Prerequisites for a Xelion deployment

Prerequisites for a Xelion deployment

Prerequisites for a Xelion Deployment

Technical Implementation & Provisioning Requirements

This guide outlines the essential network, firewall, and environmental prerequisites required to ensure a successful, stable, and secure Xelion deployment. Please review these technical specifications with your network administrator or IT partner prior to the scheduled installation date.

General Requirements

  • Internet Connection: A reliable, high-speed business internet connection is required.
  • Email Access: Each configured user should ideally have a unique, valid email address, which serves as their primary Xelion username.
  • Content Filtering: VoIP and provisioning traffic must be fully excluded from deep packet inspection (DPI) or HTTPS/SSL interception protocols.
  • DHCP Availability: Dynamic Host Configuration Protocol (DHCP) should be available on the voice network. If static IP addressing is strictly required for hardware handsets, notify B4BC prior to deployment and provide the full network mapping schema.
  • VLAN Configurations: If IP phones are to be partitioned into a dedicated voice network, advise B4BC ahead of installation with your specific voice VLAN tags and subnet allocation details.
  • SIP ALG: SIP Application Layer Gateway (also natively labeled as SIP Transformation, SIP Helper, or SIP Inspection) must be strictly disabled across all network routers and security gateways.
  • Double NAT: Daisy-chained NAT architectures (positioning a secondary router or gateway behind an untrusted NAT firewall device) are completely unsupported.
  • UDP Session Timer: Must be configured to a minimum threshold of 180 seconds. Note: Specific vendor platforms, such as SonicWall security solutions, require this timer to be raised to 620 seconds to completely mitigate inbound one-way audio dropouts.
  • MTU Value: Ensure WAN MTU values are locked to the maximum capacity supported by your ISP infrastructure (typically 1492 or 1500 bytes).

⚠️ Important Firewall Security Notes

1. Public Cloud DNS Resolution: Xelion application instances run entirely on resilient Public Cloud infrastructure. Ensure your core firewall architecture regularly processes and freshens dynamic DNS lookups to maintain seamless connectivity.
2. Inbound Rule Restrictions: Do not establish inbound firewall mappings or port forwarding targeting physical handsets directly (e.g., exposing SIP ports or local HTTP/HTTPS user interfaces to the WAN). Unfiltered inbound access introduces catastrophic vulnerabilities and directly exposes hardware endpoints to automated toll fraud exploitation.
3. uPnP Enforcement: Verify that Universal Plug and Play (uPnP) operations are categorically disabled across the entire voice VLAN or peripheral networks.
4. Stateful Traffic Handling: Modern security appliances are inherently stateful and explicitly handle response path maps. If deploying on legacy stateless appliances, return traffic path rules matching outbound flows must be configured manually.

Outbound Port & Provisioning Rule Sets

Egress (outbound) traffic flows must be explicitly permitted from the local voice network or LAN segment to the external destinations detailed below:

Source Destination URL Destination IP Ports / Protocols Purpose
LAN / Voice VLAN b4bmt01.xelion.com b4bmt02.xelion.com 52.31.77.253, 35.179.86.222 TCP 80, 443, 1791
TCP 389, 636
TCP+UDP 5060-5069
UDP 10000-20000
HTTP/S Configuration, Web GUI, Secure SIP Signaling, Xelion Softphone, LDAP, & RTP Media Streams.
LAN / Voice VLAN rps.yealink.com rpscloud.yealink.com 52.29.124.181, 3.124.165.251, 51.11.241.228, 20.19.96.56, 20.242.144.0 / .1 TCP 80
TCP 443
Yealink Redirect and Provisioning Service (RPS) handshakes.
LAN / Voice VLAN fdps.fanvil.com 119.28.67.228 TCP 80
TCP 443
Fanvil Device Provisioning System (FDPS) redirection server.
LAN / Voice VLAN 8.8.8.8,8.8.4.4 TCP+UDP 53 Google Public DNS lookup resolution services.
LAN / Voice VLAN 1.1.1.1,1.0.0.1 TCP+UDP 53 Cloudflare Public DNS lookup resolution services.
LAN / Voice VLAN uk.pool.ntp.org 80.87.128.222, 81.21.65.169, 85.199.214.102 / .98 UDP 123 Network Time Protocol (NTP) for local region clock sync.
LAN / Voice VLAN pool.ntp.org 202.28.93.5, 194.239.208.213, 185.177.150.85, 91.121.165.46 UDP 123 Global fallback Network Time Protocol (NTP) services.

Web Content Filtering & HTTPS Inspection Decryption

For organizations deploying Next-Gen Firewalls (NGFW), deep packet application layer tools, or secure web gateways (SWG):

  • Whitelisting Policies: Explicitly add the domains below to your network-wide destination profile allow-lists.
  • Decryption Bypass: Configure rule overrides to entirely bypass the following URLs from active HTTPS/SSL structural deep inspection. Breaking safe TLS authentication frames disrupts server handshakes and terminates firmware provisioning routines.
b4bmt01.xelion.com b4bmt02.xelion.com rps.yealink.com rpscloud.yealink.com fdps.fanvil.com

Useful Reference Resources

Consult vendor-specific deployment blueprints for prescriptive edge configurations:

    • Related Articles

    • Prerequisites for a VoIPSure deployment

      General requirements: Reliable high speed Internet Connection. Email Access - each user must have a unique and valid email address. The user must be able to retrieve their emails from wherever they intend using the VoIP service as onboarding ...
    • Prerequisites for a VoIPSure V2 deployment

      General requirements: Reliable high speed Internet Connection. Email Access - each user must have a unique and valid email address. The user must be able to retrieve their emails from wherever they intend using the VoIP service as onboarding ...
    • Hosted VoIP Firewall Requirements

      Introduction The purpose of this document is to define the firewall and general router configuration necessary to implement B4BC’s Voice over Internet Protocol (VoIP) communications on a local area network. This document is intended to be vendor ...
    • Panasonic NS SIP Trunk Requirements

      Panasonic NS700 SIP Trunk Requirements 1. Introduction The purpose of this document is to define the firewall and general router configuration necessary to implement Voice over Internet Protocol (VoIP) communications using a Panasonic PBX across a ...
    • NEC SV9100 SIP Trunk Requirements

      Introduction The purpose of this document is to define the firewall and general router configuration necessary to implement Voice over Internet Protocol (VoIP) communications on a NEC SV9100 PBX across a local area network. Disclaimer: The ...