Phoneware Edge — Firewall Configuration Guide for IT Administrators

This page lists the hostnames, protocols, and ports required to allow Phoneware Edge voice service through your network firewall. All rules are outbound from your local network. No inbound rules are required.

Voice — SIP signaling

All SIP signaling from phones on your network travels to the Phoneware Edge core servers. Both servers should be allowed — core2 is the failover and phones will attempt it automatically if core1 is unreachable. These are Phoneware-operated servers with static IPs.

Hostname	IP address	Protocol	Ports	Direction
core1-phx.phoneware.zone Primary — Phoenix, AZ	132.226.76.53	TCP and UDP	5060, 5061	Outbound
core2-ord.phoneware.zone Backup — Chicago, IL	170.9.227.213	TCP and UDP	5060, 5061	Outbound

Voice — RTP media (audio)

Audio streams (RTP) travel on dynamically assigned UDP ports in the range 10000–65535. If your firewall is stateful and tracks SIP sessions, it may open media ports automatically — however, we strongly recommend disabling SIP ALG and allowing the UDP range explicitly. SIP ALG is a common cause of one-way audio and registration failures.

Hostname	IP address	Protocol	Port range	Direction
core1-phx.phoneware.zone	132.226.76.53	UDP	10000–65535	Outbound
core2-ord.phoneware.zone	170.9.227.213	UDP	10000–65535	Outbound

Device provisioning — Phoneware

Phones contact these servers at boot and periodically to receive their configuration. All three hostnames should be allowed by FQDN. prov.phoneware.zone is a dynamic hostname that resolves to one of the two endpoint servers depending on availability.

Hostname	Protocol	Ports	Direction
prov.phoneware.zone Dynamic — resolves to either endpoint below	TCP	80, 443	Outbound
endpoints1-phx.phoneware.zone Primary — Phoenix, AZ	TCP	80, 443	Outbound
endpoints2-ord.phoneware.zone Backup — Chicago, IL	TCP	80, 443	Outbound

Device management — Yealink YMCS / RPS

Required if deploying Yealink phones. These are Yealink-operated cloud services for remote provisioning (RPS) and ongoing device management (YMCS). IPs are hosted on cloud infrastructure and subject to change — allow by hostname.

Hostname	Protocol	Ports	Direction
rps.yealink.com	TCP	80, 443	Outbound
dm.yealink.com	TCP	80, 443	Outbound
dmtcp.yealink.com	TCP	80, 443	Outbound
us-ybfe.ymcs.yealink.com Alias: us.ymcs.yealink.com	TCP	80, 443	Outbound

Device management — Grandstream GDMS

Required if deploying Grandstream phones. GDMS uses multiple subdomains across its platform. Allow all subdomains under gdms.cloud if your firewall supports wildcard FQDN rules, or add each hostname individually. IPs are cloud-hosted and subject to change — allow by hostname.

Hostname	Protocol	Ports	Direction
gdms.cloud Main portal / device check-in	TCP	80, 443	Outbound
dm.gdms.cloud Device management	TCP	80, 443	Outbound
api.gdms.cloud API / provisioning	TCP	80, 443	Outbound
provision.gdms.cloud Configuration file delivery	TCP	80, 443	Outbound

Device management — Poly ZTP

Required if deploying Poly phones. Devices contact ztp.poly.com at boot for zero-touch provisioning. IPs are cloud-hosted and subject to change — allow by hostname.

Hostname	Protocol	Ports	Direction
ztp.poly.com Device zero-touch provisioning	TCP	80, 443	Outbound

Network time (NTP)

Phones synchronize their clocks using NTP. Accurate time is required for SIP registration and TLS certificate validation. The pool.ntp.org service rotates IPs continuously — allow by hostname or permit all outbound UDP 123 rather than filtering to specific IPs.

Hostname	Protocol	Port	Direction
pool.ntp.org	UDP	123	Outbound

DNS

Phones resolve all hostnames above using DNS. Standard outbound DNS must be permitted from phone IP addresses to your DNS resolver(s). If your environment uses split DNS or restricts outbound DNS, ensure phones can reach a resolver that handles public hostnames.

Destination	Protocol	Port	Direction
Your DNS resolver(s) Environment-specific	UDP and TCP	53	Outbound