...
| Hostname (Alias) | Function |
|---|---|
| acd-stack | The jtel Container Stack |
| sbc | The SBC |
| pbx | The PBX |
| trunk | SIP Trunk |
| fw | The Firewall/s |
Maintenance Access
...
jtel Support
...
SSH Remote Access to Linux Systems.
Incoming Traffic
...
| fqdn | Fully Qualified Domain Name. Example: jtelacd.jtel.online |
| vscode | VS Code Server. Provides file-share access to maintenance staff |
DNS Requirements
The customer must provide a Fully Qualified Domain Name (FQDN) for the stack, as well as:
- a DNS A record pointing the FQDN to the VM's IP address
- DNS that is resolvable from both the internal network and the internet (if external access is required)
- wildcard or additional DNS records for the subdomains:
  - <FQDN> (main web interface)
  - vscode.<FQDN> (VS Code Server, optional)
Firewall - Required Inbound Ports
The customer's network firewall must allow the following inbound traffic to the VM:
Administrative Access
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 22 | TCP | SSH (system administration) | JTEL support IPs or customer admin network |
Web Interface
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 80 | TCP | HTTP (redirects to HTTPS) | End users (agents, supervisors) |
| 443 | TCP | HTTPS (main web interface) | End users (agents, supervisors) |
SIP Telephony (Primary FreeSWITCH)
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 5060 | TCP/UDP | SIP signaling (unencrypted) | SIP trunks, PBX, softphones |
| 5061 | TCP | SIP over TLS (encrypted signaling) | SIP trunks, PBX, softphones |
| 30000-34999 | UDP | RTP media streams (voice/audio) | SIP endpoints, media gateways |
Note: The RTP port range (30000-34999) provides 5000 ports. Each call uses one RTP port and one RTCP port, so the range supports up to ~2500 concurrent calls.
Session Border Controller (Optional)
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 15060 | TCP/UDP | SBC SIP signaling | External SIP trunks (if SBC is used) |
| 15000-15059 | UDP | SBC RTP media streams | External SIP endpoints (if SBC is used) |
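The inbound tables above translate directly into a host firewall on the VM. The following is an added example, not jtel's configuration or tooling: it encodes those rules (SSH limited to the support/admin networks, web and SIP ports, the RTP range, and optionally the SBC ports) and renders them as an nftables input chain with a default-drop policy. The source networks are placeholders, and the capacity helpers reproduce the document's 5000-port / ~2500-call arithmetic.

```python
"""nftables ruleset for the stack VM derived from the inbound port tables.

Added example, not jtel's configuration. Admin source networks are
placeholders to be replaced by the real support and customer admin ranges.
"""
from typing import Iterable, List, Tuple

# (protocol, port or first-last range, comma-separated source networks or "" for any)
Rule = Tuple[str, str, str]


def inbound_rules(admin_sources: Iterable[str], with_sbc: bool = False) -> List[Rule]:
    """Build the rule list from the inbound tables; SSH must have a source list."""
    sources = ", ".join(admin_sources)
    if not sources:
        raise ValueError("SSH (22) must be limited to support or admin networks")
    rules: List[Rule] = [
        ("tcp", "22", sources),                    # system administration
        ("tcp", "80", ""),                         # HTTP, redirects to HTTPS
        ("tcp", "443", ""),                        # main web interface
        ("tcp", "5060", ""), ("udp", "5060", ""),  # SIP signalling (unencrypted)
        ("tcp", "5061", ""),                       # SIP over TLS
        ("udp", "30000-34999", ""),                # RTP media streams
    ]
    if with_sbc:
        rules += [("tcp", "15060", ""), ("udp", "15060", ""), ("udp", "15000-15059", "")]
    return rules


def port_count(spec: str) -> int:
    """Number of ports covered by '443' or '30000-34999'."""
    lo, _, hi = spec.partition("-")
    return int(hi or lo) - int(lo) + 1


def max_concurrent_calls(spec: str) -> int:
    """Each call consumes an RTP port plus the adjacent RTCP port: two ports per call."""
    return port_count(spec) // 2


def render_nft(rules: Iterable[Rule], family: str = "inet", table: str = "acd") -> str:
    """Render the rules as a complete nftables table; sources become an anonymous set."""
    lines = [
        f"table {family} {table} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    ct state invalid drop",
    ]
    for proto, ports, sources in rules:
        prefix = f"ip saddr {{ {sources} }} " if sources else ""
        lines.append(f"    {prefix}{proto} dport {ports} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder networks (RFC 5737 documentation ranges); replace with the real ones.
    print(render_nft(inbound_rules(["192.0.2.0/24", "198.51.100.0/24"], with_sbc=True)))
```

The rendered table can be reviewed and then loaded with `nft -f`. It admits only what the tables list, so anything else the customer needs on the host (monitoring agents, for instance) has to be added deliberately rather than left open by default.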
Firewall - Required Outbound Access
The VM requires unrestricted outbound internet access for the following:
Container Registry Access
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| dockerhub.jtel.de or jtelacr.azurecr.io | 443 | HTTPS | Pull Docker container images |
Critical: Without registry access, the stack cannot start or update.
Azure Blob Storage (Backup)
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| *.blob.core.windows.net | 443 | HTTPS | Daily automated backups, disaster recovery |
Git Repository Access
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| bitbucket.org | 22 | SSH | Fetch configuration updates, GitOps workflow |
Note: Used during initial provisioning and for configuration management.
Let's Encrypt (SSL Certificates)
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| acme-v02.api.letsencrypt.org | 443 | HTTPS | Automatic SSL certificate issuance and renewal |
Operating System Updates
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| deb.debian.org, security.debian.org | 80, 443 | HTTP/HTTPS | Security updates, package installation |
Azure OAuth2 (Optional)
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| login.microsoftonline.com | 443 | HTTPS | Azure AD authentication for VS Code Server |
AI Services
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| api.openai.com | 443 | HTTPS | GPT-based summarization, RAG chatbot (if enabled) |
| api.mistral.ai | 443 | HTTPS | Alternative LLM provider (if enabled) |
Note: AI services are disabled by default (DONT_PULL_HEAVYWEIGHTS=true). Enable them only if the customer has subscribed to AI features.
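Before the first container pull it is worth confirming from the VM itself that every destination above is reachable, and that the DNS records from the DNS Requirements section point at the VM. The script below is an added example, not part of the jtel documentation or tooling. It takes the hostnames and ports from the outbound tables (the blob storage entry is a wildcard, so the host used here is a placeholder for the customer's storage account), resolves each name, and attempts a TCP connection on the required port; the resolver and connector are injectable so the logic can be exercised without network access. The TLS issuer probe shows which CA issued the certificate seen from the VM, which is the quickest way to notice an inspecting proxy in the path.

```python
"""Outbound egress and DNS preflight for the stack VM.

Added example, not jtel's tooling. Destinations come from the document's
outbound tables; EXAMPLE-ACCOUNT is a placeholder for the real storage account.
"""
import socket
import ssl
from typing import Callable, Dict, List, Tuple

OUTBOUND: List[Tuple[str, int, str]] = [
    ("dockerhub.jtel.de", 443, "container registry"),
    ("jtelacr.azurecr.io", 443, "container registry (alternative)"),
    ("EXAMPLE-ACCOUNT.blob.core.windows.net", 443, "backups (placeholder for *.blob.core.windows.net)"),
    ("bitbucket.org", 22, "configuration repository (SSH)"),
    ("acme-v02.api.letsencrypt.org", 443, "Let's Encrypt ACME"),
    ("deb.debian.org", 80, "OS packages (HTTP)"),
    ("deb.debian.org", 443, "OS packages (HTTPS)"),
    ("security.debian.org", 443, "OS security updates"),
    ("login.microsoftonline.com", 443, "Azure AD login (optional)"),
]

Resolver = Callable[[str], str]
Connector = Callable[[Tuple[str, int], float], object]


def check_destination(host: str, port: int, timeout: float = 5.0,
                      resolver: Resolver = socket.gethostbyname,
                      connector: Connector = socket.create_connection) -> Dict[str, object]:
    """Resolve host, then open and immediately close a TCP connection.

    The resolved IP is kept in the record: a private or proxy address where a
    public one is expected is an early hint that the path is not direct."""
    record: Dict[str, object] = {"host": host, "port": port, "ip": None, "ok": False, "error": None}
    try:
        record["ip"] = resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError
        record["error"] = f"dns: {exc}"
        return record
    try:
        conn = connector((str(record["ip"]), port), timeout)
        close = getattr(conn, "close", None)
        if close:
            close()
        record["ok"] = True
    except OSError as exc:
        record["error"] = f"connect: {exc}"
    return record


def run_preflight(targets=OUTBOUND, **kwargs) -> List[Dict[str, object]]:
    """Check every destination; one record per (host, port)."""
    return [check_destination(host, port, **kwargs) for host, port, _ in targets]


def failures(records: List[Dict[str, object]]) -> List[str]:
    """'host:port error' for each destination that did not pass."""
    return [f"{r['host']}:{r['port']} {r['error']}" for r in records if not r["ok"]]


def check_stack_dns(fqdn: str, vm_ip: str, resolver: Resolver = socket.gethostbyname) -> List[str]:
    """Names from the DNS Requirements section that do not resolve to the VM address."""
    bad = []
    for name in (fqdn, f"vscode.{fqdn}"):
        try:
            got = resolver(name)
        except OSError as exc:
            got = f"unresolvable ({exc})"
        if got != vm_ip:
            bad.append(f"{name} -> {got}, expected {vm_ip}")
    return bad


def tls_issuer(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Issuer organisation of the certificate seen from the VM (needs network).

    With direct access this is the public CA; an internal CA name here means
    TLS inspection is in the path, which the stack does not support."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        issuer = dict(item for rdn in tls.getpeercert()["issuer"] for item in rdn)
        return issuer.get("organizationName", "?")


if __name__ == "__main__":
    for rec in run_preflight():
        state = "ok" if rec["ok"] else f"FAIL ({rec['error']})"
        print(f"{rec['host']}:{rec['port']} -> {rec['ip']} {state}")
    print("registry issuer:", tls_issuer("dockerhub.jtel.de"))
```

Run it as the service user on the VM after the customer has opened the egress rules; any line in `failures()` maps back to one row of the tables above, and the registry rows are the ones that block the stack from starting at all.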
Proxy Configuration
Direct Internet Access Required
The current stack version does NOT support HTTP/HTTPS proxy configuration. The VM requires:
- Direct outbound access to all destinations listed in section 3.4
- No transparent proxy
- No SSL/TLS inspection
Future Enhancement: Proxy support may be added in future versions.
3.6 NAT Considerations
Outbound NAT: Supported (VM can be behind NAT for outbound traffic)
Inbound NAT/Port Forwarding:
- If VM is on private network, configure port forwarding on firewall/router
- Map external ports to VM's internal IP
- Ensure RTP port range (30000-34999) is correctly forwarded
- Hairpin NAT must be supported if external users call each other
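A forwarding mistake that only shows up as one-way or missing audio is a partially forwarded RTP range, or RTP forwarded with port translation (the stack advertises its own port in SDP, so the external port must equal the internal one). The following is an added example, not jtel's tooling: given the port forwards configured on the customer's firewall or router, it reports which required inbound ports are not mapped to the VM and which are mapped to a different port. The forward list and the VM address are constructed sample data.

```python
"""Port-forwarding coverage check for a stack VM on a private network.

Added example, not jtel's tooling. REQUIRED mirrors the inbound port tables;
VM_IP and SAMPLE_FORWARDS are constructed sample data.
"""
from typing import Dict, List, Tuple

# Required inbound ports: (protocol, first, last).
REQUIRED: List[Tuple[str, int, int]] = [
    ("tcp", 22, 22), ("tcp", 80, 80), ("tcp", 443, 443),
    ("tcp", 5060, 5060), ("udp", 5060, 5060), ("tcp", 5061, 5061),
    ("udp", 30000, 34999),
]

VM_IP = "10.0.5.20"  # placeholder internal address of the VM

# Constructed sample: everything forwarded except the top of the RTP range.
Forward = Dict[str, object]
SAMPLE_FORWARDS: List[Forward] = [
    {"proto": "tcp", "ext": (22, 22), "int": (22, 22), "to": VM_IP},
    {"proto": "tcp", "ext": (80, 80), "int": (80, 80), "to": VM_IP},
    {"proto": "tcp", "ext": (443, 443), "int": (443, 443), "to": VM_IP},
    {"proto": "tcp", "ext": (5060, 5061), "int": (5060, 5061), "to": VM_IP},
    {"proto": "udp", "ext": (5060, 5060), "int": (5060, 5060), "to": VM_IP},
    {"proto": "udp", "ext": (30000, 32999), "int": (30000, 32999), "to": VM_IP},
]


def _ranges(ports: List[int]) -> List[Tuple[int, int]]:
    """Compress a port list into consecutive (first, last) runs."""
    runs: List[Tuple[int, int]] = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def audit(forwards: List[Forward], vm_ip: str, required=REQUIRED):
    """Return (missing, translated) as lists of (proto, first, last).

    missing: required internal ports with no forward to vm_ip.
    translated: ports that are forwarded, but from a different external port."""
    missing: List[Tuple[str, int, int]] = []
    translated: List[Tuple[str, int, int]] = []
    for proto, first, last in required:
        unmapped, shifted = [], []
        for port in range(first, last + 1):
            ext_port = None
            for fw in forwards:
                ilo, ihi = fw["int"]
                if fw["proto"] == proto and fw["to"] == vm_ip and ilo <= port <= ihi:
                    ext_port = fw["ext"][0] + (port - ilo)
                    break
            if ext_port is None:
                unmapped.append(port)
            elif ext_port != port:
                shifted.append(port)
        missing += [(proto, a, b) for a, b in _ranges(unmapped)]
        translated += [(proto, a, b) for a, b in _ranges(shifted)]
    return missing, translated


if __name__ == "__main__":
    miss, trans = audit(SAMPLE_FORWARDS, VM_IP)
    for proto, a, b in miss:
        print(f"not forwarded: {proto} {a}-{b}")
    for proto, a, b in trans:
        print(f"port-translated (breaks SDP): {proto} {a}-{b}")
```

The sample run reports udp 33000-34999 as not forwarded: calls work until the stack allocates media ports in that part of the range, which is exactly the intermittent failure a partial forward produces.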
All Systems
Connections that every system uses.
| Service | Protocol | Source | Source Port | Destination | Destination Port(s) | Description |
|---|---|---|---|---|---|---|
| https Access | TCP | Any (jtel Support) | Any | acd-stack | 443 | https Access to Webservers and SOAP / REST APIs via Load-Balancer. |
| SIP | TCP / UDP | PBX / SBC / SIP Trunk | Any | acd-stack | 5060 | SIP communication port for telephony signalling. |
| SIPS | TCP | PBX / SBC / SIP Trunk | Any | acd-stack | 5061 | SIPS communication port for telephony signalling. |
| haproxy Web | TCP | Any (jtel Support) | Any | acd-stack | 7777 | Port used for HTTP access to the HaProxy admin GUI. |
| RTP | UDP | PBX / SBC / SIP Trunk | Any | acd-stack | 30000-34999 | RTP communication ports for audio / video data. |
Specific Systems
Connections that specific systems use, depending on the additional modules being used.
...