FAQs: Firewall

Yes. When using  third-party cloud a security platform, such as zScaler, Netskope, or Prisma, Genesys recommends bypassing the Genesys Cloud Media ranges and allowing media to flow directly over the Internet. This reduces latency, prevents issues caused by inspection and inspection, and eliminates a potential failure point. For more information, see the Genesys Cloud Media section of the IP addresses for the firewall allowlist article.

You should work with you cloud security platform vendor to create a compatible configuration to ensure there are no issues with Genesys Cloud media traffic. Especially, if you have internal requirements which require Genesys Cloud media to flow through your cloud infrastructure.

No. Genesys Cloud does not require any ports to be open for inbound access. The majority of the Genesys Cloud open port requirements are only for outbound access – not inbound access. More specifically, all client connections (including BYOC Premises Edges, WebRTC Clients, and hard phones for BYOC Cloud and Genesys Cloud Voice customers) to Genesys Cloud are initiated as outbound connections to Genesys Cloud’s cloud services.

The only use case in which a port would need to be open for inbound access in Genesys Cloud would be if you are using on-premises Edges on separate networks and there is a firewall between those Edges. For more information, see the Intra-Edge Group Communications section of the Ports and services for Edge devices under BYOC Premises article.

While Genesys Cloud configures the edge to work within the 16384-65535 port range for WebRTC communications, the Genesys Cloud WebRTC clients are not restricted to this port range. More specifically, an edge uses a port in the 16384-65535 range as the source port, but the WebRTC clients can use whatever port number is available for the destination port.

This means that if the WebRTC client responds using a port number outside the supported range, the edge still attempts to establish the audio connection using the provided port number. When the port number is outside the supported range, the WebRTC connection still succeeds unless that connection is blocked.

To bypass this problem, you can configure Genesys Cloud to use the TURN Behavior feature along with the GEO-Lookup feature. That way, even if the connection is blocked, the call can still succeed using the TURN service as a Relay. This works because the TURN service will always be within the supported port range. 

However, if the latency costs associated with using a TURN service in your specific region are too great, even with GEO-Lookup, you can use an alternative solution, which involves modifying your firewall settings.

Modifying your firewall settings allows the edge to communicate on whatever destination port the WebRTC client chooses. Making this modification would mean that the source port would be open to any port that the WebRTC client chooses. The destination port is still limited to the 16384-65535 port range. For more information, contact Genesys Cloud Product Support.

Yes, but Genesys Cloud currently only supports this configuration on HTTPS over Port 443 connections to the Genesys Cloud platform. All other connections are not supported by Genesys Cloud at this time.

For more information, see About ports and services for your firewall.

No. The Edge will not allow another device to intercept traffic. The Edge determines that this type of inspection is unsecure and shuts down the connection.

Yes. WebRTC can support this type of configuration, but it is not a practical.

To allow WebRTC to function with this type firewall/security device configuration, you would have to add all domains to your allowlist that the Edge resolves that your firewall/security device considers suspect. Doing so is problematic.

Genesys Cloud best practice specifies:

1. Do not configure your firewall to perform reverse lookups.
2. Do not add domain names to your allowlist.

The name 1e100.net is a valid Google domain name and identifies its servers. For more information, see Google Help.

This firewall issue can occur when an Edge resolves *.l.google.com to make a WebRTC call and then sends the request to the firewall/security device. If the firewall/security device performs a reverse lookup, it receives 1e100.net instead of *.l.google.com and the call fails.

The preferred way to avoid this issue is to disable the reverse lookup functionality on your firewall/security device.
The alternative, adding 1e100.net to your allowlist and all the records that accompany it is possible, but problematic.

Genesys Cloud best practice specifies:

1. Do not configure your firewall to perform reverse lookups.
2. Do not add domain names to your allowlist.

You have two options. You can simply open the required ports, which are outbound only, or you can upgrade your firewall.

This port range only needs to be opened for outbound connections. Genesys Cloud needs access to all of the ports in this range to ensure that the number of possible simultaneous media streams is sufficient. If these ports are not open for outbound connections, then any media that uses RTP may be intermittent or completely unavailable.

Yes, you could very well lose connectivity. The problem with not updating the entries is that issues can occur if some IP destinations are blocked while others are not. This could manifest itself as either a complete loss of service or intermittent loss of service.

Amazon/AWS sets aside a pool of public IP addresses for each region that it supports. Genesys Cloud servers in each of these regions are assigned IP address from those pools. For security and scalability reasons, Genesys Cloud servers are able to be added or removed at any given time. When this occurs, Amazon/AWS reassigns IP addresses to those servers from the respective pools. Therefore, allowing all the IP address ensures that Genesys Cloud servers will always stay connected in a secure and dynamic environment.

For more information, see the Domains and IP Addresses section of About ports and services for your firewall.

It is important to keep in mind that the majority of these open port requirements are only for outbound access – not inbound access. More specifically, all client connections (including BYOC Premises Edges, WebRTC Clients, and hard phones for BYOC Cloud and Genesys Cloud Voice customers) to Genesys Cloud are initiated as outbound connections to Genesys Cloud cloud services. When network access restrictions are used, such as a firewall, Genesys Cloud recommends allowing client outbound access on the specified ports to any IP destination.

Yes and No.

• Yes, Genesys recommends that port 19302 be open for Edges using WebRTC; however, it is not required. Edges use port 19302 to access Google’s STUN servers to get external IP addresses. In some rare circumstances, using the public Google STUN service helps establish calls more quickly. If port 19302 is not open, Genesys Cloud will use Genesys Cloud STUN and TURN services in AWS via port 3478
  
  
• No, port 19302 is not required for WebRTC clients. Each WebRTC client requires a STUN response and will attempt to use Genesys Cloud STUN (UDP/3478) and Google STUN (UDP/19302) in parallel to determine its own external IP address. Only one successful response from either service is required. If port 19302 is not open, WebRTC clients can still succeed with STUN response from the Genesys Cloud STUN servers. Although the port 19302 is optional, there is no way to disable the requests.

For more information, see About ports and services for your firewall.

The BYOC Cloud public SIP IP addresses article specifies that you must add all four of available public SIP IP addresses for your organizations region to your allowlist. If you only add some of them, you will encounter failed call attempts.

For example, if you only add two of the four IP addresses to your allowlist, roughly half of your call attempts will fail.

Genesys Cloud suggests leaving port 80 open to facilitate misconfigured redirects to port 443 (https). Closing port 80 would stop redirects, potentially leaving users with a confusing error state where the browser continues to attempt to connect to port 80 but no message is displayed.

There are various situations outside of our control where a client may attempt to connect through port 80, requiring a redirect. Some browsers may not default to https. Some users may manually enter the non-secure purecloud domain name. In these situations a redirect is required to force https so the client can connect to Genesys Cloud.

Fortunately, allowing port 80 does not introduce security risks since all traffic is redirected to port 443 (https) and Genesys Cloud uses HTTP Strict Transport Security (HSTS) headers.

For more information, see About ports and services for your firewall.

Call signaling and media are handled by separate services for resiliency and scaling purposes. Genesys Cloud’s media services are autoscaling microservice instances, which are instantiated or removed as needed based on platform load. These instances draw IP addresses from a pool of Genesys owned IP ranges, or a large pool of public addresses in AWS depending on the region. For more information, see the Domains and IP Addresses section of the About ports and services for your firewall article.

No. For PCI compliance, the service that executes web services data actions only communicates on port 443.

Genesys Cloud uses a range of ports for the secure transmission of streaming media, including screen recording. For more information, see Ports and services for Genesys Cloud clients.