WebRTC firewall issues

I’ve spent a lot of time trying to troubleshoot this, but still can’t get it to work, so I figured it’s time to get help from experts in this awesome community.

The FreePBX (10.13.66.20) server is hosted on Vultr. It works perfectly, except for a group of users who are in one office behind a Cisco firewall. Because these users can’t install a softphone (corporate IT won’t allow installation of new software), we have these users connecting via WebRTC on Firefox. From outside their network, the same PC using WebRTC works perfectly. However, when the users are behind their Cisco firewall, we haven’t been able to get WebRTC to work. We get the green phone icon and can make a call, for example *60, but we don’t hear any audio.

Here are the outbound ports that we’ve had their IT open up on their Cisco firewall:

Outbound ports from their network to the FreePBX server:
service-object tcp destination eq www
service-object tcp destination eq 81
service-object tcp destination eq https
service-object tcp destination eq 8083
service-object tcp destination eq 8088
service-object tcp destination eq 8089
service-object udp destination eq 81
service-object udp destination eq 8083
service-object udp destination eq 8088
service-object udp destination eq 8089
service-object udp destination range 10000 20000

Outbound ports from their network to stun.counterpath.com:
service-object udp destination eq 3478

I know that those are more ports than we really need, but we’ve opened up a lot more ports in order to troubleshoot. I think we really just need outbound 443 TCP, 8089 TCP, and 10000-20000 UDP to the FreePBX server, and 3478 UDP to the STUN server - is that right?

What are we missing here in order to get WebRTC to work behind their Cisco firewall? Thank you for your help!
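
As an added example (not part of the original post): a Python check that parses the `service-object` lines listed above and compares them with the minimum set the poster believes is needed. That minimum is the poster's own guess, not a verified requirement, and the `pbx`/`stun` labels and function names are made up for illustration.

```python
import re

# Cisco port-name literals that appear in the posted rules.
NAMED_PORTS = {"www": 80, "https": 443}

# Rules copied from the post, grouped by destination (labels are hypothetical).
POSTED = {
    "pbx": """
        service-object tcp destination eq www
        service-object tcp destination eq 81
        service-object tcp destination eq https
        service-object tcp destination eq 8083
        service-object tcp destination eq 8088
        service-object tcp destination eq 8089
        service-object udp destination eq 81
        service-object udp destination eq 8083
        service-object udp destination eq 8088
        service-object udp destination eq 8089
        service-object udp destination range 10000 20000
    """,
    "stun": "service-object udp destination eq 3478",
}
# The poster's believed minimum (an assumption from the post, unverified).
BELIEVED_NEEDED = {
    "pbx": {("tcp", 443, 443), ("tcp", 8089, 8089), ("udp", 10000, 20000)},
    "stun": {("udp", 3478, 3478)},
}
RULE = re.compile(r"service-object (tcp|udp) destination (eq|range) (\S+)(?: (\S+))?")

def to_port(token):
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)

def parse(text):
    """Turn service-object lines into a set of (proto, low, high) tuples."""
    rules = set()
    for line in text.splitlines():
        m = RULE.fullmatch(line.strip())
        if m:
            proto, op, a, b = m.groups()
            rules.add((proto, to_port(a), to_port(b) if op == "range" else to_port(a)))
    return rules

def covers(outer, inner):
    return outer[0] == inner[0] and outer[1] <= inner[1] and inner[2] <= outer[2]

def audit(posted=POSTED, needed=BELIEVED_NEEDED):
    """Per destination: needed rules not opened, and opened rules beyond the need."""
    report = {}
    for dest, text in posted.items():
        opened, need = parse(text), needed[dest]
        missing = [n for n in sorted(need) if not any(covers(o, n) for o in opened)]
        extra = [o for o in sorted(opened) if not any(covers(n, o) for n in need)]
        report[dest] = {"missing": missing, "extra": extra}
    return report
```

An empty `missing` list means the posted rules already include every port in the believed minimum; `extra` lists the rules that were opened only for troubleshooting and could be closed again once the cause is found.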

IT should allow installation of a softphone…not sure why they wouldn’t…

You should really be allowing all traffic to/from the static public IP of the PBX instead of worrying about ports; I bet if they did this, then you’d see better success. Make sure NAT = Yes is set on the PBX.