Introduction
The following page explains the networking information and requirements that must be considered if the jtel Container Stack is located OnPrem.
General Information
During the basic installation of a jtel Container Stack, a firewall is configured locally. This firewall blocks all incoming traffic unless specifically instructed otherwise.
To connect SBCs, PBXs or SIP-Trunks. the IP-Address must be specifically allowed in the firewall rules.
Outgoing traffic is generally not blocked.
Glossary
| Hostname (Alias) | Function |
|---|---|
| acd-stack | The jtel Container Stack |
| sbc | The SBC |
| pbx | The PBX |
| trunk | SIP Trunk |
| fw | The Firewall/s |
| fqdn | Fully Qualified Domain Name Example: jtelacd.jtel.online |
| vscode | VS Code Server Provides Fileshare access to maintenance staff |
DNS Requirements
The customer must provide a Fully Qualified Domain Name (FQDN) for the stack, as well as
- DNS A record pointing FQDN to the VM's IP address
- DNS must be resolvable from both internal network and internet (if external access required)
- Wildcard or additional DNS records for subdomains:
vscode.<FQDN>(VS Code Server, optional)<FQDN>(main web interface)
Firewall - Required Inbound Ports
The customer's network firewall must allow the following inbound traffic to the VM:
Administrative Access
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 22 | TCP | SSH (system administration) | JTEL support IPs or customer admin network |
Web Interface
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 80 | TCP | HTTP (redirects to HTTPS) | End users (agents, supervisors) |
| 443 | TCP | HTTPS (main web interface) | End users (agents, supervisors) |
SIP Telephony (Primary FreeSWITCH)
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 5060 | TCP/UDP | SIP signaling (unencrypted) | SIP trunks, PBX, softphones |
| 5061 | TCP | SIP over TLS (encrypted signaling) | SIP trunks, PBX, softphones |
| 30000-34999 | UDP | RTP media streams (voice/audio) | SIP endpoints, media gateways |
Note: RTP port range (30000-34999) = 5000 ports = supports up to ~2500 concurrent calls
Session Border Controller (Optional)
| Port | Protocol | Purpose | Source |
|---|---|---|---|
| 15060 | TCP/UDP | SBC SIP signaling | External SIP trunks (if SBC is used) |
| 15000-15059 | UDP | SBC RTP media streams | External SIP endpoints (if SBC is used) |
When to use SBC
- Connecting to external/untrusted SIP trunks
- NAT traversal required
- Security boundary between internal PBX and external carriers
Firewall - Required Outbound Access
The VM requires unrestricted outbound internet access for the following:
Container Registry Access
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
dockerhub.jtel.de or jtelacr.azurecr.io | 443 | HTTPS | Pull Docker container images |
Critical: Without registry access, the stack cannot start or update.
Azure Blob Storage (Backup)
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
*.blob.core.windows.net | 443 | HTTPS | Daily automated backups, disaster recovery |
Git Repository Access
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
bitbucket.org | 22 | SSH | Fetch configuration updates, GitOps workflow |
Note: Used during initial provisioning and for configuration management.
Let's Encrypt (SSL Certificates)
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
acme-v02.api.letsencrypt.org | 443 | HTTPS | Automatic SSL certificate issuance and renewal |
Operating System Updates
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
deb.debian.org, security.debian.org | 80, 443 | HTTP/HTTPS | Security updates, package installation |
Azure OAuth2 (Optional)
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
login.microsoftonline.com | 443 | HTTPS | Azure AD authentication for VS Code Server |
AI Services
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
api.openai.com | 443 | HTTPS | GPT-based summarization, RAG chatbot (if enabled) |
api.mistral.ai | 443 | HTTPS | Alternative LLM provider (if enabled) |
Note: AI services are disabled by default (DONT_PULL_HEAVYWEIGHTS=true). Enable only if customer subscribed to AI features.
Proxy Configuration
Direct Internet Access Required
The current stack version does NOT support HTTP/HTTPS proxy configuration. The VM requires:
- Direct outbound access to all destinations listed in section 3.4
- No transparent proxy
- No SSL/TLS inspection
Future Enhancement: Proxy support may be added in future versions.
3.6 NAT Considerations
Outbound NAT: Supported (VM can be behind NAT for outbound traffic)
Inbound NAT/Port Forwarding:
- If VM is on private network, configure port forwarding on firewall/router
- Map external ports to VM's internal IP
- Ensure RTP port range (30000-34999) is correctly forwarded
- Hairpin NAT must be supported if external users call each other
Specific Systems
Connections that every system uses.
| Description | Protocol | Source | Port | Destination | Ports / Portrange | Description |
|---|---|---|---|---|---|---|
| https Access | TCP | Any (jtel Support) | Any | acd-stack | 443 | https Access to Webservers and SOAP / REST APIs via Load-Balancer. |
| SIP | TCP / UDP | PBX / SBC / SIP Trunk | Any | acd-stack | 5060 | SIP communication port for telephony signalling. |
| SIPS | TCP | PBX / SBC / SIP Trunk | Any | acd-stack | 5061 | SIPS communication port for telephony signalling. |
| haproxy Web | TCP | Any (jtel Support) | Any | acd-stack | 7777 | Port used for HTTP access to the HaProxy admin GUI. |
| RTP | UDP | PBX / SBC / SIP Trunk | Any | acd-stack | 30000-34999 | RTP communication ports for audio / video data. |
Specific Systems
Connections that specific systems use, depending on the additional modules being used.
| Description | Protocol | Source | Port | Destination | Ports / Portrange | Description |
|---|---|---|---|---|---|---|
| Websocket Chat | TCP | Any | Any | acd-stack | 3000 | The chat-server port if http is being used to access the chat server from external. |
| Websocket Chat | TCP | Any | Any | acd-stack | 3003 | The chat-server port if https is being used to access the chat server from external. |
| Reporting API | TCP | Any Reporting API users | Any | acd-stack | 3306-3308 | Used to provide reporting API access to the database for BI applications. |
Outgoing Traffic
The traffic documented here is a general overview. Some components may not apply to your installation.
Legacy
Windows Machines
In some cases, for example TAPI Monitoring services, a windows machine might still be installed. In this case, the following ports must be opened to enable the jtel service to access this machine
| Description | Protocol | Source | Port(s) | Destination | Port(s) | Description |
|---|---|---|---|---|---|---|
| Remote Access | TCP + UDP | jtel Support | Any | All Windows | 3389 | RDP remote Access to Windows Systems. |
| Description | Protocol | Source | Port | Destination | Port(s) | Required for Non-Redundant Systems | Required for Redundant Systems | Description |
|---|---|---|---|---|---|---|---|---|
| pcs Cluster | TCP | ACD-LB | Any | ACD-LB | 2224 | No | Yes | Ports used for communication between the pcs cluster members. Required on all nodes (needed by the |
| Chat Server | TCP | ACD-LB | Any | ACD-CHAT | 3000 | Yes | Yes | Websocket for chat server |
| Database Access | TCP | Any | Any | ACD-LB | 3306 | No | Yes | Redirect port to master database |
| Database Access | TCP | Any | Any | ACD-LB | 3307 | No | Yes | Redirect port to slave database used for real-time reporting |
| Database Access | TCP | Any | Any | ACD-LB | 3308 | No | Yes | Redirect port to slave database used for historical reporting |
| pcs Cluster | TCP | ACD-LB | Any | ACD-LB | 3121 | No | Yes | Ports used for communication between the pcs clusters members. Required on all nodes if the cluster has any Pacemaker Remote nodes. Pacemaker's |
| Telephony Servers | UDP | PBX / SBC / SIP Trunk | Any | ACD-TEL | 5060 | Yes | Yes | Port used for SIP |
| pcs Cluster | TCP | ACD-LB | Any | ACD-LB | 5403 | No | Yes | Ports used for communication between the pcs clusters members. Required on the quorum device host when using a quorum device with |
| pcs Cluster | UDP | ACD-LB | Any | ACD-LB | 5404 | No | Yes | Ports used for communication between the pcs clusters members. Required on corosync nodes if |
| pcs Cluster | UDP | ACD-LB | Any | ACD-LB | 5405 | No | Yes | Ports used for communication between the pcs clusters members. Required on all corosync nodes (needed by |
| Hazelcast Cluster | TCP | ACD-DBM | Any | ACD-DBM | 5701 - 5801 | Yes | Yes | Hazelcast cluster ports. |
| Web Server Access | TCP | Any | Any | ACD-JB | 8080 | Yes | Yes | http server port for accessing the webserver. |
| REST Service Access | TCP | ACD-LB | Any | ACD-REST | 8091 | Yes | Yes | Rest interface |
| pcs cluster | TCP, UDP | ACD-LB | Any | ACD-LB | 9929 | No | Yes | Required to be open on all cluster nodes and booth arbitrator nodes to connections from any of those same nodes when the Booth ticket manager is used to establish a multi-site cluster. |
| Telephony Servers | UDP | ACD-TEL | Any | ACD-TEL | 20202 | No | Yes | If building a cluster with more than one telephony server, this is the broadcast port used for interchassis communication and discovery. |
| Web Server Communication | UDP | ACD-JB | Any | ACD-JB | 20640 | Yes | Yes | When changing slides in the presentation, this port is used to send the information to the other web servers. The 8-Server sends information to the web servers so that the information of the current conference call is displayed in the browser. This setting can be found in the parameters: ConfServer.WebServer.UDP.Port |
Webserver conference control of telephony | UDP | ACD-JB | Any | ACD-TEL | 20641 | Yes | Yes | Used for controlling telephone conferences from the web application. ConfServer.Daemon.UDP.r5 must be running on the target telephony server. The actual destination for the message is determined dynamically by the web application. This setting can be found in the parameters: ConfServer.Daemon.UDP.Port |
| Telephony Servers - TTS generation | UDP | Any | Any | ACD-TEL | 20643 | Yes | Yes | IP address and port of the telephony server on which the TTS daemon is running (only for installations with TTS installed). Used to initiate ad-hoc tts generation. This setting can be found in the parameters: Portal.Daemon.TTS.UDP.Address |
| Event generation for APIs | UDP | Any | Any | ACD-JB | 20644 | Yes | Yes | Communication from event producers to the hazelcast cluster on change of various status for signaling events via the APIs or internally. The PlatformUDPListener must run on the corresponding target computers. If running on the source itself, no port will need to be opened between the servers. This setting can be found in the parameters: ACD.UDP.MediaEventsListener.Address |
| Call initiation and call control | UDP | Any | Any | ACD-TEL | 20645 | Yes | Yes | Communication from servers to the daemon process for ACD and call control. Note: The daemon ACD.Daemon.UDP.r5 must run on the corresponding ACD-TEL server. This setting can be found in the parameters: dialler.8Servers.IPs |
| TAPI call forwarding and redirection control | UDP | Any | Any | ACD-TEL | 40404 | Yes | Yes | Used to control the call forwarding settings in the PBX via the PBX connector (usually ECSTA or a multi-line TAPI). This setting can be found in the parameters: Portal.JTELTAPIServer.UDP.Address |
| Call initiation via PBX connector | UDP | ACD-JB | Any | ACD-TEL | 40406 | Yes | Yes | The IP address of the PBX-Connector, if outdials are to be initiated via the PBX connector and not via the telephony server. This setting can be found in the parameters: dialler.ClickToCall.UDP.Connector.Host Recommendation: set dialler.ClickToCall.UDP.Connector.Host EMPTY if the telephony server is to be used for outdial requests. Otherwise when set then ALL click-to-cial commands will be sent directly to the PBX connector. |