Local Network Setup FAQ

[administrator]

Network Basics
All phones need to be able to communicate out to the following destination ports and protocols.

UDP: 5060, 5080, 10000 - 20000
TCP: 80, 443, 5061, 5081

These outbound connections will originate from random source ports at each device. The connection must not be closed by your firewall for a minimum of 150 seconds, the longer the better. If the connection is closed, then the inbound signaling traffic to the phone will not reach the phone resulting in missed phone calls, inability to answer ringing calls, and/or unpredictable BLF (busy lamp field) behavior among many other things.
If needed, a list of Q5 public IP addresses currently in use can be provided, but it is not advisable to limit outbound traffic of the phones based upon destination IP to prevent future problems as new data-centers and/or network providers are added.
Encryption
Whenever and where ever possible we use encryption on our signaling and audio traffic. DO NOT ALLOW YOUR FIREWALL TO ATTEMPT TO DECRYPT THE TRAFFIC FOR INSPECTION. This traffic is extremely sensitive to delay and this will result in many problems. There may also be times, for troubleshooting purposes we will need to disable encryption. In this event, it is imperative that VoIP/SIP fix-ups and transformations not be applied by the firewall. This is typically a simple on/off setting which should always be off.
Basic “QoS”
Traffic shaping / bandwidth management can be used to attempt to limit occurrences of high internet usage interfering with your voice traffic. 200kbps per phone should be more than adequate provided that your ISP is providing reliable throughput on your internet connection.
Advanced QoS
If your network equipment allows, traffic traversing the firewall to the specified ports except for 80, and 443 should be assigned and treated with the highest priority. The phones automatically assign DSCP of 46 (101110) class EF, but traffic coming in on your internet connection will likely have this data removed, and if possible should be re-assigned upon ingress to ensure proper handling inside your network.
Other
DO NOT LOAD BALANCE VOICE TRAFFIC. In order to accommodate devices behind a NAT, we send RTP(voice) packets to the IP address, and destination port which we receive the traffic from. It is a different port pair from the signaling which sets up the call, therefore we will not be able to associate the audio of a call coming from a different IP address than the signaling.