Connectivity Requirements
9Line for CUCM Overview
The 9Line for CUCM service relies on communication between your Cisco UCM servers, the 9Line Agent, your SBCs, and the 9Line Cloud. The 9Line Agent does not participate in the critical call path for emergency 911 or test 933 calls.
Inspection Considerations
The 9Line Agent authenticates with the 9Line cloud using certificates. Because these certificates identify and authenticate each agent connection, TLS/SSL traffic between the 9Line Agent and the 9Line data centers must not be subject to TLS/SSL inspection unless deploying the agent with a Proxy server configuration. Additional information on configuring the proxy settings is included in the Agent document 9Line for CUCM Agent Download and Installation.
Firewall Rules
The table below lists only the destination ports to the 9Line services. Client-side ephemeral ports are not listed. All services except the Azure Container Registries are routed through Cloudflare for security and DDoS protection purposes.
9Line IP Addresses are not shared in this public-facing document; please log in to the 9Line Support Portal to access the IP Information.
If your firewall can filter based on a URL, we recommend allowing all traffic to our domain. Otherwise, configure your firewall for the Cloudflare IPs available at https://www.cloudflare.com/ips.
For SIP signaling and media traffic behind firewalls, the SIP Application Layer Gateway functionality must be disabled, and traffic should be allowed on the ports and protocols as defined in the configuration section.
Purpose | Source | Destination | Protocol | Ports |
---|---|---|---|---|
Primary SIP signaling (No TLS) | Your SBC external-facing leg | Refer to 9Line Support Portal IP Information | TCP | 5060 |
Secondary SIP signaling | Your SBC external-facing leg | Refer to 9Line Support Portal IP Information | TCP | 5060 |
Primary SIP signaling | Your SBC external-facing leg | Refer to 9Line Support Portal IP Information | TCP | 5061 |
Secondary SIP signaling | Your SBC external-facing leg | Refer to 9Line Support Portal IP Information | TCP | 5061 |
Primary Audio Media | Your SBC external-facing leg | Refer to 9Line Support Portal IP Information | UDP | 40000-60000 |
Secondary Audio Media | Your SBC external-facing leg | Refer to 9Line Support Portal IP Information | UDP | 40000-60000 |
Agent - 9Line Communication | Your 9Line Agent IP | mgmt.9line911.com | TCP | 443 |
Agent - Telemetry and Metrics: Required for 9Line to provide Application Logging and Troubleshooting | Your 9Line Agent IP | | TCP | 443 |
Agent - Manager Alerts | Your 9Line Agent | api.opsgenie.com | TCP | 443 |
CURRI* | Your CUCM servers | calling.9line911.com | TCP | 443 |
Portal Administration | Internal PCs | portal.9line911.com | TCP | 443 |
DNS | Your 9Line Agent IP | DNS Server* | TCP/UDP | 53 |
DNS** | Your CUCM servers | DNS Server | TCP/UDP | 53 |
NTP | Your 9Line Agent | Internal or Internet | UDP | 123 |
* When configuring "CUCM Clusters" in the 9Line portal, if using the CUCM hostname(s) rather than the IP address, the DNS server specified must be able to resolve the CUCM server hostname(s). This is typically an internal server address. External DNS servers like 8.8.8.8 or 1.1.1.1 will not resolve the internal CUCM hostname.
** Applicable only for CURRI integrations. When using CURRI, your CUCM server(s) must be able to resolve 9Line hostnames.
DMZ Port Usage
If your organization utilizes internal firewalls to segment internal trusted networks, the following ports must be configured for the 9Line Agent to communicate with your telephony infrastructure and network.
Purpose | Source | Destination | Protocol | Ports |
---|---|---|---|---|
SNMP | Your 9Line Agent VM IP | Your Network Switches and CUCM cluster(s) | UDP | 161 |
AXL | Your 9Line Agent VM IP | Your CUCM cluster(s) | TCP | 8443 |
SSH | Your management network(s) | Your 9Line Agent VM IP | TCP | 22 |
NTP | Your 9Line Agent VM IP | Internal or Internet | UDP | 123 |
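
The two port tables above can be checked against an exported ruleset. The following is an added example (not 9Line code) that reports every required flow the ruleset leaves partly or wholly blocked, such as a truncated media range or DNS allowed on UDP but not TCP. The source and destination labels (`sbc`, `agent`, `9line-sbc`, `dns`, `ntp`, `snmp-targets`, `cucm`) and the sample ruleset are constructed placeholders, and rows whose destination is not given on this page are left out.

```python
# Added example, not 9Line code. Labels such as "agent" and "9line-sbc" are
# placeholders; real 9Line IPs are published only in the Support Portal.
# Required flows: (purpose, source, destination, protocols, first port, last port)
REQUIRED = [
    ("SIP signaling (no TLS)", "sbc", "9line-sbc", {"tcp"}, 5060, 5060),
    ("SIP signaling (TLS)", "sbc", "9line-sbc", {"tcp"}, 5061, 5061),
    ("Audio media", "sbc", "9line-sbc", {"udp"}, 40000, 60000),
    ("Agent - 9Line", "agent", "mgmt.9line911.com", {"tcp"}, 443, 443),
    ("Manager alerts", "agent", "api.opsgenie.com", {"tcp"}, 443, 443),
    ("DNS", "agent", "dns", {"tcp", "udp"}, 53, 53),
    ("NTP", "agent", "ntp", {"udp"}, 123, 123),
    ("SNMP", "agent", "snmp-targets", {"udp"}, 161, 161),
    ("AXL", "agent", "cucm", {"tcp"}, 8443, 8443),
]
# Constructed sample ruleset: (source, destination, protocol, first, last)
SAMPLE_RULES = [
    ("sbc", "9line-sbc", "tcp", 5060, 5061),
    ("sbc", "9line-sbc", "udp", 40000, 50000),  # media range cut short
    ("agent", "mgmt.9line911.com", "tcp", 443, 443),
    ("agent", "api.opsgenie.com", "tcp", 443, 443),
    ("agent", "dns", "udp", 53, 53),            # TCP/53 forgotten
    ("agent", "ntp", "udp", 123, 123),
    ("agent", "cucm", "tcp", 8443, 8443),       # no SNMP rule at all
]

def uncovered(first, last, spans):
    """Return the port ranges within first..last that no allowed span covers."""
    missing, cursor = [], first
    for lo, hi in sorted(spans):
        if hi < cursor or lo > last:
            continue
        if lo > cursor:
            missing.append((cursor, lo - 1))
        cursor = hi + 1
    if cursor <= last:
        missing.append((cursor, last))
    return missing

def audit(required, rules):
    """Map each required flow to the (protocol, first, last) gaps left open."""
    gaps = {}
    for purpose, src, dst, protos, first, last in required:
        for proto in sorted(protos):
            spans = [(lo, hi) for s, d, p, lo, hi in rules if (s, d, p) == (src, dst, proto)]
            for lo, hi in uncovered(first, last, spans):
                gaps.setdefault(purpose, []).append((proto, lo, hi))
    return gaps

if __name__ == "__main__":
    print(audit(REQUIRED, SAMPLE_RULES))
```

An empty result means every listed flow is fully covered; replace `SAMPLE_RULES` with rules exported from your own firewall.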
Optional Rules for 9Line Monitoring
If you wish to enable the optional 9Line monitoring through Azure Arc, the following additional rules must be enabled. All traffic occurs over encrypted TCP/443 (TLS). Note: Rules labeled “Always” only apply if you wish to use the Azure Arc Monitoring feature.
Destination | Description | When Required |
---|---|---|
| Used to resolve the download script during installation | At installation time, only. |
| Used to download the Linux installation package | At installation time, only. |
| Authentication / Azure Active Directory | Always |
| Authentication / Azure Active Directory | Always |
| Authentication / Azure Active Directory | Always |
| Azure Resource Manager - to create or delete the Arc server resource | Always |
| Metadata and hybrid identity services | Always |
| Extension management and guest configuration services | Always |
| Notification service for extension and connectivity scenarios | Always |
| Notification service for extension and connectivity scenarios | Always |
| For Remote Support SSH scenarios | If the customer wishes to enable customer-driven remote support via SSH. |
RTP Port Ranges - Customer SBCs
Your SBC platform determines your RTP port range, and any firewall rules you create for RTP must take this into account. For Cisco SBC platforms, changing the range is covered in the following documentation: RTP - Negotiated UDP port range with Cisco CUBE.
SIP TLS and SRTP Requirements
- Signed Certificate Exchange using PKI; no registration required.
- Encryption (recommended: AEAD_AES_256_GCM). Other options include:
  - AEAD_AES_128_GCM
  - AES_CM_128_HMAC_SHA1_80
  - AES_CM_128_HMAC_SHA1_32
- TLS 1.2 exclusively for SIP Signaling (port 5061 required).
- SRTP via DTLS.
Helpful Documentation: Cisco Unified Border Element Configuration Guide - Cisco IOS XE 17.6 Onwards - SRTP-SRTP Interworking
Supporting Emergency Callback
Kari's Law mandates that 911 operators be able to initiate a call to the person who called 911 in the event of an emergency call disconnection. In the context of Kari's Law compliance, 9Line offers a crucial feature in managing the callback telephone number mapping for each call. This telephone number is essential for emergency call tracking and callback functionality.
When an outside party, such as a 911 dispatcher, calls the 9Line managed telephone number, 9Line’s Session Border Controllers (SBCs) will initially receive the call. Subsequently, 9Line relays the call back to the customer’s SBC IP address. The customer’s SBC will route to the Cisco Unified Communications Manager (CUCM) and, ultimately, to the original phone that initiated the 911 call.
To support this feature, create firewall rules that allow for SIP traffic originating from 9Line’s SBCs to your SBCs to pass. The 9Line IP addresses specified above are applicable, as are the TCP port for signaling and the UDP ports for media. The destination IP address and signaling port for an emergency callback from 9Line can be specified as an alternate IP and Port. This is configured by editing the Voice Gateway in the 9Line portal.
Third-Party Cookies
If your organization blocks third-party cookies, please note the required domains for cookies below. These apply to administrators when performing configuration tasks at https://portal.9line911.com and Jabber users when accessing the 9Line gadget in the Jabber client. Ideally, all domains specified below would be accessible. However, if security policy dictates, please ensure the required domains are allowed. If your security policy prevents this, please raise a ticket via the support portal for further discussion with 9Line.
Domain | Required | Purpose |
---|---|---|
*.cloudflare.com | Yes | Used by Cloudflare Web App Firewall, caching, and portal performance acceleration. |
*.9line911.com | Yes | Used to control access and operational state in the 9Line portal. |
*.azure.com | Yes | Used by Azure load balancers and application gateways to route traffic to 9Line systems. |
*.userpilot.io | No | Interactive user guides and portal surveys. |
Updated 7 months ago