BYOC-P or BYOP-P infrastructure requirements

When building BYOC-P or BYOP-P, certain infrastructure requirements are mandatory to ensure successful connectivity to Zoom data centers. The requirements are outlined below.

Note: This applies to Zoom Phone and Zoom Contact Center.

Table of Contents

Session Border Controllers (SBCs)

Zoom maintains a list of certified SBC vendors and models that have undergone interoperability testing with Zoom. This allows organizations to leverage their existing equipment, protecting their investments when using BYOC-P or BYOP-P connections. Zoom works with hardware partners to test and validate solution functionality with a variety of Session Border Controllers (SBCs) manufacturers' makes and models.

General SBC requirements

Public trusted certificates

Public trusted certificates for your SBC

For TLS validation to be successful, Zoom requires you to obtain a certificate for your SBC from one of the approved vendors. Our servers will verify the certificate installed on your SBC during the validation process. The certificate must include the SBC FQDN in either the common name (CN) or the subject alternative name (SAN) fields. Additionally, wildcard certificates with the appropriate domain names configured on your SBC are acceptable. Please note that TLS negotiation will fail if your SBC's signed certificate is not from one of the vendors listed below.

Supported certificate authorities

AffirmTrust

GeoTrust

Starfield

Baltimore

GlobalSign

Symantec

Buypass

GoDaddy

T-Systems

Comodo/Sectigo

QuoVadis

TeliaSonera

D-Trust

SECOM Trust

Thawte Inc.

Digicert

Sectigo/Comodo

USERTRUST

Entrust/SSL.com

SSL.com/Entrust

Verisign

Starfield Technologies

Sectigo/The USERTRUST Network

TWCA

Internet Security Research Group (Let's Encrypt Root CA)

  

Public trusted certificate installed on your SBC

Zoom infrastructure utilizes certificates issued by DigiCert. To ensure communication initiated from your SBC is established successfully, your system must have the root certificates mentioned below.

DigiCert Global Root G2 certificate

DownloadsPEM format and DER format

Serial Number

03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5

SHA1 Fingerprint

DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4

SHA256 Fingerprint

CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

DigiCert TLS RSA4096 Root G5 certificate

DownloadsPEM format and DER format

Serial Number

08:F9:B4:78:A8:FA:7E:DA:6A:33:37:89:DE:7C:CF:8A

SHA1 Fingerprint

A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35

SHA256 Fingerprint

37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75

Cipher requirements

Zoom supports the following ciphers for media and signaling. Ensure that your SBC is configured to support at least one of the ciphers in each of the respective categories.

Signaling cipher

Priority 1: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Priority 2: TLS_RSA_WITH_AES_256_CBC_SHA_256
Priority 3: TLS_RSA_WITH_AES_128_CBC_SHA

Media cipher

Priority 1: AEAD_AES_256_GCM
Priority 2: AES_256_CM_HMAC_SHA1_80
Priority 3: AES_CM_128_HMAC_SHA1_80
Priority 4: AES_CM_128_HMAC_SHA1 32

Firewall requirements

When configuring BYOC-P, traffic flows from Zoom data centers to your SBC. To facilitate this communication, you may need to implement firewall changes to ensure traffic can reach your SBC. The following list table outlines the ports/IPs that must be whitelisted on your firewalls. Additionally, some customers may require firewall modifications to permit outbound traffic from their SBC. These changes are necessary to enable successful call connectivity between Zoom data centers and your SBCs.

note icon
The media port range has been expanded as follows: UDP/10000-65000 (This is different from Zoom's current port range.)
RegionSourceDestinationPorts/Protocol

Central and South America

Customer SBC

159.124.128.84
206.247.121.212

TCP/5061

159.124.128.84
206.247.121.212

SBC

TCP/5061 (This may vary based on your SBC configuration)

Customer SBC

159.124.128.80/28
206.247.121.208/28

UDP/10000-65000

159.124.128.80/28
206.247.121.208/28

SBC

UDP/10000-65000 (This may vary based on your SBC configuration)

North America

 

Customer SBC

144.195.121.212
206.247.121.212

TCP/5061

144.195.121.212
206.247.121.212

SBC

TCP/5061 (This may vary based on your SBC configuration)

Customer SBC

144.195.121.208/28
206.247.121.208/28

UDP/10000-65000

144.195.121.208/28
206.247.121.208/28

SBC

UDP/10000-65000 (This may vary based on your SBC configuration)

Asia

Customer SBC

170.114.156.212
170.114.185.212

TCP/5061

170.114.156.212
170.114.185.212

SBC

TCP/5061 (This may vary based on your SBC configuration)

Customer SBC

170.114.156.208/28
170.114.185.208/28

UDP/10000-65000

170.114.156.208/28
170.114.185.208/28

SBC

UDP/10000-65000(This may vary based on your SBC configuration)

Japan

Customer SBC

147.124.96.84
170.114.185.212

TCP/5061

147.124.96.84
170.114.185.212

SBC

TCP/5061 (This may vary based on your SBC configuration)

Customer SBC

147.124.96.80/28
170.114.185.208/28

UDP/10000-65000

147.124.96.80/28
170.114.185.208/28

SBC

UDP/10000-65000 (This may vary based on your SBC configuration)

Oceania

Customer SBC

159.124.96.84
159.124.64.84

TCP/5061

159.124.96.84
159.124.64.84

SBC

TCP/5061 (This may vary based on your SBC configuration)

Customer SBC

159.124.96.80/28
159.124.64.80/28

UDP/10000-65000

159.124.96.80/28
159.124.64.80/28

SBC

UDP/10000-65000 (This may vary based on your SBC configuration)

Europe

Customer SBC

159.124.0.84
159.124.32.84

TCP/5061

159.124.0.84
159.124.32.84

SBC

TCP/5061 (This may vary based on your SBC configuration)

Customer SBC

159.124.0.80/28
159.124.32.80/28

UDP/10000-65000

159.124.0.80/28
159.124.32.80/28

SBC

UDP/10000-65000 (This may vary based on your SBC configuration)

note icon
Planning the deployment of BYOC-P/BYOP-P is crucial for a successful implementation. Learn more from the following resources: