What are the wifi calling firewall ports and destination IP addresses
I need to get the WiFi calling firewall ports and destination IP addresses to add to my corporate firewall. We are trying to allow our users to make WiFi calls since the Verizon coverage is not very good in our building.
I already know some of the ports are UDP 500 and UDP 4500. I need to know if there are any more ports and what the destination IPs are, or the FQDN would work as well.
This is an example from ATT https://www.att.com/esupport/article.html#!/wireless/KM1114459?gsi=FUwZG6c
PCOVELL74, We understand the importance of using Wi-Fi calling; we're here to help. The requested information must come from your ISP (Wi-Fi) provider. Is your company using Fios for the Internet?
Trinette_VZW
Follow us on TWITTER @VZWSupport
If my response answered your question please click the _Correct Answer_ button under my response. This ensures others can benefit from our conversation. Thanks in advance for your help with this!!
"Negative Ghost Rider"
I am the employer, therefore I provide the internet to our employees and say where they can and cannot go.
Our company uses multiple ISPs so who provides us internet will make no difference as I am the one under control of our corporate firewall. And I am the one who restricts access through it.
If you don't understand my original question, please step this up to level 2 or 3 support.
This is not that difficult of a question. Both ATT and T-Mobile give this information freely out on the internet. This should not be that hard for Verizon as well.
Here is ATT
https://www.att.com/esupport/article.html#!/wireless/KM1114459?gsi=OTUFR_I
Here is T-mobile
PCOVELL74, I fully understand your request over the firewall ports and destination IP addresses requested. As you're in charge of helping facilitate the internet connection, I know it's vital you have all the correct configurations on hand so your Verizon users can use Wi-Fi Calling.
At this time, we don't have an internal or public resource I can provide you with to fully confirm all the ports and IP addresses Verizon Wireless may use. Truthfully, no one via Verizon Customer Service or Tech Support would be able to answer this question and I'm the highest level of Tech Support. I wish I had better news and am surprised myself we don't have this information available to the public. Going forward as I do want to see a resolution to this, I will lift this concern up to the appropriate support team so that I can provide you with any information we can gather. Please allow me 2 to 3 business days to follow up with you directly. Thank you.
Alan_VZW
I found this Verizon article online. Looks to be for Verizon wireless extenders.
Unblock Ports / IP Addresses - Verizon Wireless Network Extender | Verizon Wireless
Some of these ports are the same that T-mobile and ATT are using. 500 and 4500 which are for IKE and IPSEC. That would make sense since it's needed to create the VPN tunnel for the call.
53 is DNS
123 is NTP
5242 I'm not sure about. Must be some random port just used by Verizon.
They are also recommending access to these FQDNs (sg.vzwfemto.com) and (gps.vzwfemto.com) with a list of IP addresses
I'm going to allow outbound access on ports 500, 4500, and 5242 only to these domain names and see what it does.
If you guys @ Verizon do some more research to back this up, that would be helpful.
PCOVELL74, Thanks so much for your patience while I did some extra research for your firewall ports and IP addresses request.
The corporate Wi-Fi needs to allow clear access to the Internet and their devices must not have restrictions on Internet access. For Wi-Fi networks that block VPN traffic, they will need to ensure ports 500 and 4500 are open for devices to connect to our ePDGs via IPSEC tunnels. IPSEC is the encryption used to secure these calls over the Internet. Corporate firewalls must allow ESP packets on any ports (0-65535) for both outbound and inbound directions.
In addition, to support 911 calls the corporate Wi-Fi also needs to support HTTPS protocol and its associated port 443. The URL the device client uses to register the emergency address is https://spg.vzw.com/SSFGateway/e911Location/changeAddress
The corporate Wi-Fi must also allow DNS access to the ePDG FQDN: wo.vzwwo.com
VoWiFi calls are carried within IPSEC tunnels. The key protocols to support the IPSEC tunnel are IKEv2 (Internet Key Exchange Version 2, RFC 5996), ESP (IP Encapsulating Security Payload, RFC 4303), and UDP Encapsulation of IPsec ESP Packets (RFC 3948). The enterprise Wi-Fi network/ISP must ensure they do not block these protocols and the corresponding ports used by these protocols. This is all the information we have regarding our available IPs, ports and protocol. I hope this information is helpful going forward.
Alan_VZW
Surely by now, Verizon has gotten their act together. We provide Wi-Fi access to many people in many different locations. We need to be able to block a lot of internet activity for security reasons. We also need to allow Verizon Wi-Fi Calling and Text Messaging. I have been able to get this info from the other 'big 2' companies. Can you please provide a link where this is listed - perhaps in a private message if you are worried about releasing this information. Or perhaps a contact to where we can get this information.
Throw them on a VLAN with IPSec pass-through enabled. Or static map the MACs and create a specific rule. If these parameters are too broad, do what the rest of us do and capture ports from the firewall logs.
As you may have been able to piece together from the other responses, it would appear that an IPsec (NAT-T) connection is established. I found this to be the case on a (Verizon) iPhone, as well as a (Verizon) Android, and even a (non-Verizon) Android.
So it would appear that the phone connects with UDP port 4500, on a server of its choice. I am not sure how to determine what the possible universe of IP addresses that might be used would be. But many firewalls would be able to allow the outgoing "connection", and by virtue of that, also allow the incoming responses to it.
Good luck!
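Added example (not part of any post in this thread, and not Verizon's code): RFC 3948, cited above, carries IKE, ESP and NAT keepalives on the same UDP port 4500, and the first bytes of each datagram tell them apart. This sketch classifies UDP payloads seen on ports 500 and 4500; the helper names, SPIs and sample payloads are constructed for illustration.

```python
import struct

# IKE header: SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
IKE_HDR = struct.Struct("!8s8sBBBBII")
IKE_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: precedes IKE messages on UDP 4500


def parse_ike(data):
    """Describe an IKEv2 header, or return None if the bytes are not one."""
    if len(data) < IKE_HDR.size:
        return None
    _, _, _, version, exchange, _, _, length = IKE_HDR.unpack_from(data)
    if version >> 4 != 2 or length < IKE_HDR.size:
        return None
    return "IKEv2 " + IKE_EXCHANGES.get(exchange, "exchange %d" % exchange)


def classify(dport, payload):
    """Classify one UDP payload addressed to port 500 or 4500."""
    if dport == 500:
        return parse_ike(payload) or "not IKE"
    if dport != 4500:
        return "unrelated port"
    if payload == b"\xff":
        return "NAT-keepalive"  # single 0xFF byte keeps the NAT mapping alive
    if payload[:4] == NON_ESP_MARKER:
        return parse_ike(payload[4:]) or "malformed IKE"
    if len(payload) < 8:
        return "malformed"
    spi, seq = struct.unpack_from("!II", payload)
    # ESP is encrypted: only the SPI and sequence number are visible here.
    return "ESP spi=0x%08x seq=%d" % (spi, seq)


def sample_ike(exchange):
    """Constructed header-only IKEv2 message (made-up SPIs) for the demo."""
    return IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 33, 0x20, exchange, 0x08, 0, IKE_HDR.size)


SAMPLES = [  # constructed payloads, not captured traffic
    (500, sample_ike(34)),
    (4500, NON_ESP_MARKER + sample_ike(35)),
    (4500, b"\xff"),
    (4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 32),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify(port, data))
```

Any datagram on 4500 whose first four bytes are non-zero is reported as ESP, because the payload is encrypted; the result describes the framing only, not whether the remote peer is a carrier ePDG.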
I was curious if anyone got this. Have no idea how ATT and TMobile can provide this without issue OPENLY and an EASY Google search yet Verizon can't provide this AT ALL.
If anyone has this it would be greatly appreciated. I found some other articles give some other IPs or the network extenders but nothing official from Verizon.
This is what I found in another article but seems like a lot of other IPs existed and nothing logical
----------------------------------------------------------------------------------------------------
Still haven't found any official documentation yet but I did some sleuthing and found the following needs to be enabled.
As @Weth noted, the Cisco document recommends the following ports need to be allowed outbound
udp/4500
udp 500
Only 2 Verizon IP addresses appear in the destination list, but not sure if they are regional.
141.207.225.232 - 232.sub-141-207-225.myvzw.com (Appears to be West coast)
141.207.227.232 - 232.sub-141-207-227.myvzw.com (Appears to be East coast)
We've enabled outbound traffic to these addresses on these ports and it works.
YMMV
