
Best Practice Guidelines

Guidelines on how to improve the uptime and stability of your services by implementing redundant links and failover options.


Last updated 1 year ago

Carrier Level Redirection

Carrier Level Redirection allows us to redirect calls before they hit the Hosted Network Voice core.

If you’re expecting the customer's site to go offline, or are aware of maintenance we are conducting, we strongly recommend that you ask us to temporarily divert the customer's numbers to a secondary location or to a mobile.

To request carrier redirection, submit a support ticket letting us know which DIDs need to be redirected and the destination of the redirection. If it is an urgent request, submit a support ticket and then call us for priority support.

Configure inbound calling failover (For Multi-tenant PBX or VoIP Bundles)

Our VoIPNow platform supports incoming call rules. These rules allow you to divert calls to a predefined number in the event that the PBX/phone becomes unregistered or unreachable.

Incoming call rules leveraging the “Unregistered status” will not work for services that use IP-based authentication, as there is no registration.

It’s recommended to divert calls to a mobile or other off-net number that will not be impacted if the site goes offline e.g. due to a failed internet connection.

Inbound SIP Connections

For customers that require a high level of uptime, we strongly recommend taking advantage of our Inbound Numbering System as it provides several features to ensure uptime of your inbound calls.

Key features for inbound call redundancy include:

  • Network Queuing will queue calls in the event that your concurrent call limit is hit, for example with a SIP Trunk.

  • Off-Net Overflow / Failover will allow you to preconfigure off-net failover call flows in the event that the primary destinations are not answering or are unavailable.

SIP Trunk Redundancy

Where redundancy is required we recommend leveraging multiple outgoing SIP Servers. In the event of an upstream SIP failure, your PBX should be configured to automatically route calls over the second path. When ordering a SIP Trunk from Hosted Network we will issue you with a primary and secondary SIP server for this reason.

Legacy SIP Trunk services may only have a primary service but a secondary can be requested free of charge by contacting our support team.

To limit the failure zone you may also consider:

  1. Spreading the inbound DIDs across multiple SIP Trunks

  2. Leveraging our Inbound Numbering System to fail over the inbound call routing between your primary and secondary SIP Trunks.

Physical WAN Link Redundancy

We strongly recommend that customers have some form of redundancy onsite for their internet access in order to keep them online if/when their primary service goes offline.

Typically this would be an NBN service with a 4G backup, but you can also use a faster (100/40) NBN service and have a slower (25/5) NBN service as a backup. You may even want to consider using an SD-WAN product like Hosted Network’s bonded internet service, as this will allow you to connect multiple WAN services without the displayed public IP changing.

If you use IP-based authentication and the service fails over to the secondary connection, your PBX/phone may fail to route calls unless you have allowed the secondary connection’s public IP address.

Security Best Practices

Lockdown your SIP Devices and Registration

We strongly recommend that you configure your PBX or phone to only accept traffic from the appropriate SIP servers. Many PBXs and SIP devices will accept inbound traffic but reject the majority of it because it is not from a registered device.

If you have a UTM or a firewall capable of source-based rules then we also recommend you configure firewall rules to only allow SIP connections from your carrier trunks.

For VoIP Bundles and Multi-Tenant PBX, you can set the extension within our VoIP platform to only accept inbound/outbound traffic from a list of predefined IP addresses. This is different from IP-based authentication, but it will still stop registrations and calls from coming from unauthorized IP addresses.

This will prevent a third party who manages to get hold of the SIP password from registering your SIP service and then spamming out international calls.
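Before enforcing a source-based rule, it helps to see which sources are currently reaching your SIP port and would be dropped. The following is an added example, not Hosted Network's code: the carrier addresses are placeholders from documentation ranges and the log format is constructed, so adapt both to your PBX or firewall logs.

```python
import ipaddress
from collections import Counter

# Assumption: placeholder addresses (RFC 5737 documentation space). Replace with
# the primary and secondary SIP servers issued with your trunk.
CARRIER_TRUNKS = [ipaddress.ip_network(n)
                  for n in ("203.0.113.10/32", "203.0.113.11/32")]

# Constructed sample log: "<timestamp> <source-ip> <SIP method> <request URI>"
SAMPLE_LOG = """\
2024-05-01T02:14:01Z 203.0.113.10 INVITE sip:0299990000@pbx.example
2024-05-01T02:14:07Z 198.51.100.23 REGISTER sip:1001@pbx.example
2024-05-01T02:14:08Z 198.51.100.23 REGISTER sip:1002@pbx.example
2024-05-01T02:14:09Z 198.51.100.23 INVITE sip:0011442079460000@pbx.example
2024-05-01T02:15:30Z 203.0.113.11 OPTIONS sip:pbx.example
2024-05-01T02:16:02Z 192.0.2.77 OPTIONS sip:100@pbx.example
this line is truncated
"""


def is_carrier(addr):
    """True when the source address belongs to one of the carrier trunks."""
    return any(addr in net for net in CARRIER_TRUNKS)


def audit_sip_sources(log_text):
    """Return ({source_ip: Counter(method)}, skipped_lines) for non-carrier sources."""
    offenders = {}
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[1])
            method = parts[2]
        except (IndexError, ValueError):
            skipped += 1  # malformed line: count it instead of guessing
            continue
        if not is_carrier(addr):
            offenders.setdefault(str(addr), Counter())[method] += 1
    return offenders, skipped


if __name__ == "__main__":
    offenders, skipped = audit_sip_sources(SAMPLE_LOG)
    for ip, methods in sorted(offenders.items()):
        print(ip, dict(methods))
    print("unparsed lines:", skipped)
```

Any address this reports is one that an allow-only-carrier rule would drop, so check the list for legitimate remote handsets or secondary WAN addresses before enforcing.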

Use Complex Passwords

This applies not just to the password used to register your SIP device, but also to the login portal for your SIP handsets themselves.

Setting a complex password will help prevent a third party from getting access to the WebGUI of the SIP device, whether the device is exposed to the web or the attacker is already inside the network.

A lot of SIP/VoIP compromises are caused by insecure passwords or by outdated firmware containing a vulnerability that allows authentication to be bypassed.

Regular Firmware Updates to SIP devices

You should ensure you are regularly updating the firmware for your SIP devices (Handset or PBX) as unpatched systems are most commonly the cause of VoIP Toll Fraud.

Hosted Network takes no responsibility for toll fraud caused by security issues on devices outside of our control, such as downstream PBXs or VoIP handsets. The partner and their end customers are responsible for all charges associated with toll fraud.

Use TLS and SRTP if possible

You should ensure your SIP Devices are using the TLS transport protocol in addition to the SRTP encryption settings if supported by the device itself.

A lot of issues are mitigated (specifically NAT issues) by setting the phone to use TLS for the transport protocol as opposed to UDP/TCP protocols. The SRTP option will also encrypt traffic between your servers and our SIP servers, keeping everything private in between and decreasing the risk of someone being able to intercept the traffic.

SRTP and TLS do not mean that the call has been encrypted end to end, as once it leaves our network it may be routed via any number of carriers to its final destination, all of which Hosted Network has no control over.

Outbound Call Limits & Restrictions

For Multi Tenant PBX and VoIP Bundles you should set an upper limit on the number of outbound calls a customer can make to reduce the impact should they be compromised.

You may choose to set this limit to a dollar amount, e.g. $1000 to limit the risk of potential toll fraud.

We also strongly suggest barring outbound calls to international destinations if the customer doesn’t have a need to call internationally. Toll fraud is typically done to international numbers so this is a simple way of reducing risk.
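To see how these two controls bound the damage, the following added example (not Hosted Network's code or a VoIPNow feature) replays constructed call records against the $1000 example limit and counts international calls per customer. The CDR layout, customer names and the Australian dialling assumption (0011 or a non-+61 "+" prefix means international) are illustrative.

```python
from decimal import Decimal

SPEND_CAP = Decimal("1000")  # the example dollar limit mentioned above

# Constructed CDR rows: (customer, dialled number, call cost in dollars).
SAMPLE_CDRS = [
    ("acme", "0299990000", "0.10"),
    ("acme", "+61399990000", "0.10"),
    ("bravo", "1300999000", "0.35"),
] + [("acme", "0011442079460000", "4.50")] * 250  # burst after a compromise


def is_international(number):
    """Assumption: Australian dialling plan; +61 numbers are domestic."""
    n = number.replace(" ", "")
    if n.startswith("+61"):
        return False
    return n.startswith(("0011", "+"))


def review_cdrs(cdrs, cap=SPEND_CAP):
    """Per customer: total spend, international call count, and the index of
    the CDR at which the cap was first exceeded (None if it never was)."""
    report = {}
    for i, (customer, number, cost) in enumerate(cdrs):
        r = report.setdefault(
            customer, {"spend": Decimal("0"), "intl_calls": 0, "cap_hit_at": None}
        )
        r["spend"] += Decimal(cost)
        if is_international(number):
            r["intl_calls"] += 1
        if r["cap_hit_at"] is None and r["spend"] > cap:
            r["cap_hit_at"] = i  # a platform limit would stop calls from here
    return report


if __name__ == "__main__":
    for customer, r in review_cdrs(SAMPLE_CDRS).items():
        print(customer, r["spend"], r["intl_calls"], r["cap_hit_at"])
```

In the constructed data every dollar of the overrun comes from international calls, so a customer with international barring enabled would never have reached the cap at all.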

Network Best Practices

Choose quality network hardware

  • A suitable router should be used when running VoIP. Basic features such as Quality of Service and the ability to turn off SIP ALG are essential.

  • For non SOHO environments, an enterprise router should always be used.

  • Routing and switching equipment that honours DSCP markings is also a requirement if you are tagging voice traffic as a priority.

Implement redundancies to maximize uptime

Consider implementing a dedicated internet connection, such as a 25/5Mbps nbn service so that any connectivity issues with your main internet service don’t affect your ability to make or receive phone calls. This also protects all VoIP traffic from being saturated if the primary link is congested and removes the complexities of needing to configure and manage Quality of Service (QoS).

Secondly, look at leveraging an SD-WAN service as opposed to load-balancing. Load-balancing commonly causes the source IP to change, which severely affects an active phone call or disconnects it completely. An SD-WAN service allows for seamless movement between internet services should one experience issues.

Security and performance go hand in hand

As with any technology, security should be at the forefront of any deployment and ongoing management. While this section could be a book in itself, here are a few key items that we would recommend at a minimum be implemented.

Dedicated VLAN for voice traffic

Competing network traffic can cause degradation of VoIP traffic. VoIP traffic is extremely susceptible to bandwidth limitations, slowdowns, and other traffic on the same network taking precedence. Separating VoIP traffic into its own VLAN allows for precise controls and ensures that VoIP traffic is independent with the highest priority.

Quality of Service

Quality of service (QoS) allows you to create rules that prioritize your VoIP traffic across all of your network devices. A quality router and managed switches should include QoS settings that will allow you to accomplish this with ease. This may not be feasible for smaller deployments but where possible we recommend implementing it.

Quality of Service is only able to be configured on your WAN’s upload. The download component needs to be configured by your ISP. Hosted Network offers a number of solutions to enable this such as a Managed WAN service, SD-WAN or simply using a dedicated 25/5Mbps nbn service for voice traffic.

SIP ALG & SIP TLS

Depending on your configuration, SIP ALG can be the difference between a good user experience and intermittent issues that make the service seem unusable.

Unless your handsets are set up to specifically use TLS, SIP ALG should be disabled on the router.

If possible, we would recommend using SIP TLS as this encrypts the traffic and bypasses the issues experienced with SIP ALG.