It appears that the wi-fi calling feature that has finally rolled out for iPhones with iOS 9.3 will require some firewall changes for corporate firewalls.
It looks like the feature establishes a per app vpn for the calling feature. IPsec and ike protocols appear to be in use.
I'm hoping to find documentation from Verizon on what ports and addresses to enabled for this feature.
Can anyone point me in the right direction?
Solved! Go to Correct Answer
@Weth, thanks for the document, I had not seen it yet.
I see the line that states: "IPsec: The enterprise firewall policy needs to enable User Datagram Protocol (UDP) ports 500 and 4500 for IPsec to work properly."
I'm looking for a specific range of destination IP addresses to allow for the outbound rule. Just allowing the ports outbound without a specific destination won't work for use. We need to keep our outbound traffic limited to specific destinations.
Got it. Same reason I can't get it turned on in our hospital. Sure would be great for the far reaches of the basement with X-ray blocking walls near the radiology suite! Unless someone chimes in at a level of Verizon network technical knowledge that I have not seen in this forum, you'll need to get by the first 2 layers of CS so a third level can put in a request for a technical contact.
Did you see where it is connecting to from a less controlled network, I.e. Home?
agreed. Not going to hold my breath.
I called CS today and they told me to call Apple Care Support number because CS had not been briefed on 9.3 calling feature yet, and since it's an Apple device, I needed to call Apple.
I think I'm going to try our business rep.
I also sent a tweet to @VZWSupport to see if they had any info, nothing yet. trying multiple channels to see if I can get a quick resolution.
Still haven't found any official documentation yet but I did some sleuthing and found the following needs to be enabled.
As @Weth noted, the Cisco document recommends the following ports need to be allowed outbound
Only 2 Verizon IP addresses appear in the destination list, but not sure if they are regional.
184.108.40.206 - 232.sub-141-207-225.myvzw.com (Appears to be West coast)
220.127.116.11 - 232.sub-141-207-227.myvzw.com (Appears to be East coast)
We've enabled outbound traffic to these addresses on these ports and it works.
studerje1, We always want your concerns to be addressed and solved properly. This is a community forum and we provide the community the initial opportunity to answer here. We do see here that @Weth was able to provide you with a great solution to your concern. Is everything working currently? Do you have any other concerns?
Follow us on Twitter @VZWSupport
If my response answered your question please click the �Correct Answer� button under my response. This ensures others can benefit from our conversation. Thanks in advance for your help with this!!
as you can see by my initial response to his post.
I acknowledged that it was helpful, but was only half of the answer I'm seeking.
"I'm looking for a specific range of destination IP addresses to allow for the outbound rule. Just allowing the ports outbound without a specific destination won't work for us. We need to keep our outbound traffic limited to specific destinations."
For what it's worth, I detected a connection to IP 18.104.22.168 when making a WiFi call in Ohio. Hopefully Verizon can chime in with an official, complete list of IPs.