Port Requirements
Vodia PBX Network Port Configuration
Overview
This document outlines the network ports and external services that must be accessible to ensure proper operation of Vodia PBX. These ports are essential for various PBX functions including web administration, phone & Vodia App provisioning, SIP communication, RTP media streams, directory services, push notifications, and certificate management.
Required Network Ports
| Port(s) | Protocol | Service | Description |
|---|---|---|---|
| 80 | TCP | HTTP | Web administration interface (unencrypted), Phone provisioning (older models), Let's Encrypt HTTP-01 challenge |
| 443 | TCP | HTTPS | Secure web administration interface (encrypted), Phone & Vodia App provisioning |
| 161 | UDP | SNMP | Simple Network Management Protocol for monitoring |
| 2345 | TCP | LDAP StartTLS | LDAP directory service with StartTLS encryption |
| 2346 | TCP | LDAPS | LDAP directory service with TLS encryption |
| 5060 | UDP/TCP | SIP | Session Initiation Protocol (unencrypted) |
| 5061 | TCP | SIP-TLS | Session Initiation Protocol with TLS encryption |
| 49152-64512 | UDP | RTP | Real-time Transport Protocol for voice/video media |
Required External Services
In addition to the ports above, the PBX requires outbound access to the following external services.
Vodia License & Portal
The PBX must be able to reach the Vodia license and portal servers for license validation and management:
- license.vodia.com
- portal.vodia.com
Push Notification Servers
To deliver push notifications to Vodia mobile apps, the PBX communicates with the regional push server appropriate to your deployment:
| Host | Region |
|---|---|
| push-au.vodia.net | Asia-Pacific |
| push-eu.vodia.net | Europe |
| push-na.vodia.net | North America |
Ensure outbound HTTPS (port 443) is permitted to the applicable push server hostname.
TLS Certificate Renewal (Let's Encrypt)
The PBX uses Let's Encrypt for automatic TLS certificate issuance and renewal. Let's Encrypt does not publish fixed IP addresses for its services, so firewall rules should be based on domain names rather than IPs. Refer to the Let's Encrypt community documentation for the current list of hostnames used during the ACME challenge process.
For environments with strict egress filtering, configure your firewall or URL filter to allow:
- Outbound HTTPS to Let's Encrypt ACME endpoints
- Inbound HTTP (port 80), to allow completion of the HTTP-01 challenge: from any source, or specifically from Let's Encrypt validation IPs if your firewall supports URL-based filtering
If inbound access on port 80 must be restricted, a URL-based filter that permits only Let's Encrypt validation requests while blocking all other inbound traffic on port 80/443 is a practical approach.
Telling the PBX What Address to Use
For servers that don't have a public IP address on their local network interface (e.g. EC2), the PBX needs to know what IP address to present to the SIP devices. In admin mode, navigate to Settings → SIP → Settings and set the IP Routing List.
- If you are using the URL for polling the public IP address, you can use the keyword `public`, which will be replaced with the actual public IP address. The PBX will automatically determine the public IP address.
- If you want to always present a specific public IP address, you can put the IP address directly, for example `23.24.25.26`.
- If you want to send packets to devices in the private network, you can use the keyword `private`. For example, `private public` would check if the destination is a private IP address and the server has a private IP address in that subnet; if so, it uses the private address, otherwise the public address.
Using the SIP IP Replacement List is usually not necessary and creates unneeded complexity. If the public IP address keeps changing, the PBX can download the address from a public IP address API (e.g. api.ipify.org). For example, you could use https://api.ipify.org/?format=json in the URL for Polling Public IP Address field. If the address does not change, polling is not necessary. The system will automatically learn its public IP address from the Vodia license server during startup.
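The selection that the `private public` example above describes can be modelled as follows. This is an added illustration, not Vodia's code: the function name, the CIDR interface list, left-to-right evaluation of entries, and reading "private" as the RFC 1918 ranges are all assumptions.

```python
import ipaddress

# Assumption: "private" means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def presented_address(routing_list, destination, interfaces, public_ip=None):
    """Return the address a server would present to `destination`.

    routing_list -- IP Routing List value, e.g. "private public"
    destination  -- IP address of the SIP device
    interfaces   -- the server's own addresses in CIDR form (hypothetical input)
    public_ip    -- address learned by polling, or None if not yet known
    Entries are tried left to right (assumption); None means no entry applied.
    """
    dest = ipaddress.ip_address(destination)
    for entry in routing_list.split():
        if entry == "private":
            if not is_rfc1918(dest):
                continue
            for cidr in interfaces:
                iface = ipaddress.ip_interface(cidr)
                # Use the private address only for devices on the same subnet.
                if is_rfc1918(iface.ip) and dest in iface.network:
                    return str(iface.ip)
        elif entry == "public":
            if public_ip is not None:
                return str(ipaddress.ip_address(public_ip))
        else:
            # A literal address is always presented; a typo raises ValueError.
            return str(ipaddress.ip_address(entry))
    return None


if __name__ == "__main__":
    # Constructed sample: EC2-style host with only a private interface.
    ifaces = ["10.0.1.5/24"]
    for dst in ("10.0.1.20", "10.0.2.20", "198.51.100.7"):
        print(dst, "->", presented_address("private public", dst, ifaces, "23.24.25.26"))
```

A private destination outside the server's own subnet (`10.0.2.20` in the sample) falls through to the public address, which is the case most likely to surprise when a routed internal network sits behind the same firewall.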