In a multipurpose network setting, we recommend setting up a specific SSID (secure network) to exclusively segment traffic for Wi-Fi calling.
Even though voice over Wi-Fi does not require a specific security mechanism or authentication to be put in place in order to work, we recommendation securing the wireless local area network (WLAN) that will be used to carry Wi-Fi calling.
T-Mobile devices support the WLAN security techniques used in corporate environments for authentication and encryption, such as:
- WPA (TKIP) - Personal and Enterprise
- WPA2 (AES-CCMP) - Personal and Enterprise
- LEAP: TKIP, Dynamic WEP, AES. (No LEAP-CKIP)
- EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA
- Virtual private network (VPN) access security
- Media Access Control (MAC) lists
- Service-specific access security
- Captive portal
EAP-FAST (if available) is the recommended EAP type for use of VoWLAN deployments.
IPv4 Address Block: 22.214.171.124/17:
|Port: 500 / UDP||IPsec - IKE : Authentication [WFC 2.0]|
|Port: 4500 / UDP||IPsec - NAT traversal : Encrypted voice traffic [WFC 2.0]|
|Port: 5061 / TCP/UDP||SIP/TLS : Encrypted SIP [WFC 1.0]|
IPv4 Address Block: 126.96.36.199/19:
|Port: 443 / TCP||HTTPS : Used for handset authentication [WFC 1.0]|
|Port: 993 / TCP||IMAP/SSL : Visual Voicemail [WFC 1.0]|
Also whitelist the CRL server for DIGITS OTT and WFC 1.0: crl.t-mobile.com 188.8.131.52