Wi-Fi Calling on a corporate network

Find the technical details to set up a corporate environment for Wi-Fi Calling.




In a multipurpose network setting, we recommend setting up a specific SSID (secure network) to exclusively segment traffic for Wi-Fi calling.




Even though voice over Wi-Fi does not require a specific security mechanism or authentication to be put in place in order to work, we recommendation securing the wireless local area network (WLAN) that will be used to carry Wi-Fi calling.


T-Mobile devices support the WLAN security techniques used in corporate environments for authentication and encryption, such as:


  • WPA (TKIP) - Personal and Enterprise
  • WPA2 (AES-CCMP) - Personal and Enterprise
  • LEAP: TKIP, Dynamic WEP, AES. (No LEAP-CKIP)
  • PEAP
  • Virtual private network (VPN) access security
  • Media Access Control (MAC) lists
  • Service-specific access security
  • Captive portal




EAP-FAST (if available) is the recommended EAP type for use of VoWLAN deployments.




IPv4 Address Block:


Port &TCP/UDPDescription
Port: 500 / UDPIPsec - IKE : Authentication [WFC 2.0]
Port: 4500 / UDPIPsec - NAT traversal : Encrypted voice traffic [WFC  2.0]
Port: 5061 / TCP/UDPSIP/TLS : Encrypted SIP [WFC 1.0]


IPv4 Address Block:


Port &TCP/UDPDescription
Port: 443 / TCPHTTPS : Used for handset authentication [WFC 1.0]
Port: 993 / TCPIMAP/SSL : Visual Voicemail [WFC 1.0]


Also whitelist the CRL server for DIGITS OTT and WFC 1.0: crl.t-mobile.com