cisco vcs ip port usage for firewall traversal deployment guide x4 to x7

Upload: lep-nguyen

Post on 03-Jun-2018


8/12/2019 Cisco VCS IP Port Usage for Firewall Traversal Deployment Guide X4 to X7

Cisco TelePresence Video Communication Server (Cisco VCS)

IP port usage for firewall traversal, Cisco VCS X4 to X7

D14606.03

September 2011

Contents: Cisco VCS IP port usage

Which IP ports are used with Cisco VCS? Which IP ports need to be allowed through firewalls?

Format of information
Traversing firewalls: administration, SIP calls, H.323 calls
Internal: administration, SIP calls, H.323 calls

Guide to this document: format of information

Each of the following slides is a table for one kind of traffic. The column headings name the source of the messaging and the destination (the listening side). The rows above the port table give:

Management control / Call direction: the direction of the management traffic or of the calls
Open firewall: the direction in which the firewall needs to be opened
IP address: the IP address of the source and of the destination

Each port row then gives, per protocol, the source port and the listening port. A letter (for example S) refers to the legend under the table, which gives details of what defines the IP port ID or range; the default or expected port range is shown in italics in the original.

Example: VCS Expressway to DNS server

Management control: DMZ to public
Open firewall: DMZ to public
IP address: VCS Expressway -> DNS server

| Protocol | VCS Expressway source port | Server listening port |
| DNS | UDP S (>= 1024) | UDP 53 |

S = Source port, typically >= 1024

The firewall needs to have a pinhole open for at least all source ports at the IP address of the source to all listening ports at the IP address of the listener.

When a firewall allows an outbound message through, it is assumed that responses (up to about 20 to 30 seconds after the original send) will be allowed back through the firewall.

(Diagram: Cisco VCS Control on the private network, Cisco VCS Expressway in the DMZ, public Internet beyond.)
Administration: Cisco VCS Expressway

Management control: private to DMZ
Open firewall: private to DMZ
IP address: management computer(s) -> VCS Expressway

| Protocol | Management system source port | VCS Expressway server (listening) port |
| http | TCP S (>= 1024) | TCP 80 |
| https | TCP S (>= 1024) | TCP 443 |
| ssh | TCP S (>= 1024) | TCP 22 |
| telnet | TCP S (>= 1024) | TCP 23 |
| SNMP | UDP S (>= 1024) | UDP 161 |

S = Source port, typically >= 1024

Management ports: only open the ports for the management methods that will be used.
Administration: Cisco VCS Expressway

Management control: DMZ to private
Open firewall: DMZ to private
IP address: VCS Expressway -> management computer(s)

| Protocol | PC listening port | VCS Expressway source port |
| NTP | UDP 123 | UDP S (>= 1024) |
| LDAP (for login) | TCP 389 or 636 | TCP Ue (40000 to 49999) |
| Syslog | UDP 514 | UDP Ve (40000 to 49999) |

S = Source port, typically >= 1024
Ue = VCS TCP ephemeral port range, fixed at 40000 to 49999
Ve = VCS UDP ephemeral port range, fixed at 40000 to 49999

Management ports: only open the ports for the management methods that will be used.
Administration: Cisco VCS Expressway

Call direction: TMS to VCS Expressway (left pair of columns) / VCS Expressway to TMS (right pair of columns)
Open firewall: n/a / n/a
IP address: external IP address of TMS <-> IP address of VCS Expressway

| Protocol | TMS source port | VCS Expressway (listening) port | TMS (listening) port | VCS Expressway source port |
| https (TMS to VCS, and secure feedback from VCS to TMS) | TCP S (>= 1024) | TCP 443 | TCP 443 | TCP S (>= 1024) |
| http (feedback to TMS) | - | - | TCP 80 | TCP S (>= 1024) |
| SNMP (to TMS) | UDP S (>= 1024) | UDP 161 | - | - |

S = Source port, typically >= 1024
Administration: Cisco VCS Expressway

Management control: DMZ to public
Open firewall: DMZ to public
IP address: VCS Expressway -> DNS server

| Protocol | VCS Expressway source port | Server listening port |
| DNS | UDP S (10000 to 10210) | UDP 53 |

S = Source port: 10000 to 10210
SIP traversal call

Call direction: inbound and outbound calls
Open firewall: private to DMZ
IP address: VCS Control -> VCS Expressway

| Protocol | VCS Control source port | VCS Expressway server (listening) port |
| SIP signaling | TCP & TLS A (25000 to 29999) | TCP & TLS B (7001) |
| Assent RTP (traversal media) | UDP YC (50000 to 52399) | UDP V (2776) |
| Assent RTCP (traversal media) | UDP YC (50000 to 52399) | UDP W (2777) |

A = Protocols > SIP > Configuration > TCP Outbound port start to end: default = 25000 to 29999
B = Zones > Traversal Client > SIP port, typically 7001 for the first traversal zone, 7002 for the second, etc.
YC = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
SIP call to endpoint with public IP address

Call direction: outbound to an endpoint in the Internet (left pair of columns) / inbound from an endpoint in the Internet (right pair of columns)
Open firewall: DMZ to Internet / Internet to DMZ
IP address: VCS Expressway -> any IP address / any IP address -> VCS Expressway

| Protocol | VCS Expressway source port | Internet endpoint server (listening) port | VCS Expressway server (listening) port | Internet endpoint source port |
| SIP signaling | UDP C (5060); TCP & TLS A (25000 to 29999) | UDP & TCP & TLS F (5060 or >= 1024) | UDP: C (5060); TCP: K (5060); TLS: L (5061) | UDP G (5060 or >= 1024); TCP & TLS H (>= 1024) |
| RTP | UDP YE (50000 to 52399) | UDP E (>= 1024) | UDP YE (50000 to 52399) | UDP E (>= 1024) |
| RTCP | UDP YE (50000 to 52399) | UDP E (>= 1024) | UDP YE (50000 to 52399) | UDP E (>= 1024) |

C = Protocols > SIP > Configuration > UDP port: default = 5060
A = Protocols > SIP > Configuration > TCP Outbound port start to end: default = 25000 to 29999
F = defined by the endpoint's registration (or, if the call is to a non-registered endpoint, the IP port is defined by DNS lookup): any port >= 1024, often 5060 for UDP
K = Protocols > SIP > Configuration > TCP port: default = 5060
L = Protocols > SIP > Configuration > TLS port: default = 5061
G = any port >= 1024, often 5060 for hard endpoints
H = any port >= 1024
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
E = Endpoint media port range; the value used is specified in the SDP: any IP port above 1024; 50000 to 52399 for another VCS; 2326 to 2385 for MXP static setting; 11000 to 65000 for MXP dynamic setting
SIP call to endpoint behind non SIP-aware firewall

Call direction: outbound to an endpoint behind a firewall (left pair of columns) / inbound from an endpoint behind a firewall (right pair of columns)
Open firewall: DMZ to Internet / Internet to DMZ
IP address: VCS Expressway -> any IP address / any IP address -> VCS Expressway

| Protocol | VCS Expressway source port | Internet endpoint server (listening) port | VCS Expressway server (listening) port | Internet endpoint source port |
| SIP signaling | UDP C (5060); TCP & TLS A (25000 to 29999) | UDP & TCP & TLS F (5060 or >= 1024) | UDP: C (5060); TCP: K (5060); TLS: L (5061) | UDP, TCP & TLS: Q (>= 1024) |
| RTP | UDP YE (50000 to 52399) | UDP N (>= 1024) | UDP YE (50000 to 52399) | UDP N (>= 1024) |
| RTCP | UDP YE (50000 to 52399) | UDP N (>= 1024) | UDP YE (50000 to 52399) | UDP N (>= 1024) |

C = Protocols > SIP > Configuration > UDP port: default = 5060
A = Protocols > SIP > Configuration > TCP Outbound port start to end: default = 25000 to 29999
F = defined by the endpoint's registration (or, if the call is to a non-registered endpoint, the IP port is defined by DNS lookup): any port >= 1024, often 5060 for UDP
K = Protocols > SIP > Configuration > TCP port: default = 5060
L = Protocols > SIP > Configuration > TLS port: default = 5061
Q = Egress IP port from the far-end non-NAT-aware firewall: any port >= 1024
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
N = VCS waits until it receives media, then it sends its media to the IP port from which the media was received (the egress port of the media from the far-end non SIP-aware firewall): any port >= 1024
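Legend E on the previous slide says that the endpoint's media port is whatever the endpoint puts in its SDP, and legend N on this slide says that when the far end sits behind a non SIP-aware firewall the VCS ignores that port, waits for the first media packet and sends to the port it arrived from. The following Python snippet is an added example, not Cisco's code or part of the original guide: it pulls the RTP and RTCP ports out of an SDP body, checks them against the ranges listed in legend E, and applies the legend-N rule. The SDP body and addresses are constructed for the example, and `parse_sdp_media`, `in_expected_range` and `media_destination` are names chosen here.

```python
"""Media port handling from slides 9 and 10 (added example, not Cisco's code).

Legend E: the endpoint's media port is the one carried in its SDP.
Legend N: behind a non SIP-aware firewall the VCS waits for media and
replies to the port the media actually came from (port latching).
"""
import re
from typing import Dict, List, Optional, Tuple

# Expected endpoint media ranges from legend E (inclusive).
ENDPOINT_MEDIA_RANGES: Dict[str, Tuple[int, int]] = {
    "vcs": (50000, 52399),        # another VCS
    "mxp-static": (2326, 2385),   # MXP static setting
    "mxp-dynamic": (11000, 65000),  # MXP dynamic setting
    "any": (1025, 65535),         # "any IP port above 1024"
}


def parse_sdp_media(sdp: str) -> List[Dict[str, object]]:
    """Return one dict per m= line: media type, RTP port, RTCP port, address."""
    session_addr: Optional[str] = None
    media: List[Dict[str, object]] = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("c="):
            # c=IN IP4 <addr>; a session-level c= (before any m=) applies to
            # every media line, a media-level c= overrides it for that line.
            addr = line.split()[-1]
            if media:
                media[-1]["addr"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            m = re.match(r"m=(\w+) (\d+)(?:/(\d+))? (\S+)", line)
            if not m:
                raise ValueError(f"malformed media line: {line}")
            port = int(m.group(2))
            media.append({"type": m.group(1), "rtp": port, "rtcp": port + 1,
                          "addr": session_addr})
        elif line.startswith("a=rtcp:") and media:
            # RFC 3605: an explicit RTCP port overrides the RTP+1 convention.
            media[-1]["rtcp"] = int(line[len("a=rtcp:"):].split()[0])
    return media


def in_expected_range(port: int, endpoint_kind: str) -> bool:
    """Check an SDP port against the range legend E gives for that endpoint type."""
    lo, hi = ENDPOINT_MEDIA_RANGES[endpoint_kind]
    return lo <= port <= hi


def media_destination(sdp_port: int, observed_src_port: Optional[int],
                      far_end_behind_nat: bool) -> Optional[int]:
    """Pick the port to send media to.

    Without a non SIP-aware firewall in the path the SDP port is used directly.
    Behind one, the SDP port is the endpoint's private-side port and unusable;
    return None until media has arrived, then the port it came from (legend N).
    """
    if not far_end_behind_nat:
        return sdp_port
    return observed_src_port


# Constructed sample offer from an MXP endpoint using its static media range.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 203.0.113.7
s=-
c=IN IP4 203.0.113.7
t=0 0
m=audio 2326 RTP/AVP 0
m=video 2328 RTP/AVP 96
a=rtcp:2329
"""

if __name__ == "__main__":
    for entry in parse_sdp_media(SAMPLE_SDP):
        ok = in_expected_range(int(entry["rtp"]), "mxp-static")
        print(entry["type"], entry["addr"], entry["rtp"], entry["rtcp"],
              "in MXP static range" if ok else "outside MXP static range")
    print("latched destination:", media_destination(2326, 40123, True))
```

The range check is the useful defensive bit: an SDP whose media ports fall outside what the endpoint type is known to use is worth a closer look in the call logs before the pinhole for it is widened.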
SIP additional ports for ICE (from VCS X6.0)

Message direction: outbound from VCS to an endpoint in the Internet (left pair of columns) / inbound from an endpoint in the Internet to VCS (right pair of columns)
Open firewall: DMZ to Internet / Internet to DMZ
IP address: VCS Expressway -> any IP address / any IP address -> VCS Expressway

| Protocol | VCS Expressway source port | Internet endpoint server (listening) port | VCS Expressway server (listening) port | Internet endpoint source port |
| TURN server control | N/A | N/A | UDP 3478 | UDP M (>= 1024) |
| TURN server media | UDP 60000 to 61799 | UDP N (>= 1024) | UDP 60000 to 61799 | UDP N (>= 1024) |

M = IP port of signalling from the endpoint; may be the ephemeral IP port of the endpoint (if no firewall) or the IP port of the outside firewall: any IP port above 1024
N = IP port of the relevant ICE candidate: host IP port, server reflexive IP port (outside firewall port) or TURN server port: any IP port above 1024
H.323 traversal call using Assent

Call direction: inbound and outbound calls
Open firewall: private to DMZ
IP address: VCS Control -> VCS Expressway

| Protocol | VCS Control source port | VCS Expressway server (listening) port |
| Initial RAS connection | UDP RC (1719) | UDP D (6001) |
| Q.931 / H.225 signaling | TCP P (15000 to 19999) | TCP T (2776) |
| H.245 | TCP P (15000 to 19999) | TCP T (2776) |
| Assent RTP (traversal media) | UDP YC (50000 to 52399) | UDP V (2776) |
| Assent RTCP (traversal media) | UDP YC (50000 to 52399) | UDP W (2777) |

RC = Protocols > H.323 > Gatekeeper > Registration UDP port: default = 1719
P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
D = Zones > Traversal Zone > H.323 port, typically 6001 for the first traversal zone, 6002 for the second, etc.
T = VCS Expressway > Ports > H.323 Assent call signaling port: default = 2776
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
YC = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
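The private-to-DMZ pinholes on this slide and on the "SIP traversal call" slide, together with the rule on the first "Administration: Cisco VCS Expressway" slide that only the management methods actually in use are opened, can be turned into firewall rules mechanically rather than by hand. The following Python script is an added example, not Cisco's code or part of the original guide: it encodes the default ports from those three tables, emits one stateful nftables-style allow rule per flow, and lists the (protocol, port) pairs the VCS Expressway must be listening on so they can be compared against what is really open. Host addresses are constructed placeholders from the RFC 5737 documentation ranges, and `private_to_dmz_rules` and `listening_ports` are names chosen here.

```python
"""Allow rules for the private-network/DMZ firewall between VCS Control and
VCS Expressway, built from the slide 4, slide 8 and slide 12 port tables
(added example, not Cisco's code). Ports are the slides' defaults; addresses
are constructed placeholders."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str                  # "tcp" or "udp"
    src: str                    # initiating host
    src_ports: Tuple[int, int]  # inclusive source port range
    dst: str                    # listening host
    dst_ports: Tuple[int, int]  # inclusive listening port range


EPHEMERAL = (1024, 65535)       # "S = source port, typically >= 1024"

# Constructed placeholder addresses (RFC 5737 documentation ranges).
MGMT = "192.0.2.10"
VCS_CONTROL = "192.0.2.20"
VCS_EXPRESSWAY = "198.51.100.30"

# Slide 4: management from the private network to the VCS Expressway.
MANAGEMENT = {
    "http":   Flow("http",   "tcp", MGMT, EPHEMERAL, VCS_EXPRESSWAY, (80, 80)),
    "https":  Flow("https",  "tcp", MGMT, EPHEMERAL, VCS_EXPRESSWAY, (443, 443)),
    "ssh":    Flow("ssh",    "tcp", MGMT, EPHEMERAL, VCS_EXPRESSWAY, (22, 22)),
    "telnet": Flow("telnet", "tcp", MGMT, EPHEMERAL, VCS_EXPRESSWAY, (23, 23)),
    "snmp":   Flow("snmp",   "udp", MGMT, EPHEMERAL, VCS_EXPRESSWAY, (161, 161)),
}

# Slide 8 (SIP) and slide 12 (H.323 Assent) traversal zone, default ports.
TRAVERSAL = [
    Flow("SIP signaling A->B",  "tcp", VCS_CONTROL, (25000, 29999), VCS_EXPRESSWAY, (7001, 7001)),
    Flow("H.323 RAS RC->D",     "udp", VCS_CONTROL, (1719, 1719),   VCS_EXPRESSWAY, (6001, 6001)),
    Flow("H.225/H.245 P->T",    "tcp", VCS_CONTROL, (15000, 19999), VCS_EXPRESSWAY, (2776, 2776)),
    Flow("Assent RTP YC->V",    "udp", VCS_CONTROL, (50000, 52399), VCS_EXPRESSWAY, (2776, 2776)),
    Flow("Assent RTCP YC->W",   "udp", VCS_CONTROL, (50000, 52399), VCS_EXPRESSWAY, (2777, 2777)),
]


def port_expr(r: Tuple[int, int]) -> str:
    lo, hi = r
    return str(lo) if lo == hi else f"{lo}-{hi}"


def nft_rule(f: Flow) -> str:
    """One stateful allow per flow; replies are carried by an
    'ct state established,related accept' rule elsewhere in the chain."""
    return (f"ip saddr {f.src} ip daddr {f.dst} "
            f"{f.proto} sport {port_expr(f.src_ports)} {f.proto} dport {port_expr(f.dst_ports)} "
            f"ct state new accept comment \"{f.name}\"")


def private_to_dmz_rules(management_methods: Iterable[str]) -> List[str]:
    """Slide 4's rule: open only the management methods that will be used,
    plus every traversal-zone pinhole."""
    wanted = set(management_methods)
    unknown = wanted - set(MANAGEMENT)
    if unknown:
        raise ValueError(f"unknown management method(s): {sorted(unknown)}")
    flows = [MANAGEMENT[m] for m in sorted(wanted)] + TRAVERSAL
    return [nft_rule(f) for f in flows]


def listening_ports(flows: Iterable[Flow]) -> Set[Tuple[str, int]]:
    """Every (proto, port) the listener must accept; diff this against the
    sockets actually open on the VCS Expressway."""
    out: Set[Tuple[str, int]] = set()
    for f in flows:
        lo, hi = f.dst_ports
        out.update((f.proto, p) for p in range(lo, hi + 1))
    return out


if __name__ == "__main__":
    for rule in private_to_dmz_rules({"https", "ssh"}):
        print(rule)
    print(sorted(listening_ports(TRAVERSAL)))
```

Because every rule matches only `ct state new`, the 20 to 30 second return path the "format of information" slide assumes is supplied by the firewall's connection tracking instead of by a second set of reverse rules; the generated list therefore stays exactly as long as the port tables it came from.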
H.323 traversal call using H.460.18 / 19 non-mux media

Call direction: inbound and outbound calls
Open firewall: private to DMZ
IP address: VCS Control -> VCS Expressway

| Protocol | VCS Control source port | VCS Expressway server (listening) port |
| Initial RAS connection | UDP RC (1719) | UDP D (6001) |
| Q.931 / H.225 signaling | TCP P (15000 to 19999) | TCP M (1720) |
| H.245 | TCP P (15000 to 19999) | TCP U (2777) |
| Assent RTP (traversal media) | UDP YC (50000 to 52399) | UDP YE (50000 to 52399) |
| Assent RTCP (traversal media) | UDP YC (50000 to 52399) | UDP YE (50000 to 52399) |

RC = Protocols > H.323 > Gatekeeper > Registration UDP port: default = 1719
P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
D = Zones > Traversal Zone > H.323 port, typically 6001 for the first traversal zone, 6002 for the second, etc.
M = Protocols > H.323 Call signaling TCP port: default = 1720
U = VCS Expressway > Ports > H.323 H.460.18 call signaling port: default = 2777
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
YC = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
H.323 traversal call using H.460.18 / 19 multiplexed media

Call direction: inbound and outbound calls
Open firewall: private to DMZ
IP address: VCS Control -> VCS Expressway

| Protocol | VCS Control source port | VCS Expressway server (listening) port |
| Initial RAS connection | UDP RC (1719) | UDP D (6001) |
| Q.931 / H.225 signaling | TCP P (15000 to 19999) | TCP M (1720) |
| H.245 | TCP P (15000 to 19999) | TCP U (2777) |
| H.460.18/19 RTP (traversal media) | UDP YC (50000 to 52399) | UDP V (2776) |
| H.460.18/19 RTCP (traversal media) | UDP YC (50000 to 52399) | UDP W (2777) |

RC = Protocols > H.323 > Gatekeeper > Registration UDP port: default = 1719
P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
D = Zones > Traversal Zone > H.323 port, typically 6001 for the first traversal zone, 6002 for the second, etc.
M = Protocols > H.323 Call signaling TCP port: default = 1720
U = VCS Expressway > Ports > H.323 H.460.18 call signaling port: default = 2777
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
YC = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
H.323 call with registered endpoint with public IP address

Call direction: outbound to an endpoint in the Internet (left pair of columns) / inbound from an endpoint in the Internet (right pair of columns)
Open firewall: DMZ to Internet / Internet to DMZ
IP address: VCS Expressway -> any IP address / any IP address -> VCS Expressway

| Protocol | VCS Expressway source port | Internet endpoint server (listening) port | VCS Expressway server (listening) port | Internet endpoint source port |
| Initial RAS connection | - | - | UDP RE (1719) | UDP J (1719) |
| Q.931 / H.225 signaling | TCP P (15000 to 19999) | TCP G (1720) | TCP M (1720) | TCP K (1720) |
| H.245 | TCP P (15000 to 19999) | TCP H (>= 1024) | TCP P (15000 to 19999) | TCP H (>= 1024) |
| RTP | UDP YE (50000 to 52399) | UDP E (>= 1024) | UDP YE (50000 to 52399) | UDP E (>= 1024) |
| RTCP | UDP YE (50000 to 52399) | UDP E (>= 1024) | UDP YE (50000 to 52399) | UDP E (>= 1024) |

RE = Protocols > H.323 > Gatekeeper Registration > UDP port: default = 1719
J = Endpoint RAS source port, typically 1719
P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
G = Endpoint signaling port, specified in registration: any port >= 1024, typically 1720
M = Protocols > H.323 Call signaling TCP port: default = 1720
K = Endpoint signaling port: any port >= 1024, typically 1720
H = Endpoint H.245 signaling port: any IP port >= 1024; 15000 to 19999 to another VCS; 5555 to 5574 for MXP static setting; 11000 to 65000 for MXP dynamic setting
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
E = Endpoint media port range; the value used is specified in codec negotiations: any IP port above 1024; 50000 to 52399 for another VCS; 2326 to 2385 for MXP static setting; 11000 to 65000 for MXP dynamic setting
H.323 call with a non-registered endpoint with public IP

Call direction: outbound to an endpoint in the Internet (left pair of columns) / inbound from an endpoint in the Internet (right pair of columns)
Open firewall: DMZ to Internet / Internet to DMZ
IP address: VCS Expressway -> any IP address / any IP address -> VCS Expressway

| Protocol | VCS Expressway source port | Internet endpoint server (listening) port | VCS Expressway server (listening) port | Internet endpoint source port |
| Initial RAS connection | - | - | - | - |
| Q.931 / H.225 signaling | TCP P (15000 to 19999) | TCP G (1720) | TCP M (1720) | TCP K (1720) |
| H.245 | TCP P (15000 to 19999) | TCP H (>= 1024) | TCP P (15000 to 19999) | TCP H (>= 1024) |
| RTP | UDP YE (50000 to 52399) | UDP E (>= 1024) | UDP YE (50000 to 52399) | UDP E (>= 1024) |
| RTCP | UDP YE (50000 to 52399) | UDP E (>= 1024) | UDP YE (50000 to 52399) | UDP E (>= 1024) |

P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
G = Endpoint signaling port, specified by a) the IP port in the call request, b) DNS lookup for the URI to call, or c) 1720 if an IP address but no port is specified. Can be any port >= 1024, typically 1720
M = Protocols > H.323 Call signaling TCP port: default = 1720
K = Endpoint signaling port: any port >= 1024, typically 1720
H = Endpoint H.245 signaling port: any IP port >= 1024; 15000 to 19999 to another VCS; 5555 to 5574 for MXP static setting; 11000 to 65000 for MXP dynamic setting
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
E = Endpoint media port range; the value used is specified in codec negotiations: any IP port above 1024; 50000 to 52399 for another VCS; 2326 to 2385 for MXP static setting; 11000 to 65000 for MXP dynamic setting
H.323 call with endpoint supporting Assent behind firewall

Call direction: inbound from or outbound to an endpoint in the Internet behind a firewall
Open firewall: Internet to DMZ
IP address: any IP address -> VCS Expressway

| Protocol | VCS Expressway server (listening) port | Firewall source port |
| Initial RAS connection | UDP RE (1719) | UDP Q (>= 1024) |
| Q.931 / H.225 signaling | TCP T (2776) | TCP Q (>= 1024) |
| H.245 | TCP T (2776) | TCP Q (>= 1024) |
| RTP | UDP V (2776) | UDP N (>= 1024) |
| RTCP | UDP W (2777) | UDP N (>= 1024) |

RE = Protocols > H.323 > Gatekeeper Registration > UDP port: default = 1719
Q = Egress IP port from the far-end non-H.323-aware firewall: any port >= 1024
T = VCS Expressway > Ports > H.323 Assent call signaling port: default = 2776
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
N = Egress IP port of media from the far-end non-H.323-aware firewall: any port >= 1024

For calls made from the VCS Expressway to the endpoint:
1. VCS Expressway sends a message to the endpoint using the return path of the established RAS (registration) connection.
2. The endpoint then makes a TCP connection out through its firewall to the VCS Expressway (port T, 2776, must be open on the firewall local to the VCS Expressway).
3. Any further connections required (e.g. H.245) are requested by the VCS Expressway over the established TCP connection, and the endpoint initiates them (to port T, 2776).
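The three-step call flow above, combined with the assumption on the "format of information" slide that a firewall lets responses back through for roughly 20 to 30 seconds after an outbound send, is what allows an Assent endpoint behind an ordinary outbound-only firewall to receive calls without any inbound opening on its side. The following Python model is an added example, not Cisco's code or part of the original guide: it simulates the endpoint's own firewall as a table of pinholes with a 30-second lifetime, plays the registration, keepalive, call-setup and H.245 packets of the flow above through it, and shows that an unsolicited inbound H.225 connection and a late RAS reply are both dropped. Addresses, source ports and timings are constructed; `OutboundOnlyFirewall` and `assent_call_from_expressway` are names chosen here.

```python
"""Toy stateful firewall for the endpoint side of the slide 17 scenario
(added example, not Cisco's code). Inbound packets are allowed only through
a pinhole created by the endpoint's own outbound traffic; pinholes expire
after PINHOLE_TTL seconds, the upper end of the 20-30 s window on slide 3."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PINHOLE_TTL = 30.0


@dataclass(frozen=True)
class Packet:
    t: float      # seconds since the simulation started
    proto: str    # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


# proto, inside address, inside port, outside address, outside port
Key = Tuple[str, str, int, str, int]


class OutboundOnlyFirewall:
    """Allows anything from the inside host; allows inbound only on a live pinhole."""

    def __init__(self, inside: str) -> None:
        self.inside = inside
        self.pinholes: Dict[Key, float] = {}   # key -> expiry time
        self.log: List[str] = []

    def process(self, p: Packet) -> bool:
        self._expire(p.t)
        if p.src == self.inside:
            key: Key = (p.proto, p.src, p.sport, p.dst, p.dport)
            self.pinholes[key] = p.t + PINHOLE_TTL       # create or refresh
            self.log.append(f"{p.t:5.1f} OUT {p.proto} {p.sport}->{p.dst}:{p.dport} allow")
            return True
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        ok = key in self.pinholes
        if ok:
            self.pinholes[key] = p.t + PINHOLE_TTL       # a reply keeps the hole open
        self.log.append(f"{p.t:5.1f} IN  {p.proto} {p.src}:{p.sport}->{p.dport} "
                        + ("allow (pinhole)" if ok else "DROP"))
        return ok

    def _expire(self, now: float) -> None:
        for k in [k for k, exp in self.pinholes.items() if exp <= now]:
            del self.pinholes[k]


# Constructed placeholder addresses.
ENDPOINT = "192.168.1.50"       # inside the far-end firewall
EXPRESSWAY = "198.51.100.30"    # VCS Expressway in the DMZ


def assent_call_from_expressway() -> List[bool]:
    """Slide 17's steps as seen by the endpoint's firewall; one decision per packet."""
    fw = OutboundOnlyFirewall(ENDPOINT)
    events = [
        # Registration: endpoint RAS to RE = 1719 on the Expressway opens the hole.
        Packet(0.0,  "udp", ENDPOINT,   40000, EXPRESSWAY, 1719),
        # A periodic RAS keepalive refreshes the hole before it expires.
        Packet(20.0, "udp", ENDPOINT,   40000, EXPRESSWAY, 1719),
        # Step 1: Expressway signals the incoming call down the RAS return path.
        Packet(25.0, "udp", EXPRESSWAY, 1719,  ENDPOINT,   40000),
        # Step 2: endpoint opens TCP out to port T = 2776 for Q.931/H.225.
        Packet(25.5, "tcp", ENDPOINT,   40001, EXPRESSWAY, 2776),
        # Step 3: H.245 is requested over that session; the endpoint connects to T again.
        Packet(26.0, "tcp", ENDPOINT,   40002, EXPRESSWAY, 2776),
        # Unsolicited inbound H.225 to the endpoint's 1720: no pinhole, dropped.
        Packet(27.0, "tcp", EXPRESSWAY, 15000, ENDPOINT,   1720),
        # A RAS reply arriving after the hole has expired (last refresh at 25.0) is dropped.
        Packet(60.0, "udp", EXPRESSWAY, 1719,  ENDPOINT,   40000),
    ]
    decisions = [fw.process(p) for p in events]
    for line in fw.log:
        print(line)
    return decisions


if __name__ == "__main__":
    assent_call_from_expressway()
```

The two dropped packets are the point: the model needs no rule for port 1720 or for the H.245 port on the endpoint side, which is why the slide's "Open firewall" row names only the Internet-to-DMZ direction, and the late reply shows why the endpoint's RAS keepalive interval has to stay shorter than the firewall's pinhole timeout.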
H.323 call with endpoint supporting H.460.18 / 19 non-mux media

Call direction: inbound from or outbound to an endpoint in the Internet behind a firewall
Open firewall: Internet to DMZ
IP address: any IP address -> VCS Expressway

| Protocol | VCS Expressway server (listening) port | Firewall source port |
| Initial RAS connection | UDP RE (1719) | UDP Q (>= 1024) |
| Q.931 / H.225 signaling | TCP M (1720) | TCP Q (>= 1024) |
| H.245 | TCP U (2777) | TCP Q (>= 1024) |
| RTP | UDP YE (50000 to 52399) | UDP N (>= 1024) |
| RTCP | UDP YE (50000 to 52399) | UDP N (>= 1024) |

RE = Protocols > H.323 > Gatekeeper Registration > UDP port: default = 1719
Q = Egress IP port from the far-end non-H.323-aware firewall: any port >= 1024
M = Protocols > H.323 Call signaling TCP port: default = 1720
U = VCS Expressway > Ports > H.323 H.460.18 call signaling port: default = 2777
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
N = Egress IP port of media from the far-end non-H.323-aware firewall: any port >= 1024

For calls made from the VCS Expressway to the endpoint:
1. VCS Expressway sends a message to the endpoint using the return path of the established RAS (registration) connection.
2. The endpoint then makes a TCP connection out through its firewall to the VCS Expressway (port M, 1720, must be open on the firewall local to the VCS Expressway).
3. Any further connections required (e.g. H.245) are requested by the VCS Expressway over the established TCP connection, and the endpoint initiates them (to port U, 2777).
H.323 call with endpoint supporting H.460.18 / 19 multiplexed media

Call direction: inbound from or outbound to an endpoint in the Internet behind a firewall
Open firewall: Internet to DMZ
IP address: any IP address -> VCS Expressway

| Protocol | VCS Expressway server (listening) port | Firewall source port |
| Initial RAS connection | UDP RE (1719) | UDP Q (>= 1024) |
| Q.931 / H.225 signaling | TCP M (1720) | TCP Q (>= 1024) |
| H.245 | TCP U (2777) | TCP Q (>= 1024) |
| RTP | UDP V (2776) | UDP N (>= 1024) |
| RTCP | UDP W (2777) | UDP N (>= 1024) |

RE = Protocols > H.323 > Gatekeeper Registration > UDP port: default = 1719
Q = Egress IP port from the far-end non-H.323-aware firewall: any port >= 1024
M = Protocols > H.323 Call signaling TCP port: default = 1720
U = VCS Expressway > Ports > H.323 H.460.18 call signaling port: default = 2777
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
N = Egress IP port of media from the far-end non-H.323-aware firewall: any port >= 1024

For calls made from the VCS Expressway to the endpoint:
1. VCS Expressway sends a message to the endpoint using the return path of the established RAS (registration) connection.
2. The endpoint then makes a TCP connection out through its firewall to the VCS Expressway (port M, 1720, must be open on the firewall local to the VCS Expressway).
3. Any further connections required (e.g. H.245) are requested by the VCS Expressway over the established TCP connection, and the endpoint initiates them (to port U, 2777).
SIP/H.323 Authentication: Cisco VCS Expressway

Management control: DMZ to private
Open firewall: DMZ to private
IP address: VCS Expressway -> management computer(s)

| Protocol | PC listening port | VCS Expressway source port |
| H.350 | TCP 389 or 636 | TCP Ue (40000 to 49999) |
| Active Directory direct | UDP 53; UDP 88; TCP 88; UDP 389; TCP 389 or 636; TCP 445 or 139 | UDP Ve (40000 to 49999); TCP Ue (40000 to 49999) |

Ue = VCS TCP ephemeral port range, fixed at 40000 to 49999
Ve = VCS UDP ephemeral port range, fixed at 40000 to 49999

Management ports: only open the ports for the management methods that will be used.
Administration: Cisco VCS Control

Management control: private network
Open firewall: n/a
IP address: management computer(s) -> VCS Control

| Protocol | Management system source port | VCS Control listening port |
| http | TCP S (>= 1024) | TCP 80 |
| https | TCP S (>= 1024) | TCP 443 |
| ssh | TCP S (>= 1024) | TCP 22 |
| telnet | TCP S (>= 1024) | TCP 23 |
| SNMP | UDP S (>= 1024) | UDP 161 |

S = Source port, typically >= 1024
Administration: Cisco VCS Control

Management control: private network
Open firewall: n/a
IP address: VCS Control -> management computer(s)

| Protocol | Management system (listening) port | VCS Control source port |
| NTP | UDP 123 | UDP S (>= 1024) |
| LDAP | TCP 389 | TCP S (>= 1024) |
| http (feedback to TMS) | TCP 80 | TCP S (>= 1024) |
| DNS | UDP 53 | UDP S (10000 to 10210) |

S = Source port, typically >= 1024
Administration: local endpoint

Management control: private network
Open firewall: n/a
IP address: management computer(s) -> endpoint

| Protocol | Management system source port | Endpoint listening port |
| http | TCP S (>= 1024) | TCP 80 |
| https | TCP S (>= 1024) | TCP 443 |
| ssh | TCP S (>= 1024) | TCP 22 |
| telnet | TCP S (>= 1024) | TCP 23 |
| SNMP | UDP S (>= 1024) | UDP 161 |

S = Source port, typically >= 1024
Administration: local endpoint

Management control: private network
Open firewall: n/a
IP address: VCS Control -> management computer(s)

| Protocol | Management system (listening) port | VCS Control source port |
| NTP | UDP 123 | UDP S (>= 1024) |
| http (feedback to TMS) | TCP 80 | TCP S (>= 1024) |
| DNS | UDP 53 | UDP S (10000 to 10210) |

S = Source port, typically >= 1024
  • 8/12/2019 Cisco VCS IP Port Usage for Firewall Traversal Deployment Guide X4 to X7

    25/28

    25

    SIP: internal

    | | VCS Control source port | Endpoint listening port | VCS Control listening port | Endpoint source port |
    |---|---|---|---|---|
    | Call direction | VCS Control to endpoint | | Endpoint to VCS Control | |
    | Open firewall | n/a | | n/a | |
    | IP address | IP address of VCS Control | IP address of endpoint | IP address of VCS Control | IP address of endpoint |
    | SIP signaling | UDP C 5060; TCP & TLS A 25000 to 29999 | UDP & TCP & TLS F 5060 or >= 1024 | UDP C 5060; TCP K 5060; TLS L 5061 | UDP G 5060 or >= 1024; TCP & TLS H >= 1024 |
    | RTP | UDP Y_C 50000 to 52399 | UDP E >= 1024 | UDP Y_E 50000 to 52399 | UDP E >= 1024 |
    | RTCP | UDP Y_C 50000 to 52399 | UDP E >= 1024 | UDP Y_E 50000 to 52399 | UDP E >= 1024 |

    [Diagram: VCS Control on the private network, VCS Expressway in the DMZ, public Internet]

    C = Protocols > SIP > Configuration > UDP port: default = 5060
    A = Protocols > SIP > Configuration > TCP Outbound port start to end: default = 25000 to 29999
    F = defined by the endpoint's registration (or, if the call is to a non-registered endpoint, the IP port is defined by DNS lookup): any port >= 1024, often 5060 for UDP
    K = Protocols > SIP > Configuration > TCP port: default = 5060
    L = Protocols > SIP > Configuration > TLS port: default = 5061
    G = any port >= 1024, often 5060 for hard endpoints
    H = any port >= 1024
    Y_C = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
    E = Endpoint media port range; value used is specified in the SDP:
        = any IP port above 1024
        = 50000 to 52399 for another VCS
        = 2326 to 2385 for MXP static setting
        = 11000 to 65000 for MXP dynamic setting
    Y_E = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399


    H.323: internal

    | | VCS Control source port | Endpoint listening port | VCS Control listening port | Endpoint source port |
    |---|---|---|---|---|
    | Call direction | VCS Control to endpoint | | Endpoint to VCS Control | |
    | Open firewall | n/a | | n/a | |
    | IP address | IP address of VCS Expressway | Any IP address | IP address of VCS Expressway | Any IP address |
    | Initial RAS connection | - | - | UDP R_C 1719 | UDP J 1719 |
    | Q.931 / H.225 signaling | TCP P 15000 to 19999 | TCP G 1720 | TCP M 1720 | TCP K 1720 |
    | H.245 | TCP P 15000 to 19999 | TCP H >= 1024 | TCP P 15000 to 19999 | TCP H >= 1024 |
    | RTP | UDP Y_C 50000 to 52399 | UDP E >= 1024 | UDP Y_C 50000 to 52399 | UDP E >= 1024 |
    | RTCP | UDP Y_C 50000 to 52399 | UDP E >= 1024 | UDP Y_C 50000 to 52399 | UDP E >= 1024 |

    [Diagram: VCS Control on the private network, VCS Expressway in the DMZ, public Internet]

    R_C = Protocols > H.323 > Gatekeeper Registration > UDP port: default = 1719
    J = Endpoint RAS source port, typically 1719
    P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
    G = Endpoint signaling port, specified in registration: any port >= 1024, typically 1720
    M = Protocols > H.323 > Call signaling TCP port: default = 1720
    K = Endpoint signaling port: any port >= 1024, typically 1720
    H = Endpoint H.245 signaling port:
        = any IP port >= 1024
        = 15000 to 19999 to another VCS
        = 5555 to 5574 for MXP static setting
        = 11000 to 65000 for MXP dynamic setting
    Y_C = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
    E = Endpoint media port range; value used is specified in codec negotiations:
        = any IP port above 1024
        = 50000 to 52399 for another VCS
        = 2326 to 2385 for MXP static setting
        = 11000 to 65000 for MXP dynamic setting
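The "SIP: internal" and "H.323: internal" tables above are easy to mis-transcribe into an access list; the following added example (not code from the Cisco guide) encodes both tables' default port ranges as expected flows and audits a constructed list of observed flows against them, reporting any flow the tables do not explain. The rule names, the `Expected` type and the sample flows are assumptions made for this example.

```python
"""Added example, not part of the Cisco guide: encode the "SIP: internal" and
"H.323: internal" tables as expected flows and audit a constructed flow list
against them. Port values are the guide's defaults; flows are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Expected:
    name: str
    proto: str          # "udp" or "tcp" (TLS runs over TCP)
    src_ports: range    # source port range at the sender
    dst_ports: range    # listening port range at the receiver

ANY = range(1024, 65536)  # ">= 1024" in the guide's legend

# VCS Control -> endpoint (SIP: internal), letters as in the guide's legend
SIP_CONTROL_TO_ENDPOINT = [
    Expected("sip-udp", "udp", range(5060, 5061), ANY),        # C   -> F
    Expected("sip-tcp-tls", "tcp", range(25000, 30000), ANY),  # A   -> F
    Expected("rtp-rtcp", "udp", range(50000, 52400), ANY),     # Y_C -> E
]
# endpoint -> VCS Control (H.323: internal)
H323_ENDPOINT_TO_CONTROL = [
    Expected("ras", "udp", range(1719, 1720), range(1719, 1720)),  # J -> R_C
    Expected("q931", "tcp", ANY, range(1720, 1721)),               # K -> M
    Expected("h245", "tcp", ANY, range(15000, 20000)),             # H -> P
    Expected("rtp-rtcp", "udp", ANY, range(50000, 52400)),         # E -> Y_C
]

def match(rules, proto, sport, dport):
    """Name of the table row that covers this flow, or None."""
    for r in rules:
        if r.proto == proto and sport in r.src_ports and dport in r.dst_ports:
            return r.name
    return None

def unexpected(rules, flows):
    """Flows (proto, sport, dport) that no row of the table explains."""
    return [f for f in flows if match(rules, *f) is None]

if __name__ == "__main__":
    # constructed flows seen from an endpoint towards VCS Control
    seen = [("udp", 1719, 1719), ("tcp", 40001, 1720),
            ("tcp", 40002, 17000), ("udp", 2330, 50010),
            ("tcp", 40003, 22)]          # ssh, not a call flow
    for f in unexpected(H323_ENDPOINT_TO_CONTROL, seen):
        print("not explained by H.323: internal:", f)
```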


    B2BUA

    SIP B2BUA (for calls to Microsoft OCS/Lync devices)

    [Diagram: Cisco VCS Control (Cisco OCS/Lync gateway VCS Control) and Cisco VCS Expressway; Microsoft OCS / Lync with FEP a, FEP b, FEP c, Edge Server, Active Directory and Hardware Load Balancer; MOC / Lync client; video endpoint; Cisco TelePresence Advanced Media Gateway; TURN server]

    | Service / function | Default port on B2BUA |
    |---|---|
    | Media | 56000:57000 UDP |
    | OCS/Lync device signaling | 65072 TLS |
    | Transcoder device signaling | 65080 TLS |
    | OCS/Lync presence communications | 10011 TLS |

    | Service / function | Default port on remote system |
    |---|---|
    | OCS/Lync device signaling | 5061 TLS |
    | TURN server signaling/media | 3478 UDP |
    | Transcoder device signaling | 5061 TLS |

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

    THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

    NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

    Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

    © 2011 Cisco Systems, Inc. All rights reserved.