BYOC-P or BYOP-P infrastructure requirements

When building BYOC-P or BYOP-P, certain infrastructure requirements are mandatory to ensure successful connectivity to Zoom data centers. The requirements are outlined below.

Session Border Controllers (SBCs)

Zoom maintains a list of certified SBC vendors and models that have undergone interoperability testing with Zoom. This allows organizations to leverage their existing equipment, protecting their investments when using BYOC-P or BYOP-P connections. Zoom works with hardware partners to test and validate solution functionality with a variety of Session Border Controllers (SBCs) manufacturers' makes and models.

General SBC requirements

Public trusted certificates for your SBC

For TLS validation to be successful, Zoom requires you to obtain a certificate for your SBC from one of the approved vendors. Our servers will verify the certificate installed on your SBC during the validation process. The certificate must include the SBC FQDN in either the common name (CN) or the subject alternative name (SAN) fields. Additionally, wildcard certificates with the appropriate domain names configured on your SBC are acceptable. Please note that TLS negotiation will fail if your SBC's signed certificate is not from one of the vendors listed below.

Supported certificate authorities

Supported certificate authorities
AffirmTrust	GeoTrust	Starfield
Baltimore	GlobalSign	Symantec
Buypass	GoDaddy	T-Systems
Comodo/Sectigo	QuoVadis	TeliaSonera
D-Trust	SECOM Trust	Thawte Inc.
Digicert	Sectigo/Comodo	USERTRUST
Entrust/SSL.com	SSL.com/Entrust	Verisign
Starfield Technologies	Sectigo/The USERTRUST Network	TWCA
Internet Security Research Group (Let's Encrypt Root CA)
Google Trust Services LLC

Supported root certificates

Common name or certificate name	Certificate Issuer Organization	Valid From [GMT]	Valid To [GMT]	Serial Number
Buypass Class 2 Root CA	Buypass AS-983163327	2010 Oct 26	2040 Oct 26	02
Buypass Class 3 Root CA	Buypass AS-983163327	2010 Oct 26	2040 Oct 26	02
DigiCert Assured ID Root CA	DigiCert Inc	2006 Nov 10	2031 Nov 10	0CE7E0E517D846FE8FE560FC1BF03039
DigiCert Assured ID Root G2	DigiCert Inc	2013 Aug 01	2038 Jan 15	0B931C3AD63967EA6723BFC3AF9AF44B
DigiCert Assured ID Root G3	DigiCert Inc	2013 Aug 01	2038 Jan 15	0BA15AFA1DDFA0B54944AFCD24A06CEC
DigiCert Global Root CA	DigiCert Inc	2006 Nov 10	2031 Nov 10	08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
DigiCert Global Root G2	DigiCert Inc	2013 Aug 01	2038 Jan 15	03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
DigiCert Global Root G3	DigiCert Inc	2013 Aug 01	2038 Jan 15	055556BCF25EA43535C3A40FD5AB4572
DigiCert High Assurance EV Root CA	DigiCert Inc	2006 Nov 10	2031 Nov 10	02AC5C266A0B409B8F0B79F2AE462577
DigiCert Trusted Root G4	DigiCert Inc	2013 Aug 01	2038 Jan 15	059B1B579E8E2132E23907BDA777755C
GeoTrust Primary Certification Authority	GeoTrust Inc.	2006 Nov 27	2036 Jul 16	18ACB56AFD69B6153A636CAFDAFAC4A1
GeoTrust Primary Certification Authority - G2	GeoTrust Inc.	2007 Nov 05	2038 Jan 18	3CB2F4480A00E2FEEB243B5E603EC36B
GeoTrust Primary Certification Authority - G3	GeoTrust Inc.	2008 Apr 02	2037 Dec 01	15AC6E9419B2794B41F627A9C3180F1F
GeoTrust Universal CA	GeoTrust Inc.	2004 Mar 04	2029 Mar 04	01
GeoTrust Universal CA 2	GeoTrust Inc.	2004 Mar 04	2029 Mar 04	011
Symantec Class 1 Public Primary Certification Authority - G4	Symantec Corporation	2011 Oct 05	2038 Jan 18	216E33A5CBD388A46F2907B4273CC4D8
Symantec Class 1 Public Primary Certification Authority - G6	Symantec Corporation	2011 Oct 18	2037 Dec 01	243275F21D2FD20933F7B46ACAD0F398
Symantec Class 2 Public Primary Certification Authority - G4	Symantec Corporation	2011 Oct 05	2038 Jan 18	34176512403BB756802D80CB7955A61E
Symantec Class 2 Public Primary Certification Authority - G6	Symantec Corporation	2011 Oct 18	2037 Dec 01	64829EFC371E745DFC97FF97C8B1FF41
thawte Primary Root CA	thawte, Inc.	2006 Nov 17	2036 Jul 16	344ED55720D5EDEC49F42FCE37DB2B6D
thawte Primary Root CA - G2	thawte, Inc.	2007 Nov 05	2038 Jan 18	35FC265CD9844FC93D263D579BAED756
thawte Primary Root CA - G3	thawte, Inc.	2008 Apr 02	2037 Dec 01	600197B746A7EAB4B49AD64B2FF790FB
VeriSign Class 1 Public Primary Certification Authority - G3	VeriSign, Inc.	1999 Oct 01	2036 Jul 16	8B5B75568454850B00CFAF3848CEB1A4
VeriSign Class 2 Public Primary Certification Authority - G3	VeriSign, Inc.	1999 Oct 01	2036 Jul 16	6170CB498C5F984529E7B0A6D9505B7A
VeriSign Class 3 Public Primary Certification Authority - G3	VeriSign, Inc.	1999 Oct 01	2036 Jul 16	9B7E0649A33E62B9D5EE90487129EF57
VeriSign Class 3 Public Primary Certification Authority - G4	VeriSign, Inc.	2007 Nov 05	2038 Jan 18	2F80FE238C0E220F486712289187ACB3
VeriSign Class 3 Public Primary Certification Authority - G5	VeriSign, Inc.	2006 Nov 08	2036 Jul 16	18DAD19E267DE8BB4A2158CDCC6B3B4A
VeriSign Universal Root Certification Authority	VeriSign, Inc.	2008 Apr 02	2037 Dec 01	401AC46421B31321030EBBE4121AC51D
AffirmTrust Commercial	AffirmTrust	2010 Jan 29	2030 Dec 31	7777062726A9B17C
AffirmTrust Networking	AffirmTrust	2010 Jan 29	2030 Dec 31	7C4F04391CD4992D
AffirmTrust Premium	AffirmTrust	2010 Jan 29	2040 Dec 31	6D8C1446B1A60AEE
AffirmTrust Premium ECC	AffirmTrust	2010 Jan 29	2040 Dec 31	7497258AC73F7A54
Entrust Root Certification Authority	Entrust, Inc.	2006 Nov 27	2026 Nov 27	456B5054
Entrust Root Certification Authority - EC1	Entrust, Inc.	2012 Dec 18	2037 Dec 18	A68B79290000000050D091F9
Entrust Root Certification Authority - G2	Entrust, Inc.	2009 Jul 07	2030 Dec 07	4A538C28
Entrust Root Certification Authority - G4	Entrust, Inc.	2015 May 27	2037 Dec 27	D9B5437FAFA9390F000000005565AD58
Entrust.net Certification Authority (2048)	Entrust.net	1999 Dec 24	2029 Jul 24	3863DEF8
GlobalSign	GlobalSign	2012 Nov 13	2038 Jan 19	605949E0262EBB55F90A778A71F94AD86C
GlobalSign	GlobalSign	2009 Mar 18	2029 Mar 18	04000000000121585308A2
GlobalSign	GlobalSign	2014 Dec 10	2034 Dec 10	45E6BB038333C3856548E6FF4551
GlobalSign Root CA	GlobalSign nv-sa	1998 Sep 01	2028 Jan 28	040000000001154B5AC394
Go Daddy Class 2 CA	The Go Daddy Group, Inc.	2004 Jun 29	2034 Jun 29	00
Go Daddy Root Certificate Authority - G2	GoDaddy.com, Inc.	2009 Sep 01	2037 Dec 31	00
Starfield Class 2 CA	Starfield Technologies, Inc.	2004 Jun 29	2034 Jun 29	00
Starfield Root Certificate Authority - G2	Starfield Technologies, Inc.	2009 Sep 01	2037 Dec 31	00
QuoVadis Root CA 1 G3	QuoVadis Limited	2012 Jan 12	2042 Jan 12	78585F2EAD2C194BE3370735341328B596D46593
QuoVadis Root CA 2	QuoVadis Limited	2006 Nov 24	2031 Nov 24	0509
QuoVadis Root CA 2 G3	QuoVadis Limited	2012 Jan 12	2042 Jan 12	445734245B81899B35F2CEB82B3B5BA726F07528
QuoVadis Root CA 3	QuoVadis Limited	2006 Nov 24	2031 Nov 24	05C6
QuoVadis Root CA 3 G3	QuoVadis Limited	2012 Jan 12	2042 Jan 12	2EF59B0228A7DB7AFFD5A3A9EEBD03A0CF126A1D
AAA Certificate Services	Comodo CA Limited	2004 Jan 01	2028 Dec 31	01
COMODO Certification Authority	COMODO CA Limited	2006 Dec 01	2029 Dec 31	4E812D8A8265E00B02EE3E350246E53D
COMODO ECC Certification Authority	COMODO CA Limited	2008 Mar 06	2038 Jan 18	1F47AFAA62007050544C019E9B63992A
COMODO RSA Certification Authority	COMODO CA Limited	2010 Jan 19	2038 Jan 18	4CAAF9CADB636FE01FF74ED85B03869D
USERTrust ECC Certification Authority	The USERTRUST Network	2010 Feb 01	2038 Jan 18	5C8B99C55A94C5D27156DECD8980CC26
USERTrust RSA Certification Authority	The USERTRUST Network	2010 Feb 01	2038 Jan 18	01FD6D30FCA3CA51A81BBC640E35032D
T-TeleSec GlobalRoot Class 2	T-Systems Enterprise Services GmbH	2008 Oct 01	2033 Oct 01	01
T-TeleSec GlobalRoot Class 3	T-Systems Enterprise Services GmbH	2008 Oct 01	2033 Oct 01	01
Specific Customer Certs Added to only AM/FR SBCs	GlobalSign	2018.11.21	2028 Nov 21	01ee5f222de71b43a5d4669f9e
TeliaSonera Root CA v1	TeliaSonera	2007 Oct 18	2032 Oct 18	95BE16A0F72E46F17B398272FA8BCD96
Telia Root CA v2	TeliaSonera	2018 Nov 29	2043 Nov 29	01675F27D6FE7AE3E4ACBE095B059E
ISRG Root X1 (Let's Encrypt Root CA)	Internet Security Research Group	2015 Jun 04	2035 Jun 04	82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
D-TRUST Root CA 3 2013	D-Turst GmbH	2013 Sept 20	2028 Sept 20	0FDDAC
D-TRUST Root Class 3 CA 2 2009	D-Turst GmbH	2009 Nov 5	2029 Nov 5	0983F3
D-TRUST Root Class 3 CA 2 EV 2009	D-Turst GmbH	2009 Nov 6	2029 Nov 5	0983F4
Security Communication RootCA2	SECOM Trust Systems CO.,LTD.	2009 May 29	2029 May 29	00
Symantec Trust Services Private SHA256 Root CA	Symantec Corporation	2014 Jun 13	2044 Jun 12	172837993EBECCE1BEB5A788F50590BE
IdenTrust Commercial Root CA 1	IdenTrust	2014.01.16	2034.01.16	0A0142800000014523C844B500000002
Client ECC Root CA 2022	SSL.com	2022.08.25	2046.08.19	76F8481EAEF03C701FE03F25540183D5
Client RSA Root CA 2022	SSL.com	2022.08.25	2046.08.19	76AFEE88931545B650539B809CA4DF9A
EV Root Certification Authority ECC	SSL.com	2016.02.12	2041.02.12	2C299C5B16ED0595
EV Root Certification Authority RSA R2	SSL.com	2017.05.31	2042.05.30	56B629CD34BC78F6
Root Certification Authority ECC	SSL.com	2016.02.12	2041.02.12	75E6DFCBC1685BA8
Root Certification Authority RSA	SSL.com	2016.02.12	2041.02.12	7B2C9BD316803299
TLS ECC Root CA 2022	SSL.com	2022.08.25	2046.08.19	1403F5ABFB378B17405BE243B2A5D1C4
TLS RSA Root CA 2022	SSL.com	2022.08.25	2046.08.19	6FBEDAAD73BD0840E28B4DBED4F75B91
TWCA Global Root CA	TWCA	2012.06.27	2030.12.31	0CBE
TWCA Root Certification Authority	TWCA	2008.08.28	2030.12.31	01
GTS Root R1	Google Trust Services LLC	2016.06.22	2036.06.22	0203E5936F31B01349886BA217
Sectigo Public Server Authentication Root R46	Sectigo Limited	2021.03.21	2046.03.	758DFD8BAE7C0700FAA925A7E1C7AD14

Public trusted certificate installed on your SBC

Zoom infrastructure utilizes certificates issued by DigiCert. To ensure communication initiated from your SBC is established successfully, your system must have the root certificates mentioned below.

DigiCert Global Root G2 certificate

Downloads	PEM format and DER format
Serial Number	03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5
SHA1 Fingerprint	DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
SHA256 Fingerprint	CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

DigiCert TLS RSA4096 Root G5 certificate

Downloads	PEM format and DER format
Serial Number	08:F9:B4:78:A8:FA:7E:DA:6A:33:37:89:DE:7C:CF:8A
SHA1 Fingerprint	A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35
SHA256 Fingerprint	37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75

Cipher requirements

Zoom supports the following ciphers for media and signaling. Ensure that your SBC is configured to support at least one of the ciphers in each of the respective categories.

Signaling cipher

Priority 1: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Priority 2: TLS_RSA_WITH_AES_256_CBC_SHA_256
Priority 3: TLS_RSA_WITH_AES_128_CBC_SHA

Media cipher

Priority 1: AEAD_AES_256_GCM
Priority 2: AES_256_CM_HMAC_SHA1_80
Priority 3: AES_CM_128_HMAC_SHA1_80
Priority 4: AES_CM_128_HMAC_SHA1 32

Hostnames for customers implementing Mutual TLS verification

Customers who choose to configure Mutual TLS verification can use the following fully qualified domain names (FQDNs) for peer-name verification on their SBCs.

Region	Location	Address	FQDN
North America	San Jose, CA, US	144.195.121.212	cplbyoc01.sjc.zoom.us
North America	Dulles, VA, US	206.247.121.212	cplbyoc01.iad.zoom.us
Europe	Amsterdam, NL	159.124.0.84	cplbyoc01.ams.zoom.us
Europe	Frankfurt, DE	159.124.32.84	cplbyoc01.fra.zoom.us
Australia	Sydney, AU	159.124.96.84	cplbyoc01.syd.zoom.us
Australia	Melbourne, AU	159.124.64.84	cplbyoc01.mel.zoom.us
Asia	Singapore, SG	170.114.156.212	cplbyoc01.sin.zoom.us
Asia	Tokyo, JP	170.114.185.212	cplbyoc01.nrt.zoom.us
Japan	Tokyo, JP	170.114.185.212	cplbyoc01.nrt.zoom.us
Japan	Osaka, JP	147.124.96.84	cplbyoc01.kix.zoom.us
Central/South America	Queretaro, MX	159.124.128.84	cplbyoc01.qro.zoom.us
Central/South America	Dulles, VA, US	206.247.121.212	cplbyoc01.iad.zoom.us

Firewall requirements

When configuring BYOC-P, traffic flows from Zoom data centers to your SBC. To facilitate this communication, you may need to implement firewall changes to ensure traffic can reach your SBC. The following list table outlines the ports/IPs that must be whitelisted on your firewalls. Additionally, some customers may require firewall modifications to permit outbound traffic from their SBC. These changes are necessary to enable successful call connectivity between Zoom data centers and your SBCs.

Region	Source	Destination	Ports/Protocol
Central and South America	Customer SBC	159.124.128.84 206.247.121.212	TCP/5061
	159.124.128.84 206.247.121.212	SBC	TCP/5061 (This may vary based on your SBC configuration)
	Customer SBC	159.124.128.80/28 206.247.121.208/28	UDP/10000-64000
	159.124.128.80/28 206.247.121.208/28	SBC	UDP/10000-64000 (This may vary based on your SBC configuration)
North America	Customer SBC	144.195.121.212 206.247.121.212	TCP/5061
	144.195.121.212 206.247.121.212	SBC	TCP/5061 (This may vary based on your SBC configuration)
	Customer SBC	144.195.121.208/28 206.247.121.208/28	UDP/10000-64000
	144.195.121.208/28 206.247.121.208/28	SBC	UDP/10000-64000 (This may vary based on your SBC configuration)
Asia	Customer SBC	170.114.156.212 170.114.185.212	TCP/5061
	170.114.156.212 170.114.185.212	SBC	TCP/5061 (This may vary based on your SBC configuration)
	Customer SBC	170.114.156.208/28 170.114.185.208/28	UDP/10000-64000
	170.114.156.208/28 170.114.185.208/28	SBC	UDP/10000-64000(This may vary based on your SBC configuration)
Japan	Customer SBC	147.124.96.84 170.114.185.212	TCP/5061
	147.124.96.84 170.114.185.212	SBC	TCP/5061 (This may vary based on your SBC configuration)
	Customer SBC	147.124.96.80/28 170.114.185.208/28	UDP/10000-64000
	147.124.96.80/28 170.114.185.208/28	SBC	UDP/10000-64000 (This may vary based on your SBC configuration)
Oceania	Customer SBC	159.124.96.84 159.124.64.84	TCP/5061
	159.124.96.84 159.124.64.84	SBC	TCP/5061 (This may vary based on your SBC configuration)
	Customer SBC	159.124.96.80/28 159.124.64.80/28	UDP/10000-64000
	159.124.96.80/28 159.124.64.80/28	SBC	UDP/10000-64000 (This may vary based on your SBC configuration)
Europe	Customer SBC	159.124.0.84 159.124.32.84	TCP/5061
	159.124.0.84 159.124.32.84	SBC	TCP/5061 (This may vary based on your SBC configuration)
	Customer SBC	159.124.0.80/28 159.124.32.80/28	UDP/10000-64000
	159.124.0.80/28 159.124.32.80/28	SBC	UDP/10000-64000 (This may vary based on your SBC configuration)