Firewall and Proxy Settings

CxEngage and Skylight products require access to various domains for third-party services and integrations. These domains must be made accessible or whitelisted in to ensure proper functioning of your contact center.

CxEngage Requirements

CxEngage requires the following domains to be whitelisted:

Requirement Domain
REST API https://api.cxengage.net
SSO Login https://identity.cxengage.net/
Sentry.io

35.188.42.15/32

Sentry is used for anonymous error reporting.

US-EAST-1 MQTT a1oh2nojq98dtw-ats.iot.us-east-1.amazonaws.com
EU-WEST-1 MQTT a1oh2nojq98dtw-ats.iot.eu-west-1.amazonaws.com
US-EAST-1 SQS sqs.us-east-1.amazonaws.com
EU-WEST-1 SQS sqs.eu-west-1.amazonaws.com
Historical Reporting birst.cxengage.net
SDK sdk.cxengage.net

Recordings and artifacts

s3.amazonaws.com
Fonts
  • fonts.googleapis.com
  • fonts.gstatic.com
WebRTC Signaling for Twilio http://media.twiliocdn.com/sdk/js/client/releases/<version>/twilio.min.js
Twilio's signaling addresses *.twilio.com

Use the following table to identify the DNS addresses that need to be able to reach CxEngage:

DNS Purpose
52.204.4.160 US-EAST-1 VPC
52.204.163.113 US-EAST-1 Lambda
52.18.0.2 EU-WEST-1 VPC
52.213.182.132 EU-WEST-1 Lambda
52.62.242.222 AP-SOUTHEAST-2 VPC
13.236.32.84 AP-SOUTHEAST-2 Lambda
54.172.60.0/23
34.203.250.0/23
Twilio [US-East-1]

104.20.107.27/32

104.20.106.27/32

Twilio [CDN/SDK]

34.192.0.0/12

52.0.0.0/8

AmazonAWS [IoT]

Silent Monitoring

Silent monitoring requires the following domains to be whitelisted:

Requirement Domain
SDK https://sdk.cxengage.net/js/agent/<version>/main.js
Twilio

http://media.twiliocdn.com/sdk/js/client/releases/<version>/twilio.min.js

MQTT

<integration endpoint>.iot.<region>.amazonaws.com

or

<integration endpoint>.iot.<region>-1.amazonaws.com

Examples:

  • North America: a1oh2nojq98dtw-ats.iot.us-east-1.amazonaws.com
  • Europe: a1oh2nojq98dtw-ats.iot.eu-west-1.amazonaws.com
SQS https://sqs.<region>.amazonaws.com
Access to Recordings, Transcripts, Notes, and artifacts https://<region>-prod-cxengagelabs-artifacts.s3.amazonaws.com

Skylight Requirements

Skylight requires the following domains to be whitelisted:

Requirement Domain
Skylight https://skylight.cxengage.net
Skylight Desktop https://skylight-desktop.cxengage.net
CxEngage API https://api.cxengage.net
SDK https://sdk.cxengage.net/js/agent/<version>/main.js
SSO Login https://identity.cxengage.net/
Twilio http://media.twiliocdn.com/sdk/js/client/releases/<version>/twilio.min.js
MQTT

<integration endpoint>.iot.<region>.amazonaws.com

or

<integration endpoint>.iot.<region>-1.amazonaws.com

Examples:

  • North America: a1oh2nojq98dtw-ats.iot.us-east-1.amazonaws.com
  • Europe: a1oh2nojq98dtw-ats.iot.eu-west-1.amazonaws.com
SQS https://sqs.<region>.amazonaws.com
Recordings, transcripts, notes and artifacts https://<region>-prod-cxengagelabs-artifacts.s3.amazonaws.com
Sentry error reporting

https://892f9eb6bb314a9da98b98372c518351@sentry.io/169686

Fonts
  • fonts.googleapis.com
  • fonts.gstatic.com
  • p.typekit.net

Additional Requirements for Skylight for Zendesk

In addition to the requirements for Skylight, Skylight for Zendesk also requires the following domains to be whitelisted:

Requirement Domain
Zendesk https://assets.zendesk.com/apps/sdk/<version>/zaf_sdk.js
Zendesk Widgets
  • https://sdk.cxengage.net/zendesk/<region>-<environment>/ticket.html
  • https://sdk.cxengage.net/zendesk/<region>-<environment>/user.html

Additional Requirements for Skylight for Salesforce

In addition to the requirements for Skylight, Skylight for Salesforce also requires the following domains to be whitelisted:

Requirement Domain
Salesforce (Classic)
  • https://login.salesforce.com/support/console/<version>/integration.js
  • https://login.salesforce.com/support/api/<version>/interaction.js
Salesforce (Lightning) https://login.salesforce.com/support/api/<version>/lightning/opencti_min.js

WebRTC (Twilio Requirements)

Twilio requirements can change without our notice; therefore, we recommend that in addition to following our guidelines, you also refer to Twilio's documentation for information about additional whitelisting of Twilio domains and IP addresses.

Use the following table to identify the Twilio firewall settings for each region:

Gateway Signaling IP Addresses Media IP Addresses
North America Virginia Gateways (US1)

54.172.60.0/30, which translates to:

  • 54.172.60.0
  • 54.172.60.1
  • 54.172.60.2
  • 54.172.60.3

    Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)

  • 54.172.60.0/23
  • 34.203.250.0/23

    Port Range: 10,000 to 20,000 (UDP)

Europe Ireland Gateways (IE1)

54.171.127.192/30, which translates to:

  • 54.171.127.192
  • 54.171.127.193
  • 54.171.127.194
  • 54.171.127.195

Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)

  • 54.171.127.192/26
  • 52.215.127.0/24

    Port Range: 10,000 to 20,000 (UDP)

Europe Frankfurt Gateways (DE1)

35.156.191.128/30, which translates to:

  • 35.156.191.128
  • 35.156.191.129
  • 35.156.191.130
  • 35.156.191.131

    Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)

35.156.191.128/25

Port Range: 10,000 to 20,000 (UDP)

Australia Gateways (AU1)

54.252.254.64/26

Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)

54.252.254.64/26

Port Range: 10,000 to 20,000 (UDP)

Singapore Gateways (SG1)

54.169.127.128/26

Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)

54.169.127.128/26

Port Range: 10,000 to 20,000 (UDP)

Japan Gateways (SG1)

54.65.63.192/26

Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)

54.65.63.192/26

Port Range: 10,000 to 20,000 (UDP)

Brazil Gateways (SG1)

177.71.206.192/26

Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)

177.71.206.192/26

Port Range: 10,000 to 20,000 (UDP)

Domain / Proxy Exclusions

Use the following table to identify the Twilio addresses that CxEngage needs to be able to reach:

Component Address Client-Side Port Server-Side Port Protocol
Signaling
  • chunderw-gll.twilio.com
  • chunderw-vpc-gll.twilio.com
  • au1: chunderw-vpc-gll-au1.twilio.com
  • br1: chunderw-vpc-gll-br1.twilio.com
  • ie1: chunderw-vpc-gll-ie1.twilio.com
  • jp1: chunderw-vpc-gll-jp1.twilio.com
  • sg1: chunderw-vpc-gll-sg1.twilio.com
  • us1: chunderw-vpc-gll-us1.twilio.com
Any 443 TCP
Presence matrix.twilio.com Any 443 TCP
RTP Twilio IP Ranges Any 10,000 - 20,000 UDP
Insights eventgw.twilio.com   443 TCP

Domain / Proxy Exclusions

Use the following table to identify the Twilio addresses that CxEngage needs to be able to reach:

Component Address Client-Side Port Server-Side Port Protocol
Signaling
  • chunderw-gll.twilio.com
  • chunderw-vpc-gll.twilio.com
  • au1: chunderw-vpc-gll-au1.twilio.com
  • br1: chunderw-vpc-gll-br1.twilio.com
  • ie1: chunderw-vpc-gll-ie1.twilio.com
  • jp1: chunderw-vpc-gll-jp1.twilio.com
  • sg1: chunderw-vpc-gll-sg1.twilio.com
  • us1: chunderw-vpc-gll-us1.twilio.com
Any 443 TCP
Presence matrix.twilio.com Any 443 TCP
RTP Twilio IP Ranges Any 10,000 - 20,000 UDP
Insights eventgw.twilio.com   443 TCP

Mitel MiCloud Business Client Firewall Configuration

There are commonly two modes of configuration for the customer firewall to support MiCloud Business IP sets:

  • Less restrictive, simplest configuration
    Configure the firewall to allow all connections to and all responses from the MiCloud Data Center Public IP address Ranges.
  • More restrictive approach
    Configure the firewall to allow the following MiCloud Public address ranges:
    • Bi-directional TCP connection to destination port 6801 and 6802.
    • Bi-directional TCP connections to destination ports 3998 and 6880.
    • Incoming UDP from source ports 20000 to 31000.
    • Outgoing UDP to destination ports 20000 to 31000.
    • Bi-directional TCP connections to destination ports 35001 through 35007.
    • Bi-directional TCP connections to destination ports 36000 through 36009.
    • Incoming and outgoing UDP to port 5060, 5061 and optionally 6050.

MiCloud Public IP Address Ranges are 64.28.118.0/26 and 70.105.88.0/27.

Use the following table to identify the required port filters for CPE Router used with MiCloud Business:

Destination Port Transport Description Function DSCP MiCloud Business
80 TCP HTTP - Browsing Application 0 Yes
443 TCP HTTP - Browsing Application 0 Yes
3998 TCP SAC - Display phones Signalling 26 Yes
5060 TCP SIP Signalling Voice 46 Yes
5061 TCP SIP Signalling - TLS Voice 46 Yes
6050 UDP VOIP Testing Voice 46 Diagnostic
6801 TCP Secure Minet Signalling 26 Yes
6802 TCP Secure Minet Signalling 26 Yes
6806 TCP Console Signalling 26 Yes
6807 TCP Console Signalling 26 Yes
6880 TCP HTTPS - Browsing Application 0 Yes
20000 to 31000 UDP Voice Streaming Voice 46 Yes
30000 to 60000 UDP VOIP Testing
Note that testing ports need only be opened if Mitel VOIP Assessment test is run.
Voice 46 Diagnostic
35001 to 35007 TCP Telephony Applications Signalling 26 Yes
36001 to 36009 TCP Telephony Applications Signalling 26 Yes
20001 UDP TFTP Application 0 Yes
48879 TCP

IPA Monitor

Note that testing ports need only be opened if Mitel VOIP Assessment test is run.

Application 0 Diagnostic
50000 to 50511 UDP Voice Streaming Voice 46 Yes

Destination address ranges: 64.28.118.0/26 and 70.105.88.0/27

Troubleshooting Heartbeat Issues

If your system experiences agent connectivity issues, your installation might be experiencing heartbeat issues. Common examples of agent connectivity issues include agents being randomly logged out, call controls not functioning, or agents unable to wrap up interactions.

CxEngage heartbeat packets are sent every 30 seconds using tcp-443 to api.cxengage.net. To prevent heartbeat issues, ensure that the timeout settings on our firewall are not shorter than 30 seconds.

  • Accept Timeouts ("TCP start timeout")
  • Last ACK Timeouts ("TCP end timeout")

This troubleshooting suggestion is only one of the several approaches to troubleshoot connectivity issues. You could also implement explicit application QoS rules to accommodate the traffic from CxEngage and Twilio. See QoS Considerations for Twilio.

Serenova Logo