Prerequisites for a Xelion Deployment
Technical Implementation & Provisioning Requirements
This guide outlines the essential network, firewall, and environmental prerequisites required to ensure a successful, stable, and secure Xelion deployment. Please review these technical specifications with your network administrator or IT partner prior to the scheduled installation date.
General Requirements
- Internet Connection: A reliable, high-speed business internet connection is required.
- Email Access: Each configured user should ideally have a unique, valid email address, which serves as their primary Xelion username.
- Content Filtering: VoIP and provisioning traffic must be fully excluded from deep packet inspection (DPI) or HTTPS/SSL interception protocols.
- DHCP Availability: Dynamic Host Configuration Protocol (DHCP) should be available on the voice network. If static IP addressing is strictly required for hardware handsets, notify B4BC prior to deployment and provide the full network mapping schema.
- VLAN Configurations: If IP phones are to be partitioned into a dedicated voice network, advise B4BC ahead of installation with your specific voice VLAN tags and subnet allocation details.
- SIP ALG: SIP Application Layer Gateway (also natively labeled as SIP Transformation, SIP Helper, or SIP Inspection) must be strictly disabled across all network routers and security gateways.
- Double NAT: Daisy-chained NAT architectures (positioning a secondary router or gateway behind an untrusted NAT firewall device) are completely unsupported.
- UDP Session Timer: Must be configured to a minimum threshold of 180 seconds. Note: Specific vendor platforms, such as SonicWall security solutions, require this timer to be raised to 620 seconds to completely mitigate inbound one-way audio dropouts.
- MTU Value: Ensure WAN MTU values are locked to the maximum capacity supported by your ISP infrastructure (typically 1492 or 1500 bytes).
⚠️ Important Firewall Security Notes
1. Public Cloud DNS Resolution: Xelion application instances run entirely on resilient Public Cloud infrastructure. Ensure your core firewall architecture regularly processes and freshens dynamic DNS lookups to maintain seamless connectivity.
2. Inbound Rule Restrictions: Do not establish inbound firewall mappings or port forwarding targeting physical handsets directly (e.g., exposing SIP ports or local HTTP/HTTPS user interfaces to the WAN). Unfiltered inbound access introduces catastrophic vulnerabilities and directly exposes hardware endpoints to automated toll fraud exploitation.
3. uPnP Enforcement: Verify that Universal Plug and Play (uPnP) operations are categorically disabled across the entire voice VLAN or peripheral networks.
4. Stateful Traffic Handling: Modern security appliances are inherently stateful and explicitly handle response path maps. If deploying on legacy stateless appliances, return traffic path rules matching outbound flows must be configured manually.
Outbound Port & Provisioning Rule Sets
Egress (outbound) traffic flows must be explicitly permitted from the local voice network or LAN segment to the external destinations detailed below:
| Source |
Destination URL |
Destination IP |
Ports / Protocols |
Purpose |
| LAN / Voice VLAN |
b4bmt01.xelion.com
b4bmt02.xelion.com
|
52.31.77.253,
35.179.86.222
|
TCP 80, 443, 1791
TCP 389, 636
TCP+UDP 5060-5069
UDP 10000-20000
|
HTTP/S Configuration, Web GUI, Secure SIP Signaling, Xelion Softphone, LDAP, & RTP Media Streams. |
| LAN / Voice VLAN |
rps.yealink.com
rpscloud.yealink.com
|
52.29.124.181,
3.124.165.251,
51.11.241.228,
20.19.96.56,
20.242.144.0 / .1
|
TCP 80 TCP 443 |
Yealink Redirect and Provisioning Service (RPS) handshakes. |
| LAN / Voice VLAN |
fdps.fanvil.com |
119.28.67.228 |
TCP 80 TCP 443 |
Fanvil Device Provisioning System (FDPS) redirection server. |
| LAN / Voice VLAN |
— |
8.8.8.8,8.8.4.4 |
TCP+UDP 53 |
Google Public DNS lookup resolution services. |
| LAN / Voice VLAN |
— |
1.1.1.1,1.0.0.1 |
TCP+UDP 53 |
Cloudflare Public DNS lookup resolution services. |
| LAN / Voice VLAN |
uk.pool.ntp.org |
80.87.128.222,
81.21.65.169,
85.199.214.102 / .98
|
UDP 123 |
Network Time Protocol (NTP) for local region clock sync. |
| LAN / Voice VLAN |
pool.ntp.org |
202.28.93.5,
194.239.208.213,
185.177.150.85,
91.121.165.46
|
UDP 123 |
Global fallback Network Time Protocol (NTP) services. |
Web Content Filtering & HTTPS Inspection Decryption
For organizations deploying Next-Gen Firewalls (NGFW), deep packet application layer tools, or secure web gateways (SWG):
- Whitelisting Policies: Explicitly add the domains below to your network-wide destination profile allow-lists.
- Decryption Bypass: Configure rule overrides to entirely bypass the following URLs from active HTTPS/SSL structural deep inspection. Breaking safe TLS authentication frames disrupts server handshakes and terminates firmware provisioning routines.
b4bmt01.xelion.com
b4bmt02.xelion.com
rps.yealink.com
rpscloud.yealink.com
fdps.fanvil.com
Useful Reference Resources
Consult vendor-specific deployment blueprints for prescriptive edge configurations: