Network requirements

Table of contents

1. Introduction

This document informs enterprises of the network requirements for firewall and web proxy configuration that cloud-based Message Video Phone (RingEX) Unified Communication Services require to operate correctly.

2. IP supernets

The supernets (concatenated subnets) in Table 2.1 are advertised by the RingCentral cloud using the BGP routing protocol to support Unified Communication Services over the internet. These networks can be used to connect to the RingCentral cloud over the internet.
Table 2.1 -  Advertised IP Supernets
 
  • 66.81.240.0/20

  • 80.81.128.0/20

  • 103.44.68.0/22

    103.129.102.0/23

  • 104.245.56.0/21

  • 185.23.248.0/22

  • 192.209.24.0/21

  • 199.68.212.0/22

  • 199.255.120.0/22

  • 208.87.40.0/22

 
Additional requirements apply for enterprises with private connections to the RingCentral cloud. Contact RingCentral for more information.
 
To ensure that RingEX services operate correctly, your enterprise network must accept the supernets at all locations where unified communication services are used.
 
The enterprise network must use the supernets for:
  • Configuring firewall rules for signaling and media ports.
  • Configuring DSCP markings in IP packet headers according to the Quality of Service Guidelines (Section 7).
  • Selectively disabling Layer 7 device functions, such as Deep Packet Inspection for UDP traffic to and from the unified communication cloud (Section 7).

3. Whitelisting of domains, IP addresses, and ports

3.1 Common cloud services

You may need to whitelist the destination ports in Table 3.1.1 for all of your enterprise firewalls and web proxies. Whitelisting these ports allows devices and applications to access supporting cloud services, domain names, and IP addresses.
 
You should whitelist only the set of services that you need. For example, if you don’t use the Analytics portal in Europe, you need not whitelist the analytics.ringcentral.eu domain.
 
The domains that resolve to supernet addresses (indicated as yes in column 3 of Table 3.1.1) do not need to be whitelisted, provided that the supernets are whitelisted in the tables in the endpoint section (Section 3.2).
 
You must always whitelist the following domains:
  • The RingCentral company website, which provides general information about RingCentral and its products, and does not require login.
  • The Service status portal, which provides an overview of RingCentral’s unified communication service availability.
  • The customer support domain, which provides access to resources for phone and app installation and configuration, release notes, community discussions, and escalations.
  • RingCentral Discovery Service API, which:
    • Allows client applications to dynamically discover the correct .com and .biz API domains before users log in.
    • Points to the login process service. After the Login service authenticates an admin or user, the Discovery service API uses configured account data to determine the appropriate API domain.
  • The Account federation management portal, which is only used when a customer has multiple accounts that are federated.
  • Service Web portal, which provides access to unified communication administration services,
  • The RingCentral Administrator/User Account portal, which authenticates admin and user access to underlying communication and administration services, including RingEX and RingCentral Video (RCV).
  • The Analytics portals, which provide account admins with unified communication service data about the RingEX system. This data can help admins understand the current state of the system and troubleshoot specific issues.
Note: 
  • The Administrator/User account portal, Service Web portal, and Analytics portals may be country- or region-specific for compliance purposes. For example, domains that end in .eu refer to non-UK Europe.
Table 3.1.1 - Common cloud services

Purpose

Application protocol

Domain name/IP addresses

Resolves to Supernet address? (yes/no)

Destination ports

Company website

HTTPS

www.ringcentral.com

No

TCP\443

Service status portal

HTTPS

status.ringcentral.com

No

TCP\443

Customer support HTTPS support.ringcentral.com No
TCP\443
Discovery service API HTTPS discovery.ringcentral.biz Yes TCP\443
Account federation management portal HTTPS accounts.ringcentral.com Yes TCP\443
Service Web portal
HTTPS
service.ringcentral.com
Yes
TCP\443
Service Web portal - UK HTTPS service.ringcentral.co.uk Yes TCP\443
Service Web portal - Europe HTTPS service.ringcentral.eu Yes TCP\443
Administrator/User account login portal HTTPS

login.ringcentral.com Yes TCP\443
Administrator/User account login portal - UK
HTTPS
login.ringcentral.co.uk
Yes TCP\443
Administrator/User account portal - Europe HTTPS login.ringcentral.eu Yes TCP\443

Analytics portal

HTTPS

analytics.ringcentral.com

No

TCP\443

Analytics portal - Canada

HTTPS

analytics.ringcentral.ca

 

No

TCP\443

Analytics portal - UK

HTTPS

analytics.ringcentral.co.uk

No

TCP\443

Analytics portal - Europe

HTTPS

analytics.ringcentral.eu

No TCP\443

3.2 Endpoints

This section provides endpoint-specific tables for domain names, supernets, and a range of cloud destination ports for various RingCentral endpoints (app, hardphones, etc.). These tables must be administered in enterprise firewall to allow endpoint access to RingCentral’s unified communication services.
 
Note the following endpoint table guidelines for firewall and web proxy configuration:
  • The RingCentral cloud does not initiate any session toward customer endpoints. All sessions are initiated from an endpoint toward RingCentral’s cloud communication services. For this reason, destination ports are indicated in the endpoint tables. These tables do not specify source ports, since source ports are dynamically selected by the operating system, and their ranges are operating system-dependent.
  • The tables below provide modular sets of requirements for firewall control to support different deployment combinations of RingCentral endpoints. For this reason, a table is provided for each type of endpoint. Consequently, some rows may be duplicated across different tables: for example, in the RingCentral App (Table 3.2.1) and the RingCentral Video App (Table 3.2.2). In principle, firewall rules need to be applied only once for deployed endpoints that have the same row content.
  • In creating your firewall configurations, you need only apply the tables for the endpoints that you actually use. For example, if you don’t use hardphones, you may ignore the hardphone table. Similarly, if you don’t use an app’s desktop or mobile version, you need not whitelist it.
  • Rows in the port table are generally ordered from highest QoS traffic priority (media) to lowest QoS traffic priority (supporting data service).
  • You may use the mobile version of the RingCentral App on a mobile operator network or a private or public WiFi network. On a mobile operator network or a public WiFI network, traffic does not traverse a private enterprise network to RingCentral communication services, so firewall configuration is irrelevant. The appropriate tables must be administered in the enterprise firewall on a private WiFi network (such as a private wired enterprise network).

3.2.1 RingCentral App - web, desktop, and mobile

Table 3.2.1 - RingCentral App - web, desktop, and mobile

Purpose

Application protocol

Domain name/IP addresses

Destination ports

Media/media secured

and media access control

RTP/SRTP (DTLS)
and STUN

IP supernets

UDP\20000-64999

and UDP\19302

Signaling - mobile app

SIP/TCP

IP supernets

TCP\5091

Signaling secured - mobile app

SIP/TLS

IP supernets

TCP\5097

Signaling secured - mobile app

SIP/WSS/TLS

IP supernets

TCP\443

Signaling secured desktop and web app

SIP/WSS/DTLS

IP supernets

TCP\8083

IOVATION SDK for two-factor login

HTTPS

mpsnare.iesnare.com

ringcentral.112.2o7.net

TCP\443

Application file upload and download

HTTPS

glip-vault-1.s3.amazonaws.com

glip-vault-1.s3-accelerate.amazonaws.com

TCP\443

Log file upload

HTTPS

www.filestackapi.com

TCP\443

Application service API 

HTTPS

*.ringcentral.com

TCP\443

Messaging service API

HTTPS

*.glip.com 

mvp.ringcentral.com 

dl.mvp.ringcentral.com

TCP\443

Messaging content support HTTPS
api.giphy.com
media0.giphy.com
media1.giphy.com
media2.giphy.com
media3.giphy.com
Media4.giphy.com
i.embed.ly
TCP\443

Presence status, call log notifications, and voicemail notifications

HTTPS

ringcentral.pubnubapi.com
ringcentral-0.pubnubapi.com

ringcentral-1.pubnubapi.com

ringcentral-2.pubnubapi.com

ringcentral-3.pubnubapi.com

ringcentral-4.pubnubapi.com

ringcentral-5.pubnubapi.com

ringcentral-6.pubnubapi.com

ringcentral-7.pubnubapi.com

ringcentral-8.pubnubapi.com

ringcentral-9.pubnubapi.com

TCP\443

Android app push notifications - mobile app

HTTPS

mtalk.google.com

TCP\443, 5228, 5229, 5230

iOS application push notifications - mobile app

HTTPS

api.push.apple.com

TCP\443, 2197, 5223

Software and provisioning updates

HTTPS

*.cloudfront.net

TCP\443

Help (lower left corner of the app, covers help and video content)

HTTPS

community.ringcentral.com
*.demdex.net
*.coveo.com
*.vimeo.com
*.akamaized.net
www.youtube.com
js-agent.newrelic.com
bam.nr-data.net
cdn.cookielaw.org

TCP\443

RingCentral video mobile, desktop, and web application

Refer to Table 3.2.2

3.2.2 RingCentral Video App - web, desktop, and mobile

  • Read the guidelines at the start of section 3.2 about duplicated rows in Table 3.2.1 and Table 3.2.2.
  • The statistics collector publishes detailed statistics about calls. The Analytics Portal (Table 3.1.1) uses a subset of the data extracted by the statistics collector.
  • You don’t need to whitelist the RCV web client application if you’re only using the desktop and mobile version of the RCV app. 
  • You should whitelist the network connectivity test application to allow RCV app users to test their network connections.
Table 3.2.2 - RingCentral Video app - web, desktop, and mobile

Purpose

Application protocol

Domain name/IP addresses

Destination ports

Media secured

SRTP

IP supernets

UDP\10000-19999

(default)

TCP\443  (when UDP is not available - should not be used regularly, as it can affect voice quality)

Signaling secured

HTTPS/WSS/TLS

IP supernets

TCP\443

Application service API 

HTTPS

v.ringcentral.com

TCP\443

Parser configuration for meeting link verification for mobile phones

HTTPS

media.ringcentral.com

TCP\443

Connect platform API

HTTPS

api-meet.ringcentral.com

api.ringcentral.com 

api-mucc.ringcentral.com (mobile device)

TCP\443

Statistics collector

HTTPS

edr.ringcentral.com

TCP\443

Presence status, call log notifications, and voicemail notifications

HTTPS

ringcentral.pubnubapi.com
ringcentral-0.pubnubapi.com

ringcentral-1.pubnubapi.com

ringcentral-2.pubnubapi.com

ringcentral-3.pubnubapi.com

ringcentral-4.pubnubapi.com

ringcentral-5.pubnubapi.com

ringcentral-6.pubnubapi.com

ringcentral-7.pubnubapi.com

ringcentral-8.pubnubapi.com

ringcentral-9.pubnubapi.com

TCP\443

Application configuration

HTTPS

downloads.ringcentral.com

TCP\443

Application download and update

HTTPS

app.ringcentral.com

TCP\443

Feature enablement control 

HTTPS

*.launchdarkly.com

app.launchdarkly.com

events.launchdarkly.com

clientstream.launchdarkly.com

mobile.launchdarkly.com 

TCP\443

Network connectivity test application - part of RCV

HTTPS

rcv.testrtc.com
which uses:

api.nettest.testrtc.com

kong.testrtc.com

*.turn.testrtc.com

*.speed.testrtc.com

TCP\443

UDP\443

3.2.3 RingCentral Webinar

RingCentral Webinar relies on two clients:
  • Webinar host client: Used by a webinar session’s host, cohosts, and panelists.
  • Webinar attendee client: Used only by webinar attendees.
For both clients, apply the whitelistings from Table 3.2.3 when configuring your enterprise firewall.
 
Note:
  • RingCentral Webinar is based on RingCentral Video.
  • If you’ve already whitelisted Cloudfront for the RingEX mobile, desktop, and web application (Section 3.2.1), you need not whitelist it again.

Table 3.2.3 - RingCentral Webinar host client and attendee client

Purpose

Application Protocol

Domain Name/IP Addresses

Destination Ports

RingCentral Video

Refer to Table 3.2.2

Fetch webinar session live streaming media segments

HTTPS

*.cloudfront.net

TCP\443

 

3.2.4 RingCentral Video Rooms

Table 3.2.4 - RingCentral Video Rooms

Purpose

Application protocol

Domain name/IP addresses

Destination ports

Media secured

SRTP

IP supernets

UDP\10000-19999 (default)

SRTP

IP supernets

TCP\443 (Use only if UDP is not available. Should not be used regularly, as it affects voice quality.)

Signaling secured

HTTPS

IP supernets

TCP\443

SIP registration service

HTTPS/TLS

*.ringcentral.com

TCP\8085-8090

Rooms host device

HTTPS

Internal enterprise assigned private IP address (no WAN firewall traversal)

TCP\9520-9530

Login portal

HTTPS

v.ringcentral.com

TCP\443

Notifications

HTTPS

ringcentral.pubnubapi.com

ringcentral-0.pubnubapi.com

ringcentral-1.pubnubapi.com

ringcentral-2.pubnubapi.com

ringcentral-3.pubnubapi.com

ringcentral-4.pubnubapi.com

ringcentral-5.pubnubapi.com

ringcentral-6.pubnubapi.com

ringcentral-7.pubnubapi.com

ringcentral-8.pubnubapi.com

ringcentral-9.pubnubapi.com

TCP\443

Software and provisioning updates

HTTPS

*.ringcentral.com

TCP\443

3.2.5 RingCentral Video with Room Connector

You must whitelist the relevant region-independent domain name. Domain names need only be whitelisted when a Room Connector is used in the indicated region.

Table 3.2.5 - RingCentral Video with Room Connector

Purpose*

Application protocol

Domain name/IP addresses

Destination ports

Media

RTP/SRTP

IP supernets

UDP\10000-19999

Signaling

SIP

Region-independent: sip.rcv.com

US West: ws.rcv.com

US East: es.rcv.com

Netherlands: nld.rcv.com

Germany: deu.rcv.com

South Africa: zaf.rcv.com

Singapore: sgp.rcv.com

Australia: aus.rcv.com

Japan: jpn.rcv.com

UDP\5060 or

TCP\5060

Signaling secured

SIP/TLS

Region-independent: sip.rcv.com

US West: ws.rcv.com

US East: es.rcv.com

Netherlands: nld.rcv.com

Germany: deu.rcv.com

South Africa: zaf.rcv.com

Singapore: sgp.rcv.com

Australia: aus.rcv.com

Japan: jpn.rcv.com

TCP\5061

* Customer video devices determine whether connectivity is secured or unsecured.

3.2.6 RingCentral Phones - desk, conference, and cordless

  • Some third-party devices, such as the Poly IP7000 speakerphone, do not support signaling or media encryption. Such devices should be avoided in a deployment that requires complete security.
  • No separate ports are specified for Busy Lamp Appearance (BLA) since BLA uses the signaling ports and standard SIP NOTIFY packets.
Table 3.2.6 - RingCentral Phones - desk, conference, and cordless

Purpose

Application protocol

Domain name/IP addresses

Destination ports

Media and media secured

RTP/SRTP

IP supernets

UDP\20000-64999

Signaling

SIP

IP supernets

TCP\5090, TCP\5099**

UDP\5090, UDP\5099**

Signaling secured

SIP/TLS

IP supernets

TCP\5096, TCP\5098**

Network time service

NTP

ntp1.ringcentral.com and ntp2.ringcentral.com
(within the supernets)

UDP\123

LDAP directory service

LDAP

cd.ringcentral.com
(within the supernets)

TCP\636

Poly phones provisioning and firmware update

HTTPS

Provisioning:

pp.ringcentral.com

ztp.polycom.com
Firmware update:

pp.s3.ringcentral.com

TCP\443

Cisco phones provisioning and firmware update

HTTPS

Provisioning:
cp.ringcentral.com
Firmware update:
cp.s3.ringcentral.com

TCP\443

Yealink phones provisioning and firmware update

HTTPS

Provisioning:
rps.yealink.com
yp.ringcentral.com
Firmware update:
yp.s3.ringcentral.com

TCP\443

Avaya phones provisioning and firmware update HTTPS Provisioning and firmware update:
des.avaya.com 
av.ringcentral.com
TCP\443

Unify phone provisioning and firmware update

HTTPS

Provisioning:
cloud-setup.com
Firmware update:
unf.ringcentral.com 

Provisioning:
TCP\18443
Firmware update:
TCP\443

Mitel phones provisioning and firmware update

HTTPS

Provisioning: 
mtl.ringcentral.com
rcs.aastra.com
Firmware update: 
mtl.s3.ringcentral.com

TCP\443

SNOM phones provisioning and firmware update

HTTPS

Provisioning:
snm.ringcentral.com
Firmware update:
snm.s3.ringcentral.com

TCP\443

ALE phones provisioning and firmware update HTTPS
Provisioning:
devices.eds.al-enterprise.com
Firmware update:
ale.ringcentral.com
TCP\443

RingCentral desk, conference and cordless phone

 
**Ports 5098 and 5099 should be opened for Busy Lamp Appearance only when you’re using line sharing.

3.2.7 RingCentral Softphone app - desktop

Table 3.2.7 - RingCentral Softphone App - desktop

Purpose

Application protocol

Domain name/IP addresses

Destination ports

Media and media secured

RTP/SRTP

IP supernets

UDP\20000-64999

Signaling

SIP

IP supernets

TCP\5091

Signaling secured

SIP/TLS

IP supernets

TCP\5097

Presence status, call log notifications, and voicemail notifications

HTTPS

ringcentral.pubnubapi.com

ringcentral-0.pubnubapi.com

ringcentral-1.pubnubapi.com

ringcentral-2.pubnubapi.com

ringcentral-3.pubnubapi.com

ringcentral-4.pubnubapi.com

ringcentral-5.pubnubapi.com

ringcentral-6.pubnubapi.com

ringcentral-7.pubnubapi.com

ringcentral-8.pubnubapi.com

ringcentral-9.pubnubapi.com

TCP\443

Software and provisioning updates

HTTP/HTTPS

*.ringcentral.com

TCP\80

TCP\443

Platform API for user authentication and call features

HTTPS

api-sp.ringcentral.com

TCP\443

Platform API for media services

(for transferring media files: voice recordings, faxes, transcriptions, profile and contact information)

HTTPS

media.ringcentral.com

TCP\443

Google services (contacts and calendar)

HTTPS

accounts.google.com

www.google.com

www.googleapis.com

TCP\443

3.2.8 RingCentral Softphone app - mobile

Table 3.2.8 pertains to the use of the RingCentral mobile softphone app on a WiFi network.

Table 3.2.8 - RingCentral Softphone app - mobile

Purpose

Application protocol

Domain name/IP addresses

Destination ports

Media

RTP/SRTP

IP supernets

UDP\20000-64999

Signaling

SIP

IP supernets

TCP\5091

UDP\5091

Signaling secured

SIP/TLS

IP supernets

TCP\5097
TCP\443

Signaling (IPv6 client)

SIP/TLS

IP supernets

TCP\5090-5098
TCP\443

SIP registration service

HTTPS

*.ringcentral.com

TCP\443

Application presence status, call log notifications, and voicemail notifications - used in Android, not in iOS

HTTPS

ringcentral.pubnubapi.com

ringcentral-0.pubnubapi.com

ringcentral-1.pubnubapi.com

ringcentral-2.pubnubapi.com

ringcentral-3.pubnubapi.com

ringcentral-4.pubnubapi.com

ringcentral-5.pubnubapi.com

ringcentral-6.pubnubapi.com

ringcentral-7.pubnubapi.com

ringcentral-8.pubnubapi.com

ringcentral-9.pubnubapi.com

TCP\443

Data synchronization  with cloud

(e.g., call log info, presence, and voicemails)

HTTPS

api-mob.ringcentral.com

TCP\443

Soft clients software and provisioning updates

HTTPS

*.cloudfront.net

TCP\443

3.3 RingCentral Archiver

RingCentral Archiver is a cloud-side integration that allows administrators to copy call content to a long-term, enterprise-owned repository. Copied content includes recordings, voicemail, fax, and text messages. Archiver ensures that data is retained for a long time, and that it meets local data residency and regulatory retention requirements. Learn more about RingCentral Archiver.

Table 3.3.1 - RingCentral Archiver

Purpose

Application protocol

Domain name/IP addresses

Destination ports

Content archiving 

HTTPS

For Box, Dropbox, Google Drive, and Smarsh archiving systems

TCP\443
(does not traverse enterprise network)

SFTP

For archiving to an enterprise SFTP server, the following SFTP client IP addresses must be whitelisted:

3.211.163.136

3.223.170.110

34.225.218.68

34.226.29.169

34.234.210.244

34.236.210.8

34.239.13.99

35.172.123.110

52.87.7.127

54.80.51.95
54.147.91.15

Any of these IP addresses may dynamically be selected by the RingCentral SFTP client to connect to an enterprise SFTP server.

TCP\22

3.4 SIP trunks

Table 3.4.1 - SIP trunks

Purpose

Application protocol

IP addresses

Destination ports

Media

RTP

Public IP addresses to be provided by RingCentral during project definition.

UDP\1024-65535

Signaling

SIP

UDP\5060

TCP\5061-5065

3.5 Communication integration services

Enterprises can use RingEX and RCV communication integration services to develop soft-endpoint communication clients.
 
Table 3.5.1 summarizes the programmatic communication integration services that allow enterprises to build their own soft endpoint clients.
 
Note:
  • You only need to whitelist the set of services that you use. For example, if you don’t use integration services, you need not whitelist that domain.
  • You must whitelist the Integration service API, the foundation API on which all communication integration services rely.
  • You must whitelist the endpoint registration service, which registers all integration service (WebRTC) endpoints with the RingCentral Cloud Communication Service.
  • The RCV scheduling service is used for creating and managing RCV meetings.
  • The Microsoft Teams and Slack integration services integrate applications, including RingEX and RCV, into Teams and Slack, respectively.
  • The platform APIs can be used to develop stand-alone applications (such as an outbound dialer), or applications embedded into existing business applications.
  • You should whitelist the stand-alone platform API and Embeddable platform API only if you implement applications based on these APIs.
Table 3.5.1 - Communication integration services

Purpose

Application protocol

Domain name/IP addresses

Destination ports

Integration service API

HTTPS

api-rcapps.ringcentral.biz

api-rcapps.ringcentral.com

TCP\443

Endpoint registration service

HTTPS

sip*.ringcentral.com

TCP\8083

Video scheduling service

HTTPS

api-meet.ringcentral.com

TCP\443

Microsoft Teams integration service

HTTPS

teams.ringcentral.com 

TCP\443

Slack integration service

HTTPS

slack.ringcentral.com

TCP\443

Stand-alone platform API

HTTPS

platform.ringcentral.com

TCP\443

Embeddable platform API

HTTPS

platform.ringcentral.com

TCP\443

3.6 RingCentral cloud IP addresses for on-premises Microsoft Exchange server

Enterprises may connect their on-premises Microsoft Exchange server to the RingCentral cloud to synchronize contacts with RingCentral apps. To do so, the enterprise firewall must whitelist RingCentral cloud IP addresses according to Table 3.6.
Table 3.6 RingCentral cloud IP addresses for on-premises Microsoft Exchange server

Region

Domain name/IP addresses

North America

3.223.170.110

54.147.91.15

3.211.163.136

Europe

18.196.95.223

3.122.161.21

3.122.122.53

4. Domain Name Service (DNS)

To function properly, all endpoints and services require access to a public DNS. Endpoints rely on a DNS service to resolve the provisioning service domain name (e.g., pp.ringcentral.com).
 
If you use a private DNS, it must perform forward lookups to an internet-based DNS.

5. Network Address Translation (NAT)

Network Address Translation/Port Address Translation functionality (generically referred to as NAT) is applied at the border between two networks to translate between address spaces, or to prevent the collision of IP address spaces.
 
You must configure a minimum NAT timeout to ensure the proper operation of hardphones:
  • Cisco phones send a follow-up REGISTER refresh message every four minutes. 
  • Poly phones re-register every five minutes. For these phones, you must set NAT entry expiration timeout to greater than five minutes.

6. Security software

You may need to configure your cloud-based security software (network firewalls and web proxies) to whitelist the domains listed in the tables in this document.

7. Quality of Service guidelines

You must follow the Quality of Service guidelines to ensure the proper prioritization of your traffic. Otherwise, either or both parties may experience intermittent issues with call control or media quality.

8. VLAN configuration guidelines

You must follow VLAN configuration guidelines to ensure that your VLANs are properly configured for hardphones (section 3.2.6).
Thanks!
We've sent you a link, please check your phone!
Please allow a full minute between phone number submissions.
There was an issue with SMS sending. Please try again. If the issue persists, please contact support.