This post was most recently updated on July 28th, 2022
Companies commonly deploy web proxies on the corporate network to secure outbound internet traffic. Administrators may also configure a web proxy, using web proxy software on the workstation, so that remote workers can securely access corporate workloads. A web proxy server adds another component that inspects traffic, and on overcrowded networks this can create performance issues for real-time applications. Web proxy servers may cause delays, packet loss, and jitter, among other performance-related problems.
Zoom recommends allowing all real-time traffic on the web proxy so that it flows directly from clients, through the corporate firewall, to Zoom data centers. If Zoom traffic can't be allowed in this way, it is recommended that UDP traffic be allowed through the web proxy instead. This may cause latency and jitter and may deteriorate the user experience.
Do I need a web proxy server for Zoom Phone?
Zoom Phone is a real-time service, and a real-time experience is not always possible through web proxies. Furthermore, Zoom Phone already encrypts all traffic, so a web proxy does not add to the security of traffic that is already encrypted. For this reason, the best practice when deploying and using Zoom Phone is to bypass the web proxy.
Why is it best practice to avoid web proxy servers when using Zoom Phone?
Zoom Phone uses the latest standards-based Voice over Internet Protocol (VoIP) technology to give businesses a secure and reliable alternative to traditional on-premise PBX solutions. Session Initiation Protocol (SIP) is used for configuring calls, setting them up, and providing in-call information; it is encrypted using TLS 1.2 with PKI certificates issued by a commercially trusted certificate authority. Zoom encrypts voice traffic via Secure Real-Time Transport Protocol (SRTP) using AES-256-GCM profiles. This ensures that unauthorized parties cannot listen in on conversations. Visit the Zoom Trust Center to learn more about Zoom Phone security.
How can I secure my Zoom Phone traffic without a web proxy server?
For an optimal experience, Zoom recommends that users' devices be able to route traffic directly to Zoom data centers, without a web proxy.
In order to ensure that personally identifiable information is protected, Zoom has taken the following steps:
- There are three types of traffic generated by Zoom clients:
  - Configuration – Downloading firmware and provisioning files
  - Signaling – Setting up and tearing down calls
  - Media – The actual voice stream that carries the conversation
- Traffic from the Zoom client is encrypted using industry-standard technologies. Several measures protect the privacy of this traffic, including TLS version 1.2 encryption for the signaling traffic, which reduces the chances of eavesdropping, tampering, or forging of this data.
- Real-Time Transport Protocol (RTP) network traffic is encrypted with Secure Real-Time Transport Protocol, which provides the necessary confidentiality and message authentication.
- Files such as firmware and configuration files must be downloaded over a secure HTTPS channel. Because this is not real-time traffic, a web proxy can be used.
- Known IP addresses and ports can be allowed for Zoom clients. Zoom typically initiates traffic outbound to its data centers, reducing the need to open firewall ports for inbound traffic. Check out the IP ranges list to make sure you have the most up-to-date list of IP addresses.
- We maintain a high level of security in our datacenter. Our SOC2 reports, which can be obtained upon request, document our security posture. To maintain our high security posture, we conduct third-party audits. Please refer to the security compliance section of the website for more information.
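
One way to check that a deployment matches the traffic rules in the list above is to audit exported flow records. The script below is an added example, not Zoom's own tooling. It assumes the log is already filtered to Zoom client flows. The CIDR ranges (documentation ranges), the signaling port, and the sample records are placeholders constructed for illustration; substitute the values from Zoom's published IP ranges list.

```python
import ipaddress

# Assumptions (not from the original page): documentation-range CIDRs stand in
# for Zoom's published IP ranges, and the ports are placeholders.
ZOOM_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]
SIGNALING_PORT = 5061   # placeholder: IANA-registered SIP-over-TLS port
CONFIG_PORT = 443       # HTTPS firmware/provisioning downloads

# Constructed flow records: (dst_ip, proto, dst_port, path); path is "direct" or "proxy"
SAMPLE_FLOWS = [
    ("192.0.2.10", "udp", 20000, "direct"),
    ("192.0.2.11", "udp", 20002, "proxy"),
    ("198.51.100.5", "tcp", 5061, "proxy"),
    ("198.51.100.6", "tcp", 443, "proxy"),
    ("203.0.113.9", "udp", 20004, "direct"),
]

def classify(proto, port):
    """Map a flow to one of the three traffic types the list describes."""
    if proto == "udp":
        return "media"
    if proto == "tcp" and port == SIGNALING_PORT:
        return "signaling"
    if proto == "tcp" and port == CONFIG_PORT:
        return "configuration"
    return "unknown"

def audit(flows):
    """Return findings as (dst_ip, traffic_class, issue) tuples."""
    findings = []
    for dst, proto, port, path in flows:
        kind = classify(proto, port)
        in_range = any(ipaddress.ip_address(dst) in net for net in ZOOM_RANGES)
        if not in_range:
            findings.append((dst, kind, "destination outside allowlisted ranges"))
        elif kind == "unknown":
            findings.append((dst, kind, "unexpected protocol/port for a Zoom range"))
        elif kind in ("media", "signaling") and path == "proxy":
            findings.append((dst, kind, "real-time traffic routed through web proxy"))
        # Configuration downloads via the proxy are acceptable: not real-time.
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding, sep=" | ")
```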