Cloud
Media	Customer’s Carrier or PBX Device	52.129.96.0/20	udp/16384-32768	Media sent to Genesys Cloud media services.
ACD Screen Recording & Video Chat
Signaling	Genesys Cloud Client	52.129.96.0/20	tcp/443	Control plane signaling between the WebRTC Client and cloud-based XMPP Gateway. Used in both cloud media and premises Edge deployments.
STUN	Genesys Cloud Client	52.129.96.0/20	tcp/3478 udp/3478	Identifies the public IP address of the Screen Recording and Video Chat Client.
Media	Genesys Cloud Client	52.129.96.0/20	udp/16384-32768	Media sent to Genesys Cloud TURN or media services.
Premises Edge Appliance
WebRTC Signaling	Premises Edge Appliance	52.129.96.0/20	tcp/5061	Control plane signaling between the Edge device and cloud-based XMPP Gateway.
WebRTC TURN	Premises Edge Appliance	52.129.96.0/20	udp/16384-32768	Media sent to Genesys Cloud TURN services.
WebRTC STUN	Premises Edge Appliance	52.129.96.0/20	tcp/3478 udp/3478	Used to identify public IP address of the Edge device.

AWS Direct Connect & routing specific information

AWS advertises the Genesys CIDR block both publicly and within Direct Connect.

Direct Connect customers who are not performing route filtering have no additional changes to make. Genesys recommends doing a lookup on the route table to ensure they are seeing the Genesys CIDR block (52.129.96.0/20), which includes anything greater than or equal to /20. For example, AWS may segment the block into /21’s, /22’s, /23’s, /24’s, and so on.
Direct Connect customers who are performing route filtering must permit the Genesys CIDR block (52.129.96.0/20), which includes anything greater than or equal to /20. For example, AWS may segment the block into /21’s, /22’s, /23’s, /24’s, and so on.

For more information on AWS Direct Connect routing and filtering, see AWS Routing policies and BGP communities.

Note: Genesys Cloud currently uses IP addresses found in the Amazon AWS IP address JSON file for many services. Only the services listed on this page will be migrating to the dedicated Genesys-owned CIDR block of IP addresses. Keep in mind that during the migration period Genesys will continue to use these AWS IP addresses while incorporating the new CIDR block IP addresses for the listed services. Once the migration is complete, Genesys will provide guidance on modifying firewall configurations to prevent media-related connections to the Amazon AWS IP ranges while still allowing for HTTPS requests needed by other services.

Revision history

Date	Revision
February, 24, 2021	Added information about the new automated tests in the Genesys Cloud WebRTC Diagnostics app to the Readiness check section. Changed the date from March 3 to March 10 in the Feature coming soon section.
January 27, 2021	Added a Readiness check section that includes a set of cloud-based network connectivity diagnostic endpoints that you can use to test against. This section includes example netcat and nmap commands that you can use confirm whether you are ready to use the CIDR block of IP addresses or indicate that you need to make other changes. Added a section that provides more specific details concerning the Genesys Cloud services that will be affected by the addition of the CIDR IP address block. This section includes a table identifying the Service, Source, Destination address and Destination transport protocol and port. Added a section that describes AWS Direct Connect and routing specific information.
November 25, 2020	Modified the article to add more detail about the affected Genesys Cloud services.
November 04, 2020	Added article to the Resource Center.

Genesys Cloud Resource Center Resource Center

Cloud media services CIDR IP address range

Readiness check

Genesys Cloud services

AWS Direct Connect & routing specific information

Revision history

Still have questions?