The purpose of this document is to inform enterprises of the network requirements for firewall and web proxy configuration for cloud-based Message Video Phone (MVP) Unified Communication Services to operate correctly.

2. IP supernets

The supernets (concatenated subnets) in Table 2.1 are advertised by the RingCentral cloud using the BGP routing protocol to support Unified Communication Services over the internet. These networks can be used to connect to the RingCentral cloud over the internet.

Table 2.1 - Advertised IP Supernets

66.81.240.0/20
80.81.128.0/20
103.44.68.0/22
104.245.56.0/21
185.23.248.0/22
192.209.24.0/21
199.68.212.0/22
199.255.120.0/22
208.87.40.0/22

Additional requirements apply for enterprises with private connections to the RingCentral cloud. Please contact RingCentral for more information.

To ensure that MVP services operate properly, your enterprise network must accept the supernets at all locations where unified communication services are used.

These supernets must be used by the enterprise network for:

Configuring firewall rules for signaling and media ports.
Configuring DSCP markings in IP packet headers according to the Quality of Service Guidelines (Section 7).
Selectively disabling Layer 7 device functions, such as Deep Packet Inspection for UDP traffic to and from the unified communication cloud (Section 7).

3. Whitelisting of domains, IP addresses, and ports

You may need to whitelist the destination ports in Table 3.1.1 for all of your enterprise firewalls and web proxies. Whitelisting these ports allows devices and applications to access supporting cloud services, domain names, and IP addresses.

You should whitelist only the set of services that you need. For example, if you don’t use the Live Reports portal, you need not whitelist the live.ringcentral.com domain.

You must always whitelist the following domains:

The RingCentral company website, which provides general information about RingCentral and its products, and does not require login.
The RingCentral Administrator/User Account portal, which authenticates admin and user access to underlying communication and administration services, including MVP and RingCentral Video (RCV).
RingCentral discovery service API, which:
- Allows client applications to dynamically discover the correct .com and .biz API domains before a user logs in.
- Points to the Login Process service. After the Login service authenticates an admin or user, the Discovery service API uses configured account data to determine the appropriate API domain.
Service web portal, which provides access to administration and unified communication services.
The Analytics portals, which provide account admins with unified communication service data about the RingCentral MVP system. This data can help admins understand the current state of the system, and to troubleshoot certain issues.
The Live Reports portals, which provide access to real-time call center performance data.

Note: The Analytics and Live Reports portals may be country-specific to comply with data-locality requirements. If you only access these portals for Canadian accounts, for example, then you need only whitelist these portals’ Canadian domain names.

Table 3.1.1 - Common cloud services
Purpose	Application protocol	Domain name/IP addresses	Destination ports
Company website	HTTPS	www.ringcentral.com	TCP\443
Service status portal	HTTPS	status.ringcentral.com	TCP\443
Accounts management portal	HTTPS	accounts.ringcentral.com	TCP\443
Administrator/User account portal	HTTPS	login.ringcentral.com	TCP\443
Discovery service API	HTTPS	discovery.ringcentral.biz	TCP\443
Service web portal	HTTPS	service.ringcentral.com	TCP\443
Analytics portal	HTTPS	analytics.ringcentral.com 35.190.70.192	TCP\443
Analytics portal - Canada	HTTPS	analytics.ringcentral.ca 34.102.174.25	TCP\443
Live Reports portal	HTTPS	live.ringcentral.com 35.190.70.192	TCP\443
Live Reports portal - Canada	HTTPS	live.ringcentral.ca 35.201.103.66	TCP\443

3.2 Endpoints

This section provides endpoint-specific tables for domain names, supernets, and a range of cloud destination ports for various types of communication services traffic, including media, signaling, and registration traffic.

The RingCentral cloud does not initiate any session toward customer endpoints. All sessions are initiated from an endpoint toward RingCentral’s cloud communication services.

Please note the following endpoint table guidelines for firewall and web proxy configuration:

The endpoint tables do not specify cloud destination ports, since port range is operating-system-dependent, and ports are dynamically selected by the operating system.
The tables provide modular sets of requirements for firewall control to support different mixes of RingCentral endpoint deployments. They do not necessarily match 1:1 with RingCentral product definitions since, for example, RingCentral Video can be used with RingCentral MVP as well as a stand-alone product. For this reason, a separate table, Table 3.2.2, lists the endpoints for RingCentral Video mobile, desktop, and web. This table factors out the specific firewall requirements for video service.
In creating your firewall configurations, you need only refer to the tables for the endpoints that you actually use. For example, if you don’t use hardphones, you may ignore the hardphone table.
Rows in the port table are generally ordered from highest QoS traffic priority (media) to lowest QoS traffic priority (supporting data service).
Different endpoint tables may contain the same domain names or port ranges when they are shared. As well, these duplications in different tables ensure that each endpoint can be deployed independent of other endpoint types. If you deploy multiple endpoints that require the same domain and associated ports to be whitelisted, then you need configure only one whitelist or access rule instance in the firewall.
You may use the RingCentral MVP mobile app on a mobile operator network or a WiFi network.
- On a mobile operator network on which traffic only traverses the internet to RingCentral communication services, firewall configuration is irrelevant.
On an enterprise WiFi network on which you’re configuring a firewall for the MVP mobile app, refer to Table 3.2.1.

3.2.1 RingCentral desktop, web, and mobile app

Table 3.2.1 - RingCentral desktop, web, and mobile app
Purpose	Application protocol	Domain name/IP addresses	Destination ports
Media/media secured and media access control	RTP/SRTP (DTLS) and STUN	IP supernets or *.ringcentral.com	UDP\20000-64999 and UDP\19302
Signaling mobile app	SIP/TCP	IP supernets	TCP\5091
Signaling secured mobile app	SIP/TLS	IP supernets	TCP\5097
Signaling secured mobile app	SIP/WSS/TLS	IP supernets	TCP\443
Signaling secured desktop and web app	SIP/WSS/DTLS	IP supernets	TCP\8083
IOVATION SDK for two-factor login	HTTPS	mpsnare.iesnare.com	TCP\443
Application file upload and download	HTTPS	glip-vault-1.s3.amazonaws.com glip-vault-1.s3-accelerate.amazonaws.com	TCP\443
Log file upload	HTTPS	www.filestackapi.com	TCP\443
Application service API	HTTPS	*.ringcentral.com	TCP\443
Messaging service API	HTTPS	*.glip.com mvp.ringcentral.com dl.mvp.ringcentral.com	TCP\443
Presence status, call log notifications, and voicemail notifications	HTTPS	ringcentral.pubnubapi.com ringcentral-0.pubnubapi.com ringcentral-1.pubnubapi.com ringcentral-2.pubnubapi.com ringcentral-3.pubnubapi.com ringcentral-4.pubnubapi.com ringcentral-5.pubnubapi.com ringcentral-6.pubnubapi.com ringcentral-7.pubnubapi.com ringcentral-8.pubnubapi.com ringcentral-9.pubnubapi.com	TCP\443
Android application push notifications	HTTPS	mtalk.google.com	TCP\443, 5228, 5229, 5230
iOS application push notifications	HTTPS	api.push.apple.com	TCP\443, 2197, 5223
Messaging content support	HTTPS	api.giphy.com media0.giphy.com media1.giphy.com media2.giphy.com media3.giphy.com media4.giphy.com	TCP\443
Software and provisioning updates	HTTPS	*.cloudfront.net	TCP\443
RingCentral video mobile, desktop, and web application	Add Table 3.2.2

3.2.2 RingCentral Video mobile, desktop, and web application

Note:

RingCentral Video uses the Connect platform API for user authentication and communication session control.
The Statistics collector publishes detailed statistics about calls. The Analytics Portal (Table 3.1.1) uses a subset of the data extracted by the statistics collector.
You don’t need to whitelist the RCV web client application if you’re only using the desktop and mobile version of the RCV app.
You should whitelist the network connectivity test application to allow RCV app users to test their network connections.

Table 3.2.2 - RingCentral Video mobile, desktop, and web application
Purpose	Application protocol	Domain name/IP addresses	Destination ports
Media secured	SRTP	IP supernets or *.v.ringcentral.com	UDP\10000-19999 (default)
Media secured	SRTP	IP supernets or *.v.ringcentral.com	TCP\443 (when UDP is not available - should not be used regularly, as it can affect voice quality)
Signaling secured	HTTPS/WSS/TLS	IP supernets or*.ringcentral.com	TCP\443
Web client application	HTTPS	v.ringcentral.com	TCP\443
Parser configuration for meeting link verification for mobile phones	HTTPS	media.ringcentral.com	TCP\443
Connect platform API	HTTPS	api-meet.ringcentral.com api.ringcentral.com api-mucc.ringcentral.com (mobile device)	TCP\443
Statistics collector	HTTPS	edr.ringcentral.com	TCP\443
Presence status, call log notifications, and voicemail notifications	HTTPS	ringcentral.pubnubapi.com ringcentral-0.pubnubapi.com ringcentral-1.pubnubapi.com ringcentral-2.pubnubapi.com ringcentral-3.pubnubapi.com ringcentral-4.pubnubapi.com ringcentral-5.pubnubapi.com ringcentral-6.pubnubapi.com ringcentral-7.pubnubapi.com ringcentral-8.pubnubapi.com ringcentral-9.pubnubapi.com	TCP\443
Application configuration	HTTPS	downloads.ringcentral.com	TCP\443
Application download and update	HTTPS	app.ringcentral.com	TCP\443
Feature enablement control	HTTPS	*.launchdarkly.com app.launchdarkly.com events.launchdarkly.com clientstream.launchdarkly.com mobile.launchdarkly.com	TCP\443
Network connectivity test application - part of RCV	HTTPS	rcv.testrtc.com which uses: api.nettest.testrtc.com kong.testrtc.com .turn.testrtc.com .speed.testrtc.com	TCP\443 UDP\443

3.2.3 RingCentral Webinar

RingCentral Webinar relies on two clients:

Webinar host client: Used by a webinar session’s host, cohosts, and panelists.
Webinar attendee client: Used only by webinar attendees.

For both of these clients, apply the whitelistings from Table 3.2.3 when configuring your enterprise firewall.

Note:

RingCentral Webinar is based on RingCentral Video.
If you’ve already whitelisted Cloudfront for the RingCentral MVP mobile, desktop, and web application (Section 3.2.1), then you need not whitelist it again.

Table 3.2.3 - RingCentral Webinar host client and attendee client
Purpose	Application Protocol	Domain Name/IP Addresses	Destination Ports
RingCentral Video	Add Table 3.2.2
Fetch webinar session live streaming media segments	HTTPS	*.cloudfront.net	TCP\443

3.2.4 RingCentral Video Rooms

Table 3.2.4 - RingCentral Video Rooms
Purpose	Application protocol	Domain name/IP addresses	Destination ports
Media secured	SRTP	IP supernets	UDP\10000-19999 (default)
Media secured	SRTP	IP supernets	TCP\443 (if UDP is not available - should not be used regularly, as it affects voice quality)
Signaling secured	HTTPS	IP supernets	TCP\443
SIP registration service	HTTPS/TLS	*.ringcentral.com	TCP\8085-8090
Rooms host device	HTTPS	Internal enterprise assigned private IP address (no WAN firewall traversal)	TCP\9520-9530
Login portal	HTTPS	v.ringcentral.com	TCP\443
Notifications	HTTPS	ringcentral.pubnubapi.com ringcentral-0.pubnubapi.com ringcentral-1.pubnubapi.com ringcentral-2.pubnubapi.com ringcentral-3.pubnubapi.com ringcentral-4.pubnubapi.com ringcentral-5.pubnubapi.com ringcentral-6.pubnubapi.com ringcentral-7.pubnubapi.com ringcentral-8.pubnubapi.com ringcentral-9.pubnubapi.com	TCP\443
Software and provisioning updates	HTTPS	*.ringcentral.com	TCP\443

3.2.5 RingCentral Video with Room Connector

You must whitelist the relevant region-independent domain name. Domain names need only be whitelisted when a Room Connector is used in the indicated region.

Table 3.2.5 - RingCentral Video with Room Connector
Purpose*	Application protocol	Domain name/IP addresses	Destination ports
Media	RTP/SRTP	IP supernets	UDP\10000-19999
Signaling	SIP	Region-independent: sip.rcv.com US West: ws.rcv.com US East: es.rcv.com Netherlands: nld.rcv.com Germany: deu.rcv.com South Africa: zaf.rcv.com Singapore: sgp.rcv.com Australia: aus.rcv.com Japan: jpn.rcv.com	UDP\5060 or TCP\5060
Signaling secured	SIP/TLS	Region-independent: sip.rcv.com US West: ws.rcv.com US East: es.rcv.com Netherlands: nld.rcv.com Germany: deu.rcv.com South Africa: zaf.rcv.com Singapore: sgp.rcv.com Australia: aus.rcv.com Japan: jpn.rcv.com	TCP\5061

* Customer video devices determine whether connectivity is secured or unsecured.

3.2.6 RingCentral desk, conference, and cordless phones

Some third-party devices, such as the Poly IP7000 speakerphone, do not support signaling or media encryption. Such devices should be avoided in a deployment that requires complete security.
No separate ports are specified for Busy Lamp Appearance (BLA), since BLA uses the signaling ports and standard SIP NOTIFY packets.

Table 3.2.6 - RingCentral desk, conference and cordless phone
Purpose	Application protocol	Domain name/IP addresses	Destination ports
Media and media secured	RTP/SRTP	IP supernets	UDP\20000-64999
Signaling	SIP	IP supernets	TCP\5090, TCP\5099 UDP\5090, UDP\5099
Signaling secured	SIP/TLS	IP supernets	TCP\5096, TCP\5098**
Network time service	NTP	ntp1.ringcentral.com and ntp2.ringcentral.com (within the supernets)	UDP\123
LDAP directory service	LDAP	cd.ringcentral.com (within the supernets)	TCP\636
Poly phones provisioning and firmware update	HTTPS	Provisioning: pp.ringcentral.com ztp.polycom.com Firmware update: pp.s3.ringcentral.com	TCP\443
Cisco phones provisioning and firmware update	HTTPS	cp.ringcentral.com	TCP\443
Yealink phones provisioning and firmware update	HTTPS	rps.yealink.com yp.ringcentral.com yp.s3.ringcentral.com	TCP\443
Unify phone provisioning and firmware update	HTTPS	Provisioning: cloud-setup.com Firmware update: unf.ringcentral.com	Provisioning: TCP\18443 Firmware update: TCP\443
Mitel phones provisioning and firmware update	HTTPS	Zero-touch provisioning: rcs.aastra.com Provisioning: mtl.ringcentral.com Firmware update: mtl.s3.ringcentral.com	TCP\443
SNOM phones provisioning and firmware update	NA	NA	NA

RingCentral desk, conference and cordless phone

**Ports 5098 and 5099 should be opened for Busy Lamp Appearance only when you’re using line sharing.

3.2.7 RingCentral desktop softphone application

Table 3.2.7 - RingCentral desktop softphone application
Purpose	Application protocol	Domain name/IP addresses	Destination ports
Media and media secured	RTP/SRTP	IP supernets	UDP\20000-64999
Signaling	SIP	IP supernets	TCP\5091
Signaling secured	SIP/TLS	IP supernets	TCP\5097
Presence status, call log notifications, and voicemail notifications	HTTPS	ringcentral.pubnubapi.com ringcentral-0.pubnubapi.com ringcentral-1.pubnubapi.com ringcentral-2.pubnubapi.com ringcentral-3.pubnubapi.com ringcentral-4.pubnubapi.com ringcentral-5.pubnubapi.com ringcentral-6.pubnubapi.com ringcentral-7.pubnubapi.com ringcentral-8.pubnubapi.com ringcentral-9.pubnubapi.com	TCP\443
Software and provisioning updates	HTTP/HTTPS	*.ringcentral.com	TCP\80 TCP\443
Platform API for user authentication and call features	HTTPS	api-sp.ringcentral.com	TCP\443
Platform API for media services (for transferring media files: voice recordings, faxes, transcriptions, profile and contact information)	HTTPS	media.ringcentral.com	TCP\443
Google services (contacts and calendar)	HTTPS	accounts.google.com www.google.com www.googleapis.com	TCP\443

3.2.8 RingCentral mobile softphone application

Table 3.2.8 pertains to the use of the RingCentral mobile softphone app on a WiFi network.

Table 3.2.8 - RingCentral mobile softphone application
Purpose	Application protocol	Domain name/IP addresses	Destination ports
Media	RTP/SRTP	IP supernets	UDP\20000-64999
Signaling	SIP	IP supernets	TCP\5091 UDP\5091
Signaling secured	SIP/TLS	IP supernets	TCP\5097 TCP\443
Signaling (IPv6 client)	SIP/TLS	IP supernets	TCP\5090-5098 TCP\443
SIP registration service	HTTPS	*.ringcentral.com	TCP\443
Application presence status, call log notifications, and voicemail notifications - used in Android, not in iOS	HTTPS	ringcentral.pubnubapi.com ringcentral-0.pubnubapi.com ringcentral-1.pubnubapi.com ringcentral-2.pubnubapi.com ringcentral-3.pubnubapi.com ringcentral-4.pubnubapi.com ringcentral-5.pubnubapi.com ringcentral-6.pubnubapi.com ringcentral-7.pubnubapi.com ringcentral-8.pubnubapi.com ringcentral-9.pubnubapi.com	TCP\443
Data synchronization with cloud (e.g., call log info, presence, and voicemails)	HTTPS	api-mob.ringcentral.com	TCP\443
Soft clients software and provisioning updates	HTTPS	*.cloudfront.net	TCP\443

3.3 RingCentral Archiver

RingCentral Archiver is a cloud-side integration that allows administrators to copy call content to a long-term, enterprise-owned repository. Copied content includes recordings, voicemail, fax, and text messages. Archiver ensures that data is retained over a long period of time, and that it meets local data residency and regulatory retention requirements.

Table 3.3.1 - RingCentral Archiver
Purpose	Application protocol	Domain name/IP addresses	Destination ports
Content archiving	HTTPS	For Box, Dropbox, Google Drive, and Smarsh archiving systems	TCP\443 (does not traverse enterprise network)
Content archiving	SFTP	For archiving to an enterprise SFTP server, the following SFTP client IP addresses must be whitelisted: 3.211.163.136 3.223.170.110 34.225.218.68 34.226.29.169 34.234.210.244 34.236.210.8 34.239.13.99 35.172.123.110 52.87.7.127 54.80.51.95 54.147.91.15 Any of these IP addresses may dynamically be selected by the RingCentral SFTP client to connect to an enterprise SFTP server.	TCP\22

3.4 SIP trunks

Table 3.4.1 - SIP trunks
Purpose	Application protocol	IP addresses	Destination ports
Media	RTP	Public IP addresses to be provided by RingCentral during project definition.	UDP\1024-65535
Signaling	SIP	UDP\5060 TCP\5061-5065

Table 3.4.1 - SIP trunks

Purpose

Application protocol

IP addresses

Destination ports

Media

RTP

Public IP addresses to be provided by RingCentral during project definition.

UDP\1024-65535

Signaling

SIP

UDP\5060

TCP\5061-5065

3.5 Communication integration services

Enterprises can use MVP and RCV communication integration services to develop soft-endpoint communication clients.

Table 3.5.1 summarizes the programmatic communication integration services that allow enterprises to build their own soft endpoint clients.

Note:

You only need to whitelist the set of services that you use. For example, if you don’t use integration services, you need not whitelist that domain.
You must whitelist the Integration service API, which is the foundation API on which all communication integration services rely.
You must whitelist the endpoint registration service, which registers all integration services (WebRTC) endpoints with the RingCentral Cloud Communication Service.
The RCV scheduling service is used to create and manage RCV meetings.
The Microsoft Teams (Slack) integration service integrates services including MVP and RCV into Teams (Slack).
The platform APIs can be used to develop stand-alone applications (such as an outbound dialer), or applications that are embedded into existing business applications.
You should whitelist the stand-alone platform API and Embeddable platform API only if you actually implement applications based on these APIs.

Table 3.5.1 - Communication integration services
Purpose	Application protocol	Domain name/IP addresses	Destination ports
Integration service API	HTTPS	api-rcapps.ringcentral.biz api-rcapps.ringcentral.com	TCP\443
Endpoint registration service	HTTPS	sip*.ringcentral.com	TCP\8083
Video scheduling service	HTTPS	api-meet.ringcentral.com	TCP\443
Microsoft Teams integration service	HTTPS	teams.ringcentral.com	TCP\443
Slack integration service	HTTPS	slack.ringcentral.com	TCP\443
Stand-alone platform API	HTTPS	platform.ringcentral.com	TCP\443
Embeddable platform API	HTTPS	platform.ringcentral.com	TCP\443

4. Domain Name Service (DNS)

To function properly, all endpoints and services require internet-based DNS. For instance, endpoints rely on a DNS service to resolve the provisioning service domain name (e.g., pp.ringcentral.com).

If you use private DNS, it must perform forward-lookups to internet-based DNS.

5. Network Address Translation (NAT)

Network Address Translation/Port Address Translation functionality (generically referred to as NAT) is applied at the border between two networks to translate between address spaces, or to prevent the collision of IP address spaces.

You must configure a minimum NAT timeout to ensure proper operation of hardphones:

Cisco phones send a follow-up REGISTER refresh message every four minutes.
Poly phones re-register every five minutes. For these phones, you must set NAT entry expiration timeout to greater than five minutes.

6. Security software

You may need to configure your cloud-based security software (network firewalls and web proxies) to whitelist the domains listed in this document’s tables.

7. Quality of Service guidelines

You must follow the Quality of Service guidelines to ensure the proper prioritization of your traffic. Otherwise, either or both parties may experience intermittent issues with call control or media quality.

8. VLAN configuration guidelines

You must follow VLAN configuration guidelines must be followed to ensure that VLANs are properly configured for hard phones (section 3.2.6)

Network requirements | RingCentral MVP

Table of contents

1. Introduction

2. IP supernets

3. Whitelisting of domains, IP addresses, and ports

3.2 Endpoints

3.2.1 RingCentral desktop, web, and mobile app

3.2.2 RingCentral Video mobile, desktop, and web application

3.2.3 RingCentral Webinar

3.2.4 RingCentral Video Rooms

3.2.5 RingCentral Video with Room Connector

3.2.6 RingCentral desk, conference, and cordless phones

3.2.7 RingCentral desktop softphone application

3.2.8 RingCentral mobile softphone application

3.3 RingCentral Archiver

3.4 SIP trunks

3.5 Communication integration services

4. Domain Name Service (DNS)

5. Network Address Translation (NAT)

6. Security software

7. Quality of Service guidelines

8. VLAN configuration guidelines