Firewall and Proxy Settings

CxEngage and Skylight products require access to various domains for third-party services and integrations. These domains must be made accessible or allowed to ensure proper functioning of your contact center.

CxEngage Requirements
- Silent Monitoring
Skylight Requirement
- Additional Requirements for Skylight for Zendesk
- Additional Requirements for Skylight for Salesforce
WebRTC (Twilio Requirements)
- Domain/Proxy Exclusions
CxQM Requirements
Mitel MiCloud Business Client Firewall Configuration
Troubleshooting Heartbeat Issues

CxEngage Requirements

CxEngage requires the following domains to be allowed:

Requirement	Domain
REST API	North America: https://api.cxengage.net Europe: https://eu-west-1-prod-api.cxengage.net
SSO Login	https://identity.cxengage.net/
Sentry.io	35.188.42.15/32 Sentry is used for anonymous error reporting.
US-EAST-1 MQTT	a1oh2nojq98dtw-ats.iot.us-east-1.amazonaws.com
EU-WEST-1 MQTT	a1oh2nojq98dtw-ats.iot.eu-west-1.amazonaws.com
US-EAST-1 SQS	sqs.us-east-1.amazonaws.com
EU-WEST-1 SQS	sqs.eu-west-1.amazonaws.com
Configuration UI 2	North America: https://us-east-1-prod-config2.cxengage.net Europe: https://eu-west-1-prod-config2.cxengage.net
Flow Designer	North America: https://us-east-1-prod-designer.cxengage.net Europe: https://eu-west-1-prod-designer.cxengage.net
Historical Reporting	birst.cxengage.net
SDK	sdk.cxengage.net
Recordings and artifacts	s3.amazonaws.com
Fonts	fonts.googleapis.com fonts.gstatic.com
WebRTC Signaling for Twilio	http://media.twiliocdn.com/sdk/js/client/releases/<version>/twilio.min.js
Twilio's signaling addresses	*.twilio.com

Use the following table to identify the DNS addresses that need to be able to reach CxEngage:

DNS	Purpose
52.204.4.160	US-EAST-1 VPC
52.204.163.113	US-EAST-1 Lambda
52.18.0.2	EU-WEST-1 VPC
52.213.182.132	EU-WEST-1 Lambda
52.62.242.222	AP-SOUTHEAST-2 VPC
13.236.32.84	AP-SOUTHEAST-2 Lambda
54.172.60.0/23 34.203.250.0/23	Twilio [US-East-1]
104.20.107.27/32 104.20.106.27/32	Twilio [CDN/SDK]
34.192.0.0/12 52.0.0.0/8	AmazonAWS [IoT]

Silent Monitoring

Silent monitoring requires the following domains to be allowed:

Requirement	Domain
SDK	https://sdk.cxengage.net/js/agent/<version>/main.js
Twilio	http://media.twiliocdn.com/sdk/js/client/releases/<version>/twilio.min.js
MQTT	<integration endpoint>.iot.<region>.amazonaws.com or <integration endpoint>.iot.<region>-1.amazonaws.com Examples: North America: a1oh2nojq98dtw-ats.iot.us-east-1.amazonaws.com Europe: a1oh2nojq98dtw-ats.iot.eu-west-1.amazonaws.com
SQS	https://sqs.<region>.amazonaws.com
Access to Recordings, Transcripts, Notes, and artifacts	https://<region>-prod-cxengagelabs-artifacts.s3.amazonaws.com

Skylight Requirements

Skylight requires the following domains to be allowed:

Requirement	Domain
Skylight	North America: https://skylight.cxengage.net Europe: https://eu-skylight.cxengage.net/
Skylight Desktop	North America: https://skylight-desktop.cxengage.net Europe: https://eu-skylight-desktop.cxengage.net/
Skylight Legal Page	https://legal.cxengage.net
CxEngage API	North America: https://api.cxengage.net Europe: https://eu-west-1-prod-api.cxengage.net
SDK	https://sdk.cxengage.net/js/agent/<version>/main.js
SSO Login	https://identity.cxengage.net/
Twilio	http://media.twiliocdn.com/sdk/js/client/releases/<version>/twilio.min.js
MQTT	<integration endpoint>.iot.<region>.amazonaws.com or <integration endpoint>.iot.<region>-1.amazonaws.com Examples: North America: a1oh2nojq98dtw-ats.iot.us-east-1.amazonaws.com Europe: a1oh2nojq98dtw-ats.iot.eu-west-1.amazonaws.com
SQS	https://sqs.<region>.amazonaws.com
Recordings, transcripts, notes and artifacts	https://<region>-prod-cxengagelabs-artifacts.s3.amazonaws.com
Sentry error reporting	https://892f9eb6bb314a9da98b98372c518351@sentry.io/169686
Fonts	fonts.googleapis.com fonts.gstatic.com p.typekit.net

Additional Requirements for Skylight for Zendesk

In addition to the requirements for Skylight, Skylight for Zendesk also requires the following domains to be allowed:

Requirement	Domain
Zendesk	https://assets.zendesk.com/apps/sdk/<version>/zaf_sdk.js
Zendesk Widgets	https://sdk.cxengage.net/zendesk/<region>-<environment>/ticket.html https://sdk.cxengage.net/zendesk/<region>-<environment>/user.html

Additional Requirements for Skylight for Salesforce

In addition to the requirements for Skylight, Skylight for Salesforce also requires the following domains to be allowed:

Requirement	Domain
Salesforce (Classic)	https://login.salesforce.com/support/console/<version>/integration.js https://login.salesforce.com/support/api/<version>/interaction.js
Salesforce (Lightning)	https://login.salesforce.com/support/api/<version>/lightning/opencti_min.js

WebRTC (Twilio Requirements)

Twilio requirements can change without our notice; therefore, we recommend that in addition to following our guidelines, you also refer to Twilio's documentation for information about additional Twilio domains and IP addresses that must be allowed.

As of January 23, 2024 the Twilio firewall settings will change to the following global settings:

Media Range	UDP Port Range
168.86.128.0/18	10,000 to 60,000

Prior to January 23, 2024, use the following table to identify the Twilio firewall settings for each region:

Gateway	Signaling IP Addresses	Media IP Addresses
North America Virginia Gateways (US1)	54.172.60.0/30, which translates to: 54.172.60.0 54.172.60.1 54.172.60.2 54.172.60.3 Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)	54.172.60.0 - 54.172.61.255 34.203.250.0 - 34.203.251.255 Port Range: 10,000 to 20,000 (UDP)
Umatilla Oregon Gateways (US2)	54.244.51.0/24	54.244.51.0 - 54.244.51.255 Port Range: 1,024 - 65,535 (UDP)
Europe Ireland Gateways (IE1)	54.171.127.192/30, which translates to: 54.171.127.192 54.171.127.193 54.171.127.194 54.171.127.195 Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)	54.171.127.192 - 54.171.127.255 52.215.127.0 - 52.215.127.255 Port Range: 10,000 to 20,000 (UDP)
Europe Frankfurt Gateways (DE1)	35.156.191.128/30, which translates to: 35.156.191.128 35.156.191.129 35.156.191.130 35.156.191.131 Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)	35.156.191.128 - 35.156.191.255 3.122.181.0 - 3.122.181.255 Port Range: 10,000 to 20,000 (UDP)
Australia Gateways (AU1)	54.252.254.64/26 Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)	54.252.254.64 - 54.252.254.127 3.104.90.0 - 3.104.90.255 Port Range: 10,000 to 20,000 (UDP)
Singapore Gateways (SG1)	54.169.127.128/26 Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)	54.169.127.128 - 54.14.169.127.191 3.1.77.0 - 3.1.77.255 Port Range: 10,000 to 20,000 (UDP)
Japan Gateways (JP1)	54.65.63.192/26 Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)	54.65.63.192 - 54.65.63.255 3.112.80.0 - 3.112.80.255 Port Range: 10,000 to 20,000 (UDP)
Brazil Gateways (BR1)	177.71.206.192/26 Ports: 5060 (UDP/TCP), 5061 (TLS), 443 (HTTPS)	177.71.206.192 - 177.71.206.255 18.228.249.0 - 18.228.249.255 Port Range: 10,000 to 20,000 (UDP)

Domain / Proxy Exclusions

Use the following table to identify the Twilio addresses that CxEngage needs to be able to reach:

Component	Address	Client-Side Port	Server-Side Port	Protocol
Signaling	chunderw-gll.twilio.com chunderw-vpc-gll.twilio.com au1: chunderw-vpc-gll-au1.twilio.com br1: chunderw-vpc-gll-br1.twilio.com ie1: chunderw-vpc-gll-ie1.twilio.com jp1: chunderw-vpc-gll-jp1.twilio.com sg1: chunderw-vpc-gll-sg1.twilio.com us1: chunderw-vpc-gll-us1.twilio.com	Any	443	TCP
Presence	matrix.twilio.com	Any	443	TCP
RTP	Twilio IP Ranges	Any	10,000 - 20,000	UDP
Insights	eventgw.twilio.com		443	TCP

CxQM Requirements

These network settings are required for CxQM and need be allowed or reachable:

Component	Details
CxQM Domain	us-east-1-prod-cxqm-web.cxengage.net
IP Addresses	34.202.51.166 52.0.25.143 34.197.43.1 52.21.134.14 18.233.115.114 52.86.217.144 54.152.46.162 18.235.208.235
CxQM Ports	1505, 2303 (TCP/UDP)

Mitel MiCloud Business Client Firewall Configuration

There are commonly two modes of configuration for the customer firewall to support MiCloud Business IP sets:

Less restrictive, simplest configuration
Configure the firewall to allow all connections to and all responses from the MiCloud Data Center Public IP address Ranges.
More restrictive approach
Configure the firewall to allow the following MiCloud Public address ranges:
- Bi-directional TCP connection to destination port 6801 and 6802.
- Bi-directional TCP connections to destination ports 3998 and 6880.
- Incoming UDP from source ports 20000 to 31000.
- Outgoing UDP to destination ports 20000 to 31000.
- Bi-directional TCP connections to destination ports 35001 through 35007.
- Bi-directional TCP connections to destination ports 36000 through 36009.
- Incoming and outgoing UDP to port 5060, 5061 and optionally 6050.

MiCloud Public IP Address Ranges are 64.28.118.0/26 and 70.105.88.0/27.

Use the following table to identify the required port filters for CPE Router used with MiCloud Business:

Destination Port	Transport	Description	Function	DSCP	MiCloud Business
80	TCP	HTTP - Browsing	Application	0	Yes
443	TCP	HTTP - Browsing	Application	0	Yes
3998	TCP	SAC - Display phones	Signalling	26	Yes
5060	TCP	SIP Signalling	Voice	46	Yes
5061	TCP	SIP Signalling - TLS	Voice	46	Yes
6050	UDP	VOIP Testing	Voice	46	Diagnostic
6801	TCP	Secure Minet	Signalling	26	Yes
6802	TCP	Secure Minet	Signalling	26	Yes
6806	TCP	Console	Signalling	26	Yes
6807	TCP	Console	Signalling	26	Yes
6880	TCP	HTTPS - Browsing	Application	0	Yes
20000 to 31000	UDP	Voice Streaming	Voice	46	Yes
30000 to 60000	UDP	VOIP Testing Note that testing ports need only be opened if Mitel VOIP Assessment test is run.	Voice	46	Diagnostic
35001 to 35007	TCP	Telephony Applications	Signalling	26	Yes
36001 to 36009	TCP	Telephony Applications	Signalling	26	Yes
20001	UDP	TFTP	Application	0	Yes
48879	TCP	IPA Monitor Note that testing ports need only be opened if Mitel VOIP Assessment test is run.	Application	0	Diagnostic
50000 to 50511	UDP	Voice Streaming	Voice	46	Yes

Destination address ranges: 64.28.118.0/26 and 70.105.88.0/27

Troubleshooting Heartbeat Issues

If your system experiences agent connectivity issues, your installation might be experiencing heartbeat issues. Common examples of agent connectivity issues include agents being randomly logged out, call controls not functioning, or agents unable to wrap up interactions.

CxEngage heartbeat packets are sent every 30 seconds using tcp-443 to api.cxengage.net. To prevent heartbeat issues, ensure that the timeout settings on our firewall are not shorter than 30 seconds.

Accept Timeouts ("TCP start timeout")
Last ACK Timeouts ("TCP end timeout")

This troubleshooting suggestion is only one of the several approaches to troubleshoot connectivity issues. You could also implement explicit application QoS rules to accommodate the traffic from CxEngage and Twilio. See QoS Considerations for Twilio.