Skip to main content
X Series Technical Requirements
8x8 Support

X Series Technical Requirements

Document History

February 20th, 2020  
March 16th, 2020 Add missing TCP port for UCaaS Client when used in non-Secure SIP communications (which is not the default mode) 
April 2nd, 2020 Clarifications on SIP-ALG and SRTP Users
April 8th, 2020 Additional Subnets added due to the expansion of 8x8 Video Meetings (3.235.61.96/27, 44.234.37.64/27, 3.126.60.32/27)
April 21st, 2020 Clarification of Proxy Support, 8x8 only supports proxy of HTTP/HTTPS traffic
April 29th, 2020 changed api.amplitude.com to *.amplitude.com, to accommodate additional FQDNs for amplitude services.

Overview

This document provides a comprehensive guide to the network requirements necessary to enable 8x8 X Series services (Including Contact Center Applications, Virtual Office Desktop and Mobile UCaaS clients, Video Meetings, and current hardware offerings).

Applies To

  • X Series Platforms
  • Virtual Office
  • Technical Requirements

Abbreviations

Abbreviation

Meaning

8x8

8x8, Inc.

ALG

Application Layer Gateway

DNS

Domain Name System

DPI

Deep Packet Inspection

DSCP

Differentiated Services Code Point

EF

Expedited Forwarding

FTPS

FTP Secure (FTP over TLS)

GTM

Global Traffic Manager (8x8 DNS)

HTTP(s)

HyperText Transfer Protocol (Secure) 

IMAP

Internet Message Access Protocol

IP

Internet Protocol

KB

Knowledge Base System

LAN

Local Area Network

LDAP(S)

Lightweight Directory Access Protocol (Secure)

NTP

Network Time Protocol

POP3

Post Office Protocol version 3

QoS

Quality of Service

SIP(S)

Session Initiation Protocol (Secure)

SPI

Stateful Packet Inspection

(S)RTP

(Secure) Real-Time Protocol

TCP

Transport Control Protocol

TLS

Transport Layer Security

UDP

User Datagram Protocol

VCC

8x8 Virtual Contact Center

VLAN

Virtual Local Area Network

VO

8x8 Virtual Office

VOD

Virtual Office Desktop Application

VOM

Virtual Office Mobile Application

WAN

Wide Area Network

Terminology

The following terms are essential in understanding your network requirements for 8x8:

  • Jitter: A measure of the time interval between data packets as they reach their destination. A low degree of jitter indicates a relatively steady stream of data packets.
  • Packet loss: Data, such as a VoIP transmission, is sent over the Internet in the form of packets. Packet loss occurs when some of these packets do not arrive at their destination. For each packet loss, a small amount of speech is cut out. If the degree of packet loss is high, conversation audio can sound very choppy, delayed, or unclear.
  • MOS score: The higher your MOS score, the better your VoIP experience will be. A MOS score is measured on a scale of 1 to 5, in which 5 represents the best possible call quality, and 1 represents the worst possible call quality. The range is subjective and based on normative data collected from experimental trials.

Firewall Guidelines

With regards to Firewall guidelines, It is advisable to either exempt 8x8 traffic from Deep Packet Inspection (DPI) and Intrusion Protection or ensure that appliances performing these operations can inspect the traffic without inducing measurable delay.

Default Recommendations

DNS

When using a Voice Only VLAN (a Virtual LAN with only Hard Phones, and no computers on it), 8x8 recommends that you set the 8x8 GTMs, 8.28.0.9 and 192.84.18.11 as the Primary and Secondary DNS servers in the VLANs DHCP Scope. An alternate option is to implement conditional forwarding of 8x8.com and packet8.net on your local DNS servers to 8.28.0.9 and 192.84.18.11, which are 8x8's DNS servers. It is not recommended to set conditional forwarding on your Data VLAN, and/or if you have only one network. If your network only consists of a single LAN (you are not using VLANs), 8x8 can set the DNS of your hard phones to the GTMs. This ensures proper Geo Routing of your 8x8 traffic to the closest 8x8 data center for each location. 

8x8 UCasS Clients use the 8x8 GTMs directly (with a fall back of the local DNS); thus, no additional work is needed to ensure proper routing of the traffic for UCaaS Clients. 

NTP

8x8's recommendation for NTP is to allow the default NTP setting of pool.ntp.org through the firewall. If your internal security requirements do not allow for external NTP, our advice is to use Option 42 in your DHCP scope to override the NTP setting to an NTP server of your choice. Should you not have an internal NTP server, please use ntp2.packet8.net.

SIP-Application Level Gateway (ALG)

By default, 8x8 enables SRTP, which supersedes SIP-ALG functionality for a list of equipment that supports SRTP see our list of SRTP Compatible Equipment. 8x8 recommends for NON-SRTP Users that SIP-ALG be disabled on all your Layer 3 Network equipment, as SIP-ALG can cause issues with SIP messages. Please review and test to ensure that disabling SIP-ALG on your networking equipment will not impact other existing services on their network. For more information on SIP-ALG and possible solutions for disabling please see our SIP-ALG documentation, click here.

SIP-ALG (Application Level Gateway) is a feature in which the layer three network equipment can manipulate the payload section of a SIP Packet to change the private addressing to be public address. As the phone or Virtual Office software is not aware of the public address, all payload information references private addressing. Edge devices attempt to "correct" this by opening all SIP packets and manipulating the payload (body) of the packets by replacing private addresses with the public IP of the edge device and the Natted port. Unfortunately, many devices do not adequately manipulate these packets causing them to be invalid or contain incorrect information. For this reason, 8x8 recommends that this function be disabled for non-SRTP users.

Firewall Rules

Our recommendation is to create an OUTBOUND Policy "Internal to 8x8" rule in your firewall. This is a highly secure action as it is only opening outbound traffic towards a known destination (8x8 data center(s)). The list of 8x8 subnets (or Domains) is later in the document.

We recommend setting firewall session timers as follows to prevent premature NAT session changes that can cause de-registration, intermittent one-way audio, and phones not to pick up or ring when using certain firewalls: 

  • UDP session timer: 300 seconds 
  • TCP session timer (TLS connections only, port 5443): 300 - 700 seconds

Application and Browser-Based Interfaces

Outbound requests made via HTTP over TLS (HTTPS) on port TCP 443 to all 8x8 domains listed in the Domains section of this document without restriction. 8x8 has implemented HTTP to HTTPs redirection. Customers should also allow TCP port 80 towards 8x8 networks as a result. 

Proxy Server

8x8 ONLY supports using a proxy for TCP port 80 and 443 (HTTP/HTTPS) traffic, all other traffic (Video and Audio) should bypass your proxy. 8x8 has made every attempt to ensure that the Virtual Office Desktop application will respect the proxy settings of the system VOD is running on. 8x8's web applications (Contact Center Agent Interface, Configuration managers, Analytics, and so forth) are, by nature, proxy aware and will respect the proxy setting of the system/browser.

Physical Instruments

For all approved telephony devices (endpoints), Outbound requests made via HTTP over TLS (HTTPS) on port TCP 443 to all 8x8 domains listed in the Domains section of this document without restriction to specific IP address ranges.

Provisioning Note: Poly devices can make use of Poly Zero Touch Provisioning (ZTP) and Poly PDMS service. Each of these services require HTTPS traffic to be allowed to Poly. For more details see How do I Whitelist Zero Touch Provisioning Services for Obihai and Polycom Devices. Device Access to Poly’s IPs is NOT required for 8x8 services, it will assist/speed deployment for new devices.

Network Considerations and Recommendations

The below are Network considerations and recommendations that customers should review and adopt as appropriate, as they may not ally to all installations.

Parameters

Requirements

Wiring

At least Cat 5 (preferably Cat 6) wiring to each user

PoE (recommended)

See Device Manufacturer Data Sheets

Packet loss

0% packet loss 

Jitter

<20 ms jitter 

Network latency

<100 ms latency to 8x8 data centers. VoIP services are known to work even in higher latency conditions up to 150-200 milliseconds. However, this must be maintained consistently with no packet loss.

Bandwidth requirement

Voice UCaaS and CCaaS:

  • G711 Codec: 90 kbps symmetric/call 
  • G722 Codec: 90 kbps symmetric/call 
  • G729 Codec: 35 kbps symmetric/call 
  • CCaaS add an additional 30kbps symmetric/call

Video Meetings Upstream:

  • Up to 3Mbps for video
  • 40kbps for audio

Video Meetings Downstream:

  • 2.5 Mbps for "On Stage" video in high quality
  • At least 500kbps for one incoming stream at the lowest quality
  • 200kbps per thumbnail stream (excluding on-stage)
  • 40kbps for audio

Downstream max bandwidth in a conference of n people would be 2.5Mbps + (n-2)*200kbps + 40kbps

Please make sure you have 50% of your available bandwidth free to accommodate any spike in usage. Always assume that at least 35% of your users are on call at any time. However, depending on your company's use case, you may have a higher percentage. 

 

Parameters

Considerations

If running a converged network for voice and data 

Configure VLANs to separate the traffic. Please ensure that the Phone VLAN has the following DNS and NTP in its DHCP scope: 

  • Use 8x8 DNS (Global Traffic Managers) servers 192.84.18.11 and 8.28.0.9 
  • Use 8x8 NTP server ntp2.packet8.net

Note: The recommended DNS does not resolve any other domain except 8x8.com and packet8.net. 

DHCP scope 

Ensure that there are no rules specified to force any provisioning server or NTP server to deviate from default 8x8 values. For provisioning servers, you must disable Option 66/160.  

Maximum Transmission Unit (MTU)

The network must support an MTU of 1500 bytes per packet. The MTU is the size of the largest protocol data unit that the layer can pass onwards. This is for Non-SRTP Communications only. 

WAN failover 

We highly recommend that you use dual WAN connections in a failover state by using WAN link redundancy (Active / Standby). Dual WAN connections in load balancing (Active / Active) may not be supported due to the multiple ways to implement, speak to your 8x8 engineer for supported options and/or recommendations.

VPN use cases

If your remote users or Internet egress use a VPN tunnel, please make sure that the 8x8 traffic does not traverse it. Consider a Split Tunnel to have local Internet egress for 8x8 traffic. In addition, split DNS to resolve 8x8 domain queries locally. Speak to your 8x8 engineer for more information.

QoS / Priority

The basic approach of handling QoS for 8x8 traffic within your network is by DSCP markings as provided by the applications and approved devices. When configuring QoS, on circuits that support QoS, external to your network 8x8's recommendation is to identify 8x8 traffic based on source/destination network, (i.e., not by DSCP markings, ports, channels, etc.). RTP will make up 90+% of your traffic. That way, any of your traffic that is sourced/destined to any of the 8x8 networks should be treated with the highest priority.

If the majority of your users are on Wi-Fi rather than Ethernet, please make sure you follow the best practices in Wi-Fi deployment to ensure plenty of coverage. 

Virtual Office Meetings does not currently mark the meetings traffic; our recommendation is to set priority (EF) on the predictable port of UDP 10000.

8x8 DSCP / CoS Values Applied

 

Endpoint Type

Traffic Type / Application

COS Value

(Decimal)

DSCP

(Decimal)

Name

Windows / Non-Admin

Voice Media - Real-Time

CS7

DSCP 56

 

Windows / Non-Admin

SIP Signalling

CS5

DSCP 40

 

Windows / Admin

Voice Media - Real-Time

EF

DSCP 46

Expedited Forwarding

Windows / Admin

SIP Signalling

AF31

DSCP 26

Assured Forwarding

Mac / iOS

Voice Media - Real-Time

EF

DSCP 46

Expedited Forwarding

Mac / iOS

SIP Signalling

AF31

DSCP 26

Assured Forwarding

Android

Voice Media - Real-Time

EF

DSCP 46

Expedited Forwarding

Android

SIP Signalling

AF31

DSCP 26

Assured Forwarding

8x8 Datacenter Ports

Traffic Requiring Outbound Connections from within the customer network to the 8x8 Cloud.

Traffic Source & Purpose

Applies To

Protocol(s)

Destination Port(s)

Device 

  • Provisioning
  • Configuration
  • Software Update

All Certified Physical Phones & ATAs

  • HTTP
  • HTTPS

TCP 80, 443

Device

Secure SIP Signalling

All Certified Physical Phones & ATAs

SIPS

(Secure SIP)

TCP 5443

Device

Corporate Directory

Certified Physical Phones

LDAPS

TCP 636

Device

Network Time

All Certified Physical Phones & ATAs

NTP

  • UDP
  • TCP 123

Can be provided locally via DHCP Option 42

Device

Domain Name System

All Certified Physical Phones & ATAs

DNS

  • UDP 53
  • TCP 53

Can be provided locally via DHCP Option

Device

  • SIP Activation
  • SIP Signalling

All Certified Physical Phones & ATAs

SIP

  • UDP 5060 (Activation only)
  • UDP 5199,5299,5399
       

Softphone Application & Browser

  • Authorization
  • Messaging
  • Presence
  • Configuration
  • Administration
  • Reporting
  • Quality Management
  • Microservices
  • Virtual Office Mobile & Desktop
  • Config Manager
  • Analytics
  • Virtual Contact Center Agent, Supervisor
  • Quality mgmt

HTTPS

TCP 443

Softphone Application

Secure SIP Signalling (Default)

  • Virtual Office Mobile
  • Virtual Office Desktop

SIPS

(Secure SIP)

TCP: 5401,5443

Softphone Application

SIP Signalling (Optional)

  • Virtual Office Mobile
  • Virtual Office Desktop

SIP

 

TCP: 5199

       

Real-Time Audio

Voice Call Audio

  • Physical Phones
  • Virtual Office Mobile & Desktop

SRTP

(Secure RTP)

  • UDP 24000 - 30999 
  • UDP 38000 - 44999 
  • UDP 52000 - 58999
  • UDP 50000 - 65535

8x8 Video Meetings 


 
  • Virtual Office Mobile
  • Virtual Office Desktop
  • Browser
  • HTTPS
  • RTP/WebRTC
  • RTP/WebRTC
  • TCP 443
  • UDP/TCP 443
  • UDP 10000

Optional Services

Applications

The following are optional items that may not be required. Consult your 8x8 team to validate whether these scenarios are applicable to your specific use cases.

Traffic Source & Purpose

Applies To

Protocol(s)

Destination Port(s) 

Quality Management Screen Recording

Streaming screens

Screen Recording Client in Quality Management

HTTPS

TCP 443

VCC FTPS Call Recording Download

Downloads of contact center call recordings using FTP over TLS (FTPS).

FTPS

Note: FTPS is not the same as SFTP (SSH Based).

  • Control Connection: TCP: 21, 2121, 990
  • Data XFER Ports: UDP:30000-30999

Bria Softphone

Standalone contact center softphone

  • SIP
  • RTP
  • UDP 5060, 5061
  • UDP High Ports (1024 - 65535)

Zoiper Softphone

Standalone contact center softphone

  • SIP
  • RTP
  • UDP 5060, 5061
  • UDP High Ports (32000 - 65535)

Network Utility

  • Media Tests
  • Fragmentation Test
  • BufferBloat Test

Network Assessment

RTP

UDP 3478-3480

Wavecell API

Video API

  • HTTP
  • HTTPS
  • WSS

UDP 10000 - 20000

SIP Trunks

  • SIP(S) Signalling
  • (S)RTP

See customized Statement of Work for the unique implementation

Applications Requiring Incoming Connections

Traffic Source & Purpose

Applies To

Protocol(s)

Destination Port(s)

Contact Center Email

POP3/IMAP email access

Contact Center Email Queueing

  • POP3
  • POP3S
  • IMAP
  • IMAPS
  • SMTP
  • SMTP TLS
  • SMTP SSL
  • TCP 110
  • TCP 995
  • TCP 143
  • TCP 993
  • TCP 25
  • TCP 587
  • TCP 465

Note: custom ports can be configured.

SIP Trunks

  • SIP(S) Signalling
  • (S)RTP

See customized Statement of Work for the unique implementation

8x8 Datacenter IP Ranges & Domains

IP Ranges

Below is a list of IP Ranges that are used by 8x8 products and applications.

Geographic Region

Address Ranges

Cloudflare CDN

(8x8 employs third-party security measures against cyber-attacks, which require traffic to be

routed through that service's IP addresses)

  • 104.16.110.61
  • 104.16.109.61

US East

  • 8.28.0.0/22 
  • 162.221.238.0/23

US West

  • 8.5.248.0/23
  • 8.21.164.0/24
  • 63.209.12.0/24
  • 162.221.236.0/23
  • 192.84.16.0/22

Canada

  • 67.225.14.144/28
  • 142.165.219.0/24

UK

  • 217.163.57.0/24
  • 216.59.136.0/21
  • 91.236.117.0/24
  • 109.70.58.0/24

Asia Pacific (HK)

103.252.162.0/24

Australia

103.239.164.0/24

Netherlands

64.95.100.96/28

Brazil

168.90.173.112/28

Singapore

117.20.40.192/28

India

124.124.82.224/28

Reserved for Future Use

209.94.72.0/22

8x8 Video Meetings 

  • 13.232.101.208
  • 3.0.167.49
  • 54.66.154.44
  • 35.182.147.109
  • 3.122.28.43
  • 63.32.210.13
  • 35.176.73.125
  • 54.233.170.124
  • 54.167.244.60
  • 18.220.195.182
  • 54.214.212.235
  • 13.248.132.124
  • 76.223.3.109
  • 13.248.142.92
  •  76.223.9.91

Required Core Services

  • US-East-1 (Virginia): 3.219.176.32/27, 3.235.61.96/27
  • US-East-2 (Ohio): 3.14.30.96/27
  • US-East-2: 13.248.140.87, 76.223.9.159
  • US-East-2: 13.248.132.105, 76.223.4.132
  • US-West-2  (Oregon): 34.223.80.128/27, 44.234.37.64/27
  • EU-Central-1 (Frankfort): 3.123.12.160/27, 3.126.60.32/27
  • EU-West-2 (London): 3.9.41.96/27 
  • EU-West-2: 3.9.159.0/27
  • EU-West-2: 13.248.145.116, 76.223.18.166
  • EU-West-2: 13.248.140.65, 76.223.14.171
  • AP-Southeast-1 (Singapore): 18.139.118.128/27
  • AP-Southeast-1 (Singapore): 13.251.201.173
  • AP-Southeast-2 (Sydney): 3.106.23.128/27
  • AP-Southeast-2: 13.248.132.108, 76.223.7.179
  • AP-Southeast-2: 13.248.138.121, 76.223.13.178
  • SA-East-1 (São Paulo): 18.229.100.64/27
  • CA-Central-1 (Canada Central): 13.248.132.114, 76.223.2.173
  • CA-Central-1: 13.248.142.126, 76.223.16.174
  • Global: 13.248.142.77 & 76.223.15.160
  • Global: 13.248.145.23 & 76.223.20.131

Domains

Below is a list of domains that are used by 8x8 products and applications.

Note: In the process of connecting to Secure HTTP servers and setting up TLS connections, the certificates used in the connections will be validated by the issuing authority. Ensure you allow access to any/all issuing authorities.

Provisioning Note: Poly devices can make use of Poly Zero Touch Provisioning (ZTP) and Poly PDMS service. Each of these services require HTTPS traffic to be allowed to Poly. For more details see How do I Whitelist Zero Touch Provisioning Services for Obihai and Polycom Devices. Device Access to Poly’s IPs is NOT required for 8x8 services, it will assist/speed deployment for new devices.

Use

Domain

8x8 Core Domains

  • *.8x8.com
  • 8x8.vc
  • *.jitsi.net
  • *.packet8.net
  • *.p8t.us
  • *.cloud8.net
  • *.dxi.eu
  • *.easycallnow.net
  • *.easycontactnow.com
  • *.wavecell.com

8x8 Media Domains

  • *.packet8.net
  • *.8x8.com

3rd Party Domains


 
  • *.cloudflare.net
  • *.apigee.io
  • *.okta.com
  • *.segment.io
  • submit.backtrace.io
  • *.callstats.io
  • *.amplitude.com
  • www.gravatar.com
  • www.google-analytics.com
  • *.gstatic.com
  • *.googleapis.com
  • *.google.com
  • *.googleusercontent.com
  • *.youtube.com
  • *.microsoft.com
  • *.microsoftonline.com
  • *.msauth.net
  • *.live.com
  • *.dropboxapi.com
  • *.dropboxstatic.com
  • *.dropbox.com
  • *.dropboxusercontent.com
  • dropboxcaptcha.com

 

  • Was this article helpful?