Companies often have web proxies that are deployed in their corporate environment to secure outbound internet traffic. Administrators may also have remote workers connect to their corporate workloads using a web proxy to secure their work terminal. Web proxies are additional network components that inspect traffic and may cause performance-related issues to real-time applications like introducing latency, jitter, and packet loss in network congestion scenarios.
Zoom recommends that any real-time traffic be allowed on a web proxy to ensure that the traffic flows directly from the client through a corporate firewall to the Zoom data centers. If you're unable to allow the Zoom traffic, it is recommended to allow UDP traffic through the web proxy however this may introduce latency and jitter and may deteriorate the user experience.
This article covers:
- Do I need a web proxy server for Zoom Phone?
- Why is it best practice to avoid web proxy servers when using Zoom Phone?
- How can I secure my Zoom Phone traffic without a web proxy server?
Do I need a web proxy server for Zoom Phone?
Due to the real time nature of Zoom Phone, web proxies may provide a sub-optimal experience to the end user. Also, in the case of Zoom Phone, all traffic is already encrypted so web proxies do not make it more secure. With this in mind, the best practice is to bypass web proxies when deploying and using Zoom Phone.
Why is it best practice to avoid web proxy servers when using Zoom Phone?
Utilizing standards-based Voice over Internet Protocol (VoIP) to deliver best-in-class voice services, Zoom Phone delivers a secure and reliable alternative to traditional on-premise PBX solutions. Signaling, call setup, and in-call features are delivered via Session Initiation Protocol (SIP) and encrypted using TLS1.2 and PKI Certificates issued by a trusted commercial certificate authority. Zoom uses UDP to route voice traffic which is encrypted using Secure Real-Time Transport Protocol (SRTP) with Advanced Encryption Standard (AES) 256-GCM profiles to ensure that unauthorized parties cannot eavesdrop on phone conversations. For more information on Zoom Phone’s security capabilities, visit the Zoom Trust Center.
How can I secure my Zoom Phone traffic without a web proxy server?
To ensure that Zoom users have an optimal experience, Zoom recommends allowing traffic destined to Zoom data centers, i.e. routed directly without a web proxy.
Zoom takes the following steps to ensure that data that is being allowed is protected:
- Zoom clients generate three kinds of traffic:
- Configuration - download firmware and provisioning files
- Signaling - used for call setups and teardown
- Media - actual voice stream which is part of the conversation
- All traffic from the Zoom clients are encrypted with industry standard encryption technology. To ensure privacy of the traffic, the signaling traffic is encrypted with TLS version 1.2 which limits the possibility of eavesdropping, tampering or forging of this data.
- The media traffic is encrypted with Secure Real-Time Transport Protocol which provides confidentiality, message authentication and replay protection to the RTP traffic.
- Configuration and firmware files are downloaded over a HTTPS channel. Since this traffic is not considered real time, this can traverse a web proxy.
- Traffic from Zoom clients can be allowed to known IP addresses and ports. Traffic is typically initiated from the Zoom clients outbound to the Zoom data center limiting any firewall ports that need to be opened for inbound traffic. To ensure that you have the most up to date list of IP addresses, see the list of IP ranges.
- Zoom maintains a high security standard within our datacenter. Our security postures are documented in our SOC2 reports that are available on request. Third party audits are conducted to ensure that we maintain this high security posture. See detailed reports around our security compliance.