The following acronyms are used in this document:
|ACL||Access Control List||QoS||Quality of Service|
|ALG||Application Layer Gateway||RTP||Real-time Protocol|
|DPI||Deep Packet Inspection||SIP||Session Initiation Protocol|
|DSCP||Differentiated Services Code Point||SPI||Stateful Packet Inspection|
|EF||Expedited Forwarding||TCP||Transport Control Protocol|
|IP||Internet Protocol||UDP||User Diagram Protocol|
|ISP||Internet Service Provider||VLAN||Virtual LAN|
|LAN||Local Area Network||VoIP||Voice over IP|
|NTP||Network Time Protocol||WAN||Wide-Area Network|
Required and Recommended Devices and Configurations
RingCentral requires that the User network supports a minimal set of features to ensure a high-quality VoIP service.
A set of SMB class WAN routers has been validated to work properly with the RingCentral VoIP service. The list of routers that have been tested can be found at: ringcentral.com/support/qos-router.html
. In general, Enterprise class routers support all of the QoS capabilities and configuration options described in the Expanded Version of RingCentral Network Requirements and Recommendations
.QoS / Traffic Prioritization
To ensure reliable media traffic transport through the local network to and from all RingCentral endpoints, routers must support and enable traffic prioritization: routers need to be configured such that VoIP and video traffic are handled with Expedited Forwarding (EF) DSCP 46.QoS / Bandwidth Management
It is advised to set a minimum guaranteed bandwidth in accordance with the maximum number of expected phone and video calls. The required bandwidth and network link capacities can be calculated according to the procedure provided on the Expanded Version of RingCentral Network Requirements and Recommendations
If VLANs are supported by network switches, then it is recommended (but not required) to define a VLAN specifically for VoIP and video traffic to logically separate these types of traffic from data traffic. This simplifies management of the unified communications infrastructure.
Unsupported Devices and Configurations
Some types of devices, device settings, and network configurations are not supported by the RingCentral unified communications solution, as they are known to cause continuous or intermittent voice quality issues (high latency, packet loss or jitter).
The following types of device, device configurations, and network configurations are not supported by the RingCentral VoIP solution:
• Load Balancers routing VoIP traffic concurrently across more multiple WAN links
• WAN Accelerators
• Satellite network connections
For proper support of the RingCentral Unified Communication services, the following device configuration settings may need to be disabled on IP devices (layer 3 devices, routers, firewalls), and Ethernet switches:
• IP devices:
• Session Initiation Protocol Application Layer Gateway (SIP ALG), also referred to as SIP Transformations
• Deep Packet Inspection (DPI),
• Application Layer Access Control
• Stateful Packet Inspection (SPI), also called dynamic packet filtering
• Intrusion Detection/Intrusion Prevention System (IDS/IPS)
• WAN Acceleration
• Ethernet switches:
• Green Ethernet for power saving
• Dynamic ARP inspection
NOTE: Enabling these device configuration settings may result in intermittent call problems related to phone and call connectivity (phone registration or call feature operation) or excessive voice quality impairments (high latency and jitter).
The table below indicates the source port and destination port numbers that are, besides a source IP address, entered in signaling, media and auxiliary traffic packets by the RingCentral phone and applications residing in the private network. The designation ‘random
’ means that the source port is randomly selected by the host.
There are no separate ports necessary for Busy Lamp Appearance. BLA uses the signaling ports and uses standard SIP NOTIFY packets. It will use whatever ports all the other messages are using (INVITE, BYE, REGISTER, etc.).
It is assumed that a firewall with Network Address Translation functionality resides at the interface between the private network and ISP-WAN. The notions of inbound and outbound are defined relative to a local private network.
The source (IP address, port number) pair will be translated by the NAT function into a public source (IP address, port number) pair. To allow traffic to be passed from the private network to the ISP-WAN, if not opened by default, the firewall needs to open a set of outbound ports matching the destination ports indicated in the last column of the table.
In a stateful firewall, no inbound ports need to be opened because they are automatically opened upon a reply to outbound traffic initiated by the RingCentral endpoint. NAT entry expiration timeout must be set to larger than 5 minutes since telephones re-register every 5 minutes and between registrations keep-alive messages need to be transferred from RingCentral call servers to telephones. For security reasons, it is advised to use stateful firewalls and TCP session time-out > 300sec
In most stateful firewalls, no inbound ports need to be opened because they are automatically opened upon a reply to outbound traffic initiated by the RingCentral endpoint in the local network. However, tt may still be necessary to open inbound ports on certain stateful firewalls when stateful operation behaves incorrectly (e.g. in some SoHo firewalls).
NAT entry expiration timeout must be set to larger than 5 minutes since IP telephones re-register every 4 minutes (Cisco) or 5 minutes (Polycom).
*Already in Media Port range
|Traffic Type||Protocols||Source Port Number||Destination Port Number|
|Provisioning||HTTP/TCP and HTTPS/TCP||random||80 and 443|
|Signaling||SIP/UDP||5060-5099||5090, 5091, 5096, 5097|
|Signaling||SIP/TCP and SIP/TLS/TCP||5060-6000, random||5090, 5091, 5096, 5097|
|Media||SRTP/UDP, RTP/UDP, and STUN||4000-5000, 8000-8200, 16384-16482, 20000-60000||5091, 3478-3479, 8801, 20000-64999|
|Signaling and Media|
(WebRTC & STUN)
|HTTP/TLS/TCP, STUN/UDP||5060, 6182, 8080, 8083*||5060, 6182, 8080, 8083|
|Network Time Service||NTP/UDP||random||123|
|Mobile App Data Sync||HTTPS||random||443|
|LDAP Directory Service||LDAP-SSL/TCP||random||636|
Routers and firewalls usually support an Access Control List (ACL) which can be configured to allow or deny inbound traffic based on source/destination IP address or port numbers produced by remote applications. The following inbound ACL rules may be configured in order to disable certain firewall feature such as Deep Packet Inspection (DPI):
• For inbound traffic, the ACL must be set to the following RingCentral originating source IP address ranges:
• Avoid use of "any / any" ACL rules to prevent opening too many ports.