Genesys Cloud CX

  • 1.  Do we still need to whitelist all AWS IP address for WebRTC? (if doing IP whitelisting outbound on firewall)

    Posted 01-22-2022 00:48
    It is my understanding that if you are whitelisting (outbound) IP addresses on firewall for WebRTC you need to include all the AWS IP addresses in the region of the Org https://ip-ranges.amazonaws.com/ip-ranges.json .
    Given that we now have the tighter defined CIDR range for media = 52.129.96.0/20 , please can I check if we still need to whitelist the full AWS IP range (+CIDR range) or the CIDR range suffices?
    Resource Centre reference = https://help.mypurecloud.com/articles/ip-addresses-for-the-firewall-allowlist/

    #Telephony

    ------------------------------
    Thanks and regards
    Blair Wilkinson
    CVT Global Enablement
    ------------------------------


  • 2.  RE: Do we still need to whitelist all AWS IP address for WebRTC? (if doing IP whitelisting outbound on firewall)

    Posted 01-22-2022 21:34
    A couple of things we have found.  First, WebRTC initially provisions over HTTPS (port 443) to your ORG's region and a TLS session is pinned up.  Once a call is established, it will transmit audio (RTP) over the media ports (udp/16384-32768) to the Genesys Cloud Media IPs (52.129.96.0/20).  We have had very few customers that have 443 blocked and most of them have no problem hitting the STUN ports on Google.  What I tell customers is to try the WebRTC phone and run the diagnostics first before going through the hassles of getting security to approve ports and IPs.

    ------------------------------
    Robert Wakefield-Carl
    Avtex Solutions, LLC
    Contact Center Innovation Architect
    robertwc@avtex.com
    https://www.Avtex.com
    https://RobertWC.Blogspot.com
    ------------------------------



  • 3.  RE: Do we still need to whitelist all AWS IP address for WebRTC? (if doing IP whitelisting outbound on firewall)

    Posted 01-23-2022 01:18
    Hello Robert, hope you are well.
    In this case WebRTC is blocked (diagnostics fail), client does IP whitelisting on their firewall outbound and their network team have questioned having to whitelist all AWS IP addresses in region...

    ------------------------------
    Thanks and regards
    Blair Wilkinson
    CVT Global Enablement
    ------------------------------



  • 4.  RE: Do we still need to whitelist all AWS IP address for WebRTC? (if doing IP whitelisting outbound on firewall)

    Posted 01-23-2022 02:09
    That depends on what fails.  If two-way audio is an issue, them opening the /20 range to the RTP ports should be enough.  If registration fails, then opening to the region of your ORG should be enough.  Where is the failure?

    ------------------------------
    Robert Wakefield-Carl
    Avtex Solutions, LLC
    Contact Center Innovation Architect
    robertwc@avtex.com
    https://www.Avtex.com
    https://RobertWC.Blogspot.com
    ------------------------------
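
The split described in the replies above (media to the /20 on the RTP ports, provisioning over 443 to the Org's region) can be checked against firewall deny logs before deciding which rule to request. This is an added example, not part of any post and not Genesys code; the region name, the log field names and the sample prefixes (documentation ranges, not real AWS ranges) are assumptions.

```python
import ipaddress
import json

# From the thread: Genesys Cloud media CIDR and the RTP port range quoted in post 2.
MEDIA_CIDR = ipaddress.ip_network("52.129.96.0/20")
RTP_PORTS = range(16384, 32769)  # udp/16384-32768 inclusive

# Constructed sample in the shape of ip-ranges.json; the prefixes are
# documentation ranges (not real AWS ranges) and the region is an assumption.
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "198.51.100.0/24", "region": "ap-southeast-2", "service": "AMAZON"},
  {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1",      "service": "AMAZON"}
]}
""")

def region_networks(ip_ranges, region):
    """Return the IPv4 networks that ip-ranges.json lists for one region."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in ip_ranges["prefixes"] if p["region"] == region]

def classify(flow, region_nets):
    """Map one denied outbound flow to the allowlist rule it would need."""
    ip = ipaddress.ip_address(flow["dst"])
    if flow["proto"] == "udp" and flow["port"] in RTP_PORTS and ip in MEDIA_CIDR:
        return "media"          # two-way audio: covered by the /20 alone
    if flow["proto"] == "tcp" and flow["port"] == 443 and any(ip in n for n in region_nets):
        return "region-https"   # provisioning/registration to the Org's region
    return "unrelated"          # neither rule would have allowed this flow

def summarize(denied_flows, ip_ranges, region):
    """Count denied flows per rule so the failing leg is visible at a glance."""
    nets = region_networks(ip_ranges, region)
    counts = {"media": 0, "region-https": 0, "unrelated": 0}
    for flow in denied_flows:
        counts[classify(flow, nets)] += 1
    return counts

# Constructed firewall deny entries (hypothetical field names).
DENIED = [
    {"dst": "52.129.100.7", "proto": "udp", "port": 20000},   # inside the /20
    {"dst": "198.51.100.25", "proto": "tcp", "port": 443},    # sample region prefix
    {"dst": "203.0.113.9", "proto": "tcp", "port": 443},      # other region
    {"dst": "52.129.112.1", "proto": "udp", "port": 20000},   # just past the /20
]

if __name__ == "__main__":
    print(summarize(DENIED, SAMPLE_IP_RANGES, "ap-southeast-2"))
```

A non-zero "media" count with zero "region-https" points at the two-way audio case, where the /20 rule is the one to request; the reverse points at registration.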



  • 5.  RE: Do we still need to whitelist all AWS IP address for WebRTC? (if doing IP whitelisting outbound on firewall)

    Posted 02-22-2022 20:29
    Edited by Mark Goldsmith 02-22-2022 20:29
    Blair,

    Did you happen to learn whether those AWS IP addresses are still required?

    I have run into the same issue and plan to try whitelisting just the Genesys Cloud Media IPs (52.129.96.0/20) because that's an "easy" conversation to have with my security team, versus whitelisting the set of AWS IP addresses which is a short conversation.

    Would love to know in advance whether Genesys Cloud Media IPs were enough in your region.

    Thanks
    Mark


    ------------------------------
    Mark Goldsmith
    NTT Australia Pty Ltd.
    ------------------------------