The following acronyms are used in this document:
|ACL||Access Control List||QoS||Quality of Service|
|ALG||Application Layer Gateway||RTP||Real-time Protocol|
|DPI||Deep Packet Inspection||SIP||Session Initiation Protocol|
|DSCP||Differentiated Services Code Point||SPI||Stateful Packet Inspection|
|EF||Expedited Forwarding||TCP||Transport Control Protocol|
|IP||Internet Protocol||UDP||User Diagram Protocol|
|ISP||Internet Service Provider||VLAN||Virtual LAN|
|LAN||Local Area Network||VoIP||Voice over IP|
|NTP||Network Time Protocol||WAN||Wide-Area Network|
Required and Recommended Devices and Configurations
RingCentral requires that the User network supports a minimal set of features to ensure a high-quality VoIP service.
A set of WAN routers has been validated to work properly with the RingCentral VoIP service. The list of recommended routers that have been tested can be found at: ringcentral.com/support/qos-router.html
. Other firewalls and routers have not been tested in an end-to-end RingCentral VoIP solution and may or may not work properly.QoS / Traffic Prioritization
For the reliable transport of media traffic, User routers must support and enable traffic prioritization: routers need to be configured such that VoIP and video traffic are handled with Expedited Forwarding (EF) DSCP 46.QoS / Bandwidth Management
It is advised to set a minimum guaranteed bandwidth in accordance with the maximum number of expected phone and video calls. The required bandwidth and network link capacities can be calculated according to the procedure provided in RingCentral Network Requirements and Recommendations - Expanded version
If VLANs are supported by network switches, then it is recommended (but not required) to define a VLAN specifically for VoIP and video traffic to logically separate these types of traffic from data traffic. This simplifies management of the unified communications infrastructure.
Unsupported Devices and Configurations
Some types of device, device configurations, and network configurations are not supported by the RingCentral VoIP solution, as they are known to cause continuous or intermittent voice quality issues.
Unsupported Devices and Configurations
RingCentral does not support the use of any of the following devices or network configurations to provide VoIP or video service:
• Load Balancers routing VoIP traffic concurrently across more multiple WAN links
• WAN Accelerators
For proper support of the RingCentral Unified Communications Service, the following device settings may need to be disabled on routers, firewalls, and Ethernet switches.
• Router and Firewalls:
• Session Initiation Protocol Application Layer Gateway (SIP ALG)
• Deep Packet Inspection (DPI)
• Stateful Packet Inspection (SPI)
• WAN Acceleration
• SIP Transformation on SonicWall Security Appliance
• Ethernet Switches: Green Ethernet for power saving
NOTE: Disabling the router and firewall functionality can be restricted to the RingCentral addresses provided in the next section.
The table below indicates the source port and destination port numbers that are, besides a source IP address, entered in signaling, media and auxiliary traffic packets by the RingCentral phone and applications residing in the private network. The designation ‘random
’ means that the source port is randomly selected by the host.
For the next considerations, it is assumed that a firewall with Network Address Translation functionality resides at the interface between the private network and ISP-WAN. The notions of inbound and outbound are defined relative to a local private network.
The source (IP address, port number) pair will be translated by the NAT function into a public source (IP address, port number) pair. To allow traffic to be passed from the private network to the ISP-WAN, if not opened by default, the firewall needs to open a set of outbound ports matching the destination ports indicated in the last column of the table.
In a stateful firewall, no inbound ports need to be opened because they are automatically opened upon a reply to outbound traffic. NAT entry expiration timeout must be set to larger than 5 minutes since telephones re-register every 5 minutes and between registrations keep-alive messages need to be transferred from RingCentral call servers to telephones.
For security reasons, it is advised to avoid use of non-stateful firewalls.
*Already in Media Port range
|Traffic Type||Protocols||Source Port Number||Destination Port Number|
|Provisioning||HTTP/TCP and HTTPS/TCP||random||80 and 443|
|Signaling||SIP/UDP||5060-5099||5090, 5091, 5096, 5097|
|Signaling||SIP/TCP and SIP/TLS/TCP||5060-6000, random||5090, 5091, 5096, 5097|
|Media||SRTP/UDP, RTP/UDP, and STUN||4000-5000, 8000-8200, 16384-16482, 20000-60000||5091, 3478-3479, 8801, 20000-64999|
|WebRTC||HTTP/TLS/TCP, STUN/UDP||5060, 6182, 8080, 8083*||5060, 6182, 8080, 8083|
|Network Time Service||NTP/UDP||random||123|
|Mobile App Data Sync||HTTPS||random||443|
|LDAP Directory Service||LDAP-SSL/TCP||random||636|
Routers and firewalls usually supports an Access Control List (ACL) which can be configured to allow or deny inbound traffic based on source/destination IP address or port numbers produced by remote applications. The following inbound ACL rules may be configured in order to disable certain firewall feature such as Deep Packet Inspection (DPI):
• For inbound traffic, the ACL must be set to the following RingCentral originating source IP address ranges:
22.214.171.124/21, 126.96.36.199/22, 188.8.131.52/22, 184.108.40.206/22, 220.127.116.11/24
• Use of “any / any” ACL rules must be avoided to prevent opening too many ports.
You can download a .pdf copy of this document at https://netstorage.ringcentral.com/guides/network_condensed.pdf