Firewall configuration

Firewall configuration

In this section

Version history
 Expand | Collapse

Version Date Comment
Current Version (v. 28) Jun 26, 2024 16:13 Helen Griffith :
Removed legacy APAC URLs and IP addresses
v. 27 Apr 16, 2024 07:32 Helen Griffith
Updated WebRTC destination media ports to ephemeral range
v. 26 Jan 08, 2024 10:55 Helen Griffith
Added Adobe Analytics sections
v. 25 Oct 11, 2023 10:57 Helen Griffith
Added Webhooks IPs that need to be added to allowlist
v. 24 Oct 09, 2023 11:16 Helen Griffith
Updated outbound port for SFTP access
v. 23 Jul 05, 2023 10:17 Helen Griffith
Added that SFTP access to call recordings will need additional port from Oct 1, 23
v. 22 Jun 13, 2023 09:57 Helen Griffith
Removed AWS region us-west-1
v. 21 Jun 13, 2023 09:51 Helen Griffith
Removed references to cloud 16 and 17
v. 20 Jun 12, 2023 10:20 Helen Griffith
Removed old NAM IP addresses
v. 19 May 31, 2023 12:50 Helen Griffith
v. 18 May 31, 2023 12:49 Helen Griffith
v. 17 May 09, 2023 15:24 Helen Griffith
Moved WalkMe traffic into list of URLs to be allowlisted
v. 16 May 04, 2023 12:17 Helen Griffith
Added date by which new APAC IP addresses must be added to allowlist
v. 15 Mar 31, 2023 14:39 Helen Griffith
New IP addresses added for inbound traffic in APAC
v. 14 Jan 04, 2023 17:10 Helen Griffith
Removed stun.l.google.com:19302 domain from WebRTC config section
v. 13 Dec 14, 2022 13:17 Helen Griffith
Added stun.l.google.com:19302 domain to WebRTC config section
v. 12 Oct 17, 2022 09:48 Helen Griffith
Added WalkMe configuration section
v. 11 Jun 29, 2022 13:18 Helen Griffith
Added fully qualified domain names (FQDN) to 'Using URL allowlisting (recommended)' section
v. 10 Feb 14, 2022 14:44 Helen Griffith
Added *.vonage.com and *.cc.vonage.com to list of URLs to allow list
v. 9 Feb 08, 2022 08:50 Helen Griffith
Renamed USA-->NAM, updated NAM section with additional addresses, removed outbound IPs
v. 8 Oct 25, 2021 10:26 Helen Griffith
Removed decommissioned data centers
v. 7 Mar 15, 2021 08:52 Helen Griffith
Added *nexmo.com to list of URLs to allowlist
v. 6 Dec 15, 2020 10:51 Helen Griffith
Added version history section
v. 5 Oct 28, 2020 14:35 Helen Griffith
v. 4 Oct 19, 2020 13:23 Helen Griffith
v. 3 Oct 15, 2020 06:46 Helen Griffith
Removed ambiguous and superfluous sentence from Cloudfront section
v. 2 Oct 14, 2020 10:35 Helen Griffith
Fixing typo in Amplitude URL
v. 1 Sept 28, 2020 13:11 Helen Griffith


About this page

  • You must read this entire section to ensure that you configure your firewall correctly.
  • Inbound and outbound traffic terminology:
    • Inbound describes traffic from VCC.
    • Outbound describes traffic to VCC.

We recommend adding the appropriate URLs and IP addresses to any firewall rules that restrict employee access, and we request that you treat Vonage Contact Center as a business-critical application. By this, we mean optimizing and prioritizing IP traffic to Vonage Contact Center over other non-critical traffic. This is to ensure real-time responses to agent requests are processed in a timely and efficient manner (call steering buttons, call transfers, hold requests, and so on).

You should also review any IP packet inspection or local caching policies to optimize the user experience.

Ports

Outbound

All outbound traffic requires TCP port 443 (HTTPS). Responses are sent to a range of ephemeral ports. This requirement applies to:

  • VCC traffic, regardless of whether you use URL or IP allowlisting
  • VCC APIs
  • WebRTC traffic (see WebRTC sections later in this page for information about other ports required for WebRTC traffic)
  • All other third-party traffic (Amplitude, Cloudfront, and NewRelic)

SFTP access to call recordings requires TCP port 44044.

Inbound

All inbound traffic requires access to destination TCP port 443 (HTTPS) on our servers to establish a connection. Responses are sent to a range of ephemeral ports.

Virtual private network (VPN)

We recommend using a split tunnel configuration to ensure that traffic—especially voice traffic—to Vonage services is routed directly from the end user to our platform and not through a VPN. We do not recommend tunneling voice connectivity through a VPN tunnel due to the potential adverse effect on voice quality.



Using URL allowlisting (recommended)

Depending on whether you will use wildcard or fully qualified domain names, add the following URLs to your allowlist:

  • Using wildcard domains:
    • *.vonage.com
    • *.cc.vonage.com
    • *.api.cc.vonage.com
    • *.newvoicemedia.com
    • *.api.newvoicemedia.com
    • *.contact-world.net
    • api.amplitude.com
    • bam.nr-data.net
    • js-agent.newrelic.com
    • *.nexmo.com
  • Using fully qualified domain names (FQDN):

    RegionURL
    EMEA

    emea.cc.vonage.com

    emea.api.cc.vonage.com

    emea-message-relay.contact-world.net

    api-eu.cc.vonage.com

    prd-emea-lon.contact-world.net

    prd-emea-fra.contact-world.net

    prd-emea-lon-app01-message-relay.contact-world.net

    prd-emea-fra-app01-message-relay.contact-world.net

    api-prd-emea-lon.contact-world.net

    api-prd-emea-fra.contact-world.net

    emea.newvoicemedia.com

    emea.api.newvoicemedia.com

    APAC

    apac.cc.vonage.com

    apac.api.cc.vonage.com

    apac-message-relay.contact-world.net

    api-ap.cc.vonage.com

    prd-apac-syd.contact-world.net

    prd-apac-sin.contact-world.net

    prd-apac-syd-app01-message-relay.contact-world.net

    prd-apac-sin-app01-message-relay.contact-world.net

    api-prd-apac-syd.contact-world.net

    api-prd-apac-sin.contact-world.net

    apac.newvoicemedia.com

    apac.api.newvoicemedia.com

    NAM

    nam.cc.vonage.com

    nam.api.cc.vonage.com

    nam-message-relay.contact-world.net

    api-us.cc.vonage.com

    prd-nam-ric.contact-world.net

    prd-nam-pdx.contact-world.net

    prd-nam-ric-app01-message-relay.contact-world.net

    prd-nam-pdx-app01-message-relay.contact-world.net

    api-prd-nam-ric.contact-world.net

    api-prd-nam-pdx.contact-world.net

    nam.newvoicemedia.com

    nam.api.newvoicemedia.com

  • WalkMe traffic


    Vonage Contact Center uses a third party tool—WalkMe—to inform supervisors and administrators about new features and guide them when using the portal. To benefit from this functionality, you must add the following domains to your allowlist:

    Critical domains

    DomainPurpose of DomainIf Access is Blocked
    *.walkme.comLoad the WalkMe productWalkMe will not function
    s3.walkmeusercontent.comImages in WalkMe Solutions hosted by WalkMe’s AWSImages in WalkMe Solutions that are hosted by WalkMe’s AWS will not appear

    Recommended

    DomainPurpose of DomainIf Access is Blocked
    clients2.google.com/service/update2/crxUpdate Chrome extensionsWalkMe Chrome extensions (Player and Editor) will not be able to update
    safari-extensions.apple.com/details/Update Safari extensionsWalkMe Safari extension (Player and Editor) will not be able to update

    For more information, see https://support.walkme.com/knowledge-base/access-requirements-for-walkme/.

  • Adobe Analytics

    Add the URL addresses specified in the following page to any existing firewall permissions: https://experienceleague.adobe.com/docs/analytics/technotes/ip-addresses.html?lang=en

You must also add the IP addresses specified in the following sections to your allowlist:

Inbound VCC traffic

Inbound IP addresses are used when Vonage Contact Center interacts with an external system where IP allowlisting is in place.
Such systems include Salesforce; a customer-owned or managed server or service; and other cloud provider services.

VCC home region

IP addresses (inbound)

EMEA

3.10.100.255
35.177.29.140
3.126.229.159
18.184.245.197

NAM

3.222.22.251
3.210.155.126
35.86.33.112
54.68.201.219

APAC

13.54.78.128
54.79.123.45
54.169.14.70
13.250.67.212

WebRTC traffic

To make our WebRTC solution more resilient, we use two WebRTC providers. You must configure your firewall for both providers.

Adding an IP address to your outbound firewall enables both inbound and outbound WebRTC traffic so you do not need to add the IP address to your inbound firewall too.  
  • Vonage WebRTC provider

    When using WebRTC, you must use IPv4 over IPv6 in prefix policies.

    PurposeProtocolSource IPSource portDestination portDestination IP
    Signalling/presenceTCPYour local network addresses*Ephemeral range443See Destination IP addresses.
    MediaUDP*Ephemeral range

    *Ephemeral Range: The application will select any available port from a range depending on the operating system. On most machines, the port range is 1,024 to 65,535, with source ports generally up to 20,000 and destination ports generally over 50,000.


    Destination IP addresses
    Your firewall settings should allow outbound traffic as specified in the following list:
  • Backup WebRTC provider
    Add all the IP addresses listed in the following pages to your allowlist:

If your agents use VPN clients, you must also add *.nexmo.com to your allowlist; failure to do so may result in agents not being able to use WebRTC.

Where relevant, you must also add *.nexmo.com to the VPN's proxy bypass list and then restart your agents' clients.

Webhooks API traffic

To use Vonage Contact Center's Webhooks API, your firewall settings should allow inbound traffic as specified in the following list:


Using IP allowlisting

If your firewall does not support URL or DNS allowlisting, add the following IP addresses for your region to any existing firewall permissions.

Inbound VCC traffic

Inbound IP addresses are used when Vonage Contact Center interacts with an external system where IP allowlisting is in place.
Such systems include Salesforce; a customer-owned or managed server or service; and other cloud provider services.

VCC home region

IP addresses (inbound)

EMEA

3.10.100.255
35.177.29.140
3.126.229.159
18.184.245.197

NAM

3.222.22.251
3.210.155.126
35.86.33.112
54.68.201.219

APAC

13.54.78.128
54.79.123.45
54.169.14.70
13.250.67.212

Outbound VCC traffic

Outbound IP addresses

Outbound IP addresses are used for standard web access, for example, agents and supervisors accessing Vonage Contact Center applications. All customers will need to allow outbound IP addresses.

If your firewall does not support URL/DNS allowlisting, add the following IP addresses for your region to any existing firewall permissions:

--Amazon Web Services (AWS)

Most of VCC uses Amazon Web Services (AWS).

Add the IP addresses for your region as described in the following page: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.

This list of addresses is subject to change.

There might be multiple AWS regions associated with your VCC region:

VCC regionAWS region IDAWS region name
EMEA

eu-central-1Frankfurt

eu-west-2London
NAM

us-east-1North Virginia

us-west-2Oregon
APAC

ap-southeast-1Singapore

ap-southeast-2Sydney


--Adobe Analytics

Add the IP addresses specified in the following page to any existing firewall permissions: https://experienceleague.adobe.com/docs/analytics/technotes/ip-addresses.html?lang=en

--Amplitude

Add the IP addresses specified in the following page to any existing firewall permissions:

--Cloudfront

Add the IP addresses specified in the following page to any existing firewall permissions:

Inbound addresses

The IP addresses are all outbound addresses.

--NewRelic

Add this range of IP addresses—162.247.240.0/22—to any existing firewall permissions.

Inbound addresses

The IP addresses are all outbound addresses.

--WebRTC traffic

To make our WebRTC solution more resilient, we use two WebRTC providers. You must configure your firewall for both providers.

Adding an IP address to your outbound firewall enables both inbound and outbound WebRTC traffic so you do not need to add the IP address to your inbound firewall too.  
  • Vonage WebRTC provider

    When using WebRTC, you must use IPv4 over IPv6 in prefix policies.

    PurposeProtocolSource IPSource portDestination portDestination IP
    Signalling/presenceTCPYour local network addresses*Ephemeral range443See Destination IP addresses.
    MediaUDP*Ephemeral range

    *Ephemeral Range: The application will select any available port from a range depending on the operating system. On most machines, the port range is 1,024 to 65,535, with source ports generally up to 20,000 and destination ports generally over 50,000.


    Destination IP addresses
    Your firewall settings should allow outbound traffic as specified in the following list:
  • Backup WebRTC provider
    Add all the IP addresses listed in the following pages to your allowlist:

If your agents use VPN clients, you must also add *.nexmo.com to your allowlist; failure to do so may result in agents not being able to use WebRTC.

Where relevant, you must also add *.nexmo.com to the VPN's proxy bypass list and then restart your agents' clients.

--Webhooks API traffic

To use Vonage Contact Center's Webhooks API, your firewall settings should allow inbound traffic as specified in the following list:

Support and documentation feedback

For general assistance, please contact Customer Support.

For help using this documentation, please send an email to docs_feedback@vonage.com. We're happy to hear from you. Your contribution helps everyone at Vonage! Please include the name of the page in your email.