...
The customer's network firewall must allow the following inbound traffic to the VM:
Administrative Access
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 22 | TCP | SSH (system administration) | JTEL support IPs or customer admin network |
Web Interface
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 80 | TCP | HTTP (redirects to HTTPS) | End users (agents, supervisors) |
| 443 | TCP | HTTPS (main web interface) | End users (agents, supervisors) |
SIP Telephony (Primary FreeSWITCH)
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 5060 | TCP/UDP | SIP signaling (unencrypted) | SIP trunks, PBX, softphones |
| 5061 | TCP | SIP over TLS (encrypted signaling) | SIP trunks, PBX, softphones |
| 30000-34999 | UDP | RTP media streams (voice/audio) | SIP endpoints, media gateways |
Note: The RTP port range (30000-34999) provides 5000 ports, which supports up to ~2500 concurrent calls.
Session Border Controller (Optional)
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 15060 | TCP/UDP | SBC SIP signaling | External SIP trunks (if SBC is used) |
| 15000-15059 | UDP | SBC RTP media streams | External SIP endpoints (if SBC is used) |
Info:
- Connecting to external/untrusted SIP trunks
- NAT traversal required
- Security boundary between internal PBX and external carriers
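The following check is an added example, not part of the original documentation: it compares an exported list of allow rules against the inbound tables above and reports required ports that are not fully open, ports opened outside the matrix, and SSH reachable from any source. The rule tuple format, the finding labels and the sample rules are assumptions made for illustration.

```python
from ipaddress import ip_network

# (first_port, last_port, protocol, purpose), copied from the inbound tables above.
REQUIRED = [
    (22, 22, "tcp", "SSH"), (80, 80, "tcp", "HTTP"), (443, 443, "tcp", "HTTPS"),
    (5060, 5060, "tcp", "SIP"), (5060, 5060, "udp", "SIP"),
    (5061, 5061, "tcp", "SIP over TLS"), (30000, 34999, "udp", "RTP"),
]
# SBC rows are optional: accepted when present, not reported when absent.
OPTIONAL = [(15060, 15060, "tcp", "SBC SIP"), (15060, 15060, "udp", "SBC SIP"),
            (15000, 15059, "udp", "SBC RTP")]

def covered(lo, hi, spans):
    """True if every port in lo..hi lies inside at least one (first, last) span."""
    need = lo
    for first, last in sorted(spans):
        if first > need:
            break  # gap: port `need` is not allowed by any span
        need = max(need, last + 1)
        if need > hi:
            return True
    return False

def audit(rules):
    """rules: list of (protocol, first_port, last_port, source_cidr) allow rules."""
    findings = []
    for lo, hi, proto, purpose in REQUIRED:
        spans = [(first, last) for p, first, last, _ in rules if p == proto]
        if not covered(lo, hi, spans):
            findings.append(f"MISSING {purpose} {proto}/{lo}-{hi}")
    for proto, first, last, src in rules:
        known = [(lo, hi) for lo, hi, p, _ in REQUIRED + OPTIONAL if p == proto]
        if not covered(first, last, known):
            findings.append(f"EXCESS {proto}/{first}-{last} from {src}")
        # The SSH row names admin/support networks as source, so "any" deviates from it.
        if proto == "tcp" and first <= 22 <= last and ip_network(src).prefixlen == 0:
            findings.append(f"SSH-OPEN tcp/22 from {src}")
    return findings

# Constructed sample export using documentation address ranges (not from the page).
SAMPLE = [
    ("tcp", 22, 22, "0.0.0.0/0"), ("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 5060, 5061, "198.51.100.0/24"), ("udp", 5060, 5060, "198.51.100.0/24"),
    ("udp", 30000, 32999, "198.51.100.0/24"),  # RTP range cut short
    ("tcp", 3306, 3306, "203.0.113.7/32"),     # port not in the matrix
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```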
...
Container Registry Access
Critical: Without registry access, the stack cannot start or update.
Azure Blob Storage (Backup)
Git Repository Access
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| bitbucket.org | 22 | SSH | Fetch configuration updates, GitOps workflow |
Note: Used during initial provisioning and for configuration management.
Let's Encrypt (SSL Certificates)
Operating System Updates
Azure OAuth2 (Optional)
AI Services
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| api.openai.com | 443 | HTTPS | GPT-based summarization, RAG chatbot (if enabled) |
| api.mistral.ai | 443 | HTTPS | Alternative LLM provider (if enabled) |
Note: AI services are disabled by default.
...