SIP call between ProCall App for Web in the external network and an internal or external telephone
State of knowledge | March 2025 |
---|---|
Product info | estos ProCall 8 Enterprise, estos ProCall App for Web |
Scenario
- In the estos ProCall App for Web, a call is initiated on its SIP subscriber line; the remote station is any internal or external telephone.
- Both call partners communicate via this connection.
- The estos ProCall App for Web is located in an external network from the point of view of the ProCall Enterprise Server and there is no VPN connection between the external and internal (company) network.
- The external estos ProCall participants are connected via estos UCConnect.
Explanations
An estos ProCall Enterprise Client (ProCall Enterprise Client for Windows, ProCall Mobile App, ProCall App for Web) is never in direct communication with the telephone system.
Direct media connection between estos UC Media Server and estos ProCall App for Web
The following topology diagram shows a typical ProCall Enterprise installation including estos UCConnect connection assuming unrestricted communication between estos ProCall App for Web and estos UC Media Server via UDP.
Diagram/topology: PBX - UCServer service - UCConnect services - ProCall App for Web - SRTP audio/video via STUN
Both ProCall App for Web and estos ProCall Enterprise Server connect from a dynamically assigned local TCP port to estos UCConnect on TCP port 443 and establish WebSocket communication over these connections.
ProCall App for Web Client and the UCServer use this connection to exchange requests and events via UCConnect in order to process telephony events or carry out telephony activities.
For the exchange of RTP media packets during a SIP call, the estos UC Media Server and the estos ProCall App for Web negotiate a UDP connection (WebRTC standard) via an ICE handshake, as shown in the diagram above. Communication takes place over the Internet between two srflx or prflx candidates. UDP ports from the range 1024 to 65535 are used (all ports with the exception of the well-known ports).
The ICE protocol (Interactive Connectivity Establishment, RFC 8445) integrated in WebRTC attempts to determine the optimal route between estos UC Media Server and estos ProCall App for Web when establishing a connection. ICE also verifies the best route in the background during an existing connection. If a route turns out to be better than the one currently being used due to a change in the situation on the Internet, the route may be changed one or more times between these two end points during the course of a call.
The exchange of RTP media packets between estos UC Media Server and the telephone system - i.e. the audio stream from and to the remote station - is agreed in the SDP exchanged between the UC Media Server and the telephone system.
Firewall rules
In the case described above, no restrictions regarding the UDP protocol are required. This requirement has therefore not been taken into account in the following rule table; the rules shown here only represent the required TCP releases.
Rule # | Task | Direction | Source IP:Port | Destination IP:Port | Protocol | Notes |
---|---|---|---|---|---|---|
1 | Connection of the ProCall Enterprise Server to estos UCConnect | OUT | <UCServer-Host>:any | *.ucconnect.de:443 | TCP | The WebSocket protocol must be supported. |
2 | Calling up the estos ProCall App for Web application | OUT | <ProCallAppforWebClient-Host>:any | *.procall.de:443 | TCP | |
3 | Connection of estos ProCall App for Web to estos UCConnect | OUT | <ProCallAppforWebClient-Host>:any | *.ucconnect.de:443 | TCP | The WebSocket protocol must be supported. |
Media connection via estos UCConnect TURN Server
If the ICE protocol determines that the firewall or NAT router does not permit audio packets to be exchanged between the LAN and the Internet, this can result in a media connection between UC Media Server and ProCall App for Web via a TURN server. Whether this is, in detail, a relay-srflx/prflx connection or a relay-relay connection is not considered further here. The following topology diagram therefore shows the media streams routed via the TURN server integrated in estos UCConnect under maximally restrictive communication restrictions, in a relay-relay connection.
Diagram/topology: PBX - UCServer service - UCConnect services - ProCall App for Web - SRTP audio/video via TURN
Firewall rules
The firewall rules listed here represent the minimum release rules required for network communication. If these minimum authorisations are not granted or these maximum permissible restrictions are exceeded, fundamental communication faults are to be expected.
Rule # | Task | Direction | Source IP:Port | Destination IP:Port | Protocol | Notes |
---|---|---|---|---|---|---|
1 | Connection of the ProCall Enterprise Server to estos UCConnect | OUT | <UCServer-Host>:any | *.ucconnect.de:443 | TCP | The WebSocket protocol must be supported. |
2 | Calling up the estos ProCall App for Web application | OUT | <ProCallAppforWebClient-Host>:any | *.procall.de:443 | TCP | |
3 | Connection of estos ProCall App for Web to estos UCConnect | OUT | <ProCallAppforWebClient-Host>:any | *.ucconnect.de:443 | TCP | The WebSocket protocol must be supported. |
4 | Media stream between UC Media Server and estos UCConnect TURN Server; determination of the srflx and relay address via estos UCConnect STUN / TURN server. | OUT | <UCServer-Host>:any | *.ucconnect.de:3478 | UDP | |
5 | Media stream between estos ProCall App for Web and estos UCConnect TURN Server; determination of the srflx and relay address via estos UCConnect STUN / TURN server. | OUT | <ProCallAppforWebClient-Host>:any | *.ucconnect.de:3478 | UDP | |
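
The two media paths described on this page (direct between srflx/prflx candidates, or relayed via TURN) can be told apart on the client side from the standard WebRTC statistics of a running call. The following is an added example, not estos code: the function names are hypothetical, it assumes the call's `RTCPeerConnection` is accessible, and the sample reports are constructed with documentation addresses.

```javascript
// Classify the media path of a WebRTC call from getStats() data.
// In a browser: classifyMediaPath(await pc.getStats()); `pc` is an assumed handle.
function findSelectedPair(stats) {
  // Preferred: the transport entry names the selected candidate pair.
  for (const s of stats.values()) {
    if (s.type === 'transport' && s.selectedCandidatePairId) {
      return stats.get(s.selectedCandidatePairId);
    }
  }
  // Fallback when that field is absent: the nominated pair that succeeded.
  for (const s of stats.values()) {
    if (s.type === 'candidate-pair' && s.nominated && s.state === 'succeeded') return s;
  }
  return undefined;
}

function classifyMediaPath(stats) {
  const pair = findSelectedPair(stats);
  if (!pair) return { path: 'none', reason: 'no selected candidate pair' };
  const local = stats.get(pair.localCandidateId);
  const remote = stats.get(pair.remoteCandidateId);
  if (!local || !remote) return { path: 'none', reason: 'candidate entries missing' };
  const relayed = local.candidateType === 'relay' || remote.candidateType === 'relay';
  return {
    path: relayed ? 'turn-relay' : 'direct',
    pairType: `${local.candidateType}-${remote.candidateType}`,
    // For a local relay candidate, relayProtocol is the client-to-TURN transport.
    transport: local.candidateType === 'relay' ? (local.relayProtocol || local.protocol) : local.protocol,
    // Rule table on this page that matches the observed path.
    table: relayed ? 'second table (rules 1-5, UDP 3478)' : 'first table (rules 1-3, UDP unrestricted)',
  };
}

// Constructed sample reports; a Map stands in for RTCStatsReport.
const directStats = new Map([
  ['T1', { type: 'transport', selectedCandidatePairId: 'CP1' }],
  ['CP1', { type: 'candidate-pair', localCandidateId: 'L1', remoteCandidateId: 'R1', state: 'succeeded', nominated: true }],
  ['L1', { type: 'local-candidate', candidateType: 'srflx', protocol: 'udp', address: '198.51.100.7', port: 50412 }],
  ['R1', { type: 'remote-candidate', candidateType: 'prflx', protocol: 'udp', address: '203.0.113.20', port: 31044 }],
]);
const relayStats = new Map([ // no transport entry: exercises the fallback
  ['CP8', { type: 'candidate-pair', localCandidateId: 'L8', remoteCandidateId: 'R9', state: 'failed', nominated: false }],
  ['CP9', { type: 'candidate-pair', localCandidateId: 'L9', remoteCandidateId: 'R9', state: 'succeeded', nominated: true }],
  ['L8', { type: 'local-candidate', candidateType: 'srflx', protocol: 'udp', address: '198.51.100.7', port: 50413 }],
  ['L9', { type: 'local-candidate', candidateType: 'relay', protocol: 'udp', relayProtocol: 'udp', address: '192.0.2.10', port: 49170 }],
  ['R9', { type: 'remote-candidate', candidateType: 'relay', protocol: 'udp', address: '192.0.2.10', port: 49171 }],
]);
console.log(classifyMediaPath(directStats), classifyMediaPath(relayStats));
```

A `turn-relay` result on a network that is meant to allow direct media indicates that UDP between the client and the UC Media Server is being filtered somewhere on the path.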