...
- DNS A record pointing FQDN to the VM's IP address
- DNS must be resolvable from both internal network and internet (if external access required)
- Wildcard or additional DNS records for subdomains:
  - <FQDN> (main web interface)
  - vscode.<FQDN> (VS Code Server, optional)
...
The customer's network firewall must allow the following inbound traffic to the VM:
Administrative Access
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 22 | TCP | SSH (system administration) | JTEL support IPs or customer admin network |
Web Interface
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 80 | TCP | HTTP (redirects to HTTPS) | End users (agents, supervisors) |
| 443 | TCP | HTTPS (main web interface) | End users (agents, supervisors) |
SIP Telephony (Primary FreeSWITCH)
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 5060 | TCP/UDP | SIP signaling (unencrypted) | SIP trunks, PBX, softphones |
| 5061 | TCP | SIP over TLS (encrypted signaling) | SIP trunks, PBX, softphones |
| 30000-34999 | UDP | RTP media streams (voice/audio) | SIP endpoints, media gateways |
Note: The RTP port range 30000-34999 provides 5000 ports; at two ports per call (one RTP, one RTCP) this supports up to ~2500 concurrent calls.
Session Border Controller (Optional)
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 15060 | TCP/UDP | SBC SIP signaling | External SIP trunks (if SBC is used) |
| 15000-15059 | UDP | SBC RTP media streams | External SIP endpoints (if SBC is used) |
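As an added example (not the page's or JTEL's own configuration), the following Python script turns the inbound port tables above into an nftables ruleset with a default-drop input policy, so each port is reachable only from the source class the tables name. The named sets, the `build_ruleset` function and the CIDRs in the usage call are assumptions; the port numbers come from the tables.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    ports: str       # single port or nftables range such as "30000-34999"
    protos: tuple    # ("tcp",) or ("tcp", "udp")
    purpose: str
    source_set: str  # nftables named set allowed to reach this port (assumed name)

# Inbound tables from the requirements page (ports and protocols as listed there).
BASE_RULES = (
    Rule("22", ("tcp",), "SSH (system administration)", "admin_nets"),
    Rule("80", ("tcp",), "HTTP (redirects to HTTPS)", "user_nets"),
    Rule("443", ("tcp",), "HTTPS (main web interface)", "user_nets"),
    Rule("5060", ("tcp", "udp"), "SIP signaling (unencrypted)", "sip_nets"),
    Rule("5061", ("tcp",), "SIP over TLS", "sip_nets"),
    Rule("30000-34999", ("udp",), "RTP media streams", "sip_nets"),
)
# Emitted only when the optional Session Border Controller is deployed.
SBC_RULES = (
    Rule("15060", ("tcp", "udp"), "SBC SIP signaling", "sbc_nets"),
    Rule("15000-15059", ("udp",), "SBC RTP media streams", "sbc_nets"),
)

def build_ruleset(sets: dict, sbc_enabled: bool = False) -> str:
    """Return an nftables ruleset (for `nft -f`): drop inbound by default and
    accept only the listed ports from the matching named set.
    `sets` maps set name -> list of CIDRs; every set a rule references must be present."""
    rules = BASE_RULES + (SBC_RULES if sbc_enabled else ())
    lines = ["table inet jtel_inbound {"]
    for name, cidrs in sets.items():
        lines.append(f"  set {name} {{ type ipv4_addr; flags interval; "
                     f"elements = {{ {', '.join(cidrs)} }} }}")
    lines += ["  chain input {",
              "    type filter hook input priority 0; policy drop;",
              "    ct state established,related accept",
              "    iif lo accept"]
    for r in rules:
        for proto in r.protos:
            lines.append(f"    ip saddr @{r.source_set} {proto} dport {r.ports} "
                         f"accept comment \"{r.purpose}\"")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed placeholder CIDRs (RFC 5737 documentation ranges), not real customer networks.
    print(build_ruleset({"admin_nets": ["192.0.2.0/24"], "user_nets": ["198.51.100.0/24"],
                         "sip_nets": ["203.0.113.0/24"], "sbc_nets": ["203.0.113.128/25"]},
                        sbc_enabled=True))
```

Unencrypted 5060 is still accepted here because the page lists it; the ruleset only narrows who may reach it.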
...
When to use SBC
...
Firewall - Required Outbound Access
...
Container Registry Access
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| dockerhub.jtel.de or jtelacr.azurecr.io | 443 | HTTPS | Pull Docker container images |
Critical: Without registry access, the stack cannot start or update.
Azure Blob Storage (Backup)
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| *.blob.core.windows.net | 443 | HTTPS | Daily automated backups, disaster recovery |
Git Repository Access
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| bitbucket.org | 22 | SSH | Fetch configuration updates, GitOps workflow |
Note: Used during initial provisioning and for configuration management.
Let's Encrypt (SSL Certificates)
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| acme-v02.api.letsencrypt.org | 443 | HTTPS | Automatic SSL certificate issuance and renewal |
Operating System Updates
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| deb.debian.org, security.debian.org | 80, 443 | HTTP/HTTPS | Security updates, package installation |
Azure OAuth2 (Optional)
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| login.microsoftonline.com | 443 | HTTPS | Azure AD authentication for VS Code Server |
AI Services
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| api.openai.com | 443 | HTTPS | GPT-based summarization, RAG chatbot (if enabled) |
| api.mistral.ai | 443 | HTTPS | Alternative LLM provider (if enabled) |
Note: AI services are disabled by default (DONT_PULL_HEAVYWEIGHTS=true). Enable them only if the customer has subscribed to AI features.
Proxy Configuration
Direct Internet Access Required
The current stack version does NOT support HTTP/HTTPS proxy configuration. The VM requires:
- Direct outbound access to all destinations listed in section 3.4
- No transparent proxy
- No SSL/TLS inspection
NAT Considerations
Outbound NAT: Supported (VM can be behind NAT for outbound traffic)
Inbound NAT/Port Forwarding:
...
Legacy
Windows Machines
Info: In some cases, for example for TAPI Monitoring services, a Windows machine might still be installed. In this case, the following ports must be opened to enable the jtel service to access this machine.
...