Firewall configuration

Firewall configuration

We recommend adding the appropriate URLs and IP addresses to any firewall rules that restrict employee access, and we request that you treat Vonage Contact Center as a business-critical application. By this, we mean optimizing and prioritizing IP traffic to Vonage Contact Center over other non-critical traffic. This is to ensure real-time responses to agent requests are processed in a timely and efficient manner (call steering buttons, call transfers, hold requests, and so on).

You should also review any IP packet inspection or local caching policies to optimize the user experience.

Ports

Outbound

All outbound traffic requires TCP port 443 (HTTPS). Responses are sent to a range of ephemeral ports. This requirement applies to:

• VCC traffic, regardless of whether you use URL or IP allowlisting
• VCC APIs
• WebRTC traffic (see WebRTC sections later in this page for information about other ports required for WebRTC traffic)
• All other third-party traffic (Amplitude, Cloudfront, and NewRelic)

SFTP access to call recordings requires TCP port 44044.

Inbound

All inbound traffic requires access to destination TCP port 443 (HTTPS) on our servers to establish a connection. Responses are sent to a range of ephemeral ports.

Virtual private network (VPN)

We recommend using a split tunnel configuration to ensure that traffic—especially voice traffic—to Vonage services is routed directly from the end user to our platform and not through a VPN. We do not recommend tunneling voice connectivity through a VPN tunnel due to the potential adverse effect on voice quality.

Using URL allowlisting (recommended)

Depending on whether you will use wildcard or fully qualified domain names, add the following URLs to your allowlist:

• Using wildcard domains:
  • *.vonage.com
  • *.cc.vonage.com
  • *.api.cc.vonage.com
  • *.newvoicemedia.com
  • *.api.newvoicemedia.com
  • *.contact-world.net
  • api.amplitude.com
  • bam.nr-data.net
  • js-agent.newrelic.com
  • *.nexmo.com

• Using fully qualified domain names (FQDN):

  Region	URL
  EMEA	emea.cc.vonage.com emea.api.cc.vonage.com emea-message-relay.contact-world.net api-eu.cc.vonage.com prd-emea-lon.contact-world.net prd-emea-fra.contact-world.net prd-emea-lon-app01-message-relay.contact-world.net prd-emea-fra-app01-message-relay.contact-world.net api-prd-emea-lon.contact-world.net api-prd-emea-fra.contact-world.net emea.newvoicemedia.com emea.api.newvoicemedia.com
  APAC	apac.cc.vonage.com apac.api.cc.vonage.com apac-message-relay.contact-world.net api-ap.cc.vonage.com prd-apac-syd.contact-world.net prd-apac-sin.contact-world.net prd-apac-syd-app01-message-relay.contact-world.net prd-apac-sin-app01-message-relay.contact-world.net api-prd-apac-syd.contact-world.net api-prd-apac-sin.contact-world.net apac.newvoicemedia.com apac.api.newvoicemedia.com
  NAM	nam.cc.vonage.com nam.api.cc.vonage.com nam-message-relay.contact-world.net api-us.cc.vonage.com prd-nam-ric.contact-world.net prd-nam-pdx.contact-world.net prd-nam-ric-app01-message-relay.contact-world.net prd-nam-pdx-app01-message-relay.contact-world.net api-prd-nam-ric.contact-world.net api-prd-nam-pdx.contact-world.net nam.newvoicemedia.com nam.api.newvoicemedia.com

• WalkMe traffic

  
  Vonage Contact Center uses a third party tool—WalkMe—to inform supervisors and administrators about new features and guide them when using the portal. To benefit from this functionality, you must add the following domains to your allowlist:

  Critical domains

  Domain	Purpose of Domain	If Access is Blocked
  *.walkme.com	Load the WalkMe product	WalkMe will not function
  s3.walkmeusercontent.com	Images in WalkMe Solutions hosted by WalkMe’s AWS	Images in WalkMe Solutions that are hosted by WalkMe’s AWS will not appear

  Recommended

  Domain	Purpose of Domain	If Access is Blocked
  clients2.google.com/service/update2/crx	Update Chrome extensions	WalkMe Chrome extensions (Player and Editor) will not be able to update
  safari-extensions.apple.com/details/	Update Safari extensions	WalkMe Safari extension (Player and Editor) will not be able to update

  For more information, see https://support.walkme.com/knowledge-base/access-requirements-for-walkme/.

• Adobe Analytics

  Add the URL addresses specified in the following page to any existing firewall permissions: https://experienceleague.adobe.com/docs/analytics/technotes/ip-addresses.html?lang=en

You must also add the IP addresses specified in the following sections to your allowlist:

Inbound VCC traffic

Inbound IP addresses are used when Vonage Contact Center interacts with an external system where IP allowlisting is in place.
Such systems include Salesforce; a customer-owned or managed server or service; and other cloud provider services.

WebRTC traffic

To make our WebRTC solution more resilient, we use two WebRTC providers. You must configure your firewall for both providers.

• Vonage WebRTC provider

  When using WebRTC, you must use IPv4 over IPv6 in prefix policies.

  Purpose	Protocol	Source IP	Source port	Destination port	Destination IP
  Signalling/presence	TCP	Your local network addresses	*Ephemeral range	443	See Destination IP addresses.
  Media	UDP			*Ephemeral range

  *Ephemeral Range: The application will select any available port from a range depending on the operating system. On most machines, the port range is 1,024 to 65,535, with source ports generally up to 20,000 and destination ports generally over 50,000.

  
  

  Destination IP addresses
  Your firewall settings should allow outbound traffic as specified in the following list:
  
• Backup WebRTC provider
  Add all the IP addresses listed in the following pages to your allowlist:
  • https://www.twilio.com/docs/stun-turn/regions
  • https://www.twilio.com/docs/voice/client/javascript/voice-client-js-and-mobile-sdks-network-connectivity-requirements

If your agents use VPN clients, you must also add *.nexmo.com to your allowlist; failure to do so may result in agents not being able to use WebRTC.

Where relevant, you must also add *.nexmo.com to the VPN's proxy bypass list and then restart your agents' clients.

Webhooks API traffic

To use Vonage Contact Center's Webhooks API, your firewall settings should allow inbound traffic as specified in the following list:

Using IP allowlisting

If your firewall does not support URL or DNS allowlisting, add the following IP addresses for your region to any existing firewall permissions.

Inbound VCC traffic

Inbound IP addresses are used when Vonage Contact Center interacts with an external system where IP allowlisting is in place.
Such systems include Salesforce; a customer-owned or managed server or service; and other cloud provider services.

Outbound VCC traffic

If your firewall does not support URL/DNS allowlisting, add the following IP addresses for your region to any existing firewall permissions:

--Amazon Web Services (AWS)

Most of VCC uses Amazon Web Services (AWS).

Add the IP addresses for your region as described in the following page: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.

There might be multiple AWS regions associated with your VCC region:

--Adobe Analytics

Add the IP addresses specified in the following page to any existing firewall permissions: https://experienceleague.adobe.com/docs/analytics/technotes/ip-addresses.html?lang=en

--Amplitude

Add the IP addresses specified in the following page to any existing firewall permissions:

• https://help.amplitude.com/hc/en-us/articles/360024419152

--Cloudfront

Add the IP addresses specified in the following page to any existing firewall permissions:

• http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips.

--NewRelic

Add this range of IP addresses—162.247.240.0/22—to any existing firewall permissions.

--WebRTC traffic

To make our WebRTC solution more resilient, we use two WebRTC providers. You must configure your firewall for both providers.

• Vonage WebRTC provider

  When using WebRTC, you must use IPv4 over IPv6 in prefix policies.

  Purpose	Protocol	Source IP	Source port	Destination port	Destination IP
  Signalling/presence	TCP	Your local network addresses	*Ephemeral range	443	See Destination IP addresses.
  Media	UDP			*Ephemeral range

  *Ephemeral Range: The application will select any available port from a range depending on the operating system. On most machines, the port range is 1,024 to 65,535, with source ports generally up to 20,000 and destination ports generally over 50,000.

  
  

  Destination IP addresses
  Your firewall settings should allow outbound traffic as specified in the following list:
  
• Backup WebRTC provider
  Add all the IP addresses listed in the following pages to your allowlist:
  • https://www.twilio.com/docs/stun-turn/regions
  • https://www.twilio.com/docs/voice/client/javascript/voice-client-js-and-mobile-sdks-network-connectivity-requirements

If your agents use VPN clients, you must also add *.nexmo.com to your allowlist; failure to do so may result in agents not being able to use WebRTC.

Where relevant, you must also add *.nexmo.com to the VPN's proxy bypass list and then restart your agents' clients.

--Webhooks API traffic

To use Vonage Contact Center's Webhooks API, your firewall settings should allow inbound traffic as specified in the following list: