Configure SIP Access Control

Prerequisites
  • Telephony > Plugin > All permission

When you configure SIP Access Control, you control which entities on the Internet can contact Genesys Cloud using an External SIP trunk, a SIP Phone trunk, or a BYOC Cloud trunk.

Notes:
  • The SIP Access Control List (ACL) applies to inbound and outbound SIP trunk calls. 
  • When you are configuring an external trunk, any IP addresses that you add to the SIP Servers or Proxies section are automatically added to the Allow the Following Addresses list.

External SIP trunk or SIP Phone trunk

For an External SIP trunk or a SIP Phone trunk, you configure SIP Access Control by building an allowlist or denylist consisting of IP or CIDR addresses that are either allowed to or prevented from using the External SIP or SIP phone trunk.

While you can enter addresses in both lists, it is a Genesys Cloud best practice to configure the SIP Access Control List primarily using an allowlist via the Allow the Following Addresses list. The reason is that allowlist operations take place early in the system processing and require less overhead relative to the denylist operations.

  1. Click Admin.
  2. Under Telephony, click Trunks.
  3. Click the appropriate tab: External Trunks or Phone Trunks.
  4. From the list, select the trunk you want to configure.
  5. Under SIP Access Control > Use Source Address:
    • Set the switch to Yes if you want the ACL matching to use the SIP message source address.
    • Set the switch to No if you want the ACL matching to use the VIA header originating address.
  6. To add an address to the Allow the Following Addresses list, enter that address in the Add an IP or CIDR address box and click Plus.
  7. To add an address to the Always Deny the Following Addresses list, enter that address in the Add an IP or CIDR address box and click Plus.
  8. Leave the Allow All check box blank.
  9. Click Save External Trunk or Save Phone Trunk.

Note: If you are not sure of the exact addresses that you want to allow, you can select the Allow All check box. When you do so, you see a warning message informing you that allowing all addresses is a security risk because any entity on the Internet can contact Genesys Cloud using the trunk. As an example, enabling Allow All could put your organization at risk of receiving a denial of service attack.
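
The following pre-flight check is an added example, not part of the Genesys Cloud documentation or product. It lints a proposed allowlist and denylist before the addresses are entered in the trunk settings; the function names, the breadth thresholds, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumed review thresholds (not Genesys Cloud limits): prefixes shorter than
# these are reported as broad.
MIN_PREFIX = {4: 24, 6: 48}

def parse_entries(entries):
    """Parse IP or CIDR strings; return (networks, error messages)."""
    nets, errors = [], []
    for raw in entries:
        try:
            # strict=True rejects entries such as 192.0.2.5/24 (host bits set),
            # which are usually typos for a single address or for the network.
            nets.append(ipaddress.ip_network(raw.strip(), strict=True))
        except ValueError as exc:
            errors.append(f"invalid: {raw!r}: {exc}")
    return nets, errors

def review_acl(allow, deny):
    """Return findings for a proposed allowlist and denylist."""
    allow_nets, findings = parse_entries(allow)
    deny_nets, deny_errors = parse_entries(deny)
    findings += deny_errors
    for net in allow_nets:
        if net.prefixlen == 0:
            findings.append(f"allow {net}: matches every address, same exposure as Allow All")
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"allow {net}: broad range, {net.num_addresses} addresses")
    for a in allow_nets:
        for d in deny_nets:
            if a.version == d.version and a.overlaps(d):
                findings.append(f"overlap: allow {a} and deny {d}")
    return findings

if __name__ == "__main__":
    # Constructed sample entries (documentation address ranges).
    allow = ["203.0.113.10", "198.51.100.0/24", "10.0.0.0/8", "192.0.2.5/24", "0.0.0.0/0"]
    deny = ["198.51.100.7"]
    for finding in review_acl(allow, deny):
        print(finding)
```

An overlap is reported for review only; this page does not state how the trunk resolves an address that appears in both lists.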

BYOC Cloud trunk

For a BYOC Cloud trunk (BYOC Carrier or BYOC PBX), you configure SIP Access Control by building an allowlist consisting of IP or CIDR addresses that are allowed to use the BYOC Cloud trunk. There isn’t a denylist for BYOC Cloud trunks.

  1. Click Admin.
  2. Under Telephony, click Trunks.
  3. Click the External Trunks tab.
  4. From the list, select the BYOC Cloud trunk you want to configure.
  5. Under SIP Access Control, add an address to the Allow the Following Addresses list by entering that address in the Add an IP or CIDR address box and clicking Plus.
  6. Click Save External Trunk.