Ports and services to configure on your company firewall


On this page you’ll find detailed information on the ports and services that you’ll need to configure on your company firewall based on your product/source (client). Locate the header for your product and expand the appropriate section. Then, where applicable, select the tab matching the service you are using. On each tab, you’ll find a table that provides the following information:

  • Transport/Port (Application)

The transport protocol is a description of the type of network traffic used for the application. Most applications use either TCP or UDP as a transport, and sometimes both, which depends on how the application operates. Most applications’ protocols have standard ports selected, which are commonly used for that service on the public Internet. PureCloud typically uses the standard port for each application protocol.

  • Destination

The destination device is the server which is listening for “inbound” requests to the application port. Inbound requests are received from the client from its transmission port.

  • Description

The description contains additional information about the connectivity requirement.

Note: The WAN network interface port must connect to a network that supports external DNS resolution to ensure Cloud Connectivity.


General

Transport/Port (Application) Destination Description
udp/53 (DNS) *

tcp/53 (DNS) *

  † DNS provides name resolution for network connections. DNS is used by most applications; it converts names like “mypurecloud.com” to the IP addresses required for connectivity.

These settings apply to:

  • Workstations / PureCloud client (browser or desktop app)
  • Mobile / PureCloud mobile app (iOS and Android)
  • VoIP phones
  • Edge devices
  • Bridge Servers

* Typical. If your network is configured for private or internal DNS, then port 53 is not required.

† Third-party service; not hosted by PureCloud.


Transport/Port (Application) Destination Description
udp/123 (NTP) time.nist.gov* NTP provides time synchronization. Devices that use NTP will automatically set their clock from the network source and occasionally update their time for accuracy.

These settings apply to:

  • VoIP phones
  • Edge devices
  • Bridge Servers

* Third-party service; not hosted by PureCloud.


Co-browse, chat, video chat, screen share, screen recording


Transport/Port (Application) Destination Description
tcp/443 (HTTPS) PureCloud, Amazon AWS The secure connection from your client (desktop, web, mobile) to the PureCloud Services on the public Internet.

Transport/Port (Application) Destination Description

tcp/3478 (STUN)

udp/3478 (STUN)

tcp/19302 (STUN)

udp/19302 (STUN)

PureCloud, Amazon AWS

Google*

Session Traversal Utilities for NAT (STUN) is an egress connection that informs a host of its public IP address used for media-based communications.
udp/49152–65535 (SRTP) PureCloud, Amazon AWS The secured transmission of streaming media (audio and video).

* Third-party service; not hosted by PureCloud.



Transport/Port (Application) Destination Description
tcp/443 (HTTPS) PureCloud, Amazon AWS The secure connection from your client (desktop, web, mobile) to the PureCloud Services on the public Internet.

Transport/Port (Application) Destination Description
tcp/5222 (XMPP) PureCloud, Amazon AWS The secure connection from your client (desktop, web, mobile) to the PureCloud Services on the public Internet.



Bridge Server



Transport/Port (Application) Destination Description
tcp/443 (HTTPS) PureCloud, Amazon AWS The secure connection from your premises Bridge Server to the PureCloud Services on the public Internet.

Transport/Port (Application) Destination Description

tcp/389 (LDAP)*

tcp/636 (LDAPS)*

Corporate Active Directory environment The connection from your Bridge server to the corporate Active Directory environment.

* LDAP Ports are only required if your solution uses the PureCloud Bridge Server for Active Directory integration. 



PureCloud Edge


Transport/Port (Application) Destination Description
tcp/443 (HTTPS) PureCloud, Amazon AWS The secure connection from your premise Edge devices (LDM) to the PureCloud Services on the public Internet.

Transport/Port (Application) Destination Description

tls/8063

Edge devices in the same Edge Group The connection for Edges to communicate with each other. The connection can optionally be secured.

Transport/Port (Application) Destination Description
tcp/5060-5061 PureCloud, Amazon AWS The connection for Edges to connect to the PureCloud services for WebRTC softphones.

Transport/Port (Application) Destination Description

tcp/3478 (STUN)

udp/3478 (STUN)

tcp/19302 (STUN)

udp/19302 (STUN)

PureCloud, Amazon AWS

Google

Session Traversal Utilities for NAT (STUN) is an egress connection that informs a host of its public IP address used for media-based communications.

† Third-party service; not hosted by PureCloud.

Transport/Port (Application) Destination Description

udp/16384-32768 (SRTP/TURN)

udp/49152–65535* (SRTP/TURN)

*This upper range is no longer needed for TURN, but is still supported for backward compatibility.

PureCloud Edge devices (premise), PureCloud, and Amazon AWS

The transmission of secured streaming media (audio).

For more information, see Ports and services for WebRTC.

Transport/Port (Application) Destination Description

udp/5060 (SIP)*

tcp/5060 (SIP)*

tcp/5061 (SIPS) [without FENT]*

VoIP phones The connection for VoIP signaling (dialing, ringing, etc. for inbound and outbound calls). The connection can optionally be secured.
vendor specified (SIP)* Telephony SIP Provider (PSTN) † The connection for VoIP signaling (dialing, ringing, etc. for inbound and outbound calls). The connection can optionally be secured.

* Default ranges; ports can be changed in the PureCloud configuration.

† Third-party service; not hosted by PureCloud.

Transport/Port (Application) Destination Description
udp/4000+ (RTP/SRTP)* VoIP phones The transmission of streaming media (audio). The connection can optionally be secured.
vendor specified (RTP/SRTP)* Telephony SIP Provider (PSTN) † The connection for VoIP signaling (dialing, ringing, etc. for inbound and outbound calls). The connection can optionally be secured.

* Default ranges; ports can be changed in the PureCloud configuration.

† Third-party service; not hosted by PureCloud.



PureCloud Voice

Transport/Port (Application) Destination Description
tcp/443 (HTTPS) Polycom ZTP The secure connection an unconfigured Polycom device will make to discover its initial configuration.

† Third-party service; not hosted by PureCloud.

Transport/Port (Application) Destination Description

tcp/80 (HTTP)

tcp/443 (HTTPS)

PureCloud Global Phone Provisioning (AWS) The connection a phone makes for organization level configuration. The connection can optionally be secured.

tcp/80(HTTP)*

tcp/443 (HTTPS)*

PureCloud Edge devices The connection a phone makes for VoIP configuration. The connection can optionally be secured.

* Default ranges; ports can be changed in the PureCloud configuration.

Transport/Port (Application) Destination Description

tcp/8061 (SIPS)*

PureCloud Edge devices The connection for VoIP signaling (dialing, ringing, etc. for inbound and outbound calls). The connection can optionally be secured.

* Default ranges; ports can be changed in the PureCloud configuration.

Transport/Port (Application) Destination Description
udp/16384-32768 (RTP/SRTP) PureCloud Edge devices The transmission of streaming media (audio). The connection can optionally be secured.

Transport/Port (Application) Destination Description
tcp/443 (HTTPS) PureCloud, Amazon AWS The secure connection for VoIP signaling (dialing, ringing, etc. for inbound and outbound calls).

tcp/3478 (STUN)

udp/3478 (STUN)

tcp/19302 (STUN)

udp/19302 (STUN)

PureCloud, Amazon AWS

Google*

These ports must be opened for both the client and Edges. These are used for the srflx and relay candidates. If they are closed, calls will have a high rate of failure.

* Third-party service; not hosted by PureCloud.

Transport/Port (Application) Destination Description

udp/16384-32768 (SRTP/TURN)

udp/49152–65535* (SRTP/TURN)

*This upper range is no longer needed for TURN, but is still supported for backward compatibility.

PureCloud Edge devices, PureCloud, Amazon AWS

The transmission of secured streaming media (audio).

For more information, see Ports and services for WebRTC.

BYOC Premises

Transport/Port (Application) Destination Description
tcp/443 (HTTPS) Polycom ZTP The secure connection an unconfigured Polycom device will make to discover its initial configuration.

† Third-party service; not hosted by PureCloud.

Transport/Port (Application) Destination Description

tcp/80 (HTTP)

tcp/443 (HTTPS)

PureCloud Global Phone Provisioning (AWS) The connection a phone makes for organization level configuration. The connection can optionally be secured.

tcp/8088 (HTTP)* [legacy]

tcp/8089 (HTTPS)*[legacy]

tcp/80 (HTTP)*

tcp/443 (HTTPS)*

PureCloud Edge devices The connection a phone makes for VoIP configuration. The connection can optionally be secured.

* Default ranges; ports can be changed in the PureCloud configuration.

Transport/Port (Application) Destination Description

udp/8060 (SIP)*

tcp/8060 (SIP)*

tcp/8061 (SIPS)*

PureCloud Edge devices The connection for VoIP signaling (dialing, ringing, etc. for inbound and outbound calls). The connection can optionally be secured.

* Default ranges; ports can be changed in the PureCloud configuration.

Transport/Port (Application) Destination Description
udp/16384-32768 (RTP/SRTP) PureCloud Edge devices The transmission of streaming media (audio). The connection can optionally be secured.

Transport/Port (Application) Destination Description
tcp/443 (HTTPS) PureCloud, Amazon AWS The secure connection for VoIP signaling (dialing, ringing, etc. for inbound and outbound calls).

tcp/3478 (STUN)

udp/3478 (STUN)

tcp/19302 (STUN)

udp/19302 (STUN)

PureCloud, Amazon AWS

Google*

These ports must be opened for both the client and Edges. These are used for the srflx and relay candidates. If they are closed, calls will have a high rate of failure.

* Third-party service; not hosted by PureCloud.

Transport/Port (Application) Destination Description

udp/16384-32768 (SRTP/TURN)

udp/49152–65535* (SRTP/TURN)

*This upper range is no longer needed for TURN, but is still supported for backward compatibility.

PureCloud Edge devices, PureCloud, and Amazon AWS

The transmission of secured streaming media (audio).

For more information, see Ports and services for WebRTC.


Transport/Port (Application) Destination Description

udp/5060*

tcp/5060*

tcp/5061*

Edge devices (LDM/premise) The connection for VoIP signaling (dialing, ringing, and so on for inbound and outbound calls). The connection can optionally be secured.

* Default ranges; ports can be changed in the PureCloud configuration.

Transport/Port (Application) Destination Description
udp/16384-32768 (RTP/SRTP) Edge devices (LDM/premise) The transmission of streaming media (audio). The connection can optionally be secured.


BYOC Cloud


You will need to make sure that your carrier allows traffic from these addresses. 

If you are using a 3rd-party premises-based carrier or PBX device/service, then you need to make sure that connectivity to these addresses is allowed.

Note: Also see the Amazon AWS IP address information in the Domains and IP Addresses section of this article.

Domain byoc.mypurecloud.com
DNS SRV and SIP FQDN <customer prefix>.byoc.mypurecloud.com

Server DNS 

(If SRV not supported)

us-east-1

lb01.byoc.us-east-1.mypurecloud.com

lb02.byoc.us-east-1.mypurecloud.com

lb03.byoc.us-east-1.mypurecloud.com

lb04.byoc.us-east-1.mypurecloud.com


eu-west-1

lb01.byoc.eu-west-1.mypurecloud.ie

lb02.byoc.eu-west-1.mypurecloud.ie

lb03.byoc.eu-west-1.mypurecloud.ie

lb04.byoc.eu-west-1.mypurecloud.ie


eu-central-1

lb01.byoc.eu-central-1.mypurecloud.de

lb02.byoc.eu-central-1.mypurecloud.de

lb03.byoc.eu-central-1.mypurecloud.de

lb04.byoc.eu-central-1.mypurecloud.de


ap-southeast-2

lb01.byoc.ap-southeast-2.mypurecloud.com.au

lb02.byoc.ap-southeast-2.mypurecloud.com.au

lb03.byoc.ap-southeast-2.mypurecloud.com.au

lb04.byoc.ap-southeast-2.mypurecloud.com.au


ap-northeast-1

lb01.byoc.ap-northeast-1.mypurecloud.jp

lb02.byoc.ap-northeast-1.mypurecloud.jp

lb03.byoc.ap-northeast-1.mypurecloud.jp

lb04.byoc.ap-northeast-1.mypurecloud.jp



Note: Firewall settings for BYOC Cloud will be provided by your carrier.

Domains and IP Addresses

Owner Domain Region Description
PureCloud  *.mypurecloud.com North America Provides the PureCloud interface for users and admins; domains are region-specific and each PureCloud organization exists within only one region. Entities with multiple organizations may be deployed in various regions.
*.mypurecloud.com.au Australia & New Zealand

*.mypurecloud.ie

*.mypurecloud.de

Europe
*.mypurecloud.jp Japan
*.ininpcv.com North America  Provides voice and configuration services for PureCloud Voice phones. (PureCloud Voice customers only). This domain is legacy and not used for new customers.
Amazon AWS *.cloudfront.net All Provides static content for PureCloud applications.

*.s3.amazonaws.com

*.s3.{region}.amazonaws.com

where {region} is the domain for your particular region.

All Provides S3 download links.
Google *.googleapis.com All Provides cascading style sheet (CSS) and font information.
*.gstatic.com All Provides static content, mainly images.
*.google-analytics.com All Provides Google analytics.
*.l.google.com All Provides STUN services for Edge devices, VoIP phones, WebRTC softphones, and Collaborate multimedia.
New Relic *.js-agent.newrelic.com All Requests made by client-side New Relic analytics browser applications.
*.bam.nr-data.net All Requests made by client-side New Relic analytics browser applications.
National Institute of Standards and Technology (NIST)

time.nist.gov

All (The global address time.nist.gov is resolved to all of the appropriate server addresses.) The NIST servers listen for an NTP request on port 123, and respond by sending a udp/ip data packet in the NTP format. The data packet includes a 64-bit timestamp.
Polycom *.ztp.polycom.com All Provides zero-touch phone provisioning for Polycom VoIP phones.

† Third-party service; not hosted by PureCloud.

An asterisk (*) prefix indicates that services may exist in one or more subdomains of the defined domain.

PureCloud is deployed in a public cloud environment where IP addresses are expected to change. The IP addresses used by PureCloud are provided by our vendor from their public IP pool, which contains many IP addresses used by many other organizations. All client connections to PureCloud are initiated as outbound connections to PureCloud cloud services. When network access restrictions are used, such as a firewall, PureCloud recommends allowing client outbound access on the specified ports to any IP destination.

The table below lists each vendor and, where available, provides a list of potential IP addresses its services use.

Note: Vendors may update the lists at any time without notice.

Owner Services IP addresses Description
Amazon AWS PureCloud
Amazon AWS (CloudFront, S3, and others)
https://ip-ranges.amazonaws.com/ip-ranges.json Amazon AWS utilizes a large set of IP address ranges. Services deployed in AWS can use any of these addresses, and addresses are subject to change frequently. Amazon provides and maintains a list of available IP addresses, which is subject to change. More details are available here: http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
Google Google does not provide a list of potential IP addresses its services use.
New Relic NewRelic provides IP and domain details here: https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/networks
Polycom Polycom does not provide a list of potential IP addresses its services use.

Note: PureCloud does not own any of the IP addresses it uses; rather, all addresses come from third-party service provider IP pools. The availability of potential IP address lists depends on each provider publishing those IP addresses. The IP lists that are provided do not list only the IP addresses in use by PureCloud; they also include IP addresses used by other non-PureCloud services.
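For sites that cannot allow outbound access to any destination, the following added example (not PureCloud or Amazon code) filters a document in the ip-ranges.json layout down to one region's prefixes and reports what changed between two publications. The sample documents, the chosen region and service sets, and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json. The prefixes are
# RFC 5737 documentation ranges, not real AWS allocations.
OLD = json.loads("""{
  "syncToken": "1000",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/25",   "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "203.0.113.0/24",    "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "192.0.2.0/24",      "region": "eu-west-1", "service": "AMAZON"}
  ]}""")
# A later constructed publication in which the first prefix was withdrawn.
NEW = {"syncToken": "1001", "prefixes": OLD["prefixes"][1:]}

# Assumptions: the organization lives in us-east-1, and CloudFront edge
# prefixes are published under the pseudo-region GLOBAL.
REGIONS = {"us-east-1", "GLOBAL"}
SERVICES = {"AMAZON", "S3", "CLOUDFRONT"}


def allowlist(doc, regions=REGIONS, services=SERVICES):
    """Return the smallest set of IPv4 networks covering the wanted prefixes."""
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"]
            if p["region"] in regions and p["service"] in services]
    # Adjacent and overlapping prefixes are merged so the firewall gets fewer rules.
    return list(ipaddress.collapse_addresses(nets))


def drift(old, new):
    """Return (rules_to_add, rules_to_remove) when the list was republished."""
    if old["syncToken"] == new["syncToken"]:
        return [], []  # same publication, nothing to do
    before, after = set(allowlist(old)), set(allowlist(new))
    # The diff is at rule level: a merged /24 that loses half its space shows up
    # as "remove the /24, add the remaining /25".
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    print("allow:", [str(n) for n in allowlist(OLD)])
    added, removed = drift(OLD, NEW)
    print("add:", [str(n) for n in added], "remove:", [str(n) for n in removed])
```

Because vendors may update the list without notice, a job like this has to re-run on a schedule; a stale allowlist fails closed and shows up as intermittent connection failures.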

PureCloud strongly recommends that the Edges sit behind a NAT that follows the Internet best current practice for UDP as defined in RFC 4787. PureCloud requires the NAT to provide “endpoint-independent mapping” behavior. If both peers of a WebRTC media session sit behind NATs that do not provide endpoint-independent mapping behavior, the media traffic often requires a relay through a TURN server. Relay through a TURN server results in increased latency and impairs the WebRTC user experience.
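One way to check a NAT for this behavior, as an added example that is not PureCloud code: send a STUN Binding Request from a single local UDP socket to two different STUN servers and compare the reflexive (srflx) addresses they report. The block below builds the request, decodes XOR-MAPPED-ADDRESS per RFC 5389, and classifies the result; `fake_response` and its addresses are constructed stand-ins for server replies so the logic runs offline.

```python
import ipaddress
import os
import struct

MAGIC = 0x2112A442            # STUN magic cookie (RFC 5389)
XOR_MAPPED_ADDRESS = 0x0020


def binding_request():
    """Return (message, transaction_id) for a Binding Request with no attributes."""
    txid = os.urandom(12)
    return struct.pack("!HHI", 0x0001, 0, MAGIC) + txid, txid


def parse_mapped(resp, txid):
    """Return (ip, port) from the XOR-MAPPED-ADDRESS of a Binding Success Response."""
    if len(resp) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", resp[:8])
    if mtype != 0x0101 or cookie != MAGIC or resp[8:20] != txid:
        raise ValueError("not a success response to our request")
    pos, end = 20, min(len(resp), 20 + length)
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", resp[pos:pos + 4])
        val = resp[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(val) >= 8 and val[1] == 0x01:
            port = struct.unpack("!H", val[2:4])[0] ^ (MAGIC >> 16)
            addr = struct.unpack("!I", val[4:8])[0] ^ MAGIC
            return str(ipaddress.IPv4Address(addr)), port
        pos += 4 + alen + (-alen % 4)   # attributes are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")


def mapping_behavior(mapped_a, mapped_b):
    """Classify mappings reported by two different servers for ONE local socket."""
    # The same public ip:port toward different destinations means the NAT
    # reuses the mapping, which is the endpoint-independent case in RFC 4787.
    return "endpoint-independent" if mapped_a == mapped_b else "endpoint-dependent"


def fake_response(txid, ip, port):
    """Constructed server reply (hypothetical helper) for offline testing."""
    val = struct.pack("!BBHI", 0, 1, port ^ (MAGIC >> 16),
                      int(ipaddress.IPv4Address(ip)) ^ MAGIC)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(val)) + val
    return struct.pack("!HHI", 0x0101, len(attr), MAGIC) + txid + attr


if __name__ == "__main__":
    _, txid = binding_request()
    a = parse_mapped(fake_response(txid, "203.0.113.7", 40000), txid)
    b = parse_mapped(fake_response(txid, "203.0.113.7", 40001), txid)
    print(a, b, mapping_behavior(a, b))
```

In a live check, both requests must leave from the same bound socket on one of the STUN ports listed above; an "endpoint-dependent" result predicts that media between two such networks will fall back to a TURN relay.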

Revision history


Date

Revision

November 21, 2018

Removed Pendo references from Domains and IP Addresses section. PureCloud no longer supports Pendo.

October 31, 2018

Added links to the Ports and services for WebRTC article to the following sections:

PureCloud Edge>Edge Devices>WebRTC

PureCloud Voice>WebRTC Phones

BYOC Premises>WebRTC Phones

August 24, 2018

Added region directive to the Domains and IP Addresses>Domains section in the Amazon AWS row to specify that regional domain names are now needed to provide the S3 download links. 

*.s3.{region}.amazonaws.com

where {region} is the domain for your particular region.

July 12, 2018

Added *.mypurecloud.de to the Domains and IP Addresses>Domains section to reflect that we have a new region in Europe: eu-central-1.

June 26, 2018

Reworded the Description of *.cloudfront.net under the Domains and IP Addresses>Domains section to indicate that this domain covers a host of PureCloud applications. For example, in addition to the PureCloud user interface, it covers client integrations, such as PureCloud for Salesforce, and plugins, such as co-browse.

June 25, 2018

Added Transport/Port/Application information to the PureCloud Voice>WebRTC Phones>WebRTC Signaling and BYOC Premises>WebRTC Phones>WebRTC Signaling sections. (This information was already in the article under the PureCloud Edge>Edge devices>WebRTC>WebRTC Station Trunk section.)

April 2, 2018

Reorganized the layout of the article using new headings and expandable sections containing information broken out in tabs to make it easier to find the configuration details required for a particular configuration. The reorganization also allowed the incorporation of new content from the addition of BYOC. See About BYOC.

January 8, 2018

Added Co-browse to the table in the Chat and Video section.

May 30, 2017

In the Destination column, changed PureCloud (AWS) to PureCloud, Amazon AWS to illustrate we connect to PureCloud and Amazon AWS owned domains and Amazon AWS owned IP addresses.

May 3, 2017

Added firewall and port keywords for search results.

March 9, 2017

Added NIST server address info to Core Services and Domain and IP Addresses sections.

January 31, 2017

Complete redo of page based on feedback from development.

December 21, 2016

Deleted tables that listed the exact IP addresses.

December 16, 2016

The port for Network Time Protocol (NTP) changed to time.nist.gov.

December 19, 2016

Edge group communication port 8062 and 8063 added to Telephony table.

November 30, 2016

Added note to Domains and IP Addresses section.

November 21, 2016

Added ztp.polycom.com to Domains and IP addresses table.

November 17, 2016

Added specific IP addresses to WebRTC services table.

November 16, 2016

Added specific IP addresses to Collaboration services table.

November 15, 2016

Added Note about ports open for both Edge and agent networks to WebRTC table.

Added WebSocket info to Collaboration services table.

November 10, 2016

Added Specific IP addresses used by Telephony services table to Telephony services section.

October 31, 2016

Added New Relic info to Domains and IP addresses table

October 25, 2016

Added port 123 for NTP server to the Telephony services table

October 24, 2016

Added IP address 8.8.8.8 to Domains and IP addresses table

October 20, 2016

Added DNS port 53 to multiple tables

October 19, 2016

Added Revision history table