Ports Used by the Vodia Phone System
When deploying the Vodia PBX with cloud service providers like AWS, Azure, Google Cloud or Digital Ocean, it often becomes necessary to set up the firewall for the PBX. Forward the following ports in your cloud firewall environment so that your remote users can connect and register SIP desktop phones, and to eliminate one-way audio. The numbers in the table are the defaults. They can be changed from the PBX web interface. You can also check with netstat what ports are open on the PBX.
If you want to use only the Vodia apps from outside of the LAN, you need to open only the HTTPS and the RTP ports. For the apps to work, HTTPS does not have to be on the standard port 443.
Protocol | Port | Description | Comments | Required For |
---|---|---|---|---|
UDP and TCP | 5060 | SIP | Used for SIP signaling internal and external for remote users. | VoIP phones, SIP Trunks |
TCP | 5061 | SIPS | Used for secure SIP signaling internal and external for remote users | VoIP phones |
TCP | 80 | HTTP | Port used for web site access and LetsEncrypt robot. For LetsEncrypt to work, this port number must be 80 and cannot be changed. | LetsEncrypt Robot |
TCP | 443 | HTTPS | Port used for web page access from users and apps | Apps and User Login |
TCP | 2345,2346 | LDAP | Ports are used by many VoIP phones for looking up address book entries | VoIP phones |
UDP | 49152-65535 | RTP | Choose a large range of RTP ports to avoid possible conflicts and reduce the risk of outside traffic hitting the ports | VoIP phones and Apps |
Most ports can be changed to random port numbers. This reduces the exposure to scanners. Because in most cases VoIP phones are provisioned automatically, ports 5060 and 5061 can be on random ports. The LDAP ports are by default on non-standard ports. Port 80 needs to be on the standard port for the LetsEncrypt certificate service to work properly. Port 443 can also run on a non-standard port; the system will automatically redirect from port 80 to the right port. However, when users are supposed to log in, it is recommended to keep the standard port 443 so that the URL does not contain a port number.
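The netstat check mentioned above can be turned into a small audit against the default port table. This is an added example, not Vodia's own tooling: the function names, the Linux net-tools `netstat -tuln` column layout and the sample output are assumptions, and the port list must be adjusted if the defaults were changed in the web interface.

```shell
#!/bin/sh
# Added example: audit listening sockets against the default port table.
# Usage on the PBX host: netstat -tuln | audit_listeners
audit_listeners() {
  awk '
    BEGIN {
      # Default listeners from the table, as proto/port
      n = split("tcp/5060 udp/5060 tcp/5061 tcp/80 tcp/443 tcp/2345 tcp/2346", d, " ")
      for (i = 1; i <= n; i++) want[d[i]] = 1
    }
    $1 ~ /^(tcp|udp)/ {
      proto = substr($1, 1, 3)                      # tcp6 -> tcp, udp6 -> udp
      if (proto == "tcp" && $NF != "LISTEN") next   # only listening TCP sockets
      if ($4 ~ /^127\./ || $4 ~ /^::1:/) next       # loopback is not reachable remotely
      k = split($4, a, ":"); port = a[k] + 0        # port follows the last colon
      key = proto "/" port
      if (key in want) { seen[key] = 1; next }
      if (proto == "udp" && port >= 49152 && port <= 65535) next   # default RTP range
      if (!(key in flagged)) { flagged[key] = 1; print "UNEXPECTED " key " (" $4 ")" }
    }
    END {
      # A default port with no listener: changed in the web interface, or service down
      for (i = 1; i <= n; i++) if (!(d[i] in seen)) print "MISSING " d[i]
    }
  '
}

# Constructed sample of `netstat -tuln` output (not captured from a real PBX)
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5060            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5061            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp        0      0 0.0.0.0:2345            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:5060            0.0.0.0:*
udp        0      0 0.0.0.0:50000           0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
EOF
}

sample_netstat | audit_listeners
```

Any UNEXPECTED line is a listener that the cloud firewall should not forward; a MISSING line means the firewall rule for that default port no longer matches what the PBX is actually listening on.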
Telling the PBX what address to use
For servers that don't have a public IP address on their local network interface (e.g. EC2), the PBX needs to know what IP address to present to the SIP devices. In admin mode, navigate to Settings → SIP → Settings and set the IP routing list.
- If you are using the URL for polling the public IP address, you can use the keyword "public" which will be replaced with the actual public IP address. The PBX will automatically determine the public IP address.
- If you always want to present a specific public IP address, you can just put the IP address there, for example "23.24.25.26".
- If you want to send packets to devices in the private network, you can use the keyword "private". For example "private public" would check if the destination is a private IP address and the server has a private IP address in that subnet, then it would use the private IP address. Otherwise it would use the public IP address.
Using the SIP IP replacement list is usually not necessary and creates unneeded complexity and problems. If the public IP address keeps changing, the PBX can download the address from a public IP address API (e.g. api.ipify.org). If the address does not change, the address polling is not necessary. The system will automatically learn its public IP address from the Vodia license server during startup.