Avaya Port Matrix: Avaya Aura® Communication Manager 8.1.0
Issue 1.1
May 1, 2019

Avaya – Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.


ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND, FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL ELIMINATE SECURITY THREATS TO CUSTOMERS' SYSTEMS. AVAYA INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES, REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY CIRCUMSTANCES, BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN. THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE OF THESE TERMS.

© 2019 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.


1 Communication Manager Components

Data flows and their sockets are owned and directed by an application. It is possible for a server to have more than one application, but this document only covers the CM application, not other applications running in separate virtual machines under VMware on the same hardware. For the CM application, sockets are created on the network interfaces, but these may not be sourced from the server itself: the source may be the server's Processor Ethernet (PE), or it may be another network element such as a CLAN circuit pack. For the purposes of firewall configuration these sockets are treated as sourced from the server, so the firewall (the iptables service) should be running on the same server.

Component | Interface | Description
CM | Ethernet | All traffic

The above table says only Ethernet, but that interface may be either CM's Processor Ethernet or the Ethernet interface on a CLAN circuit pack. Each of the various Avaya CM servers has a number of network interfaces (up to 5), each of which has its own IP address. The following table illustrates how different processor models make use of the various network interfaces (NICs). In the table below, the first entry in a cell is an IP address and the second the maximum supported speed in megabits per second. Interfaces assigned address 192.11.13.6 are for the Avaya Services laptop (labeled eth2 in the table). Interfaces assigned address 192.11.13.13 or 192.11.13.14 are for the server duplication link (labeled eth3 in the table). Addresses of the form 127.0.0.0/8 are host loopback or internal addresses. Addresses marked "administered" are assigned by the customer from the customer's network.

Note: IP addresses for the Ethernet ports in this table are shown as examples only.

Interface (see footnote 1) | S8300D | S8300E | R610, R620, DL360G7, DL360PG8 (Simplex) | R610, R620, DL360G7, DL360PG8 (Duplex)
eth0 | 192.11.13.6 / 1000 | 192.11.13.6 / 1000 | administered / 1000 | administered / 1000
eth0:0 | -- | -- | -- | --
eth1 | inet6 / 1000 | inet6 / 1000 | 192.11.13.6 / 1000 | 192.11.13.6 / 1000
eth1.0000 | 135.9.71.116 | 135.9.71.116 | -- | --
eth1.4093 | 169.254.1.31 | 169.254.1.31 | -- | --
eth2 | -- | administered / 1000 | administered / 1000 | administered / 1000
eth2:0 | -- | -- | -- | --
eth3 | -- | -- | -- | 192.11.13.13 (Server 1) and 192.11.13.14 (Server 2) / 1000
eth3:0 | -- | -- | -- | --
eth4 | -- | -- | -- | --
eth4:0 | -- | -- | -- | --

1.1 Document Change History

EVENT | DOCUMENT DATE | CHANGE DESCRIPTION

Version 1.0 issued for a new CM R8.1 minor release | 18 Apr 2019 | Document stored as <190586>. A summary of changes:
• Syslog over TLS uses TCP port 6514
• CM Array feature uses TCP port 2376 for communication between Docker daemons
• CM Array feature uses TCP port 9988 for communication between a container (Kafka) client and the container Broker

Version 1.1 was re-edited to correct some document errors | | A summary of changes:
• Removed port 81; HTTP IP phone updates have not been supported for many years
• Updated the Port Matrix diagram to move "Array Kafka" to point to the "Other" block

Footnote 1: A colon in an interface name indicates an alias. A period in an interface name indicates a VLAN.


Port Usage Tables

1.2 Port Usage Table Heading Definitions

Source System: System name or type that initiates connection requests.

Source Port: This is the default layer-4 port number of the connection source. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.

Network/Application Protocol: This is the name associated with the layer-4 protocol and the layer-5-7 application.

Optionally Enabled/Disabled: This field indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values include Yes or No.
  "No" means the default port state cannot be changed (i.e. enabled or disabled).
  "Yes" means the default port state can be changed and that the port can either be enabled or disabled.

Default Port/Listen State: A listen port is either open, closed or filtered.
  Open listen ports will respond to queries.
  Closed listen ports may or may not respond to queries and are only listed when they can be optionally enabled.
  Filtered listen ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP ports will respond to queries but will not allow connectivity.

Description: Connection details. Some descriptions have a reference to the Notes section after each table for specifics on any of the row data.


1.3 Port Tables

Below are the tables which document the port usage for this product. Note that a large number of the IP ports used by CM's Processor Ethernet interface have the same port numbers as those used on CLAN circuit packs in port networks. In many ways the CLAN circuit packs act as remote network interface cards for the processor controlling them. Therefore the following CM port matrix table includes CLAN ports; the affected ports are noted.

In a theoretical sense all IP ports on CM are optionally enabled/disabled with a default port state of closed, because by default CM's Processor Ethernet is disabled. For practical purposes almost all systems will have the Processor Ethernet port enabled, and the enable/disable column in the following table assumes it is enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options" and see "Processor Ethernet" on page 4.

Table 1: Listen Ports for Communication Manager

Columns: Source System | Source Port (non-configurable range) | Destination System | Destination Port (configurable range in parentheses) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description

any | N/A (N/A) | CM | N/A (N/A) | ICMP | yes | open | ICMP messages, ping, etc. IP Protocol Number 1
Admin Device | 1024–65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23
Admin Device | 1024–65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interface over Telnet. Note 23
Admin Device | 1024–65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23
IPSI | 1024–65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP)
CM, SCS, SRS | 1024–65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP)
SNMP NMS | 1024–65535 | CM | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 5, Note 23
SNMP NMS | 1024–65535 | CLAN | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 23
Gateway, CM, SCS, SRS, UPS | 1024–65535 | CM | 162 | UDP SNMP Trap | yes | closed | SNMP traps (server) collection. Note 6, Note 23
IP Phone | 1024–2048 | CM, CLAN | 411 | TCP HTTPS | no | open | HTTPS IP Phone configuration file download. Note 3
Admin Device, SCS, SRS | 1024–65535 | CM | 443 | TCP HTTPS | no | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024–65535 | CM | 514 | UDP SYSLOG, TCP SYSLOG | yes | closed | TN Board Logging & Server Log Files
CM 1.3 or older | 512–1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync Service. Note 7
H.248 Media Gateways | 1024–65535 | CM or CLAN | 1039 | TCP Encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024–5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling
CM | 1024–65535 | CM | 1332 | UDP, DES-encrypted proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024–65535 | CM or CLAN | 1719 | TCP H.323 | yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500–6500 | CM or CLAN | 1720 | TCP H.323 | yes | closed | H.323 signaling. Note 8, Note 10
CM, CLAN | 5000–5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000–9999) | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Third Party GK or GW | 1024–65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Admin Device | 1024–65535 | CM | 2222 | TCP SSH | yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024–65535 | CM | 2376 | TCP TLS | yes | closed | TLS encrypted exchange between Docker daemons (see Note 24)
H.248 GW | 1024–65535 | CM or CLAN | 2944 | TCP H.248 | yes | closed | TLS encrypted H.248. Note 8, Note 13
H.248 GW | 1024–65535 | CM or CLAN | 2945 | TCP H.248 | yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024–65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024–65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024–65535 | CM or CLAN | 5060 (5000–9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024–65535 | CM or CLAN | 5061 (5000–9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024–65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (SW duplication) – Server 1. Note 10
CM | 1024–65535 | CM | 6514 | TLS SYSLOG | yes | closed | Server Log Files
AE Services | 1024–65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20
CM | 1024–65535 | CM | 9000 | TCP Proprietary | no | open | DGB (debugging tool)
AMS | 1024–65535 | CM | 9061 (5000–9999) | TCP TLS SIPS | yes | closed | SIP. Note 22
CM Array Mgmt | 1024–65535 | CM | 9988 | TCP | yes | closed | Exchange between Kafka (container) client and a Kafka Broker (see Note 24)
CM | 1024–65535 | CM | 12080 | TCP TLS (proprietary, optionally encrypted) | no | closed | Dupmgr (SW duplication) – Server 2. Note 10
CM, SCS, SRS | 20873–21872 | CM, SCS, SRS | 20873–21872 | TCP TLS | no | open | Internal Filesync communication. Note 21
CM, SCS, SRS | 1024–65535 | CM – SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18
CM, SCS, SRS | 1024–65535 | CM | 21874 | TCP TLS | no | open | Filesync over SSL. Note 19
G650 | 1024–65535 | CM or CLAN | 59000–59200 | TCP H.245 | no | open | H.245

Notes for Table 1

1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change: Service Name "SSH Server (SCP/SFTP 22)", and set Service State to Disabled.

2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).

3. This note for IP phone download was removed since it has been in disuse for many years.

4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select "Configure individual services" -> Continue -> select "Configure Time Server" -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, the duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).

5. By default the Simple Network Management Protocol (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.

6. By default the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.

7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.

8. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options" and see "Processor Ethernet" on page 4.

9. The Arbiter service is only enabled on duplicated servers. The Arbiter process (1) decides which server is healthier and more able to be active, and (2) coordinates data shadowing between servers under the Duplication Manager's control.

10. Duplicated port 5098 is for Server 1 and port 12080 is for Server 2.

11. CM as the destination applies only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5–10 per second.

12. In CM 3.1 or later the High Priority SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change: Service Name "High Priority SSH (2222)", and set Service State to Disabled. Prior to CM 3.1 the High Priority SSH service could be blocked in the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for "Server hp-sshd".

13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100.

14. In CM 3.1 or later the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change: Service Name "SAT (SSH 5022)", and set Service State to Disabled.

15. In CM 3.1 or later the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change: Service Name "SAT (Telnet 5023)", and set Service State to Disabled.

16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).

19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).

20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).

21. The ports used for internal filesync communication default to 20873–20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.

22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.

24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
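The Default Port State column of Table 1 is something an administrator should verify from an admin host rather than trust, since the column assumes Processor Ethernet is enabled and several "closed" services (Telnet 23, SAT Telnet 5023, SIP 5060) can be switched on. The script below is an added example, not Avaya code: it classifies a TCP port as open, closed or filtered using the section 1.2 vocabulary, probes the ports transcribed from Table 1, and reports every port whose observed state disagrees with the documented default or that is open but absent from the matrix. The port subset in MATRIX and the target host are assumptions; extend MATRIX from Table 1 for a full check.

```python
"""Audit a CM host against its port matrix (added example, not Avaya code)."""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class MatrixRow:
    port: int
    proto: str          # "tcp" or "udp"
    service: str
    default_state: str  # Default Port State column: "open" or "closed"
    optional: bool      # Optionally Enabled/Disabled column


# Subset of Table 1 (listen ports) transcribed from the matrix; extend as needed.
MATRIX = [
    MatrixRow(22,   "tcp", "SSH/SCP/SFTP (OS admin)", "open",   True),
    MatrixRow(23,   "tcp", "Telnet (OS admin)",       "closed", True),
    MatrixRow(80,   "tcp", "HTTP web admin (banner)", "open",   False),
    MatrixRow(443,  "tcp", "HTTPS web admin",         "open",   False),
    MatrixRow(2222, "tcp", "High Priority SSH",       "open",   True),
    MatrixRow(5022, "tcp", "SAT over SSH",            "open",   True),
    MatrixRow(5023, "tcp", "SAT over Telnet",         "closed", True),
    MatrixRow(5060, "tcp", "SIP",                     "closed", True),
    MatrixRow(5061, "tcp", "SIPS",                    "closed", True),
    MatrixRow(9000, "tcp", "DGB (debugging tool)",    "open",   False),
]


def classify_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify host:port with the section 1.2 vocabulary.

    Completed handshake -> "open"; immediate RST (ECONNREFUSED) -> "closed";
    no answer within the timeout, or an unreachable path -> "filtered",
    meaning something between here and the service dropped the SYN.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def scan(host: str, matrix=MATRIX, timeout: float = 2.0) -> dict:
    """Probe every TCP port in the matrix on host; returns port -> state."""
    return {r.port: classify_tcp_port(host, r.port, timeout)
            for r in matrix if r.proto == "tcp"}


def audit(observed: dict, matrix=MATRIX) -> list:
    """Compare observed TCP states (port -> state) with the matrix.

    Returns (port, service, expected, observed) for every matrix port whose
    state differs from the documented default (e.g. Telnet 23 found open) and
    for every open port the matrix does not list at all ("undocumented").
    """
    by_port = {r.port: r for r in matrix if r.proto == "tcp"}
    findings = []
    for port, state in sorted(observed.items()):
        row = by_port.get(port)
        if row is None:
            if state == "open":
                findings.append((port, "undocumented", "absent", "open"))
        elif state != row.default_state:
            findings.append((port, row.service, row.default_state, state))
    return findings


def self_check() -> tuple:
    """Exercise the classifier offline on loopback: a local listener must read
    as "open" and the same port as "closed" once the listener is gone."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    port = lst.getsockname()[1]
    while_open = classify_tcp_port("127.0.0.1", port, 1.0)
    lst.close()
    after_close = classify_tcp_port("127.0.0.1", port, 1.0)
    return while_open, after_close


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # hypothetical CM host
    for port, service, expected, seen in audit(scan(target)):
        print(f"port {port} ({service}): matrix says {expected}, observed {seen}")
```

Run it from the admin network, not from the in-band voice side: a port that reads "filtered" from the voice network but "open" from the management network is exactly what Note 23 asks for, so record which interface the probe reached. UDP services (NTP 123, SNMP 161/162, syslog 514) need a protocol-aware probe and are deliberately excluded here.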

Table 2: Talk-only Ports for Communication Manager

If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.

Columns: Source System | Source Port (non-configurable range) | Destination System | Destination Port (configurable range in parentheses) | Network/Application Protocol | Optionally Enabled/Disabled | Description

CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages, ping, etc. IP Protocol Number 1
CM or CLAN | 1024–65535 | DNS Server | 53 | UDP DNS | no | DNS Requests and Responses
CM | 1024–65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1
CM | 1024–65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7
CM | 1024–65535 | SNMP NMS | 162 (0–65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024–65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024–65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage
SRS | 514 | CM 1.3 or older | 512–1023, not configurable (Note 3) | TCP RSH | yes | Legacy Filesync Service. Note 3
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8
CM RADIUS Client | 1024–65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS-based login processing. Note 9
CM | 1024–65535 | IPSI | 1956 | TCP Proprietary | no | IPSI Command Server Service
CM | 1024–65535 | IPSI | 5010 | TCP Proprietary | no | IPSI Server control channel
CM | 1024–65535 | IPSI | 5011 | TCP Proprietary | no | IPSI Server IPSI version channel
CM | 1024–65535 | IPSI | 5012 | TCP Proprietary | no | IPSI Server serial number channel
CM SafeWord Client | 1024–65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord-based login processing. Note 9
CM | 1024–65535 | SIP Trunks | 5060 (1–65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024–65535 | SIP Trunks | 5061 (1–65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024–65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID-based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024–65535 | TCP Proprietary | no | Audix Digital Networking
CM | 1024–65535 | AMS | 9061 (1–65535) | TCP TLS SIPS | yes | SIP. Note 10

Notes for Table 2

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the NTP client on the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.

2. By default the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.

3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512–1023, but it is not configurable.

4. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options" and see "Processor Ethernet" on page 4.

5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

7. CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.

8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440–61444.

9. Disabled by default. Requires root access to enable.

10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.
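Note 23 of Table 1 and Note 11 of Table 2 both call for host firewall rules on the in-band interface, and section 1 says the iptables service on the CM server is where those rules belong. The script below is an added example, not Avaya's tooling: it renders the note's port list as iptables commands for review, with a companion function that restricts the same management ports on the out-of-band interface to an administered admin subnet, and a small helper that replays "-I INPUT" semantics so the resulting rule order can be checked offline. The interface names eth1 (voice) and eth2 (management) and the subnet 10.0.0.0/24 are assumptions used only in the usage line.

```python
"""Render Note 23 / Note 11 as iptables commands (added example, not Avaya tooling)."""
import sys

# Management ports the note says to block on the in-band (voice) interface.
MGMT_TCP = (22, 23, 80, 443, 2222, 5022, 5023)
MGMT_UDP = (161, 162)


def inband_block_rules(voice_iface: str) -> list:
    """iptables commands that DROP management-port traffic arriving on the
    in-band interface. '-I' inserts ahead of any blanket ACCEPT already in
    INPUT; DROP rather than REJECT so a scanner on the voice network sees the
    ports as filtered instead of learning they exist."""
    rules = []
    for proto, ports in (("tcp", MGMT_TCP), ("udp", MGMT_UDP)):
        for port in ports:
            rules.append(
                f"iptables -I INPUT -i {voice_iface} -p {proto} --dport {port} -j DROP")
    return rules


def oob_restrict_rules(mgmt_iface: str, admin_net: str) -> list:
    """Companion rules for the out-of-band interface: only admin_net may reach
    the management ports, everything else on them drops. DROPs are emitted
    first and ACCEPTs last so that running them in order with '-I' leaves the
    ACCEPTs above the DROPs in the chain."""
    tcp = ",".join(str(p) for p in MGMT_TCP)
    udp = ",".join(str(p) for p in MGMT_UDP)
    return [
        f"iptables -I INPUT -i {mgmt_iface} -p tcp -m multiport --dports {tcp} -j DROP",
        f"iptables -I INPUT -i {mgmt_iface} -p udp -m multiport --dports {udp} -j DROP",
        f"iptables -I INPUT -i {mgmt_iface} -s {admin_net} -p tcp -m multiport --dports {tcp} -j ACCEPT",
        f"iptables -I INPUT -i {mgmt_iface} -s {admin_net} -p udp -m multiport --dports {udp} -j ACCEPT",
    ]


def simulate_chain(commands: list) -> list:
    """Replay '-I INPUT' (insert at top) against an empty chain and return the
    resulting rule order, top first, so ordering can be checked offline."""
    chain = []
    for cmd in commands:
        chain.insert(0, cmd.split(" INPUT ", 1)[1])
    return chain


def accepts_before_drops(commands: list) -> bool:
    """True if no ACCEPT ends up below a DROP in the simulated chain."""
    seen_drop = False
    for rule in simulate_chain(commands):
        if rule.endswith("-j DROP"):
            seen_drop = True
        elif rule.endswith("-j ACCEPT") and seen_drop:
            return False
    return True


if __name__ == "__main__":
    # Assumed interface names and admin subnet; pass real ones as arguments.
    voice, mgmt, admin = (sys.argv[1:4] if len(sys.argv) == 4
                          else ("eth1", "eth2", "10.0.0.0/24"))
    for cmd in inband_block_rules(voice) + oob_restrict_rules(mgmt, admin):
        print(cmd)
```

Review the printed commands before piping them to a shell, apply them from the out-of-band side so that a mistake cannot lock you out of the interface you are working from, and confirm the result with "iptables -S INPUT". Check how the CM host's own firewall administration (Server (Maintenance) -> Security -> Firewall, per Note 12) persists rules before adding any by hand, since hand-added rules that are not saved the same way will not survive a restart.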

1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information that used to appear in Table 1 has been removed, because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.


2 Port Usage Diagram

[Figure: Port Usage Diagram. The diagram is an image and is not reproduced here; the text it contains is listed below.]

Center: Avaya Aura® Communication Manager
Legend (line types): HTTP/HTTPS; SIP(S)/H.323; SSH; SNMP; Proprietary; ICMP; Other
Peers shown: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any
Port labels shown:
  HTTPS TCP 443, HTTP TCP 80, SSH TCP 22, SSH TCP 2222, SSH TCP 5022, Telnet TCP 23, Telnet TCP 5023
  HTTP TCP 81 (still drawn in the diagram although Issue 1.1 removed port 81 from the tables), HTTPS TCP 411
  SNMP UDP 161, SNMP UDP 162
  H.323 TCP default 1719, H.323 UDP 1719 (for registration), H.323 TCP 1720, H.323 TCP 1300
  SIP TCP default 5060, SIP TCP default 5061, SIP TCP default 9061
  NTP UDP 123, Syslog UDP 514, Syslog TLS 6514, Array Docker TCP 2376, Array Kafka TCP 9988
  Arbiter UDP 1332, Dupmgr TCP 5098 / 12080, DGB TCP 9000, Filesync TCP 20873–21874
  ASAI TCP 8765, H.248 TCP 1039, H.248 TCP 2944, H.248 TCP 2945, H.245 TCP 59000–59200
  ICMP


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC: multiple applications may be receiving information simultaneously. In this example email may use destination TCP port 25, a browser may use destination TCP port 80, and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application, because the port numbers identify which application each mini-stream belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both the source and the destination IP device. The pairing of an IP address and a port number is called a socket (discussed later). Therefore each data stream is uniquely identified by two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).

Well-Known Ports are those numbered from 0 through 1023.

Registered Ports are those numbered from 1024 through 49151.

Dynamic Ports are those numbered from 49152 through 65535.

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers

Well-Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well-understood application and range from 0 to 1023.


In UNIX and Linux operating systems only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".

Registered Ports

Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, of the ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called "private ports", are available for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to them. The dynamic port range is 49152 – 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the port number associated with the IP address 192.168.5.17. A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique; if any one of the four elements differs, the data flow is unique. The following three data flows are uniquely identified by port number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second socket as data flow 1, but since the port number on the first socket differs, the data flow is unique. Data flow 3 differs from data flow 1 only in one octet of the second IP address, and is unique for the same reason. Therefore if one IP address octet changes or one port number changes, the data flow is unique.

Socket Example Diagram

Client -> Web Server (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80
Web Server -> Client (TCP info): Source 10.10.10.47:80, Destination 192.168.1.10:1369

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.

Notice the client egress stream includes the client's source IP and port (1369) and the destination IP and port (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 17

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms, or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [2].

Firewall Policies

The goals of firewall policies are to monitor, authorize, and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[2] The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.


1 Communication Manager Components

Data flows and their sockets are owned and directed by an application. It is possible for a server to have more than one application, but this document only covers the CM application, not other applications running in separate virtual machines under VMware on the same hardware. For the CM application, sockets are created on the network interfaces, but these may not be sourced from the server. The source may be the server's Processor Ethernet (PE), but it may be another network element such as a CLAN circuit pack. For the purposes of firewall configuration these sockets are sourced from the server, so the firewall (iptables service) should be running on the same server.

Component | Interface | Description
CM | Ethernet | All traffic

The above table says only Ethernet, but that interface may be either CM's Processor Ethernet or the Ethernet interface on a CLAN circuit pack. Each of the various Avaya CM servers has a number of network interfaces (up to 5), each of which has its own IP address. The following table illustrates how different processor models make use of various network interfaces (NICs). In the table below, the first number in an entry is an IP address and the second the maximum supported speed in megabits per second. Interfaces assigned address 192.11.13.6 are for the Avaya Services Laptop, labeled eth2 in the table. Interfaces assigned address 192.11.13.13 or 192.11.13.14 are for the server duplication link, labeled eth3 in the table. Addresses of the form 127.0.0.0/8 are host loopback or internal addresses. Addresses marked "administered" are assigned by the customer from the customer's network.

Note: IP addresses for the Ethernet ports in this table are shown as examples only.

Interface [1] | S8300D | S8300E | R610, R620, DL360G7, DL360PG8 (Simplex) | R610, R620, DL360G7, DL360PG8 (Duplex)
eth0 | 192.11.13.6, 1000 | 192.11.13.6, 1000 | administered, 1000 | administered, 1000
eth0:0 | -- | -- | -- | --
eth1 | inet6, 1000 | inet6, 1000 | 192.11.13.6, 1000 | 192.11.13.6, 1000
eth10000 | 135971116 | 135971116 | -- | --
eth14093 | 169254131 | 169254131 | -- | --
eth2 | -- | administered, 1000 | administered, 1000 | administered, 1000
eth2:0 | -- | -- | -- | --
eth3 | -- | -- | -- | 192.11.13.13 (Server 1) and 192.11.13.14 (Server 2), 1000
eth3:0 | -- | -- | -- | --
eth4 | -- | -- | -- | --
eth4:0 | -- | -- | -- | --

[1] A colon in the interface name indicates an alias. A period in the interface name indicates a VLAN.

1.1 Document Change History

Event: Version 1.0 issued for a new CM R8.1 minor release
Document date: 18 Apr 2019
Change description: Document stored as <190586>. A summary of changes:
• Syslog over TLS uses TCP port 6514
• CM Array feature uses TCP port 2376 for communication between Docker daemons
• CM Array feature uses TCP port 9988 for communication between a container (Kafka) client and the container Broker

Event: Version 1.1 was re-edited to correct some document errors
Change description: A summary of changes:
• Removed port 81. We have not supported HTTP IP phone updates for many years.
• Updated the Port Matrix diagram to move “Array Kafka” to point to the “Other” block.


Port Usage Tables

1.2 Port Usage Table Heading Definitions

Source System: System name or type that initiates connection requests.

Source Port: This is the default layer-4 port number of the connection source. Valid values include 0 – 65535. A “(C)” next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values include 0 – 65535. A “(C)” next to the port number means that the port number is configurable.

Network/Application Protocol: This is the name associated with the layer-4 protocol and layers 5-7 application.

Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values include Yes or No.

“No” means the default port state cannot be changed (e.g., enabled or disabled).

“Yes” means the default port state can be changed and that the port can either be enabled or disabled.

Default Port Listen State: A listen port is either open, closed, or filtered.

Open listen ports will respond to queries.

Closed listen ports may or may not respond to queries and are only listed when they can be optionally enabled.

Filtered listen ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP ports will respond to queries but will not allow connectivity.

Description: Connection details. Some descriptions have a reference to the Notes section after each table for specifics on any of the row data.


1.3 Port Tables

Below are the tables which document the port usage for this product. Note that a large number of IP ports used by CM's Processor Ethernet interface have the same IP port numbers as those used on CLAN circuit packs in port networks. In many ways, the CLAN circuit packs act as remote network interface cards for the processor controlling them. Therefore, the following CM port matrix table includes CLAN ports. The affected ports are noted.

In a theoretical sense, all IP ports on CM are optionally enabled/disabled with default port state closed. That's because, by default, CM's Processor Ethernet is disabled. For practical purposes, almost all systems will have the Processor Ethernet port enabled. The enable/disable column in the following table assumes it's enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4, see "Processor Ethernet".

Table 1: Listen Ports for Communication Manager

Columns: Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description

any | N/A (N/A) | CM | N/A (N/A) | ICMP | yes | open | ICMP messages, ping etc. IP Protocol Number 1
Admin Device | 1024 – 65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23
Admin Device | 1024 – 65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interfaces over Telnet. Note 23
Admin Device | 1024 – 65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23
IPSI | 1024 – 65535 | CM | 123 | UDP NTP | Yes | closed | Network Time Protocol (NTP)
CM, SCS, SRS | 1024 – 65535 | CM | 123 | UDP NTP | Yes | closed | Network Time Protocol (NTP)
SNMP NMS | 1024 – 65535 | CM | 161 | UDP SNMP Agent | Yes | closed | SNMP (server). Note 5, Note 23
SNMP NMS | 1024 – 65535 | CLAN | 161 | UDP SNMP Agent | Yes | closed | SNMP (server). Note 23
Gateway, CM, SCS, SRS, UPS | 1024 – 65535 | CM | 162 | UDP SNMP Trap | Yes | closed | SNMP traps (server) collection. Note 6, Note 23
IP Phone | 1024 – 2048 | CM, CLAN | 411 | TCP HTTPS | No | open | HTTPS IP Phone configuration file download. Note 3
Admin Device, SCS, SRS | 1024 – 65535 | CM | 443 | TCP HTTPS | No | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024 – 65535 | CM | 514 | UDP SYSLOG, TCP SYSLOG | Yes | closed | TN Board Logging & Server Log Files
CM 1.3 or older | 512 – 1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync Service. Note 7
H.248 Media Gateways | 1024 – 65535 | CM or CLAN | 1039 | TCP Encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024 – 5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling
CM | 1024 – 65535 | CM | 1332 | UDP DES Encrypted Proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | Yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024 – 65535 | CM or CLAN | 1719 | TCP H.323 | Yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500 – 6500 | CM or CLAN | 1720 | TCP H.323 | Yes | closed | H.323 signaling. Note 8, Note 10
CM, CLAN | 5000 – 5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000 – 9999) | TCP H.323 | Yes | closed | H.323 IP trunk Signaling Ports, admin via SAT
Third Party GK or GW | 1024 – 65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | Yes | closed | H.323 IP trunk Signaling Ports, admin via SAT
Admin Device | 1024 – 65535 | CM | 2222 | TCP SSH | Yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024 – 65535 | CM | 2376 | TCP TLS | Yes | closed | TLS encrypted exchange between Docker daemons (see Note 24)
H.248 GW | 1024 – 65535 | CM or CLAN | 2944 | TCP H.248 | Yes | closed | TLS encrypted H.248. Note 8, Note 13
H.248 GW | 1024 – 65535 | CM or CLAN | 2945 | TCP H.248 | Yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024 – 65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024 – 65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024 – 65535 | CM or CLAN | 5060 (5000 – 9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024 – 65535 | CM or CLAN | 5061 (5000 – 9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024 – 65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | Open | Dupmgr (SW duplication) – Server 1. Note 22
CM | 1024 – 65535 | CM | 6514 | TLS SYSLOG | yes | closed | Server Log Files
AE Services | 1024 – 65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20
CM | 1024 – 65535 | CM | 9000 | TCP Proprietary | No | Open | DGB (debugging tool)
AMS | 1024 – 65535 | CM | 9061 (5000 – 9999) | TCP/TLS SIPS | Yes | closed | SIP. Note 22
CM Array Mgmt | 1024 – 65535 | CM | 9988 | TCP | Yes | closed | Exchange between Kafka (container) client and a Kafka Broker (see Note 24)
CM | 1024 – 65535 | CM | 12080 | TCP TLS | no | Closed | Dupmgr (SW duplication) – Server 2. Note 10. Proprietary, optionally encrypted
CM, SCS, SRS | 20873 – 21872 | CM, SCS, SRS | 20873 – 21872 | TCP TLS | no | open | Internal Filesync communication. Note 21
CM, SCS, SRS | 1024 – 65535 | CM – SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18
CM, SCS, SRS | 1024 – 65535 | CM | 21874 | TCP TLS | No | open | Filesync over SSL. Note 19
G650 | 1024 – 65535 | CM or CLAN | 59000 – 59200 | TCP H.245 | No | open | H.245

NOTES

1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SSH Server (SCP/SFTP 22)" and set Service State to Disabled.

2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects “Continue”, this port automatically redirects to HTTPS (443/tcp).

3. This note for IP phone download was removed since it has been in disuse for many years.

4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select "Configure individual services" -> Continue -> select "Configure Time Server" -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).

5. By default, the Simple Network Management (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured via authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> add/change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.

6. By default, the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.

7. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.

8. By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4, see "Processor Ethernet".

9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active, and 2) coordinates data shadowing between servers under the Duplication Manager’s control.

10. Duplicated Port 5098 is for Server 1 and Port 12080 is for Server 2.

11. CM as the destination is only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.

12. In CM 3.1 or later, the High Priority SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "High Priority SSH (2222)" and set Service State to Disabled. Prior to CM 3.1, the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server hp-sshd.

13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.

14. In CM 3.1 or later, the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SAT (SSH 5022)" and set Service State to Disabled.

15. In CM 3.1 or later, the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SAT (Telnet 5023)" and set Service State to Disabled.

16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g., wrongly attempting to use 5060 for TLS.

17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g., wrongly attempting to use 5060 for TLS.

18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).

19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).

20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).

21. Ports used for internal filesync communication default to 20873 – 20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.

22. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.

23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.

24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
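The following Python is an added example, not Avaya's code or configuration: it turns a constructed subset of Table 1 into ordered host-firewall rules that apply Note 23 (management ports reachable only on the out-of-band interface, dropped on the in-band voice interface), and it models the "automatic return path" feature from the Firewall Policies section with a state table keyed on the socket pair. Interface names eth0/eth1, all addresses, the iptables rendering and the set of enabled ports are assumptions for the example.

```python
"""Host-firewall policy derived from CM listen ports (added example, not Avaya's).

Models two points from the text: Note 23 (block the management ports on the
in-band voice interface when another interface is dedicated to out-of-band
management) and the "automatic return path" feature from Firewall Policies
(one rule for the initiator; the reverse direction comes from a state table).
Interface names, addresses and the enabled-port set are assumptions.
"""
from dataclasses import dataclass

# Note 23: management ports that must not be reachable on the in-band interface.
MGMT_PORTS = {("tcp", p) for p in (80, 443, 22, 2222, 5022, 23, 5023)} | {
    ("udp", 161), ("udp", 162)}

# Constructed subset of Table 1: (protocol, CM listen port) rows assumed to be
# enabled on this server. Default-closed rows that stay disabled are omitted.
ENABLED_LISTEN_PORTS = {
    ("tcp", 22), ("tcp", 443), ("tcp", 5022),   # OS admin, web admin, SAT
    ("udp", 161),                               # SNMP agent (Note 5)
    ("tcp", 2944),                              # TLS H.248 from gateways
    ("tcp", 5061), ("udp", 1719),               # SIPS trunks, H.225 RAS
}


@dataclass(frozen=True)
class Rule:
    iface: str    # ingress interface the rule applies to
    proto: str    # "tcp" or "udp"
    dport: int    # CM listen port (destination port of the initiator's packet)
    action: str   # "ACCEPT" or "DROP"

    def iptables(self) -> str:
        """Render as an iptables INPUT rule (assumed syntax, for illustration)."""
        return (f"iptables -A INPUT -i {self.iface} -p {self.proto} "
                f"--dport {self.dport} -j {self.action}")


def build_rules(listen_ports, oob_iface: str, inband_iface: str):
    """Ordered first-match rules: management ports only on the OOB interface,
    everything else on the in-band interface; unlisted ports fall through."""
    rules = []
    for proto, dport in sorted(listen_ports):
        if (proto, dport) in MGMT_PORTS:
            rules.append(Rule(oob_iface, proto, dport, "ACCEPT"))
            rules.append(Rule(inband_iface, proto, dport, "DROP"))
        else:
            rules.append(Rule(inband_iface, proto, dport, "ACCEPT"))
    return rules


class HostFirewall:
    """First-match packet filter with a state table keyed on the socket pair
    (proto, src_ip, sport, dst_ip, dport). Accepting a new inbound flow also
    records its reverse, so replies leave without a second explicit rule.
    Talk-only flows that CM itself initiates (Table 2) are not modelled."""

    def __init__(self, rules, policy: str = "DROP"):
        self.rules = list(rules)
        self.policy = policy
        self.state = set()

    def ingress(self, iface, proto, src, sport, dst, dport) -> str:
        flow = (proto, src, sport, dst, dport)
        if flow in self.state:
            return "ACCEPT"                      # established flow
        for r in self.rules:
            if (r.iface, r.proto, r.dport) == (iface, proto, dport):
                if r.action == "ACCEPT":
                    self.state.add(flow)
                    self.state.add((proto, dst, dport, src, sport))  # return path
                return r.action
        return self.policy                       # no rule matched

    def egress(self, proto, src, sport, dst, dport) -> str:
        return "ACCEPT" if (proto, src, sport, dst, dport) in self.state else self.policy


def demo():
    """Check constructed sample packets against the derived policy."""
    cm = "10.1.2.3"   # constructed CM in-band address
    fw = HostFirewall(build_rules(ENABLED_LISTEN_PORTS, oob_iface="eth1", inband_iface="eth0"))
    return {
        "sips_inband": fw.ingress("eth0", "tcp", "10.1.9.9", 40001, cm, 5061),   # trunk: allowed
        "https_inband": fw.ingress("eth0", "tcp", "10.1.9.9", 40002, cm, 443),   # Note 23: dropped
        "https_oob": fw.ingress("eth1", "tcp", "192.0.2.10", 40003, cm, 443),    # OOB admin: allowed
        "sips_reply": fw.egress("tcp", cm, 5061, "10.1.9.9", 40001),             # return path
        "telnet_oob": fw.ingress("eth1", "tcp", "192.0.2.10", 40004, cm, 23),    # not enabled: policy
    }


if __name__ == "__main__":
    for r in build_rules(ENABLED_LISTEN_PORTS, "eth1", "eth0"):
        print(r.iptables())
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```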

Table 2: Talk-only Ports for Communication Manager

If a port is both listen and talk, it's covered by Table 1 rather than by Table 2.

Columns: Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Description

CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages, ping etc. IP Protocol Number 1
CM or CLAN | 1024 – 65535 | DNS Server | 53 | UDP DNS | No | DNS Requests and Responses
CM | 1024 – 65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1
CM | 1024 – 65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7
CM | 1024 – 65535 | SNMP NMS | 162 (0 – 65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024 – 65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024 – 65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage
SRS | 514 | CM 1.3 or older | Note 7 | TCP RSH | yes | Legacy Filesync Service. Note 7
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8
CM RADIUS Client | 1024 – 65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS based login processing. Note 9
CM | 1024 – 65535 | IPSI | 1956 | TCP Proprietary | no | IPSI Command Server Service
CM | 1024 – 65535 | IPSI | 5010 | TCP Proprietary | no | IPSI Server control channel
CM | 1024 – 65535 | IPSI | 5011 | TCP Proprietary | No | IPSI Server IPSI version channel
CM | 1024 – 65535 | IPSI | 5012 | TCP Proprietary | no | IPSI Server serial number channel
CM SafeWord Client | 1024 – 65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord based login processing. Note 9
CM | 1024 – 65535 | SIP Trunks | 5060 (1 to 65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024 – 65535 | SIP Trunks | 5061 (1 to 65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024 – 65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024 – 65535 | TCP Proprietary | no | Audix Digital Networking
CM | 1024 – 65535 | AMS | 9061 (1 to 65535) | TCP/TLS/SIPS | yes | SIP. Note 10

NOTES

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.

2. By default, the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured via authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.

3. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 – 1023, but it's not configurable.

4. By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4, see "Processor Ethernet".

5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g., wrongly attempting to use 5060 for TLS.

6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g., wrongly attempting to use 5060 for TLS.

7. CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.

8. Source port is configurable using the “change ip-network-region” SAT command (page 2). The default is 61440 – 61444.

9. Disabled by default. Requires root access to enable.

10. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.

11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.

1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information, similar to the following, has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.


2 Port Usage Diagram

[Figure: Port usage diagram for Avaya Aura® Communication Manager. Port groups drawn in the diagram: HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP, Other. Peer systems shown: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any. Port labels shown: HTTPS-TCP 443, HTTP-TCP 80, SSH-TCP 22, SSH-TCP 2222, SSH-TCP 5022, HTTP-TCP 81, HTTPS-TCP 411, SNMP-UDP 161, SNMP-UDP 162, H.323-TCP default 1719, H.323-UDP 1719, H.323-TCP 1720, SIP-TCP default 5060, SIP-TCP default 5061, SIP-TCP default 9061, Telnet-TCP 23, Telnet-TCP 5023, NTP-UDP 123, Syslog-UDP 514, Array Docker-TCP 2376, Arbiter-UDP 1332, Dupmgr-TCP 5098/12080, DGB-TCP 9000, Filesync-TCP 20873–21874, ICMP, Syslog-TLS 6514, Array Kafka-TCP 9988, ASAI-TCP 8765, H.323-TCP 1300, H.248-TCP 1039, H.248-TCP 2944, H.248-TCP 2945, H.245-TCP 59000–59200, H.323-UDP 1719 (for registration).]


Appendix A Overview of TCPIP Ports

What are ports and how are they used

TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams Consider your desktop PC Multiple applications may be simultaneously receiving information In this example email may use destination TCP port 25 a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Furthermore each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs Every IP device has incoming (Ingress) and outgoing (Egress) data streams

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).

Well-Known Ports are those numbered from 0 through 1023.

Registered Ports are those numbered from 1024 through 49151.

Dynamic Ports are those numbered from 49152 through 65535.

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers

Well-Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well understood application and range from 0 to 1023.

In UNIX and Linux operating systems only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".

Registered Ports

Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248 and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152 – 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow or conversation requires two sockets – one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore, if one IP address octet changes or one port number changes, the data flow is unique.

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.
Client -> Web Server (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80
Web Server -> Client (TCP info): Source 10.10.10.47:80, Destination 192.168.1.10:1369

Notice the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.


Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [2].

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[2] The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.


1 Communication Manager Components

Data flows and their sockets are owned and directed by an application. It is possible for a server to have more than one application, but this document only covers the CM application, not other applications running in separate virtual machines under VMware on the same hardware. For the CM application, sockets are created on the network interfaces, but these may not be sourced from the server. The source may be the server's Processor Ethernet (PE), but it may be another network element such as a CLAN circuit pack. For the purposes of firewall configuration these sockets are sourced from the server, so the firewall (iptables service) should be running on the same server.

Component | Interface | Description
CM | Ethernet | All traffic

The above table says only Ethernet, but that interface may be either CM's Processor Ethernet or the Ethernet interface on a CLAN circuit pack. Each of the various Avaya CM servers has a number of network interfaces (up to 5), each of which has its own IP address. The following table illustrates how different processor models make use of various network interfaces (NICs). In the table below, the first number in an entry is an IP address and the second is the maximum supported speed in megabits per second. Interfaces assigned address 192.11.13.6 are for the Avaya Services Laptop, labeled eth2 in the table. Interfaces assigned address 192.11.13.13 or 192.11.13.14 are for the server duplication link, labeled eth3 in the table. Addresses of the form 127.0.0.0/8 are host loopback or internal addresses. Addresses marked "administered" are assigned by the customer from the customer's network.

Note: IP addresses for the Ethernet ports in this table are shown as examples only.

Interface [1] | S8300D | S8300E | R610, R620, DL360G7, DL360PG8 (Simplex) | R610, R620, DL360G7, DL360PG8 (Duplex)
eth0 | 192.11.13.6, 1000 | 192.11.13.6, 1000 | administered, 1000 | administered, 1000
eth0:0 | -- | -- | -- | --
eth1 | inet6, 1000 | inet6, 1000 | 192.11.13.6, 1000 | 192.11.13.6, 1000
eth10000 | 135971116 | 135971116 | -- | --
eth14093 | 169254131 | 169254131 | -- | --
eth2 | -- | administered, 1000 | administered, 1000 | administered, 1000
eth2:0 | -- | -- | -- | --
eth3 | -- | -- | -- | 192.11.13.13 (Server 1) and 192.11.13.14 (Server 2), 1000
eth3:0 | -- | -- | -- | --
eth4 | -- | -- | -- | --
eth4:0 | -- | -- | -- | --

[1] A colon in the interface name indicates an alias. A period in the interface name indicates a VLAN.

1.1 Document Change History

EVENT | DOCUMENT DATE | CHANGE DESCRIPTION
Version 1.0 issued for a new CM R8.1 minor release | 18 Apr 2019 | Document stored as <190586>. A summary of changes: (1) Syslog over TLS uses TCP port 6514. (2) CM Array feature uses TCP port 2376 for communication between Docker daemons. (3) CM Array feature uses TCP port 9988 for communication between a container (Kafka) client and the container Broker.
Version 1.1 was re-edited to correct some document errors | | A summary of changes: (1) Removed port 81. We have not supported HTTP IP phone updates for many years. (2) Updated the Port Matrix diagram to move "Array Kafka" to point to the "Other" block.


Port Usage Tables

1.2 Port Usage Table Heading Definitions

Source System: System name or type that initiates connection requests.

Source Port: This is the default layer-4 port number of the connection source. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.

Network/Application Protocol: This is the name associated with the layer-4 protocol and the layer 5-7 application.

Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values include Yes or No.
"No" means the default port state cannot be changed (i.e. it cannot be enabled or disabled).
"Yes" means the default port state can be changed and that the port can either be enabled or disabled.

Default Port Listen State: A listen port is either open, closed or filtered.
Open listen ports will respond to queries.
Closed listen ports may or may not respond to queries and are only listed when they can be optionally enabled.
Filtered listen ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP ports will respond to queries but will not allow connectivity.

Description: Connection details. Some descriptions have a reference to the Notes section after each table for specifics on any of the row data.


1.3 Port Tables

Below are the tables which document the port usage for this product. Note that a large number of IP ports used by CM's Processor Ethernet interface have the same IP port numbers as those used on CLAN circuit packs in port networks. In many ways the CLAN circuit packs act as remote network interface cards for the processor controlling them. Therefore the following CM port matrix table includes CLAN ports. The affected ports are noted.

In a theoretical sense, all IP ports on CM are optionally enabled/disabled with default port state closed. That's because by default CM's Processor Ethernet is disabled. For practical purposes almost all systems will have the Processor Ethernet port enabled. The enable/disable column in the following table assumes it's enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4 see "Processor Ethernet".

Table 1: Listen Ports for Communication Manager

Source System | Source Port (non-configurable range / configurable range) | Destination System | Destination Port (non-configurable range / configurable range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
any | N/A (N/A) | CM | N/A (N/A) | ICMP | yes | open | ICMP messages, ping etc. IP Protocol Number 1
Admin Device | 1024 – 65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23
Admin Device | 1024 – 65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interfaces over Telnet. Note 23
Admin Device | 1024 – 65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23
IPSI | 1024 – 65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP)
CM, SCS, SRS | 1024 – 65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP)
SNMP NMS | 1024 – 65535 | CM | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 5, Note 23
SNMP NMS | 1024 – 65535 | CLAN | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 23
Gateway, CM, SCS, SRS, UPS | 1024 – 65535 | CM | 162 | UDP SNMP Trap | yes | closed | SNMP traps (server) collection. Note 6, Note 23
IP Phone | 1024 – 2048 | CM, CLAN | 411 | TCP HTTPS | no | open | HTTPS IP Phone configuration file download. Note 3
Admin Device, SCS, SRS | 1024 – 65535 | CM | 443 | TCP HTTPS | no | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024 – 65535 | CM | 514 | UDP SYSLOG, TCP SYSLOG | yes | closed | TN Board Logging & Server Log Files
CM 1.3 or older | 512 – 1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync Service. Note 7
H.248 Media Gateways | 1024 – 65535 | CM or CLAN | 1039 | TCP Encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024 – 5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling
CM | 1024 – 65535 | CM | 1332 | UDP DES Encrypted Proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024 – 65535 | CM or CLAN | 1719 | TCP H.323 | yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500 – 6500 | CM or CLAN | 1720 | TCP H.323 | yes | closed | H.323 signaling. Note 8, Note 10
CM, CLAN | 5000 – 5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000 – 9999) | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Third Party GK or GW | 1024 – 65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Admin Device | 1024 – 65535 | CM | 2222 | TCP SSH | yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024 – 65535 | CM | 2376 | TCP TLS | yes | closed | TLS encrypted exchange between Docker daemons (see Note 24)
H.248 GW | 1024 – 65535 | CM or CLAN | 2944 | TCP H.248 | yes | closed | TLS encrypted H.248. Note 8, Note 13
H.248 GW | 1024 – 65535 | CM or CLAN | 2945 | TCP H.248 | yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024 – 65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024 – 65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024 – 65535 | CM or CLAN | 5060 (5000 – 9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024 – 65535 | CM or CLAN | 5061 (5000 – 9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024 – 65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (SW duplication) – Server 1. Note 22
CM | 1024 – 65535 | CM | 6514 | TLS SYSLOG | yes | closed | Server Log Files
AE Services | 1024 – 65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20
CM | 1024 – 65535 | CM | 9000 | TCP Proprietary | no | open | DGB (debugging tool)
AMS | 1024 – 65535 | CM | 9061 (5000 – 9999) | TCP/TLS SIPS | yes | closed | SIP. Note 22
CM Array Mgmt | 1024 – 65535 | CM | 9988 | TCP | yes | closed | Exchange between Kafka (container) client and a Kafka Broker (see Note 24)
CM | 1024 – 65535 | CM | 12080 | TCP TLS | no | closed | Dupmgr (SW duplication) – Server 2. Note 10. Proprietary, optionally encrypted
CM, SCS, SRS | 20873 – 21872 | CM, SCS, SRS | 20873 – 21872 | TCP TLS | no | open | Internal Filesync communication. Note 21
CM, SCS, SRS | 1024 – 65535 | CM – SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18
CM, SCS, SRS | 1024 – 65535 | CM | 21874 | TCP TLS | no | open | Filesync over SSL. Note 19
G650 | 1024 – 65535 | CM or CLAN | 59000 – 59200 | TCP H.245 | no | open | H.245

NOTES

1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, Service Name: SSH Server (SCP/SFTP, 22), and set Service State to Disabled.

2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).

3. This note for IP phone download was removed since it has been in disuse for many years.

4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select Configure individual services -> Continue -> select Configure Time Server -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).

5. By default the Simple Network Management (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured via authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.

6. By default the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.

7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.

8. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4 see "Processor Ethernet".

9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active, and 2) coordinates data shadowing between servers under the Duplication Manager's control.

10. Duplicated: Port 5098 is for Server 1 and Port 12080 is for Server 2.

11. CM as the destination applies only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.

12. In CM 3.1 or later the High Priority SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, Service Name: High Priority SSH (2222), and set Service State to Disabled. Prior to CM 3.1 the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server hp-sshd.

13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.

14. In CM 3.1 or later the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, Service Name: SAT (SSH, 5022), and set Service State to Disabled.

15. In CM 3.1 or later the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, Service Name: SAT (Telnet, 5023), and set Service State to Disabled.

16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).

19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).

20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).

21. Ports used for internal filesync communication default to 20873 – 20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.

22. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.

23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.

24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
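The Note 23 in-band/out-of-band split and the one-rule-versus-two-rules trade-off from the Firewall Policies discussion in Appendix A, as an added example that is not Avaya's code or configuration: the script turns a constructed excerpt of Table 1 into iptables rule strings, blocks the Note 23 management ports on the in-band interface, and flags listen ports that are both open by default and management ports. The interface names eth0 (out-of-band management) and eth1 (in-band voice) are assumptions; the port numbers come from the tables above.

```python
"""Derive iptables rules from a CM port-matrix excerpt (added example, not Avaya code).

Assumptions: eth0 is the dedicated out-of-band management interface and eth1 carries
in-band (voice) traffic; both names are hypothetical. Port numbers come from Table 1
and Note 23; the row subset below is a constructed excerpt, not the full table.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MatrixRow:
    source: str          # "Source System": the socket initiator
    src_ports: str       # source port range as printed, e.g. "1024-65535"
    dst_port: int        # CM listen port ("Destination Port")
    proto: str           # "tcp" or "udp"
    default_open: bool   # "Default Port State" == open
    description: str


# Constructed excerpt of Table 1 (listen ports on CM).
LISTEN_ROWS: List[MatrixRow] = [
    MatrixRow("Admin Device", "1024-65535", 22, "tcp", True, "OS administration over SSH"),
    MatrixRow("Admin Device", "1024-65535", 23, "tcp", False, "OS administration over Telnet"),
    MatrixRow("Admin Device", "1024-65535", 80, "tcp", True, "Web administration (redirects to 443)"),
    MatrixRow("Admin Device", "1024-65535", 443, "tcp", True, "Web administration over HTTPS"),
    MatrixRow("SNMP NMS", "1024-65535", 161, "udp", False, "SNMP agent"),
    MatrixRow("Admin Device", "1024-65535", 5022, "tcp", True, "SAT over SSH"),
    MatrixRow("SIP Trunks", "1024-65535", 5061, "tcp", False, "SIPS"),
    MatrixRow("H.248 Media Gateways", "1024-65535", 1039, "tcp", True, "Encrypted H.248"),
]

# Note 23: management ports that must not be reachable on the in-band interface.
MANAGEMENT_PORTS: Dict[str, Tuple[int, ...]] = {
    "tcp": (80, 443, 22, 2222, 5022, 23, 5023),   # http, ssh, telnet
    "udp": (161, 162),                            # SNMP
}


def block_management_on_inband(inband_iface: str) -> List[str]:
    """One DROP per Note 23 port, bound to the in-band interface only.
    -I (insert at head) keeps a later, broader ACCEPT from shadowing the block."""
    return [
        f"iptables -I INPUT -i {inband_iface} -p {proto} --dport {port} -j DROP"
        for proto, ports in MANAGEMENT_PORTS.items()
        for port in ports
    ]


def allow_open_listeners(rows: List[MatrixRow], iface: str, stateful: bool = True) -> List[str]:
    """ACCEPT rules for rows whose default state is open, on the given interface.

    With stateful=True one conntrack rule admits the reply stream of every flow, so only
    the initiator's direction (the matrix's Source -> Destination) needs a rule. With
    stateful=False each flow also gets an explicit OUTPUT rule for the return path: the
    two-rules-per-stream approach that Appendix A contrasts with automatic return paths.
    """
    rules: List[str] = []
    if stateful:
        rules.append("iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    for row in rows:
        if not row.default_open:
            continue                               # closed by default: no rule needed
        sport = row.src_ports.replace("-", ":")   # iptables range syntax low:high
        rules.append(
            f"iptables -A INPUT -i {iface} -p {row.proto} --sport {sport} "
            f"--dport {row.dst_port} -j ACCEPT"
        )
        if not stateful:
            rules.append(
                f"iptables -A OUTPUT -o {iface} -p {row.proto} --sport {row.dst_port} "
                f"--dport {sport} -j ACCEPT"
            )
    return rules


def exposed_management_ports(rows: List[MatrixRow]) -> List[int]:
    """Listen ports that are open by default AND are Note 23 management ports: the ones a
    missing in-band DROP rule would leave reachable from the voice network."""
    return sorted(
        row.dst_port for row in rows
        if row.default_open and row.dst_port in MANAGEMENT_PORTS[row.proto]
    )


if __name__ == "__main__":
    for rule in block_management_on_inband("eth1") + allow_open_listeners(LISTEN_ROWS, "eth0"):
        print(rule)
    print("open-by-default management ports:", exposed_management_ports(LISTEN_ROWS))
```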

Table 2: Talk-only Ports for Communication Manager

If a port is both listen and talk, it's covered by Table 1 rather than by Table 2.

Source System | Source Port (non-configurable range / configurable range) | Destination System | Destination Port (non-configurable range / configurable range) | Network/Application Protocol | Optionally Enabled/Disabled | Description
CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages, ping etc. IP Protocol Number 1
CM or CLAN | 1024 – 65535 | DNS Server | 53 | UDP DNS | no | DNS Requests and Responses
CM | 1024 – 65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1
CM | 1024 – 65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7
CM | 1024 – 65535 | SNMP NMS | 162 (0 – 65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024 – 65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024 – 65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage
SRS | 514 | CM 1.3 or older | Note 7 | TCP RSH | yes | Legacy Filesync Service. Note 7
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8
CM RADIUS Client | 1024 – 65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS based login processing. Note 9
CM | 1024 – 65535 | IPSI | 1956 | TCP Proprietary | no | IPSI Command Server Service
CM | 1024 – 65535 | IPSI | 5010 | TCP Proprietary | no | IPSI Server control channel
CM | 1024 – 65535 | IPSI | 5011 | TCP Proprietary | no | IPSI Server IPSI version channel
CM | 1024 – 65535 | IPSI | 5012 | TCP Proprietary | no | IPSI Server serial number channel
CM SafeWord Client | 1024 – 65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord based login processing. Note 9
CM | 1024 – 65535 | SIP Trunks | 5060 (1 to 65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024 – 65535 | SIP Trunks | 5061 (1 to 65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024 – 65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024 – 65535 | TCP Proprietary | no | Audix Digital Networking
CM | 1024 – 65535 | AMS | 9061 (1 to 65535) | TCP/TLS/SIPS | yes | SIP. Note 10

NOTES

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the media server's NTP can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.

2. By default the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured via authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.

3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 – 1023, but it's not configurable.

4. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4 see "Processor Ethernet".

5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

7. CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.

8. Source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 – 61444.

9. Disabled by default. Requires root access to enable.

10. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.

11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.

1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information, similar to the following, has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.

2 Port Usage Diagram

[Figure: port usage diagram for Avaya Aura® Communication Manager. The CM block is connected to the peer blocks Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; and Other or Any, with flows grouped as HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP and Other. Port labels shown in the diagram: HTTPS-TCP 443, HTTP-TCP 80, SSH-TCP 22, SSH-TCP 2222, SSH-TCP 5022, HTTP-TCP 81, HTTPS-TCP 411, SNMP-UDP 161, SNMP-UDP 162, H.323-TCP default 1719, H.323-UDP 1719 (for registration), H.323-TCP 1720, SIP-TCP default 5060, SIP-TCP default 5061, SIP-TCP default 9061, Telnet-TCP 23, Telnet-TCP 5023, NTP-UDP 123, Syslog-UDP 514, Array Docker-TCP 2376, Arbiter-UDP 1332, Dupmgr-TCP 5098/12080, DGB-TCP 9000, Filesync-TCP 20873-21874, ICMP, Syslog-TLS 6514, Array Kafka-TCP 9988, ASAI-TCP 8765, H.323-TCP 1300, H.248-TCP 1039, H.248-TCP 2944, H.248-TCP 2945, H.245-TCP 59000-59200.]


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be receiving information simultaneously. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80, and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both the source and the destination IP device. The pairing of an IP address and a port number is called a socket (discussed later). Therefore each data stream is uniquely identified by two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation. Note that the port number is only a convention: nothing prevents a different protocol from being served on port 443, so a filter that matches on port number alone cannot verify which protocol is actually in use.

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports, and Dynamic Ports (sometimes called Private Ports).

Well-Known Ports are those numbered from 0 through 1023.

Registered Ports are those numbered from 1024 through 49151.

Dynamic Ports are those numbered from 49152 through 65535.

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers

Well-Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session; well-known port 25 is waiting for an email session, and so on. These ports are tied to a well-understood application and range from 0 to 1023.


In UNIX and Linux operating systems only root (or, on Linux, a process holding the CAP_NET_BIND_SERVICE capability) may bind a listening socket to a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".

Registered Ports

Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, of the ports used by Avaya in this range are 1719/1720 for H.323, 5060/5061 for SIP and 2944 for H.248. The registered port range is 1024 - 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called "private ports", are available for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). They are the least likely to conflict with another application because no application type is registered against them. The dynamic port range is 49152 - 65535. Operating systems also draw client-side ephemeral (source) ports from this range, or on Linux from a configurable range such as 32768 - 60999, which is why the source-port columns in Tables 1 and 2 show ranges rather than single values.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the port number associated with the IP address. A data flow, or conversation, requires two sockets - one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by port number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.23.2:345
Data Flow 2: 172.16.16.14:1235 - 10.1.23.2:345
Data Flow 3: 172.16.16.14:1234 - 10.1.24.2:345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore, if one IP address octet changes or one port number changes, the data flow is unique. Strictly, the transport protocol is a fifth element: TCP 10.1.23.2:345 and UDP 10.1.23.2:345 are different endpoints, which is why stateful firewalls and connection-tracking tables key on the full 5-tuple.


[Figure 1: Socket example showing ingress and egress data flows from a PC to a web server. Client egress (HTTP GET): source 192.168.1.10:1369, destination 10.10.10.47:80. Ingress from the web server (TCP info): source 10.10.10.47:80, destination 192.168.1.10:1369.]

Notice the client egress stream includes the client's source IP and port (1369) and the destination IP and port (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
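The following is an added example and not part of the Avaya document: it builds the direction-independent flow keys that a stateful firewall or connection tracker uses, so that the egress and ingress halves of the Figure 1 conversation land in the same state-table entry. This is also the mechanism behind the automatic return-path feature described under Firewall Policies. The first two packets use the addresses from Figure 1; the remaining packets are constructed for the example.

```python
"""Added example, not part of the Avaya document: direction-independent
flow keys of the kind a stateful firewall or connection tracker uses, so
that the egress and ingress halves of the conversation in Figure 1 land
in the same state-table entry.

The first two packets use the addresses from Figure 1; the remaining
packets are constructed for the example.
"""
from collections import defaultdict


def flow_key(proto, src_ip, src_port, dst_ip, dst_port):
    """Canonical key for a conversation: the two sockets are ordered so
    that A->B and B->A give the same key. The transport protocol is part
    of the key because TCP and UDP on the same address:port are different
    endpoints (the 5-tuple, not just the four socket elements)."""
    a = (src_ip, src_port)
    b = (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def direction(opener, packet):
    """'egress' if packet travels the same way as the packet that opened
    the flow, 'ingress' if it is the reply direction."""
    return "egress" if packet[1:3] == opener[1:3] else "ingress"


def track(packets):
    """Group packets into flows. Returns {flow_key: [direction, ...]}.
    A return-path rule in a stateful firewall is exactly this: a reply is
    admitted because its reversed 4-tuple matches an existing entry."""
    flows = defaultdict(list)
    opener = {}
    for pkt in packets:
        key = flow_key(*pkt)
        opener.setdefault(key, pkt)
        flows[key].append(direction(opener[key], pkt))
    return dict(flows)


# Packets as (proto, src_ip, src_port, dst_ip, dst_port).
PACKETS = [
    ("tcp", "192.168.1.10", 1369, "10.10.10.47", 80),  # Figure 1: client HTTP GET
    ("tcp", "10.10.10.47", 80, "192.168.1.10", 1369),  # Figure 1: server reply
    ("tcp", "192.168.1.10", 1370, "10.10.10.47", 80),  # constructed: new source port
    ("udp", "192.168.1.10", 1369, "10.10.10.47", 80),  # constructed: same sockets, UDP
]

FIGURE1_KEY = flow_key("tcp", "192.168.1.10", 1369, "10.10.10.47", 80)

if __name__ == "__main__":
    for key, dirs in track(PACKETS).items():
        print(key, dirs)
```

Running the block groups the four constructed packets into three flows: the Figure 1 request and reply share one entry (egress, then ingress), the connection from source port 1370 is a second entry, and the UDP packet with the same four socket elements is a third, because the protocol is part of the key.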


Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)

Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against a set of criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning.[2]

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the port matrices (Tables 1 and 2) is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns: for UDP there is no handshake to track, so the "return path" is a time-limited pinhole to whichever source port the initiator used, and any datagram matching the reversed address and port pair is admitted regardless of its content.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[2] The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning can also be malicious in nature if someone is looking for a weakened access point to break into your computer.


• The CM Array feature uses TCP port 2376 for communication between Docker daemons.
• The CM Array feature uses TCP port 9988 for communication between a container (Kafka) client and the container broker.

Version 1.1 was re-edited to correct some document errors.

A summary of changes:

• Removed port 81. HTTP IP phone updates have not been supported for many years.
• Updated the Port Matrix diagram to move "Array Kafka" to point to the "Other" block.


Port Usage Tables

1.2 Port Usage Table Heading Definitions

Source System: System name or type that initiates connection requests.

Source Port: This is the default layer-4 port number of the connection source. Valid values include 0 - 65535. A "(C)" next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values include 0 - 65535. A "(C)" next to the port number means that the port number is configurable.

Network/Application Protocol: This is the name associated with the layer-4 protocol and the layer 5-7 application.

Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values include Yes or No.

"No" means the default port state cannot be changed (i.e. enabled or disabled).

"Yes" means the default port state can be changed, and that the port can be either enabled or disabled.

Default Port Listen State: A listen port is either open, closed or filtered.

Open listen ports will respond to queries.

Closed listen ports may or may not respond to queries and are only listed when they can be optionally enabled.

Filtered listen ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP ports will respond to queries but will not allow connectivity.

The default states describe the shipped configuration, not the running server: services listed as closed (for example Telnet on 23 and 5023) can be enabled after installation, so the listen state of a deployed server should be verified, for example with a port scan from the administration network.

Description: Connection details. Some descriptions have a reference to the Notes section after each table for specifics on any of the row data.


1.3 Port Tables

Below are the tables which document the port usage for this product. Note that a large number of IP ports used by CM's Processor Ethernet interface have the same IP port numbers as those used on CLAN circuit packs in port networks. In many ways the CLAN circuit packs act as remote network interface cards for the processor controlling them. Therefore the following CM port matrix table includes CLAN ports. The affected ports are noted.

In a theoretical sense all IP ports on CM are optionally enabled/disabled with a default port state of closed. That is because by default CM's Processor Ethernet is disabled. For practical purposes almost all systems will have the Processor Ethernet port enabled. The enable/disable column in the following table assumes it is enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4 see "Processor Ethernet".

Table 1: Listen Ports for Communication Manager

Source System | Source Port (non-configurable range) | Destination System | Destination Port (default; configurable range in parentheses) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
any | N/A | CM | N/A | ICMP | yes | open | ICMP messages (ping, etc.), IP protocol number 1
Admin Device | 1024 - 65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23
Admin Device | 1024 - 65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interface over Telnet. Note 23
Admin Device | 1024 - 65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23
IPSI | 1024 - 65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP)
CM, SCS, SRS | 1024 - 65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP)
SNMP NMS | 1024 - 65535 | CM | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 5, Note 23
SNMP NMS | 1024 - 65535 | CLAN | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 23
Gateway, CM, SCS, SRS, UPS | 1024 - 65535 | CM | 162 | UDP SNMP Trap | yes | closed | SNMP traps (server) collection. Note 6, Note 23
IP Phone | 1024 - 2048 | CM, CLAN | 411 | TCP HTTPS | no | open | HTTPS IP phone configuration file download. Note 3
Admin Device, SCS, SRS | 1024 - 65535 | CM | 443 | TCP HTTPS | no | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024 - 65535 | CM | 514 | UDP SYSLOG, TCP SYSLOG | yes | closed | TN board logging & server log files
CM 1.3 or older | 512 - 1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync service. Note 7
H.248 Media Gateways | 1024 - 65535 | CM or CLAN | 1039 | TCP, encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024 - 5000 | CM | 1300 | TCP H.323 | yes | closed | TLS-encrypted H.323 signaling
CM | 1024 - 65535 | CM | 1332 | UDP, DES-encrypted proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024 - 65535 | CM or CLAN | 1719 | TCP H.323 | yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500 - 6500 | CM or CLAN | 1720 | TCP H.323 | yes | closed | H.323 signaling. Note 8, Note 11
CM, CLAN | 5000 - 5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000 - 9999) | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Third Party GK or GW | 1024 - 65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Admin Device | 1024 - 65535 | CM | 2222 | TCP SSH | yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024 - 65535 | CM | 2376 | TCP TLS | yes | closed | TLS-encrypted exchange between Docker daemons. Note 24
H.248 GW | 1024 - 65535 | CM or CLAN | 2944 | TCP H.248 | yes | closed | TLS-encrypted H.248. Note 8, Note 13
H.248 GW | 1024 - 65535 | CM or CLAN | 2945 | TCP H.248 | yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024 - 65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024 - 65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024 - 65535 | CM or CLAN | 5060 (5000 - 9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024 - 65535 | CM or CLAN | 5061 (5000 - 9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024 - 65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (SW duplication) - Server 1. Note 10
CM | 1024 - 65535 | CM | 6514 | TLS SYSLOG | yes | closed | Server log files
AE Services | 1024 - 65535 | CM | 8765 | TCP ASAI (Q.931/ASN.1) | yes | closed | AE Services. Note 20
CM | 1024 - 65535 | CM | 9000 | TCP Proprietary | no | open | DGB (debugging tool)
AMS | 1024 - 65535 | CM | 9061 (5000 - 9999) | TCP TLS SIPS | yes | closed | SIP. Note 22
CM Array Mgmt | 1024 - 65535 | CM | 9988 | TCP | yes | closed | Exchange between Kafka (container) client and a Kafka broker. Note 24
CM | 1024 - 65535 | CM | 12080 | TCP TLS | no | closed | Dupmgr (SW duplication) - Server 2. Proprietary, optionally encrypted. Note 10
CM, SCS, SRS | 20873 - 21872 | CM, SCS, SRS | 20873 - 21872 | TCP TLS | no | open | Internal Filesync communication. Note 21
CM, SCS, SRS | 1024 - 65535 | CM - SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18
CM, SCS, SRS | 1024 - 65535 | CM | 21874 | TCP TLS | no | open | Filesync over SSL. Note 19
G650 | 1024 - 65535 | CM or CLAN | 59000 - 59200 | TCP H.245 | no | open | H.245

NOTES

1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SSH Server (SCP/SFTP 22)" and set Service State to Disabled.
2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).
3. This note for IP phone download was removed since it has been in disuse for many years.
4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select "Configure individual services" -> Continue -> select "Configure Time Server" -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, the duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).
5. By default the Simple Network Management Protocol (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security: SNMPv1/v2c community strings are sent in cleartext and act as a shared password, whereas SNMPv3 with authentication and privacy (authPriv) protects both the credentials and the queried data.
6. By default the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.
7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.
8. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4 see "Processor Ethernet".
9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active, and 2) coordinates data shadowing between servers under the Duplication Manager's control.
10. Duplicated port 5098 is for Server 1 and port 12080 is for Server 2.
11. CM is the destination only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.
12. In CM 3.1 or later the High Priority SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "High Priority SSH (2222)" and set Service State to Disabled. Prior to CM 3.1 the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server hp-sshd.
13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100.
14. In CM 3.1 or later the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SAT (SSH 5022)" and set Service State to Disabled.
15. In CM 3.1 or later the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SAT (Telnet 5023)" and set Service State to Disabled. Telnet carries logins and SAT commands in cleartext; leave this service disabled and use the SAT over SSH (5022) instead.
16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).
19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).
20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide Release 4.1 (02-300357, Issue 8, December 2007).
21. Ports used for internal filesync communication default to 20873 - 20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.
22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
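Note 23 and the Default Port State column describe a policy but not how to apply it or check it on a running server. The following is an added example, not Avaya's code and not part of the original port matrix: it turns a hand-transcribed subset of Table 1 into an nftables input chain that implements Note 23 (management ports accepted only on the out-of-band interface and dropped on the voice interface, other "open" ports accepted) and audits a constructed `ss -Hltnu` listing against the documented default states, reporting closed-by-default ports that are listening, listeners the table does not know about, and documented-open ports that are down. The interface names eth0/eth1, the ROWS subset and the sample listing are assumptions made for the example.

```python
"""Added example, not Avaya's code: turn transcribed rows of Table 1 into
an nftables policy implementing Note 23, and audit a host's listeners
against the table's Default Port State column.

Assumptions (none of these come from the port matrix itself): the rows
below are a hand-copied subset of Table 1; eth0 is the in-band (voice)
interface and eth1 the dedicated out-of-band management interface; the
listener sample is constructed to look like `ss -Hltnu` output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    source: str       # Source System column
    dest_port: int    # default Destination Port on CM
    proto: str        # "tcp" or "udp"
    state: str        # Default Port State: "open" or "closed"
    management: bool  # True for the management ports listed in Note 23


# Constructed subset of Table 1 (source system, port, protocol, default state).
ROWS = [
    Row("Admin Device", 22, "tcp", "open", True),
    Row("Admin Device", 23, "tcp", "closed", True),
    Row("Admin Device", 80, "tcp", "open", True),
    Row("SNMP NMS", 161, "udp", "closed", True),
    Row("Admin Device", 443, "tcp", "open", True),
    Row("Admin Device", 2222, "tcp", "open", True),
    Row("H.248 GW", 2945, "tcp", "open", False),
    Row("Admin Device", 5022, "tcp", "open", True),
    Row("Admin Device", 5023, "tcp", "closed", True),
    Row("SIP Trunks", 5061, "tcp", "closed", False),
]

VOICE_IF = "eth0"  # assumed in-band (voice) interface name
MGMT_IF = "eth1"   # assumed out-of-band management interface name


def nft_rules(rows):
    """Render an nftables input chain. Management ports (Note 23) are
    accepted only on the OOB interface and explicitly dropped on the voice
    interface; other ports whose default state is 'open' are accepted on
    the voice interface; everything else falls through to the drop policy."""
    lines = [
        "table inet cm_matrix {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for r in sorted(rows, key=lambda r: (r.proto, r.dest_port)):
        if r.management:
            lines.append(f"    iifname {MGMT_IF} {r.proto} dport {r.dest_port} accept")
            lines.append(f"    iifname {VOICE_IF} {r.proto} dport {r.dest_port} drop")
        elif r.state == "open":
            lines.append(f"    iifname {VOICE_IF} {r.proto} dport {r.dest_port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def parse_ss(output):
    """Parse `ss -Hltnu` style lines (Netid State Recv-Q Send-Q Local Peer)
    into a set of (proto, port) listeners."""
    listeners = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        listeners.add((proto, int(local.rsplit(":", 1)[1])))
    return listeners


def audit(rows, observed):
    """Compare observed listeners with the documented defaults.
    Returns (reopened, unknown, missing): ports the table lists as closed
    but which are listening, listening ports the table does not list at
    all, and documented 'open' ports that are not listening."""
    expected_open = {(r.proto, r.dest_port) for r in rows if r.state == "open"}
    known = {(r.proto, r.dest_port) for r in rows}
    reopened = sorted(p for p in observed if p in known and p not in expected_open)
    unknown = sorted(p for p in observed if p not in known)
    missing = sorted(p for p in expected_open if p not in observed)
    return reopened, unknown, missing


# Constructed sample: Telnet (23) has been switched on, an undocumented
# service listens on 8080, and unencrypted H.248 (2945) is not up.
SAMPLE_SS = """\
tcp   LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:80   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5022 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
"""

if __name__ == "__main__":
    print(nft_rules(ROWS))
    reopened, unknown, missing = audit(ROWS, parse_ss(SAMPLE_SS))
    print("reopened:", reopened, "unknown:", unknown, "missing:", missing)
```

The generated chain has a default drop policy and an `established,related` rule, so the talk-only flows of Table 2 (DNS, NTP, RADIUS and so on) keep working without per-port rules for their replies; ports the table lists as closed and not under Note 23 (here 5061) get no rule at all and simply fall through to the policy. On a real server the audit input would come from `ss -Hltnu` run locally, or from a scan from the administration network, and any entry in `reopened` or `unknown` is the finding to chase.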

Table 2: Talk-only Ports for Communication Manager

If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.

Source System | Source Port (non-configurable range) | Destination System | Destination Port (default; configurable range in parentheses) | Network/Application Protocol | Optionally Enabled/Disabled | Description
CM | N/A | any | N/A | ICMP | N/A | ICMP messages (ping, etc.), IP protocol number 1
CM or CLAN | 1024 - 65535 | DNS Server | 53 | UDP DNS | no | DNS requests and responses
CM | 1024 - 65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1
CM | 1024 - 65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7
CM | 1024 - 65535 | SNMP NMS | 162 (0 - 65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024 - 65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024 - 65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage
SRS | 514 | CM 1.3 or older | 512 - 1023 (not configurable, Note 3) | TCP RSH | yes | Legacy Filesync service. Note 3
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8
CM RADIUS Client | 1024 - 65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS-based login processing. Note 9
CM | 1024 - 65535 | IPSI | 1956 | TCP Proprietary | no | IPSI Command Server service
CM | 1024 - 65535 | IPSI | 5010 | TCP Proprietary | no | IPSI server control channel
CM | 1024 - 65535 | IPSI | 5011 | TCP Proprietary | no | IPSI server IPSI version channel
CM | 1024 - 65535 | IPSI | 5012 | TCP Proprietary | no | IPSI server serial number channel
CM SafeWord Client | 1024 - 65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord-based login processing. Note 9
CM | 1024 - 65535 | SIP Trunks | 5060 (1 - 65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024 - 65535 | SIP Trunks | 5061 (1 - 65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024 - 65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID-based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024 - 65535 | TCP Proprietary | no | Audix Digital Networking
CM | 1024 - 65535 | AMS | 9061 (1 - 65535) | TCP TLS SIPS | yes | SIP. Note 10

NOTES

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the media server's NTP client can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.


2. By default the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 - 1023, but it is not configurable.
4. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4 see "Processor Ethernet".
5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

6 The SIPS service is only enabled on CM servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS

7 CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request 8 Source port is configurable using the ldquochange ip-network-regionrdquo SAT command (page 2) The default is 61440 ndash 61444 9 Disabled by default Requires root access to enable 10 TLS enabled AMS SIP signaling groups on CM are blocked from using 1719 1720 5060 or 5061 TLS enabled non-AMS SIP signaling groups are blocked from

using 1720 or 9061 TLS enabled H323 signaling groups are blocked from using 5061 or 9061 11 If an Ethernet interface has been dedicated for use by out-of-band management firewall rules should be used to block the following management ports on the

Ethernet interface that is to be used for in-band (voice) communication http 80 and 443 ssh 22 2222 and 5022 telnet 23 and 5023 SNMP 161 and 162

14 Port Table Changes There are no port changes from the R701 release

15 Port Table Changes on CMM The CMM port usage information similar to the following has been removed from Table 1 because this CM Port Matrix document no longer covers CMM A separate Avaya Port Matrix document for CMM will instead contain updated information about CMMs IP port usage

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 14

2 Port Usage Diagram

Avaya Aurareg

Communication

Manager

HTTPHTTPS SIP(S)H323

SSH SNMP

Proprietary ICMP Other

Network Admin

HTTPS-TCP443

HTTP-TCP80

SSH-TCP22

SSH-TCP2222

SSH-TCP5022

Phone or trunk or

SIP media server

HTTP-TCP81

HTTPS-TCP411

SNMP-UDP161

SNMP-UDP162

H323-TCP default 1719

H323-UDP1719

H323-TCP1720

SIP-TCP default 5060

SIP-TCP default 5061

SIP-TCP default 9061

Other CM Servers

Telnet-TCP23

Telnet-TCP5023

NTP-UDP123

Syslog-UDP514 Array Docker-TCP2376

Media Gateways

Arbiter-UDP1332

Dupmgr-TCP5098 12080

DGB-TCP 9000

Filesync-TCP 20873- 21874

ICMP

NTP-UDP123

Syslog-UDP514 Syslog-TLS6514 Array KafkaTCP9988

Other or Any

ASAI-TCP 8765

H323-TCP1300

H248-TCP1039

H248-TCP2944

H248-TCP2945

H245-TCP59000-59200

H323-UDP1719 For registration

Appendix A Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be receiving information simultaneously. In this example e-mail may use destination TCP port 25, a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial packet stream into three mini-streams inside the PC. Furthermore, each mini-stream is directed to the correct high-level application because the port numbers identify which application each mini-stream belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both the source and the destination IP device. The pairing of an IP address and a port number is called a socket (discussed later). Therefore each data stream is uniquely identified by two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, for example, is assigned port number 443. When a destination IP device is contacted by a source device on port 443, the destination is expected to speak HTTPS for that data-stream conversation. The port number is a convention, not a guarantee: a server can run any protocol on any port, which is why the matrices in this document record the protocol explicitly rather than relying on the port number alone.

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).

• Well-Known Ports are those numbered from 0 through 1023.
• Registered Ports are those numbered from 1024 through 49151.
• Dynamic Ports are those numbered from 49152 through 65535.

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.

Well-Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session; well-known port 25 is waiting for an e-mail session, and so on. These ports are tied to a well-understood application and range from 0 to 1023.

In UNIX and Linux operating systems only root (or, on Linux, a process granted the CAP_NET_BIND_SERVICE capability) may bind a listening socket to a well-known port. Well-Known Ports are therefore also commonly referred to as "privileged ports".

Registered Ports

Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, of the ports used by Avaya in this range are 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248 and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called "private ports", are available for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152 – 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the port number associated with the IP address. A data flow or conversation requires two sockets, one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique; if any one of the four elements differs, the data flow is unique. (Strictly, the transport protocol is a fifth element: TCP 10.1.2.3:2345 and UDP 10.1.2.3:2345 are different endpoints, and a firewall state table keys on all five.) The following three data flows are uniquely identified by port number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses, and the same port number on the second IP address, as data flow 1, but since the port number on the first socket differs the data flow is unique. Data flow 3 differs from data flow 1 only in the last octet of the second IP address. Therefore if one IP address octet changes or one port number changes the data flow is unique.

[Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.
Client -> Web Server (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80
Web Server -> Client (TCP info): Source 10.10.10.47:80, Destination 192.168.1.10:1369]

Notice the client egress stream includes the client's source IP and port (1369) and the destination IP and port (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)

Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via e-mail, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning.²

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

² Port scanning is the act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature if someone is looking for a weakened access point to break into your computer.
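The three firewall behaviours described above (a stateless packet filter, the extra reversed rule such a filter needs for return traffic, and a stateful inspection state table keyed on socket pairs), as an added example that is not part of the Avaya document. It is Python; the Engineering (10.1.0.0/16) and Accounting (10.2.0.0/16) subnets, the hosts, the web server and the rule list are hypothetical.

```python
"""Packet filtering vs. stateful inspection on constructed packets.

Added example, not from the Avaya port matrix. Subnets, hosts, ports and the
rule list are hypothetical and chosen only to illustrate the behaviours the
appendix describes.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
ENGINEERING = ipaddress.ip_network("10.1.0.0/16")   # hypothetical subnet
ACCOUNTING = ipaddress.ip_network("10.2.0.0/16")    # hypothetical subnet


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection request


# Stateless ACL: (action, proto, source net, destination net, destination port).
# Evaluated top-down, first match wins, implicit deny at the end.
ACL = [
    ("deny",  "tcp", ENGINEERING, ACCOUNTING, 23),   # no Telnet into Accounting
    ("allow", "tcp", ENGINEERING, ANY, 80),          # browsing from Engineering
    ("allow", "tcp", ENGINEERING, ANY, 443),
]


def acl_decision(pkt, acl=ACL):
    """Packet filtering: every packet is judged on its own header fields."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for action, proto, src_net, dst_net, dport in acl:
        if pkt.proto == proto and src in src_net and dst in dst_net and pkt.dport == dport:
            return action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: only connection requests are checked against the
    ACL. An accepted request is recorded as a socket pair (the five-tuple), and
    later packets in either direction are admitted because that entry exists."""

    def __init__(self, acl=ACL):
        self.acl = acl
        self.state = set()

    def decision(self, pkt):
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state or reverse in self.state:
            return "allow"                      # part of a tracked flow
        if (pkt.proto == "udp" or pkt.syn) and acl_decision(pkt, self.acl) == "allow":
            self.state.add(forward)             # new flow whose initiator is permitted
            return "allow"
        return "deny"                           # no state and not a permitted request


def run_demo():
    """Return {label: (stateless decision, stateful decision)} for a packet sequence."""
    fw = StatefulFirewall()
    packets = [
        ("eng->acct telnet SYN",  Packet("tcp", "10.1.5.20", 41000, "10.2.0.9", 23, syn=True)),
        ("eng->web SYN",          Packet("tcp", "10.1.5.20", 1369, "10.10.10.47", 80, syn=True)),
        ("web->eng reply",        Packet("tcp", "10.10.10.47", 80, "10.1.5.20", 1369)),
        ("eng->web ACK no state", Packet("tcp", "10.1.5.20", 1370, "10.10.10.47", 80)),
        ("scanner->eng ssh SYN",  Packet("tcp", "198.51.100.7", 55555, "10.1.5.20", 22, syn=True)),
    ]
    # Dict comprehensions preserve order, so the state table is built in sequence.
    return {label: (acl_decision(p), fw.decision(p)) for label, p in packets}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_demo().items():
        print(f"{label:<24} packet filter: {stateless:<5} stateful: {stateful}")
```

The reply in the third case is dropped by the stateless ACL because nothing in it matches a packet from the web server; a packet filter needs a second, reversed rule for it, and that reversed rule would also pass the fourth packet, a mid-stream segment with no preceding SYN (the shape of an ACK scan). The state table admits the reply and refuses the stray segment from the same single rule, which is the "automatic return path" trade-off the text mentions: fewer rules, but the firewall now trusts its own record of who initiated what.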


Port Usage Tables

1.2 Port Usage Table Heading Definitions

Source System: System name or type that initiates connection requests.

Source Port: This is the default layer-4 port number of the connection source. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.

Network/Application Protocol: This is the name associated with the layer-4 protocol and the layer 5-7 application.

Optionally Enabled/Disabled: This field indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values include Yes or No.
"No" means the default port state cannot be changed (e.g. enabled or disabled).
"Yes" means the default port state can be changed and that the port can either be enabled or disabled.

Default Port Listen State: A listen port is either open, closed or filtered.
Open listen ports will respond to queries.
Closed listen ports may or may not respond to queries and are only listed when they can be optionally enabled.
Filtered listen ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP ports will respond to queries but will not allow connectivity.

Description: Connection details. Some descriptions have a reference to the Notes section after each table for specifics on any of the row data.

1.3 Port Tables

Below are the tables which document the port usage for this product. Note that a large number of the IP ports used by CM's Processor Ethernet interface have the same IP port numbers as those used on CLAN circuit packs in port networks. In many ways the CLAN circuit packs act as remote network interface cards for the processor controlling them. Therefore the following CM port matrix table includes CLAN ports. The affected ports are noted.

In a theoretical sense all IP ports on CM are optionally enabled/disabled with a default port state of closed. That is because by default CM's Processor Ethernet is disabled. For practical purposes almost all systems will have the Processor Ethernet port enabled, and the enable/disable column in the following table assumes it is enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options" and see Processor Ethernet on page 4.

Table 1 Listen Ports for Communication Manager

| Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description |
|---|---|---|---|---|---|---|---|
| any | N/A (N/A) | CM | N/A (N/A) | ICMP | yes | open | ICMP messages, ping etc. IP Protocol Number 1 |
| Admin Device | 1024 – 65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23 |
| Admin Device | 1024 – 65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interface over Telnet. Note 23 |
| Admin Device | 1024 – 65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23 |
| IPSI | 1024 – 65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP) |
| CM, SCS, SRS | 1024 – 65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP) |
| SNMP NMS | 1024 – 65535 | CM | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 5, Note 23 |
| SNMP NMS | 1024 – 65535 | CLAN | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 23 |
| Gateway, CM, SCS, SRS, UPS | 1024 – 65535 | CM | 162 | UDP SNMP Trap | yes | closed | SNMP traps (server) collection. Note 6, Note 23 |
| IP Phone | 1024 – 2048 | CM, CLAN | 411 | TCP HTTPS | no | open | HTTPS IP Phone configuration file download. Note 3 |
| Admin Device, SCS, SRS | 1024 – 65535 | CM | 443 | TCP HTTPS | no | open | Avaya web administration interface (HTTPS). Note 23 |
| CLAN, IPSI, TN2602AP | 1024 – 65535 | CM | 514 | UDP SYSLOG, TCP SYSLOG | yes | closed | TN Board Logging & Server Log Files |
| CM 1.3 or older | 512 – 1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync Service. Note 7 |
| H.248 Media Gateways | 1024 – 65535 | CM or CLAN | 1039 | TCP Encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8 |
| H.323 Phone | 1024 – 5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling |
| CM | 1024 – 65535 | CM | 1332 | UDP DES Encrypted Proprietary | Note 9 | Note 9 | Arbiter. Note 9 |
| H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | yes | closed | Registration, Admission and Status (RAS) for phones. Note 8 |
| CM, CLAN | 1024 – 65535 | CM or CLAN | 1719 | TCP H.323 | yes | closed | H.323 RAS for trunks. Note 22 |
| H.323 Phone | 1500 – 6500 | CM or CLAN | 1720 | TCP H.323 | yes | closed | H.323 signaling. Note 8, Note 10 |
| CM, CLAN | 5000 – 5021 | CM, SCS, SRS or CLAN | 1719, 1720, 5000 – 9999 | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT |
| Third Party GK or GW | 1024 – 65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT |
| Admin Device | 1024 – 65535 | CM | 2222 | TCP SSH | yes | open | High Priority SSH. Note 12, Note 23 |
| CM Array Mgmt | 1024 – 65535 | CM | 2376 | TCP TLS | yes | closed | TLS encrypted exchange between Docker daemons. Note 24 |
| H.248 GW | 1024 – 65535 | CM or CLAN | 2944 | TCP H.248 | yes | closed | TLS encrypted H.248. Note 8, Note 13 |
| H.248 GW | 1024 – 65535 | CM or CLAN | 2945 | TCP H.248 | yes | open | Unencrypted H.248. Note 8, Note 13 |
| Admin Device | 1024 – 65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23 |
| Admin Device | 1024 – 65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23 |
| SIP Trunks | 1024 – 65535 | CM or CLAN | 5060 (5000 – 9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22 |
| SIP Trunks | 1024 – 65535 | CM or CLAN | 5061 (5000 – 9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22 |
| CM | 1024 – 65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (SW duplication) – Server 1. Note 10 |
| CM | 1024 – 65535 | CM | 6514 | TLS SYSLOG | yes | closed | Server Log Files |
| AE Services | 1024 – 65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20 |
| CM | 1024 – 65535 | CM | 9000 | TCP Proprietary | no | open | DGB (debugging tool) |
| AMS | 1024 – 65535 | CM | 9061 (5000 – 9999) | TCP/TLS SIPS | yes | closed | SIP. Note 22 |
| CM Array Mgmt | 1024 – 65535 | CM | 9988 | TCP | yes | closed | Exchange between Kafka (container) client and a Kafka broker. Note 24 |
| CM | 1024 – 65535 | CM | 12080 | TCP TLS | no | closed | Dupmgr (SW duplication) – Server 2. Proprietary, optionally encrypted. Note 10 |
| CM, SCS, SRS | 20873 – 21872 | CM, SCS, SRS | 20873 – 21872 | TCP TLS | no | open | Internal Filesync communication. Note 21 |
| CM, SCS, SRS | 1024 – 65535 | CM – SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18 |
| CM, SCS, SRS | 1024 – 65535 | CM | 21874 | TCP TLS | no | open | Filesync over SSL. Note 19 |
| G650 | 1024 – 65535 | CM or CLAN | 59000 – 59200 | TCP H.245 | no | open | H.245 |

NOTES

1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name: SSH Server (SCP/SFTP 22) and setting Service State to Disabled.
2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).
3. This note for IP phone download was removed since it has been in disuse for many years.
4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select Configure individual services -> Continue -> select Configure Time Server -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, the duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).
5. By default the Simple Network Management Protocol (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.
6. By default the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.
7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.
8. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options" and see Processor Ethernet on page 4.
9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active and 2) coordinates data shadowing between servers under the Duplication Manager's control.
10. Duplicated servers: port 5098 is for Server 1 and port 12080 is for Server 2.
11. CM as the destination applies only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.
12. In CM 3.1 or later the High Priority SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name: High Priority SSH (2222) and setting Service State to Disabled. Prior to CM 3.1 the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server hp-sshd.
13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.
14. In CM 3.1 or later the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name: SAT (SSH 5022) and setting Service State to Disabled.
15. In CM 3.1 or later the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name: SAT (Telnet 5023) and setting Service State to Disabled.
16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).
19. In CM 3.x and later filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).
20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).
21. The ports used for internal filesync communication default to 20873 – 20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.
22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443, SSH 22, 2222 and 5022, Telnet 23 and 5023, SNMP 161 and 162.
24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
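A check a practitioner would run against Table 1 and Note 23, as an added example that is not part of the Avaya document: it compares a CM host's listening sockets with the matrix and reports default-closed services that are now listening, listeners the matrix does not document, and management ports bound so that in-band peers can reach them. The matrix rows are a subset transcribed from Table 1; the in-band and out-of-band addresses and the `ss -Hltnu` listing are constructed for illustration, so substitute real output from the server.

```python
"""Check a CM host's listening sockets against Table 1 of the port matrix.

Added example, not Avaya code. LISTEN_MATRIX is a subset of Table 1 above;
the addresses and the `ss` listing are constructed. Feed real `ss -Hltnu`
output from the server to reproduce the check.
"""
import re

# (transport, port) -> (default port state, description), from Table 1.
LISTEN_MATRIX = {
    ("tcp", 22):   ("open",   "OS administration over SSH"),
    ("tcp", 23):   ("closed", "OS administration over Telnet"),
    ("tcp", 80):   ("open",   "web administration, redirects to 443"),
    ("udp", 123):  ("closed", "NTP server"),
    ("udp", 161):  ("closed", "SNMP agent"),
    ("udp", 162):  ("closed", "SNMP trap collection"),
    ("tcp", 443):  ("open",   "web administration (HTTPS)"),
    ("tcp", 1039): ("open",   "encrypted H.248 over TCP"),
    ("tcp", 2222): ("open",   "high priority SSH"),
    ("tcp", 2945): ("open",   "unencrypted H.248"),
    ("tcp", 5022): ("open",   "SAT over SSH"),
    ("tcp", 5023): ("closed", "SAT over Telnet"),
    ("tcp", 5060): ("closed", "SIP"),
    ("tcp", 5061): ("closed", "SIPS"),
    ("tcp", 9000): ("open",   "DGB debugging tool"),
}

# Management ports that Note 23 says to block on the in-band (voice) interface.
MGMT_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 22), ("tcp", 2222), ("tcp", 5022),
              ("tcp", 23), ("tcp", 5023), ("udp", 161), ("udp", 162)}

INBAND_ADDR = "10.20.30.5"      # hypothetical voice/signalling address
OOB_ADDR = "192.168.200.5"      # hypothetical out-of-band management address
WILDCARDS = {"0.0.0.0", "*", "[::]"}

# Constructed `ss -Hltnu` output: Netid State Recv-Q Send-Q Local:Port Peer:Port
SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0 128 192.168.200.5:5022  0.0.0.0:*
tcp   LISTEN 0 128 10.20.30.5:5061     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8443        0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:9000        0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:25        0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161         0.0.0.0:*
udp   UNCONN 0 0   10.20.30.5:123      0.0.0.0:*
"""

SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_ss(text):
    """Return [(transport, local address, port)] for each socket line."""
    found = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found


def reachable_inband(addr):
    """True when the socket is bound so that in-band peers can reach it."""
    return addr in WILDCARDS or addr == INBAND_ADDR


def audit(ss_text, matrix=LISTEN_MATRIX):
    """Return findings as (kind, transport, port, detail) tuples."""
    findings = []
    for proto, addr, port in parse_ss(ss_text):
        if addr.startswith("127.") or addr == "[::1]":
            continue                                  # loopback only, not on the network
        key = (proto, port)
        if key not in matrix:
            findings.append(("UNDOCUMENTED", proto, port, "not in Table 1; identify the process"))
            continue
        default_state, desc = matrix[key]
        if default_state == "closed":
            findings.append(("ENABLED", proto, port,
                             f"{desc}: closed by default, confirm it was enabled on purpose"))
        if key in MGMT_PORTS and reachable_inband(addr):
            findings.append(("INBAND-MGMT", proto, port,
                             f"{desc}: reachable on the in-band interface, see Note 23"))
    return findings


if __name__ == "__main__":
    for kind, proto, port, detail in audit(SS_OUTPUT):
        print(f"{kind:<12} {proto}/{port:<5} {detail}")
```

On the constructed listing, Telnet on 23 and SNMP on 161 are reported twice (enabled although closed by default, and bound on 0.0.0.0 so reachable in-band), SAT over SSH on 5022 produces nothing because it is bound only to the out-of-band address, SIPS on 5061 is reported as enabled (expected where SIP trunking is in use, but worth confirming), and 8443 is flagged as undocumented.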

Table 2 Talk-only Ports for Communication Manager

If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.

| Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Description |
|---|---|---|---|---|---|---|
| CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages, ping etc. IP Protocol Number 1 |
| CM or CLAN | 1024 – 65535 | DNS Server | 53 | UDP DNS | no | DNS requests and responses |
| CM | 1024 – 65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1 |
| CM | 1024 – 65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7 |
| CM | 1024 – 65535 | SNMP NMS | 162 (0 – 65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11 |
| CLAN | 1024 – 65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11 |
| CM | 1024 – 65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage |
| SRS | 514 | CM 1.3 or older | 512 – 1023 (Note 3) | TCP RSH | yes | Legacy Filesync Service. Note 3 |
| CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8 |
| CM RADIUS Client | 1024 – 65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS based login processing. Note 9 |
| CM | 1024 – 65535 | IPSI | 1956 | TCP Proprietary | no | IPSI Command Server Service |
| CM | 1024 – 65535 | IPSI | 5010 | TCP Proprietary | no | IPSI Server control channel |
| CM | 1024 – 65535 | IPSI | 5011 | TCP Proprietary | no | IPSI Server IPSI version channel |
| CM | 1024 – 65535 | IPSI | 5012 | TCP Proprietary | no | IPSI Server serial number channel |
| CM SafeWord Client | 1024 – 65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord based login processing. Note 9 |
| CM | 1024 – 65535 | SIP Trunks | 5060 (1 – 65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10 |
| CM | 1024 – 65535 | SIP Trunks | 5061 (1 – 65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10 |
| CM SecurID Client | 1024 – 65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID based login processing. Note 9 |
| CM or CLAN | 5500 | Audix LX, MM, MN | 1024 – 65535 | TCP Proprietary | no | Audix Digital Networking |
| CM | 1024 – 65535 | AMS | 9061 (1 – 65535) | TCP/TLS SIPS | yes | SIP. Note 10 |

NOTES

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name of a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the NTP client on the media server can be configured to support multicast timing messages or direct poll requests to the NTS. Finally, keys can optionally be provided for secure communications with the NTS.
2. By default the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 – 1023 and is not configurable.
4. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options" and see Processor Ethernet on page 4.
5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
7. CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.
8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 – 61444.
9. Disabled by default. Requires root access to enable.
10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443, SSH 22, 2222 and 5022, Telnet 23 and 5023, SNMP 161 and 162.
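A worked policy built from the two tables, as an added example that is not part of the Avaya document: it turns a subset of Table 1 (CM as destination) and Table 2 (CM as source) into an nftables ruleset with a default drop, conntrack for the return path (the "automatic return path" of Appendix A, since the source column is the initiator), and the Note 11 / Note 23 management ports accepted only on the out-of-band interface. CM's own host firewall and service states are administered through its web interface (Table 1 Notes 1, 6, 12, 14), so this models a network or host firewall in front of CM, not that interface. The interface names eth0/eth1, the peer addresses and the row subsets are hypothetical; the ports are the tables' own. The `inband_mgmt_rules` check is the review a practitioner would run over any ruleset, generated or hand-written.

```python
"""Build an nftables host-firewall policy for a CM server from port-matrix rows.

Added example, not Avaya code. Interface names, peer addresses and the row
subsets are hypothetical; the ports come from Tables 1 and 2 above.
"""
import re

INBAND_IF = "eth0"    # voice / signalling interface (hypothetical)
OOB_IF = "eth1"       # dedicated out-of-band management interface (hypothetical)

# Peer systems named as in the matrices, with hypothetical addresses.
PEERS = {
    "Admin Device": "192.168.200.0/24",
    "SNMP NMS": "192.168.200.10",
    "H.248 GW": "10.20.31.0/24",
    "SIP Trunks": "10.20.40.0/24",
    "Network Time Server": "10.20.0.5",
    "RADIUS Server": "192.168.200.20",
    "Rsyslog server": "192.168.200.30",
}

# Management ports from Note 23 (Table 1) / Note 11 (Table 2): OOB interface only.
MGMT_TCP = {22, 23, 80, 443, 2222, 5022, 5023}
MGMT_UDP = {161, 162}

# Table 1 subset (CM is the destination): source system, transport, ports.
LISTEN_ROWS = [
    ("Admin Device", "tcp", [22, 2222, 5022, 443]),
    ("SNMP NMS", "udp", [161]),
    ("H.248 GW", "tcp", [1039, 2944]),
    ("SIP Trunks", "tcp", [5061]),
]

# Table 2 subset (CM is the source): destination system, transport, ports.
TALK_ROWS = [
    ("Network Time Server", "udp", [123]),
    ("RADIUS Server", "udp", [1812, 1813]),
    ("Rsyslog server", "udp", [514]),
    ("SIP Trunks", "tcp", [5061]),
]


def _portset(ports):
    """nft syntax: a single port, or an anonymous set for several."""
    return str(ports[0]) if len(ports) == 1 else "{ " + ", ".join(map(str, ports)) + " }"


def _is_mgmt(proto, ports):
    mgmt = MGMT_TCP if proto == "tcp" else MGMT_UDP
    return any(p in mgmt for p in ports)


def _chain(rules):
    return "\n".join(f"    {r}" for r in rules)


def build_ruleset(listen_rows=LISTEN_ROWS, talk_rows=TALK_ROWS, peers=PEERS):
    """Return an nft ruleset text: default drop both ways, return path via
    conntrack, management ports only on the OOB interface, matrix ports only
    from (or to) the peers the tables name."""
    inp = [
        "ct state established,related accept",   # replies to flows CM initiated
        "ct state invalid drop",
        'iifname "lo" accept',
        "ip protocol icmp accept",               # ICMP is open by default (Table 1)
    ]
    for src, proto, ports in listen_rows:
        iface = OOB_IF if _is_mgmt(proto, ports) else INBAND_IF
        inp.append(f'iifname "{iface}" ip saddr {peers[src]} {proto} dport {_portset(ports)} accept')
    inp.append('log prefix "cm-input-drop " drop')
    out = [
        "ct state established,related accept",
        'oifname "lo" accept',
        "ip protocol icmp accept",
    ]
    for dst, proto, ports in talk_rows:
        out.append(f"ip daddr {peers[dst]} {proto} dport {_portset(ports)} accept")
    out.append('log prefix "cm-output-drop " drop')
    return (
        "table inet cm_host {\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy drop;\n"
        f"{_chain(inp)}\n"
        "  }\n"
        "  chain output {\n"
        "    type filter hook output priority 0; policy drop;\n"
        f"{_chain(out)}\n"
        "  }\n"
        "}\n"
    )


DPORT = re.compile(r"\b(tcp|udp) dport (\{[^}]*\}|\d+)")


def inband_mgmt_rules(ruleset):
    """Return the accept rules that expose a Note 23 management port on the
    in-band interface; an empty list means the ruleset honours the note."""
    bad = []
    for line in ruleset.splitlines():
        if f'iifname "{INBAND_IF}"' not in line or "accept" not in line:
            continue
        m = DPORT.search(line)
        if not m:
            continue
        ports = {int(p) for p in re.findall(r"\d+", m.group(2))}
        mgmt = MGMT_TCP if m.group(1) == "tcp" else MGMT_UDP
        if ports & mgmt:
            bad.append(line.strip())
    return bad


if __name__ == "__main__":
    rs = build_ruleset()
    print(rs)
    print("in-band management exposures:", inband_mgmt_rules(rs) or "none")
```

Load the printed text with `nft -f` on a host you control before relying on it; the conntrack accept at the top of each chain is what lets Table 2's talk-only flows receive their answers without a second rule per row, and the output chain's default drop is what makes an unexpected outbound connection from CM show up in the log.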

1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information, similar to the following, has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 14

2 Port Usage Diagram

Avaya Aurareg

Communication

Manager

HTTPHTTPS SIP(S)H323

SSH SNMP

Proprietary ICMP Other

Network Admin

HTTPS-TCP443

HTTP-TCP80

SSH-TCP22

SSH-TCP2222

SSH-TCP5022

Phone or trunk or

SIP media server

HTTP-TCP81

HTTPS-TCP411

SNMP-UDP161

SNMP-UDP162

H323-TCP default 1719

H323-UDP1719

H323-TCP1720

SIP-TCP default 5060

SIP-TCP default 5061

SIP-TCP default 9061

Other CM Servers

Telnet-TCP23

Telnet-TCP5023

NTP-UDP123

Syslog-UDP514 Array Docker-TCP2376

Media Gateways

Arbiter-UDP1332

Dupmgr-TCP5098 12080

DGB-TCP 9000

Filesync-TCP 20873- 21874

ICMP

NTP-UDP123

Syslog-UDP514 Syslog-TLS6514 Array KafkaTCP9988

Other or Any

ASAI-TCP 8765

H323-TCP1300

H248-TCP1039

H248-TCP2944

H248-TCP2945

H245-TCP59000-59200

H323-UDP1719 For registration

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 15

Appendix A Overview of TCPIP Ports

What are ports and how are they used

TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams Consider your desktop PC Multiple applications may be simultaneously receiving information In this example email may use destination TCP port 25 a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Furthermore each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs Every IP device has incoming (Ingress) and outgoing (Egress) data streams

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports, and Dynamic Ports (sometimes called Private Ports).

Well-Known Ports are those numbered from 0 through 1023.

Registered Ports are those numbered from 1024 through 49151.

Dynamic Ports are those numbered from 49152 through 65535.

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers

Well-Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well-understood application and range from 0 to 1023.


In UNIX and Linux operating systems, only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".

Registered Ports

Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152 – 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow or conversation requires two sockets – one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore, if one IP address octet changes or one port number changes, the data flow is unique.

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server. Client to Web Server (HTTP GET, egress): Source 192.168.1.10:1369, Destination 10.10.10.47:80. Web Server to Client (TCP info, ingress): Source 10.10.10.47:80, Destination 192.168.1.10:1369.

Notice the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
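The socket, flow-uniqueness and de-multiplexing ideas above, as an added example that is not part of the Avaya document: it parses the document's "ip:port - ip:port" notation, classifies ports into the three ranges defined earlier, counts distinct flows, builds the reverse (ingress) direction, and routes packets to applications by destination port. The addresses and ports used are the document's own illustrative values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address, IPv6Address
from typing import Union

# Port ranges exactly as the document defines them.
PORT_RANGES = (
    ("well-known", 0, 1023),
    ("registered", 1024, 49151),
    ("dynamic", 49152, 65535),
)


def port_range_name(port: int) -> str:
    """Return the range name for a port number, raising on an invalid number."""
    for name, low, high in PORT_RANGES:
        if low <= port <= high:
            return name
    raise ValueError(f"port {port} is outside 0-65535")


@dataclass(frozen=True)
class Socket:
    """An IP address paired with a port number, e.g. 192.168.5.17:3009."""
    ip: Union[IPv4Address, IPv6Address]
    port: int

    @classmethod
    def parse(cls, text: str) -> "Socket":
        host, sep, port = text.strip().rpartition(":")
        if not sep:
            raise ValueError(f"socket {text!r} lacks a ':port' part")
        sock = cls(ip_address(host.strip("[]")), int(port))
        port_range_name(sock.port)  # rejects ports outside 0-65535
        return sock

    def __str__(self) -> str:
        return f"{self.ip}:{self.port}"


@dataclass(frozen=True)
class Flow:
    """A data flow: a transport plus two sockets (four logical elements)."""
    proto: str
    src: Socket
    dst: Socket

    @classmethod
    def parse(cls, proto: str, text: str) -> "Flow":
        """Parse the document's 'src_ip:port - dst_ip:port' notation."""
        src, dst = text.split(" - ")
        return cls(proto.upper(), Socket.parse(src), Socket.parse(dst))

    def reverse(self) -> "Flow":
        """The return (ingress) direction: source and destination swapped."""
        return Flow(self.proto, self.dst, self.src)


def distinct_flows(flows) -> int:
    """Count flows that differ in at least one of proto, src ip/port, dst ip/port."""
    return len({(f.proto, f.src, f.dst) for f in flows})


def demultiplex(packets, listening: dict) -> dict:
    """Route ingress packets to applications by destination port.

    `listening` maps a local listening port to an application name, e.g.
    {25: "email", 80: "browser", 23: "telnet"}.  Packets whose destination
    port nobody listens on land under the key None (a closed port)."""
    routed: dict = {}
    for flow in packets:
        routed.setdefault(listening.get(flow.dst.port), []).append(flow)
    return routed


if __name__ == "__main__":
    # The three data flows from the document's Sockets section.
    flows = [Flow.parse("tcp", f) for f in (
        "172.16.16.14:1234 - 10.1.2.3:2345",
        "172.16.16.14:1235 - 10.1.2.3:2345",
        "172.16.16.14:1234 - 10.1.2.4:2345",
    )]
    print("distinct flows:", distinct_flows(flows))  # 3
    egress = Flow.parse("tcp", "192.168.1.10:1369 - 10.10.10.47:80")
    print("ingress reply:", egress.reverse().src, "->", egress.reverse().dst)
```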


Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [2].

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[2] The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.


1.3 Port Tables

Below are the tables which document the port usage for this product. Note that a large number of IP ports used by CM's Processor Ethernet interface have the same IP port numbers as those used on CLAN circuit packs in port networks. In many ways, the CLAN circuit packs act as remote network interface cards for the processor controlling them. Therefore, the following CM port matrix table includes CLAN ports. The affected ports are noted.

In a theoretical sense, all IP ports on CM are optionally enabled/disabled with default port state closed. That's because, by default, CM's Processor Ethernet is disabled. For practical purposes, almost all systems will have the Processor Ethernet port enabled. The enable/disable column in the following table assumes it is enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options"; on page 4, see "Processor Ethernet".

Table 1: Listen Ports for Communication Manager

Columns: Source Network Application | Source System Port (Non-Configurable Range) | Destination Network Application | Destination System Port (Configurable Range) | Protocol | Optionally Enabled/Disabled | Default Port State | Description

any | N/A (N/A) | CM | N/A (N/A) | ICMP | yes | open | ICMP messages, ping, etc. IP Protocol Number 1
Admin Device | 1024 – 65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23
Admin Device | 1024 – 65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interface over Telnet. Note 23
Admin Device | 1024 – 65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23
IPSI | 1024 – 65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP)
CM, SCS, SRS | 1024 – 65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP)
SNMP NMS | 1024 – 65535 | CM | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 5, Note 23
SNMP NMS | 1024 – 65535 | CLAN | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 23
Gateway, CM, SCS, SRS, UPS | 1024 – 65535 | CM | 162 | UDP SNMP Trap | yes | closed | SNMP traps (server) collection. Note 6, Note 23
IP Phone | 1024 – 2048 | CM, CLAN | 411 | TCP HTTPS | no | open | HTTPS IP Phone configuration file download. Note 3
Admin Device, SCS, SRS | 1024 – 65535 | CM | 443 | TCP HTTPS | no | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024 – 65535 | CM | 514 | UDP SYSLOG, TCP SYSLOG | yes | closed | TN Board Logging & Server Log Files
CM 1.3 or older | 512 – 1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync Service. Note 7
H.248 Media Gateways | 1024 – 65535 | CM or CLAN | 1039 | TCP Encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024 – 5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling
CM | 1024 – 65535 | CM | 1332 | UDP DES Encrypted Proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024 – 65535 | CM or CLAN | 1719 | TCP H.323 | yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500 – 6500 | CM or CLAN | 1720 | TCP H.323 | yes | closed | H.323 signaling. Note 8, Note 10
CM, CLAN | 5000 – 5021 | CM, SCS, SRS or CLAN | 1719, 1720, 5000 – 9999 | TCP H.323 | yes | closed | H.323 IP trunk Signaling Ports, admin via SAT
Third Party GK or GW | 1024 – 65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | yes | closed | H.323 IP trunk Signaling Ports, admin via SAT
Admin Device | 1024 – 65535 | CM | 2222 | TCP SSH | yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024 – 65535 | CM | 2376 | TCP TLS | yes | closed | TLS encrypted exchange between Docker daemons (see Note 24)
H.248 GW | 1024 – 65535 | CM or CLAN | 2944 | TCP H.248 | yes | closed | TLS encrypted H.248. Note 8, Note 13
H.248 GW | 1024 – 65535 | CM or CLAN | 2945 | TCP H.248 | yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024 – 65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024 – 65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024 – 65535 | CM or CLAN | 5060 (5000 – 9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024 – 65535 | CM or CLAN | 5061 (5000 – 9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024 – 65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (SW duplication) – Server 1. Note 22
CM | 1024 – 65535 | CM | 6514 | TLS SYSLOG | yes | closed | Server Log Files
AE Services | 1024 – 65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20
CM | 1024 – 65535 | CM | 9000 | TCP Proprietary | no | open | DGB (debugging tool)
AMS | 1024 – 65535 | CM | 9061 (5000 – 9999) | TCP TLS SIPS | yes | closed | SIP. Note 22
CM Array Mgmt | 1024 – 65535 | CM | 9988 | TCP | yes | closed | Exchange between Kafka (container) client and a Kafka Broker (see Note 24)
CM | 1024 – 65535 | CM | 12080 | TCP TLS | no | closed | Dupmgr (SW duplication) – Server 2. Note 10. Proprietary, optionally encrypted
CM, SCS, SRS | 20873 – 21872 | CM, SCS, SRS | 20873 – 21872 | TCP TLS | no | open | Internal Filesync communication. Note 21
CM, SCS, SRS | 1024 – 65535 | CM – SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18
CM, SCS, SRS | 1024 – 65535 | CM | 21874 | TCP TLS | no | open | Filesync over SSL. Note 19
G650 | 1024 – 65535 | CM or CLAN | 59000 – 59200 | TCP H.245 | no | open | H.245

NOTES

1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SSH Server (SCP/SFTP 22)" and set Service State to Disabled.

2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).

3. This note for IP phone download was removed since it has been in disuse for many years.

4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select "Configure individual services" -> Continue -> select "Configure Time Server" -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).

5. By default, the Simple Network Management Protocol (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.

6. By default, the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.

7. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.

8. By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options"; on page 4, see "Processor Ethernet".

9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active, and 2) coordinates data shadowing between servers under the Duplication Manager's control.

10. Duplicated Port 5098 is for Server 1 and Port 12080 is for Server 2.

11. CM as the destination applies only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.

12. In CM 3.1 or later, the High Priority SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "High Priority SSH (2222)" and set Service State to Disabled. Prior to CM 3.1, the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server hp-sshd.

13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.

14. In CM 3.1 or later, the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SAT (SSH 5022)" and set Service State to Disabled.

15. In CM 3.1 or later, the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SAT (Telnet 5023)" and set Service State to Disabled.

16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).

19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).

20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).

21. Ports used for internal filesync communication default to 20873 – 20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.

22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.

24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
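Notes 22 and 23 above, turned into checks a change-control or host-hardening script can run. This is an added example, not Avaya's code: it encodes the Note 23 management ports and the Note 22 port restrictions, validates a signaling group's administered listen port against Table 1's configurable ranges, emits iptables-style rule text (constructed and printed only, never applied) for an assumed in-band interface name, and flags management listeners found on that interface from caller-supplied (interface, proto, port) data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Note 23: management listen ports that belong on the out-of-band interface only.
MANAGEMENT_PORTS: Dict[str, Dict[int, str]] = {
    "tcp": {80: "http", 443: "https", 22: "ssh", 2222: "ssh", 5022: "ssh",
            23: "telnet", 5023: "telnet"},
    "udp": {161: "snmp", 162: "snmp"},
}

# Note 22: listen ports a TLS-enabled signaling group may not be administered on.
# Key: (group kind, AMS SIP group?) -> blocked ports.
BLOCKED_TLS_PORTS: Dict[Tuple[str, bool], set] = {
    ("sip", True): {1719, 1720, 5060, 5061},   # TLS-enabled AMS SIP group
    ("sip", False): {1720, 9061},              # TLS-enabled non-AMS SIP group
    ("h323", False): {5061, 9061},             # TLS-enabled H.323 group
}


def administrable_ports(kind: str) -> set:
    """Listen ports Table 1 lets a signaling group be administered on.

    SIP/SIPS/AMS: 5000-9999.  H.323 trunks: 1719, 1720 and 5000-9999."""
    ports = set(range(5000, 10000))
    if kind == "h323":
        ports |= {1719, 1720}
    return ports


@dataclass(frozen=True)
class SignalingGroup:
    kind: str          # "sip" or "h323"
    tls: bool          # TLS enabled on the group
    port: int          # administered listen port on CM
    ams: bool = False  # SIP group towards an Avaya Media Server (AMS)


def check_signaling_port(group: SignalingGroup) -> List[str]:
    """Return the problems with a group's port (empty list means it is allowed)."""
    problems = []
    if group.port not in administrable_ports(group.kind):
        problems.append(f"port {group.port} is outside the configurable range for {group.kind}")
    if group.tls:
        blocked = BLOCKED_TLS_PORTS[(group.kind, group.ams and group.kind == "sip")]
        if group.port in blocked:
            problems.append(f"TLS-enabled {group.kind} group may not use port {group.port} (Note 22)")
    return problems


def inband_block_rules(interface: str, chain: str = "INPUT") -> List[str]:
    """iptables-style rule text (constructed here, not applied) that drops the
    Note 23 management ports arriving on the in-band (voice) interface."""
    return [
        f"-A {chain} -i {interface} -p {proto} --dport {port} -j DROP"
        for proto, ports in MANAGEMENT_PORTS.items()
        for port in sorted(ports)
    ]


def audit_inband_listeners(listeners, inband_if: str) -> List[Tuple[str, int, str]]:
    """Flag management sockets bound on the in-band interface.

    `listeners` is an iterable of (interface, proto, port) tuples, the shape a
    wrapper script would build from its own listening-socket inventory."""
    flagged = []
    for iface, proto, port in listeners:
        name = MANAGEMENT_PORTS.get(proto, {}).get(port)
        if iface == inband_if and name:
            flagged.append((proto, port, name))
    return sorted(flagged)


if __name__ == "__main__":
    # "eth0" as the in-band interface name is an assumption for the demo.
    for rule in inband_block_rules("eth0"):
        print(rule)
    print(check_signaling_port(SignalingGroup("sip", tls=True, port=5061, ams=True)))
```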

Table 2: Talk-only Ports for Communication Manager

If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.

Columns: Source Network Application | Source System Port (Non-Configurable Range) | Destination Network Application | Destination System Port (Configurable Range) | Protocol | Optionally Enabled/Disabled | Description

CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages, ping, etc. IP Protocol Number 1
CM or CLAN | 1024 – 65535 | DNS Server | 53 | UDP DNS | no | DNS Requests and Responses
CM | 1024 – 65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1
CM | 1024 – 65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7
CM | 1024 – 65535 | SNMP NMS | 162 (0 – 65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024 – 65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024 – 65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage
SRS | 514 | CM 1.3 or older | Note 7 | TCP RSH | yes | Legacy Filesync Service. Note 7
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8
CM RADIUS Client | 1024 – 65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS based login processing. Note 9
CM | 1024 – 65535 | IPSI | 1956 | TCP Proprietary | no | IPSI Command Server Service
CM | 1024 – 65535 | IPSI | 5010 | TCP Proprietary | no | IPSI Server control channel
CM | 1024 – 65535 | IPSI | 5011 | TCP Proprietary | no | IPSI Server IPSI version channel
CM | 1024 – 65535 | IPSI | 5012 | TCP Proprietary | no | IPSI Server serial number channel
CM SafeWord Client | 1024 – 65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord based login processing. Note 9
CM | 1024 – 65535 | SIP Trunks | 5060 (1 to 65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024 – 65535 | SIP Trunks | 5061 (1 to 65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024 – 65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024 – 65535 | TCP Proprietary | no | Audix Digital Networking
CM | 1024 – 65535 | AMS | 9061 (1 to 65535) | TCP TLS SIPS | yes | SIP. Note 10

NOTES

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, NTP on the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.

2. By default, the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.

3. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 - 1023, but it is not configurable.

4. By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options"; on page 4, see "Processor Ethernet".

5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

7. CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.

8. Source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 – 61444.

9. Disabled by default. Requires root access to enable.

10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.

1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information, similar to the following, has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.


2 Port Usage Diagram

[Figure: Avaya Aura Communication Manager port usage diagram. Legend: HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP, Other. Peer groups shown around CM: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any. Ports labelled in the figure: HTTPS-TCP 443, HTTP-TCP 80, SSH-TCP 22, SSH-TCP 2222, SSH-TCP 5022, HTTP-TCP 81, HTTPS-TCP 411, SNMP-UDP 161, SNMP-UDP 162, H.323-TCP default 1719, H.323-UDP 1719, H.323-TCP 1720, SIP-TCP default 5060, SIP-TCP default 5061, SIP-TCP default 9061, Telnet-TCP 23, Telnet-TCP 5023, NTP-UDP 123, Syslog-UDP 514, Array Docker-TCP 2376, Arbiter-UDP 1332, Dupmgr-TCP 5098/12080, DGB-TCP 9000, Filesync-TCP 20873-21874, ICMP, Syslog-TLS 6514, Array Kafka-TCP 9988, ASAI-TCP 8765, H.323-TCP 1300, H.248-TCP 1039, H.248-TCP 2944, H.248-TCP 2945, H.245-TCP 59000-59200, H.323-UDP 1719 (for registration).]

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 15

Appendix A Overview of TCPIP Ports

What are ports and how are they used

TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams Consider your desktop PC Multiple applications may be simultaneously receiving information In this example email may use destination TCP port 25 a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Furthermore each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs Every IP device has incoming (Ingress) and outgoing (Egress) data streams

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation

Port Type Ranges

Port numbers are divided into three ranges Well-Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports)

Well-Known Ports are those numbered from 0 through 1023

Registered Ports are those numbered from 1024 through 49151

Dynamic Ports are those numbered from 49152 through 65535

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers

Well-Known Ports

For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well-known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 16

In UNIX and Linux operating systems, only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".

Registered Ports

Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152 – 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow, or conversation, requires two sockets – one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.23.2:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.23.2:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.24.2:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore, if one IP address octet changes or one port number changes, the data flow is unique.

[Figure 1: Socket example showing ingress and egress data flows from a PC to a web server. Client egress (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80. Ingress from the web server (TCP info): Source 10.10.10.47:80, Destination 192.168.1.10:1369.]

Notice the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
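The four-element identification of a data flow described above, as an added example (not code from the Avaya document): a flow is modelled as two sockets plus the transport protocol, the three sample flows are compared element by element, and the Figure 1 egress and ingress streams are shown to be the two directions of one conversation. The addresses and ports are constructed to match the section's samples in dotted form; the `Socket`, `Flow` and helper names are this example's own.

```python
"""Socket pairs and data-flow uniqueness (added example, not Avaya code)."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Socket:
    """One end of a data flow: an IP address paired with a port number."""
    ip: str
    port: int

    def __post_init__(self):
        ip_address(self.ip)  # raises ValueError on a malformed address
        if not 0 <= self.port <= 65535:
            raise ValueError(f"port out of range: {self.port}")


@dataclass(frozen=True)
class Flow:
    """A unidirectional stream from a source socket to a destination socket."""
    src: Socket
    dst: Socket
    proto: str = "TCP"

    def elements(self):
        """The four logical elements the document says identify a flow."""
        return (self.src.ip, self.src.port, self.dst.ip, self.dst.port)

    def reverse(self):
        """The return stream: source and destination swapped (Figure 1)."""
        return Flow(self.dst, self.src, self.proto)

    def conversation_key(self):
        """Direction-independent key: the egress and ingress streams of one
        conversation map to the same key, so a stateful device can pair them."""
        ends = sorted([(self.src.ip, self.src.port), (self.dst.ip, self.dst.port)])
        return (self.proto, ends[0], ends[1])


def differing_elements(a, b):
    """Names of the elements that differ between two flows (empty = same flow)."""
    names = ("src_ip", "src_port", "dst_ip", "dst_port")
    return [n for n, x, y in zip(names, a.elements(), b.elements()) if x != y]


def all_unique(flows):
    """True when no two flows share protocol and all four elements."""
    keys = {(f.proto,) + f.elements() for f in flows}
    return len(keys) == len(flows)


# Constructed sample flows matching the three data flows in the Sockets section
FLOW_1 = Flow(Socket("172.16.16.14", 1234), Socket("10.1.23.2", 2345))
FLOW_2 = Flow(Socket("172.16.16.14", 1235), Socket("10.1.23.2", 2345))
FLOW_3 = Flow(Socket("172.16.16.14", 1234), Socket("10.1.24.2", 2345))

# Figure 1: the client's egress (HTTP GET) and the server's ingress reply stream
EGRESS = Flow(Socket("192.168.1.10", 1369), Socket("10.10.10.47", 80))
INGRESS = Flow(Socket("10.10.10.47", 80), Socket("192.168.1.10", 1369))

if __name__ == "__main__":
    print(differing_elements(FLOW_1, FLOW_2))    # ['src_port']
    print(differing_elements(FLOW_1, FLOW_3))    # ['dst_ip']
    print(all_unique([FLOW_1, FLOW_2, FLOW_3]))  # True
    print(EGRESS.reverse() == INGRESS)           # True
```

`conversation_key()` is what a stateful firewall's connection table effectively stores: the reply stream is recognised because it maps to the key of the flow that was allowed in, which is why a single "return path" rule can stand in for an explicit reverse rule.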


Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning.²

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

² The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
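The two ways of writing policy that the Firewall Policies section contrasts (one rule per stream direction versus an initiator rule plus an automatic return path), together with the in-band management-port block recommended in Note 23 of the listen-port table, as an added example that is not part of the Avaya document. It reads rows shaped like the port matrix, where the Source column is the socket initiator, and emits nftables rule text. The zone subnets, the CM address `192.0.2.10` and the interface name `eth1` are constructed placeholders; the port numbers are those listed in Table 1 and Note 23.

```python
"""Firewall rules from port-matrix rows (added example, not Avaya code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MatrixRow:
    source: str      # initiator network, as in the matrix Source column
    src_ports: str   # non-configurable source range, e.g. "1024-65535"
    dest_port: int   # listening port on CM
    proto: str       # "tcp" or "udp"
    application: str


# Constructed zones standing in for the matrix's source networks
ZONES = {
    "Admin Device": "192.0.2.0/24",
    "SIP Trunks": "198.51.100.0/24",
    "H.248 GW": "203.0.113.0/24",
}
CM_HOST = "192.0.2.10"     # constructed placeholder for the CM server
INBAND_IFACE = "eth1"      # constructed name of the in-band (voice) interface

ROWS = [  # ports and protocols as listed in Table 1 (listen ports)
    MatrixRow("Admin Device", "1024-65535", 443, "tcp", "HTTPS"),
    MatrixRow("Admin Device", "1024-65535", 5022, "tcp", "SSH"),
    MatrixRow("SIP Trunks", "1024-65535", 5061, "tcp", "SIPS"),
    MatrixRow("H.248 GW", "1024-65535", 2944, "tcp", "H.248"),
]

# Note 23: management ports to block on the in-band interface
MGMT_TCP = (80, 443, 22, 2222, 5022, 23, 5023)
MGMT_UDP = (161, 162)


def forward_rule(row):
    """Initiator -> CM, the direction the matrix row describes."""
    return (f'ip saddr {ZONES[row.source]} ip daddr {CM_HOST} '
            f'{row.proto} sport {row.src_ports} {row.proto} dport {row.dest_port} '
            f'accept comment "{row.application}"')


def return_rule(row):
    """CM -> initiator: the reply stream, needed only by a stateless filter."""
    return (f'ip saddr {CM_HOST} ip daddr {ZONES[row.source]} '
            f'{row.proto} sport {row.dest_port} {row.proto} dport {row.src_ports} '
            f'accept comment "{row.application} return"')


def stateless_rules(rows):
    """Two rules per matrix row, one per stream direction."""
    return [r for row in rows for r in (forward_rule(row), return_rule(row))]


def stateful_rules(rows):
    """One initiator rule per row plus a single return-path rule. The return
    rule admits every established conversation, the trade-off the document
    mentions: fewer rules, but replies are no longer matched port by port."""
    return ["ct state established,related accept"] + [forward_rule(row) for row in rows]


def inband_management_block(iface=INBAND_IFACE):
    """Note 23: drop management ports arriving on the in-band interface."""
    tcp = ", ".join(str(p) for p in MGMT_TCP)
    udp = ", ".join(str(p) for p in MGMT_UDP)
    return [f'iifname "{iface}" tcp dport {{ {tcp} }} drop',
            f'iifname "{iface}" udp dport {{ {udp} }} drop']


def ruleset(rows, stateful=True):
    """Drop rules first, so a management port is refused on the voice
    interface even where a zone rule would otherwise accept it."""
    body = stateful_rules(rows) if stateful else stateless_rules(rows)
    return inband_management_block() + body


if __name__ == "__main__":
    for rule in ruleset(ROWS):
        print(rule)
```

The emitted lines are rule bodies for a filter chain; the stateless form doubles the rule count, the stateful form keeps one rule per matrix row and relies on connection tracking to pair the reply stream with the flow that was allowed in.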


| Source Network | Source System Port (Non-Configurable Range) | Destination Network | Destination System Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description |
|---|---|---|---|---|---|---|---|
| Gateway, CM, SCS, SRS, UPS | 1024–65535 | CM | 162 | UDP / SNMP Trap | Yes | closed | SNMP traps (server) collection (Note 6, Note 23) |
| IP Phone | 1024–2048 | CM, CLAN | 411 | TCP / HTTPS | No | open | HTTPS IP Phone configuration file download (Note 3) |
| Admin Device, SCS, SRS | 1024–65535 | CM | 443 | TCP / HTTPS | No | open | Avaya web administration interface (HTTPS) (Note 23) |
| CLAN, IPSI, TN2602AP | 1024–65535 | CM | 514 | UDP / SYSLOG, TCP / SYSLOG | Yes | closed | TN Board Logging & Server Log Files |
| CM 1.3 or older | 512–1023 | SRS | 514 | TCP / RSH | yes | closed | Legacy (CM 1.3) Filesync Service (Note 7) |
| H.248 Media Gateways | 1024–65535 | CM or CLAN | 1039 | TCP / Encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP (Note 8) |
| H.323 Phone | 1024–5000 | CM | 1300 | TCP / H.323 | yes | closed | TLS encrypted H.323 signaling |
| CM | 1024–65535 | CM | 1332 | UDP / DES Encrypted Proprietary | Note 9 | Note 9 | Arbiter (Note 9) |
| H.323 Phone | 49300 | CM or CLAN | 1719 | UDP / H.225 | Yes | closed | Registration, Admission and Status (RAS) for phones (Note 8) |
| CM, CLAN | 1024–65535 | CM or CLAN | 1719 | TCP / H.323 | Yes | closed | H.323 RAS for trunks (Note 22) |
| H.323 Phone | 1500–6500 | CM or CLAN | 1720 | TCP / H.323 | Yes | closed | H.323 signaling (Note 8, Note 10) |
| CM, CLAN | 5000–5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000–9999) | TCP / H.323 | Yes | closed | H.323 IP trunk signaling; ports administered via SAT |
| Third Party GK or GW | 1024–65535 | CM, SCS, SRS or CLAN | 1720 | TCP / H.323 | Yes | closed | H.323 IP trunk signaling; ports administered via SAT |
| Admin Device | 1024–65535 | CM | 2222 | TCP / SSH | Yes | open | High Priority SSH (Note 12, Note 23) |
| CM Array Mgmt | 1024–65535 | CM | 2376 | TCP / TLS | Yes | closed | TLS encrypted exchange between Docker daemons (see Note 24) |
| H.248 GW | 1024–65535 | CM or CLAN | 2944 | TCP / H.248 | Yes | closed | TLS encrypted H.248 (Note 8, Note 13) |
| H.248 GW | 1024–65535 | CM or CLAN | 2945 | TCP / H.248 | Yes | open | Unencrypted H.248 (Note 8, Note 13) |
| Admin Device | 1024–65535 | CM | 5022 | TCP / SSH | yes | open | SAT interface over SSH (Note 14, Note 23) |
| Admin Device | 1024–65535 | CM | 5023 | TCP / Telnet | yes | closed | SAT interface over Telnet (Note 15, Note 23) |
| SIP Trunks | 1024–65535 | CM or CLAN | 5060 (5000–9999) | TCP / SIP | yes | closed | SIP (Note 8, Note 16, Note 22) |
| SIP Trunks | 1024–65535 | CM or CLAN | 5061 (5000–9999) | TCP / TLS / SIPS | yes | closed | SIPS (Note 8, Note 17, Note 22) |
| CM | 1024–65535 | CM | 5098 | TCP / TLS (optionally encrypted) | no | Open | Dupmgr (SW duplication) – Server 1 (Note 22) |
| CM | 1024–65535 | CM | 6514 | TLS / SYSLOG | yes | closed | Server Log Files |
| AEServices | 1024–65535 | CM | 8765 | TCP / ASAI (Q.931, ASN.1) | yes | closed | AEServices (Note 20) |
| CM | 1024–65535 | CM | 9000 | TCP / Proprietary | No | Open | DGB (debugging tool) |
| AMS | 1024–65535 | CM | 9061 (5000–9999) | TCP / TLS / SIPS | Yes | closed | SIP (Note 22) |
| CM Array Mgmt | 1024–65535 | CM | 9988 | TCP | Yes | closed | Exchange between Kafka (container) client and a Kafka Broker (see Note 24) |
| CM | 1024–65535 | CM | 12080 | TCP / TLS | no | Closed | Dupmgr (SW duplication) – Server 2; proprietary, optionally encrypted (Note 10) |
| CM, SCS, SRS | 20873–21872 | CM, SCS, SRS | 20873–21872 | TCP / TLS | no | open | Internal Filesync communication (Note 21) |
| CM, SCS, SRS | 1024–65535 | CM – SRS | 21873 | TCP / TLS | no | open | Filesync over SSL (Note 18) |
| CM, SCS, SRS | 1024–65535 | CM | 21874 | TCP / TLS | No | open | Filesync over SSL (Note 19) |
| G650 | 1024–65535 | CM or CLAN | 59000–59200 | TCP / H.245 | No | open | H.245 |

NOTES

1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be Disabled and/or blocked by authenticating to the media server web administration interface --> Server (Maintenance) --> Security --> Server Access --> Change Service Name SSH Server (SCP/SFTP, 22) and set Service State to Disabled.

2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).

3. This note for IP phone download was removed since it has been in disuse for many years.

4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface --> Server (Maintenance) --> Server Configuration --> Configure Server --> Continue --> Continue --> Select Configure individual services --> Continue --> Select Configure Time Server --> Select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).

5. By default, the Simple Network Management (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured via authenticating to the media server web administration interface --> Server (Maintenance) --> SNMP -> Access -> add/change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.

6. By default, the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked via the media server host firewall by authenticating to the media server web administration interface --> Server (Maintenance) --> SNMP -> Incoming Traps -> Add/Change.

7. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.

8. By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface --> type "display system-parameters customer-options" --> under page 4, see Processor Ethernet.

9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active, and 2) coordinates data shadowing between servers under the Duplication Manager's control.

10. Duplicated Port 5098 is for Server 1 and Port 12080 is for Server 2.

11. CM as the destination is only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.

12. In CM 3.1 or later, the High Priority SSH service can be Disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface --> Server (Maintenance) --> Security --> Server Access --> Change Service Name High Priority SSH (2222) and set Service State to Disabled. Prior to CM 3.1, the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface --> Launch Maintenance Web Interface --> Security --> Firewall -> uncheck "Input to Server" for Server hp-sshd.

13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.

14. In CM 3.1 or later, the Station Administration Terminal (SAT) SSH service can be Disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface --> Server (Maintenance) --> Security --> Server Access --> Change Service Name SAT (SSH, 5022) and set Service State to Disabled.

15. In CM 3.1 or later, the Station Administration Terminal (SAT) Telnet service can be Disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface --> Server (Maintenance) --> Security --> Server Access --> Change Service Name SAT (Telnet, 5023) and set Service State to Disabled.

16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).

19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).

20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).

21. Ports used for internal filesync communication default to 20873 – 20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.

22. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.

23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.

24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
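The "Default Port State" column of the listen-port table is what an operator checks a running server against, so here is an added audit example that is not part of the Avaya document. It parses TCP listeners in the column layout of `ss -Hltn` output (a constructed sample) and compares them with a subset of the table's default states, reporting ports listening although the table says closed by default, ports open by default that are not listening, and listeners the table does not describe. The expected-state mapping holds only the subset of Table 1 named in the comments; everything else is constructed.

```python
"""Listener audit against port-matrix default states (added example, not Avaya code)."""

# Subset of Table 1: destination TCP port -> default port state
EXPECTED_DEFAULT = {
    443: "open",     # Avaya web administration interface (HTTPS)
    2222: "open",    # High Priority SSH
    5022: "open",    # SAT interface over SSH
    5023: "closed",  # SAT interface over Telnet
    5060: "closed",  # SIP
    5061: "closed",  # SIPS
    9000: "open",    # DGB (debugging tool)
}

# Constructed sample in the column layout of `ss -Hltn`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5022 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5023 0.0.0.0:*
LISTEN 0 128 [::]:2222 [::]:*
LISTEN 0 128 127.0.0.1:31337 0.0.0.0:*
"""


def listening_ports(ss_output):
    """Parse local port numbers from `ss -Hltn`-style lines; blank and
    malformed lines are skipped rather than failing the whole audit."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        _, _, port = local.rpartition(":")  # works for 0.0.0.0:443 and [::]:443
        if port.isdigit():
            ports.add(int(port))
    return ports


def audit(ss_output, expected=EXPECTED_DEFAULT):
    """Return the three deviation lists, each sorted ascending."""
    open_ports = listening_ports(ss_output)
    unexpected_open = [p for p in open_ports if expected.get(p) == "closed"]
    missing = [p for p, state in expected.items()
               if state == "open" and p not in open_ports]
    unknown = [p for p in open_ports if p not in expected]
    return {
        "unexpected_open": sorted(unexpected_open),
        "missing": sorted(missing),
        "unknown": sorted(unknown),
    }


if __name__ == "__main__":
    for kind, ports in audit(SAMPLE_SS_OUTPUT).items():
        print(f"{kind}: {ports}")
```

On the sample, 5023 (SAT over Telnet) is reported as unexpectedly open, 9000 as an open-by-default service that is not listening, and 31337 as a listener the matrix does not account for; a "closed" default that is found open is the case worth an immediate look, since it means either an administrator enabled it (Notes 14 and 15 describe where) or something else is bound to the port.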

Table 2: Talk-only Ports for Communication Manager

If a port is both listen and talk, it's covered by Table 1 rather than by Table 2.

| Source Network | Source System Port (Non-Configurable Range) | Destination Network | Destination System Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Description |
|---|---|---|---|---|---|---|
| CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages (ping, etc.); IP Protocol Number 1 |
| CM or CLAN | 1024–65535 | DNS Server | 53 | UDP / DNS | No | DNS Requests and Responses |
| CM | 1024–65535 | Network Time Server (NTS) | 123 | UDP / NTP | yes | Network Time Protocol (client) (Note 1) |
| CM | 1024–65535 | IPSI | 123 | UDP / NTP | yes | Network Time Protocol (client) (Note 7) |
| CM | 1024–65535 | SNMP NMS | 162 (0–65535) | UDP / SNMP Trap | yes | SNMP traps (client) for alarms or notable events (Note 2, Note 11) |
| CLAN | 1024–65535 | SNMP NMS | 162 | UDP / SNMP Trap | yes | SNMP traps (client) for alarms or notable events (Note 11) |
| CM | 1024–65535 | Rsyslog server | 514 | UDP / Syslog | yes | Remote system log storage |
| SRS | 514 | CM 1.3 or older | Note 7 | TCP / RSH | yes | Legacy Filesync Service (Note 7) |
| CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP / H.323 | yes | TTS (Note 8) |
| CM RADIUS Client | 1024–65535 | RADIUS Server | 1812, 1813 | UDP / RADIUS | no | RADIUS based login processing (Note 9) |
| CM | 1024–65535 | IPSI | 1956 | TCP / Proprietary | no | IPSI Command Server Service |
| CM | 1024–65535 | IPSI | 5010 | TCP / Proprietary | no | IPSI Server control channel |
| CM | 1024–65535 | IPSI | 5011 | TCP / Proprietary | No | IPSI Server IPSI version channel |
| CM | 1024–65535 | IPSI | 5012 | TCP / Proprietary | no | IPSI Server serial number channel |
| CM SafeWord Client | 1024–65535 | SafeWord Server | 5030 | TCP / SafeWord | yes | SafeWord based login processing (Note 9) |
| CM | 1024–65535 | SIP Trunks | 5060 (1 to 65535) | TCP / SIP | yes | SIP (Note 4, Note 5, Note 10) |
| CM | 1024–65535 | SIP Trunks | 5061 (1 to 65535) | TCP / TLS / SIPS | yes | SIP (Note 4, Note 6, Note 10) |
| CM SecurID Client | 1024–65535 | SecurID Server | 5500 | UDP / SecurID | yes | SecurID based login processing (Note 9) |
| CM or CLAN | 5500 | Audix LX, MM, MN | 1024–65535 | TCP / Proprietary | no | Audix Digital Networking |
| CM | 1024–65535 | AMS | 9061 (1 to 65535) | TCP / TLS / SIPS | yes | SIP (Note 10) |

NOTES

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface --> Server (Maintenance) --> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, NTP on the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.

2. By default, the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured via authenticating to the media server web interface --> Server (Maintenance) --> SNMP -> FP Traps -> Add/Change.

3. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 – 1023, but it's not configurable.

4. By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface --> type "display system-parameters customer-options" --> under page 4, see Processor Ethernet.

5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

7. CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.

8. Source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 – 61444.

9. Disabled by default. Requires root access to enable.

10. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.

11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.

1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information, similar to the following, has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.


2 Port Usage Diagram

[Figure: Avaya Aura® Communication Manager port usage diagram. Legend categories: HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP, Other. Peer groups shown: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any. Port labels shown: HTTPS-TCP 443, HTTP-TCP 80, SSH-TCP 22, SSH-TCP 2222, SSH-TCP 5022, HTTP-TCP 81, HTTPS-TCP 411, SNMP-UDP 161, SNMP-UDP 162, H.323-TCP default 1719, H.323-UDP 1719 (for registration), H.323-TCP 1720, SIP-TCP default 5060, SIP-TCP default 5061, SIP-TCP default 9061, Telnet-TCP 23, Telnet-TCP 5023, NTP-UDP 123, Syslog-UDP 514, Array Docker-TCP 2376, Arbiter-UDP 1332, Dupmgr-TCP 5098/12080, DGB-TCP 9000, Filesync-TCP 20873–21874, ICMP, Syslog-TLS 6514, Array Kafka-TCP 9988, ASAI-TCP 8765, H.323-TCP 1300, H.248-TCP 1039, H.248-TCP 2944, H.248-TCP 2945, H.245-TCP 59000–59200.]


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be simultaneously receiving information. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80, and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (Ingress) and outgoing (Egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket (discussed later). Therefore, each data stream is uniquely identified with two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).

Well-Known Ports are those numbered from 0 through 1023.

Registered Ports are those numbered from 1024 through 49151.

Dynamic Ports are those numbered from 49152 through 65535.

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers

Well-Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well understood application and range from 0 to 1023.

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 16

In UNIX and Linux operating systems only root may open or close a well-known port Well-Known Ports are also commonly referred to as ldquoprivileged portsrdquo

Registered Ports

Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings

Dynamic Ports

Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The dynamic port range is 49152 ndash 65535

Sockets

A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345 Data Flow 2 1721616141235 - 101232345 Data Flow 3 1721616141234 - 101242345 Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique Therefore if one IP address octet changes or one port number changes the data flow is unique

`

Client Web ServerHTTP-Get Source 1921681101369 Destination 1010104780

TCP-info Destination 1921681101369 Source 1010104780

Socket Example Diagram

Figure 1 Socket example showing ingress and egress data flows from a PC to a web server

Notice the client egress stream includes the clientrsquos source IP and socket (1369) and the destination IP and socket (80) The ingress stream has the source and destination information reversed because the ingress is coming from the server

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 17

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types

bull Packet Filtering

bull Application Level Gateways (Proxy Servers)

bull Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of the firewalls Each packet that arrives or leaves the network has its header fields examined against criterion to either drop the packet or let it through Routers configured with Access Control Lists (ACL) use packet filtering An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any device in the Accounting subnet

Application level gateways (ALG) act as a proxy preventing a direct connection between the foreign device and the internal destination device ALGs filter each individual packet rather than blindly copying bytes ALGs can also send alerts via email alarms or other methods and keep log files to track significant events

Hybrid firewalls are dynamic systems tracking each connection traversing all interfaces of the firewall and making sure they are valid In addition to looking at headers the content of the packet up through the application layer is examined A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table Stateful inspection firewalls close off ports until the connection to the specific port is requested This is an enhancement to security against port scanning2

Firewall Policies

The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access using IP addresses port numbers and application types and sub-types

This paper is focused with identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction but can also raise security concerns

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone

2 The act of systematically scanning a computers ports Since a port is a place where information goes into and out of a

computer port scanning identifies open doors to a computer Port scanning has legitimate uses in managing networks but

port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer

Page 8: Port Matrix Template

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 8

| Source | Source Port (System Port, Non-Configurable Range) | Destination | Destination Port (System Port, Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description |
|---|---|---|---|---|---|---|---|
| Admin Device | 1024–65535 | CM | 2222 | TCP SSH | Yes | open | High Priority SSH. Note 12, Note 23 |
| CM Array Mgmt | 1024–65535 | CM | 2376 | TCP TLS | Yes | closed | TLS encrypted exchange between Docker daemons (see Note 24) |
| H.248 GW | 1024–65535 | CM or CLAN | 2944 | TCP H.248 | Yes | closed | TLS encrypted H.248. Note 8, Note 13 |
| H.248 GW | 1024–65535 | CM or CLAN | 2945 | TCP H.248 | Yes | open | Unencrypted H.248. Note 8, Note 13 |
| Admin Device | 1024–65535 | CM | 5022 | TCP SSH | Yes | open | SAT interface over SSH. Note 14, Note 23 |
| Admin Device | 1024–65535 | CM | 5023 | TCP Telnet | Yes | closed | SAT interface over Telnet. Note 15, Note 23 |
| SIP Trunks | 1024–65535 | CM or CLAN | 5060 (5000–9999) | TCP SIP | Yes | closed | SIP. Note 8, Note 16, Note 22 |
| SIP Trunks | 1024–65535 | CM or CLAN | 5061 (5000–9999) | TCP TLS SIPS | Yes | closed | SIPS. Note 8, Note 17, Note 22 |
| CM | 1024–65535 | CM | 5098 | TCP TLS (optionally encrypted) | No | open | Dupmgr (SW duplication) – Server 1. Note 22 |
| CM | 1024–65535 | CM | 6514 | TLS/SYSLOG | Yes | closed | Server Log Files |
| AE Services | 1024–65535 | CM | 8765 | TCP ASAI (Q.931/ASN.1) | Yes | closed | AE Services. Note 20 |
| CM | 1024–65535 | CM | 9000 | TCP Proprietary | No | open | DGB (debugging tool) |
| AMS | 1024–65535 | CM | 9061 (5000–9999) | TCP/TLS SIPS | Yes | closed | SIP. Note 22 |
| CM Array Mgmt | 1024–65535 | CM | 9988 | TCP | Yes | closed | Exchange between Kafka (container) client and a Kafka Broker (see Note 24) |
| CM | 1024–65535 | CM | 12080 | TCP TLS (Proprietary, optionally encrypted) | No | closed | Dupmgr (SW duplication) – Server 2. Note 10 |
| CM, SCS, SRS | 20873–21872 | CM, SCS, SRS | 20873–21872 | TCP TLS | No | open | Internal Filesync communication. Note 21 |
| CM, SCS, SRS | 1024–65535 | CM – SRS | 21873 | TCP TLS | No | open | Filesync over SSL. Note 18 |
| CM, SCS, SRS | 1024–65535 | CM | 21874 | TCP TLS | No | open | Filesync over SSL. Note 19 |
| G650 | 1024–65535 | CM or CLAN | 59000–59200 | TCP H.245 | No | open | H.245 |

NOTES

1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SSH Server (SCP/SFTP 22)" and set Service State to Disabled.

2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).

3. This note for IP phone download was removed since it has been in disuse for many years.

4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select "Configure individual services" -> Continue -> select "Configure Time Server" -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, the duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).

5. By default, the Simple Network Management (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> add/change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.

6. By default, the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.

7. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.

8. By default, only the S8300D and S8300E servers have Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> on page 4 see "Processor Ethernet".

9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active, and 2) coordinates data shadowing between servers under the Duplication Manager's control.

10. Duplicated: Port 5098 is for Server 1 and Port 12080 is for Server 2.

11. CM as the destination applies only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.

12. In CM 3.1 or later, the High Priority SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "High Priority SSH (2222)" and set Service State to Disabled. Prior to CM 3.1, the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server "hp-sshd".

13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.

14. In CM 3.1 or later, the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SAT (SSH 5022)" and set Service State to Disabled.

15. In CM 3.1 or later, the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SAT (Telnet 5023)" and set Service State to Disabled.

16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).

19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).

20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).

21. Ports used for internal filesync communication default to 20873–20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.

22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.

24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
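The following is an added example, not Avaya code: it checks the listening sockets reported by a CM host against the Table 1 rows above (default port state) and against the out-of-band management rule in Note 23, so that a listener the matrix says is closed by default, or a management port reachable on the in-band interface, is flagged. The matrix rows are transcribed from this page; the `ss -lntu` output and the in-band address 192.0.2.10 are constructed sample data.

```python
"""Audit a CM server's listening sockets against Table 1 and Note 23.

Added example, not Avaya code. Matrix rows are transcribed from the table on
this page (single-port and range rows only); the `ss` output and the interface
address are constructed sample data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MatrixRow:
    port: int            # destination (listen) port on CM
    proto: str           # "tcp" or "udp"
    description: str
    default_state: str   # Default Port State column: "open" or "closed"


# Table 1 rows reproduced on this page (state normalised to lower case).
TABLE1 = [
    MatrixRow(2222, "tcp", "High Priority SSH", "open"),
    MatrixRow(2376, "tcp", "CM Array: TLS between Docker daemons", "closed"),
    MatrixRow(2944, "tcp", "TLS encrypted H.248", "closed"),
    MatrixRow(2945, "tcp", "Unencrypted H.248", "open"),
    MatrixRow(5022, "tcp", "SAT interface over SSH", "open"),
    MatrixRow(5023, "tcp", "SAT interface over Telnet", "closed"),
    MatrixRow(5060, "tcp", "SIP", "closed"),
    MatrixRow(5061, "tcp", "SIPS", "closed"),
    MatrixRow(5098, "tcp", "Dupmgr (SW duplication) server 1", "open"),
    MatrixRow(6514, "tcp", "TLS syslog (server log files)", "closed"),
    MatrixRow(8765, "tcp", "ASAI / AE Services", "closed"),
    MatrixRow(9000, "tcp", "DGB (debugging tool)", "open"),
    MatrixRow(9061, "tcp", "AMS SIPS", "closed"),
    MatrixRow(9988, "tcp", "CM Array: Kafka client to broker", "closed"),
    MatrixRow(12080, "tcp", "Dupmgr (SW duplication) server 2", "closed"),
    MatrixRow(21873, "tcp", "Filesync over SSL (CM 2.x main)", "open"),
    MatrixRow(21874, "tcp", "Filesync over SSL", "open"),
]
# Range rows from Table 1: (low, high, proto, description, default state).
TABLE1_RANGES = [
    (20873, 21872, "tcp", "Internal Filesync communication", "open"),
    (59000, 59200, "tcp", "H.245", "open"),
]
# Note 23: management ports to block on the in-band (voice) interface when a
# dedicated out-of-band management interface exists.
INBAND_BLOCK = {("tcp", p) for p in (80, 443, 22, 2222, 5022, 23, 5023)} | {
    ("udp", p) for p in (161, 162)
}
# A socket bound to a wildcard address is reachable on every interface.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# `ss -lntu` style lines: Netid State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s"
)

# Constructed sample of what `ss -lntu` might print on a CM host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*
tcp   LISTEN 0      128    192.0.2.10:5022     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5023        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:9000      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:21874       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (proto, bind_address, port) for each listening socket line."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            listeners.append((m.group("proto"), m.group("addr"), int(m.group("port"))))
    return listeners


def lookup(proto, port):
    """Find the matrix entry for a listener, or None if the matrix has no row."""
    for row in TABLE1:
        if row.proto == proto and row.port == port:
            return row.description, row.default_state
    for lo, hi, p, desc, state in TABLE1_RANGES:
        if p == proto and lo <= port <= hi:
            return desc, state
    return None


def audit(listeners, inband_addr):
    """Flag listeners the matrix does not list, listeners closed by default but
    found open, and Note 23 management ports reachable on the in-band interface
    (bound to its address or to a wildcard)."""
    findings = []
    for proto, addr, port in listeners:
        entry = lookup(proto, port)
        if entry is None:
            findings.append(("unknown", proto, port, "not in port matrix"))
        elif entry[1] == "closed":
            findings.append(("default-closed", proto, port, entry[0]))
        if (proto, port) in INBAND_BLOCK and (addr == inband_addr or addr in WILDCARDS):
            findings.append(("inband-mgmt", proto, port, "block per Note 23"))
    return findings


if __name__ == "__main__":
    # Constructed addresses: 192.0.2.10 is the in-band (voice) interface.
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT), "192.0.2.10"):
        print(*finding)
```

On a real host, feed the output of `ss -lntu` to `parse_listeners` and pass the address of the interface that carries voice traffic as `inband_addr`.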

Table 2: Talk-only Ports for Communication Manager

If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.

| Source | Source Port (System Port, Non-Configurable Range) | Destination | Destination Port (System Port, Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Description |
|---|---|---|---|---|---|---|
| CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages, ping etc. IP Protocol Number 1 |
| CM or CLAN | 1024–65535 | DNS Server | 53 | UDP DNS | No | DNS Requests and Responses |
| CM | 1024–65535 | Network Time Server (NTS) | 123 | UDP NTP | Yes | Network Time Protocol (client). Note 1 |
| CM | 1024–65535 | IPSI | 123 | UDP NTP | Yes | Network Time Protocol (client). Note 7 |
| CM | 1024–65535 | SNMP NMS | 162 (0–65535) | UDP SNMP Trap | Yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11 |
| CLAN | 1024–65535 | SNMP NMS | 162 | UDP SNMP Trap | Yes | SNMP traps (client) for alarms or notable events. Note 11 |
| CM | 1024–65535 | Rsyslog server | 514 | UDP Syslog | Yes | Remote system log storage |
| SRS | 514 | CM 1.3 or older (Note 7) | see Note 7 | TCP RSH | Yes | Legacy Filesync Service. Note 7 |
| CM (via CLAN/PE) | see Note 8 | H.323 Phone | 1720 | TCP H.323 | Yes | TTS. Note 8 |
| CM RADIUS Client | 1024–65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | No | RADIUS based login processing. Note 9 |
| CM | 1024–65535 | IPSI | 1956 | TCP Proprietary | No | IPSI Command Server Service |
| CM | 1024–65535 | IPSI | 5010 | TCP Proprietary | No | IPSI Server control channel |
| CM | 1024–65535 | IPSI | 5011 | TCP Proprietary | No | IPSI Server IPSI version channel |
| CM | 1024–65535 | IPSI | 5012 | TCP Proprietary | No | IPSI Server serial number channel |
| CM SafeWord Client | 1024–65535 | SafeWord Server | 5030 | TCP SafeWord | Yes | SafeWord based login processing. Note 9 |
| CM | 1024–65535 | SIP Trunks | 5060 (1–65535) | TCP SIP | Yes | SIP. Note 4, Note 5, Note 10 |
| CM | 1024–65535 | SIP Trunks | 5061 (1–65535) | TCP TLS SIPS | Yes | SIP. Note 4, Note 6, Note 10 |
| CM SecurID Client | 1024–65535 | SecurID Server | 5500 | UDP SecurID | Yes | SecurID based login processing. Note 9 |
| CM or CLAN | 5500 | Audix LX, MM, MN | 1024–65535 | TCP Proprietary | No | Audix Digital Networking |
| CM | 1024–65535 | AMS | 9061 (1–65535) | TCP/TLS/SIPS | Yes | SIP. Note 10 |

NOTES

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the media server's NTP can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.

2. By default, the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.

3. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512–1023, but it is not configurable.

4. By default, only the S8300D and S8300E servers have Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> on page 4 see "Processor Ethernet".

5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

7. CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.

8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440–61444.

9. Disabled by default. Requires root access to enable.

10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.

1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.


2 Port Usage Diagram

[Figure: Port Usage Diagram for Avaya Aura® Communication Manager. The image is not reproduced here; the labels it carries are listed below.]

Legend (traffic classes): HTTP/HTTPS; SIP(S)/H.323; SSH; SNMP; Proprietary; ICMP; Other.

Peer groups shown: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any.

Port labels shown: HTTPS-TCP 443; HTTP-TCP 80; SSH-TCP 22; SSH-TCP 2222; SSH-TCP 5022; HTTP-TCP 81; HTTPS-TCP 411; SNMP-UDP 161; SNMP-UDP 162; H.323-TCP default 1719; H.323-UDP 1719; H.323-TCP 1720; SIP-TCP default 5060; SIP-TCP default 5061; SIP-TCP default 9061; Telnet-TCP 23; Telnet-TCP 5023; NTP-UDP 123; Syslog-UDP 514; Array Docker-TCP 2376; Arbiter-UDP 1332; Dupmgr-TCP 5098/12080; DGB-TCP 9000; Filesync-TCP 20873–21874; ICMP; Syslog-TLS 6514; Array Kafka-TCP 9988; ASAI-TCP 8765; H.323-TCP 1300; H.248-TCP 1039; H.248-TCP 2944; H.248-TCP 2945; H.245-TCP 59000–59200; H.323-UDP 1719 (for registration).


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be simultaneously receiving information. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80, and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket (discussed later). Therefore, each data stream is uniquely identified with two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports, and Dynamic Ports (sometimes called Private Ports).

Well-Known Ports are those numbered from 0 through 1023.

Registered Ports are those numbered from 1024 through 49151.

Dynamic Ports are those numbered from 49152 through 65535.

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers

Well-Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well-understood application and range from 0 to 1023.


In UNIX and Linux operating systems, only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".

Registered Ports

Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024–49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152–65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow or conversation requires two sockets – one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345

Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345

Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore, if one IP address octet changes or one port number changes, the data flow is unique.

Socket Example Diagram

Client -> Web Server (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80

Web Server -> Client (TCP info): Destination 192.168.1.10:1369, Source 10.10.10.47:80

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server

Notice the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.


Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACL) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALG) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning².

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

² The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.

Page 9: Port Matrix Template

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 9

Source Destination

Network Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Non-Configurable Range)

System Port

(Configurable Range)

AMS 1024 ndash 65535

CM 9061

(5000-9999)

TCPTLS SIPS

Yes closed SIP

Note 22

CM Array Mgmt 1024 ndash 65535

CM 9988 TCP Yes closed

Exchange between Kafka (container) client and a Kafka Broker (See note 24)

CM 1024 ndash 65535

CM

12080 TCP TLS no Closed

Dupmgr (SW duplication) ndash Server 2

Note 10 Proprietary Optionally encrypted

CM SCS SRS 20873 - 21872

CM SCS SRS 20873 - 21872 TCP TLS no open

Internal Filesync communication

Note 21

CM SCS SRS 1024 ndash 65535

CM ndash SRS 21873 TCP TLS no open

Filesync over SSL

Note 18

CM SCS SRS 1024 ndash 65535

CM 21874 TCP TLS No open

Filesync over SSL

Note 19

G650 1024 ndash 65535

CM or CLAN 59000 ndash 59200 TCP H245 No open

H245

NOTES 1 The Secure Shell (SSH) Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be Disabled andor blocked by authenticating to the

media server web administration interface --gt Server (Maintenance) --gt Security --gt Server Access --gt Change Service Name SSH Server (SCPSFTP 22) and set Service State to Disabled

2 An Avaya Welcome and Access Warning banner is displayed via this port Once the user selects ldquoContinuerdquo this port automatically redirects to HTTPS (443tcp)

3 This note for IP phone download was removed since it has been in disuse for many years 4 The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration

interface --gt Server (Maintenance) --gt Server Configuration --gt Configure Server --gt Continue --gt Continue --gt Select Configure individual services --gt Continue --gt Select Configure Time Server --gt Select this computer synchronizes with the duplicated server This option is utilized to synchronize time between the main media server duplicated media server Survivable Remote Servers (SRS formerly called LSP) and Survivable Core Servers (SCS formerly called ESS)

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 10

5 By default the Simple Network Management (SNMP) Agent service is disabled The SNMP Agent service can be enabled and configured via authenticating to the media server web administration interface --gt Server (Maintenance) --gt SNMP -gt Access -gt addchange If SNMP is enabled it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security

6 By default the SNMP Trap server service is blocked The SNMP Trap server services can be unblocked via the media server host firewall by authenticating to the media server web administration interface --gt Server (Maintenance) --gt SNMP -gt Incoming Traps -gt AddChange

7 By default the Legacy Filesync service is disabled This port is only enabled if a CM 70 SRS is configured to synchronize translations with a CM main server running CM 13 or older

8 By default only the S8300D and S8300E servers have the Processor Ethernet enabled Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card Processor Ethernet can be confirmed enabled or disabled using the SAT interface --gt Type display system-parameters customer-options --gt under page 4 see Processor Ethernet

9 The Arbiter service is only enabled on duplicated servers The Arbiter process 1) Decides which server is healthier and more able to be active and 2) Coordinates data shadowing between servers under the Duplication Managerrsquos control

10 Duplicated Port 5098 is for Server 1 and Port 12080 is for Server 2 11 CM as the destination is only when Processor Ethernet is enabled The Processor Ethernet limits H323 signaling connection requests to a processor-

dependent rate on the order of 5-10 per second 12 In CM31 or later the High Priority SSH service can be Disabled andor blocked via the media server host firewall by authenticating to the media server web

administration interface --gt Server (Maintenance) --gt Security --gt Server Access --gt Change Service Name High Priority SSH (2222) and set Service State to Disabled Prior to CM31 the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface --gt Launch Maintenance Web Interface --gt Security --gt Firewall -gt Uncheck Input to Server for Server hp-sshd

13 The H248 service is only enabled on media servers with Processor Ethernet enabled It limits connection requests to 50 with a burst limit of 100 14 In CM31 or later the Station Administration Terminal (SAT) SSH service can be Disabled andor blocked via the media server host firewall by authenticating

to the media server web administration interface --gt Server (Maintenance) --gt Security --gt Server Access --gt Change Service Name SAT (SSH 5022) and set Service State to Disabled

15 In CM31 or later the Station Administration Terminal (SAT) Telnet service can be Disabled andor blocked via the media server host firewall by authenticating to the media server web administration interface --gt Server (Maintenance) --gt Security --gt Server Access --gt Change Service Name SAT (Telnet 5023) and set Service State to Disabled

16 The SIP service is only enabled on media servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS

17 The SIPS service is only enabled on media servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS

18 If the main CM server is CM2x and the survivable CM servers are CM 70 filesync (over SSL) utilizes port 21873tcp to transfer translation unicode license and password files to the standby server(s)

19 In CM3x and later filesync over SSL utilizes port 21874tcp to transfer translation unicode license and password files to the standby server(s)

20 Optionally encrypted in CM 41 and later See AE Services Administration and Maintenance Guide Release 41 (02-300357 Issue 8 December 2007) 21 Ports used for internal filesync communication defaults to 20873 ndash 20877 Number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in

etcoptecsecsconf

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 11

22 TLS enabled AMS SIP signaling groups on CM are blocked from using 1719 1720 5060 or 5061 TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061 TLS enabled H323 signaling groups are blocked from using 5061 or 9061

23 If an Ethernet interface has been dedicated for use by out-of-band management firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication http 80 and 443 ssh 22 2222 and 5022 telnet 23 and 5023 SNMP 161 and 162

24 The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container) This feature is not activated unless CM Array is configured

Table 2 Talk-only Ports for Communication Manager

If a port is both listen and talk its covered by table 1 rather than by table 2

Column key: Source and Destination each give the Network Application and its System Port. A port shown as "n (a to b)" is the non-configurable default with the configurable range in parentheses.

Source                | Source Port     | Destination               | Destination Port    | Protocol         | Optionally Enabled/Disabled | Description
----------------------+-----------------+---------------------------+---------------------+------------------+-----------------------------+-----------------------------------------------------------
CM                    | N/A (N/A)       | any                       | N/A (N/A)           | ICMP             | N/A                         | ICMP messages, ping, etc. (IP Protocol Number 1)
CM or CLAN            | 1024 - 65535    | DNS Server                | 53                  | UDP DNS          | No                          | DNS Requests and Responses
CM                    | 1024 - 65535    | Network Time Server (NTS) | 123                 | UDP NTP          | yes                         | Network Time Protocol (client). Note 1
CM                    | 1024 - 65535    | IPSI                      | 123                 | UDP NTP          | yes                         | Network Time Protocol (client). Note 7
CM                    | 1024 - 65535    | SNMP NMS                  | 162 (0-65535)       | UDP SNMP Trap    | yes                         | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN                  | 1024 - 65535    | SNMP NMS                  | 162                 | UDP SNMP Trap    | yes                         | SNMP traps (client) for alarms or notable events. Note 11
CM                    | 1024 - 65535    | Rsyslog server            | 514                 | UDP Syslog       | yes                         | Remote system log storage
SRS                   | 514             | CM 1.3 or older (Note 7)  |                     | TCP RSH          | yes                         | Legacy Filesync Service. Note 7
CM (via CLAN/PE)      | Note 8          | H.323 Phone               | 1720                | TCP H.323        | yes                         | TTS. Note 8
CM RADIUS Client      | 1024 - 65535    | RADIUS Server             | 1812, 1813          | UDP RADIUS       | no                          | RADIUS based login processing. Note 9
CM                    | 1024 - 65535    | IPSI                      | 1956                | TCP Proprietary  | no                          | IPSI Command Server Service
CM                    | 1024 - 65535    | IPSI                      | 5010                | TCP Proprietary  | no                          | IPSI Server control channel
CM                    | 1024 - 65535    | IPSI                      | 5011                | TCP Proprietary  | No                          | IPSI Server IPSI version channel
CM                    | 1024 - 65535    | IPSI                      | 5012                | TCP Proprietary  | no                          | IPSI Server serial number channel
CM SafeWord Client    | 1024 - 65535    | SafeWord Server           | 5030                | TCP SafeWord     | yes                         | SafeWord based login processing. Note 9
CM                    | 1024 - 65535    | SIP Trunks                | 5060 (1 to 65535)   | TCP SIP          | yes                         | SIP. Note 4, Note 5, Note 10
CM                    | 1024 - 65535    | SIP Trunks                | 5061 (1 to 65535)   | TCP/TLS SIPS     | yes                         | SIP. Note 4, Note 6, Note 10
CM SecurID Client     | 1024 - 65535    | SecurID Server            | 5500                | UDP SecurID      | yes                         | SecurID based login processing. Note 9
CM or CLAN            | 5500            | Audix LX, MM, MN          | 1024 - 65535        | TCP Proprietary  | no                          | Audix Digital Networking
CM                    | 1024 - 65535    | AMS                       | 9061 (1 to 65535)   | TCP/TLS/SIPS     | yes                         | SIP. Note 10

NOTES

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.

2. By default, the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.

3. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 - 1023, but it is not configurable.

4. By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> on page 4, see Processor Ethernet.

5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services (e.g. wrongly attempting to use 5060 for TLS).

6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services (e.g. wrongly attempting to use 5060 for TLS).

7. CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.

8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 - 61444.

9. Disabled by default. Requires root access to enable.

10. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.

11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443, SSH 22, 2222 and 5022, Telnet 23 and 5023, SNMP 161 and 162.
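Every row of Table 2 has CM (or a C-LAN) as the socket initiator, which makes the table usable as an egress allow-list: connection records whose source is a CM host but whose destination port, protocol or source range is not in the table deserve a rule review or an incident ticket. The following Python audit is an added example and is not part of the Avaya document. It encodes a subset of the Table 2 rows as data, parses constructed conntrack-style log lines, and reports which CM-initiated flows the matrix does not account for. The host inventory, IP addresses and log lines are assumptions made for the example.

```python
"""Audit CM egress flows against the talk-only rows of Table 2.

Added example. Inventory, rule subset and log lines below are constructed
assumptions for illustration, not data from the Avaya document.
"""
from dataclasses import dataclass
from typing import Optional

EPHEMERAL = (1024, 65535)  # source range Table 2 lists for CM-initiated flows

# Constructed host inventory: IP -> role name as used in the matrix.
INVENTORY = {
    "10.0.1.10": "CM",
    "10.0.1.11": "CLAN",
    "10.0.2.53": "DNS Server",
    "10.0.2.12": "NTS",
    "10.0.2.16": "SNMP NMS",
    "10.0.2.14": "Rsyslog server",
    "10.0.3.5": "IPSI",
    "10.0.4.60": "SIP Trunks",
    "10.0.5.7": "AMS",
}


@dataclass(frozen=True)
class Rule:
    src_roles: tuple   # roles allowed to initiate the flow
    sport: tuple       # (low, high) permitted source port range
    dst_role: str      # destination role from the inventory
    dports: tuple      # permitted destination ports
    proto: str         # "tcp" or "udp"
    description: str


# Subset of Table 2 (CM or CLAN is the initiator in every row).
TABLE2 = (
    Rule(("CM", "CLAN"), EPHEMERAL, "DNS Server", (53,), "udp", "DNS Requests and Responses"),
    Rule(("CM",), EPHEMERAL, "NTS", (123,), "udp", "Network Time Protocol (client)"),
    Rule(("CM",), EPHEMERAL, "IPSI", (123,), "udp", "NTP to IPSI"),
    Rule(("CM", "CLAN"), EPHEMERAL, "SNMP NMS", (162,), "udp", "SNMP traps"),
    Rule(("CM",), EPHEMERAL, "Rsyslog server", (514,), "udp", "Remote system log storage"),
    Rule(("CM",), EPHEMERAL, "RADIUS Server", (1812, 1813), "udp", "RADIUS based login processing"),
    Rule(("CM",), EPHEMERAL, "IPSI", (1956, 5010, 5011, 5012), "tcp", "IPSI server channels"),
    Rule(("CM",), EPHEMERAL, "SIP Trunks", (5060, 5061), "tcp", "SIP / SIPS trunks"),
    Rule(("CM",), EPHEMERAL, "AMS", (9061,), "tcp", "SIP over TLS to AMS"),
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed conntrack-style line: 'udp src=A sport=N dst=B dport=M'."""
    proto, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Flow(proto.lower(), fields["src"], int(fields["sport"]),
                fields["dst"], int(fields["dport"]))


def match_rule(flow: Flow) -> Optional[Rule]:
    """Return the Table 2 row that permits this flow, or None if no row does."""
    src_role = INVENTORY.get(flow.src)
    dst_role = INVENTORY.get(flow.dst)
    for rule in TABLE2:
        if (src_role in rule.src_roles and dst_role == rule.dst_role
                and flow.proto == rule.proto and flow.dport in rule.dports
                and rule.sport[0] <= flow.sport <= rule.sport[1]):
            return rule
    return None


def audit(lines) -> list:
    """Classify each line as expected, unexpected, or out-of-scope (source is not CM/CLAN)."""
    report = []
    for line in lines:
        flow = parse_flow(line)
        if INVENTORY.get(flow.src) not in ("CM", "CLAN"):
            report.append((line, "out-of-scope", None))   # Table 2 only covers CM-initiated flows
            continue
        rule = match_rule(flow)
        verdict = "expected" if rule else "unexpected"
        report.append((line, verdict, rule.description if rule else None))
    return report


SAMPLE_LOG = [  # constructed sample lines, not captured from a real system
    "udp src=10.0.1.10 sport=40123 dst=10.0.2.53 dport=53",     # DNS, listed
    "tcp src=10.0.1.10 sport=40200 dst=10.0.3.5 dport=5010",    # IPSI control channel, listed
    "tcp src=10.0.1.10 sport=40201 dst=10.0.4.60 dport=5061",   # SIPS trunk, listed
    "tcp src=10.0.1.10 sport=40300 dst=10.0.4.60 dport=23",     # Telnet toward a trunk: not listed
    "tcp src=10.0.1.11 sport=40301 dst=10.0.2.14 dport=514",    # CLAN syslog over TCP: row is CM/UDP only
    "tcp src=10.0.2.53 sport=53 dst=10.0.1.10 dport=40123",     # reply traffic, not a CM-initiated flow
]


def unexpected_flows(lines=SAMPLE_LOG) -> list:
    """Lines that need a firewall rule review or an incident ticket."""
    return [line for line, verdict, _ in audit(lines) if verdict == "unexpected"]


if __name__ == "__main__":
    for line, verdict, desc in audit(SAMPLE_LOG):
        print(f"{verdict:12} {line}" + (f"  [{desc}]" if desc else ""))
```

The audit deliberately applies the matrix literally, including the 1024 - 65535 source range, so a flow that a real deployment legitimately sends from a low source port would also be flagged; tune the rule table to the notes that apply (for example Note 7 for NTP to IPSI) before using it for alerting.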

1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.


2 Port Usage Diagram

[Figure: port usage diagram for Avaya Aura® Communication Manager. The drawing is not reproduced here; only its labels are recoverable and are listed below.]

Protocol legend: HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP, Other.

Peer groups shown around Communication Manager: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any.

Port labels shown in the diagram: HTTPS-TCP 443, HTTP-TCP 80, SSH-TCP 22, SSH-TCP 2222, SSH-TCP 5022, HTTP-TCP 81, HTTPS-TCP 411, SNMP-UDP 161, SNMP-UDP 162, H.323-TCP default 1719, H.323-UDP 1719, H.323-TCP 1720, SIP-TCP default 5060, SIP-TCP default 5061, SIP-TCP default 9061, Telnet-TCP 23, Telnet-TCP 5023, NTP-UDP 123, Syslog-UDP 514, Array Docker-TCP 2376, Arbiter-UDP 1332, Dupmgr-TCP 5098 / 12080, DGB-TCP 9000, Filesync-TCP 20873 - 21874, ICMP, Syslog-TLS 6514, Array Kafka-TCP 9988, ASAI-TCP 8765, H.323-TCP 1300, H.248-TCP 1039, H.248-TCP 2944, H.248-TCP 2945, H.245-TCP 59000 - 59200, H.323-UDP 1719 (for registration).


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be simultaneously receiving information. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (Ingress) and outgoing (Egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket (discussed later). Therefore, each data stream is uniquely identified with two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).

Well-Known Ports are those numbered from 0 through 1023.

Registered Ports are those numbered from 1024 through 49151.

Dynamic Ports are those numbered from 49152 through 65535.

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers

Well-Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well understood application and range from 0 to 1023.


In UNIX and Linux operating systems, only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".

Registered Ports

Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024 - 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152 - 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow, or conversation, requires two sockets - one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore, if one IP address octet changes or one port number changes, the data flow is unique.

[Figure: socket example diagram. Client 192.168.1.10 to Web Server 10.10.10.47. Egress (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80. Ingress (TCP info): Source 10.10.10.47:80, Destination 192.168.1.10:1369.]

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.

Notice that the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.


Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [2].

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[2] The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
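Two of the points above are easiest to see in a small simulation: a policy rule is written for the socket initiator only, with the firewall supplying the return path from its state table, and a stateful firewall leaves a port closed until a permitted connection to it has been requested. The Python below is an added example and is not part of the Avaya document; the subnets, hosts and rules are constructed, and the Telnet rule reproduces the Engineering-to-Accounting case used in the text. The same four packets are run through a stateful and a stateless instance of the filter so the difference in required rules is visible.

```python
"""Stateful vs. stateless filtering of socket pairs.

Added example for the Firewall Types / Firewall Policies discussion. The
networks, hosts and policy rules are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_net: str              # CIDR of the socket initiator
    dst_net: str              # CIDR of the listener
    proto: str
    dst_port: Optional[int]   # None = any destination port
    action: str               # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.dst_port in (None, p.dst_port))


class Firewall:
    """Rules describe the initiator direction; the state table admits replies."""

    def __init__(self, rules, stateful: bool = True):
        self.rules = list(rules)
        self.stateful = stateful
        self.state = set()   # 5-tuples of flows an accepted initiator has opened

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reply_key(p: Packet):
        # The same socket pair seen from the other end of the flow.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def filter(self, p: Packet) -> str:
        if self.stateful and (self._key(p) in self.state or self._reply_key(p) in self.state):
            return "accept:established"        # return path created automatically
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "accept":
                    if self.stateful:
                        self.state.add(self._key(p))
                    return "accept:new"
                return "drop:rule"
        return "drop:default"                  # unsolicited traffic, including probes of closed ports


ENGINEERING = "172.16.10.0/24"   # constructed subnets
ACCOUNTING = "172.16.20.0/24"
POLICY = [
    Rule(ENGINEERING, ACCOUNTING, "tcp", 23, "drop"),     # the document's Telnet example
    Rule(ENGINEERING, ACCOUNTING, "tcp", 443, "accept"),  # HTTPS to an accounting web server
]


def scenario(stateful: bool) -> list:
    """Run the same four packets through a stateful or a stateless instance."""
    fw = Firewall(POLICY, stateful=stateful)
    packets = [
        Packet("tcp", "172.16.10.5", 51000, "172.16.20.9", 443),  # request from Engineering
        Packet("tcp", "172.16.20.9", 443, "172.16.10.5", 51000),  # reply from Accounting
        Packet("tcp", "172.16.10.5", 51001, "172.16.20.9", 23),   # Telnet attempt
        Packet("tcp", "172.16.20.9", 443, "172.16.10.5", 52000),  # unsolicited packet from the server
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print("stateful :", scenario(True))
    print("stateless:", scenario(False))
```

With `stateful=True` the reply on packet 2 is admitted from the state table and the unsolicited packet 4 is dropped because no initiator opened that socket pair; with `stateful=False` the reply is dropped as well, which is exactly the second, reverse-direction rule the text says some firewalls let you omit.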



Application level gateways (ALG) act as a proxy preventing a direct connection between the foreign device and the internal destination device ALGs filter each individual packet rather than blindly copying bytes ALGs can also send alerts via email alarms or other methods and keep log files to track significant events

Hybrid firewalls are dynamic systems tracking each connection traversing all interfaces of the firewall and making sure they are valid In addition to looking at headers the content of the packet up through the application layer is examined A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table Stateful inspection firewalls close off ports until the connection to the specific port is requested This is an enhancement to security against port scanning2

Firewall Policies

The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access using IP addresses port numbers and application types and sub-types

This paper is focused with identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction but can also raise security concerns

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone

2 The act of systematically scanning a computers ports Since a port is a place where information goes into and out of a

computer port scanning identifies open doors to a computer Port scanning has legitimate uses in managing networks but

port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer


22. TLS-enabled AMS SIP signaling groups on CM are blocked from using ports 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

23. If an Ethernet interface has been dedicated to out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that carries in-band (voice) communication: HTTP/HTTPS 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.

24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured. Because the Docker daemon API is equivalent to root on the host, port 2376 should be reachable only from the other servers in the array.

Table 2: Talk-only Ports for Communication Manager

If a port is both listen and talk, it is covered by Table 1 rather than by Table 2. The Source column names the socket initiator; the Destination column names the listener.

| Source: Network Application | Source: System Port (Non-Configurable Range) | Destination: Network Application | Destination: System Port (Configurable Range) | Protocol | Optionally Enabled / Disabled | Description |
|---|---|---|---|---|---|---|
| CM | NA | any | NA | ICMP | NA | ICMP messages (ping, etc.); IP protocol number 1 |
| CM or CLAN | 1024 - 65535 | DNS Server | 53 | UDP / DNS | No | DNS requests and responses |
| CM | 1024 - 65535 | Network Time Server (NTS) | 123 | UDP / NTP | Yes | Network Time Protocol (client); Note 1 |
| CM | 1024 - 65535 | IPSI | 123 | UDP / NTP | Yes | Network Time Protocol (client); Note 7 |
| CM | 1024 - 65535 | SNMP NMS | 162 (0 - 65535) | UDP / SNMP Trap | Yes | SNMP traps (client) for alarms or notable events; Note 2, Note 11 |
| CLAN | 1024 - 65535 | SNMP NMS | 162 | UDP / SNMP Trap | Yes | SNMP traps (client) for alarms or notable events; Note 11 |
| CM | 1024 - 65535 | Rsyslog server | 514 | UDP / Syslog | Yes | Remote system log storage |
| SRS | 514 | CM 1.3 or older | 512 - 1023 (Note 3) | TCP / RSH | Yes | Legacy Filesync Service; Note 3 |
| CM (via CLAN/PE) | 61440 - 61444 (Note 8) | H.323 Phone | 1720 | TCP / H.323 | Yes | TTS; Note 8 |
| CM RADIUS Client | 1024 - 65535 | RADIUS Server | 1812, 1813 | UDP / RADIUS | No | RADIUS based login processing; Note 9 |
| CM | 1024 - 65535 | IPSI | 1956 | TCP / Proprietary | No | IPSI Command Server Service |
| CM | 1024 - 65535 | IPSI | 5010 | TCP / Proprietary | No | IPSI Server control channel |
| CM | 1024 - 65535 | IPSI | 5011 | TCP / Proprietary | No | IPSI Server IPSI version channel |
| CM | 1024 - 65535 | IPSI | 5012 | TCP / Proprietary | No | IPSI Server serial number channel |
| CM SafeWord Client | 1024 - 65535 | SafeWord Server | 5030 | TCP / SafeWord | Yes | SafeWord based login processing; Note 9 |
| CM | 1024 - 65535 | SIP Trunks | 5060 (1 - 65535) | TCP / SIP | Yes | SIP; Note 4, Note 5, Note 10 |
| CM | 1024 - 65535 | SIP Trunks | 5061 (1 - 65535) | TCP+TLS / SIPS | Yes | SIP; Note 4, Note 6, Note 10 |
| CM SecurID Client | 1024 - 65535 | SecurID Server | 5500 | UDP / SecurID | Yes | SecurID based login processing; Note 9 |
| CM or CLAN | 5500 | Audix LX, MM, MN | 1024 - 65535 | TCP / Proprietary | No | Audix Digital Networking |
| CM | 1024 - 65535 | AMS | 9061 (1 - 65535) | TCP+TLS / SIPS | Yes | SIP; Note 10 |

NOTES

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface: Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name of a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. The media server can be configured to accept multicast timing messages or to poll the NTS directly. Finally, keys can optionally be provided for authenticated communication with the NTS.

2. By default, the SNMP Trap client service is disabled. It can be enabled and configured by authenticating to the media server web interface: Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.

3. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 - 1023 and is not configurable.

4. By default, only the S8300D and S8300E servers have Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Whether Processor Ethernet is enabled can be confirmed from the SAT interface: type "display system-parameters customer-options" and see "Processor Ethernet" on page 4.

5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services (for example, wrongly attempting to use 5060 for TLS).

6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services (for example, wrongly attempting to use 5060 for TLS).

7. CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.

8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 - 61444.

9. Disabled by default. Requires root access to enable.

10. TLS-enabled AMS SIP signaling groups on CM are blocked from using ports 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

11. If an Ethernet interface has been dedicated to out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that carries in-band (voice) communication: HTTP/HTTPS 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.

14. Port Table Changes: There are no port changes from the R7.0.1 release.

15. Port Table Changes on CMM: The CMM port usage information that used to appear in Table 1 has been removed because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.
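The Table 2 rows and Note 11 translate directly into host-firewall rules, and the Source column decides which chain a rule belongs in. The Python below is an added example, not Avaya code: it builds iptables command strings from a few rows constructed from Table 2 and emits them without applying anything. The peer addresses (10.0.0.x, 10.0.1.0/24) and the interface name eth1 for the in-band voice interface are assumptions for the example.

```python
"""Build iptables rules from talk-only port-matrix rows (added example, not Avaya code).

Assumptions (not from the port matrix): eth1 is the in-band voice interface and
the peer addresses below are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TalkOnlyFlow:
    """One Table 2 row: CM is the socket initiator (the Source column)."""
    application: str
    proto: str      # "tcp" or "udp"
    sport: str      # CM source port or range, iptables lo:hi syntax
    dest: str       # peer address or network (assumed for the example)
    dport: str      # peer listening port or range


# Constructed from Table 2 rows; destination addresses are assumptions.
FLOWS: List[TalkOnlyFlow] = [
    TalkOnlyFlow("DNS",        "udp", "1024:65535", "10.0.0.53",   "53"),
    TalkOnlyFlow("NTP",        "udp", "1024:65535", "10.0.0.123",  "123"),
    TalkOnlyFlow("SNMP trap",  "udp", "1024:65535", "10.0.0.162",  "162"),
    TalkOnlyFlow("Syslog",     "udp", "1024:65535", "10.0.0.14",   "514"),
    TalkOnlyFlow("RADIUS",     "udp", "1024:65535", "10.0.0.18",   "1812:1813"),
    TalkOnlyFlow("SIP trunk",  "tcp", "1024:65535", "10.0.1.0/24", "5060"),
    TalkOnlyFlow("SIPS trunk", "tcp", "1024:65535", "10.0.1.0/24", "5061"),
]

# Note 11 / Note 23: management ports that must not be reachable in-band.
MGMT_PORTS: Dict[str, List[int]] = {
    "tcp": [80, 443, 22, 2222, 5022, 23, 5023],
    "udp": [161, 162],
}


def egress_rule(flow: TalkOnlyFlow, iface: str = "eth1") -> str:
    """Allow CM to open the flow; because CM is the Source, this is an OUTPUT rule."""
    return (f"iptables -A OUTPUT -o {iface} -p {flow.proto} --sport {flow.sport} "
            f"-d {flow.dest} --dport {flow.dport} -m conntrack --ctstate NEW -j ACCEPT")


def return_path_rules(iface: str = "eth1") -> List[str]:
    """Two conntrack rules carry every flow CM itself initiated, in both directions.

    This is the safe form of the "automatic return path": a reply is matched
    against the tracked 5-tuple, so an unsolicited packet that merely carries
    source port 123 is not admitted.
    """
    return [
        f"iptables -A INPUT -i {iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A OUTPUT -o {iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def mgmt_block_rules(iface: str = "eth1") -> List[str]:
    """Drop the Note 11 management ports on the in-band interface."""
    rules = []
    for proto, ports in MGMT_PORTS.items():
        plist = ",".join(str(p) for p in ports)
        rules.append(f"iptables -A INPUT -i {iface} -p {proto} "
                     f"-m multiport --dports {plist} -j DROP")
    return rules


def build_ruleset(flows: List[TalkOnlyFlow] = FLOWS, inband: str = "eth1") -> List[str]:
    """Rule order: default-deny, loopback, explicit mgmt drops, return path, egress allows."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
    ]
    rules += mgmt_block_rules(inband)        # before any ACCEPT so nothing can bypass them
    rules += return_path_rules(inband)
    rules += [egress_rule(f, inband) for f in flows]
    return rules


def ports_blocked_inband(ruleset: List[str], proto: str) -> List[int]:
    """Check helper: which ports does the generated ruleset drop for a protocol?"""
    for r in ruleset:
        if f"-p {proto} -m multiport --dports" in r and r.endswith("-j DROP"):
            return [int(p) for p in r.split("--dports ")[1].split(" ")[0].split(",")]
    return []


if __name__ == "__main__":
    print("\n".join(build_ruleset()))
```

The DROP rules for the management ports are placed before the conntrack ACCEPT deliberately: a rule that is reached first cannot be bypassed by a later, broader rule, and the check helper lets a configuration test confirm that the Note 11 port list survived any later edit of the generator.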


2 Port Usage Diagram

[Figure: Avaya Aura Communication Manager port usage diagram. The legend groups ports by protocol family: HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP, Other. Peers shown around CM: Network Admin; Phone, trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any. Arrow directions are not reproduced here; Table 1 and Table 2 give the initiator (source) for each flow.]

Port labels in the figure:

- HTTP - TCP 80; HTTPS - TCP 443; HTTP - TCP 81; HTTPS - TCP 411
- SSH - TCP 22, 2222, 5022
- Telnet - TCP 23, 5023
- SNMP - UDP 161, 162
- H.323 - TCP 1719 (default), UDP 1719 (for registration), TCP 1720, TCP 1300
- H.245 - TCP 59000 - 59200
- H.248 - TCP 1039, 2944, 2945
- SIP - TCP 5060 (default), 5061 (default), 9061 (default)
- NTP - UDP 123
- Syslog - UDP 514, TLS 6514
- CM Array: Docker - TCP 2376; Kafka - TCP 9988
- Arbiter - UDP 1332; Dupmgr - TCP 5098, 12080; DGB - TCP 9000; Filesync - TCP 20873 - 21874
- ASAI - TCP 8765
- ICMP


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (assigned at http://www.iana.org/assignments/port-numbers) to deliver traffic arriving at a particular IP device to the correct upper-layer application. Ports are logical identifiers (16-bit numbers) that let a device multiplex and de-multiplex information streams. Consider a desktop PC on which several applications receive data at the same time: e-mail may use destination TCP port 25, a browser destination TCP port 80 and a Telnet session destination TCP port 23. The port numbers let the PC de-multiplex a single incoming packet stream into three streams inside the PC, and each stream is handed to the right application because its port number identifies which application it belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of the logical connections that carry data flows. Each TCP or UDP stream has an IP address and a port number at both the source and the destination. The pairing of an IP address and a port number is called a socket (discussed later), so each data stream is uniquely identified by two sockets. The source must know both sockets before it can send a data stream to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. A listening port actively waits for a source (client) to contact the destination (server) on a port that has a known protocol associated with it. HTTPS, for example, is assigned port 443: when a source contacts a destination on port 443, the server process listening there is expected to speak HTTPS. The mapping from port number to protocol is a convention rather than a property of the packet, which is why a filter that looks only at port numbers cannot tell whether the traffic on 443 really is HTTPS.

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).

Well-Known Ports are those numbered from 0 through 1023

Registered Ports are those numbered from 1024 through 49151

Dynamic Ports are those numbered from 49152 through 65535

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.

Well-Known Ports

To provide a service to clients that are not known in advance, a service listen port is defined. The server process uses this port as its listen port, and common services use listen ports in the well-known range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is waiting for a client to contact the server's IP address on that port number to establish a Telnet session; well-known port 25 is waiting for an e-mail (SMTP) session, and so on. These ports are tied to a well-understood application and range from 0 to 1023.


In UNIX and Linux operating systems only root (or, on Linux, a process holding the CAP_NET_BIND_SERVICE capability) may bind a listening socket to a well-known port; well-known ports are therefore also referred to as "privileged ports". The restriction applies to opening the port, not to connecting to it from a client.

Registered Ports

Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range, and Avaya uses ports in this range for call control. Some, but not all, of the ports Avaya uses in this range are 1719/1720 for H.323, 5060/5061 for SIP and 2944 for H.248. The registered port range is 1024 - 49151. Even though a port is registered with an application name, industry often uses these ports for different applications, so conflicts can occur in an enterprise when the same port number is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called "private ports", are available for any general purpose: no meaning is associated with them (similar to RFC 1918 IP address usage). They are the safest ports to choose for a new service because no application type is linked to them, and operating systems draw ephemeral client source ports from this range. The dynamic port range is 49152 - 65535. Note that many Linux systems use a different ephemeral range (32768 - 60999 by default), so firewall rules for client source ports should allow the full 1024 - 65535 range shown in the tables rather than only 49152 - 65535.

Sockets

A socket is the pairing of an IP address with a port number, for example 192.168.5.17:3009, where 3009 is the port number associated with the IP address. A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow therefore has two sockets with a total of four logical elements, and each data flow must be unique: if any one of the four elements differs, the data flow is distinct. (The transport protocol is a fifth element; the same four elements can exist once as a TCP flow and once as a UDP flow.) The following three data flows are uniquely identified by port number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid, typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second socket as data flow 1, but because the port number on the first socket differs the data flow is unique. Data flow 3 has the same port numbers as data flow 1, but one octet of the second IP address differs. Therefore, if one IP address octet changes or one port number changes, the data flow is unique.

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.

Client egress (HTTP GET): Source 192.168.1.10:1369 -> Destination 10.10.10.47:80
Client ingress (TCP reply): Source 10.10.10.47:80 -> Destination 192.168.1.10:1369

Notice that the client egress stream carries the client's source IP and port (1369) and the destination IP and port (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.


Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

- Packet Filtering
- Application Level Gateways (Proxy Servers)
- Hybrid (Stateful Inspection)

Packet filtering is the most basic form of firewall. Each packet that enters or leaves the network has its header fields examined against a set of criteria and is either dropped or passed. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from establishing a Telnet connection to any device in the Accounting subnet. A packet filter has no memory of earlier packets, so return traffic needs a rule of its own (for example, permitting inbound UDP with source port 123 back to the client's ephemeral range), and that rule also admits unsolicited packets that merely carry the expected source port.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs examine each individual packet at the application layer rather than blindly copying bytes. They can also send alerts via e-mail, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems that track each connection traversing any of the firewall's interfaces and confirm that it is valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of each connection and records it in a state table. It keeps ports closed until a connection to the specific port is requested by an allowed initiator, which improves resistance to port scanning.2

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. Policies restrict access using IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the Source column in the port matrices in this document is the socket initiator is key to building some types of firewall policies. Some firewalls can be configured to create the return path through the firewall automatically whenever the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but it can also raise security concerns: the automatically created reverse path should be bound to the tracked connection (its addresses, ports and state), not expressed as a standing port-based allow rule.

Another feature of some firewalls is an umbrella policy that allows many independent data flows using a common higher-layer attribute (for example, all flows belonging to one call). Finally, many firewall rules can be avoided altogether by placing endpoints and the servers that serve them in the same firewall zone.

2 The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature if someone is looking for a weakened access point to break into your computer.
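To make the socket and return-path discussion above concrete, here is an added example (not from the Avaya document) of a minimal stateful filter: it keys a state table on the 5-tuple, admits return traffic only when the reversed tuple is already in the table, and drops probes to ports with no state and no matching rule. The addresses, the single allow rule (CM hosts in 10.1.1.0/24 to an NTP server at 10.0.0.123, mirroring the NTP row of Table 2) and the packet sequence are constructed for the demo.

```python
"""Minimal stateful packet filter model (added example, not from the port matrix).

Constructed for the demo: CM sits in 10.1.1.0/24, the NTP server is 10.0.0.123,
and 10.9.9.9 is an outside host probing the CM.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, str, int]   # proto, src ip, src port, dst ip, dst port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> FiveTuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> FiveTuple:
        # The same conversation seen from the other end: the two sockets swapped.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class AllowRule:
    """Written from the initiator's side, like the Source/Destination columns."""
    proto: str
    src_prefix: str                # crude network match, enough for the demo
    sport_range: Tuple[int, int]
    dst: str
    dport: int

    def matches(self, p: Packet) -> bool:
        lo, hi = self.sport_range
        return (p.proto == self.proto and p.src.startswith(self.src_prefix)
                and lo <= p.sport <= hi and p.dst == self.dst and p.dport == self.dport)


class StatefulFilter:
    def __init__(self, rules: List[AllowRule]) -> None:
        self.rules = rules
        self.state: Dict[FiveTuple, str] = {}   # tracked flows, keyed by 5-tuple
        self.dropped: List[str] = []

    def process(self, p: Packet) -> str:
        # 1. Part of a tracked flow (either direction): accept without consulting rules.
        if p.key() in self.state or p.reverse_key() in self.state:
            return "ACCEPT"
        # 2. New flow: only the initiator side may open it, and only per an allow rule.
        for rule in self.rules:
            if rule.matches(p):
                self.state[p.key()] = "ESTABLISHED"
                return "ACCEPT"
        # 3. No state and no rule: this is what a port scan, or a forged "reply"
        #    that merely carries a plausible source port, looks like.
        self.dropped.append(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "DROP"


def run_demo() -> Tuple[List[str], StatefulFilter]:
    fw = StatefulFilter([AllowRule("udp", "10.1.1.", (1024, 65535), "10.0.0.123", 123)])
    packets = [
        Packet("udp", "10.1.1.5", 50000, "10.0.0.123", 123),   # CM -> NTS: new flow, allowed
        Packet("udp", "10.0.0.123", 123, "10.1.1.5", 50000),   # NTS reply: reverse tuple is tracked
        Packet("udp", "10.9.9.9", 123, "10.1.1.5", 50000),     # forged reply from another host
        Packet("tcp", "10.9.9.9", 40000, "10.1.1.5", 22),      # scan of SSH on the voice interface
        Packet("udp", "10.1.1.5", 50001, "10.0.0.123", 123),   # second CM query: distinct 4-tuple
        Packet("tcp", "10.1.1.5", 50000, "10.0.0.123", 123),   # same 4-tuple, other protocol
    ]
    verdicts = [fw.process(p) for p in packets]
    return verdicts, fw


if __name__ == "__main__":
    verdicts, fw = run_demo()
    print(verdicts)
    print("tracked flows:", len(fw.state), "dropped:", fw.dropped)
```

The third packet is the case that distinguishes a stateful firewall from a stateless return-path rule: it has the right destination socket and a source port of 123, but no entry for the reversed tuple exists, so it is dropped. The last packet shows that the transport protocol is part of the key; the UDP state entry does not cover a TCP packet with the same four elements.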

Page 12: Port Matrix Template

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 12

Source Destination

Network Application

Protocol

Optionally

Enabled

Disabled

Description System Port

(Non-Configurable

Range)

System Port

(Configurable Range)

SRS 514 CM 13 or

older Note 7 TCP RSH yes Legacy Filesync Service Note 7

CM (via CLANPE)

Note 8 H323 Phone

1720 TCP H323 yes TTS

Note 8

CM RADIUS Client

1024 ndash 65535 RADIUS Server

1812 1813 UDP

RADIUS no

RADIUS based login processing

Note 9

CM 1024 - 65535 IPSI

1956 TCP

Proprietary no IPSI Command Server Service

CM 1024 - 65535 IPSI

5010 TCP

Proprietary no IPSI Server control channel

CM 1024 - 65535 IPSI

5011 TCP

Proprietary No IPSI Server IPSI version channel

CM 1024 - 65535 IPSI

5012 TCP

Proprietary no IPSI Server serial number channel

CM SafeWord Client

1024 ndash 65535 SafeWord

Server 5030

TCP

SafeWord yes

SafeWord based login processing Note 9

CM 1024 ndash 65535 SIP Trunks 5060

(1 to 65535) TCP SIP yes

SIP

Note 4 Note 5 Note 10

CM 1024 ndash 65535 SIP Trunks 5061

(1 to 65535)

TCP TLS SIPS

yes SIP

Note 4 Note 6 Note 10

CM SecurID Client

1024 ndash 65535 SecurID Server

5500 UDP

SecurID yes

SecurID based login processing Note 9

CM or CLAN 5500 Audix LX MM MN

1024 - 65535 TCP

Proprietary no Audix Digital Networking

CM 1024 ndash 65535 AMS 9061

(1 to 65535)

TCPTLSSIPS

yes SIP

Note 10

NOTES 1 The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface --gt

Server (Maintenance) --gt Server Configuration -gt NTP Configuration -gt NTP Mode (Enabled Disabled) The IP address or Domain Name Server (DNS) Name for a Primary Secondary or Tertiary Network Time Server (NTS) can be provided Furthermore the NTP the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS) Finally keys can optionally be provided for secure communications with the NTS

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 13

2 By default SNMP Trap client service is disabled The SNMP Trap client service can be enabled and configured via authenticating to the media server web interface --gt Server (Maintenance) --gt SNMP -gt FP Traps -gt AddChange

3 By default the Legacy Filesync service is disabled This port is only enabled if a CM 70 SRS is configured to synchronize translations with a CM main server running CM 13 or older The destination port range is 512 - 1023 but its not configurable

4 By default only the S8300D and S8300E servers have the Processor Ethernet enabled Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card Processor Ethernet can be confirmed enabled or disabled using the SAT interface --gt Type display system-parameters customer-options --gt under page 4 see Processor Ethernet

5 The SIP service is only enabled on CM servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS

6 The SIPS service is only enabled on CM servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS

7 CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request 8 Source port is configurable using the ldquochange ip-network-regionrdquo SAT command (page 2) The default is 61440 ndash 61444 9 Disabled by default Requires root access to enable 10 TLS enabled AMS SIP signaling groups on CM are blocked from using 1719 1720 5060 or 5061 TLS enabled non-AMS SIP signaling groups are blocked from

using 1720 or 9061 TLS enabled H323 signaling groups are blocked from using 5061 or 9061 11 If an Ethernet interface has been dedicated for use by out-of-band management firewall rules should be used to block the following management ports on the

Ethernet interface that is to be used for in-band (voice) communication http 80 and 443 ssh 22 2222 and 5022 telnet 23 and 5023 SNMP 161 and 162

14 Port Table Changes There are no port changes from the R701 release

15 Port Table Changes on CMM The CMM port usage information similar to the following has been removed from Table 1 because this CM Port Matrix document no longer covers CMM A separate Avaya Port Matrix document for CMM will instead contain updated information about CMMs IP port usage

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 14

2 Port Usage Diagram

Avaya Aurareg

Communication

Manager

HTTPHTTPS SIP(S)H323

SSH SNMP

Proprietary ICMP Other

Network Admin

HTTPS-TCP443

HTTP-TCP80

SSH-TCP22

SSH-TCP2222

SSH-TCP5022

Phone or trunk or

SIP media server

HTTP-TCP81

HTTPS-TCP411

SNMP-UDP161

SNMP-UDP162

H323-TCP default 1719

H323-UDP1719

H323-TCP1720

SIP-TCP default 5060

SIP-TCP default 5061

SIP-TCP default 9061

Other CM Servers

Telnet-TCP23

Telnet-TCP5023

NTP-UDP123

Syslog-UDP514 Array Docker-TCP2376

Media Gateways

Arbiter-UDP1332

Dupmgr-TCP5098 12080

DGB-TCP 9000

Filesync-TCP 20873- 21874

ICMP

NTP-UDP123

Syslog-UDP514 Syslog-TLS6514 Array KafkaTCP9988

Other or Any

ASAI-TCP 8765

H323-TCP1300

H248-TCP1039

H248-TCP2944

H248-TCP2945

H245-TCP59000-59200

H323-UDP1719 For registration

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 15

Appendix A Overview of TCPIP Ports

What are ports and how are they used

TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams Consider your desktop PC Multiple applications may be simultaneously receiving information In this example email may use destination TCP port 25 a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Furthermore each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs Every IP device has incoming (Ingress) and outgoing (Egress) data streams

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation

Port Type Ranges

Port numbers are divided into three ranges Well-Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports)

Well-Known Ports are those numbered from 0 through 1023

Registered Ports are those numbered from 1024 through 49151

Dynamic Ports are those numbered from 49152 through 65535

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers

Well-Known Ports

For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well-known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 16

In UNIX and Linux operating systems only root may open or close a well-known port Well-Known Ports are also commonly referred to as ldquoprivileged portsrdquo

Registered Ports

Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings

Dynamic Ports

Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The dynamic port range is 49152 ndash 65535

Sockets

A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345 Data Flow 2 1721616141235 - 101232345 Data Flow 3 1721616141234 - 101242345 Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique Therefore if one IP address octet changes or one port number changes the data flow is unique


Figure 1: Socket example showing ingress and egress data flows from a PC to a web server. The diagram (not reproduced here) shows a Client and a Web Server joined by two streams:

HTTP-Get (client egress): Source 192.168.1.10:1369, Destination 10.10.10.47:80

TCP-info (client ingress): Destination 192.168.1.10:1369, Source 10.10.10.47:80

Notice the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.


Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning.²

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

² The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
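The four-element flow identity from the Sockets section, the reversed ingress stream of Figure 1, and the "allow the initiator, admit the return stream" option described under Firewall Policies, worked as an added Python example (not code from the Avaya document). The three data flows and the Figure 1 sockets are the document's own; the allow rule and the unsolicited packet are constructed.

```python
"""Socket pairs, data-flow identity and stateful return-path matching.

Added example for the Sockets and Firewall Policies sections of the Avaya
Port Matrix; it is not code from the document. The four-element flow
identity (two IP addresses, two port numbers) and the "allow the initiator,
admit the reversed stream" rule are modelled directly on the text.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class Socket:
    """One end of a data flow: an IP address paired with a port number."""
    ip: IPv4Address
    port: int

    @classmethod
    def parse(cls, text: str) -> "Socket":
        # "172.16.16.14:1234" -> Socket(172.16.16.14, 1234)
        host, _, port = text.strip().rpartition(":")
        port_no = int(port)
        if not 0 <= port_no <= 65535:
            raise ValueError(f"port out of range: {port_no}")
        return cls(ip_address(host), port_no)


@dataclass(frozen=True)
class Flow:
    """Two sockets, i.e. four logical elements; a change in any one of them
    makes a different flow, which is what the set semantics below rely on."""
    src: Socket
    dst: Socket

    @classmethod
    def parse(cls, text: str) -> "Flow":
        # Document notation: "172.16.16.14:1234 - 10.1.23.2:345"
        left, right = text.split("-", 1)
        return cls(Socket.parse(left), Socket.parse(right))

    def reverse(self) -> "Flow":
        # The ingress stream of Figure 1: source and destination swapped.
        return Flow(self.dst, self.src)


def unique_flows(lines):
    """Distinct flows among the given lines (exact duplicates collapse)."""
    return {Flow.parse(line) for line in lines}


class StatefulFirewall:
    """Allow rules are written for the socket initiator only (the 'source'
    column of the matrices). Once an initiating flow is admitted it goes into
    the state table, and the reversed flow (the return stream) is admitted by
    matching that entry, so no second rule is needed for the other direction.
    Anything not initiated from inside is dropped, including a packet that
    merely looks like a reply: the port stays closed until requested."""

    def __init__(self, allow_rules):
        # allow_rules: iterable of (source network, destination port), e.g.
        # ("192.168.1.0/24", 80): clients on that subnet may initiate to port 80.
        self.rules = [(ip_network(net), port) for net, port in allow_rules]
        self.state = set()

    def permit(self, flow: Flow) -> bool:
        if flow.reverse() in self.state:
            return True                      # return stream of an admitted flow
        for net, port in self.rules:
            if flow.src.ip in net and flow.dst.port == port:
                self.state.add(flow)         # remember the initiator's 4-tuple
                return True
        return False                         # unsolicited: dropped


if __name__ == "__main__":
    flows = unique_flows([
        "172.16.16.14:1234 - 10.1.23.2:345",   # Data Flow 1
        "172.16.16.14:1235 - 10.1.23.2:345",   # Data Flow 2: first port differs
        "172.16.16.14:1234 - 10.1.24.2:345",   # Data Flow 3: one octet differs
        "172.16.16.14:1234 - 10.1.23.2:345",   # repeat of Data Flow 1
    ])
    print(len(flows), "distinct flows")        # 3

    fw = StatefulFirewall([("192.168.1.0/24", 80)])              # constructed rule
    egress = Flow.parse("192.168.1.10:1369 - 10.10.10.47:80")    # Figure 1 HTTP-Get
    print("egress     ", fw.permit(egress))              # True: rule matches
    print("ingress    ", fw.permit(egress.reverse()))    # True: state table entry
    # Constructed: looks like a server reply, but no client ever initiated it.
    print("unsolicited", fw.permit(Flow.parse("10.10.10.47:80 - 192.168.1.10:1370")))
```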


2 By default, the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.

3 By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 - 1023, but it is not configurable.

4 By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Whether Processor Ethernet is enabled or disabled can be confirmed using the SAT interface -> type display system-parameters customer-options -> on page 4, see Processor Ethernet.

5 The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

6 The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.

7 CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.

8 Source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 to 61444.

9 Disabled by default. Requires root access to enable.

10 TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

11 If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.

1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information, similar to the following, has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.


2 Port Usage Diagram

[Figure: Avaya Aura® Communication Manager port usage diagram; the graphic is not reproduced here. Its legend groups the flows as HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP and Other. The labels recovered from the diagram, in the order they appear, are listed below.]

Network Admin

HTTPS-TCP 443, HTTP-TCP 80, SSH-TCP 22, SSH-TCP 2222, SSH-TCP 5022

Phone or trunk or SIP media server

HTTP-TCP 81, HTTPS-TCP 411, SNMP-UDP 161, SNMP-UDP 162, H.323-TCP default 1719, H.323-UDP 1719, H.323-TCP 1720, SIP-TCP default 5060, SIP-TCP default 5061, SIP-TCP default 9061

Other CM Servers

Telnet-TCP 23, Telnet-TCP 5023, NTP-UDP 123, Syslog-UDP 514, Array Docker-TCP 2376

Media Gateways

Arbiter-UDP 1332, Dupmgr-TCP 5098, 12080, DGB-TCP 9000, Filesync-TCP 20873-21874, ICMP, NTP-UDP 123, Syslog-UDP 514, Syslog-TLS 6514, Array Kafka-TCP 9988

Other or Any

ASAI-TCP 8765, H.323-TCP 1300, H.248-TCP 1039, H.248-TCP 2944, H.248-TCP 2945, H.245-TCP 59000-59200, H.323-UDP 1719 (for registration)


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC: multiple applications may be receiving information simultaneously. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80, and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both the source and destination IP devices. The pairing of an IP address and a port number is called a socket (discussed later). Therefore, each data stream is uniquely identified by two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports, and Dynamic Ports (sometimes called Private Ports).

Well-Known Ports are those numbered from 0 through 1023.

Registered Ports are those numbered from 1024 through 49151.

Dynamic Ports are those numbered from 49152 through 65535.

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers

Well-Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well-understood application and range from 0 to 1023.
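The three IANA port ranges and the root-only rule for well-known ports described in this appendix, together with the per-port restrictions stated in note 10 of the port table and the registered-port conflict caveat, as an added Python example (not Avaya's code). The range boundaries are the document's, the blocked-port sets restate note 10, and the service inventory with its host names is constructed.

```python
"""Port-range classification, privileged-port binding and port conflicts.

Added example for the Port Type Ranges and Well-Known/Registered Ports
sections and for note 10 of the port table; it is not code from the Avaya
document. Range boundaries are IANA's as quoted in the text; the blocked-port
sets restate note 10; SAMPLE_INVENTORY and its host names are constructed.
"""
from collections import defaultdict
from enum import Enum


class PortRange(Enum):
    WELL_KNOWN = "well-known"   # 0 - 1023, "privileged" on UNIX/Linux
    REGISTERED = "registered"   # 1024 - 49151, e.g. 1719/1720, 5060/5061, 2944
    DYNAMIC = "dynamic"         # 49152 - 65535, "private"/ephemeral


def classify(port: int) -> PortRange:
    """Map a port number onto the three IANA ranges quoted in the text."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a TCP/UDP port: {port}")
    if port <= 1023:
        return PortRange.WELL_KNOWN
    if port <= 49151:
        return PortRange.REGISTERED
    return PortRange.DYNAMIC


def may_bind(port: int, uid: int) -> bool:
    """UNIX/Linux rule from the text: only root (uid 0) may open a well-known
    port; registered and dynamic ports are open to any user."""
    return uid == 0 or classify(port) is not PortRange.WELL_KNOWN


# Note 10 restated as data: ports a TLS-enabled signaling group may not use.
TLS_BLOCKED_PORTS = {
    ("sip", "ams"): {1719, 1720, 5060, 5061},   # TLS AMS SIP signaling groups
    ("sip", "non-ams"): {1720, 9061},           # TLS non-AMS SIP signaling groups
    ("h323", None): {5061, 9061},               # TLS H.323 signaling groups
}


def tls_port_allowed(protocol: str, port: int, flavour=None) -> bool:
    """True if a TLS-enabled signaling group of this kind may use `port`.

    protocol is "sip" (flavour "ams" or "non-ams") or "h323" (flavour None).
    """
    return port not in TLS_BLOCKED_PORTS[(protocol, flavour)]


def find_conflicts(inventory):
    """Registered-port caveat from the text: one port number used by two
    servers with different meanings. inventory: iterable of
    (host, port, application). Returns {port: {application, ...}} for every
    port that carries more than one application across the inventory."""
    apps_by_port = defaultdict(set)
    for _host, port, app in inventory:
        apps_by_port[port].add(app)
    return {p: apps for p, apps in apps_by_port.items() if len(apps) > 1}


# Constructed inventory: two hosts agree on 5060 (SIP), but a third host has
# put something other than H.248 on 2944, the kind of clash the text warns of.
SAMPLE_INVENTORY = [
    ("cm-main", 5060, "SIP"),
    ("sm-edge", 5060, "SIP"),
    ("cm-main", 2944, "H.248"),
    ("lab-app", 2944, "custom-rpc"),
    ("cm-main", 1720, "H.323"),
]

if __name__ == "__main__":
    for p in (23, 1720, 5061, 61440):
        who = "root only" if not may_bind(p, 1000) else "any user"
        print(f"{p:>5} {classify(p).value:<11} bind: {who}")
    print("TLS AMS SIP on 5060 allowed?", tls_port_allowed("sip", 5060, "ams"))
    print("TLS H.323 on 1720 allowed?  ", tls_port_allowed("h323", 1720))
    print("conflicts:", find_conflicts(SAMPLE_INVENTORY))
```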



Page 15: Port Matrix Template

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 15

Appendix A Overview of TCPIP Ports

What are ports and how are they used

TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams Consider your desktop PC Multiple applications may be simultaneously receiving information In this example email may use destination TCP port 25 a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Furthermore each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs Every IP device has incoming (Ingress) and outgoing (Egress) data streams

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation

Port Type Ranges

Port numbers are divided into three ranges Well-Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports)

Well-Known Ports are those numbered from 0 through 1023

Registered Ports are those numbered from 1024 through 49151

Dynamic Ports are those numbered from 49152 through 65535

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers

Well-Known Ports

For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well-known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 16

In UNIX and Linux operating systems only root may open or close a well-known port Well-Known Ports are also commonly referred to as ldquoprivileged portsrdquo

Registered Ports

Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings

Dynamic Ports

Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The dynamic port range is 49152 ndash 65535

Sockets

A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345 Data Flow 2 1721616141235 - 101232345 Data Flow 3 1721616141234 - 101242345 Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique Therefore if one IP address octet changes or one port number changes the data flow is unique

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server (diagram not reproduced; the two labelled streams from the figure are):

Client -> Web Server, HTTP GET: Source 192.168.1.10:1369, Destination 10.10.10.47:80

Web Server -> Client, TCP info: Source 10.10.10.47:80, Destination 192.168.1.10:1369

Notice the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
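To make the port ranges and the four-element flow identity concrete, here is an added Python example that is not part of the Avaya document. It classifies ports into the three ranges described above, parses the socket pairs of the three data flows and of Figure 1, reports which of the four elements makes two flows differ, and shows that the egress and ingress streams of Figure 1 are two distinct flows belonging to one conversation. The dotted addresses and ports are the document's; the function names and the "src_ip:port -> dst_ip:port" notation are this example's own assumptions.

```python
import ipaddress
from typing import Iterable, List, NamedTuple

WELL_KNOWN_MAX = 1023     # 0-1023: privileged on UNIX/Linux (root only)
REGISTERED_MAX = 49151    # 1024-49151: e.g. H.323 1719/1720, SIP 5060/5061, H.248 2944
DYNAMIC_MAX = 65535       # 49152-65535: private/ephemeral, no assigned meaning


def port_class(port: int) -> str:
    """Return the range a port falls in, using the boundaries the document gives."""
    if not 0 <= port <= DYNAMIC_MAX:
        raise ValueError(f"port out of range: {port}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"


class Socket(NamedTuple):
    """An IP address paired with a port number, e.g. 192.168.5.17:3009."""
    ip: ipaddress.IPv4Address
    port: int


class Flow(NamedTuple):
    """One data flow: source socket and destination socket (four logical elements)."""
    src: Socket
    dst: Socket


def parse_socket(text: str) -> Socket:
    """Parse 'a.b.c.d:port'; rejects malformed addresses and out-of-range ports."""
    host, sep, port = text.strip().rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"bad socket literal: {text!r}")
    sock = Socket(ipaddress.IPv4Address(host), int(port))
    port_class(sock.port)  # raises if the port exceeds 65535
    return sock


def parse_flow(text: str) -> Flow:
    """Parse 'src_ip:port -> dst_ip:port' (notation assumed by this example)."""
    left, sep, right = text.partition("->")
    if not sep:
        raise ValueError(f"bad flow literal: {text!r}")
    return Flow(parse_socket(left), parse_socket(right))


def differing_elements(a: Flow, b: Flow) -> List[str]:
    """Names of the four elements on which two flows differ; non-empty means distinct."""
    names = ("src.ip", "src.port", "dst.ip", "dst.port")
    va = (a.src.ip, a.src.port, a.dst.ip, a.dst.port)
    vb = (b.src.ip, b.src.port, b.dst.ip, b.dst.port)
    return [n for n, x, y in zip(names, va, vb) if x != y]


def all_distinct(flows: Iterable[Flow]) -> bool:
    flows = list(flows)
    return len(set(flows)) == len(flows)


def conversation_key(f: Flow):
    """Direction-independent key: the egress and ingress streams of Figure 1
    are two flows but one conversation, so they map to the same key."""
    a = (int(f.src.ip), f.src.port)
    b = (int(f.dst.ip), f.dst.port)
    return (a, b) if a <= b else (b, a)


# The three data flows from the Sockets section of the document.
DATA_FLOWS = [
    parse_flow("172.16.16.14:1234 -> 10.1.2.3:2345"),
    parse_flow("172.16.16.14:1235 -> 10.1.2.3:2345"),
    parse_flow("172.16.16.14:1234 -> 10.1.2.4:2345"),
]

# The client / web server exchange from Figure 1.
EGRESS = parse_flow("192.168.1.10:1369 -> 10.10.10.47:80")
INGRESS = parse_flow("10.10.10.47:80 -> 192.168.1.10:1369")

if __name__ == "__main__":
    for i, f in enumerate(DATA_FLOWS, 1):
        print(f"Data flow {i}: {f.src.ip}:{f.src.port} -> {f.dst.ip}:{f.dst.port}")
    print("all three distinct:", all_distinct(DATA_FLOWS))
    print("flow 1 vs 2 differ in:", differing_elements(DATA_FLOWS[0], DATA_FLOWS[1]))
    print("flow 1 vs 3 differ in:", differing_elements(DATA_FLOWS[0], DATA_FLOWS[2]))
    print("Figure 1 client port class:", port_class(EGRESS.src.port))
    print("Figure 1 server port class:", port_class(EGRESS.dst.port))
    print("egress and ingress share a conversation:",
          conversation_key(EGRESS) == conversation_key(INGRESS))
```

The conversation key is the idea a stateful firewall relies on: it records the initiating flow once and recognises the reversed ingress stream as the same conversation, rather than needing a second entry for the return direction.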


Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning.²

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.

This paper focuses on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.
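The following added Python example is not code from the Avaya document; it is a toy stateful-inspection filter that ties the firewall types and policy points above together. A first-match rule set decides whether the socket initiator (the source column in the matrices) may open a flow, the state table then admits the return stream without a second rule, and a packet with neither matching state nor a permitting rule is dropped, which is what "closing off ports until the connection is requested" means in practice. The packet-filter ACL from the text (Engineering may not telnet into Accounting) is included as an explicit deny. The Engineering and Accounting subnets (10.20.0.0/16 and 10.30.0.0/16), the source ports, and the probe address 203.0.113.5 are constructed placeholders; 192.168.1.10:1369 and 10.10.10.47:80 are the client and web server of Figure 1.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple


class Packet(NamedTuple):
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True only for the TCP segment that opens a connection


class Rule(NamedTuple):
    action: str                      # "allow" or "deny"
    proto: str
    src_net: ipaddress.IPv4Network   # who may initiate (the matrix "source" column)
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]          # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.proto == self.proto
            and ipaddress.IPv4Address(pkt.src_ip) in self.src_net
            and ipaddress.IPv4Address(pkt.dst_ip) in self.dst_net
            and (self.dst_port is None or pkt.dst_port == self.dst_port)
        )


def rule(action: str, proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> Rule:
    return Rule(action, proto, ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst), dst_port)


class StatefulFirewall:
    """Toy hybrid (stateful inspection) firewall: rules judge the initiator only;
    the state table carries the return direction. Default policy is deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Set[Tuple] = set()   # canonical keys of established conversations
        self.log: List[str] = []

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        # Direction-independent key so the egress and ingress packets of one
        # conversation look up the same state-table entry.
        a = (pkt.src_ip, pkt.src_port)
        b = (pkt.dst_ip, pkt.dst_port)
        return (pkt.proto,) + ((a, b) if a <= b else (b, a))

    def process(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.state:
            verdict = "allow (established)"      # return path, no second rule needed
        elif pkt.proto == "tcp" and not pkt.syn:
            verdict = "drop (no state)"          # non-SYN TCP with no state is never an opener
        else:
            hit = next((r for r in self.rules if r.matches(pkt)), None)
            if hit is not None and hit.action == "allow":
                self.state.add(key)              # the only place state is created
                verdict = "allow (new flow)"
            else:
                verdict = "drop (policy)"        # explicit deny or implicit default deny
        self.log.append(
            f"{pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} {verdict}"
        )
        return verdict


# Constructed policy. Subnets are placeholders; 10.10.10.47:80 is the Figure 1 web server.
ENGINEERING = "10.20.0.0/16"
ACCOUNTING = "10.30.0.0/16"
WEB_SERVER = "10.10.10.47/32"

POLICY = [
    rule("deny", "tcp", ENGINEERING, ACCOUNTING, 23),   # the document's telnet ACL example
    rule("allow", "tcp", "0.0.0.0/0", WEB_SERVER, 80),  # clients may initiate HTTP to the server
]

# Constructed packet sequence exercising each policy outcome.
DEMO_PACKETS = [
    Packet("tcp", "10.20.1.5", 40000, "10.30.1.9", 23, syn=True),       # Engineering -> Accounting telnet
    Packet("tcp", "192.168.1.10", 1369, "10.10.10.47", 80, syn=True),   # Figure 1 egress (client opens)
    Packet("tcp", "10.10.10.47", 80, "192.168.1.10", 1369),             # Figure 1 ingress (server replies)
    Packet("tcp", "10.10.10.47", 80, "192.168.1.10", 1370),             # server-originated, no state
    Packet("tcp", "203.0.113.5", 5555, "192.168.1.10", 445, syn=True),  # unsolicited probe of a closed port
]


def run_demo() -> Tuple[List[str], List[str]]:
    fw = StatefulFirewall(POLICY)
    verdicts = [fw.process(p) for p in DEMO_PACKETS]
    return verdicts, fw.log


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The fourth packet is the security concern the text alludes to: the return path exists only because the state table recorded a client-initiated flow the policy allowed, so a server-originated packet to a different client port has no state and is dropped. A firewall that instead installs a static reverse rule (server 80 to any client, any port) would admit that packet too, which is why the automatic return path should be preferred over a hand-written reverse rule.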

² The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
