TheWebMachine Networks
Apr 18, 2020
Edited: Oct 10, 2020

Proper EC2 Security Group Ports

In order for AWS FreePBX to function properly, a number of ports need to be accessible from the outside world. These include ports for things such as the SIP signaling and web server. In order to help clarify things for those with existing instances, if you have changed your Security Group and want to revert to defaults, or if you are simply unsure what all these ports are for, this page will outline our default Security Group/open ports for AWS FreePBX for your reference.


Your EC2 Security Group for AWS FreePBX should look like the following by default. Note that we are only concerned with the Inbound tab and that the "Source: 0.0.0.0/0" is the "Anywhere" option when editing the rules:



PBX Admin Access



PBX SIP and IAX Communication



PBX User Control Panel (UCP)



PBX Phone Provisioning and Phone Apps



Zulu 3



Zulu 2



Additional notes:

  • If you install additional modules and packages, you may need to open additional ports here to make everything work properly. Refer to the module or package's documentation for details

  • If you wish to use Zulu, you will need to add TCP ports 8002, 8003 & 8089 to the Security Group

  • If you enable TLS for chan_sip or chan_pjsip, you will need to assign and/or open the additional ports here

  • If you change default port assignments on any of the above services, you will need to edit the respective entry here (and always fully reboot your server for any port changes to take effect)

  • If you know for sure you aren't using some of these services, you may want to close (delete) some of these ports to further secure your system. Uncommonly used services include xmpp (5222, 5269, 5280), vcom (8001), asterisk-radan (8088), and asterisk-java (58080). You do not (and should not) need to disable any of these services on the server, itself...simply close these ports in the Security Group and they become inaccessible without compromising the stability of your server

  • If your organization's internet traffic originates from a single static IP address, you may want to edit the rules to change the source from "Anywhere" to the specific IP of your organization. You should NOT, however, make this change on ports 22, 80, or 81 unless you are certain you don't want any access to the SSH console, web admin, or for users to have access to their voicemails/faxes/etc via the web from outside your organization's network

0 comments
Closed
Closed
 

a division of Rebar IT Outsourcing

TheWebMachine Networks is a division of Rebar IT Outsourcing, a Technology Contract Services company.

 

If you are in need of Technical Support, first try visiting our Support Wiki. There, you will find our FAQs on the most common questions and issues experienced. You may also contact our friendly and knowledgeable Support Staff by using the floating blue button on the right or by clicking here.

FreePBX® is a Registered Trademark of Sangoma Technologies and is used with permission.
TheWebMachine Networks is a fully licensed and certified Sangoma partner.
Amazon Web Services is a trademark of Amazon.com, Inc. or its affiliates in the United States and/or other countries.
TheWebMachine Networks is an AWS Partner Network Member.
Rebar IT Outsourcing • TheWebMachine Networks
P.O. Box 271365 • Dallas, TX 75227 • USA

201204 1045