GFI FaxMaker Inbound IP Allowlisting: What to Whitelist and What to Configure in the Firewall

Overview

If you want to harden your firewall to “allow only GFI FaxMaker,” it’s important to understand that GFI FaxMaker does not publish (and does not rely on) a fixed, product-owned list of external inbound IP addresses that can be whitelisted.

Firewall configuration should be implemented using the required ports/protocols documented in the official GFI FaxMaker documentation. Any inbound source-IP allowlisting depends on your fax transport method (FoIP vs. traditional fax lines).

Key Information

  • No official inbound IP list: GFI FaxMaker does not provide a hardcoded/official, global set of external inbound IP addresses for fax reception.
  • FoIP (SIP/H.323) inbound IPs are not controlled by FaxMaker: The only legitimate inbound source IPs to allow are those used by your SIP/VoIP provider (SIP trunk) and/or your internal PBX / call manager / SBC.
  • Traditional analog/digital fax lines: No external/public IP allowlisting is required for inbound fax reception in this model (fax traffic is not arriving via public IP to FaxMaker).
  • Ports/protocols still matter: Regardless of transport, configure firewall rules according to the official GFI FaxMaker documentation for the components you use (server, clients, web/API as applicable).
  • Validation approach: Confirm rules match documented requirements and (for FoIP) that only provider/PBX/SBC source IPs are allowed for inbound FoIP traffic.

Customer Impact

Action required: Implement firewall rules exactly as documented for GFI FaxMaker and your deployment scenario. If you use Fax over IP (FoIP), obtain the authoritative inbound source IP list from your SIP/VoIP provider and/or internal PBX/SBC team and restrict inbound FoIP traffic to only those sources.

Expected outcome: Your firewall will be locked down to the required ports/protocols for FaxMaker components, and (for FoIP) inbound traffic will be limited to only the provider/PBX/SBC source IPs that legitimately deliver calls/faxes to your FaxMaker environment.

Recommended Implementation Checklist

  1. Identify your fax setup: Confirm whether inbound faxes arrive via FoIP (e.g., SIP/H.323) or via traditional analog/digital lines.
  2. Apply the documented firewall requirements: Configure the firewall per the official GFI FaxMaker documentation for required ports/protocols for the components you use (server-only vs. web/API vs. clients).
  3. If using FoIP: Restrict inbound FoIP by source IP.
    • Create inbound allow rules limited to your SIP/VoIP provider and/or PBX/SBC source IPs.
    • Deny inbound FoIP traffic from all other sources.
  4. Verify:
    • Rule audit: Confirm firewall rules match the official documentation for the components you use (server, clients, web/API).
    • FoIP only: Validate the allowlist contains only your provider and/or PBX/SBC source IPs (including redundancy/failover ranges where applicable).
    • Functional test: Perform an inbound fax test (and outbound if applicable). If inbound FoIP fails after hardening, re-check provider egress/source IPs and any failover/NAT scenarios.

  • SMTP: 25, 465, 587 (TCP)
  • Web interface: 80, 443 (TCP)
  • SMB/remote tools: 135–139 (TCP/UDP) and 445 (TCP/UDP)
  • Web Services API / FaxMaker Client: 8555 (TCP)
  • FoIP call setup defaults: 1720 (TCP) for H.323 and 5060 (UDP) for SIP
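
The "Verify" step above and FAQ 4 can be scripted against a rule export from any firewall. The following is an added example, not GFI code: the rule format, rule names, function names and all addresses (RFC 5737 documentation ranges) are constructed for illustration, and inbound rules are assumed.

```python
import ipaddress

# FoIP call-setup defaults named in this article: H.323 on 1720/TCP, SIP on 5060/UDP.
FOIP_PORTS = {("tcp", 1720), ("udp", 5060)}

# Constructed sample data: the list you would obtain from the SIP provider / PBX / SBC team.
APPROVED_SOURCES = ["192.0.2.0/28", "198.51.100.10/32"]

# Constructed sample export of inbound firewall rules (hypothetical format).
RULES = [
    {"name": "sip-provider", "proto": "udp", "port": 5060, "action": "allow", "source": "192.0.2.0/28"},
    {"name": "sip-legacy-any", "proto": "udp", "port": 5060, "action": "allow", "source": "any"},
    {"name": "h323-old-pbx", "proto": "tcp", "port": 1720, "action": "allow", "source": "203.0.113.0/24"},
    {"name": "web-https", "proto": "tcp", "port": 443, "action": "allow", "source": "any"},
]

def _net(value):
    """Parse a source field; 'any' is treated as the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value, strict=False)

def audit_foip_rules(rules, approved):
    """Return (rule name, reason) for FoIP allow rules whose source is wider than the approved list."""
    approved_nets = [_net(a) for a in approved]
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or (rule["proto"], rule["port"]) not in FOIP_PORTS:
            continue  # only inbound FoIP allow rules are in scope for source-IP allowlisting
        src = _net(rule["source"])
        if not any(src.version == a.version and src.subnet_of(a) for a in approved_nets):
            findings.append((rule["name"], f"source {rule['source']} is outside the approved list"))
    return findings

def uncovered_sources(observed_ips, approved):
    """Source IPs seen at the firewall (e.g. dropped FoIP packets) that the allowlist does not cover.

    A hit here is a question for the provider (failover SBC? NAT egress?), not an
    instruction to add the address: confirm ownership before extending the allowlist.
    """
    approved_nets = [_net(a) for a in approved]
    return [ip for ip in observed_ips
            if not any(ipaddress.ip_address(ip) in n for n in approved_nets)]

if __name__ == "__main__":
    for name, reason in audit_foip_rules(RULES, APPROVED_SOURCES):
        print(f"REVIEW {name}: {reason}")
    print("Not covered:", uncovered_sources(["192.0.2.5", "198.51.100.11"], APPROVED_SOURCES))
```

The non-FoIP rule (`web-https`) is deliberately ignored here; audit those ports against the official documentation rather than against the provider list.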

Documentation References (Authoritative Source)

  • Official GFI FaxMaker documentation for firewall ports/protocols (by component and scenario)
  • Windows Firewall configuration guidance for FaxMaker usage
  • FaxMaker Web Services API port configuration

Frequently Asked Questions

1. How do I know if I need to whitelist IP addresses at all?
You only need inbound source-IP allowlisting for fax reception when using Fax over IP (FoIP). With traditional analog/digital fax lines, there is no external/public IP allowlisting required for inbound fax traffic; only the documented ports/protocols apply for the FaxMaker components you use.

2. Does GFI FaxMaker publish a list of “official inbound IPs” to whitelist?
No. GFI FaxMaker does not have a hardcoded/official global set of external inbound IP addresses for fax reception. For FoIP, the relevant inbound source IPs are owned by your SIP/VoIP provider or internal PBX/SBC.

3. What IPs should be allowed for FoIP?
Allow only the source IP addresses provided by your SIP trunk/VoIP provider and/or the source IPs of your internal PBX/call manager/SBC that will connect to the FaxMaker server. Obtain the authoritative list from those teams/vendors.

4. What should I do if I applied the documented ports but inbound FoIP still fails?
Re-confirm (1) you are allowing the correct FoIP protocol/port per your provider, and (2) the allowlist includes all provider egress/source IPs (including redundancy/failover ranges). If the provider uses NAT or multiple SBCs, ensure the real source IPs seen by your firewall are included.

Posted by Priyanka Bhotika