
Introduction

This page describes the network information and requirements that must be considered when the jtel Container Stack is hosted on-premises (OnPrem).

General Information

During the basic installation of a jtel Container Stack, a firewall is configured locally. This firewall blocks all incoming traffic unless specifically instructed otherwise.

To connect SBCs, PBXs or SIP trunks, their IP addresses must be explicitly allowed in the firewall rules.

Outgoing traffic is generally not blocked.

Glossary

Hostname (Alias)   Function
acd-stack          The jtel Container Stack
SBC                The SBC/s (Session Border Controller)
PBX                The PBX/s
SIP-Trunk          SIP Trunk/s
FW                 The Firewall/s
FQDN               Fully Qualified Domain Name (example: jtelacd.jtel.online)
VSCode             VS Code Server; provides file share access to maintenance staff

DNS Requirements

The customer must provide a Fully Qualified Domain Name (FQDN) for the stack, as well as:

  • A DNS A record pointing the FQDN to the VM's IP address
  • DNS resolution from the internal network and, if external access is required, from the internet
  • Wildcard or additional DNS records for the following names:
    • vscode.<FQDN> (VS Code Server)
    • <FQDN> (main web interface)

Firewall - Required Inbound Ports

The customer's network firewall must allow the following inbound traffic to the VM:

Administrative Access

Port   Protocol   Purpose                        Source
22     TCP        SSH (system administration)    jtel support IPs or customer admin network

Web Interface

Port   Protocol   Purpose                        Source
80     TCP        HTTP (redirects to HTTPS)      End users (agents, supervisors)
443    TCP        HTTPS (main web interface)     End users (agents, supervisors)

SIP Telephony (Primary FreeSWITCH)

Port          Protocol   Purpose                              Source
5060          TCP/UDP    SIP signaling (unencrypted)          SIP trunks, PBX, softphones
5061          TCP        SIP over TLS (encrypted signaling)   SIP trunks, PBX, softphones
30000-34999   UDP        RTP media streams (voice/audio)      SIP endpoints, media gateways

Note: The RTP port range 30000-34999 covers 5000 ports. Each call occupies a pair of ports (RTP and RTCP), so this range supports up to roughly 2500 concurrent calls.

Session Border Controller (Optional)

Port          Protocol   Purpose                  Source
15060         TCP/UDP    SBC SIP signaling        External SIP trunks (if SBC is used)
15000-15059   UDP        SBC RTP media streams    External SIP endpoints (if SBC is used)

When to use SBC

  • Connecting to external/untrusted SIP trunks
  • NAT traversal required
  • Security boundary between internal PBX and external carriers
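As an added example (not jtel's own configuration or tooling), the following Python script renders an nftables ruleset that implements the inbound tables above on the stack VM: default-deny input, SSH only from the administrative networks, HTTP/HTTPS from anywhere, the SIP and RTP ports only from the allowlisted SBC, PBX and SIP-trunk addresses, and the optional SBC ports only when SBC peers are given. The page does not state which firewall tool the stack uses, so nftables is an assumption here, and the addresses in the script are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""Render an nftables inbound policy for a jtel Container Stack VM.

Added example, not jtel's own configuration. Ports come from the page's
inbound tables; nftables as the firewall tool and the addresses below are
assumptions / constructed placeholders.
"""
from ipaddress import ip_network

# Inbound services from the page's tables.
# (comment, protocol, port or port range, name of the allowed-source set; None = any source)
INBOUND = [
    ("SSH (system administration)",    "tcp", "22",          "admin_nets"),
    ("HTTP (redirects to HTTPS)",      "tcp", "80",          None),
    ("HTTPS (main web interface)",     "tcp", "443",         None),
    ("SIP signaling",                  "udp", "5060",        "sip_peers"),
    ("SIP signaling",                  "tcp", "5060",        "sip_peers"),
    ("SIP over TLS",                   "tcp", "5061",        "sip_peers"),
    ("RTP media",                      "udp", "30000-34999", "sip_peers"),
]
# Only emitted when an SBC is in use (the page lists these ports as optional).
SBC_INBOUND = [
    ("SBC SIP signaling",              "udp", "15060",       "sbc_peers"),
    ("SBC SIP signaling",              "tcp", "15060",       "sbc_peers"),
    ("SBC RTP media",                  "udp", "15000-15059", "sbc_peers"),
]


def validate_cidrs(cidrs):
    """Normalise allowlist entries and reject anything that is not a specific IPv4 source.

    A typo such as 0.0.0.0/0 in the SIP peer list would silently expose SIP and
    RTP to the whole internet, so a catch-all network is refused outright.
    """
    nets = []
    for entry in cidrs:
        net = ip_network(entry, strict=False)
        if net.version != 4:
            raise ValueError(f"only IPv4 sources are handled here: {entry}")
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all source {entry}")
        nets.append(str(net))
    return nets


def render_ruleset(admin_nets, sip_peers, sbc_peers=()):
    """Return an nftables ruleset (text) implementing the page's inbound tables."""
    sets = {
        "admin_nets": validate_cidrs(admin_nets),
        "sip_peers": validate_cidrs(sip_peers),
    }
    services = list(INBOUND)
    if sbc_peers:
        sets["sbc_peers"] = validate_cidrs(sbc_peers)
        services += SBC_INBOUND

    lines = ["table inet jtel_inbound {"]
    for name, elements in sets.items():
        if not elements:   # an empty set would silently lock out SSH or all SIP peers
            raise ValueError(f"{name} must contain at least one source")
        lines.append(f"    set {name} {{ type ipv4_addr; flags interval; "
                     f"elements = {{ {', '.join(elements)} }} }}")
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",   # block everything not listed
        "        iif lo accept",
        "        ct state established,related accept",              # replies to the VM's own outbound traffic
        "        ct state invalid drop",
    ]
    for comment, proto, port, source in services:
        match = f"ip saddr @{source} " if source else ""
        lines.append(f'        {match}{proto} dport {port} accept comment "{comment}"')
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed placeholder addresses (RFC 5737 documentation ranges), not real customer data.
    print(render_ruleset(
        admin_nets=["203.0.113.0/24"],                # jtel support / customer admin network
        sip_peers=["198.51.100.7", "198.51.100.8"],   # PBX and SIP trunk
    ))
```

Review the generated text and load it with `nft -f <file>` (or check it first with `nft -c -f <file>`). Because the SIP and RTP rules only match sources in the `sip_peers` set, adding a new PBX or trunk means adding its address to that set, which is exactly the "must be specifically allowed" step the General Information section describes.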

Firewall - Required Outbound Access

The customer's network firewall must allow the VM unrestricted outbound internet access to the following destinations:

Container Registry Access

Destination                               Port   Protocol   Purpose
dockerhub.jtel.de or jtelacr.azurecr.io   443    HTTPS      Pull Docker container images

Critical: Without registry access, the stack cannot start or update.

Azure Blob Storage (Backup)

Destination                 Port   Protocol   Purpose
*.blob.core.windows.net     443    HTTPS      Daily automated backups, disaster recovery

Git Repository Access

Destination     Port   Protocol   Purpose
bitbucket.org   22     SSH        Fetch configuration updates, GitOps workflow

Note: Used during initial provisioning and for configuration management.

Let's Encrypt (SSL Certificates)

Destination                      Port   Protocol   Purpose
acme-v02.api.letsencrypt.org     443    HTTPS      Automatic SSL certificate issuance and renewal

Operating System Updates

Destination                            Port      Protocol     Purpose
deb.debian.org, security.debian.org    80, 443   HTTP/HTTPS   Security updates, package installation

Azure OAuth2 (Optional)

Destination                   Port   Protocol   Purpose
login.microsoftonline.com     443    HTTPS      Azure AD authentication for VS Code Server

AI Services

Destination        Port   Protocol   Purpose
api.openai.com     443    HTTPS      GPT-based summarization, RAG chatbot (if enabled)
api.mistral.ai     443    HTTPS      Alternative LLM provider (if enabled)

Note: AI services are disabled by default.
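The DNS Requirements section and the outbound destinations above can both be verified from the VM before the stack is deployed. The following Python script is an added example, not part of the jtel documentation or tooling: it checks that <FQDN> and vscode.<FQDN> resolve to the VM's address and that every listed outbound destination accepts a TCP connection (a blocked or filtered destination shows up as a timeout, which the probe treats as unreachable). The resolver and the TCP probe are injectable parameters so the logic can be exercised offline; the storage account name used for the *.blob.core.windows.net wildcard is an assumption the operator has to supply, and the FQDN and VM address in the usage line are constructed placeholders.

```python
"""Preflight check for a jtel Container Stack VM: DNS records and outbound reachability.

Added example, not part of the jtel documentation or tooling. Host names and
ports come from the tables on this page; the FQDN, VM address and storage
account name passed on the command line are operator-supplied / constructed.
"""
import socket
import sys

# Required outbound destinations from the page: (host, port, purpose).
OUTBOUND = [
    ("dockerhub.jtel.de",            443, "container registry"),
    ("jtelacr.azurecr.io",           443, "container registry (Azure)"),
    ("bitbucket.org",                 22, "git repository (SSH)"),
    ("acme-v02.api.letsencrypt.org", 443, "Let's Encrypt"),
    ("deb.debian.org",               443, "OS updates"),
    ("security.debian.org",          443, "OS security updates"),
]
# Destinations the page marks as optional or disabled by default.
OPTIONAL_OUTBOUND = [
    ("login.microsoftonline.com",    443, "Azure OAuth2 (VS Code Server)"),
    ("api.openai.com",               443, "AI services"),
    ("api.mistral.ai",               443, "AI services"),
]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # DNS failure, connection refused and a filtered (timed-out) port all count as unreachable
        return False


def check_dns(fqdn, vm_ip, resolve=socket.gethostbyname):
    """Check the two names the page requires; returns {name: None or a problem description}."""
    results = {}
    for name in (fqdn, f"vscode.{fqdn}"):
        try:
            addr = resolve(name)
        except OSError as exc:
            results[name] = f"does not resolve ({exc})"
            continue
        results[name] = None if addr == vm_ip else f"resolves to {addr}, expected {vm_ip}"
    return results


def check_outbound(targets, probe=tcp_reachable):
    """Return the (host, port, purpose) entries that could not be reached."""
    return [(host, port, why) for host, port, why in targets if not probe(host, port)]


def preflight(fqdn, vm_ip, storage_account=None, include_optional=False,
              resolve=socket.gethostbyname, probe=tcp_reachable):
    """Run both checks; returns (all_ok, dns_results, unreachable_targets)."""
    dns = check_dns(fqdn, vm_ip, resolve)
    targets = list(OUTBOUND)
    if storage_account:   # the page lists a wildcard; the concrete account name must be supplied
        targets.append((f"{storage_account}.blob.core.windows.net", 443, "Azure Blob backup"))
    if include_optional:
        targets += OPTIONAL_OUTBOUND
    unreachable = check_outbound(targets, probe)
    all_ok = all(problem is None for problem in dns.values()) and not unreachable
    return all_ok, dns, unreachable


if __name__ == "__main__":
    # Usage: python3 preflight.py <FQDN> <VM-IP> [storage-account]
    if len(sys.argv) < 3:
        sys.exit("usage: preflight.py <FQDN> <VM-IP> [storage-account]")
    fqdn, vm_ip = sys.argv[1], sys.argv[2]
    account = sys.argv[3] if len(sys.argv) > 3 else None
    ok, dns, unreachable = preflight(fqdn, vm_ip, storage_account=account)
    for name, problem in dns.items():
        print(f"DNS {name}: {'ok' if problem is None else problem}")
    for host, port, why in unreachable:
        print(f"BLOCKED {host}:{port} ({why})")
    sys.exit(0 if ok else 1)
```

Run it on the VM as `python3 preflight.py acd.example.test 192.0.2.10 <storage-account>` (placeholder values). A non-zero exit code together with the BLOCKED lines tells the customer's firewall team exactly which destination from the tables above still has to be opened; the Critical note on registry access is the first thing this catches, because without it the stack cannot start at all.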

Legacy

Windows Machines

In some cases, for example for TAPI Monitoring services, a Windows machine may still be in use. In this case, the following ports must be opened so that the jtel service can access this machine:

Description     Protocol    Source         Port(s)   Destination    Port(s)   Description
Remote Access   TCP + UDP   jtel Support   Any       All Windows    3389      RDP remote access to Windows systems
