Configure SIP Access Control


External trunk and SIP Phone trunk configuration

Prerequisites

  • Telephony Admin role

When you are configuring SIP Access Control, you are essentially controlling what entities on the Internet can contact PureCloud using the external/SIP phone trunk. You do so by building Allow and Deny lists consisting of IP or CIDR addresses that are either allowed to or prevented from using the external/SIP phone trunk.

While you can enter addresses in both lists, it is a PureCloud best practice to configure SIP Access Control primarily as an allowlist, using the Allow the Following Addresses list. Allow list operations take place early in system processing and require less overhead than Deny list operations.

Notes:
  • The SIP Access Control List (ACL) only applies to inbound SIP trunk calls.
  • When you are configuring an external trunk, IP addresses that you add to the SIP Servers or Proxies section are automatically added to the Allow the Following Addresses list.

 


To configure the SIP Access Control settings:

  1. Click Admin.
  2. Under Telephony, click Trunks.
  3. Click the appropriate tab: External Trunks or Phone Trunks.
  4. From the list, select the trunk you want to configure.
  5. Under SIP Access Control > Use Source Address:
    • Set the switch to Yes if you want the ACL matching to use the SIP message source address.
    • Set the switch to No if you want the ACL matching to use the VIA header originating address.
  6. To add an address to the Allow the Following Addresses list, enter that address in the Add an IP or CIDR address field and click Plus.
  7. To add an address to the Always Deny the Following Addresses list, enter that address in the Add an IP or CIDR address field and click Plus.
  8. Leave the Allow All check box unselected.
  9. Click Save External Trunk or Save Phone Trunk.

Allow All

If you are not sure of the exact addresses that you want to allow, you can select the Allow All check box. When you do so, you’ll see a warning message informing you that allowing all addresses is a security risk because any entity on the Internet can contact PureCloud using the trunk. As an example, enabling Allow All could put your organization at risk of receiving a denial of service attack.
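
A pre-entry check for the two lists, as an added example that is not part of the original page or of PureCloud: it validates each IP or CIDR entry, flags allow entries so broad that they approach the exposure of Allow All, and reports overlaps between the Allow and Deny lists. The function names, the width thresholds in MIN_PREFIX and the sample addresses are assumptions made for this example.

```python
import ipaddress

# Assumption for this example: allow entries wider than these prefixes get flagged.
MIN_PREFIX = {4: 16, 6: 32}

def parse(entry):
    """Parse an IP or CIDR string; return (network, host_bits_set) or None."""
    try:
        iface = ipaddress.ip_interface(entry.strip())
    except ValueError:
        return None
    return iface.network, iface.ip != iface.network.network_address

def review_acl(allow, deny):
    """Return (severity, entry, message) findings for proposed Allow/Deny lists."""
    findings, nets = [], {"allow": [], "deny": []}
    for name, entries in (("allow", allow), ("deny", deny)):
        for entry in entries:
            parsed = parse(entry)
            if parsed is None:
                findings.append(("error", entry, "not an IP or CIDR address"))
                continue
            net, host_bits = parsed
            nets[name].append((entry, net))
            if host_bits:
                findings.append(("warn", entry, f"host bits set; covers all of {net}"))
            if name == "allow" and net.prefixlen == 0:
                findings.append(("critical", entry,
                                 "matches every address of its family, same exposure as Allow All"))
            elif name == "allow" and net.prefixlen < MIN_PREFIX[net.version]:
                findings.append(("warn", entry, f"broad range ({net.num_addresses} addresses)"))
    # Overlaps between the lists deserve a second look before saving the trunk.
    for a_entry, a_net in nets["allow"]:
        for d_entry, d_net in nets["deny"]:
            if a_net.version == d_net.version and a_net.overlaps(d_net):
                findings.append(("warn", a_entry, f"overlaps deny entry {d_entry}"))
    return findings

# Constructed sample lists (documentation address ranges, not real trunk peers).
SAMPLE_ALLOW = ["203.0.113.0/24", "198.51.100.7/24", "0.0.0.0/0", "10.0.0.0/8", "sip.example.com"]
SAMPLE_DENY = ["203.0.113.99"]

if __name__ == "__main__":
    for severity, entry, message in review_acl(SAMPLE_ALLOW, SAMPLE_DENY):
        print(f"{severity:8} {entry:18} {message}")
```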