Wi-Fi Calling on a corporate network

Find the technical details to set up a corporate environment for Wi-Fi Calling.

 

 

Setup

In a multipurpose network setting, we recommend setting up a dedicated SSID (secure network) used exclusively for Wi-Fi calling, so that this traffic is segmented from the rest of the network.

 

 

Security

Even though voice over Wi-Fi does not require a specific security mechanism or authentication in order to work, we recommend securing the wireless local area network (WLAN) that will be used to carry Wi-Fi calling.

 

T-Mobile devices support the WLAN security techniques used in corporate environments for authentication and encryption, such as:

 

  • WPA (TKIP) - Personal and Enterprise
  • WPA2 (AES-CCMP) - Personal and Enterprise
  • LEAP: TKIP, Dynamic WEP, AES. (No LEAP-CKIP)
  • PEAP
  • EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA
  • Virtual private network (VPN) access security
  • Media Access Control (MAC) lists
  • Service-specific access security
  • Captive portal

 

 

EAP

EAP-FAST (if available) is the recommended EAP type for VoWLAN deployments.

 

 

Firewalls

IPv4 Address Block: 208.54.0.0/17:

 

Port & TCP/UDP          Description
Port: 500 / UDP         IPsec - IKE: Authentication [WFC 2.0]
Port: 4500 / UDP        IPsec - NAT traversal: Encrypted voice traffic [WFC 2.0]
Port: 5061 / TCP/UDP    SIP/TLS: Encrypted SIP [WFC 1.0]

 

IPv4 Address Block: 66.94.0.0/19:

 

Port & TCP/UDP          Description
Port: 443 / TCP         HTTPS: Used for handset authentication [WFC 1.0]
Port: 993 / TCP         IMAP/SSL: Visual Voicemail [WFC 1.0]

 

Also whitelist the CRL server for DIGITS OTT and WFC 1.0: crl.t-mobile.com (206.29.177.36)
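
To check an existing firewall against the tables above, the following added example (not T-Mobile's own tooling) audits firewall log lines from the Wi-Fi calling SSID: it reports listed flows that are being denied, and allowed flows that are not in the list. The key=value log format and the sample lines are constructed for illustration, and the CRL server is matched on any port because the page gives none.

```python
import ipaddress

# (destination, protocol, port, purpose) transcribed from the tables on this page.
# None = any: the page lists the CRL server without a protocol or port.
WFC_RULES = [
    ("208.54.0.0/17", "udp", 500, "IPsec IKE authentication [WFC 2.0]"),
    ("208.54.0.0/17", "udp", 4500, "IPsec NAT traversal, voice [WFC 2.0]"),
    ("208.54.0.0/17", "tcp", 5061, "SIP/TLS [WFC 1.0]"),
    ("208.54.0.0/17", "udp", 5061, "SIP/TLS [WFC 1.0]"),
    ("66.94.0.0/19", "tcp", 443, "HTTPS handset authentication [WFC 1.0]"),
    ("66.94.0.0/19", "tcp", 993, "IMAP/SSL Visual Voicemail [WFC 1.0]"),
    ("206.29.177.36/32", None, None, "CRL server crl.t-mobile.com"),
]
RULES = [(ipaddress.ip_network(n), pr, po, why) for n, pr, po, why in WFC_RULES]

def match_rule(dst, proto, dport):
    """Return the purpose of the listed flow this packet belongs to, or None."""
    addr = ipaddress.ip_address(dst)
    for net, pr, po, why in RULES:
        if addr in net and pr in (None, proto.lower()) and po in (None, int(dport)):
            return why
    return None

def audit(log_lines):
    """Return (blocked_required, allowed_unlisted) from key=value log lines."""
    blocked, unlisted = [], []
    for line in log_lines:
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        flow = (f["dst"], f["proto"].lower(), int(f["dport"]))
        why = match_rule(*flow)
        if f["action"].lower() == "deny" and why:
            blocked.append(flow + (why,))   # breaks Wi-Fi calling
        elif f["action"].lower() == "allow" and not why:
            unlisted.append(flow)           # not in the page's list: review
    return blocked, unlisted

# Constructed sample log lines (hypothetical format, not real traffic).
SAMPLE_LOG = [
    "action=deny proto=udp dst=208.54.35.10 dport=4500",
    "action=allow proto=udp dst=208.54.35.10 dport=500",
    "action=deny proto=tcp dst=66.94.40.2 dport=443",      # outside 66.94.0.0/19
    "action=allow proto=tcp dst=198.51.100.7 dport=8080",
    "action=deny proto=tcp dst=206.29.177.36 dport=80",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Allowed-but-unlisted flows are only candidates for review: a dedicated SSID still needs supporting services such as DNS and DHCP, which the tables on this page do not cover.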