Avaya - Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1
Avaya Port Matrix
Avaya Aura® Communication Manager 8.1.0
Issue 1.1
May 1, 2019
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND FURTHERMORE AVAYA INC. MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL ELIMINATE SECURITY THREATS TO CUSTOMERS' SYSTEMS. AVAYA INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES, REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY CIRCUMSTANCES, BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN. THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE OF THESE TERMS.
© 2019 Avaya Inc. All Rights Reserved. All trademarks identified by ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.
1 Communication Manager Components
Data flows and their sockets are owned and directed by an application. A server can host more than one application, but this document covers only the CM application, not other applications running in separate virtual machines under VMware on the same hardware. For the CM application, sockets are created on the server's network interfaces, but the traffic they carry is not necessarily sourced from the server itself: the source may be the server's Processor Ethernet (PE), or it may be another network element such as a CLAN circuit pack. For the purposes of firewall configuration these sockets are treated as sourced from the server, so the host firewall (the iptables service) should be running on the same server.
Component | Interface | Description
CM | Ethernet | All traffic
The table above lists only "Ethernet", but that interface may be either CM's Processor Ethernet or the Ethernet interface on a CLAN circuit pack. Each Avaya CM server model has a number of network interfaces (up to 5), each with its own IP address. The following table shows how the different processor models use their network interfaces (NICs). In each cell the first value is an IP address and the second the maximum supported speed in megabits per second. Interfaces assigned address 192.11.13.6 are for the Avaya Services laptop (eth0 on the S8300 models and eth1 on the rack-mount servers in the table). Interfaces assigned address 192.11.13.13 or 192.11.13.14 are for the server duplication link, labeled eth3 in the table. Addresses in 127.0.0.0/8 are host loopback or internal addresses. Addresses marked "administered" are assigned by the customer from the customer's network.
Note: the IP addresses for the Ethernet ports in this table are shown as examples only.
Interface (1) | S8300D | S8300E | R610, R620, DL360G7, DL360PG8 (Simplex) | R610, R620, DL360G7, DL360PG8 (Duplex)
eth0 | 192.11.13.6, 1000 | 192.11.13.6, 1000 | administered, 1000 | administered, 1000
eth0:0 | -- | -- | -- | --
eth1 | inet6, 1000 | inet6, 1000 | 192.11.13.6, 1000 | 192.11.13.6, 1000
eth1:0000 | 135.9.71.116 | 135.9.71.116 | -- | --
eth1.4093 | 169.254.1.31 | 169.254.1.31 | -- | --
eth2 | -- | administered, 1000 | administered, 1000 | administered, 1000
eth2:0 | -- | -- | -- | --
eth3 | -- | -- | -- | 192.11.13.13 (Server 1) and 192.11.13.14 (Server 2), 1000
eth3:0 | -- | -- | -- | --
eth4 | -- | -- | -- | --
eth4:0 | -- | -- | -- | --
1.1 Document Change History

Event | Document Date | Change Description
Version 1.0 issued for a new CM R8.1 minor release | 18 Apr 2019 | Document stored as <190586>. A summary of changes:
  • Syslog over TLS uses TCP port 6514
  • CM Array feature uses TCP port 2376 for communication between Docker daemons
  • CM Array feature uses TCP port 9988 for communication between a container (Kafka) client and the container broker
Version 1.1 re-edited to correct some document errors | | A summary of changes:
  • Removed port 81; HTTP IP phone updates have not been supported for many years
  • Updated the Port Matrix diagram to move "Array Kafka" to point to the "Other" block

(1) A colon in the interface name indicates an alias; a period in the interface name indicates a VLAN.
Port Usage Tables
1.2 Port Usage Table Heading Definitions

Source System: the system name or type that initiates connection requests.
Source Port: the default layer-4 port number of the connection source. Valid values are 0-65535. A "(C)" next to the port number means the port number is configurable.
Destination System: the system name or type that receives connection requests.
Destination Port: the default layer-4 port number to which the connection request is sent. Valid values are 0-65535. A "(C)" next to the port number means the port number is configurable.
Network/Application Protocol: the name associated with the layer-4 protocol and the layer 5-7 application.
Optionally Enabled/Disabled: whether customers can enable or disable a layer-4 port, changing its default port state. Valid values are Yes or No.
  "No" means the default port state cannot be changed (i.e. the port cannot be enabled or disabled).
  "Yes" means the default port state can be changed: the port can be either enabled or disabled.
Default Port Listen State: a listen port is either open, closed or filtered.
  Open listen ports respond to queries.
  Closed listen ports may or may not respond to queries, and are only listed when they can be optionally enabled.
  Filtered listen ports can be open or closed behind the filter. Filtered UDP ports do not respond to queries; filtered TCP ports may respond to queries but do not allow a connection.
Description: connection details. Some descriptions reference the Notes section after each table for specifics on the row.
1.3 Port Tables
Below are the tables that document the port usage for this product. Note that a large number of the IP ports used by CM's Processor Ethernet interface have the same port numbers as those used on CLAN circuit packs in port networks; in many ways the CLAN circuit packs act as remote network interface cards for the processor controlling them. The CM port matrix table therefore includes CLAN ports, and the affected rows are noted.
In a theoretical sense all IP ports on CM are optionally enabled/disabled with a default port state of closed, because by default CM's Processor Ethernet is disabled. In practice almost all systems have the Processor Ethernet enabled, and the enable/disable column in the following table assumes it is. Processor Ethernet can be confirmed enabled or disabled from the SAT interface: type "display system-parameters customer-options" and see "Processor Ethernet" on page 4.
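The definitions above describe what the matrix claims for each port; the check a practitioner actually wants is whether a given server matches them. The following Python script is an added example for this page, not Avaya code: it transcribes a subset of the Table 1 rows, parses an `ss -Hltnu` listing (the iproute2 command a Linux CM host would be queried with; the capture embedded here is constructed for the example, not taken from a real system) and reports listeners the matrix says should be closed by default, listeners the matrix does not document at all, and documented open ports with nothing listening.

```python
"""Audit a CM server's live listeners against the port matrix.

Added example for this document, not Avaya code. It assumes the relevant
Table 1 rows have been transcribed into MATRIX (a subset is embedded) and
that the live state is taken from `ss -Hltnu` on the server; SS_SAMPLE is
a constructed capture, not output from a real system.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MatrixRow:
    proto: str            # "tcp" or "udp"
    port: int             # default destination port
    default_state: str    # Table 1 "Default Port State": "open" or "closed"
    configurable: bool    # Table 1 "Optionally Enabled/Disabled" == yes
    description: str


# Subset of Table 1 (Processor Ethernet assumed enabled, as the table does).
MATRIX = [
    MatrixRow("tcp", 22, "open", True, "OS administration over SSH"),
    MatrixRow("tcp", 23, "closed", True, "OS administration over Telnet"),
    MatrixRow("tcp", 80, "open", False, "Web administration (redirects to 443)"),
    MatrixRow("udp", 161, "closed", True, "SNMP agent"),
    MatrixRow("udp", 162, "closed", True, "SNMP trap collection"),
    MatrixRow("tcp", 443, "open", False, "Web administration over HTTPS"),
    MatrixRow("tcp", 2222, "open", True, "High Priority SSH"),
    MatrixRow("tcp", 5022, "open", True, "SAT over SSH"),
    MatrixRow("tcp", 5023, "closed", True, "SAT over Telnet"),
    MatrixRow("tcp", 5061, "closed", True, "SIPS trunks"),
    MatrixRow("tcp", 8765, "closed", True, "ASAI to AE Services"),
]

# Constructed `ss -Hltnu` capture: Netid State Recv-Q Send-Q Local Peer.
SS_SAMPLE = """\
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:80     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:2222   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5022   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:4444   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161    0.0.0.0:*
udp   UNCONN 0 0   127.0.0.1:323  0.0.0.0:*
"""

SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+")
LOOPBACK = ("127.0.0.1", "[::1]")


def parse_ss(text):
    """Map (proto, port) -> local bind address from `ss -Hltnu` output."""
    listeners = {}
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        proto, local = m.groups()
        addr, _, port = local.rpartition(":")   # also handles "[::]:22" and "*:22"
        listeners[(proto, int(port))] = addr
    return listeners


def audit(matrix, listeners):
    """Compare live listeners with the matrix defaults.

    unexpected_open: listening, but the matrix default is "closed" (someone
                     enabled Telnet, SNMP, ...; confirm it was intended)
    unknown:         listening on a port the matrix does not document
    missing:         matrix default "open" but nothing is listening
    Loopback-only sockets are skipped: they are not reachable from the network.
    """
    documented = {(r.proto, r.port): r for r in matrix}
    unexpected_open, unknown = [], []
    for key, addr in listeners.items():
        if addr in LOOPBACK:
            continue
        row = documented.get(key)
        if row is None:
            unknown.append(key)
        elif row.default_state == "closed":
            unexpected_open.append(key)
    missing = [k for k, r in documented.items()
               if r.default_state == "open" and k not in listeners]
    return {"unexpected_open": sorted(unexpected_open),
            "unknown": sorted(unknown),
            "missing": sorted(missing)}


def audit_sample():
    return audit(MATRIX, parse_ss(SS_SAMPLE))


if __name__ == "__main__":
    for finding, ports in audit_sample().items():
        print(f"{finding:16s} {ports}")
```

Two caveats when running this against a real server: `ss` shows socket state only, so a port the host firewall drops still appears as listening here (the matrix's "filtered" state is only visible from a scanner on the voice network), and rows marked "(C)" must be transcribed with the port actually administered, not the default, or the audit will report them as unknown.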
Table 1: Listen Ports for Communication Manager

Source System | Source Port (non-configurable range) | Destination System | Destination Port (configurable range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
any | N/A | CM | N/A | ICMP | yes | open | ICMP messages (ping etc.); IP protocol number 1
Admin Device | 1024-65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23
Admin Device | 1024-65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interface over Telnet. Note 23
Admin Device | 1024-65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23
IPSI | 1024-65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP). Note 4
CM SCS/SRS | 1024-65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP). Note 4
SNMP NMS | 1024-65535 | CM | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 5, Note 23
SNMP NMS | 1024-65535 | CLAN | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 23
Gateway, CM SCS/SRS, UPS | 1024-65535 | CM | 162 | UDP SNMP Trap | yes | closed | SNMP trap (server) collection. Note 6, Note 23
IP Phone | 1024-2048 | CM, CLAN | 411 | TCP HTTPS | no | open | HTTPS IP phone configuration file download. Note 3
Admin Device, SCS/SRS | 1024-65535 | CM | 443 | TCP HTTPS | no | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024-65535 | CM | 514 | UDP Syslog, TCP Syslog | yes | closed | TN board logging and server log files
CM 1.3 or older | 512-1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync service. Note 7
H.248 Media Gateways | 1024-65535 | CM or CLAN | 1039 | TCP encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024-5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling
CM | 1024-65535 | CM | 1332 | UDP, DES encrypted, proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024-65535 | CM or CLAN | 1719 | TCP H.323 | yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500-6500 | CM or CLAN | 1720 | TCP H.323 | yes | closed | H.323 signaling. Note 8, Note 11
CM, CLAN | 5000-5021 | CM, SCS/SRS or CLAN | 1719, 1720 (5000-9999) | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Third Party GK or GW | 1024-65535 | CM, SCS/SRS or CLAN | 1720 | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Admin Device | 1024-65535 | CM | 2222 | TCP SSH | yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024-65535 | CM | 2376 | TCP TLS | yes | closed | TLS encrypted exchange between Docker daemons. Note 24
H.248 GW | 1024-65535 | CM or CLAN | 2944 | TCP H.248 | yes | closed | TLS encrypted H.248. Note 8, Note 13
H.248 GW | 1024-65535 | CM or CLAN | 2945 | TCP H.248 | yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024-65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024-65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024-65535 | CM or CLAN | 5060 (5000-9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024-65535 | CM or CLAN | 5061 (5000-9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024-65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (software duplication), Server 1. Note 10
CM | 1024-65535 | CM | 6514 | TCP TLS Syslog | yes | closed | Server log files (syslog over TLS)
AE Services | 1024-65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20
CM | 1024-65535 | CM | 9000 | TCP proprietary | no | open | DGB (debugging tool)
AMS | 1024-65535 | CM | 9061 (5000-9999) | TCP TLS SIPS | yes | closed | SIP. Note 22
CM Array Mgmt | 1024-65535 | CM | 9988 | TCP | yes | closed | Exchange between a Kafka (container) client and a Kafka broker. Note 24
CM | 1024-65535 | CM | 12080 | TCP TLS, proprietary (optionally encrypted) | no | closed | Dupmgr (software duplication), Server 2. Note 10
CM SCS/SRS | 20873-21872 | CM SCS/SRS | 20873-21872 | TCP TLS | no | open | Internal Filesync communication. Note 21
CM SCS/SRS | 1024-65535 | CM, SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18
CM SCS/SRS | 1024-65535 | CM | 21874 | TCP TLS | no | open | Filesync over SSL. Note 19
G650 | 1024-65535 | CM or CLAN | 59000-59200 | TCP H.245 | no | open | H.245
NOTES
1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> change Service Name "SSH Server (SCP/SFTP 22)" and set Service State to Disabled.
2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).
3. This note, for HTTP IP phone download, was removed since that service has been in disuse for many years.
4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation, or administered via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select "Configure individual services" -> Continue -> select "Configure Time Server" -> select "this computer synchronizes with the duplicated server". This option is used to synchronize time between the main media server, the duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).
5. By default the Simple Network Management Protocol (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> add/change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be used for enhanced security.
6. By default the SNMP Trap server service is blocked. It can be unblocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.
7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.
8. By default only the S8300D and S8300E servers have Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled from the SAT interface: type "display system-parameters customer-options" and see "Processor Ethernet" on page 4.
9. The Arbiter service is only enabled on duplicated servers. The Arbiter process (1) decides which server is healthier and more able to be active, and (2) coordinates data shadowing between servers under the Duplication Manager's control.
10. On duplicated servers, port 5098 is for Server 1 and port 12080 is for Server 2.
11. CM as the destination applies only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.
12. In CM 3.1 or later, the High Priority SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> change Service Name "High Priority SSH (2222)" and set Service State to Disabled. Prior to CM 3.1, the High Priority SSH service could be blocked in the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for server "hp-sshd".
13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100.
14. In CM 3.1 or later, the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> change Service Name "SAT (SSH 5022)" and set Service State to Disabled.
15. In CM 3.1 or later, the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> change Service Name "SAT (Telnet 5023)" and set Service State to Disabled.
16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) uses port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).
19. In CM 3.x and later, filesync over SSL uses port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).
20. Optionally encrypted in CM 4.1 and later. See the AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).
21. The ports used for internal filesync communication default to 20873-20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.
22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
23. If an Ethernet interface has been dedicated to out-of-band management, firewall rules should block the following management ports on the Ethernet interface used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). Neither port is active unless CM Array is configured.
Table 2: Talk-only Ports for Communication Manager
If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.

Source System | Source Port (non-configurable range) | Destination System | Destination Port (configurable range) | Network/Application Protocol | Optionally Enabled/Disabled | Description
CM | N/A | any | N/A | ICMP | N/A | ICMP messages (ping etc.); IP protocol number 1
CM or CLAN | 1024-65535 | DNS Server | 53 | UDP DNS | no | DNS requests and responses
CM | 1024-65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1
CM | 1024-65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7
CM | 1024-65535 | SNMP NMS | 162 (0-65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024-65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024-65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage
SRS | 514 | CM 1.3 or older | 512-1023 (Note 3) | TCP RSH | yes | Legacy Filesync service. Note 3
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8
CM RADIUS client | 1024-65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS based login processing. Note 9
CM | 1024-65535 | IPSI | 1956 | TCP proprietary | no | IPSI command server service
CM | 1024-65535 | IPSI | 5010 | TCP proprietary | no | IPSI server control channel
CM | 1024-65535 | IPSI | 5011 | TCP proprietary | no | IPSI server IPSI version channel
CM | 1024-65535 | IPSI | 5012 | TCP proprietary | no | IPSI server serial number channel
CM SafeWord client | 1024-65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord based login processing. Note 9
CM | 1024-65535 | SIP Trunks | 5060 (1-65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024-65535 | SIP Trunks | 5061 (1-65535) | TCP TLS SIPS | yes | SIPS. Note 4, Note 6, Note 10
CM SecurID client | 1024-65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024-65535 | TCP proprietary | no | Audix Digital Networking
CM | 1024-65535 | AMS | 9061 (1-65535) | TCP TLS SIPS | yes | SIP. Note 10
NOTES
1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation, or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name of a primary, secondary or tertiary Network Time Server (NTS) can be provided. The media server's NTP client can be configured to accept multicast timing messages or to poll the NTS directly. Finally, keys can optionally be provided for authenticated communication with the NTS.
2. By default the SNMP Trap client service is disabled. It can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512-1023 and is not configurable.
4. By default only the S8300D and S8300E servers have Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled from the SAT interface: type "display system-parameters customer-options" and see "Processor Ethernet" on page 4.
5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
7. CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI's request.
8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440-61444.
9. Disabled by default. Requires root access to enable.
10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
11. If an Ethernet interface has been dedicated to out-of-band management, firewall rules should block the following management ports on the Ethernet interface used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
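Table 1 note 23 and Table 2 note 11 describe the intended host-firewall rule set in words. The Python below is an added example for this page, not Avaya code: it turns that note into iptables commands and, more usefully, checks an existing `iptables -S INPUT` listing for note 23 ports that are still reachable on the in-band interface. The interface names eth0 (in-band voice) and eth2 (out-of-band management) and the CURRENT_RULES listing are assumptions constructed for the example. The document states only that the host firewall (iptables service) runs on the server, so confirm how the CM administration interface manages that rule set before applying rules by hand; the script prints and checks, it does not apply anything.

```python
"""Host-firewall rules for note 23: block CM management ports on the in-band
(voice) interface when a separate interface carries out-of-band management.

Added example for this document, not Avaya code. Interface names are
assumptions (eth0 in-band voice, eth2 out-of-band management); CURRENT_RULES
is a constructed `iptables -S INPUT` listing, not a capture from a real server.
The functions print and check rules; nothing is applied to the running kernel.
"""
import re
from collections import defaultdict

# Management ports named in note 23: (protocol, port, service)
MGMT_PORTS = [
    ("tcp", 80, "http"), ("tcp", 443, "https"),
    ("tcp", 22, "ssh"), ("tcp", 2222, "high priority ssh"), ("tcp", 5022, "SAT ssh"),
    ("tcp", 23, "telnet"), ("tcp", 5023, "SAT telnet"),
    ("udp", 161, "snmp"), ("udp", 162, "snmp trap"),
]

# Field extractors for one rule line (`iptables -S` output or a command line).
RULE_FIELDS = {
    "iface": re.compile(r"(?:^|\s)-i\s+(\S+)"),
    "proto": re.compile(r"(?:^|\s)-p\s+(\S+)"),
    "dports": re.compile(r"--dports?\s+(\S+)"),
    "target": re.compile(r"(?:^|\s)-j\s+(\S+)"),
}


def mgmt_block_rules(inband_iface, chain="INPUT", target="DROP"):
    """Commands that block every note 23 port arriving on inband_iface.

    One multiport rule per protocol keeps the chain short. They are inserted
    at position 1 so an earlier blanket ACCEPT cannot shadow them. DROP, not
    REJECT, gives the matrix's "filtered" state (no response at all).
    """
    by_proto = defaultdict(list)
    for proto, port, _ in MGMT_PORTS:
        by_proto[proto].append(port)
    rules = []
    for proto, ports in sorted(by_proto.items()):
        dports = ",".join(str(p) for p in sorted(ports))
        rules.append(
            f"iptables -I {chain} 1 -i {inband_iface} -p {proto} -m multiport "
            f"--dports {dports} -m comment --comment 'CM mgmt blocked on in-band' "
            f"-j {target}"
        )
    return rules


def _expand_ports(spec):
    """'22,23,5000:5010' -> {22, 23, 5000, ..., 5010}"""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def blocked_on_iface(rule_lines, iface):
    """(proto, port) pairs dropped or rejected by rules bound to iface."""
    blocked = set()
    for line in rule_lines:
        f = {name: (m.group(1) if m else None)
             for name, rx in RULE_FIELDS.items()
             for m in [rx.search(line)]}
        if f["iface"] != iface or f["target"] not in ("DROP", "REJECT"):
            continue
        if f["proto"] is None or f["dports"] is None:
            continue
        blocked.update((f["proto"], p) for p in _expand_ports(f["dports"]))
    return blocked


def uncovered_mgmt_ports(rule_lines, inband_iface):
    """Note 23 ports that the given rule set still leaves reachable on inband_iface."""
    blocked = blocked_on_iface(rule_lines, inband_iface)
    return [(proto, port, svc) for proto, port, svc in MGMT_PORTS
            if (proto, port) not in blocked]


# Constructed `iptables -S INPUT` listing: partial coverage, one rule on the wrong interface.
CURRENT_RULES = [
    "-P INPUT ACCEPT",
    "-A INPUT -i eth0 -p tcp -m multiport --dports 22,23,80,443 -j DROP",
    "-A INPUT -i eth0 -p udp -m udp --dport 161 -j DROP",
    "-A INPUT -i eth2 -p tcp -m tcp --dport 5022 -j DROP",
]

if __name__ == "__main__":
    for proto, port, svc in uncovered_mgmt_ports(CURRENT_RULES, "eth0"):
        print(f"still reachable on eth0: {proto}/{port} ({svc})")
    print("\n".join(mgmt_block_rules("eth0")))
```

The checker deliberately ignores rules bound to the management interface (the eth2 rule in the sample) and rules with no interface match at all, since neither proves the in-band side is closed; it also expands `lo:hi` port ranges so a wide multiport rule is credited correctly.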
1.4 Port Table Changes
There are no port changes from the R7.0.1 release.
1.5 Port Table Changes on CMM
CMM port usage information has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM contains the updated information about CMM's IP port usage.
2 Port Usage Diagram

(The original carries a diagram of Avaya Aura® Communication Manager at the centre with the protocol groups HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP and Other, connected to the endpoint classes Network Admin, Phone or trunk or SIP media server, Other CM Servers, Media Gateways, and Other or Any. The port labels it shows are listed below, grouped by the Table 1 source system; Table 1 is authoritative.)

Network Admin: HTTPS TCP 443, HTTP TCP 80, SSH TCP 22, SSH TCP 2222, SSH TCP 5022, Telnet TCP 23, Telnet TCP 5023, SNMP UDP 161, SNMP UDP 162
Phone or trunk or SIP media server: HTTPS TCP 411, H.323 TCP 1719 (default), H.323 UDP 1719 (for registration), H.323 TCP 1720, H.323 TCP 1300, SIP TCP 5060 (default), SIP TCP 5061 (default), SIP TCP 9061 (default)
Other CM Servers: NTP UDP 123, Syslog UDP 514, Syslog TLS 6514, Arbiter UDP 1332, Dupmgr TCP 5098 and 12080, DGB TCP 9000, Filesync TCP 20873-21874, Array Docker TCP 2376, Array Kafka TCP 9988
Media Gateways: H.248 TCP 1039, H.248 TCP 2944, H.248 TCP 2945, H.245 TCP 59000-59200
Other or Any: ICMP, ASAI TCP 8765
Appendix A: Overview of TCP/IP Ports
What are ports and how are they used?
TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC: multiple applications may be receiving information simultaneously. Email may use destination TCP port 25, a browser destination TCP port 80, and a telnet session destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial packet stream into three mini-streams inside the PC, and each mini-stream is directed to the correct application because the port number identifies which application it belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.
Ports are used in TCP and UDP to name the ends of the logical connections that carry data flows. TCP and UDP streams have an IP address and port number for both the source and the destination device. The pairing of an IP address and a port number is called a socket (discussed later), so each data stream is uniquely identified by two sockets. The source must know both sockets before it can send a data stream to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. A listening port waits for a source (client) to contact the destination (server) on a specific port with a known protocol associated with that port number. HTTPS, for example, is assigned port number 443: when a destination device is contacted by a source device on port 443, the destination uses the HTTPS protocol for that conversation.
Port Type Ranges
Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).
Well-Known Ports are those numbered from 0 through 1023.
Registered Ports are those numbered from 1024 through 49151.
Dynamic Ports are those numbered from 49152 through 65535.
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.
Well-Known Ports
To provide a service to unknown clients, a service listen port is defined; this is the port the server process listens on. Common services usually listen in the well-known port range. A well-known port is normally active, meaning it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server waits for a data source to contact the server's IP address on that port to establish a Telnet session, and well-known port 25 waits for an email session. These ports are tied to a well-understood application and range from 0 to 1023.
In UNIX and Linux operating systems only root (or, on Linux, a process holding the CAP_NET_BIND_SERVICE capability) may open a well-known port. Well-Known Ports are therefore also referred to as "privileged ports".
Registered Ports
Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control; some, but not all, of the ports Avaya uses in this range are 1719/1720 for H.323, 5060/5061 for SIP and 2944 for H.248. The registered port range is 1024-49151. Even though a port is registered to an application name, industry often uses these ports for different applications, and conflicts can occur in an enterprise when two servers use the same port with different meanings.
Dynamic Ports
Dynamic ports, sometimes called "private ports", are available for any general purpose; no meaning is associated with them (similar to RFC 1918 IP address usage). They are the safest ports to use because no application type is linked to them. The dynamic port range is 49152-65535.
Sockets
A socket is the pairing of an IP address with a port number, for example 192.168.5.17:3009, where 3009 is the port number paired with the IP address. A data flow or conversation requires two sockets, one at the source device and one at the destination device, so a data flow has a total of four logical elements. Each data flow must be unique; if any one of the four elements differs, the data flow is unique. The following three data flows are uniquely identified by port number and/or IP address:
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid, typical socket pair. Data flow 2 has the same IP addresses as data flow 1 and the same port number on the second IP address, but the port number on the first socket differs, so the data flow is unique. Data flow 3 matches data flow 1 except for one octet of the second IP address, which again makes it unique. A change to one IP address octet or one port number is enough to distinguish a data flow.
Figure 1: Socket example showing ingress and egress data flows from a PC to a web server
  Client -> Web Server (HTTP GET): source 192.168.1.10:1369, destination 10.10.10.47:80
  Web Server -> Client (TCP info): source 10.10.10.47:80, destination 192.168.1.10:1369
Notice that the client's egress stream carries the client's source IP and port (1369) and the destination IP and port (80). The ingress stream has the source and destination information reversed because it comes from the server.
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device on the Accounting subnet.
Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.
Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning (see footnote 2).
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.
This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.
Knowing that the source column in the following matrices is the socket initiator is key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.
Another feature of some firewalls is the ability to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.
2. The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
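The socket pairs from the Sockets section and the stateful return-path behaviour described under Firewall Policies, modelled as an added example (not part of the Avaya document). A flow is keyed by its two sockets, a rule decides only the initiating packet, and the state table then admits the reverse direction for that flow alone; the rules, addresses and ports are constructed for illustration.

```python
"""Added example, not Avaya's code: socket-pair flow keys and a minimal
stateful filter.  The data flows and the Figure 1 addresses come from the
text above; the allow rule and the extra packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """Two sockets: (src_ip, src_port) and (dst_ip, dst_port), four elements in all."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        """The ingress stream for this egress stream: source and destination swapped."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


def parse_flow(text: str, proto: str = "tcp") -> Flow:
    """Parse 'a.b.c.d:port - w.x.y.z:port' as written in the Sockets section."""
    left, right = (part.strip() for part in text.split("-"))
    src_ip, src_port = left.rsplit(":", 1)
    dst_ip, dst_port = right.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto)


@dataclass(frozen=True)
class AllowRule:
    """Packet-filter rule for the initiating direction: which sources may open which port."""
    src_net: str
    dst_net: str
    dst_port: int
    proto: str = "tcp"

    def matches(self, f: Flow) -> bool:
        return (f.proto == self.proto and f.dst_port == self.dst_port
                and ip_address(f.src_ip) in ip_network(self.src_net)
                and ip_address(f.dst_ip) in ip_network(self.dst_net))


class StatefulFilter:
    """Stateful inspection: rules judge only the first packet of a flow; the
    state table judges everything after it, including the return path."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # flows admitted by a rule, stored initiator -> responder

    def admit(self, f: Flow) -> str:
        if f in self.state:
            return "allow-established"
        if f.reverse() in self.state:  # ingress belonging to a flow we opened
            return "allow-return"
        if any(r.matches(f) for r in self.rules):
            self.state.add(f)
            return "allow-new"
        return "drop"  # includes unsolicited packets that merely look like replies


# The three data flows quoted in the Sockets section.
DATA_FLOWS = ["172.16.16.14:1234 - 10.1.2.3:2345",
              "172.16.16.14:1235 - 10.1.2.3:2345",
              "172.16.16.14:1234 - 10.1.2.4:2345"]


def distinct_flows(lines) -> int:
    """Count distinct four-element keys; each flow above differs in exactly one element."""
    return len({parse_flow(line) for line in lines})


if __name__ == "__main__":
    print("distinct data flows:", distinct_flows(DATA_FLOWS))
    # Constructed rule: the client subnet may open HTTP to the web server subnet.
    fw = StatefulFilter([AllowRule("192.168.1.0/24", "10.10.10.0/24", 80)])
    egress = Flow("192.168.1.10", 1369, "10.10.10.47", 80)   # Figure 1 client stream
    print(fw.admit(egress), fw.admit(egress.reverse()),
          fw.admit(Flow("10.10.10.47", 80, "192.168.1.10", 1370)))
```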
1 Communication Manager Components
Data flows and their sockets are owned and directed by an application. It is possible for a server to have more than one application, but this document only covers the CM application, not other applications running in separate virtual machines under VMware on the same hardware. For the CM application, sockets are created on the network interfaces, but these may not be sourced from the server. The source may be the server's Processor Ethernet (PE), but it may be another network element such as a CLAN circuit pack. For the purposes of firewall configuration these sockets are sourced from the server, so the firewall (iptables service) should be running on the same server.
Component | Interface | Description
CM | Ethernet | All traffic
The above table says only Ethernet, but that interface may be either CM's Processor Ethernet or the Ethernet interface on a CLAN circuit pack. Each of the various Avaya CM servers has a number of network interfaces (up to 5), each of which has its own IP address. The following table illustrates how different processor models make use of the various network interfaces (NICs). In the table below, the first number in an entry is an IP address and the second is the maximum supported speed in megabits per second. Interfaces assigned address 192.11.13.6 are for the Avaya Services Laptop, labeled eth2 in the table. Interfaces assigned address 192.11.13.13 or 192.11.13.14 are for the server duplication link, labeled eth3 in the table. Addresses of the form 127.0.0.0/8 are host loopback or internal addresses. Addresses marked "administered" are assigned by the customer from the customer's network.
Note: IP addresses for the Ethernet ports in this table are shown as examples only.
Interface (1) | S8300D | S8300E | R610, R620, DL360G7, DL360PG8 (Simplex) | R610, R620, DL360G7, DL360PG8 (Duplex)
eth0 | 192.11.13.6 / 1000 | 192.11.13.6 / 1000 | administered / 1000 | administered / 1000
eth0:0 | -- | -- | -- | --
eth1 | inet6 / 1000 | inet6 / 1000 | 192.11.13.6 / 1000 | 192.11.13.6 / 1000
eth1.0000 | 135971116 | 135971116 | -- | --
eth1.4093 | 169254131 | 169254131 | -- | --
eth2 | -- | administered / 1000 | administered / 1000 | administered / 1000
eth2:0 | -- | -- | -- | --
eth3 | -- | -- | -- | 192.11.13.13 (Server 1) and 192.11.13.14 (Server 2) / 1000
eth3:0 | -- | -- | -- | --
eth4 | -- | -- | -- | --
eth4:0 | -- | -- | -- | --
1.1 Document Change History
EVENT | DOCUMENT DATE | CHANGE DESCRIPTION
Version 1.0 issued for a new CM R8.1 minor release | 18 Apr 2019 | Document stored as <190586>. A summary of changes:
• Syslog over TLS uses TCP port 6514
(1) A colon in the interface name indicates an alias. A period in the interface name indicates a VLAN.
• CM Array feature uses TCP port 2376 for communication between Docker daemons
• CM Array feature uses TCP port 9988 for communication between a container (Kafka) client and the container Broker
Version 1.1 was re-edited to correct some document errors | | A summary of changes:
• Removed port 81. We have not supported HTTP IP phone updates for many years.
• Updated the Port Matrix diagram to move "Array Kafka" to point to the "Other" block
Port Usage Tables
1.2 Port Usage Table Heading Definitions
Source System: System name or type that initiates connection requests.
Source Port: This is the default layer-4 port number of the connection source. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.
Destination System: System name or type that receives connection requests.
Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.
Network/Application Protocol: This is the name associated with the layer-4 protocol and the layer 5-7 application.
Optionally Enabled/Disabled: This field indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values include Yes or No.
"No" means the default port state cannot be changed (e.g. enabled or disabled).
"Yes" means the default port state can be changed and that the port can either be enabled or disabled.
Default Port Listen State: A listen port is either open, closed or filtered.
Open listen ports will respond to queries.
Closed listen ports may or may not respond to queries and are only listed when they can be optionally enabled.
Filtered listen ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP ports will respond to queries but will not allow connectivity.
Description: Connection details. Some descriptions have a reference to the Notes section after each table for specifics on any of the row data.
1.3 Port Tables
Below are the tables which document the port usage for this product. Note that a large number of IP ports used by CM's Processor Ethernet interface have the same IP port numbers as those used on CLAN circuit packs in port networks. In many ways the CLAN circuit packs act as remote network interface cards for the processor controlling them. Therefore the following CM port matrix table includes CLAN ports. The affected ports are noted.
In a theoretical sense all IP ports on CM are optionally enabled/disabled with a default port state of closed. That is because, by default, CM's Processor Ethernet is disabled. For practical purposes almost all systems will have the Processor Ethernet port enabled, and the enable/disable column in the following table assumes it is enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4, see Processor Ethernet.
Table 1: Listen Ports for Communication Manager
Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
any | N/A (N/A) | CM | N/A (N/A) | ICMP | yes | open | ICMP messages (ping, etc.), IP Protocol Number 1
Admin Device | 1024 – 65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23
Admin Device | 1024 – 65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interface over Telnet. Note 23
Admin Device | 1024 – 65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23
IPSI | 1024 – 65535 | CM | 123 | UDP NTP | Yes | closed | Network Time Protocol (NTP)
CM, SCS, SRS | 1024 – 65535 | CM | 123 | UDP NTP | Yes | closed | Network Time Protocol (NTP)
SNMP NMS | 1024 – 65535 | CM | 161 | UDP SNMP Agent | Yes | closed | SNMP (server). Note 5, Note 23
SNMP NMS | 1024 – 65535 | CLAN | 161 | UDP SNMP Agent | Yes | closed | SNMP (server). Note 23
Gateway, CM, SCS, SRS, UPS | 1024 – 65535 | CM | 162 | UDP SNMP Trap | Yes | closed | SNMP traps (server) collection. Note 6, Note 23
IP Phone | 1024 – 2048 | CM, CLAN | 411 | TCP HTTPS | No | open | HTTPS IP Phone configuration file download. Note 3
Admin Device, SCS, SRS | 1024 – 65535 | CM | 443 | TCP HTTPS | No | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024 – 65535 | CM | 514 | UDP SYSLOG, TCP SYSLOG | Yes | closed | TN Board Logging & Server Log Files
CM 1.3 or older | 512 – 1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync Service. Note 7
H.248 Media Gateways | 1024 – 65535 | CM or CLAN | 1039 | TCP Encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024 – 5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling
CM | 1024 – 65535 | CM | 1332 | UDP DES Encrypted Proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | Yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024 – 65535 | CM or CLAN | 1719 | TCP H.323 | Yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500 – 6500 | CM or CLAN | 1720 | TCP H.323 | Yes | closed | H.323 signaling. Note 8, Note 10
CM, CLAN | 5000 – 5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000 – 9999) | TCP H.323 | Yes | closed | H.323 IP trunk signaling ports, administered via SAT
Third Party GK or GW | 1024 – 65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | Yes | closed | H.323 IP trunk signaling ports, administered via SAT
Admin Device | 1024 – 65535 | CM | 2222 | TCP SSH | Yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024 – 65535 | CM | 2376 | TCP TLS | Yes | closed | TLS encrypted exchange between Docker daemons (see Note 24)
H.248 GW | 1024 – 65535 | CM or CLAN | 2944 | TCP H.248 | Yes | closed | TLS encrypted H.248. Note 8, Note 13
H.248 GW | 1024 – 65535 | CM or CLAN | 2945 | TCP H.248 | Yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024 – 65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024 – 65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024 – 65535 | CM or CLAN | 5060 (5000 – 9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024 – 65535 | CM or CLAN | 5061 (5000 – 9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024 – 65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (SW duplication) – Server 1. Note 22
CM | 1024 – 65535 | CM | 6514 | TLS SYSLOG | yes | closed | Server Log Files
AE Services | 1024 – 65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20
CM | 1024 – 65535 | CM | 9000 | TCP Proprietary | No | open | DGB (debugging tool)
AMS | 1024 – 65535 | CM | 9061 (5000 – 9999) | TCP TLS SIPS | Yes | closed | SIP. Note 22
CM Array Mgmt | 1024 – 65535 | CM | 9988 | TCP | Yes | closed | Exchange between Kafka (container) client and a Kafka Broker (see Note 24)
CM | 1024 – 65535 | CM | 12080 | TCP TLS | no | closed | Dupmgr (SW duplication) – Server 2. Note 10. Proprietary, optionally encrypted
CM, SCS, SRS | 20873 – 21872 | CM, SCS, SRS | 20873 – 21872 | TCP TLS | no | open | Internal Filesync communication. Note 21
CM, SCS, SRS | 1024 – 65535 | CM – SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18
CM, SCS, SRS | 1024 – 65535 | CM | 21874 | TCP TLS | No | open | Filesync over SSL. Note 19
G650 | 1024 – 65535 | CM or CLAN | 59000 – 59200 | TCP H.245 | No | open | H.245
NOTES
1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SSH Server (SCP/SFTP 22) and set Service State to Disabled.
2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).
3. This note for IP phone download was removed since it has been in disuse for many years.
4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select Configure individual services -> Continue -> select Configure Time Server -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).
5. By default the Simple Network Management Protocol (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured via authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.
6. By default the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.
7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.
8. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4, see Processor Ethernet.
9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active, and 2) coordinates data shadowing between servers under the Duplication Manager's control.
10. Duplicated port 5098 is for Server 1 and port 12080 is for Server 2.
11. CM as the destination applies only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.
12. In CM 3.1 or later the High Priority SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name High Priority SSH (2222) and set Service State to Disabled. Prior to CM 3.1 the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server hp-sshd.
13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.
14. In CM 3.1 or later the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SAT (SSH 5022) and set Service State to Disabled.
15. In CM 3.1 or later the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SAT (Telnet 5023) and set Service State to Disabled.
16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).
19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).
20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide Release 4.1 (02-300357, Issue 8, December 2007).
21. Ports used for internal filesync communication default to 20873 – 20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.
22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
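An audit script, added here as an example and not Avaya's own tooling, that checks a CM host's observed listeners against the default listen states in Table 1 and against the Note 23 guidance on management ports. EXPECTED is a hand-transcribed subset of Table 1; the `ss -Hlntu`-style output, the in-band address 10.1.2.3, the interface name eth0 and the stray listener on tcp/3000 are constructed for illustration.

```python
"""Added example, not Avaya's code: compare observed listening sockets with the
Table 1 defaults and flag management ports reachable on the in-band interface
(Note 23).  Sample `ss` output and addresses below are constructed."""
import re

# (proto, port) -> default listen state, transcribed from Table 1 above
EXPECTED = {
    ("tcp", 22): "open",     ("tcp", 23): "closed",    ("tcp", 80): "open",
    ("udp", 123): "closed",  ("udp", 161): "closed",   ("udp", 162): "closed",
    ("tcp", 443): "open",    ("udp", 514): "closed",   ("tcp", 514): "closed",
    ("tcp", 1039): "open",   ("tcp", 1300): "closed",  ("udp", 1719): "closed",
    ("tcp", 1719): "closed", ("tcp", 1720): "closed",  ("tcp", 2222): "open",
    ("tcp", 2376): "closed", ("tcp", 2944): "closed",  ("tcp", 2945): "open",
    ("tcp", 5022): "open",   ("tcp", 5023): "closed",  ("tcp", 5060): "closed",
    ("tcp", 5061): "closed", ("tcp", 5098): "open",    ("tcp", 6514): "closed",
    ("tcp", 8765): "closed", ("tcp", 9000): "open",    ("tcp", 9061): "closed",
    ("tcp", 9988): "closed", ("tcp", 12080): "closed", ("tcp", 21873): "open",
    ("tcp", 21874): "open",
}

# Note 23: management ports that should be blocked on the in-band (voice) interface
MGMT_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 22), ("tcp", 2222), ("tcp", 5022),
              ("tcp", 23), ("tcp", 5023), ("udp", 161), ("udp", 162)}

WILDCARDS = {"*", "0.0.0.0", "[::]"}  # binds reachable on every interface
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return {(proto, port): set of local bind addresses} from `ss -Hlntu` text."""
    listeners = {}
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            key = (m.group(1), int(m.group(3)))
            listeners.setdefault(key, set()).add(m.group(2))
    return listeners


def audit(listeners, inband_addr, oob_dedicated):
    """Findings: listeners absent from Table 1, default-closed ports found open, and,
    when management has its own interface, management ports reachable in-band."""
    findings = []
    for (proto, port), addrs in sorted(listeners.items()):
        label = f"{proto}/{port}"
        if (proto, port) not in EXPECTED:
            findings.append(f"UNDOCUMENTED {label} not in Table 1; bound on {sorted(addrs)}")
        elif EXPECTED[(proto, port)] == "closed":
            findings.append(f"DEFAULT-CLOSED {label} is listening; confirm it was enabled on purpose")
        if oob_dedicated and (proto, port) in MGMT_PORTS and (addrs & WILDCARDS or inband_addr in addrs):
            findings.append(f"MGMT-ON-INBAND {label} reachable via {inband_addr}; block it there (Note 23)")
    return findings


def note23_rules(inband_iface):
    """iptables INPUT rules dropping the Note 23 management ports on the in-band interface."""
    return [f"iptables -A INPUT -i {inband_iface} -p {proto} --dport {port} -j DROP"
            for proto, port in sorted(MGMT_PORTS)]


# Constructed sample: 192.11.13.6 is the services address from the document,
# 10.1.2.3 a hypothetical in-band address, tcp/3000 an invented stray listener.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128      192.11.13.6:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5022      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:3000      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS), "10.1.2.3", oob_dedicated=True):
        print(finding)
    print("\n".join(note23_rules("eth0")))
```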
Table 2: Talk-only Ports for Communication Manager
If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.
Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Description
CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages (ping, etc.), IP Protocol Number 1
CM or CLAN | 1024 – 65535 | DNS Server | 53 | UDP DNS | No | DNS Requests and Responses
CM | 1024 – 65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1
CM | 1024 – 65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7
CM | 1024 – 65535 | SNMP NMS | 162 (0 – 65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024 – 65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024 – 65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage
SRS | 514 | CM 1.3 or older | Note 7 | TCP RSH | yes | Legacy Filesync Service. Note 7
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8
CM RADIUS Client | 1024 – 65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS based login processing. Note 9
CM | 1024 – 65535 | IPSI | 1956 | TCP Proprietary | no | IPSI Command Server Service
CM | 1024 – 65535 | IPSI | 5010 | TCP Proprietary | no | IPSI Server control channel
CM | 1024 – 65535 | IPSI | 5011 | TCP Proprietary | No | IPSI Server IPSI version channel
CM | 1024 – 65535 | IPSI | 5012 | TCP Proprietary | no | IPSI Server serial number channel
CM SafeWord Client | 1024 – 65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord based login processing. Note 9
CM | 1024 – 65535 | SIP Trunks | 5060 (1 to 65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024 – 65535 | SIP Trunks | 5061 (1 to 65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024 – 65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID based login processing. Note 9
CM or CLAN | 5500 | Audix, LX, MM, MN | 1024 – 65535 | TCP Proprietary | no | Audix Digital Networking
CM | 1024 – 65535 | AMS | 9061 (1 to 65535) | TCP TLS SIPS | yes | SIP. Note 10
NOTES
1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the media server's NTP can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.
2. By default the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured via authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 – 1023, but it is not configurable.
4. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4, see Processor Ethernet.
5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
7. CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.
8. Source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 – 61444.
9. Disabled by default. Requires root access to enable.
10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
1.4 Port Table Changes
There are no port changes from the R7.0.1 release.
1.5 Port Table Changes on CMM
The CMM port usage information, similar to the following, has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.
2 Port Usage Diagram
[Diagram: Avaya Aura® Communication Manager port usage. Legend: HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP, Other. Peer groups around CM: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any. Port labels shown: HTTPS-TCP 443, HTTP-TCP 80, SSH-TCP 22, SSH-TCP 2222, SSH-TCP 5022, HTTP-TCP 81, HTTPS-TCP 411, SNMP-UDP 161, SNMP-UDP 162, H.323-TCP default 1719, H.323-UDP 1719, H.323-TCP 1720, SIP-TCP default 5060, SIP-TCP default 5061, SIP-TCP default 9061, Telnet-TCP 23, Telnet-TCP 5023, NTP-UDP 123, Syslog-UDP 514, Array Docker-TCP 2376, Arbiter-UDP 1332, Dupmgr-TCP 5098/12080, DGB-TCP 9000, Filesync-TCP 20873-21874, ICMP, Syslog-TLS 6514, Array Kafka-TCP 9988, ASAI-TCP 8765, H.323-TCP 1300, H.248-TCP 1039, H.248-TCP 2944, H.248-TCP 2945, H.245-TCP 59000-59200, H.323-UDP 1719 (for registration).]
Appendix A: Overview of TCP/IP Ports
What are ports and how are they used?
TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC: multiple applications may be simultaneously receiving information. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80, and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket (discussed later). Therefore each data stream is uniquely identified with two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.
Port Type Ranges
Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).
Well-Known Ports are those numbered from 0 through 1023.
Registered Ports are those numbered from 1024 through 49151.
Dynamic Ports are those numbered from 49152 through 65535.
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers
Well-Known Ports
For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well-understood application and range from 0 to 1023.
In UNIX and Linux operating systems only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".
Registered Ports
Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control; some, but not all, of the ports used by Avaya in this range are 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024-49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.
Dynamic Ports
Dynamic ports, sometimes called "private ports", are available for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to them. The dynamic port range is 49152-65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow or conversation requires two sockets: one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique; if one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore if one IP address octet changes or one port number changes, the data flow is unique.
Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.
[Figure: Client HTTP-Get to web server, source 192.168.1.10:1369, destination 10.10.10.47:80. Web server TCP-info reply, source 10.10.10.47:80, destination 192.168.1.10:1369.]
Notice that the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
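The socket-pair rule above, as an added Python example that is not part of the Avaya document: a flow is named by two sockets (four values) and is distinct whenever any one of them differs, while the ingress and egress streams of Figure 1 are one conversation with source and destination swapped. The addresses and the "src -> dst" line format are constructed samples, not values taken from any CM system.

```python
"""Socket-pair identity, as an added example (not from the Avaya document).

Shows the rule in the Sockets section: a data flow is named by two sockets
(four values) and is unique when any one of the four differs, while the
ingress and egress streams of one conversation are the same socket pair with
source and destination swapped. Addresses below are constructed samples.
"""
from ipaddress import ip_address
from typing import Iterable, List, NamedTuple, Tuple


class Socket(NamedTuple):
    ip: str
    port: int


def parse_socket(text: str) -> Socket:
    """Parse 'ip:port', validating the address and the port range."""
    host, sep, port = text.strip().rpartition(":")
    if not sep:
        raise ValueError(f"missing port in {text!r}")
    port_num = int(port)
    if not 0 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port_num}")
    return Socket(str(ip_address(host)), port_num)


def parse_flow(line: str) -> Tuple[Socket, Socket]:
    """Parse 'src_ip:port -> dst_ip:port' into a (source, destination) pair."""
    src, sep, dst = line.partition("->")
    if not sep:
        raise ValueError(f"expected 'src -> dst' in {line!r}")
    return parse_socket(src), parse_socket(dst)


def conversation_key(src: Socket, dst: Socket) -> Tuple[Socket, Socket]:
    """Direction-independent key so ingress and egress of one flow match."""
    return (src, dst) if src <= dst else (dst, src)


def count_flows(lines: Iterable[str]) -> Tuple[int, int]:
    """Return (distinct directed flows, distinct conversations)."""
    directed = set()
    conversations = set()
    for line in lines:
        src, dst = parse_flow(line)
        directed.add((src, dst))
        conversations.add(conversation_key(src, dst))
    return len(directed), len(conversations)


# Constructed samples in the shape of the section's three data flows.
DATA_FLOWS: List[str] = [
    "172.16.16.14:1234 -> 10.1.2.3:2345",
    "172.16.16.14:1235 -> 10.1.2.3:2345",  # only the source port differs
    "172.16.16.14:1234 -> 10.1.2.4:2345",  # only one destination octet differs
]

# Constructed samples in the shape of Figure 1: the client's egress stream and
# the server's reply, i.e. the same conversation seen in both directions.
FIGURE_STREAMS: List[str] = [
    "192.168.1.10:1369 -> 10.10.10.47:80",
    "10.10.10.47:80 -> 192.168.1.10:1369",
]

if __name__ == "__main__":
    print("data flows:", count_flows(DATA_FLOWS))        # three distinct flows
    print("figure streams:", count_flows(FIGURE_STREAMS))  # two directions, one conversation
```

The distinction between directed flows and conversations is the one a firewall needs: a stateless rule set must name both directions of FIGURE_STREAMS, whereas a stateful firewall matches the reply because it keys on the conversation.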
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.
Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.
Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning (2).
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.
This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.
Another feature of some firewalls is the ability to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.
(2) The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
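The policy trade-off described above (one rule per stream direction versus a stateful return path), together with the recommendation in Note 23 of Table 1 to block the management ports on the in-band voice interface when a dedicated out-of-band management interface exists, as an added Python example. This is not Avaya code and not part of the document: it only builds iptables command strings for review and does not apply them. The interface names (eth0 as in-band, eth1 as out-of-band), the sample allow policy and the rule layout are assumptions; the management port list is the one Note 23 gives.

```python
"""Host-firewall rule generation for a CM server (added example, not Avaya code).

Models two points from the text: Note 23 (block management ports on the
in-band voice interface when out-of-band management is used) and the choice
between one rule per stream direction and a stateful 'return path' rule.
The script only builds iptables command strings; it does not apply them.
"""
from typing import Iterable, List, Tuple

# Management listeners named in Note 23 of Table 1: (label, protocol, port).
MANAGEMENT_PORTS: List[Tuple[str, str, int]] = [
    ("http", "tcp", 80), ("https", "tcp", 443),
    ("ssh", "tcp", 22), ("hp-ssh", "tcp", 2222), ("sat-ssh", "tcp", 5022),
    ("telnet", "tcp", 23), ("sat-telnet", "tcp", 5023),
    ("snmp", "udp", 161), ("snmp-trap", "udp", 162),
]

# Constructed sample allow policy for the out-of-band interface (assumption):
# (source CIDR, protocol, destination port), drawn from Table 1 listen ports.
OOB_ALLOW: List[Tuple[str, str, int]] = [
    ("10.0.50.0/24", "tcp", 22),     # OS administration over SSH
    ("10.0.50.0/24", "tcp", 443),    # web administration over HTTPS
    ("10.0.50.0/24", "tcp", 5022),   # SAT over SSH
    ("10.0.60.10/32", "udp", 161),   # SNMP agent, single NMS host
]


def management_block_rules(inband_iface: str,
                           ports: Iterable[Tuple[str, str, int]] = MANAGEMENT_PORTS) -> List[str]:
    """DROP each management port on the in-band interface only (Note 23).

    Rules are inserted at the top of INPUT (-I) so they win over any broader
    ACCEPT rule appended later, and carry a comment for audit trails.
    """
    return [
        f"iptables -I INPUT -i {inband_iface} -p {proto} --dport {port} "
        f"-m comment --comment {label} -j DROP"
        for label, proto, port in ports
    ]


def allow_rules(oob_iface: str, policy: Iterable[Tuple[str, str, int]],
                stateful: bool) -> List[str]:
    """Allow the policy's flows in on the out-of-band interface.

    stateful=True: one conntrack rule per chain covers every reply packet, so
    each flow needs a single INPUT rule (the automatic return path).
    stateful=False: the reply direction must be written out explicitly as an
    OUTPUT rule per flow, i.e. two rules per stream, as the text describes.
    """
    rules = ["iptables -P INPUT DROP", "iptables -P OUTPUT DROP"]
    if stateful:
        rules += [
            "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
            "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ]
    for src, proto, dport in policy:
        rules.append(f"iptables -A INPUT -i {oob_iface} -s {src} -p {proto} "
                     f"--dport {dport} -j ACCEPT")
        if not stateful:
            # Reply direction: from the server port back to the client network.
            rules.append(f"iptables -A OUTPUT -o {oob_iface} -d {src} -p {proto} "
                         f"--sport {dport} -j ACCEPT")
    return rules


def build_ruleset(inband_iface: str = "eth0", oob_iface: str = "eth1",
                  stateful: bool = True) -> List[str]:
    """Complete ordered rule list: allow rules first, then the Note 23 blocks."""
    return allow_rules(oob_iface, OOB_ALLOW, stateful) + management_block_rules(inband_iface)


if __name__ == "__main__":
    print("\n".join(build_ruleset()))
```

Comparing allow_rules(..., stateful=True) with stateful=False shows the cost of doing without connection tracking: every flow doubles, and the stateless OUTPUT rules accept any packet from the server port regardless of whether a matching inbound connection exists, which is the security concern the text alludes to.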
1 Communication Manager Components
Data flows and their sockets are owned and directed by an application. It is possible for a server to have more than one application, but this document only covers the CM application, not other applications running in separate virtual machines under VMware on the same hardware. For the CM application, sockets are created on the network interfaces, but these may not be sourced from the server: the source may be the server's Processor Ethernet (PE), but it may also be another network element such as a CLAN circuit pack. For the purposes of firewall configuration these sockets are sourced from the server, so the firewall (iptables service) should be running on the same server.
Component | Interface | Description
CM | Ethernet | All traffic
The above table says only Ethernet, but that interface may be either CM's Processor Ethernet or the Ethernet interface on a CLAN circuit pack. Each of the various Avaya CM servers has a number of network interfaces (up to 5), each of which has its own IP address. The following table illustrates how different processor models make use of the various network interfaces (NICs). In the table below the first number in an entry is an IP address and the second is the maximum supported speed in megabits per second. Interfaces assigned the address 192.11.13.6 are for the Avaya Services Laptop, labeled eth2 in the table. Interfaces assigned the address 192.11.13.13 or 192.11.13.14 are for the server duplication link, labeled eth3 in the table. Addresses of the form 127.0.0.0/8 are host loopback or internal addresses. Addresses marked "administered" are assigned by the customer from the customer's network.
Note: IP addresses for the Ethernet ports in this table are shown as examples only.
Interface (1) | S8300D | S8300E | R610, R620, DL360G7, DL360PG8 (Simplex) | R610, R620, DL360G7, DL360PG8 (Duplex)
eth0 | 192.11.13.6, 1000 | 192.11.13.6, 1000 | administered, 1000 | administered, 1000
eth0:0 | -- | -- | -- | --
eth1 | inet6, 1000 | inet6, 1000 | 192.11.13.6, 1000 | 192.11.13.6, 1000
eth10000 | 135971116 | 135971116 | -- | --
eth14093 | 169254131 | 169254131 | -- | --
eth2 | -- | administered, 1000 | administered, 1000 | administered, 1000
eth2:0 | -- | -- | -- | --
eth3 | -- | -- | -- | 192.11.13.13 (Server 1) and 192.11.13.14 (Server 2), 1000
eth3:0 | -- | -- | -- | --
eth4 | -- | -- | -- | --
eth4:0 | -- | -- | -- | --
1.1 Document Change History
EVENT | DOCUMENT DATE | CHANGE DESCRIPTION
Version 1.0 issued for a new CM R8.1 minor release | 18 Apr 2019 | Document stored as <190586>. A summary of changes:
• Syslog over TLS uses TCP port 6514
(1) A colon in the interface name indicates an alias. A period in the interface name indicates a VLAN.
• CM Array feature uses TCP port 2376 for communication between Docker daemons
• CM Array feature uses TCP port 9988 for communication between a container (Kafka) client and the container Broker
Version 1.1 was re-edited to correct some document errors | | A summary of changes:
• Removed port 81. We have not supported HTTP IP phone updates for many years.
• Updated the Port Matrix diagram to move "Array Kafka" to point to the "Other" block.
Port Usage Tables
1.2 Port Usage Table Heading Definitions
Source System: the system name or type that initiates connection requests.
Source Port: the default layer-4 port number of the connection source. Valid values are 0-65535. A "(C)" next to the port number means that the port number is configurable.
Destination System: the system name or type that receives connection requests.
Destination Port: the default layer-4 port number to which the connection request is sent. Valid values are 0-65535. A "(C)" next to the port number means that the port number is configurable.
Network/Application Protocol: the name associated with the layer-4 protocol and the layer 5-7 application.
Optionally Enabled/Disabled: indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values are Yes or No.
"No" means the default port state cannot be changed (i.e. enabled or disabled).
"Yes" means the default port state can be changed, and that the port can be either enabled or disabled.
Default Port Listen State: a listen port is either open, closed or filtered.
Open listen ports will respond to queries.
Closed listen ports may or may not respond to queries and are only listed when they can be optionally enabled.
Filtered listen ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP ports will respond to queries but will not allow connectivity.
Description: connection details. Some descriptions refer to the Notes section after each table for specifics on the row data.
1.3 Port Tables
Below are the tables which document the port usage for this product. Note that a large number of the IP ports used by CM's Processor Ethernet interface have the same port numbers as those used on CLAN circuit packs in port networks. In many ways the CLAN circuit packs act as remote network interface cards for the processor controlling them; therefore the following CM port matrix table includes CLAN ports. The affected ports are noted.
In a theoretical sense, all IP ports on CM are optionally enabled/disabled with a default port state of closed, because by default CM's Processor Ethernet is disabled. For practical purposes almost all systems will have the Processor Ethernet port enabled, and the enable/disable column in the following table assumes it is enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options" and see Processor Ethernet on page 4.
Table 1: Listen Ports for Communication Manager
Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
any | N/A (N/A) | CM | N/A (N/A) | ICMP | yes | open | ICMP messages, ping, etc. IP Protocol Number 1
Admin Device | 1024-65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23
Admin Device | 1024-65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interface over Telnet. Note 23
Admin Device | 1024-65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23
IPSI | 1024-65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP)
CM, SCS, SRS | 1024-65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP)
SNMP NMS | 1024-65535 | CM | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 5, Note 23
SNMP NMS | 1024-65535 | CLAN | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 23
Table 1 (continued)
Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
Gateway, CM, SCS, SRS, UPS | 1024-65535 | CM | 162 | UDP SNMP Trap | yes | closed | SNMP traps (server) collection. Note 6, Note 23
IP Phone | 1024-2048 | CM, CLAN | 411 | TCP HTTPS | no | open | HTTPS IP Phone configuration file download. Note 3
Admin Device, SCS, SRS | 1024-65535 | CM | 443 | TCP HTTPS | no | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024-65535 | CM | 514 | UDP SYSLOG, TCP SYSLOG | yes | closed | TN Board Logging & Server Log Files
CM 1.3 or older | 512-1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync Service. Note 7
H.248 Media Gateways | 1024-65535 | CM or CLAN | 1039 | TCP Encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024-5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling
CM | 1024-65535 | CM | 1332 | UDP DES Encrypted Proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024-65535 | CM or CLAN | 1719 | TCP H.323 | yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500-6500 | CM or CLAN | 1720 | TCP H.323 | yes | closed | H.323 signaling. Note 8, Note 10
CM, CLAN | 5000-5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000-9999) | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Third Party GK or GW | 1024-65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Table 1 (continued)
Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
Admin Device | 1024-65535 | CM | 2222 | TCP SSH | yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024-65535 | CM | 2376 | TCP TLS | yes | closed | TLS encrypted exchange between Docker daemons (see Note 24)
H.248 GW | 1024-65535 | CM or CLAN | 2944 | TCP H.248 | yes | closed | TLS encrypted H.248. Note 8, Note 13
H.248 GW | 1024-65535 | CM or CLAN | 2945 | TCP H.248 | yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024-65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024-65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024-65535 | CM or CLAN | 5060 (5000-9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024-65535 | CM or CLAN | 5061 (5000-9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024-65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (SW duplication), Server 1. Note 22
CM | 1024-65535 | CM | 6514 | TLS SYSLOG | yes | closed | Server Log Files
AE Services | 1024-65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20
CM | 1024-65535 | CM | 9000 | TCP Proprietary | no | open | DGB (debugging tool)
Table 1 (continued)
Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
AMS | 1024-65535 | CM | 9061 (5000-9999) | TCP TLS SIPS | yes | closed | SIP. Note 22
CM Array Mgmt | 1024-65535 | CM | 9988 | TCP | yes | closed | Exchange between Kafka (container) client and a Kafka Broker (see Note 24)
CM | 1024-65535 | CM | 12080 | TCP TLS | no | closed | Dupmgr (SW duplication), Server 2. Note 10. Proprietary, optionally encrypted
CM, SCS, SRS | 20873-21872 | CM, SCS, SRS | 20873-21872 | TCP TLS | no | open | Internal Filesync communication. Note 21
CM, SCS, SRS | 1024-65535 | CM, SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18
CM, SCS, SRS | 1024-65535 | CM | 21874 | TCP TLS | no | open | Filesync over SSL. Note 19
G650 | 1024-65535 | CM or CLAN | 59000-59200 | TCP H.245 | no | open | H.245
NOTES
1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SSH Server (SCP/SFTP, 22) and setting Service State to Disabled.
2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).
3. This note for IP phone download was removed since it has been in disuse for many years.
4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select Configure individual services -> Continue -> select Configure Time Server -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, the duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).
5. By default, the Simple Network Management Protocol (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.
6. By default, the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.
7. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.
8. By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options" and see Processor Ethernet on page 4.
9. The Arbiter service is only enabled on duplicated servers. The Arbiter process (1) decides which server is healthier and more able to be active, and (2) coordinates data shadowing between servers under the Duplication Manager's control.
10. Duplicated: port 5098 is for Server 1 and port 12080 is for Server 2.
11. CM as the destination applies only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.
12. In CM 3.1 or later, the High Priority SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name High Priority SSH (2222) and setting Service State to Disabled. Prior to CM 3.1, the High Priority SSH service could be blocked in the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server hp-sshd.
13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.
14. In CM 3.1 or later, the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SAT (SSH, 5022) and setting Service State to Disabled.
15. In CM 3.1 or later, the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SAT (Telnet, 5023) and setting Service State to Disabled.
16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).
19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).
20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).
21. Ports used for internal filesync communication default to 20873-20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.
22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
Table 2: Talk-only Ports for Communication Manager
If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.
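A host-side check that puts Table 1 and the listen-state definitions of section 1.2 to use, as an added Python example that is not Avaya code and not part of this document. EXPECTED mirrors a subset of Table 1 (protocol, port, default listen state); LISTENERS is constructed sample text in the shape of `ss -Hltnu` output and is not output from any real CM server. The audit reports listeners the matrix says are closed by default (the Telnet and SNMP rows here), matrix "open" ports that are not actually listening, and listeners the matrix subset does not list at all; the sample port 8080 is a constructed stand-in for such an unknown listener.

```python
"""Audit a CM host's listeners against Table 1 (added example, not Avaya code).

EXPECTED mirrors a subset of Table 1 as (protocol, port, default listen state,
description). LISTENERS is constructed sample text in the shape of
`ss -Hltnu` output on the host; it is not real CM output. The audit flags
listeners the matrix says are closed by default, matrix 'open' ports that are
not listening, and listeners the matrix subset does not know about.
"""
import re
from typing import Dict, List, Tuple

EXPECTED: List[Tuple[str, int, str, str]] = [
    ("tcp", 22, "open", "OS administration over SSH"),
    ("tcp", 23, "closed", "OS administration over Telnet"),
    ("tcp", 80, "open", "web administration, redirects to HTTPS"),
    ("tcp", 443, "open", "web administration over HTTPS"),
    ("udp", 161, "closed", "SNMP agent"),
    ("tcp", 2222, "open", "High Priority SSH"),
    ("tcp", 5022, "open", "SAT over SSH"),
    ("tcp", 5023, "closed", "SAT over Telnet"),
    ("tcp", 5061, "closed", "SIPS trunks"),
    ("tcp", 9000, "open", "DGB debugging tool"),
]

# Constructed sample, one socket per line: Netid State Recv-Q Send-Q Local Peer
LISTENERS = """\
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:2222    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5022    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8080    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:9000  0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161     0.0.0.0:*
"""

SOCKET_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+")


def parse_listeners(text: str) -> Dict[Tuple[str, int], str]:
    """Map (protocol, port) -> local bind address for every socket line."""
    found: Dict[Tuple[str, int], str] = {}
    for line in text.splitlines():
        match = SOCKET_LINE.match(line)
        if not match:
            continue  # headers or unrelated lines
        proto, addr, port = match.groups()
        if port == "*":
            continue  # wildcard port, nothing to compare against the matrix
        found[(proto, int(port))] = addr
    return found


def audit(expected, listeners) -> Dict[str, list]:
    """Compare live listeners against the matrix's default listen states."""
    matrix = {(proto, port): (state, desc) for proto, port, state, desc in expected}
    report: Dict[str, list] = {"unexpected": [], "missing": [], "unknown": []}
    for (proto, port), addr in sorted(listeners.items()):
        if (proto, port) not in matrix:
            report["unknown"].append((proto, port, addr))
        elif matrix[(proto, port)][0] == "closed":
            report["unexpected"].append((proto, port, matrix[(proto, port)][1]))
    for (proto, port), (state, desc) in matrix.items():
        if state == "open" and (proto, port) not in listeners:
            report["missing"].append((proto, port, desc))
    return report


if __name__ == "__main__":
    for kind, rows in audit(EXPECTED, parse_listeners(LISTENERS)).items():
        for row in rows:
            print(kind, *row)
```

The "filtered" state from the section 1.2 definitions cannot be seen from inside the host; it only shows up in a scan from the network side, so this check distinguishes open from closed only. The bind address is kept in the report because a matrix-open port bound to 127.0.0.1 (port 9000 in the sample) is listening but not reachable from the network, which is the detail a firewall review needs.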
Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Description
CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages, ping, etc. IP Protocol Number 1
CM or CLAN | 1024-65535 | DNS Server | 53 | UDP DNS | no | DNS requests and responses
CM | 1024-65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1
CM | 1024-65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7
CM | 1024-65535 | SNMP NMS | 162 (0-65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024-65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024-65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage
Table 2 (continued)
Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Description
SRS | 514 | CM 1.3 or older | Note 7 | TCP RSH | yes | Legacy Filesync Service. Note 7
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8
CM RADIUS Client | 1024-65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS based login processing. Note 9
CM | 1024-65535 | IPSI | 1956 | TCP Proprietary | no | IPSI Command Server Service
CM | 1024-65535 | IPSI | 5010 | TCP Proprietary | no | IPSI Server control channel
CM | 1024-65535 | IPSI | 5011 | TCP Proprietary | no | IPSI Server IPSI version channel
CM | 1024-65535 | IPSI | 5012 | TCP Proprietary | no | IPSI Server serial number channel
CM SafeWord Client | 1024-65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord based login processing. Note 9
CM | 1024-65535 | SIP Trunks | 5060 (1-65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024-65535 | SIP Trunks | 5061 (1-65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024-65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024-65535 | TCP Proprietary | no | Audix Digital Networking
CM | 1024-65535 | AMS | 9061 (1-65535) | TCP TLS SIPS | yes | SIP. Note 10
NOTES
1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, NTP on the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.
2. By default, the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512-1023, but it is not configurable.
4. By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type "display system-parameters customer-options" and see Processor Ethernet on page 4.
5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
7. CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.
8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440-61444.
9. Disabled by default. Requires root access to enable.
10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
1.4 Port Table Changes
There are no port changes from the R7.0.1 release.
1.5 Port Table Changes on CMM
The CMM port usage information similar to the following has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.
2 Port Usage Diagram
[Figure: Port usage diagram. Avaya Aura Communication Manager is shown in the centre with protocol groups HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP and Other, connected to the peer groups Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any. Port labels shown on the diagram, in the order they appear: HTTPS TCP 443; HTTP TCP 80; SSH TCP 22; SSH TCP 2222; SSH TCP 5022; HTTP TCP 81; HTTPS TCP 411; SNMP UDP 161; SNMP UDP 162; H.323 TCP default 1719; H.323 UDP 1719; H.323 TCP 1720; SIP TCP default 5060; SIP TCP default 5061; SIP TCP default 9061; Telnet TCP 23; Telnet TCP 5023; NTP UDP 123; Syslog UDP 514; Array Docker TCP 2376; Arbiter UDP 1332; Dupmgr TCP 5098, 12080; DGB TCP 9000; Filesync TCP 20873-21874; ICMP; NTP UDP 123; Syslog UDP 514; Syslog TLS 6514; Array Kafka TCP 9988; ASAI TCP 8765; H.323 TCP 1300; H.248 TCP 1039; H.248 TCP 2944; H.248 TCP 2945; H.245 TCP 59000-59200; H.323 UDP 1719 (for registration).]
Appendix A: Overview of TCP/IP Ports
What are ports and how are they used?
TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC: multiple applications may be simultaneously receiving information. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80, and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation
Port Type Ranges
Port numbers are divided into three ranges Well-Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports)
Well-Known Ports are those numbered from 0 through 1023
Registered Ports are those numbered from 1024 through 49151
Dynamic Ports are those numbered from 49152 through 65535
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers
Well-Known Ports
For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well-known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023
In UNIX and Linux operating systems, only root (or, on current Linux, a process holding the CAP_NET_BIND_SERVICE capability) may open a well-known port. Well-known ports are therefore also commonly referred to as "privileged ports".

Registered Ports

Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, of the ports used by Avaya in this range are 1719/1720 for H.323, 5060/5061 for SIP, and 2944 for H.248. The registered port range is 1024 - 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called "private ports", are available for any general purpose. No meanings are associated with these ports (similar to RFC 1918 IP address usage). They are the safest ports to use because no application types are linked to them. The dynamic port range is 49152 - 65535. Note that operating systems do not necessarily confine their ephemeral (client-side) source ports to this range; Linux, for example, defaults to 32768 through 60999 (see /proc/sys/net/ipv4/ip_local_port_range), which is one reason the matrices in this document give client source ports as 1024 - 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the port number associated with the IP address. A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow therefore has two sockets with a total of four logical elements. Each data flow must be unique; if one of the four elements differs, the data flow is unique. (Strictly, the transport protocol is a fifth element: a TCP flow and a UDP flow may share the same four values and remain distinct.) The following three data flows are uniquely identified by port number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second socket as data flow 1, but since the port number on the first socket differs, the data flow is unique. Data flow 3 differs from data flow 1 only in one octet of the second IP address. Therefore, if one IP address octet changes or one port number changes, the data flow is unique.

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.
  Client egress (HTTP GET):    Source 192.168.1.10:1369 -> Destination 10.10.10.47:80
  Client ingress (TCP info):   Source 10.10.10.47:80 -> Destination 192.168.1.10:1369

Notice that the client egress stream includes the client's source IP and port (1369) and the destination IP and port (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)

Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems that track each connection traversing any interface of the firewall and make sure it is valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until a connection to the specific port is requested, which is an enhancement to security against port scanning [2].

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[2] Port scanning is the act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature if someone is looking for a weakened access point to break into your computer.
• The CM Array feature uses TCP port 2376 for communication between Docker daemons.
• The CM Array feature uses TCP port 9988 for communication between a container (Kafka) client and the container broker.

Version 1.1 was re-edited to correct some document errors. A summary of changes:

• Removed port 81. We have not supported HTTP IP phone updates for many years.
• Updated the Port Matrix diagram to move "Array Kafka" to point to the "Other" block.
Port Usage Tables

1.2 Port Usage Table Heading Definitions

Source System: System name or type that initiates connection requests.

Source Port: The default layer-4 port number of the connection source. Valid values are 0 - 65535. A "(C)" next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: The default layer-4 port number to which the connection request is sent. Valid values are 0 - 65535. A "(C)" next to the port number means that the port number is configurable.

Network/Application Protocol: The name associated with the layer-4 protocol and the layer 5-7 application.

Optionally Enabled/Disabled: Indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values are Yes or No.
  "No" means the default port state cannot be changed (i.e. it cannot be enabled or disabled).
  "Yes" means the default port state can be changed, and the port can be either enabled or disabled.

Default Port Listen State: A listen port is either open, closed or filtered.
  Open listen ports respond to queries.
  Closed listen ports may or may not respond to queries, and are only listed when they can be optionally enabled.
  Filtered listen ports can be open or closed. Filtered UDP ports do not respond to queries; filtered TCP ports respond to queries but do not allow connectivity.

Description: Connection details. Some descriptions refer to the Notes section after each table for specifics on the row data.
1.3 Port Tables

Below are the tables that document the port usage for this product. Note that a large number of the IP ports used by CM's Processor Ethernet interface have the same port numbers as those used on CLAN circuit packs in port networks. In many ways the CLAN circuit packs act as remote network interface cards for the processor controlling them. Therefore the following CM port matrix table includes CLAN ports; the affected ports are noted.

In a theoretical sense, all IP ports on CM are optionally enabled/disabled with a default port state of closed, because by default CM's Processor Ethernet is disabled. For practical purposes almost all systems will have the Processor Ethernet port enabled, and the enable/disable column in the following table assumes that it is enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type display system-parameters customer-options and see Processor Ethernet on page 4.
Table 1: Listen Ports for Communication Manager

| Source System | Source Port (Non-Configurable / Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description |
|---|---|---|---|---|---|---|---|
| any | N/A | CM | N/A | ICMP | yes | open | ICMP messages, ping, etc. IP protocol number 1 |
| Admin Device | 1024-65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23 |
| Admin Device | 1024-65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interface over Telnet. Note 23 |
| Admin Device | 1024-65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23 |
| IPSI | 1024-65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP) |
| CM, SCS, SRS | 1024-65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP) |
| SNMP NMS | 1024-65535 | CM | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 5, Note 23 |
| SNMP NMS | 1024-65535 | CLAN | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 23 |
| Gateway, CM, SCS, SRS, UPS | 1024-65535 | CM | 162 | UDP SNMP Trap | yes | closed | SNMP traps (server) collection. Note 6, Note 23 |
| IP Phone | 1024-2048 | CM, CLAN | 411 | TCP HTTPS | no | open | HTTPS IP phone configuration file download. Note 3 |
| Admin Device, SCS, SRS | 1024-65535 | CM | 443 | TCP HTTPS | no | open | Avaya web administration interface (HTTPS). Note 23 |
| CLAN, IPSI, TN2602AP | 1024-65535 | CM | 514 | UDP Syslog, TCP Syslog | yes | closed | TN board logging and server log files |
| CM 1.3 or older | 512-1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync service. Note 7 |
| H.248 Media Gateways | 1024-65535 | CM or CLAN | 1039 | TCP encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8 |
| H.323 Phone | 1024-5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling |
| CM | 1024-65535 | CM | 1332 | UDP DES-encrypted proprietary | Note 9 | Note 9 | Arbiter. Note 9 |
| H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | yes | closed | Registration, Admission and Status (RAS) for phones. Note 8 |
| CM, CLAN | 1024-65535 | CM or CLAN | 1719 | TCP H.323 | yes | closed | H.323 RAS for trunks. Note 22 |
| H.323 Phone | 1500-6500 | CM or CLAN | 1720 | TCP H.323 | yes | closed | H.323 signaling. Note 8, Note 10 |
| CM, CLAN | 5000-5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000-9999) | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT |
| Third Party GK or GW | 1024-65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT |
| Admin Device | 1024-65535 | CM | 2222 | TCP SSH | yes | open | High Priority SSH. Note 12, Note 23 |
| CM Array Mgmt | 1024-65535 | CM | 2376 | TCP TLS | yes | closed | TLS encrypted exchange between Docker daemons (see Note 24) |
| H.248 GW | 1024-65535 | CM or CLAN | 2944 | TCP H.248 | yes | closed | TLS encrypted H.248. Note 8, Note 13 |
| H.248 GW | 1024-65535 | CM or CLAN | 2945 | TCP H.248 | yes | open | Unencrypted H.248. Note 8, Note 13 |
| Admin Device | 1024-65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23 |
| Admin Device | 1024-65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23 |
| SIP Trunks | 1024-65535 | CM or CLAN | 5060 (5000-9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22 |
| SIP Trunks | 1024-65535 | CM or CLAN | 5061 (5000-9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22 |
| CM | 1024-65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (SW duplication), Server 1. Note 10 |
| CM | 1024-65535 | CM | 6514 | TLS Syslog | yes | closed | Server log files |
| AE Services | 1024-65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20 |
| CM | 1024-65535 | CM | 9000 | TCP proprietary | no | open | DGB (debugging tool) |
| AMS | 1024-65535 | CM | 9061 (5000-9999) | TCP TLS SIPS | yes | closed | SIP. Note 22 |
| CM Array Mgmt | 1024-65535 | CM | 9988 | TCP | yes | closed | Exchange between Kafka (container) client and a Kafka broker (see Note 24) |
| CM | 1024-65535 | CM | 12080 | TCP TLS | no | closed | Dupmgr (SW duplication), Server 2. Proprietary, optionally encrypted. Note 10 |
| CM, SCS, SRS | 20873-21872 | CM, SCS, SRS | 20873-21872 | TCP TLS | no | open | Internal Filesync communication. Note 21 |
| CM, SCS, SRS | 1024-65535 | CM, SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18 |
| CM, SCS, SRS | 1024-65535 | CM | 21874 | TCP TLS | no | open | Filesync over SSL. Note 19 |
| G650 | 1024-65535 | CM or CLAN | 59000-59200 | TCP H.245 | no | open | H.245 |
Notes:

1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, then for Service Name "SSH Server (SCP/SFTP, 22)" setting Service State to Disabled.

2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).

3. This note for IP phone download was removed since the feature has been in disuse for many years.

4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select "Configure individual services" -> Continue -> select "Configure Time Server" -> select "this computer synchronizes with the duplicated server". This option is used to synchronize time between the main media server, the duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).

5. By default the Simple Network Management Protocol (SNMP) Agent service is disabled. It can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be used for enhanced security.

6. By default the SNMP Trap server service is blocked. It can be unblocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.

7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.

8. By default only the S8300D and S8300E servers have Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type display system-parameters customer-options and see Processor Ethernet on page 4.

9. The Arbiter service is only enabled on duplicated servers. The Arbiter process (1) decides which server is healthier and more able to be active, and (2) coordinates data shadowing between servers under the Duplication Manager's control.

10. Duplication: port 5098 is for Server 1 and port 12080 is for Server 2.

11. CM as the destination applies only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.

12. In CM 3.1 or later, the High Priority SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, then for Service Name "High Priority SSH (2222)" setting Service State to Disabled. Prior to CM 3.1, the High Priority SSH service could be blocked in the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server hp-sshd.

13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100.

14. In CM 3.1 or later, the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, then for Service Name "SAT (SSH, 5022)" setting Service State to Disabled.

15. In CM 3.1 or later, the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, then for Service Name "SAT (Telnet, 5023)" setting Service State to Disabled.

16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services (e.g. wrongly attempting to use 5060 for TLS).

17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services (e.g. wrongly attempting to use 5060 for TLS).

18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) uses port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).

19. In CM 3.x and later, filesync over SSL uses port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).

20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).

21. Ports used for internal filesync communication default to 20873 - 20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.

22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.

24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
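One way to put Table 1 to work, as an added example that is not part of the Avaya document: compare the sockets a CM host is actually listening on against the default listen states in the table, and flag listeners the matrix says are closed by default (Telnet 23, SNMP agent 161, SAT over Telnet 5023, and so on), listeners the matrix does not list at all, and expected listeners that are absent. The expected-state table below is transcribed from a subset of Table 1 for a CM with Processor Ethernet enabled; the `ss -Hlntu` output is a constructed sample, not captured from a real server, and `ss` is assumed to be available on the host.

```python
"""Audit a CM host's listening sockets against the port matrix defaults.

Added example, not part of the Avaya document. EXPECTED is transcribed from
a subset of Table 1 for a CM with Processor Ethernet enabled.
"""
import re

# (protocol, destination port) -> default listen state from Table 1.
EXPECTED = {
    ("tcp", 22): "open",       # OS administration over SSH
    ("tcp", 23): "closed",     # OS administration over Telnet
    ("tcp", 80): "open",       # web administration, redirects to 443
    ("udp", 123): "closed",    # NTP server
    ("udp", 161): "closed",    # SNMP agent
    ("udp", 162): "closed",    # SNMP trap collection
    ("tcp", 443): "open",      # web administration over HTTPS
    ("tcp", 1039): "open",     # proprietary encrypted H.248
    ("tcp", 2222): "open",     # high priority SSH
    ("tcp", 2945): "open",     # unencrypted H.248
    ("tcp", 5022): "open",     # SAT over SSH
    ("tcp", 5023): "closed",   # SAT over Telnet
    ("tcp", 5060): "closed",   # SIP
    ("tcp", 5061): "closed",   # SIPS
    ("tcp", 5098): "open",     # Dupmgr, server 1
    ("tcp", 9000): "open",     # DGB debugging tool
    ("tcp", 12080): "closed",  # Dupmgr, server 2
}

# Constructed sample of `ss -Hlntu` output (invented for this example, not
# captured from a real CM). Telnet (23) and the SNMP agent (161) are listening
# although the matrix lists them as closed by default, and 8443 is not in the
# matrix at all.
SAMPLE_SS = """\
udp   UNCONN 0      0        0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:2222       0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:5022       0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:5098     0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:9000       0.0.0.0:*
tcp   LISTEN 0      128      [::]:8443          [::]:*
"""


def parse_ss(text):
    """Return the set of (protocol, port) pairs from `ss -Hlntu` style output.

    Columns are: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
    """
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        match = re.search(r":(\d+)$", fields[4])
        if match:
            found.add((fields[0], int(match.group(1))))
    return found


def audit(found, expected=EXPECTED):
    """Compare observed listeners with the matrix defaults.

    should_be_closed: listening, but the matrix default is closed (act on first).
    unexpected: listening, but not in the matrix subset at all.
    missing: matrix default is open, but nothing is listening (informational).
    """
    report = {"should_be_closed": [], "unexpected": [], "missing": []}
    for key, state in expected.items():
        if key in found and state == "closed":
            report["should_be_closed"].append(key)
        elif key not in found and state == "open":
            report["missing"].append(key)
    report["unexpected"] = [key for key in found if key not in expected]
    for bucket in report.values():
        bucket.sort()
    return report


if __name__ == "__main__":
    for bucket, keys in audit(parse_ss(SAMPLE_SS)).items():
        print(bucket + ":", ", ".join(f"{proto}/{port}" for proto, port in keys))
```

A "should_be_closed" hit is the finding to act on first: it means a service the matrix lists as disabled by default (here Telnet and the SNMP agent) has been turned on, and Notes 5, 14 and 15 above describe where in the web administration interface those services are disabled. "Missing" entries are informational, since a service such as H.248 may legitimately be disabled on a given system.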
Table 2: Talk-only Ports for Communication Manager

If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.

| Source System | Source Port (Non-Configurable / Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Description |
|---|---|---|---|---|---|---|
| CM | N/A | any | N/A | ICMP | N/A | ICMP messages, ping, etc. IP protocol number 1 |
| CM or CLAN | 1024-65535 | DNS Server | 53 | UDP DNS | no | DNS requests and responses |
| CM | 1024-65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1 |
| CM | 1024-65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7 |
| CM | 1024-65535 | SNMP NMS | 162 (0-65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11 |
| CLAN | 1024-65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11 |
| CM | 1024-65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage |
| SRS | 514 | CM 1.3 or older | 512-1023 (see Note 3) | TCP RSH | yes | Legacy Filesync service. Note 3 |
| CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8 |
| CM RADIUS Client | 1024-65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS based login processing. Note 9 |
| CM | 1024-65535 | IPSI | 1956 | TCP proprietary | no | IPSI Command Server service |
| CM | 1024-65535 | IPSI | 5010 | TCP proprietary | no | IPSI server control channel |
| CM | 1024-65535 | IPSI | 5011 | TCP proprietary | no | IPSI server IPSI version channel |
| CM | 1024-65535 | IPSI | 5012 | TCP proprietary | no | IPSI server serial number channel |
| CM SafeWord Client | 1024-65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord based login processing. Note 9 |
| CM | 1024-65535 | SIP Trunks | 5060 (1-65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10 |
| CM | 1024-65535 | SIP Trunks | 5061 (1-65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10 |
| CM SecurID Client | 1024-65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID based login processing. Note 9 |
| CM or CLAN | 5500 | Audix LX, MM, MN | 1024-65535 | TCP proprietary | no | Audix Digital Networking |
| CM | 1024-65535 | AMS | 9061 (1-65535) | TCP TLS SIPS | yes | SIP. Note 10 |
Notes:

1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name of a primary, secondary or tertiary Network Time Server (NTS) can be provided. Furthermore, the media server's NTP client can be configured to support multicast timing messages or direct poll requests to the NTS. Finally, keys can optionally be provided for authenticated communication with the NTS.

2. By default the SNMP Trap client service is disabled. It can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.

3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 - 1023 and is not configurable.

4. By default only the S8300D and S8300E servers have Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface: type display system-parameters customer-options and see Processor Ethernet on page 4.

5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services (e.g. wrongly attempting to use 5060 for TLS).

6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services (e.g. wrongly attempting to use 5060 for TLS).

7. CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.

8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 - 61444.

9. Disabled by default. Requires root access to enable.

10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.

11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
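Note 11 above (and Note 23 under Table 1) recommends blocking the management ports on the in-band voice interface whenever a dedicated out-of-band management interface exists. As an added example, not Avaya's code and not the CM host firewall's own rule set, the following Python generates the iptables rules that express that recommendation and includes a small evaluator so the generated list can be checked before it is applied. The interface names eth0 (in-band) and eth1 (management) are assumptions; the INPUT chain, the LOG rule and its rate limit are the author's choices, not something the document specifies.

```python
"""Generate iptables rules for Note 23 / Note 11: block CM management ports on
the in-band (voice) interface when a dedicated out-of-band management
interface exists.

Added example, not Avaya code. Interface names are assumptions.
"""

# Management ports from Note 23 (Table 1) and Note 11 (Table 2).
MGMT_PORTS = {
    "tcp": (22, 2222, 5022,   # SSH, high priority SSH, SAT over SSH
            23, 5023,         # Telnet, SAT over Telnet
            80, 443),         # web administration
    "udp": (161, 162),        # SNMP agent and trap collection
}


def management_block_rules(inband_if, ports=MGMT_PORTS):
    """Return iptables commands that log (rate limited) and then drop management
    traffic arriving on the in-band interface.

    Every rule matches on `-i inband_if`, so the same ports remain reachable on
    the dedicated management interface, which is what the note intends.
    """
    rules = []
    for proto, plist in ports.items():
        dports = ",".join(str(p) for p in sorted(plist))
        match = f"-A INPUT -i {inband_if} -p {proto} -m multiport --dports {dports}"
        rules.append(f'iptables {match} -m limit --limit 5/min -j LOG --log-prefix "CM-MGMT-INBAND "')
        rules.append(f"iptables {match} -j DROP")
    return rules


def would_drop(rules, iface, proto, dport):
    """Check a generated rule list: would a packet arriving on `iface` with this
    protocol and destination port hit one of the DROP rules?

    This only understands the options emitted by management_block_rules; it is
    a pre-deployment sanity check, not a general iptables simulator.
    """
    for rule in rules:
        if not rule.endswith("-j DROP"):
            continue
        tokens = rule.split()
        rule_if = tokens[tokens.index("-i") + 1]
        rule_proto = tokens[tokens.index("-p") + 1]
        rule_ports = {int(p) for p in tokens[tokens.index("--dports") + 1].split(",")}
        if rule_if == iface and rule_proto == proto and dport in rule_ports:
            return True
    return False


if __name__ == "__main__":
    # eth0 is assumed to be the in-band (voice) interface; eth1 the OOB one.
    for rule in management_block_rules("eth0"):
        print(rule)
```

The notes in this document administer the CM host firewall through the web administration interface (Security -> Server Access and Security -> Firewall); the generated commands express the same policy for a firewall in front of the server, or for comparison against what the host firewall is actually enforcing. Because the rules match on the ingress interface rather than on addresses, SIP and H.323 signaling on the voice interface (5060, 5061, 1719, 1720) is untouched, which the evaluator confirms before anything is loaded.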
1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information that previously appeared in Table 1 has been removed because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.
2 Port Usage Diagram

[Figure: Avaya Aura Communication Manager port usage diagram. The legend groups flows as HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP and Other. Peer blocks around CM: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any. Port labels shown in the figure:]

HTTPS TCP 443; HTTP TCP 80; SSH TCP 22, 2222, 5022; Telnet TCP 23, 5023
HTTP TCP 81; HTTPS TCP 411
SNMP UDP 161, 162
H.323 TCP default 1719; H.323 UDP 1719 (for registration); H.323 TCP 1720; H.323 TCP 1300
SIP TCP default 5060, 5061, 9061
NTP UDP 123; Syslog UDP 514; Syslog TLS 6514
Array Docker TCP 2376; Array Kafka TCP 9988
Arbiter UDP 1332; Dupmgr TCP 5098, 12080; DGB TCP 9000; Filesync TCP 20873-21874
ASAI TCP 8765
H.248 TCP 1039, 2944, 2945; H.245 TCP 59000-59200
ICMP

(HTTP TCP 81 still appears in the diagram even though Version 1.1 removed port 81 from the tables.)
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 15
Appendix A Overview of TCPIP Ports
What are ports and how are they used
TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams Consider your desktop PC Multiple applications may be simultaneously receiving information In this example email may use destination TCP port 25 a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Furthermore each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs Every IP device has incoming (Ingress) and outgoing (Egress) data streams
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation
Port Type Ranges
Port numbers are divided into three ranges Well-Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports)
Well-Known Ports are those numbered from 0 through 1023
Registered Ports are those numbered from 1024 through 49151
Dynamic Ports are those numbered from 49152 through 65535
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers
Well-Known Ports
For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well-known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 16
In UNIX and Linux operating systems only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".
Registered Ports
Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248 and others. The registered port range is 1024–49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.
Dynamic Ports
Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152–65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow or conversation requires two sockets – one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore if one IP address octet changes or one port number changes, the data flow is unique.
Figure 1: Socket example showing ingress and egress data flows from a PC to a web server. [Diagram: client egress HTTP GET with source 192.168.1.10:1369 and destination 10.10.10.47:80; server ingress TCP info with source 10.10.10.47:80 and destination 192.168.1.10:1369.]
Notice the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.
Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.
Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning.²
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers and application types and sub-types.
This paper is focused on identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.
² The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
Port Usage Tables
1.2 Port Usage Table Heading Definitions
Source System: System name or type that initiates connection requests.
Source Port: This is the default layer-4 port number of the connection source. Valid values include 0–65535. A "(C)" next to the port number means that the port number is configurable.
Destination System: System name or type that receives connection requests.
Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values include 0–65535. A "(C)" next to the port number means that the port number is configurable.
Network/Application Protocol: This is the name associated with the layer-4 protocol and the layer 5-7 application.
Optionally Enabled/Disabled: This field indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values include Yes or No.
"No" means the default port state cannot be changed (e.g. enabled or disabled).
"Yes" means the default port state can be changed and that the port can either be enabled or disabled.
Default Port Listen State: A listen port is either open, closed or filtered.
Open listen ports will respond to queries.
Closed listen ports may or may not respond to queries and are only listed when they can be optionally enabled.
Filtered listen ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP ports will respond to queries but will not allow connectivity.
Description: Connection details. Some descriptions have a reference to the Notes section after each table for specifics on any of the row data.
1.3 Port Tables
Below are the tables which document the port usage for this product. Note that a large number of IP ports used by CM's Processor Ethernet interface have the same IP port numbers as those used on CLAN circuit packs in port networks. In many ways the CLAN circuit packs act as remote network interface cards for the processor controlling them. Therefore the following CM port matrix table includes CLAN ports. The affected ports are noted.
In a theoretical sense all IP ports on CM are optionally enabled/disabled with default port state closed. That's because by default CM's Processor Ethernet is disabled. For practical purposes almost all systems will have the Processor Ethernet port enabled. The enable/disable column in the following table assumes it's enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4 see Processor Ethernet.
Table 1: Listen Ports for Communication Manager
Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
any | N/A (N/A) | CM | N/A (N/A) | ICMP | yes | open | ICMP messages, ping, etc. IP Protocol Number 1
Admin Device | 1024–65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23
Admin Device | 1024–65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interfaces over Telnet. Note 23
Admin Device | 1024–65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23
IPSI | 1024–65535 | CM | 123 | UDP NTP | Yes | closed | Network Time Protocol (NTP)
CM, SCS, SRS | 1024–65535 | CM | 123 | UDP NTP | Yes | closed | Network Time Protocol (NTP)
SNMP NMS | 1024–65535 | CM | 161 | UDP SNMP Agent | Yes | closed | SNMP (server). Note 5, Note 23
SNMP NMS | 1024–65535 | CLAN | 161 | UDP SNMP Agent | Yes | closed | SNMP (server). Note 23
Gateway, CM, SCS, SRS, UPS | 1024–65535 | CM | 162 | UDP SNMP Trap | Yes | closed | SNMP traps (server) collection. Note 6, Note 23
IP Phone | 1024–2048 | CM, CLAN | 411 | TCP HTTPS | No | open | HTTPS IP Phone configuration file download. Note 3
Admin Device, SCS, SRS | 1024–65535 | CM | 443 | TCP HTTPS | No | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024–65535 | CM | 514 | UDP SYSLOG, TCP SYSLOG | Yes | closed | TN Board Logging & Server Log Files
CM 1.3 or older | 512–1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync Service. Note 7
H.248 Media Gateways | 1024–65535 | CM or CLAN | 1039 | TCP Encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024–5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling
CM | 1024–65535 | CM | 1332 | UDP DES Encrypted Proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | Yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024–65535 | CM or CLAN | 1719 | TCP H.323 | Yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500–6500 | CM or CLAN | 1720 | TCP H.323 | Yes | closed | H.323 signaling. Note 8, Note 10
CM, CLAN | 5000–5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000–9999) | TCP H.323 | Yes | closed | H.323 IP trunk signaling ports, administered via SAT
Third Party GK or GW | 1024–65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | Yes | closed | H.323 IP trunk signaling ports, administered via SAT
Admin Device | 1024–65535 | CM | 2222 | TCP SSH | Yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024–65535 | CM | 2376 | TCP TLS | Yes | closed | TLS encrypted exchange between Docker daemons (see Note 24)
H.248 GW | 1024–65535 | CM or CLAN | 2944 | TCP H.248 | Yes | closed | TLS encrypted H.248. Note 8, Note 13
H.248 GW | 1024–65535 | CM or CLAN | 2945 | TCP H.248 | Yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024–65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024–65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024–65535 | CM or CLAN | 5060 (5000–9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024–65535 | CM or CLAN | 5061 (5000–9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024–65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (SW duplication) – Server 1. Note 22
CM | 1024–65535 | CM | 6514 | TLS SYSLOG | yes | closed | Server Log Files
AE Services | 1024–65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20
CM | 1024–65535 | CM | 9000 | TCP Proprietary | No | open | DGB (debugging tool)
AMS | 1024–65535 | CM | 9061 (5000–9999) | TCP TLS SIPS | Yes | closed | SIP. Note 22
CM Array Mgmt | 1024–65535 | CM | 9988 | TCP | Yes | closed | Exchange between Kafka (container) client and a Kafka Broker (see Note 24)
CM | 1024–65535 | CM | 12080 | TCP TLS | no | closed | Dupmgr (SW duplication) – Server 2. Note 10. Proprietary, optionally encrypted
CM, SCS, SRS | 20873–21872 | CM, SCS, SRS | 20873–21872 | TCP TLS | no | open | Internal Filesync communication. Note 21
CM, SCS, SRS | 1024–65535 | CM – SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18
CM, SCS, SRS | 1024–65535 | CM | 21874 | TCP TLS | No | open | Filesync over SSL. Note 19
G650 | 1024–65535 | CM or CLAN | 59000–59200 | TCP H.245 | No | open | H.245
NOTES
1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SSH Server (SCP/SFTP 22) and set Service State to Disabled.
2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).
3. This note for IP phone download was removed since it has been in disuse for many years.
4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select Configure individual services -> Continue -> select Configure Time Server -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).
5. By default the Simple Network Management (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured via authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.
6. By default the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.
7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.
8. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4 see Processor Ethernet.
9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active and 2) coordinates data shadowing between servers under the Duplication Manager's control.
10. Duplicated: Port 5098 is for Server 1 and Port 12080 is for Server 2.
11. CM as the destination is only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.
12. In CM 3.1 or later the High Priority SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name High Priority SSH (2222) and set Service State to Disabled. Prior to CM 3.1 the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server hp-sshd.
13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.
14. In CM 3.1 or later the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SAT (SSH 5022) and set Service State to Disabled.
15. In CM 3.1 or later the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SAT (Telnet 5023) and set Service State to Disabled.
16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).
19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).
20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).
21. Ports used for internal filesync communication default to 20873–20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.
22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.
24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
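As an added example (not Avaya's own tooling), the following Python compares a CM host's listening sockets, taken from `ss -Hltun` output that is constructed here for illustration, against the default-open listen ports of Table 1 and emits the host-firewall rules Note 23 calls for; the interface names eth0 (in-band voice) and eth1 (dedicated out-of-band management) are assumptions.

```python
"""Audit a CM host's listeners against Table 1 and emit Note 23 rules.

Added example for this port matrix, not Avaya's own tooling. The `ss`
output below is constructed; eth0 (in-band voice) and eth1 (out-of-band
management) are assumed interface names.
"""
import re

# Table 1 listen ports whose default state is "open" once Processor
# Ethernet is enabled: (transport, port) -> description.
EXPECTED_OPEN = {
    ("tcp", 22): "SSH/SCP/SFTP OS administration",
    ("tcp", 80): "HTTP web administration (redirects to 443)",
    ("tcp", 411): "HTTPS IP phone configuration download",
    ("tcp", 443): "HTTPS web administration",
    ("tcp", 1039): "Encrypted H.248",
    ("tcp", 2222): "High Priority SSH",
    ("tcp", 2945): "Unencrypted H.248",
    ("tcp", 5022): "SAT over SSH",
    ("tcp", 5098): "Dupmgr, server 1",
    ("tcp", 9000): "DGB debugging tool",
    ("tcp", 21873): "Filesync over SSL",
    ("tcp", 21874): "Filesync over SSL",
}

# Management ports that Note 23 says to block on the in-band interface
# when a dedicated out-of-band management interface exists.
MANAGEMENT_PORTS = {
    ("tcp", 80), ("tcp", 443), ("tcp", 22), ("tcp", 2222), ("tcp", 5022),
    ("tcp", 23), ("tcp", 5023), ("udp", 161), ("udp", 162),
}

# One line of `ss -Hltun`: proto, state, recv-q, send-q, local addr:port, peer.
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")

# Wildcard bind addresses: the socket answers on every interface.
ANY_ADDRESS = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(lines):
    """Return (proto, bind_address, port) for each listener line."""
    listeners = []
    for line in lines:
        match = SS_LINE.match(line.strip())
        if match:
            listeners.append((match.group(1), match.group(2), int(match.group(3))))
    return listeners


def audit_listeners(ss_lines):
    """Compare live listeners with Table 1.

    Returns (unexpected, needs_note23):
      unexpected   - (proto, port) pairs that are not open by default in
                     Table 1; confirm each one was enabled deliberately.
      needs_note23 - management ports bound to all addresses, which reach
                     the voice interface unless Note 23 rules are in place.
    """
    listeners = parse_ss(ss_lines)
    unexpected = sorted({(proto, port) for proto, _addr, port in listeners
                         if (proto, port) not in EXPECTED_OPEN})
    needs_note23 = sorted({(proto, port) for proto, addr, port in listeners
                           if (proto, port) in MANAGEMENT_PORTS
                           and addr in ANY_ADDRESS})
    return unexpected, needs_note23


def note23_rules(inband_iface="eth0", mgmt_iface="eth1"):
    """iptables commands (returned as strings, not executed) implementing
    Note 23: management ports accepted on the OOB interface, dropped on
    the in-band voice interface."""
    rules = []
    for proto, port in sorted(MANAGEMENT_PORTS):
        rules.append(f"iptables -A INPUT -i {mgmt_iface} -p {proto} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -i {inband_iface} -p {proto} --dport {port} -j DROP")
    return rules


# Constructed `ss -Hltun` output (not captured from a real CM server).
SAMPLE_SS = """
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5022   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:2945   0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:9000 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8888   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161    0.0.0.0:*
""".strip().splitlines()

if __name__ == "__main__":
    unexpected, needs_note23 = audit_listeners(SAMPLE_SS)
    print("not open by default in Table 1:", unexpected)
    print("management ports exposed in-band:", needs_note23)
    print("\n".join(note23_rules()))
```

In the constructed sample, Telnet (23) and the SNMP agent (161) are flagged because Table 1 lists them as closed by default, and 8888 because it appears in neither table.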
Table 2: Talk-only Ports for Communication Manager
If a port is both listen and talk, it's covered by Table 1 rather than by Table 2.
Source System | Source Port (Non-Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Description
CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages, ping, etc. IP Protocol Number 1
CM or CLAN | 1024–65535 | DNS Server | 53 | UDP DNS | No | DNS Requests and Responses
CM | 1024–65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1
CM | 1024–65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7
CM | 1024–65535 | SNMP NMS | 162 (0–65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024–65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024–65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage
SRS | 514 | CM 1.3 or older | Note 7 | TCP RSH | yes | Legacy Filesync Service. Note 7
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8
CM RADIUS Client | 1024–65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS based login processing. Note 9
CM | 1024–65535 | IPSI | 1956 | TCP Proprietary | no | IPSI Command Server Service
CM | 1024–65535 | IPSI | 5010 | TCP Proprietary | no | IPSI Server control channel
CM | 1024–65535 | IPSI | 5011 | TCP Proprietary | No | IPSI Server IPSI version channel
CM | 1024–65535 | IPSI | 5012 | TCP Proprietary | no | IPSI Server serial number channel
CM SafeWord Client | 1024–65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord based login processing. Note 9
CM | 1024–65535 | SIP Trunks | 5060 (1 to 65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024–65535 | SIP Trunks | 5061 (1 to 65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024–65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024–65535 | TCP Proprietary | no | Audix Digital Networking
CM | 1024–65535 | AMS | 9061 (1 to 65535) | TCP TLS SIPS | yes | SIP. Note 10
NOTES
1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the media server's NTP can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.
2. By default the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured via authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512–1023 but it's not configurable.
4. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface -> type "display system-parameters customer-options" -> under page 4 see Processor Ethernet.
5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
7. CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.
8. Source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440–61444.
9. Disabled by default. Requires root access to enable.
10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.
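The signaling-group port rules scattered across the two tables (the 5000–9999 configurable range of Table 1, the "5060 for TLS" exclusion of Notes 5/6 here and 16/17 of Table 1, and the TLS exclusions of Note 10 here, identical to Note 22 of Table 1) can be checked before a SAT change is committed. The following Python is an added example, not Avaya's own validation logic; the SignalingGroup record, the group "kind" labels and the sample groups are constructed for illustration.

```python
"""Validate near-end listen ports administered for CM signaling groups.

Added example, not Avaya's own validation logic. It applies the configurable
range from Table 1, the "5060 for TLS" exclusion of Notes 5/6 (Table 2) and
16/17 (Table 1), and the TLS exclusions of Note 10 (Table 2, same text as
Note 22 of Table 1). The SignalingGroup record and the sample groups are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignalingGroup:
    name: str
    kind: str       # "sip", "ams-sip" or "h323" (labels chosen for this example)
    near_end: int   # listen port administered on CM for this group
    tls: bool


# Default near-end ports per kind (Table 1) and the configurable range
# shown for the SIP, AMS and H.323 trunk rows (5000-9999).
DEFAULT_PORTS = {"sip": {5060, 5061}, "ams-sip": {9061}, "h323": {1719, 1720}}
CONFIGURABLE_RANGE = (5000, 9999)

# Note 10 / Note 22: ports a TLS-enabled group of each kind is blocked from.
TLS_EXCLUSIONS = {
    "ams-sip": {1719, 1720, 5060, 5061},
    "sip": {1720, 9061},
    "h323": {5061, 9061},
}


def check_group(group):
    """Return the problems with one group on its own (empty if acceptable)."""
    if group.kind not in DEFAULT_PORTS:
        raise ValueError(f"unknown signaling group kind {group.kind!r}")
    problems = []
    lo, hi = CONFIGURABLE_RANGE
    in_range = lo <= group.near_end <= hi
    if group.near_end not in DEFAULT_PORTS[group.kind] and not in_range:
        problems.append(f"{group.name}: port {group.near_end} is neither a default "
                        f"{group.kind} port nor in the configurable range {lo}-{hi}")
    if group.tls and group.near_end in TLS_EXCLUSIONS[group.kind]:
        problems.append(f"{group.name}: Note 10 blocks TLS-enabled {group.kind} "
                        f"groups from using port {group.near_end}")
    if group.tls and group.kind == "sip" and group.near_end == 5060:
        problems.append(f"{group.name}: Notes 5/6 exclude 5060 (the SIP port) "
                        f"from use with TLS")
    return problems


def validate_groups(groups):
    """Check every group, then flag a near-end port shared by groups that
    differ in kind or TLS use: the one-port-two-meanings conflict the
    Registered Ports section of Appendix A warns about."""
    problems = []
    for group in groups:
        problems.extend(check_group(group))
    by_port = {}
    for group in groups:
        by_port.setdefault(group.near_end, []).append(group)
    for port, users in sorted(by_port.items()):
        if len({(g.kind, g.tls) for g in users}) > 1:
            names = ", ".join(g.name for g in users)
            problems.append(f"port {port} is shared by groups with different "
                            f"protocol or TLS settings: {names}")
    return problems


# Constructed sample administration (not taken from the document).
SAMPLE_GROUPS = [
    SignalingGroup("sg1-sip-tls", "sip", 5061, tls=True),      # acceptable
    SignalingGroup("sg2-ams-tls", "ams-sip", 5061, tls=True),  # Note 10 violation
    SignalingGroup("sg3-h323", "h323", 1720, tls=False),       # acceptable default
    SignalingGroup("sg4-sip", "sip", 4999, tls=False),         # below 5000
]

if __name__ == "__main__":
    for problem in validate_groups(SAMPLE_GROUPS):
        print(problem)
```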
1.4 Port Table Changes
There are no port changes from the R7.0.1 release.
1.5 Port Table Changes on CMM
The CMM port usage information similar to the following has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.
2 Port Usage Diagram
[Figure: port usage diagram centred on Avaya Aura® Communication Manager. Legend: HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP, Other. Peer groups shown: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any. Port labels shown in the figure: HTTPS-TCP 443, HTTP-TCP 80, SSH-TCP 22, SSH-TCP 2222, SSH-TCP 5022, HTTP-TCP 81, HTTPS-TCP 411, SNMP-UDP 161, SNMP-UDP 162, H.323-TCP default 1719, H.323-UDP 1719, H.323-TCP 1720, SIP-TCP default 5060, SIP-TCP default 5061, SIP-TCP default 9061, Telnet-TCP 23, Telnet-TCP 5023, NTP-UDP 123, Syslog-UDP 514, Array Docker-TCP 2376, Arbiter-UDP 1332, Dupmgr-TCP 5098/12080, DGB-TCP 9000, Filesync-TCP 20873-21874, ICMP, Syslog-TLS 6514, Array Kafka-TCP 9988, ASAI-TCP 8765, H.323-TCP 1300, H.248-TCP 1039, H.248-TCP 2944, H.248-TCP 2945, H.245-TCP 59000-59200, H.323-UDP 1719 (for registration).]
Appendix A: Overview of TCP/IP Ports
What are ports and how are they used?
TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be simultaneously receiving information. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80, and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (Ingress) and outgoing (Egress) data streams.
Firewall Policies
The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access using IP addresses port numbers and application types and sub-types
This paper is focused with identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction but can also raise security concerns
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone
2 The act of systematically scanning a computers ports Since a port is a place where information goes into and out of a
computer port scanning identifies open doors to a computer Port scanning has legitimate uses in managing networks but
port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 6
1.3 Port Tables
Below are the tables which document the port usage for this product. Note that a large number of IP ports used by CM's Processor Ethernet interface have the same IP port numbers as those used on CLAN circuit packs in port networks. In many ways the CLAN circuit packs act as remote network interface cards for the processor controlling them. Therefore the following CM port matrix table includes CLAN ports; the affected ports are noted.
In a theoretical sense all IP ports on CM are optionally enabled/disabled with a default port state of closed, because by default CM's Processor Ethernet is disabled. For practical purposes almost all systems will have the Processor Ethernet port enabled, and the Optionally Enabled/Disabled column in the following table assumes it is enabled. Processor Ethernet can be confirmed enabled or disabled from the SAT interface: type "display system-parameters customer-options" and see "Processor Ethernet" on page 4.
Table 1: Listen Ports for Communication Manager

Source Network Application | Source System Port (Non-Configurable Range) | Destination Network Application | Destination System Port (Configurable Range) | Protocol | Optionally Enabled/Disabled | Default Port State | Description
any | N/A (N/A) | CM | N/A (N/A) | ICMP | yes | open | ICMP messages, ping etc. (IP Protocol Number 1)
Admin Device | 1024-65535 | CM | 22 | TCP SSH, SCP, SFTP | yes | open | OS administration interface over Secure Shell (SSH). Note 1, Note 23
Admin Device | 1024-65535 | CM | 23 | TCP Telnet | yes | closed | OS administration interface over Telnet. Note 23
Admin Device | 1024-65535 | CM | 80 | TCP HTTP | no | open | Avaya web administration interface. Note 2, Note 23
IPSI | 1024-65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP). Note 4
CM, SCS, SRS | 1024-65535 | CM | 123 | UDP NTP | yes | closed | Network Time Protocol (NTP). Note 4
SNMP NMS | 1024-65535 | CM | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 5, Note 23
SNMP NMS | 1024-65535 | CLAN | 161 | UDP SNMP Agent | yes | closed | SNMP (server). Note 23
Gateway, CM, SCS, SRS, UPS | 1024-65535 | CM | 162 | UDP SNMP Trap | yes | closed | SNMP traps (server) collection. Note 6, Note 23
IP Phone | 1024-2048 | CM, CLAN | 411 | TCP HTTPS | no | open | HTTPS IP Phone configuration file download. Note 3
Admin Device, SCS, SRS | 1024-65535 | CM | 443 | TCP HTTPS | no | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024-65535 | CM | 514 | UDP SYSLOG, TCP SYSLOG | yes | closed | TN Board Logging & Server Log Files
CM 1.3 or older | 512-1023 | SRS | 514 | TCP RSH | yes | closed | Legacy (CM 1.3) Filesync Service. Note 7
H.248 Media Gateways | 1024-65535 | CM or CLAN | 1039 | TCP Encrypted H.248 | yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024-5000 | CM | 1300 | TCP H.323 | yes | closed | TLS encrypted H.323 signaling
CM | 1024-65535 | CM | 1332 | UDP DES Encrypted Proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP H.225 | yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024-65535 | CM or CLAN | 1719 | TCP H.323 | yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500-6500 | CM or CLAN | 1720 | TCP H.323 | yes | closed | H.323 signaling. Note 8, Note 11
CM, CLAN | 5000-5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000-9999) | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Third Party GK or GW | 1024-65535 | CM, SCS, SRS or CLAN | 1720 | TCP H.323 | yes | closed | H.323 IP trunk signaling ports, administered via SAT
Admin Device | 1024-65535 | CM | 2222 | TCP SSH | yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024-65535 | CM | 2376 | TCP TLS | yes | closed | TLS encrypted exchange between Docker daemons. Note 24
H.248 GW | 1024-65535 | CM or CLAN | 2944 | TCP H.248 | yes | closed | TLS encrypted H.248. Note 8, Note 13
H.248 GW | 1024-65535 | CM or CLAN | 2945 | TCP H.248 | yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024-65535 | CM | 5022 | TCP SSH | yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024-65535 | CM | 5023 | TCP Telnet | yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024-65535 | CM or CLAN | 5060 (5000-9999) | TCP SIP | yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024-65535 | CM or CLAN | 5061 (5000-9999) | TCP TLS SIPS | yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024-65535 | CM | 5098 | TCP TLS (optionally encrypted) | no | open | Dupmgr (SW duplication), Server 1. Note 10
CM | 1024-65535 | CM | 6514 | TLS SYSLOG | yes | closed | Server Log Files
AE Services | 1024-65535 | CM | 8765 | TCP ASAI (Q.931, ASN.1) | yes | closed | AE Services. Note 20
CM | 1024-65535 | CM | 9000 | TCP Proprietary | no | open | DGB (debugging tool)
AMS | 1024-65535 | CM | 9061 (5000-9999) | TCP TLS SIPS | yes | closed | SIP. Note 22
CM Array Mgmt | 1024-65535 | CM | 9988 | TCP | yes | closed | Exchange between Kafka (container) client and a Kafka broker. Note 24
CM | 1024-65535 | CM | 12080 | TCP TLS (proprietary, optionally encrypted) | no | closed | Dupmgr (SW duplication), Server 2. Note 10
CM, SCS, SRS | 20873-21872 | CM, SCS, SRS | 20873-21872 | TCP TLS | no | open | Internal Filesync communication. Note 21
CM, SCS, SRS | 1024-65535 | CM, SRS | 21873 | TCP TLS | no | open | Filesync over SSL. Note 18
CM, SCS, SRS | 1024-65535 | CM | 21874 | TCP TLS | no | open | Filesync over SSL. Note 19
G650 | 1024-65535 | CM or CLAN | 59000-59200 | TCP H.245 | no | open | H.245
NOTES
1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SSH Server (SCP/SFTP 22)" and setting Service State to Disabled.
2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).
3. This note for IP phone download was removed since it has been in disuse for many years.
4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select "Configure individual services" -> Continue -> select "Configure Time Server" -> select "this computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, the duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).
5. By default the Simple Network Management Protocol (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.
6. By default the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.
7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.
8. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled from the SAT interface: type "display system-parameters customer-options" and see "Processor Ethernet" on page 4.
9. The Arbiter service is only enabled on duplicated servers. The Arbiter process (1) decides which server is healthier and more able to be active, and (2) coordinates data shadowing between servers under the Duplication Manager's control.
10. Duplicated servers: port 5098 is for Server 1 and port 12080 is for Server 2.
11. CM is the destination only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.
12. In CM 3.1 or later, the High Priority SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "High Priority SSH (2222)" and setting Service State to Disabled. Prior to CM 3.1, the High Priority SSH service could be blocked in the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck "Input to Server" for Server hp-sshd.
13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100.
14. In CM 3.1 or later, the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SAT (SSH 5022)" and setting Service State to Disabled.
15. In CM 3.1 or later, the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name "SAT (Telnet 5023)" and setting Service State to Disabled.
16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).
19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).
20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).
21. Ports used for internal filesync communication default to 20873 - 20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.
22. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.
23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
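One check that Table 1 makes possible, as an added example (this is not Avaya's tooling): compare what a CM host is actually listening on with the default port state in the matrix. The `ss -lntu` output below is constructed to resemble a host on which Telnet, the SNMP agent and the NTP server have been left enabled and an unlisted port 8443 is open; the MATRIX dictionary is a hand-copied subset of Table 1, and the service names in it are labels, not Avaya process names. On a real server, feed the script the output of `ss -lntuH` instead.

```python
import re

# Hand-copied subset of Table 1: (protocol, port) -> (default port state, service).
# Rows whose default state is "closed" are optional services that an
# administrator would have had to enable deliberately.
MATRIX = {
    ("tcp", 22):   ("open",   "SSH, SCP, SFTP"),
    ("tcp", 23):   ("closed", "Telnet"),
    ("tcp", 80):   ("open",   "HTTP administration (redirects to 443)"),
    ("udp", 123):  ("closed", "NTP server"),
    ("udp", 161):  ("closed", "SNMP agent"),
    ("udp", 162):  ("closed", "SNMP trap collection"),
    ("tcp", 443):  ("open",   "HTTPS administration"),
    ("tcp", 2222): ("open",   "High Priority SSH"),
    ("tcp", 5022): ("open",   "SAT over SSH"),
    ("tcp", 5023): ("closed", "SAT over Telnet"),
    ("tcp", 9000): ("open",   "DGB debugging tool"),
}

# Constructed `ss -lntu` output; not captured from a real CM server.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:2222       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5022       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8443       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:9000       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0               [::]:123           [::]:*
"""

# Netid, State, Recv-Q, Send-Q, then "address:port"; the port is the digits after
# the last colon, so IPv6 forms such as [::]:123 parse as well.
_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(text):
    """Return a set of (proto, port, local address) for each listening socket.
    Lines that are not tcp/udp sockets (the header, for example) are skipped."""
    listeners = set()
    for line in text.splitlines():
        m = _SS_LINE.match(line)
        if m:
            proto, addr, port = m.groups()
            listeners.add((proto, int(port), addr))
    return listeners


def audit(listeners, matrix=MATRIX):
    """Compare live listeners with the matrix and report the four findings a
    reviewer cares about: default-closed services that are open, listeners the
    matrix does not know, expected services that are missing, and services
    bound only to loopback (reachable locally, not from the network)."""
    seen = {(proto, port) for proto, port, _ in listeners}
    addrs = {}
    for proto, port, addr in listeners:
        addrs.setdefault((proto, port), set()).add(addr)
    return {
        "unexpected_open": sorted(k for k in seen if k in matrix and matrix[k][0] == "closed"),
        "not_in_matrix": sorted(k for k in seen if k not in matrix),
        "expected_missing": sorted(k for k, (state, _) in matrix.items()
                                   if state == "open" and k not in seen),
        "loopback_only": sorted(k for k, a in addrs.items() if a <= LOOPBACK),
    }


if __name__ == "__main__":
    report = audit(parse_ss(SAMPLE_SS))
    for finding, ports in report.items():
        names = [f"{p}/{port} ({MATRIX.get((p, port), ('', 'unlisted'))[1]})" for p, port in ports]
        print(f"{finding}: {', '.join(names) or 'none'}")
```

The "unexpected_open" list is the one to act on first: every entry is a service the matrix ships closed (Telnet 23, the SNMP agent, the NTP server here), so each needs either a documented reason or the disable procedure in the notes above. A port that is listening but bound only to loopback, such as the DGB tool on 9000 in the sample, is reported separately because it is not exposed to the network even though `ss` shows it.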
Table 2: Talk-only Ports for Communication Manager
If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.

Source Network Application | Source System Port (Non-Configurable Range) | Destination Network Application | Destination System Port (Configurable Range) | Protocol | Optionally Enabled/Disabled | Description
CM | N/A (N/A) | any | N/A (N/A) | ICMP | N/A | ICMP messages, ping etc. (IP Protocol Number 1)
CM or CLAN | 1024-65535 | DNS Server | 53 | UDP DNS | no | DNS requests and responses
CM | 1024-65535 | Network Time Server (NTS) | 123 | UDP NTP | yes | Network Time Protocol (client). Note 1
CM | 1024-65535 | IPSI | 123 | UDP NTP | yes | Network Time Protocol (client). Note 7
CM | 1024-65535 | SNMP NMS | 162 (0-65535) | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024-65535 | SNMP NMS | 162 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024-65535 | Rsyslog server | 514 | UDP Syslog | yes | Remote system log storage
SRS | 514 | CM 1.3 or older | 512-1023 (not configurable, see Note 3) | TCP RSH | yes | Legacy Filesync Service. Note 3
CM (via CLAN/PE) | see Note 8 (default 61440-61444) | H.323 Phone | 1720 | TCP H.323 | yes | TTS. Note 8
CM RADIUS Client | 1024-65535 | RADIUS Server | 1812, 1813 | UDP RADIUS | no | RADIUS based login processing. Note 9
CM | 1024-65535 | IPSI | 1956 | TCP Proprietary | no | IPSI Command Server Service
CM | 1024-65535 | IPSI | 5010 | TCP Proprietary | no | IPSI Server control channel
CM | 1024-65535 | IPSI | 5011 | TCP Proprietary | no | IPSI Server IPSI version channel
CM | 1024-65535 | IPSI | 5012 | TCP Proprietary | no | IPSI Server serial number channel
CM SafeWord Client | 1024-65535 | SafeWord Server | 5030 | TCP SafeWord | yes | SafeWord based login processing. Note 9
CM | 1024-65535 | SIP Trunks | 5060 (1-65535) | TCP SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024-65535 | SIP Trunks | 5061 (1-65535) | TCP TLS SIPS | yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024-65535 | SecurID Server | 5500 | UDP SecurID | yes | SecurID based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024-65535 | TCP Proprietary | no | Audix Digital Networking
CM | 1024-65535 | AMS | 9061 (1-65535) | TCP TLS SIPS | yes | SIP. Note 10
NOTES
1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the media server's NTP can be configured to support multicast timing messages or direct poll requests to the NTS. Finally, keys can optionally be provided for secure (authenticated) communications with the NTS.
2. By default the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 - 1023 but it is not configurable.
4. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled from the SAT interface: type "display system-parameters customer-options" and see "Processor Ethernet" on page 4.
5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
7. CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.
8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 - 61444.
9. Disabled by default. Requires root access to enable.
10. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.
11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
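Note 11 above (and Note 23 of Table 1) asks for host-firewall rules that keep the management ports off the in-band interface, while the talk-only rows of Table 2 need only egress rules, because the replies are admitted on connection state. The following added example, which is not from the Avaya document, generates those iptables commands from the table data so they can be reviewed before they are applied. The interface names eth0 (out-of-band management) and eth1 (in-band voice) and the addresses in PEERS are assumptions; the port numbers are from the tables. The listen-side allows for signaling on the in-band interface (the H.323, SIP and H.248 rows of Table 1) are not generated here and must be added before this fragment is applied; with default-accept chain policies, the explicit DROP rules are what enforce the note.

```python
# Management services that must not be reachable on the in-band (voice)
# interface (Table 2 Note 11 / Table 1 Note 23).
MGMT_PORTS = {
    "tcp": [80, 443, 22, 2222, 5022, 23, 5023],
    "udp": [161, 162],
}

# A subset of the talk-only rows of Table 2: (protocol, destination port(s), peer).
TALK_ONLY = [
    ("udp", "53", "DNS server"),
    ("udp", "123", "Network Time Server"),
    ("udp", "162", "SNMP trap receiver"),
    ("udp", "514", "Rsyslog server"),
    ("udp", "1812,1813", "RADIUS server"),
]

# Constructed peer addresses for the example; substitute the real servers.
PEERS = {
    "DNS server": "10.0.0.53",
    "Network Time Server": "10.0.0.123",
    "SNMP trap receiver": "10.0.0.162",
    "Rsyslog server": "10.0.0.14",
    "RADIUS server": "10.0.0.18",
}


def _port_list(proto):
    """Comma-separated, sorted port list in the form `-m multiport` accepts."""
    return ",".join(str(p) for p in sorted(MGMT_PORTS[proto]))


def mgmt_rules(iface, target):
    """One INPUT rule per transport protocol for the management ports on iface."""
    return [
        f"iptables -A INPUT -i {iface} -p {proto} -m multiport "
        f"--dports {_port_list(proto)} -j {target}"
        for proto in MGMT_PORTS
    ]


def inband_block_rules(inband_if):
    """The block the note calls for: management ports dropped on the voice interface."""
    return mgmt_rules(inband_if, "DROP")


def talk_only_rules(out_if, peers):
    """Egress allows for CM-initiated flows; no INPUT rule is needed for the
    replies because the ESTABLISHED,RELATED rule in build_policy() admits them."""
    return [
        f"iptables -A OUTPUT -o {out_if} -p {proto} -d {peers[peer]} "
        f"-m multiport --dports {ports} -j ACCEPT"
        for proto, ports, peer in TALK_ONLY
    ]


def build_policy(inband_if, oob_if, peers):
    """Rule order matters: loopback and connection state first, then the
    management ports accepted only on the out-of-band interface, then the
    in-band drops, then the talk-only egress allows."""
    policy = [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    policy += mgmt_rules(oob_if, "ACCEPT")
    policy += inband_block_rules(inband_if)
    policy += talk_only_rules(inband_if, peers)
    return policy


if __name__ == "__main__":
    for rule in build_policy("eth1", "eth0", PEERS):
        print(rule)
```

Review the printed rules against the matrix before loading them: the conntrack ACCEPT must precede the DROP lines, otherwise replies to the in-band signaling sessions on 1720, 5060 and friends would be discarded, and the out-of-band ACCEPT lines should be narrowed further with `-s` to the administrative subnet once it is known.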
1.4 Port Table Changes
There are no port changes from the R7.0.1 release.
1.5 Port Table Changes on CMM
The CMM port usage information similar to the following has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.
2 Port Usage Diagram
[Figure: port usage diagram. Avaya Aura® Communication Manager is shown at the centre; the legend classifies flows as HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, and ICMP/Other. Peer groups in the diagram: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any. Port labels recovered from the figure (their assignment to peer groups is not recoverable from the extracted text; Tables 1 and 2 are the authoritative source): HTTPS-TCP 443, HTTP-TCP 80, SSH-TCP 22, SSH-TCP 2222, SSH-TCP 5022, HTTP-TCP 81, HTTPS-TCP 411, SNMP-UDP 161, SNMP-UDP 162, H.323-TCP default 1719, H.323-UDP 1719, H.323-TCP 1720, SIP-TCP default 5060, SIP-TCP default 5061, SIP-TCP default 9061, Telnet-TCP 23, Telnet-TCP 5023, NTP-UDP 123, Syslog-UDP 514, Array Docker-TCP 2376, Arbiter-UDP 1332, Dupmgr-TCP 5098/12080, DGB-TCP 9000, Filesync-TCP 20873-21874, ICMP, Syslog-TLS 6514, Array Kafka-TCP 9988, ASAI-TCP 8765, H.323-TCP 1300, H.248-TCP 1039, H.248-TCP 2944, H.248-TCP 2945, H.245-TCP 59000-59200, H.323-UDP 1719 (for registration).]
Appendix A: Overview of TCP/IP Ports
What are ports and how are they used?
TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC: multiple applications may be simultaneously receiving information. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80, and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket (discussed later); therefore each data stream is uniquely identified by two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443: when a destination IP device is contacted by a source device on port 443, the destination uses the HTTPS protocol for that data stream conversation. The port number is a convention, not a guarantee; nothing prevents a different service from being bound to 443, which is why a firewall policy built on port numbers alone should be paired with a check of what is actually listening.
Port Type Ranges
Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).
Well-Known Ports are those numbered from 0 through 1023.
Registered Ports are those numbered from 1024 through 49151.
Dynamic Ports are those numbered from 49152 through 65535.
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.
Well-Known Ports
For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session; well-known port 25 is waiting for an email (SMTP) session, and so on. These ports are tied to a well understood application and range from 0 to 1023.
In UNIX and Linux operating systems only root (on Linux, any process holding the CAP_NET_BIND_SERVICE capability) may bind a listening socket to a well-known port. Well-Known Ports are therefore also commonly referred to as "privileged ports".
Registered Ports
Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, of the ports used by Avaya in this range are 1719/1720 for H.323, 5060/5061 for SIP and 2944 for H.248. The registered port range is 1024 - 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.
Dynamic Ports
Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use in the sense that no application type is linked to them, so no conflict with an assigned service is expected. The dynamic port range is 49152 - 65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the port number associated with the IP address 192.168.5.17 (the socket is the pair, not the port alone). A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow therefore has two sockets with a total of four logical elements (the transport protocol, TCP or UDP, is a fifth element that firewalls also match on). Each data flow must be unique; if one of the four elements differs, the data flow is unique. The following three data flows are uniquely identified by port number and/or IP address:
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second socket as data flow 1, but since the port number on the first socket differs, the data flow is unique. Data flow 3 differs from data flow 1 only in the second IP address, which is again enough. Therefore, if one IP address octet changes or one port number changes, the data flow is unique.
Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.
  Client -> Web Server (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80
  Web Server -> Client (TCP info): Source 10.10.10.47:80, Destination 192.168.1.10:1369
Notice that the client egress stream includes the client's source IP and port (1369) and the destination IP and port (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against a set of criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.
Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.
Hybrid firewalls are dynamic systems that track each connection traversing all interfaces of the firewall and make sure the connections are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [2].
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.
This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.
Knowing that the source column in the port matrices (Tables 1 and 2) is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but it can also raise security concerns: the return entry is derived from the initiator's packet, so a rule that admits the initiator more broadly than the matrix requires (any source network, a wide destination port range) opens a correspondingly broad return path.
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.
[2] Port scanning is the act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature if someone is looking for a weakened access point to break into your computer.
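The state-table behaviour and the socket-initiator rule described above, as an added example that is not part of the original document: a small Python model of a stateful firewall. The rules are written like port-matrix rows (protocol, initiator network, destination host, destination port); the CM address 192.168.5.17, the admin and phone subnets and the packet sequence are constructed for illustration, while the ports 5022 (SAT over SSH) and 1719 (H.323 RAS) follow Table 1. It shows that a reply is admitted only when the initiating direction has been seen, that a server-initiated connection is not covered by the automatic return path, and that the three data flows in the sockets example are three distinct flows.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a data flow: the two sockets plus the transport protocol."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The ingress counterpart: source and destination sockets swapped."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def distinct_flows(flows):
    """Two flows are the same only if every element matches, so a set of frozen
    Flow objects counts the distinct conversations."""
    return len(set(flows))


def socket_examples():
    """The three data flows from the sockets discussion, as TCP flows."""
    return [
        Flow("tcp", "172.16.16.14", 1234, "10.1.2.3", 2345),  # Data Flow 1
        Flow("tcp", "172.16.16.14", 1235, "10.1.2.3", 2345),  # Data Flow 2: source port differs
        Flow("tcp", "172.16.16.14", 1234, "10.1.2.4", 2345),  # Data Flow 3: destination IP differs
    ]


class StatefulFilter:
    """Rules are (proto, initiator network, destination IP, destination port).
    Source ports are ephemeral (1024-65535 in the matrix) and are not matched."""

    def __init__(self, rules):
        self.rules = [(p, ipaddress.ip_network(n), d, port) for p, n, d, port in rules]
        self.state = set()  # flows whose first packet was accepted: the state table

    def check(self, flow):
        # Return traffic is admitted only if the initiating direction was seen.
        # This is the automatic return path that saves writing a second rule.
        if flow.reverse() in self.state:
            return "ACCEPT established"
        # A new flow must match a rule with the packet's sender as initiator.
        for proto, net, dst_ip, dst_port in self.rules:
            if (flow.proto == proto and flow.dst_ip == dst_ip and flow.dst_port == dst_port
                    and ipaddress.ip_address(flow.src_ip) in net):
                self.state.add(flow)
                return "ACCEPT new"
        return "DROP"


CM = "192.168.5.17"  # constructed CM address
RULES = [
    ("tcp", "10.1.0.0/16", CM, 5022),  # admin devices -> SAT over SSH (Table 1)
    ("udp", "10.2.0.0/16", CM, 1719),  # H.323 phones -> RAS (Table 1)
]


def run_demo():
    """Feed a constructed packet sequence through the filter and return the verdicts."""
    fw = StatefulFilter(RULES)
    packets = [
        Flow("tcp", "10.1.1.5", 40000, CM, 5022),  # admin opens a SAT session
        Flow("tcp", CM, 5022, "10.1.1.5", 40000),  # CM's reply on that session
        Flow("tcp", CM, 5022, "10.1.1.9", 40001),  # CM-initiated, no matching state entry
        Flow("udp", "10.2.0.7", 49300, CM, 1719),  # phone RAS request
        Flow("udp", CM, 1719, "10.2.0.7", 49300),  # RAS response
        Flow("tcp", "10.3.0.1", 1234, CM, 5022),   # SAT attempt from outside the admin network
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
    print("distinct example flows:", distinct_flows(socket_examples()))
```

Because the state entry is keyed on the whole tuple, including the transport protocol, the automatic return path only ever admits the exact reverse of a flow that an explicit rule accepted; the width of the initiator rule is what decides how much the return path opens, which is the concern the text raises.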
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 7
Table 1 (continued): Listen Ports for Communication Manager

Source | Source Port (Non-Configurable Range) | Destination | Destination Port (Configurable Range) | Network Protocol | Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
Gateway, CM, SCS, SRS, UPS | 1024-65535 | CM | 162 | UDP | SNMP Trap | Yes | closed | SNMP traps (server) collection. Note 6, Note 23
IP Phone | 1024-2048 | CM, CLAN | 411 | TCP | HTTPS | No | open | HTTPS IP Phone configuration file download. Note 3
Admin Device, SCS, SRS | 1024-65535 | CM | 443 | TCP | HTTPS | No | open | Avaya web administration interface (HTTPS). Note 23
CLAN, IPSI, TN2602AP | 1024-65535 | CM | 514 | UDP, TCP | SYSLOG | Yes | closed | TN board logging and server log files
CM 1.3 or older | 512-1023 | SRS | 514 | TCP | RSH | Yes | closed | Legacy (CM 1.3) Filesync service. Note 7
H.248 Media Gateways | 1024-65535 | CM or CLAN | 1039 | TCP | Encrypted H.248 | Yes | open | Proprietary encrypted H.248 over TCP. Note 8
H.323 Phone | 1024-5000 | CM | 1300 | TCP | H.323 | Yes | closed | TLS encrypted H.323 signaling
CM | 1024-65535 | CM | 1332 | UDP | DES encrypted proprietary | Note 9 | Note 9 | Arbiter. Note 9
H.323 Phone | 49300 | CM or CLAN | 1719 | UDP | H.225 | Yes | closed | Registration, Admission and Status (RAS) for phones. Note 8
CM, CLAN | 1024-65535 | CM or CLAN | 1719 | TCP | H.323 | Yes | closed | H.323 RAS for trunks. Note 22
H.323 Phone | 1500-6500 | CM or CLAN | 1720 | TCP | H.323 | Yes | closed | H.323 signaling. Note 8, Note 11
CM, CLAN | 5000-5021 | CM, SCS, SRS or CLAN | 1719, 1720 (5000-9999) | TCP | H.323 | Yes | closed | H.323 IP trunk signaling ports, administered via SAT
Third Party GK or GW | 1024-65535 | CM, SCS, SRS or CLAN | 1720 | TCP | H.323 | Yes | closed | H.323 IP trunk signaling ports, administered via SAT
Source | Source Port (Non-Configurable Range) | Destination | Destination Port (Configurable Range) | Network Protocol | Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
Admin Device | 1024-65535 | CM | 2222 | TCP | SSH | Yes | open | High Priority SSH. Note 12, Note 23
CM Array Mgmt | 1024-65535 | CM | 2376 | TCP | TLS | Yes | closed | TLS encrypted exchange between Docker daemons. Note 24
H.248 GW | 1024-65535 | CM or CLAN | 2944 | TCP | H.248 | Yes | closed | TLS encrypted H.248. Note 8, Note 13
H.248 GW | 1024-65535 | CM or CLAN | 2945 | TCP | H.248 | Yes | open | Unencrypted H.248. Note 8, Note 13
Admin Device | 1024-65535 | CM | 5022 | TCP | SSH | Yes | open | SAT interface over SSH. Note 14, Note 23
Admin Device | 1024-65535 | CM | 5023 | TCP | Telnet | Yes | closed | SAT interface over Telnet. Note 15, Note 23
SIP Trunks | 1024-65535 | CM or CLAN | 5060 (5000-9999) | TCP | SIP | Yes | closed | SIP. Note 8, Note 16, Note 22
SIP Trunks | 1024-65535 | CM or CLAN | 5061 (5000-9999) | TCP/TLS | SIPS | Yes | closed | SIPS. Note 8, Note 17, Note 22
CM | 1024-65535 | CM | 5098 | TCP | TLS (optionally encrypted) | No | open | Dupmgr (SW duplication), Server 1. Note 10
CM | 1024-65535 | CM | 6514 | TCP/TLS | SYSLOG | Yes | closed | Server log files
AE Services | 1024-65535 | CM | 8765 | TCP | ASAI (Q.931, ASN.1) | Yes | closed | AE Services. Note 20
CM | 1024-65535 | CM | 9000 | TCP | Proprietary | No | open | DGB (debugging tool)
Source | Source Port (Non-Configurable Range) | Destination | Destination Port (Configurable Range) | Network Protocol | Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
AMS | 1024-65535 | CM | 9061 (5000-9999) | TCP/TLS | SIPS | Yes | closed | SIP. Note 22
CM Array Mgmt | 1024-65535 | CM | 9988 | TCP | Kafka | Yes | closed | Exchange between Kafka (container) client and a Kafka broker. Note 24
CM | 1024-65535 | CM | 12080 | TCP | TLS (proprietary, optionally encrypted) | No | closed | Dupmgr (SW duplication), Server 2. Note 10
CM, SCS, SRS | 20873-21872 | CM, SCS, SRS | 20873-21872 | TCP | TLS | No | open | Internal Filesync communication. Note 21
CM, SCS, SRS | 1024-65535 | CM, SRS | 21873 | TCP | TLS | No | open | Filesync over SSL. Note 18
CM, SCS, SRS | 1024-65535 | CM | 21874 | TCP | TLS | No | open | Filesync over SSL. Note 19
G650 | 1024-65535 | CM or CLAN | 59000-59200 | TCP | H.245 | No | open | H.245
NOTES
1. The Secure Shell (SSH), Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be disabled and/or blocked by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, selecting Service Name "SSH Server (SCP/SFTP, 22)" and setting Service State to Disabled.
2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects "Continue", this port automatically redirects to HTTPS (443/tcp).
3. This note for IP phone download was removed since it has been in disuse for many years.
4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration interface -> Server (Maintenance) -> Server Configuration -> Configure Server -> Continue -> Continue -> select "Configure individual services" -> Continue -> select "Configure Time Server" -> select "This computer synchronizes with the duplicated server". This option is utilized to synchronize time between the main media server, the duplicated media server, Survivable Remote Servers (SRS, formerly called LSP) and Survivable Core Servers (SCS, formerly called ESS).
5. By default the Simple Network Management Protocol (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.
6. By default the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.
7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.
8. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Whether Processor Ethernet is enabled can be confirmed from the SAT interface: type "display system-parameters customer-options" and see Processor Ethernet on page 4.
9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active, and 2) coordinates data shadowing between servers under the Duplication Manager's control.
10. On duplicated servers, port 5098 is for Server 1 and port 12080 is for Server 2.
11. CM as the destination applies only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.
12. In CM 3.1 or later the High Priority SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, selecting Service Name "High Priority SSH (2222)" and setting Service State to Disabled. Prior to CM 3.1 the High Priority SSH service could be blocked in the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall and unchecking "Input to Server" for Server hp-sshd.
13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100.
14. In CM 3.1 or later the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, selecting Service Name "SAT (SSH, 5022)" and setting Service State to Disabled.
15. In CM 3.1 or later the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked in the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change, selecting Service Name "SAT (Telnet, 5023)" and setting Service State to Disabled.
16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
18. If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).
19. In CM 3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).
20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357, Issue 8, December 2007).
21. The ports used for internal filesync communication default to 20873-20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.
22. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is used for in-band (voice) communication: HTTP 80 and HTTPS 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
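The two checks a practitioner wants from Table 1 and note 23, as an added example that is not part of the Avaya document: an audit of a CM host's actual listeners (the output of `ss -Hlntu`) against the matrix's default port states, and generation of the iptables rules note 23 calls for on the in-band interface. The `TABLE1_DEFAULTS` subset, the sample `ss` output and the interface name `eth1` are constructed for this example; the rule form assumes an iptables host firewall.

```python
import re

# Subset of Table 1 (listen ports): (proto, port) -> (default state, description).
# Constructed for this example from the matrix above; extend to the full table.
TABLE1_DEFAULTS = {
    ("udp", 162): ("closed", "SNMP Trap (server)"),
    ("tcp", 443): ("open", "Web administration (HTTPS)"),
    ("tcp", 2222): ("open", "High Priority SSH"),
    ("tcp", 2944): ("closed", "TLS encrypted H.248"),
    ("tcp", 2945): ("open", "Unencrypted H.248"),
    ("tcp", 5022): ("open", "SAT over SSH"),
    ("tcp", 5023): ("closed", "SAT over Telnet"),
    ("tcp", 5060): ("closed", "SIP"),
    ("tcp", 5061): ("closed", "SIPS"),
    ("tcp", 9000): ("open", "DGB debugging tool"),
}

# Note 23: management ports to drop on the in-band (voice) interface when a
# dedicated out-of-band management interface exists.
NOTE23_MGMT_PORTS = {
    "tcp": [80, 443, 22, 2222, 5022, 23, 5023],
    "udp": [161, 162],
}

# Matches `ss -Hlntu` lines: Netid State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_ss(output, include_loopback=False):
    """Return the set of (proto, port) listeners found in `ss -Hlntu` output.

    Sockets bound only to loopback are skipped by default: they are not
    reachable from the network and so do not belong in the firewall view."""
    found = set()
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        if not include_loopback and (addr.startswith("127.") or addr == "[::1]"):
            continue
        found.add((proto, port))
    return found


def audit(ss_output, expected=TABLE1_DEFAULTS):
    """Compare live listeners with the matrix.

    Returns (unexpected, closed_by_default):
      unexpected        - listeners the matrix does not list at all
      closed_by_default - listeners the matrix marks closed by default,
                          so someone enabled them (e.g. SAT over Telnet)"""
    listening = parse_ss(ss_output)
    unexpected = sorted(s for s in listening if s not in expected)
    closed_by_default = sorted(
        s for s in listening if s in expected and expected[s][0] == "closed")
    return unexpected, closed_by_default


def inband_block_rules(iface):
    """iptables rules implementing note 23 on the in-band interface `iface`."""
    return [
        f"iptables -A INPUT -i {iface} -p {proto} --dport {port} -j DROP"
        for proto, ports in NOTE23_MGMT_PORTS.items()
        for port in ports
    ]


# Constructed sample of `ss -Hlntu` output for a CM host (not a real capture).
SAMPLE_SS = """\
tcp   LISTEN 0      128    0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:2222     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5022     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5023     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:9000   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:31337    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:162      0.0.0.0:*
"""

if __name__ == "__main__":
    unexpected, closed = audit(SAMPLE_SS)
    for proto, port in unexpected:
        print(f"UNEXPECTED listener {proto}/{port}: not in Table 1")
    for proto, port in closed:
        print(f"ENABLED {proto}/{port}: {TABLE1_DEFAULTS[(proto, port)][1]} "
              "is closed by default; confirm it is intended")
    print("\n".join(inband_block_rules("eth1")))
```

Run it against real output with `ss -Hlntu` piped into `audit`; the loopback filter matters because CM services that bind only to 127.0.0.1 are not exposed and would otherwise produce noise.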
Table 2: Talk-only Ports for Communication Manager
If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.
Source | Source Port (Non-Configurable Range) | Destination | Destination Port (Configurable Range) | Network Protocol | Application Protocol | Optionally Enabled/Disabled | Description
CM | NA | any | NA | ICMP | NA | NA | ICMP messages (ping, etc.), IP protocol number 1
CM or CLAN | 1024-65535 | DNS Server | 53 | UDP | DNS | No | DNS requests and responses
CM | 1024-65535 | Network Time Server (NTS) | 123 | UDP | NTP | Yes | Network Time Protocol (client). Note 1
CM | 1024-65535 | IPSI | 123 | UDP | NTP | Yes | Network Time Protocol (client). Note 7
CM | 1024-65535 | SNMP NMS | 162 (0-65535) | UDP | SNMP Trap | Yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024-65535 | SNMP NMS | 162 | UDP | SNMP Trap | Yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024-65535 | Rsyslog server | 514 | UDP | Syslog | Yes | Remote system log storage
Source | Source Port (Non-Configurable Range) | Destination | Destination Port (Configurable Range) | Network Protocol | Application Protocol | Optionally Enabled/Disabled | Description
SRS | 514 | CM 1.3 or older | 512-1023 (Note 3) | TCP | RSH | Yes | Legacy Filesync service. Note 3
CM (via CLAN/PE) | Note 8 (default 61440-61444) | H.323 Phone | 1720 | TCP | H.323 | Yes | TTS. Note 8
CM RADIUS Client | 1024-65535 | RADIUS Server | 1812, 1813 | UDP | RADIUS | No | RADIUS based login processing. Note 9
CM | 1024-65535 | IPSI | 1956 | TCP | Proprietary | No | IPSI Command Server service
CM | 1024-65535 | IPSI | 5010 | TCP | Proprietary | No | IPSI Server control channel
CM | 1024-65535 | IPSI | 5011 | TCP | Proprietary | No | IPSI Server IPSI version channel
CM | 1024-65535 | IPSI | 5012 | TCP | Proprietary | No | IPSI Server serial number channel
CM SafeWord Client | 1024-65535 | SafeWord Server | 5030 | TCP | SafeWord | Yes | SafeWord based login processing. Note 9
CM | 1024-65535 | SIP Trunks | 5060 (1-65535) | TCP | SIP | Yes | SIP. Note 4, Note 5, Note 10
CM | 1024-65535 | SIP Trunks | 5061 (1-65535) | TCP/TLS | SIPS | Yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024-65535 | SecurID Server | 5500 | UDP | SecurID | Yes | SecurID based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024-65535 | TCP | Proprietary | No | Audix Digital Networking
CM | 1024-65535 | AMS | 9061 (1-65535) | TCP/TLS | SIPS | Yes | SIP. Note 10
NOTES
1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, NTP on the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.
2. By default the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512-1023 and it is not configurable.
4. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Whether Processor Ethernet is enabled can be confirmed from the SAT interface: type "display system-parameters customer-options" and see Processor Ethernet on page 4.
5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
7. CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.
8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440-61444.
9. Disabled by default. Requires root access to enable.
10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is used for in-band (voice) communication: HTTP 80 and HTTPS 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
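A check for the signaling-port constraints stated in notes 5, 6 and 10 above (and in the matching Table 1 notes 16, 17 and 22), as an added example that is not part of the Avaya document: it validates a port proposed for an H.323 or SIP signaling group before it is administered via SAT. The group-type labels `sip`, `ams_sip` and `h323` and the `OTHER_SERVICE_PORTS` collision list (Table 1 listeners that fall inside 5000-9999) are this example's own; the rules it enforces are the ones the notes state, plus the one explicit case the notes give of a well-known port clash (5060 for a TLS group).

```python
# Configurable listen range for Processor Ethernet signaling ports
# (Table 1: "5060 (5000-9999)").
CONFIGURABLE_RANGE = range(5000, 10000)
# H.323 trunk signaling may also keep the well-known RAS/Q.931 ports (Table 1).
H323_FIXED_PORTS = {1719, 1720}

# Ports a TLS-enabled signaling group of each type may not use (note 10).
# The group-type names are labels chosen for this example.
TLS_BLOCKED = {
    "ams_sip": {1719, 1720, 5060, 5061},
    "sip": {1720, 9061},
    "h323": {5061, 9061},
}

# Other CM listeners inside 5000-9999 (from Table 1) that a signaling group
# must not collide with; assumed list, not stated in the notes.
OTHER_SERVICE_PORTS = {
    5022: "SAT over SSH",
    5023: "SAT over Telnet",
    5098: "Dupmgr Server 1",
    6514: "TLS syslog",
    8765: "ASAI (AE Services)",
    9000: "DGB",
    9988: "CM Array Kafka",
}


def validate_signaling_port(group_type, tls, port):
    """Return (ok, reason) for a proposed signaling-group listen port."""
    if group_type not in TLS_BLOCKED:
        raise ValueError(f"unknown group type {group_type!r}")
    if tls and port in TLS_BLOCKED[group_type]:
        return False, f"{port} is blocked for TLS-enabled {group_type} groups (note 10)"
    if tls and port == 5060:
        # Notes 5/6: the well-known unencrypted SIP port is excluded for TLS.
        return False, "5060 is the well-known unencrypted SIP port, not usable for TLS"
    if port in OTHER_SERVICE_PORTS:
        return False, f"{port} is already used by {OTHER_SERVICE_PORTS[port]}"
    allowed = port in CONFIGURABLE_RANGE or (
        group_type == "h323" and port in H323_FIXED_PORTS)
    if not allowed:
        return False, f"{port} is outside the configurable range 5000-9999"
    return True, "ok"


def first_valid_port(group_type, tls, start=5000):
    """Lowest port >= start that passes validation, or None if none does."""
    for port in range(start, 10000):
        if validate_signaling_port(group_type, tls, port)[0]:
            return port
    return None


if __name__ == "__main__":
    for group, tls, port in [("sip", True, 5061), ("sip", True, 9061),
                             ("ams_sip", True, 9061), ("h323", True, 5061),
                             ("sip", False, 5022), ("sip", True, 5060)]:
        ok, reason = validate_signaling_port(group, tls, port)
        print(f"{group:8} tls={tls!s:5} port={port}: {'OK' if ok else 'REJECT'} ({reason})")
    print("first usable TLS SIP port at or above 5060:", first_valid_port("sip", True, 5060))
```

The order of checks matters: the note 10 exclusions are tested before the range check so that the reason reported for 1720 or 9061 names the note rather than the generic range limit.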
14 Port Table Changes
There are no port changes from the R7.0.1 release.
15 Port Table Changes on CMM
The CMM port usage information similar to the following has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.
2 Port Usage Diagram
[Figure: Avaya Aura® Communication Manager port usage diagram. The figure groups CM's peers as Network Admin, Phone or trunk or SIP media server, Other CM Servers, Media Gateways, and Other or Any, with legend categories HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP and Other. Port labels shown in the figure: HTTPS TCP 443; HTTP TCP 80; HTTP TCP 81; HTTPS TCP 411; SSH TCP 22, 2222, 5022; Telnet TCP 23, 5023; SNMP UDP 161, 162; H.323 TCP default 1719; H.323 UDP 1719 (for registration); H.323 TCP 1720; H.323 TCP 1300; SIP TCP default 5060, 5061, 9061; NTP UDP 123; Syslog UDP 514; Syslog TLS 6514; Array Docker TCP 2376; Array Kafka TCP 9988; Arbiter UDP 1332; Dupmgr TCP 5098, 12080; DGB TCP 9000; Filesync TCP 20873-21874; ICMP; ASAI TCP 8765; H.248 TCP 1039, 2944, 2945; H.245 TCP 59000-59200.]
Appendix A: Overview of TCP/IP Ports
What are ports and how are they used?
TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be receiving information simultaneously. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both the source and the destination IP device. The pairing of an IP address and a port number is called a socket (discussed later). Therefore each data stream is uniquely identified by two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.
Port Type Ranges
Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).
Well-Known Ports are those numbered from 0 through 1023.
Registered Ports are those numbered from 1024 through 49151.
Dynamic Ports are those numbered from 49152 through 65535.
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.
Well-Known Ports
For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well understood application and range from 0 to 1023.
In UNIX and Linux operating systems only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".
Registered Ports
Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, of the ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024-49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.
Dynamic Ports
Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152-65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the port number associated with the IP address. A data flow or conversation requires two sockets, one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique: if one of the four elements differs, the data flow is unique. The following three data flows are uniquely identified by port number and/or IP address:
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore if one IP address octet changes or one port number changes, the data flow is unique.
[Figure 1: Socket example showing ingress and egress data flows from a PC to a web server. Client HTTP GET (egress): source 192.168.1.10:1369, destination 10.10.10.47:80. Server TCP reply (ingress): source 10.10.10.47:80, destination 192.168.1.10:1369.]
Notice the client egress stream includes the client's source IP and port (1369) and the destination IP and port (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.
Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.
Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [2].
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.
This paper focuses on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.
Knowing that the source column in the port matrices above is the socket initiator is key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.
[2] The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
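The mechanism described under Firewall Types and Firewall Policies above, as an added example that is not part of the Avaya document: a minimal stateful filter whose policy is written in the matrix's own terms (initiator zone, destination zone, protocol, destination port). It opens a return path only for flows the policy admitted, so a reply from CM is accepted only toward the exact socket that initiated, and anything else from CM toward the admin zone is dropped. The zone names, addresses and policy rows are constructed for the example; a production firewall does this in the kernel (connection tracking), not in Python.

```python
from collections import namedtuple

# One packet, in the direction it is travelling.
Packet = namedtuple("Packet", "src sport dst dport proto")


class StatefulFilter:
    """Toy stateful inspection: the policy decides who may initiate a flow,
    the state table decides whether later packets belong to an admitted one."""

    def __init__(self, zones, policy):
        self.zones = zones            # ip -> zone name
        self.policy = set(policy)     # (initiator zone, dest zone, proto, dport)
        self.state = set()            # admitted flows: (src, sport, dst, dport, proto)

    def zone(self, ip):
        return self.zones.get(ip, "untrusted")

    def process(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.state:
            return "ACCEPT (tracked)"
        if rev in self.state:
            # The return path exists only because the initiator was admitted.
            return "ACCEPT (return path)"
        src_zone, dst_zone = self.zone(p.src), self.zone(p.dst)
        if src_zone == dst_zone:
            # Endpoints and their servers in one zone need no policy row.
            return "ACCEPT (same zone)"
        if (src_zone, dst_zone, p.proto, p.dport) in self.policy:
            self.state.add(fwd)
            return "ACCEPT (new flow)"
        return "DROP"


# Constructed addresses and zones; not from the Avaya document.
ZONES = {"10.0.1.5": "admin", "10.0.2.10": "cm", "10.0.3.7": "phone"}

# Policy rows transcribed from the matrix: the Source column is the initiator.
POLICY = [
    ("admin", "cm", "tcp", 5022),   # SAT over SSH
    ("phone", "cm", "udp", 1719),   # H.225 RAS
    ("phone", "cm", "tcp", 1720),   # H.323 signaling
]


def run_scenario():
    """Push a fixed packet sequence through the filter; return the verdicts."""
    fw = StatefulFilter(ZONES, POLICY)
    packets = [
        Packet("10.0.1.5", 40000, "10.0.2.10", 5022, "tcp"),  # admin opens SAT
        Packet("10.0.2.10", 5022, "10.0.1.5", 40000, "tcp"),  # CM replies
        Packet("10.0.2.10", 5022, "10.0.1.5", 40001, "tcp"),  # CM to a port admin never used
        Packet("10.0.3.7", 49300, "10.0.2.10", 1719, "udp"),  # phone RAS registration
        Packet("10.0.3.7", 3000, "10.0.2.10", 5023, "tcp"),   # phone tries SAT Telnet
        Packet("10.0.2.10", 7000, "10.0.1.5", 22, "tcp"),     # CM initiates SSH to admin
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third and sixth packets are the security concern the text alludes to: a firewall that created a blanket "return path" for the whole CM-to-admin direction, rather than per tracked flow, would accept them.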
19 In CM3x and later filesync over SSL utilizes port 21874tcp to transfer translation unicode license and password files to the standby server(s)
20 Optionally encrypted in CM 41 and later See AE Services Administration and Maintenance Guide Release 41 (02-300357 Issue 8 December 2007) 21 Ports used for internal filesync communication defaults to 20873 ndash 20877 Number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in
etcoptecsecsconf
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 11
22 TLS enabled AMS SIP signaling groups on CM are blocked from using 1719 1720 5060 or 5061 TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061 TLS enabled H323 signaling groups are blocked from using 5061 or 9061
23 If an Ethernet interface has been dedicated for use by out-of-band management firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication http 80 and 443 ssh 22 2222 and 5022 telnet 23 and 5023 SNMP 161 and 162
24 The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container) This feature is not activated unless CM Array is configured
Table 2: Talk-only Ports for Communication Manager
If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.
Source Network Application | Source System Port | Destination Network Application | Destination System Port (Non-Configurable Range) | Destination System Port (Configurable Range) | Protocol | Optionally Enabled/Disabled | Description
CM | NA (NA) | any | NA (NA) | - | ICMP | NA | ICMP messages (ping, etc.); IP Protocol Number 1
CM or CLAN | 1024 – 65535 | DNS Server | 53 | - | UDP DNS | no | DNS requests and responses
CM | 1024 – 65535 | Network Time Server (NTS) | 123 | - | UDP NTP | yes | Network Time Protocol (client); Note 1
CM | 1024 – 65535 | IPSI | 123 | - | UDP NTP | yes | Network Time Protocol (client); Note 7
CM | 1024 – 65535 | SNMP NMS | 162 | 0 – 65535 | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events; Note 2, Note 11
CLAN | 1024 – 65535 | SNMP NMS | 162 | - | UDP SNMP Trap | yes | SNMP traps (client) for alarms or notable events; Note 11
CM | 1024 – 65535 | Rsyslog server | 514 | - | UDP Syslog | yes | Remote system log storage
SRS | 514 | CM 1.3 or older | Note 7 | - | TCP RSH | yes | Legacy Filesync Service; Note 7
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | - | TCP H.323 | yes | TTS; Note 8
CM RADIUS Client | 1024 – 65535 | RADIUS Server | 1812, 1813 | - | UDP RADIUS | no | RADIUS based login processing; Note 9
CM | 1024 – 65535 | IPSI | 1956 | - | TCP Proprietary | no | IPSI Command Server Service
CM | 1024 – 65535 | IPSI | 5010 | - | TCP Proprietary | no | IPSI Server control channel
CM | 1024 – 65535 | IPSI | 5011 | - | TCP Proprietary | no | IPSI Server IPSI version channel
CM | 1024 – 65535 | IPSI | 5012 | - | TCP Proprietary | no | IPSI Server serial number channel
CM SafeWord Client | 1024 – 65535 | SafeWord Server | 5030 | - | TCP SafeWord | yes | SafeWord based login processing; Note 9
CM | 1024 – 65535 | SIP Trunks | 5060 | 1 – 65535 | TCP SIP | yes | SIP; Note 4, Note 5, Note 10
CM | 1024 – 65535 | SIP Trunks | 5061 | 1 – 65535 | TCP/TLS SIPS | yes | SIP; Note 4, Note 6, Note 10
CM SecurID Client | 1024 – 65535 | SecurID Server | 5500 | - | UDP SecurID | yes | SecurID based login processing; Note 9
CM or CLAN | 5500 | Audix, LX, MM, MN | 1024 – 65535 | - | TCP Proprietary | no | Audix Digital Networking
CM | 1024 – 65535 | AMS | 9061 | 1 – 65535 | TCP/TLS SIPS | yes | SIP; Note 10
NOTES
1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled/Disabled). The IP address or Domain Name Server (DNS) name of a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the NTP client on the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.
2. By default, the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3. By default, the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 – 1023, but it is not configurable.
4. By default, only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Whether Processor Ethernet is enabled or disabled can be confirmed using the SAT interface -> type "display system-parameters customer-options" -> on page 4, see "Processor Ethernet".
5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
7. CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.
8. The source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 – 61444.
9. Disabled by default. Requires root access to enable.
10. TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443; ssh 22, 2222 and 5022; telnet 23 and 5023; SNMP 161 and 162.
1.4 Port Table Changes
There are no port changes from the R7.0.1 release.
1.5 Port Table Changes on CMM
The CMM port usage information similar to the following has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.
2 Port Usage Diagram
[Figure: port usage diagram for Avaya Aura® Communication Manager. Legend: HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP, Other. Peer groups shown: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any. Port labels on the diagram: HTTPS-TCP 443, HTTP-TCP 80, SSH-TCP 22, SSH-TCP 2222, SSH-TCP 5022, HTTP-TCP 81, HTTPS-TCP 411, SNMP-UDP 161, SNMP-UDP 162, H.323-TCP default 1719, H.323-UDP 1719, H.323-TCP 1720, SIP-TCP default 5060, SIP-TCP default 5061, SIP-TCP default 9061, Telnet-TCP 23, Telnet-TCP 5023, NTP-UDP 123, Syslog-UDP 514, Syslog-TLS 6514, Array Docker-TCP 2376, Array Kafka-TCP 9988, Arbiter-UDP 1332, Dupmgr-TCP 5098/12080, DGB-TCP 9000, Filesync-TCP 20873 – 21874, ICMP, ASAI-TCP 8765, H.323-TCP 1300, H.248-TCP 1039, H.248-TCP 2944, H.248-TCP 2945, H.245-TCP 59000 – 59200, H.323-UDP 1719 (for registration).]
Appendix A: Overview of TCP/IP Ports
What are ports and how are they used?
TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be simultaneously receiving information. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80, and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (Ingress) and outgoing (Egress) data streams.
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket (discussed later). Therefore, each data stream is uniquely identified by two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.
Port Type Ranges
Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).
Well-Known Ports are those numbered from 0 through 1023.
Registered Ports are those numbered from 1024 through 49151.
Dynamic Ports are those numbered from 49152 through 65535.
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers
Well-Known Ports
For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well-understood application and range from 0 to 1023.
In UNIX and Linux operating systems, only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".
Registered Ports
Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.
Dynamic Ports
Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152 – 65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow, or conversation, requires two sockets – one at the source device and one at the destination device. The data flow then has two sockets, with a total of four logical elements. Each data flow must be unique: if one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses, and the same port number on the second IP address, as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore, if one IP address octet changes or one port number changes, the data flow is unique.
[Figure 1: Socket example diagram. Client egress (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80. Client ingress (TCP info from the web server): Source 10.10.10.47:80, Destination 192.168.1.10:1369.]
Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.
Notice the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
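The port ranges and the socket/data-flow identity rule from this appendix, as an added example written for this page (it is not code from the Avaya document): it classifies a port into the three ranges the appendix defines and checks data flows for uniqueness by comparing all four elements of the two sockets, so a flow that differs by a single port or a single address octet is kept while an exact repeat is flagged. The sample flows are constructed to follow the Sockets section's pattern; the names `Socket`, `Flow`, `unique_flows` and `SAMPLE_FLOWS` are this example's own.

```python
"""Ports, sockets and data-flow identity, as described in Appendix A.

Added example, not from the Avaya document. It classifies port numbers into
the three ranges the appendix gives and treats a data flow as the pair of
sockets (four elements) that must be unique.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def port_range(port: int) -> str:
    """Name the range a port falls in, using the boundaries from Appendix A."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"      # privileged; root only on UNIX/Linux
    if port <= 49151:
        return "registered"      # e.g. 1719/1720 H.323, 5060/5061 SIP
    return "dynamic"             # private ports, no meaning attached


@dataclass(frozen=True)
class Socket:
    """An IP address paired with a port number."""
    ip: ipaddress.IPv4Address
    port: int

    @classmethod
    def parse(cls, text: str) -> Socket:
        """Parse 'A.B.C.D:port'; bad addresses and ports raise ValueError."""
        host, sep, port = text.strip().rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {text!r}")
        sock = cls(ipaddress.IPv4Address(host), int(port))
        port_range(sock.port)  # rejects ports outside 0-65535
        return sock


@dataclass(frozen=True)
class Flow:
    """Two sockets; equal only when all four elements are equal."""
    src: Socket
    dst: Socket

    @classmethod
    def parse(cls, text: str) -> Flow:
        """Parse 'src_ip:port - dst_ip:port' (the appendix's notation)."""
        left, right = text.split("-", 1)
        return cls(Socket.parse(left), Socket.parse(right))

    def describe(self) -> str:
        return (f"{self.src.ip}:{self.src.port} ({port_range(self.src.port)}) -> "
                f"{self.dst.ip}:{self.dst.port} ({port_range(self.dst.port)})")


def unique_flows(flow_texts: list[str]) -> tuple[list[Flow], list[Flow]]:
    """Split flows into first-seen (unique) and repeats, preserving order."""
    seen: set[Flow] = set()
    unique: list[Flow] = []
    repeats: list[Flow] = []
    for text in flow_texts:
        flow = Flow.parse(text)
        if flow in seen:
            repeats.append(flow)
        else:
            seen.add(flow)
            unique.append(flow)
    return unique, repeats


# Constructed sample input following the appendix's pattern: flow 2 changes one
# source port, flow 3 changes one destination octet, the last line repeats flow 1.
SAMPLE_FLOWS = [
    "172.16.16.14:1234 - 10.1.2.3:2345",
    "172.16.16.14:1235 - 10.1.2.3:2345",
    "172.16.16.14:1234 - 10.1.2.4:2345",
    "172.16.16.14:1234 - 10.1.2.3:2345",
]

if __name__ == "__main__":
    uniq, rep = unique_flows(SAMPLE_FLOWS)
    for f in uniq:
        print("unique:", f.describe())
    for f in rep:
        print("repeat:", f.describe())
```

Running the block prints three unique flows and one repeat; the frozen dataclasses make `Flow` hashable so the set lookup is the four-element comparison the appendix describes.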
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACL) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.
Application level gateways (ALG) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.
Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning².
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.
This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.
² The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
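Table 1 note 23 (block the management ports on the in-band interface when management is out-of-band) and the return-path discussion above, as an added example that is not Avaya's tooling: it builds an iptables rule list from the port matrix and emits the rules as strings for review rather than applying them. The port numbers come from note 23 and from the Table 2 talk-only rows for DNS, NTP, SNMP traps and syslog; the in-band interface name `eth1`, the peer addresses in the 192.0.2.0/24 documentation range and the `SAMPLE_PEERS` mapping are constructed assumptions. Setting `stateful=False` shows the second, reversed rule per flow that the text says a stateful firewall lets you avoid.

```python
"""Firewall rule generation from the CM port matrix.

Added example, not Avaya tooling. It models two points from the document:
  * Table 1 note 23: with a dedicated out-of-band management interface, the
    management listen ports must be blocked on the in-band (voice) interface.
  * Table 2 talk-only rows: CM is the socket initiator, so the policy needs an
    egress allow rule plus a return path. A stateful firewall supplies the
    return path with one ESTABLISHED,RELATED rule; a plain packet filter needs
    a second, reversed rule for every flow.
Rules are returned as strings for review; nothing is applied to the host.
"""
from __future__ import annotations

# Management listen ports listed in Table 1 note 23: (protocol, port).
MANAGEMENT_PORTS = [
    ("tcp", 80), ("tcp", 443),                  # http / https
    ("tcp", 22), ("tcp", 2222), ("tcp", 5022),  # ssh, High Priority SSH, SAT SSH
    ("tcp", 23), ("tcp", 5023),                 # telnet, SAT telnet
    ("udp", 161), ("udp", 162),                 # SNMP agent, SNMP trap receiver
]

# A subset of Table 2 talk-only rows: (protocol, destination port, peer role, description).
TALK_ONLY = [
    ("udp", 53, "dns_server", "DNS requests and responses"),
    ("udp", 123, "nts", "Network Time Protocol (client)"),
    ("udp", 162, "nms", "SNMP traps to the NMS"),
    ("udp", 514, "syslog", "Remote system log storage"),
]

# Constructed peer addresses (RFC 5737 documentation range); an assumption,
# not values from the document.
SAMPLE_PEERS = {
    "dns_server": "192.0.2.53",
    "nts": "192.0.2.123",
    "nms": "192.0.2.162",
    "syslog": "192.0.2.14",
}


def inband_management_block_rules(inband_iface: str) -> list[str]:
    """Note 23: drop the management ports when they arrive on the in-band interface."""
    return [
        f"iptables -A INPUT -i {inband_iface} -p {proto} --dport {port} -j DROP"
        for proto, port in MANAGEMENT_PORTS
    ]


def return_path_rule() -> str:
    """Stateful return path: one rule accepts replies to CM-initiated flows."""
    return "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"


def talk_only_rules(stateful: bool, peers: dict[str, str]) -> list[str]:
    """Egress allow rules for the talk-only flows.

    With stateful=False each flow also gets a reversed INPUT rule matching on
    the peer's source port, which is what a packet filter would need.
    """
    rules: list[str] = []
    for proto, port, role, desc in TALK_ONLY:
        peer = peers[role]
        rules.append(f"iptables -A OUTPUT -p {proto} -d {peer} --dport {port} -j ACCEPT  # {desc}")
        if not stateful:
            rules.append(f"iptables -A INPUT -p {proto} -s {peer} --sport {port} -j ACCEPT  # reply: {desc}")
    return rules


def build_policy(inband_iface: str, stateful: bool, peers: dict[str, str]) -> list[str]:
    """Full rule list: note-23 drops first, then the return path, then egress allows."""
    rules = inband_management_block_rules(inband_iface)
    if stateful:
        rules.append(return_path_rule())
    rules.extend(talk_only_rules(stateful, peers))
    return rules


if __name__ == "__main__":
    for rule in build_policy("eth1", stateful=True, peers=SAMPLE_PEERS):
        print(rule)
```

The note-23 drops are placed before the conntrack rule so that a management port on the in-band interface is refused regardless of connection state; the stateful variant yields 14 rules, the packet-filter variant 17.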
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 9
Source Destination
Network Application
Protocol
Optionally
Enabled
Disabled
Default Port State
Description System Port
(Non-Configurable Range)
System Port
(Configurable Range)
AMS 1024 ndash 65535
CM 9061
(5000-9999)
TCPTLS SIPS
Yes closed SIP
Note 22
CM Array Mgmt 1024 ndash 65535
CM 9988 TCP Yes closed
Exchange between Kafka (container) client and a Kafka Broker (See note 24)
CM 1024 ndash 65535
CM
12080 TCP TLS no Closed
Dupmgr (SW duplication) ndash Server 2
Note 10 Proprietary Optionally encrypted
CM SCS SRS 20873 - 21872
CM SCS SRS 20873 - 21872 TCP TLS no open
Internal Filesync communication
Note 21
CM SCS SRS 1024 ndash 65535
CM ndash SRS 21873 TCP TLS no open
Filesync over SSL
Note 18
CM SCS SRS 1024 ndash 65535
CM 21874 TCP TLS No open
Filesync over SSL
Note 19
G650 1024 ndash 65535
CM or CLAN 59000 ndash 59200 TCP H245 No open
H245
NOTES 1 The Secure Shell (SSH) Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) services can be Disabled andor blocked by authenticating to the
media server web administration interface --gt Server (Maintenance) --gt Security --gt Server Access --gt Change Service Name SSH Server (SCPSFTP 22) and set Service State to Disabled
2 An Avaya Welcome and Access Warning banner is displayed via this port Once the user selects ldquoContinuerdquo this port automatically redirects to HTTPS (443tcp)
3 This note for IP phone download was removed since it has been in disuse for many years 4 The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration
interface --gt Server (Maintenance) --gt Server Configuration --gt Configure Server --gt Continue --gt Continue --gt Select Configure individual services --gt Continue --gt Select Configure Time Server --gt Select this computer synchronizes with the duplicated server This option is utilized to synchronize time between the main media server duplicated media server Survivable Remote Servers (SRS formerly called LSP) and Survivable Core Servers (SCS formerly called ESS)
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 10
5 By default the Simple Network Management (SNMP) Agent service is disabled The SNMP Agent service can be enabled and configured via authenticating to the media server web administration interface --gt Server (Maintenance) --gt SNMP -gt Access -gt addchange If SNMP is enabled it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security
6 By default the SNMP Trap server service is blocked The SNMP Trap server services can be unblocked via the media server host firewall by authenticating to the media server web administration interface --gt Server (Maintenance) --gt SNMP -gt Incoming Traps -gt AddChange
7 By default the Legacy Filesync service is disabled This port is only enabled if a CM 70 SRS is configured to synchronize translations with a CM main server running CM 13 or older
8 By default only the S8300D and S8300E servers have the Processor Ethernet enabled Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card Processor Ethernet can be confirmed enabled or disabled using the SAT interface --gt Type display system-parameters customer-options --gt under page 4 see Processor Ethernet
9 The Arbiter service is only enabled on duplicated servers The Arbiter process 1) Decides which server is healthier and more able to be active and 2) Coordinates data shadowing between servers under the Duplication Managerrsquos control
10 Duplicated Port 5098 is for Server 1 and Port 12080 is for Server 2 11 CM as the destination is only when Processor Ethernet is enabled The Processor Ethernet limits H323 signaling connection requests to a processor-
dependent rate on the order of 5-10 per second 12 In CM31 or later the High Priority SSH service can be Disabled andor blocked via the media server host firewall by authenticating to the media server web
administration interface --gt Server (Maintenance) --gt Security --gt Server Access --gt Change Service Name High Priority SSH (2222) and set Service State to Disabled Prior to CM31 the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface --gt Launch Maintenance Web Interface --gt Security --gt Firewall -gt Uncheck Input to Server for Server hp-sshd
13 The H248 service is only enabled on media servers with Processor Ethernet enabled It limits connection requests to 50 with a burst limit of 100 14 In CM31 or later the Station Administration Terminal (SAT) SSH service can be Disabled andor blocked via the media server host firewall by authenticating
to the media server web administration interface --gt Server (Maintenance) --gt Security --gt Server Access --gt Change Service Name SAT (SSH 5022) and set Service State to Disabled
15 In CM31 or later the Station Administration Terminal (SAT) Telnet service can be Disabled andor blocked via the media server host firewall by authenticating to the media server web administration interface --gt Server (Maintenance) --gt Security --gt Server Access --gt Change Service Name SAT (Telnet 5023) and set Service State to Disabled
16 The SIP service is only enabled on media servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS
17 The SIPS service is only enabled on media servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS
18 If the main CM server is CM2x and the survivable CM servers are CM 70 filesync (over SSL) utilizes port 21873tcp to transfer translation unicode license and password files to the standby server(s)
19 In CM3x and later filesync over SSL utilizes port 21874tcp to transfer translation unicode license and password files to the standby server(s)
20 Optionally encrypted in CM 41 and later See AE Services Administration and Maintenance Guide Release 41 (02-300357 Issue 8 December 2007) 21 Ports used for internal filesync communication defaults to 20873 ndash 20877 Number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in
etcoptecsecsconf
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 11
22 TLS enabled AMS SIP signaling groups on CM are blocked from using 1719 1720 5060 or 5061 TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061 TLS enabled H323 signaling groups are blocked from using 5061 or 9061
23 If an Ethernet interface has been dedicated for use by out-of-band management firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication http 80 and 443 ssh 22 2222 and 5022 telnet 23 and 5023 SNMP 161 and 162
24 The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container) This feature is not activated unless CM Array is configured
Table 2 Talk-only Ports for Communication Manager
If a port is both listen and talk its covered by table 1 rather than by table 2
Source Destination
Network Application
Protocol
Optionally
Enabled
Disabled
Description System Port
(Non-Configurable
Range)
System Port
(Configurable Range)
CM NA
(NA)
any NA
(NA) ICMP NA
ICMP messages ping etc IP Protocol Number 1
CM or CLAN 1024 - 65535 DNS Server 53 UDP DNS No DNS Requests and Responses
CM 1024 ndash 65535 Network
Time Server (NTS)
123 UDP NTP yes Network Time Protocol (client)
Note 1
CM 1024 ndash 65535 IPSI
123 UDP NTP yes Network Time Protocol (client)
Note 7
CM 1024 ndash 65535
SNMP NMS 162
(0-65535)
UDP SNMP Trap
yes
SNMP traps (client) for alarms or notable events
Note 2 Note 11
CLAN 1024 ndash 65535
SNMP NMS
162 UDP SNMP
Trap yes
SNMP traps (client) for alarms or notable events
Note 11
CM 1024-65535 Rsyslog server
514
UDP Syslog yes Remote system log storage
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 12
Source Destination
Network Application
Protocol
Optionally
Enabled
Disabled
Description System Port
(Non-Configurable
Range)
System Port
(Configurable Range)
SRS 514 CM 13 or
older Note 7 TCP RSH yes Legacy Filesync Service Note 7
CM (via CLANPE)
Note 8 H323 Phone
1720 TCP H323 yes TTS
Note 8
CM RADIUS Client
1024 ndash 65535 RADIUS Server
1812 1813 UDP
RADIUS no
RADIUS based login processing
Note 9
CM 1024 - 65535 IPSI
1956 TCP
Proprietary no IPSI Command Server Service
CM 1024 - 65535 IPSI
5010 TCP
Proprietary no IPSI Server control channel
CM 1024 - 65535 IPSI
5011 TCP
Proprietary No IPSI Server IPSI version channel
CM 1024 - 65535 IPSI
5012 TCP
Proprietary no IPSI Server serial number channel
CM SafeWord Client
1024 ndash 65535 SafeWord
Server 5030
TCP
SafeWord yes
SafeWord based login processing Note 9
CM 1024 ndash 65535 SIP Trunks 5060
(1 to 65535) TCP SIP yes
SIP
Note 4 Note 5 Note 10
CM 1024 ndash 65535 SIP Trunks 5061
(1 to 65535)
TCP TLS SIPS
yes SIP
Note 4 Note 6 Note 10
CM SecurID Client
1024 ndash 65535 SecurID Server
5500 UDP
SecurID yes
SecurID based login processing Note 9
CM or CLAN 5500 Audix LX MM MN
1024 - 65535 TCP
Proprietary no Audix Digital Networking
CM 1024 ndash 65535 AMS 9061
(1 to 65535)
TCPTLSSIPS
yes SIP
Note 10
NOTES 1 The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface --gt
Server (Maintenance) --gt Server Configuration -gt NTP Configuration -gt NTP Mode (Enabled Disabled) The IP address or Domain Name Server (DNS) Name for a Primary Secondary or Tertiary Network Time Server (NTS) can be provided Furthermore the NTP the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS) Finally keys can optionally be provided for secure communications with the NTS
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 13
2 By default the SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3 By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 - 1023 and is not configurable.
4 By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Whether Processor Ethernet is enabled or disabled can be confirmed using the SAT interface -> type display system-parameters customer-options -> on page 4 see Processor Ethernet.
5 The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
6 The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
7 CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.
8 Source port is configurable using the "change ip-network-region" SAT command (page 2). The default is 61440 - 61444.
9 Disabled by default. Requires root access to enable.
10 TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.
11 If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443, ssh 22, 2222 and 5022, telnet 23 and 5023, SNMP 161 and 162.
1.4 Port Table Changes
There are no port changes from the R7.0.1 release.
1.5 Port Table Changes on CMM
The CMM port usage information, similar to the following, has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.
2 Port Usage Diagram
[Figure: port usage diagram centred on Avaya Aura® Communication Manager; the graphic itself is not recoverable from the text extraction. The recoverable labels follow.]
Legend: HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP, Other
Peers shown: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any
Ports shown: HTTPS TCP 443; HTTP TCP 80; SSH TCP 22, 2222 and 5022; HTTP TCP 81; HTTPS TCP 411; SNMP UDP 161 and 162; H.323 TCP default 1719; H.323 UDP 1719 (for registration); H.323 TCP 1720; SIP TCP default 5060; SIP TCP default 5061; SIP TCP default 9061; Telnet TCP 23 and 5023; NTP UDP 123; Syslog UDP 514; Syslog TLS 6514; Array Docker TCP 2376; Array Kafka TCP 9988; Arbiter UDP 1332; Dupmgr TCP 5098 and 12080; DGB TCP 9000; Filesync TCP 20873 - 21874; ASAI TCP 8765; H.323 TCP 1300; H.248 TCP 1039, 2944 and 2945; H.245 TCP 59000 - 59200; ICMP
Appendix A Overview of TCP/IP Ports
What are ports and how are they used?
TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be simultaneously receiving information. In this example email may use destination TCP port 25, a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to. Every IP device has incoming (Ingress) and outgoing (Egress) data streams.
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket (discussed later). Therefore each data stream is uniquely identified with two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.
Port Type Ranges
Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).
• Well-Known Ports are those numbered from 0 through 1023
• Registered Ports are those numbered from 1024 through 49151
• Dynamic Ports are those numbered from 49152 through 65535
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers
Well-Known Ports
For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well understood application and range from 0 to 1023.
In UNIX and Linux operating systems only root may open or close a well-known port. Well-Known Ports are also commonly referred to as "privileged ports".
Registered Ports
Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248 and others. The registered port range is 1024 - 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.
Dynamic Ports
Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152 - 65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow or conversation requires two sockets - one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore if one IP address octet changes or one port number changes, the data flow is unique.
Figure 1 Socket example showing ingress and egress data flows from a PC to a web server (Socket Example Diagram)
Client -> Web Server (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80
Web Server -> Client (TCP info): Source 10.10.10.47:80, Destination 192.168.1.10:1369
Notice the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACL) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.
Application level gateways (ALG) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.
Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning.[2]
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.
This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.
[2] The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
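The following script is an added example and is not part of the Avaya Port Matrix document or of Communication Manager itself. It turns two points made above into an iptables ruleset: the out-of-band management note (block HTTP 80/443, SSH 22/2222/5022, Telnet 23/5023 and SNMP 161/162 on the interface that carries in-band voice traffic when a dedicated management interface exists) and the Firewall Policies remark that the source column of the matrices is the socket initiator, so CM-initiated talk-only flows from Table 2 (DNS 53, NTP 123, syslog 514 over UDP) need an outbound allow plus one stateful return-path rule rather than a rule per direction. The interface names eth0 and eth1 are assumptions, as is direct iptables access on the Linux host; on a real CM server the host firewall is administered through the web interface described in the notes, so treat the output as a review artifact. Rules are printed by default and applied only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the Avaya Port Matrix document): build an iptables
# ruleset that applies the out-of-band management note. When one interface is
# dedicated to management, the management ports are blocked on the interface
# carrying in-band voice traffic. Interface names are assumptions.
IN_BAND_IF="${IN_BAND_IF:-eth0}"    # assumed: carries SIP/H.323/H.248 traffic
OOB_MGMT_IF="${OOB_MGMT_IF:-eth1}"  # assumed: dedicated management interface

# Management ports from note 11 / note 23 of the port matrix.
MGMT_TCP_PORTS="80 443 22 2222 5022 23 5023"
MGMT_UDP_PORTS="161 162"

# Signaling ports from the port usage diagram. A management-port list that
# overlaps this set would cut off phones and trunks, so it is rejected.
VOICE_PORTS="1719 1720 5060 5061 9061 1039 2944 2945"

# Talk-only flows CM initiates (Table 2): DNS, NTP and syslog over UDP.
TALK_ONLY_UDP_PORTS="53 123 514"

# Emit one rule per port for a chain/interface/action (prints, does not apply).
emit_port_rules() {
    chain="$1"; ifopt="$2"; iface="$3"; proto="$4"; action="$5"; ports="$6"
    for p in $ports; do
        printf 'iptables -A %s %s %s -p %s --dport %s -j %s\n' \
            "$chain" "$ifopt" "$iface" "$proto" "$p" "$action"
    done
}

# Management ports dropped on the in-band interface.
gen_inband_block_rules() {
    emit_port_rules INPUT -i "$1" tcp DROP "$MGMT_TCP_PORTS"
    emit_port_rules INPUT -i "$1" udp DROP "$MGMT_UDP_PORTS"
}

# Management ports accepted only on the out-of-band interface.
gen_oob_allow_rules() {
    emit_port_rules INPUT -i "$1" tcp ACCEPT "$MGMT_TCP_PORTS"
    emit_port_rules INPUT -i "$1" udp ACCEPT "$MGMT_UDP_PORTS"
}

# CM is the socket initiator for Table 2 flows: allow them outbound and let
# one stateful rule admit the replies instead of a second rule per direction.
gen_talk_only_rules() {
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    emit_port_rules OUTPUT -o "$1" udp ACCEPT "$TALK_ONLY_UDP_PORTS"
}

# Return 0 when no management port is also a signaling port, 1 otherwise.
check_no_voice_port_blocked() {
    for m in $MGMT_TCP_PORTS $MGMT_UDP_PORTS; do
        for v in $VOICE_PORTS; do
            if [ "$m" = "$v" ]; then
                echo "refusing to block signaling port $m" >&2
                return 1
            fi
        done
    done
    return 0
}

# Complete ruleset in evaluation order; produces nothing if the check fails.
gen_ruleset() {
    check_no_voice_port_blocked || return 1
    gen_talk_only_rules "$IN_BAND_IF"
    gen_oob_allow_rules "$OOB_MGMT_IF"
    gen_inband_block_rules "$IN_BAND_IF"
}

# Print for review by default; apply (as root) only when APPLY=1 is set.
if [ "${APPLY:-0}" = "1" ]; then
    gen_ruleset | sh
else
    gen_ruleset
fi
```

The order matters: the conntrack ACCEPT comes first so replies to CM-initiated flows are admitted, the out-of-band allows come next, and the in-band DROP rules last; with a default-accept INPUT policy the DROP rules are what actually removes the management surface from the voice interface. The overlap check is the guard a practitioner wants when the management list is edited later: a mistyped 5061 in that list would otherwise silently block SIP/TLS on the in-band interface.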
5 By default the Simple Network Management Protocol (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Access -> Add/Change. If SNMP is enabled, it is recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.
6 By default the SNMP Trap server service is blocked. The SNMP Trap server service can be unblocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> SNMP -> Incoming Traps -> Add/Change.
7 By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older.
8 By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card. Whether Processor Ethernet is enabled or disabled can be confirmed using the SAT interface -> type display system-parameters customer-options -> on page 4 see Processor Ethernet.
9 The Arbiter service is only enabled on duplicated servers. The Arbiter process 1) decides which server is healthier and more able to be active, and 2) coordinates data shadowing between servers under the Duplication Manager's control.
10 On duplicated servers, Port 5098 is for Server 1 and Port 12080 is for Server 2.
11 CM is the destination only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.
12 In CM 3.1 or later the High Priority SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name High Priority SSH (2222) and set Service State to Disabled. Prior to CM 3.1 the High Priority SSH service could be blocked via the media server host firewall by authenticating to the media server web administration interface -> Launch Maintenance Web Interface -> Security -> Firewall -> uncheck Input to Server for Server hp-sshd.
13 The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.
14 In CM 3.1 or later the Station Administration Terminal (SAT) SSH service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SAT (SSH 5022) and set Service State to Disabled.
15 In CM 3.1 or later the Station Administration Terminal (SAT) Telnet service can be disabled and/or blocked via the media server host firewall by authenticating to the media server web administration interface -> Server (Maintenance) -> Security -> Server Access -> Change Service Name SAT (Telnet 5023) and set Service State to Disabled.
16 The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
17 The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
18 If the main CM server is CM 2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license and password files to the standby server(s).
19 In CM 3.x and later filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license and password files to the standby server(s).
20 Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide Release 4.1 (02-300357, Issue 8, December 2007).
21 Ports used for internal filesync communication default to 20873 - 20877. The number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.
22 TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.
23 If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is to be used for in-band (voice) communication: http 80 and 443, ssh 22, 2222 and 5022, telnet 23 and 5023, SNMP 161 and 162.
24 The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated unless CM Array is configured.
Table 2 Talk-only Ports for Communication Manager
If a port is both listen and talk, it is covered by Table 1 rather than by Table 2.
Source Network | Source System Port (Non-Configurable Range / Configurable Range) | Destination Network | Destination System Port (Non-Configurable Range / Configurable Range) | Protocol | Application | Optionally Enabled / Disabled | Description
CM | NA (NA) | any | NA (NA) | ICMP | NA | | ICMP messages, ping etc. IP Protocol Number 1
CM or CLAN | 1024 - 65535 | DNS Server | 53 | UDP | DNS | no | DNS Requests and Responses
CM | 1024 - 65535 | Network Time Server (NTS) | 123 | UDP | NTP | yes | Network Time Protocol (client). Note 1
CM | 1024 - 65535 | IPSI | 123 | UDP | NTP | yes | Network Time Protocol (client). Note 7
CM | 1024 - 65535 | SNMP NMS | 162 (0-65535) | UDP | SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 2, Note 11
CLAN | 1024 - 65535 | SNMP NMS | 162 | UDP | SNMP Trap | yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024 - 65535 | Rsyslog server | 514 | UDP | Syslog | yes | Remote system log storage
Table 2 (continued)
Source Network | Source System Port (Non-Configurable Range / Configurable Range) | Destination Network | Destination System Port (Non-Configurable Range / Configurable Range) | Protocol | Application | Optionally Enabled / Disabled | Description
SRS | 514 | CM 1.3 or older | Note 7 | TCP | RSH | yes | Legacy Filesync Service. Note 7
CM (via CLAN/PE) | Note 8 | H.323 Phone | 1720 | TCP | H.323 | yes | TTS. Note 8
CM RADIUS Client | 1024 - 65535 | RADIUS Server | 1812, 1813 | UDP | RADIUS | no | RADIUS based login processing. Note 9
CM | 1024 - 65535 | IPSI | 1956 | TCP | Proprietary | no | IPSI Command Server Service
CM | 1024 - 65535 | IPSI | 5010 | TCP | Proprietary | no | IPSI Server control channel
CM | 1024 - 65535 | IPSI | 5011 | TCP | Proprietary | no | IPSI Server IPSI version channel
CM | 1024 - 65535 | IPSI | 5012 | TCP | Proprietary | no | IPSI Server serial number channel
CM SafeWord Client | 1024 - 65535 | SafeWord Server | 5030 | TCP | SafeWord | yes | SafeWord based login processing. Note 9
CM | 1024 - 65535 | SIP Trunks | 5060 (1 to 65535) | TCP | SIP | yes | SIP. Note 4, Note 5, Note 10
CM | 1024 - 65535 | SIP Trunks | 5061 (1 to 65535) | TCP/TLS | SIPS | yes | SIP. Note 4, Note 6, Note 10
CM SecurID Client | 1024 - 65535 | SecurID Server | 5500 | UDP | SecurID | yes | SecurID based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024 - 65535 | TCP | Proprietary | no | Audix Digital Networking
CM | 1024 - 65535 | AMS | 9061 (1 to 65535) | TCP/TLS | SIPS | yes | SIP. Note 10
NOTES
1 The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -> Server (Maintenance) -> Server Configuration -> NTP Configuration -> NTP Mode (Enabled / Disabled). The IP address or Domain Name Server (DNS) name for a Primary, Secondary or Tertiary Network Time Server (NTS) can be provided. Furthermore, the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.
2 By default SNMP Trap client service is disabled The SNMP Trap client service can be enabled and configured via authenticating to the media server web interface --gt Server (Maintenance) --gt SNMP -gt FP Traps -gt AddChange
3 By default the Legacy Filesync service is disabled This port is only enabled if a CM 70 SRS is configured to synchronize translations with a CM main server running CM 13 or older The destination port range is 512 - 1023 but its not configurable
4 By default only the S8300D and S8300E servers have the Processor Ethernet enabled Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card Processor Ethernet can be confirmed enabled or disabled using the SAT interface --gt Type display system-parameters customer-options --gt under page 4 see Processor Ethernet
5 The SIP service is only enabled on CM servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS
6 The SIPS service is only enabled on CM servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS
7 CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request 8 Source port is configurable using the ldquochange ip-network-regionrdquo SAT command (page 2) The default is 61440 ndash 61444 9 Disabled by default Requires root access to enable 10 TLS enabled AMS SIP signaling groups on CM are blocked from using 1719 1720 5060 or 5061 TLS enabled non-AMS SIP signaling groups are blocked from
using 1720 or 9061 TLS enabled H323 signaling groups are blocked from using 5061 or 9061 11 If an Ethernet interface has been dedicated for use by out-of-band management firewall rules should be used to block the following management ports on the
Ethernet interface that is to be used for in-band (voice) communication http 80 and 443 ssh 22 2222 and 5022 telnet 23 and 5023 SNMP 161 and 162
14 Port Table Changes There are no port changes from the R701 release
15 Port Table Changes on CMM The CMM port usage information similar to the following has been removed from Table 1 because this CM Port Matrix document no longer covers CMM A separate Avaya Port Matrix document for CMM will instead contain updated information about CMMs IP port usage
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 14
2 Port Usage Diagram
Avaya Aurareg
Communication
Manager
HTTPHTTPS SIP(S)H323
SSH SNMP
Proprietary ICMP Other
Network Admin
HTTPS-TCP443
HTTP-TCP80
SSH-TCP22
SSH-TCP2222
SSH-TCP5022
Phone or trunk or
SIP media server
HTTP-TCP81
HTTPS-TCP411
SNMP-UDP161
SNMP-UDP162
H323-TCP default 1719
H323-UDP1719
H323-TCP1720
SIP-TCP default 5060
SIP-TCP default 5061
SIP-TCP default 9061
Other CM Servers
Telnet-TCP23
Telnet-TCP5023
NTP-UDP123
Syslog-UDP514 Array Docker-TCP2376
Media Gateways
Arbiter-UDP1332
Dupmgr-TCP5098 12080
DGB-TCP 9000
Filesync-TCP 20873- 21874
ICMP
NTP-UDP123
Syslog-UDP514 Syslog-TLS6514 Array KafkaTCP9988
Other or Any
ASAI-TCP 8765
H323-TCP1300
H248-TCP1039
H248-TCP2944
H248-TCP2945
H245-TCP59000-59200
H323-UDP1719 For registration
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 15
Appendix A Overview of TCPIP Ports
What are ports and how are they used
TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams Consider your desktop PC Multiple applications may be simultaneously receiving information In this example email may use destination TCP port 25 a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Furthermore each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs Every IP device has incoming (Ingress) and outgoing (Egress) data streams
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation
Port Type Ranges
Port numbers are divided into three ranges Well-Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports)
Well-Known Ports are those numbered from 0 through 1023
Registered Ports are those numbered from 1024 through 49151
Dynamic Ports are those numbered from 49152 through 65535
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers
Well-Known Ports
For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well-known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 16
In UNIX and Linux operating systems only root may open or close a well-known port Well-Known Ports are also commonly referred to as ldquoprivileged portsrdquo
Registered Ports
Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings
Dynamic Ports
Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The dynamic port range is 49152 ndash 65535
Sockets
A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345 Data Flow 2 1721616141235 - 101232345 Data Flow 3 1721616141234 - 101242345 Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique Therefore if one IP address octet changes or one port number changes the data flow is unique
`
Client Web ServerHTTP-Get Source 1921681101369 Destination 1010104780
TCP-info Destination 1921681101369 Source 1010104780
Socket Example Diagram
Figure 1 Socket example showing ingress and egress data flows from a PC to a web server
Notice the client egress stream includes the clientrsquos source IP and socket (1369) and the destination IP and socket (80) The ingress stream has the source and destination information reversed because the ingress is coming from the server
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 17
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types
bull Packet Filtering
bull Application Level Gateways (Proxy Servers)
bull Hybrid (Stateful Inspection)
Packet Filtering is the most basic form of the firewalls Each packet that arrives or leaves the network has its header fields examined against criterion to either drop the packet or let it through Routers configured with Access Control Lists (ACL) use packet filtering An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any device in the Accounting subnet
Application level gateways (ALG) act as a proxy preventing a direct connection between the foreign device and the internal destination device ALGs filter each individual packet rather than blindly copying bytes ALGs can also send alerts via email alarms or other methods and keep log files to track significant events
Hybrid firewalls are dynamic systems tracking each connection traversing all interfaces of the firewall and making sure they are valid In addition to looking at headers the content of the packet up through the application layer is examined A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table Stateful inspection firewalls close off ports until the connection to the specific port is requested This is an enhancement to security against port scanning2
Firewall Policies
The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access using IP addresses port numbers and application types and sub-types
This paper is focused with identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction but can also raise security concerns
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone
2 The act of systematically scanning a computers ports Since a port is a place where information goes into and out of a
computer port scanning identifies open doors to a computer Port scanning has legitimate uses in managing networks but
port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 11
22 TLS-enabled AMS SIP signaling groups on CM are blocked from using ports 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
23 If an Ethernet interface has been dedicated to out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
24 The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 for communication between Docker daemons. The CM proxy uses TCP port 9988 to communicate with the Kafka client process (which runs as a Docker container). This feature, and these ports, are not activated unless CM Array is configured.
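Notes 22 and 23 are the kind of checks an administrator ends up scripting. The following is an added example, not Avaya's code and not part of the port matrix: signaling_port_allowed applies the note 22 exclusions to a proposed signaling-group port, and inband_block_rules emits the iptables rules note 23 calls for on the voice interface. The function names, the interface name eth1, the chain name and the rule comments are assumptions made here for illustration.

```python
"""Added example, not part of the Avaya port matrix: checks scripted from
notes 22 and 23 of Table 1. Function names, the interface 'eth1' and the
rule comments are assumptions made here for illustration."""

# Note 22: port numbers a TLS-enabled signaling group of each kind may not use.
BLOCKED_TLS_SIGNALING_PORTS = {
    "sip-ams":     frozenset({1719, 1720, 5060, 5061}),
    "sip-non-ams": frozenset({1720, 9061}),
    "h323":        frozenset({5061, 9061}),
}


def signaling_port_allowed(kind, port, tls=True):
    """True if a signaling group of `kind` may be administered with `port`.
    Note 22 only constrains TLS-enabled groups, so a non-TLS group is only
    checked for a valid port number here."""
    if kind not in BLOCKED_TLS_SIGNALING_PORTS:
        raise ValueError(f"unknown signaling group kind: {kind!r}")
    if not 1 <= port <= 65535:
        return False
    if not tls:
        return True
    return port not in BLOCKED_TLS_SIGNALING_PORTS[kind]


# Note 23: management ports to drop on the in-band (voice) interface once a
# separate interface is dedicated to out-of-band management.
MANAGEMENT_PORTS = {
    "tcp": {80: "http", 443: "https", 22: "ssh", 2222: "ssh", 5022: "ssh",
            23: "telnet", 5023: "telnet"},
    "udp": {161: "snmp", 162: "snmp-trap"},
}


def inband_block_rules(voice_iface, chain="INPUT", insert_first=True):
    """Return iptables commands (as strings, so they can be reviewed and tested
    before being run as root) that drop the note-23 ports on the voice
    interface only; the management interface is untouched. The DROP rules are
    inserted at the top of the chain by default so that an existing ACCEPT
    for, say, port 443 cannot shadow them."""
    action = "-I" if insert_first else "-A"
    rules = []
    for proto, ports in MANAGEMENT_PORTS.items():
        for port, name in sorted(ports.items()):
            rules.append(
                f"iptables {action} {chain} -i {voice_iface} -p {proto} "
                f"--dport {port} -m comment --comment 'note23-{name}' -j DROP"
            )
    return rules


if __name__ == "__main__":
    print(signaling_port_allowed("sip-ams", 5061))      # blocked for TLS AMS groups
    print(signaling_port_allowed("sip-non-ams", 5061))  # allowed
    print("\n".join(inband_block_rules("eth1")))
```

The rules are returned rather than executed so they can be diffed against the running ruleset (iptables -S INPUT) before being applied; SNMP is the only UDP entry in note 23, the rest are TCP.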
Table 2: Talk-only Ports for Communication Manager
If a port is both listen and talk, it is covered by Table 1 rather than by Table 2. Columns: Source (network application, system port), Destination (network application, system port with the configurable range in parentheses), Protocol, Network Application, Optionally Enabled/Disabled, Description and notes.

Source | Source port | Destination | Destination port | Protocol | Network application | Optionally enabled/disabled | Description
CM | NA | any | NA | ICMP (IP protocol number 1) | NA | NA | ICMP messages, ping, etc.
CM or CLAN | 1024-65535 | DNS server | 53 | UDP | DNS | No | DNS requests and responses
CM | 1024-65535 | Network Time Server (NTS) | 123 | UDP | NTP | Yes | Network Time Protocol (client). Note 1
CM | 1024-65535 | IPSI | 123 | UDP | NTP | Yes | Network Time Protocol (client). Note 7
CM | 1024-65535 | SNMP NMS | 162 (configurable 0-65535) | UDP | SNMP trap | Yes | SNMP traps (client) for alarms or notable events. Notes 2, 11
CLAN | 1024-65535 | SNMP NMS | 162 | UDP | SNMP trap | Yes | SNMP traps (client) for alarms or notable events. Note 11
CM | 1024-65535 | Rsyslog server | 514 | UDP | Syslog | Yes | Remote system log storage
SRS | 514 | CM 1.3 or older | 512-1023, not configurable (Note 3) | TCP | RSH | Yes | Legacy Filesync service. Note 3
CM (via CLAN/PE) | 61440-61444 by default, configurable (Note 8) | H.323 phone | 1720 | TCP | H.323 | Yes | TTS. Note 8
CM RADIUS client | 1024-65535 | RADIUS server | 1812, 1813 | UDP | RADIUS | No | RADIUS-based login processing. Note 9
CM | 1024-65535 | IPSI | 1956 | TCP | Proprietary | No | IPSI command server service
CM | 1024-65535 | IPSI | 5010 | TCP | Proprietary | No | IPSI server control channel
CM | 1024-65535 | IPSI | 5011 | TCP | Proprietary | No | IPSI server IPSI version channel
CM | 1024-65535 | IPSI | 5012 | TCP | Proprietary | No | IPSI server serial number channel
CM SafeWord client | 1024-65535 | SafeWord server | 5030 | TCP | SafeWord | Yes | SafeWord-based login processing. Note 9
CM | 1024-65535 | SIP trunks | 5060 (configurable 1 to 65535) | TCP | SIP | Yes | SIP. Notes 4, 5, 10
CM | 1024-65535 | SIP trunks | 5061 (configurable 1 to 65535) | TCP/TLS | SIPS | Yes | SIP. Notes 4, 6, 10
CM SecurID client | 1024-65535 | SecurID server | 5500 | UDP | SecurID | Yes | SecurID-based login processing. Note 9
CM or CLAN | 5500 | Audix LX, MM, MN | 1024-65535 | TCP | Proprietary | No | Audix digital networking
CM | 1024-65535 | AMS | 9061 (configurable 1 to 65535) | TCP/TLS | SIPS | Yes | SIP. Note 10
Notes
1 The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface: Server (Maintenance) > Server Configuration > NTP Configuration > NTP Mode (Enabled/Disabled). The IP address or DNS name of a primary, secondary or tertiary Network Time Server (NTS) can be provided. The media server can also be configured to accept multicast timing messages or to poll the NTS directly. Finally, keys can optionally be provided to authenticate communication with the NTS.
2 By default the SNMP trap client service is disabled. It can be enabled and configured after authenticating to the media server web interface: Server (Maintenance) > SNMP > FP Traps > Add/Change.
3 By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512-1023 and is not configurable.
4 By default only the S8300D and S8300E servers have Processor Ethernet enabled. Processor Ethernet uses the Ethernet interface resident in the processor cabinet in place of a C-LAN card. Whether Processor Ethernet is enabled can be confirmed from the SAT interface: type display system-parameters customer-options and see Processor Ethernet on page 4.
5 The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
6 The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable range excludes well-known ports used by other services, e.g. wrongly attempting to use 5060 for TLS.
7 CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.
8 The source port is configurable using the change ip-network-region SAT command (page 2). The default is 61440-61444.
9 Disabled by default. Requires root access to enable.
10 TLS-enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
11 If an Ethernet interface has been dedicated to out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface used for in-band (voice) communication: HTTP 80 and 443; SSH 22, 2222 and 5022; Telnet 23 and 5023; SNMP 161 and 162.
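A check that follows from Table 2 and its notes: every connection a CM server has itself opened should match a talk-only row (anything else is either return traffic for a Table 1 listen port, which is not CM-initiated, or something undocumented). The following is an added example and not part of the Avaya document: it parses connection-tracking records and reports flows CM initiated that Table 2 does not account for. The input lines are constructed here in the style of conntrack -L output rather than captured from a system, and the CM and peer addresses are assumptions.

```python
"""Added example, not from the Avaya port matrix: audits the connections a CM
server has actually initiated against the talk-only rows of Table 2. Input
lines are constructed here in the style of `conntrack -L` output; the CM
address and peer addresses are assumptions for illustration."""
import re

# (protocol, destination port) pairs CM is documented to initiate, transcribed
# from Table 2. Rows without a fixed destination port (ICMP, legacy filesync,
# Audix digital networking) are not represented and are reported if seen.
TALK_ONLY = {
    ("udp", 53), ("udp", 123), ("udp", 162), ("udp", 514),
    ("udp", 1812), ("udp", 1813), ("udp", 5500),
    ("tcp", 1956), ("tcp", 5010), ("tcp", 5011), ("tcp", 5012),
    ("tcp", 5030), ("tcp", 5060), ("tcp", 5061), ("tcp", 9061),
}
EPHEMERAL = range(1024, 65536)   # CM source-port range given in Table 2

# The first src=/dst=/sport=/dport= group of a conntrack line is the original
# (initiating) direction, which is what the Source column of Table 2 means.
# TCP lines carry a state word (ESTABLISHED, TIME_WAIT, ...) before it; UDP
# lines do not, hence the optional token.
_ORIG = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?:\S+\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_flow(line):
    """Return (proto, src_ip, sport, dst_ip, dport) for the initiating
    direction, or None for a line that is not a conntrack record."""
    m = _ORIG.match(line.strip())
    if not m:
        return None
    return (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def audit(lines, cm_ip):
    """Return (reason, flow) pairs for flows initiated by cm_ip that Table 2
    does not account for. Flows initiated by other hosts toward CM belong to
    Table 1 (listen ports) and are ignored here."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow[1] != cm_ip:
            continue
        proto, _, sport, _, dport = flow
        if (proto, dport) not in TALK_ONLY:
            findings.append(("destination port not in Table 2", flow))
        elif sport not in EPHEMERAL:
            findings.append(("source port outside 1024-65535", flow))
    return findings


# Constructed sample in conntrack -L style (not captured from a real system).
SAMPLE = """\
udp      17 28 src=10.1.2.3 dst=10.1.1.1 sport=50123 dport=123 src=10.1.1.1 dst=10.1.2.3 sport=123 dport=50123 mark=0 use=1
tcp      6 431998 ESTABLISHED src=10.1.2.3 dst=10.1.3.7 sport=40231 dport=5010 src=10.1.3.7 dst=10.1.2.3 sport=5010 dport=40231 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.1.2.3 dst=203.0.113.9 sport=44510 dport=443 src=203.0.113.9 dst=10.1.2.3 sport=443 dport=44510 [ASSURED] mark=0 use=1
udp      17 29 src=10.1.2.3 dst=10.1.1.5 sport=514 dport=514 src=10.1.1.5 dst=10.1.2.3 sport=514 dport=514 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.9.9.9 dst=10.1.2.3 sport=52000 dport=22 src=10.1.2.3 dst=10.9.9.9 sport=22 dport=52000 [ASSURED] mark=0 use=1
"""
CM_IP = "10.1.2.3"   # assumed CM address


def sample_findings():
    return audit(SAMPLE.splitlines(), CM_IP)


if __name__ == "__main__":
    for reason, flow in sample_findings():
        print(reason, flow)
```

On the constructed sample the NTP and IPSI flows pass, the outbound HTTPS connection is flagged because no talk-only row covers it, the syslog flow is flagged because its source port 514 is outside the 1024-65535 range the table gives, and the inbound SSH session is skipped because CM did not initiate it.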
1.4 Port Table Changes
There are no port changes from the R7.0.1 release.
1.5 Port Table Changes on CMM
CMM port usage information has been removed from Table 1 because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM contains updated information about CMM's IP port usage.
2 Port Usage Diagram
[Figure: port usage diagram for Avaya Aura® Communication Manager. Legend (protocol families): HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP, Other. Peers shown around CM: Network Admin; Phone or trunk or SIP media server; Other CM Servers; Media Gateways; Other or Any.]
Port labels in the diagram, in the order they appear:
HTTPS TCP 443; HTTP TCP 80; SSH TCP 22, 2222 and 5022; HTTP TCP 81; HTTPS TCP 411; SNMP UDP 161 and 162; H.323 TCP 1719 (default), UDP 1719 and TCP 1720; SIP TCP 5060 (default), 5061 (default) and 9061 (default); Telnet TCP 23 and 5023; NTP UDP 123; Syslog UDP 514; CM Array Docker TCP 2376; Arbiter UDP 1332; Dupmgr TCP 5098 and 12080; DGB TCP 9000; Filesync TCP 20873-21874; ICMP; NTP UDP 123; Syslog UDP 514; Syslog TLS 6514; CM Array Kafka TCP 9988; ASAI TCP 8765; H.323 TCP 1300; H.248 TCP 1039, 2944 and 2945; H.245 TCP 59000-59200; H.323 UDP 1719 (for registration).
Appendix A: Overview of TCP/IP Ports
What are ports and how are they used?
TCP and UDP use ports (assigned at http://www.iana.org/assignments/port-numbers) to route traffic arriving at an IP device to the correct upper-layer application. Ports are logical descriptors (numbers) that let a device multiplex and de-multiplex information streams. Consider a desktop PC on which several applications receive data at the same time: e-mail may use destination TCP port 25, a browser destination TCP port 80, and a Telnet session destination TCP port 23. These logical ports let the PC de-multiplex a single incoming packet stream into three mini-streams, and each mini-stream is delivered to the right application because the port number identifies which application it belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.
Ports are used in TCP and UDP to name the ends of the logical connections that carry data flows. A TCP or UDP stream has an IP address and a port number at both the source and the destination. The pairing of an IP address and a port number is called a socket (discussed later), so each data stream is identified by two sockets. The source must know both sockets before it can send a data stream to the destination. Some destination ports are open to receive data streams and are called listening ports: a listening port waits for a source (client) to contact the destination (server) on a port that has a known protocol associated with it. HTTPS, for example, is assigned port number 443; when a destination device is contacted on port 443 it expects the HTTPS protocol for that conversation.
Port Type Ranges
Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).
Well-Known Ports are those numbered from 0 through 1023.
Registered Ports are those numbered from 1024 through 49151.
Dynamic Ports are those numbered from 49152 through 65535.
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.
Well-Known Ports
To provide a service to clients it does not know in advance, a server process defines a listen port. Common services usually take their listen ports from the well-known range. A well-known port is normally active, meaning it is listening for any traffic destined for a specific application: well-known port 23 on a server waits for a source to contact the server's IP address on that port to establish a Telnet session, well-known port 25 waits for an e-mail (SMTP) session, and so on. These ports are tied to a well-understood application and range from 0 to 1023.
In UNIX and Linux operating systems only root (or a process granted the equivalent capability) may bind a listening socket to a well-known port; these ports are therefore also called privileged ports.
Registered Ports
Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range, and Avaya uses ports in this range for call control: some, but not all, of the ports Avaya uses here are 1719/1720 for H.323, 5060/5061 for SIP and 2944 for H.248. The registered port range is 1024-49151. Even though a port is registered to an application name, industry often uses these ports for other applications, so conflicts can occur in an enterprise when two servers use the same port number with different meanings.
Dynamic Ports
Dynamic ports, sometimes called private ports, are available for any general purpose; no meaning is associated with them (similar to RFC 1918 IP address usage). They are the least likely to collide with a registered application, which is why they are favored for ephemeral use. Placing a service on a dynamic port is not a security control in itself: a port scan finds a listener wherever it is, so the firewall policy still has to cover it. The dynamic port range is 49152-65535.
Sockets
A socket is the pairing of an IP address with a port number, for example 192.168.5.17:3009, where 3009 is the port number associated with the IP address. A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow therefore has two sockets with a total of four logical elements (a firewall's connection table also records the transport protocol, so a TCP flow and a UDP flow with the same four elements are still distinct). Each data flow must be unique, and if any one of the four elements differs, the data flow is unique. The following three data flows are uniquely identified by port number and/or IP address:
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid, typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second socket as data flow 1, but because the port number on the first socket differs, the data flow is unique. Data flow 3 differs from data flow 1 only in the second IP address, which is again enough. Therefore if one IP address octet changes or one port number changes, the data flow is unique.
[Figure 1: socket example showing ingress and egress data flows from a PC to a web server. Egress (HTTP GET from client to web server): source 192.168.1.10:1369, destination 10.10.10.47:80. Ingress (TCP data from web server back to client): source 10.10.10.47:80, destination 192.168.1.10:1369.]
Notice that the client's egress stream carries the client's source IP and port (1369) and the destination IP and port (80). The ingress stream has the source and destination information reversed because it comes from the server; this reversed socket pair is exactly what a stateful firewall matches when it admits return traffic.
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet filtering is the most basic form of firewall. Each packet that enters or leaves the network has its header fields examined against a set of criteria, and the packet is either dropped or let through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device on the Accounting subnet. Because a plain packet filter keeps no memory of earlier packets, it needs a rule for each direction of a flow, and the rule for the return direction has to admit the server's port toward the whole client source-port range.
Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. An ALG terminates the connection and inspects each packet at the application layer rather than blindly copying bytes. ALGs can also send alerts via e-mail, alarms or other methods, and keep log files to track significant events.
Hybrid firewalls are dynamic systems that track each connection traversing any interface of the firewall and verify that it is valid. In addition to examining headers, they can examine the content of the packet up through the application layer. A stateful inspection firewall also monitors the state of each connection and records it in a state table. It opens a return path only for connections recorded in that table, so ports that no permitted flow has used remain closed; this improves resistance to port scanning (see footnote 2).
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.
This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.
Knowing that the Source column in the matrices in this document is the socket initiator is key to building some types of firewall policy. Some firewalls can be configured to create a return path through the firewall automatically when the initiating source is allowed through. This removes the need to enter two firewall rules, one for each direction of the stream, but it can also raise security concerns: the return path must be bound to the initiating socket pair (and aged out when the flow ends), because a return rule that admits anything from the peer's address opens an inbound path to every port on the initiator.
Another feature of some firewalls is an umbrella policy that allows access for many independent data flows that share a common higher-layer attribute. Finally, many firewall rules can be avoided altogether by placing endpoints and the servers that serve them in the same firewall zone.
2 Port scanning: the act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but it can also be malicious if someone is looking for a weak access point to break into your computer.
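The return-path behaviour described under Firewall Policies, and the socket-pair uniqueness from the Sockets discussion in Appendix A, as an added example (this code is not Avaya's and is not part of the port matrix): a toy stateful filter whose policy is two Table 2 talk-only rows (NTP to the time server, the IPSI control channel). The strict variant admits only the exact reversed socket pair of a flow CM opened; the loose variant admits anything from a peer CM has contacted, which is the concern the text raises. The CM address, peer addresses, port numbers and class names are assumptions.

```python
"""Added example, not from the Avaya port matrix: a toy stateful packet
filter showing why the Source column (the socket initiator) is what a policy
keys on, how a return path is opened only for the matching socket pair, and
why a return path keyed on the peer address alone is a hole. Addresses, ports
and class names are assumed values for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self):
        # The flow's two sockets plus the protocol: change any element and,
        # as Appendix A puts it, you have a different data flow.
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):
        # What the return half of this flow looks like from the other side.
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


CM_IP = "10.1.2.3"                                  # assumed CM address
# Flows CM may initiate: (protocol, destination port), taken from two Table 2
# talk-only rows (NTP to the time server, IPSI server control channel).
ALLOWED_OUTBOUND = {("udp", 123), ("tcp", 5010)}


class StrictFilter:
    """Return path exists only for the exact reversed socket pair."""

    def __init__(self):
        # Keys of flows CM initiated. A real conntrack table also ages
        # entries out; this toy never does, which is itself a weakness.
        self.state = set()

    def egress(self, p):
        """Packet leaving CM: allowed only if the policy lists its destination port."""
        ok = p.src_ip == CM_IP and (p.proto, p.dst_port) in ALLOWED_OUTBOUND
        if ok:
            self.state.add(p.key())
        return ok

    def ingress(self, p):
        """Packet arriving at CM: allowed only as the return half of a flow CM opened."""
        return p.reverse_key() in self.state


class LooseFilter(StrictFilter):
    """Return path keyed on the peer address only: anything from a host CM has
    talked to is admitted, including connections to CM's management ports."""

    def ingress(self, p):
        return any(k[3] == p.src_ip for k in self.state)


def demo():
    """Run the same packets through both filters and return the verdicts."""
    ntp_req = Packet("udp", CM_IP, 50123, "10.1.1.1", 123)
    ntp_rep = Packet("udp", "10.1.1.1", 123, CM_IP, 50123)
    other_port = Packet("udp", "10.1.1.1", 123, CM_IP, 50124)   # one port differs
    other_host = Packet("udp", "10.1.1.9", 123, CM_IP, 50123)   # one address differs
    ssh_out = Packet("tcp", CM_IP, 40000, "10.1.1.1", 22)       # not in the policy
    ssh_in = Packet("tcp", "10.1.1.1", 4444, CM_IP, 22)         # peer probing CM's SSH
    strict, loose = StrictFilter(), LooseFilter()
    r = {}
    r["ntp_request"] = strict.egress(ntp_req)
    r["ntp_reply"] = strict.ingress(ntp_rep)
    r["reply_to_other_port"] = strict.ingress(other_port)
    r["reply_from_other_host"] = strict.ingress(other_host)
    r["ssh_from_cm"] = strict.egress(ssh_out)
    r["strict_ssh_from_peer"] = strict.ingress(ssh_in)
    loose.egress(ntp_req)
    r["loose_ssh_from_peer"] = loose.ingress(ssh_in)
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DROP'}")
```

The strict filter passes the NTP request and its reply and drops the packets that differ by one port or one address (the same distinction Appendix A draws between data flows 1, 2 and 3), while the loose filter lets the time server's host open an SSH connection to CM simply because CM had talked to it first.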
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 12
Source Destination
Network Application
Protocol
Optionally
Enabled
Disabled
Description System Port
(Non-Configurable
Range)
System Port
(Configurable Range)
SRS 514 CM 13 or
older Note 7 TCP RSH yes Legacy Filesync Service Note 7
CM (via CLANPE)
Note 8 H323 Phone
1720 TCP H323 yes TTS
Note 8
CM RADIUS Client
1024 ndash 65535 RADIUS Server
1812 1813 UDP
RADIUS no
RADIUS based login processing
Note 9
CM 1024 - 65535 IPSI
1956 TCP
Proprietary no IPSI Command Server Service
CM 1024 - 65535 IPSI
5010 TCP
Proprietary no IPSI Server control channel
CM 1024 - 65535 IPSI
5011 TCP
Proprietary No IPSI Server IPSI version channel
CM 1024 - 65535 IPSI
5012 TCP
Proprietary no IPSI Server serial number channel
CM SafeWord Client
1024 ndash 65535 SafeWord
Server 5030
TCP
SafeWord yes
SafeWord based login processing Note 9
CM 1024 ndash 65535 SIP Trunks 5060
(1 to 65535) TCP SIP yes
SIP
Note 4 Note 5 Note 10
CM 1024 ndash 65535 SIP Trunks 5061
(1 to 65535)
TCP TLS SIPS
yes SIP
Note 4 Note 6 Note 10
CM SecurID Client
1024 ndash 65535 SecurID Server
5500 UDP
SecurID yes
SecurID based login processing Note 9
CM or CLAN 5500 Audix LX MM MN
1024 - 65535 TCP
Proprietary no Audix Digital Networking
CM 1024 ndash 65535 AMS 9061
(1 to 65535)
TCPTLSSIPS
yes SIP
Note 10
NOTES 1 The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface --gt
Server (Maintenance) --gt Server Configuration -gt NTP Configuration -gt NTP Mode (Enabled Disabled) The IP address or Domain Name Server (DNS) Name for a Primary Secondary or Tertiary Network Time Server (NTS) can be provided Furthermore the NTP the media server can be configured to support multicast timing messages or direct poll requests to the Network Time Server (NTS) Finally keys can optionally be provided for secure communications with the NTS
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 13
2 By default SNMP Trap client service is disabled The SNMP Trap client service can be enabled and configured via authenticating to the media server web interface --gt Server (Maintenance) --gt SNMP -gt FP Traps -gt AddChange
3 By default the Legacy Filesync service is disabled This port is only enabled if a CM 70 SRS is configured to synchronize translations with a CM main server running CM 13 or older The destination port range is 512 - 1023 but its not configurable
4 By default only the S8300D and S8300E servers have the Processor Ethernet enabled Processor Ethernet enables use of the Ethernet card resident in the processor cabinet in place of a C-LAN card Processor Ethernet can be confirmed enabled or disabled using the SAT interface --gt Type display system-parameters customer-options --gt under page 4 see Processor Ethernet
5 The SIP service is only enabled on CM servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS
6 The SIPS service is only enabled on CM servers with Processor Ethernet enabled It limits connection requests 50 with a burst limit of 100 The configurable range excludes well-known ports used by other services eg wrongly attempting to use 5060 for TLS
7 CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request 8 Source port is configurable using the ldquochange ip-network-regionrdquo SAT command (page 2) The default is 61440 ndash 61444 9 Disabled by default Requires root access to enable 10 TLS enabled AMS SIP signaling groups on CM are blocked from using 1719 1720 5060 or 5061 TLS enabled non-AMS SIP signaling groups are blocked from
using 1720 or 9061 TLS enabled H323 signaling groups are blocked from using 5061 or 9061 11 If an Ethernet interface has been dedicated for use by out-of-band management firewall rules should be used to block the following management ports on the
Ethernet interface that is to be used for in-band (voice) communication http 80 and 443 ssh 22 2222 and 5022 telnet 23 and 5023 SNMP 161 and 162
14 Port Table Changes There are no port changes from the R701 release
15 Port Table Changes on CMM The CMM port usage information similar to the following has been removed from Table 1 because this CM Port Matrix document no longer covers CMM A separate Avaya Port Matrix document for CMM will instead contain updated information about CMMs IP port usage
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 14
2 Port Usage Diagram
Avaya Aurareg
Communication
Manager
HTTPHTTPS SIP(S)H323
SSH SNMP
Proprietary ICMP Other
Network Admin
HTTPS-TCP443
HTTP-TCP80
SSH-TCP22
SSH-TCP2222
SSH-TCP5022
Phone or trunk or
SIP media server
HTTP-TCP81
HTTPS-TCP411
SNMP-UDP161
SNMP-UDP162
H323-TCP default 1719
H323-UDP1719
H323-TCP1720
SIP-TCP default 5060
SIP-TCP default 5061
SIP-TCP default 9061
Other CM Servers
Telnet-TCP23
Telnet-TCP5023
NTP-UDP123
Syslog-UDP514 Array Docker-TCP2376
Media Gateways
Arbiter-UDP1332
Dupmgr-TCP5098 12080
DGB-TCP 9000
Filesync-TCP 20873- 21874
ICMP
NTP-UDP123
Syslog-UDP514 Syslog-TLS6514 Array KafkaTCP9988
Other or Any
ASAI-TCP 8765
H323-TCP1300
H248-TCP1039
H248-TCP2944
H248-TCP2945
H245-TCP59000-59200
H323-UDP1719 For registration
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 15
Appendix A Overview of TCPIP Ports
What are ports and how are they used
TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams Consider your desktop PC Multiple applications may be simultaneously receiving information In this example email may use destination TCP port 25 a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Furthermore each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs Every IP device has incoming (Ingress) and outgoing (Egress) data streams
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation
Port Type Ranges
Port numbers are divided into three ranges Well-Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports)
Well-Known Ports are those numbered from 0 through 1023
Registered Ports are those numbered from 1024 through 49151
Dynamic Ports are those numbered from 49152 through 65535
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers
Well-Known Ports
For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well-known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 16
In UNIX and Linux operating systems only root may open or close a well-known port Well-Known Ports are also commonly referred to as ldquoprivileged portsrdquo
Registered Ports
Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings
Dynamic Ports
Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The dynamic port range is 49152 ndash 65535
Sockets
A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345 Data Flow 2 1721616141235 - 101232345 Data Flow 3 1721616141234 - 101242345 Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique Therefore if one IP address octet changes or one port number changes the data flow is unique
`
Client Web ServerHTTP-Get Source 1921681101369 Destination 1010104780
TCP-info Destination 1921681101369 Source 1010104780
Socket Example Diagram
Figure 1 Socket example showing ingress and egress data flows from a PC to a web server
Notice the client egress stream includes the clientrsquos source IP and socket (1369) and the destination IP and socket (80) The ingress stream has the source and destination information reversed because the ingress is coming from the server
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 17
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types
bull Packet Filtering
bull Application Level Gateways (Proxy Servers)
bull Hybrid (Stateful Inspection)
Packet Filtering is the most basic form of the firewalls Each packet that arrives or leaves the network has its header fields examined against criterion to either drop the packet or let it through Routers configured with Access Control Lists (ACL) use packet filtering An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any device in the Accounting subnet
Application level gateways (ALG) act as a proxy preventing a direct connection between the foreign device and the internal destination device ALGs filter each individual packet rather than blindly copying bytes ALGs can also send alerts via email alarms or other methods and keep log files to track significant events
Hybrid firewalls are dynamic systems tracking each connection traversing all interfaces of the firewall and making sure they are valid In addition to looking at headers the content of the packet up through the application layer is examined A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table Stateful inspection firewalls close off ports until the connection to the specific port is requested This is an enhancement to security against port scanning2
Firewall Policies
The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access using IP addresses port numbers and application types and sub-types
This paper is focused with identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction but can also raise security concerns
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone
2 The act of systematically scanning a computers ports Since a port is a place where information goes into and out of a
computer port scanning identifies open doors to a computer Port scanning has legitimate uses in managing networks but
port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 13
2 By default the SNMP Trap client service is disabled. It can be enabled and configured by authenticating to the media server web interface -> Server (Maintenance) -> SNMP -> FP Traps -> Add/Change.
3 By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server running CM 1.3 or older. The destination port range is 512 - 1023 and is not configurable.
4 By default only the S8300D and S8300E servers have Processor Ethernet enabled. Processor Ethernet uses the Ethernet interface resident in the processor cabinet in place of a C-LAN card. Whether Processor Ethernet is enabled can be confirmed from the SAT interface: type display system-parameters customer-options and check the Processor Ethernet field on page 4.
5 The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable port range excludes well-known ports used by other services, so that, for example, 5060 cannot wrongly be assigned to TLS.
6 The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests to 50, with a burst limit of 100. The configurable port range excludes well-known ports used by other services, so that, for example, 5060 cannot wrongly be assigned to TLS.
7 CM sends the NTP data to the IPSI using an ephemeral port specified in the IPSI request.
8 The source port is configurable using the "change ip-network-region" SAT command (page 2). The default range is 61440 - 61444.
9 Disabled by default. Requires root access to enable.
10 TLS-enabled AMS SIP signaling groups on CM are blocked from using ports 1719, 1720, 5060 or 5061. TLS-enabled non-AMS SIP signaling groups are blocked from using 1720 or 9061. TLS-enabled H.323 signaling groups are blocked from using 5061 or 9061.
11 If an Ethernet interface has been dedicated to out-of-band management, firewall rules should be used to block the following management ports on the Ethernet interface that is used for in-band (voice) communication: HTTP 80 and 443, SSH 22, 2222 and 5022, Telnet 23 and 5023, SNMP 161 and 162.
1.4 Port Table Changes
There are no port changes from the R7.0.1 release.
1.5 Port Table Changes on CMM
The CMM port usage information that previously followed Table 1 has been removed, because this CM Port Matrix document no longer covers CMM. A separate Avaya Port Matrix document for CMM contains the updated information about CMM's IP port usage.
2 Port Usage Diagram
[Figure: port usage diagram. Avaya Aura Communication Manager is at the centre of the figure, with the peers Network Admin; Phone, trunk or SIP media server; Other CM Servers; Media Gateways; and Other or Any around it. The legend groups ports as HTTP/HTTPS, SIP(S)/H.323, SSH, SNMP, Proprietary, ICMP and Other. The ports labelled in the figure, by protocol:]
HTTP/HTTPS: HTTP TCP 80, HTTPS TCP 443, HTTP TCP 81, HTTPS TCP 411
SSH: TCP 22, 2222, 5022
Telnet: TCP 23, 5023
SNMP: UDP 161, 162
SIP: TCP default 5060, default 5061, default 9061
H.323: TCP default 1719, UDP 1719 (for registration), TCP 1720, TCP 1300; H.245 TCP 59000-59200
H.248: TCP 1039, 2944, 2945
ASAI: TCP 8765
NTP: UDP 123
Syslog: UDP 514, TLS 6514
ICMP
Other labels in the figure: Arbiter UDP 1332, Dupmgr TCP 5098 and 12080, DGB TCP 9000, Filesync TCP 20873-21874, Docker TCP 2376, Kafka TCP 9988
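A practical use of the diagram is to check that a CM server exposes only the ports it documents. The following POSIX shell check is an added example and not part of the Avaya document: it reads `ss -Hlntu` style output and reports every network-reachable listener whose port is not in an allow list. The allow lists are a subset of the diagram's ports chosen for illustration (Telnet 23/5023 is deliberately left out so that an enabled Telnet listener is flagged), and the sample `ss` lines are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not Avaya's code: compare what a CM server is actually
# listening on with the ports documented in the port usage diagram.
# ALLOWED_* are an illustrative subset of the diagram; SAMPLE_SS is
# constructed, not captured from a real server.

# Ports this deployment expects to expose, per protocol.
ALLOWED_TCP="22 80 81 411 443 1720 2222 5022 5060 5061 9061"
ALLOWED_UDP="123 161 162 514 1719"

# Constructed lines in the column layout of "ss -Hlntu":
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5061   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:25   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:1719   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:69     0.0.0.0:*'

# Read ss lines on stdin and print "proto port address" for every listener
# whose port is not in the allow list for its protocol. Loopback-only
# listeners are skipped: they are not reachable across the network and so
# need no firewall rule.
audit_listeners() {
    awk -v tcp="$ALLOWED_TCP" -v udp="$ALLOWED_UDP" '
    BEGIN {
        n = split(tcp, a, " "); for (i = 1; i <= n; i++) ok["tcp", a[i]] = 1
        n = split(udp, a, " "); for (i = 1; i <= n; i++) ok["udp", a[i]] = 1
    }
    NF >= 5 {
        proto = $1; la = $5
        # The port is whatever follows the last colon (works for [::]:22 too).
        if (match(la, /:[0-9]+$/) == 0) next
        port = substr(la, RSTART + 1)
        addr = substr(la, 1, RSTART - 1)
        if (addr == "127.0.0.1" || addr == "[::1]") next
        if (!((proto, port) in ok)) print proto, port, addr
    }'
}

# Run the check over the constructed sample. On a real server use:
#   ss -Hlntu | audit_listeners
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners
}
```

Over the sample this reports the Telnet listener on TCP 23 and a UDP 69 listener that the diagram does not document; each is either a service to disable or an omission in the allow list to investigate.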
Appendix A Overview of TCP/IP Ports
What are ports and how are they used?
TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that let devices multiplex and de-multiplex information streams. Consider your desktop PC: multiple applications may be receiving information simultaneously. In this example email may use destination TCP port 25, a browser destination TCP port 80, and a telnet session destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming packet stream into three mini-streams, and each mini-stream is directed to the correct high-level application because the port number identifies which application it belongs to. Every IP device has incoming (ingress) and outgoing (egress) data streams.
Ports are used in TCP and UDP to name the ends of the logical connections that carry data flows. A TCP or UDP stream has an IP address and port number for both the source and the destination device. The pairing of an IP address and a port number is called a socket (discussed later), so each data stream is uniquely identified by two sockets. The source must know both the source and destination sockets before it can send a data stream to the destination. Some destination ports are open to receive data streams and are called listening ports: they wait for a source (client) to contact the destination (server) on a specific port that has a known protocol associated with it. HTTPS, for example, is assigned port 443; when a destination device is contacted on port 443 it uses the HTTPS protocol for that conversation.
Port Type Ranges
Port numbers are divided into three ranges: Well-Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports).
Well-Known Ports are those numbered from 0 through 1023.
Registered Ports are those numbered from 1024 through 49151.
Dynamic Ports are those numbered from 49152 through 65535.
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.
Well-Known Ports
For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address on this port number to establish a Telnet session; well-known port 25 is waiting for an email session, and so on. These ports are tied to a well understood application and range from 0 to 1023.
In UNIX and Linux operating systems only root may bind a listener to a well-known port. Well-Known Ports are therefore also commonly referred to as "privileged ports".
Registered Ports
Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, of the ports used by Avaya in this range are 1719/1720 for H.323, 5060/5061 for SIP and 2944 for H.248. The registered port range is 1024 - 49151. Even though a port is registered to an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.
Dynamic Ports
Dynamic ports, sometimes called "private ports", are available for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to them. The dynamic port range is 49152 - 65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the port number associated with the IP address. A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique; if any one of the four elements differs, the data flow is unique. The following three data flows are uniquely identified by port number and/or IP address:
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore if one IP address octet changes or one port number changes, the data flow is unique.
[Figure: socket example diagram. Client to Web Server, HTTP GET: Source 192.168.1.10:1369, Destination 10.10.10.47:80. Web Server to Client, TCP info: Source 10.10.10.47:80, Destination 192.168.1.10:1369.]
Figure 1 Socket example showing ingress and egress data flows from a PC to a web server
Notice that the client egress stream includes the client's source IP and port (1369) and the destination IP and port (80). The ingress stream has the source and destination information reversed, because the ingress is coming from the server.
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against a set of criteria and is either dropped or let through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.
Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.
Hybrid firewalls are dynamic systems that track each connection traversing any interface of the firewall and make sure it is valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of each connection and records it in a state table. Stateful inspection firewalls keep ports closed until a connection to the specific port is requested, which improves resistance to port scanning (note 2).
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.
This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.
Knowing that the source column in the following matrices is the socket initiator is key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.
Another feature of some firewalls is an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve them in the same firewall zone.
Note 2: The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but it can also be malicious if someone is looking for a weakened access point to break into your computer.
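Two of the recommendations above are easiest to reason about as concrete rules: note 11 in the port table (block the CM management ports on the in-band voice interface when a separate out-of-band management interface exists) and the "return path" behaviour described under Firewall Policies. The following POSIX shell script is an added example and not Avaya's code or configuration. It prints iptables commands for review rather than applying them; the interface name (eth1 in the usage line) and the chain name CM_MGMT_INBAND are assumptions for the example, and the script must be adapted to the rules already present on the server, since the firewall on CM is the host's iptables service.

```shell
#!/bin/sh
# Added example, not Avaya's code: generate iptables rules for note 11
# (block CM management ports on the in-band voice interface when an
# out-of-band management interface exists) and show the stateful
# "return path" rule discussed under Firewall Policies.
# The interface name passed in and the chain name are assumptions.

# Management ports from note 11. HTTP 80/443, SSH 22/2222/5022 and
# Telnet 23/5023 are TCP; SNMP 161/162 is UDP.
MGMT_TCP_PORTS="80 443 22 2222 5022 23 5023"
MGMT_UDP_PORTS="161 162"
CHAIN="CM_MGMT_INBAND"

# Print the iptables commands for in-band interface $1 without applying
# them, so they can be reviewed first (then: mgmt_block_rules eth1 | sh).
mgmt_block_rules() {
    ifc="$1"
    # A dedicated chain keeps the block readable and easy to remove later.
    echo "iptables -N $CHAIN"
    for p in $MGMT_TCP_PORTS; do
        echo "iptables -A $CHAIN -p tcp --dport $p -j DROP"
    done
    for p in $MGMT_UDP_PORTS; do
        echo "iptables -A $CHAIN -p udp --dport $p -j DROP"
    done
    echo "iptables -A $CHAIN -j RETURN"
    # Insert the jump at position 1: the block must be evaluated before any
    # existing ACCEPT rule for these ports, otherwise it never matches.
    echo "iptables -I INPUT 1 -i $ifc -j $CHAIN"
    # Return path: replies to flows CM itself initiated (NTP, syslog, trunks
    # it set up) are accepted by connection state instead of per-port rules.
    # NEW packets are not matched here and continue down the INPUT chain;
    # on the in-band interface the chain above has already dropped NEW
    # packets to the management ports.
    echo "iptables -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of DROP rules generated; lets a reviewer confirm that all nine
# ports from note 11 are covered.
count_drop_rules() {
    mgmt_block_rules "$1" | grep -c -- '-j DROP'
}
```

The ESTABLISHED,RELATED rule is the "automatic return path" the text describes: one rule replaces a reverse rule per flow, which is convenient but means every reply is trusted on the strength of the connection-tracking table, which is the security concern the text alludes to. The management block is placed ahead of it, so an inbound management attempt on the voice interface is dropped before it can ever create a tracked connection.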
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 14
2 Port Usage Diagram
Avaya Aurareg
Communication
Manager
HTTPHTTPS SIP(S)H323
SSH SNMP
Proprietary ICMP Other
Network Admin
HTTPS-TCP443
HTTP-TCP80
SSH-TCP22
SSH-TCP2222
SSH-TCP5022
Phone or trunk or
SIP media server
HTTP-TCP81
HTTPS-TCP411
SNMP-UDP161
SNMP-UDP162
H323-TCP default 1719
H323-UDP1719
H323-TCP1720
SIP-TCP default 5060
SIP-TCP default 5061
SIP-TCP default 9061
Other CM Servers
Telnet-TCP23
Telnet-TCP5023
NTP-UDP123
Syslog-UDP514 Array Docker-TCP2376
Media Gateways
Arbiter-UDP1332
Dupmgr-TCP5098 12080
DGB-TCP 9000
Filesync-TCP 20873- 21874
ICMP
NTP-UDP123
Syslog-UDP514 Syslog-TLS6514 Array KafkaTCP9988
Other or Any
ASAI-TCP 8765
H323-TCP1300
H248-TCP1039
H248-TCP2944
H248-TCP2945
H245-TCP59000-59200
H323-UDP1719 For registration
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 15
Appendix A Overview of TCPIP Ports
What are ports and how are they used
TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams Consider your desktop PC Multiple applications may be simultaneously receiving information In this example email may use destination TCP port 25 a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Furthermore each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs Every IP device has incoming (Ingress) and outgoing (Egress) data streams
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation
Port Type Ranges
Port numbers are divided into three ranges Well-Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports)
Well-Known Ports are those numbered from 0 through 1023
Registered Ports are those numbered from 1024 through 49151
Dynamic Ports are those numbered from 49152 through 65535
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers
Well-Known Ports
For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well-known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 16
In UNIX and Linux operating systems only root may open or close a well-known port Well-Known Ports are also commonly referred to as ldquoprivileged portsrdquo
Registered Ports
Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings
Dynamic Ports
Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The dynamic port range is 49152 ndash 65535
Sockets
A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345 Data Flow 2 1721616141235 - 101232345 Data Flow 3 1721616141234 - 101242345 Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique Therefore if one IP address octet changes or one port number changes the data flow is unique
`
Client Web ServerHTTP-Get Source 1921681101369 Destination 1010104780
TCP-info Destination 1921681101369 Source 1010104780
Socket Example Diagram
Figure 1 Socket example showing ingress and egress data flows from a PC to a web server
Notice the client egress stream includes the clientrsquos source IP and socket (1369) and the destination IP and socket (80) The ingress stream has the source and destination information reversed because the ingress is coming from the server
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 17
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types
bull Packet Filtering
bull Application Level Gateways (Proxy Servers)
bull Hybrid (Stateful Inspection)
Packet Filtering is the most basic form of the firewalls Each packet that arrives or leaves the network has its header fields examined against criterion to either drop the packet or let it through Routers configured with Access Control Lists (ACL) use packet filtering An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any device in the Accounting subnet
Application level gateways (ALG) act as a proxy preventing a direct connection between the foreign device and the internal destination device ALGs filter each individual packet rather than blindly copying bytes ALGs can also send alerts via email alarms or other methods and keep log files to track significant events
Hybrid firewalls are dynamic systems tracking each connection traversing all interfaces of the firewall and making sure they are valid In addition to looking at headers the content of the packet up through the application layer is examined A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table Stateful inspection firewalls close off ports until the connection to the specific port is requested This is an enhancement to security against port scanning2
Firewall Policies
The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access using IP addresses port numbers and application types and sub-types
This paper is focused with identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction but can also raise security concerns
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone
2 The act of systematically scanning a computers ports Since a port is a place where information goes into and out of a
computer port scanning identifies open doors to a computer Port scanning has legitimate uses in managing networks but
port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 15
Appendix A Overview of TCPIP Ports
What are ports and how are they used
TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams Consider your desktop PC Multiple applications may be simultaneously receiving information In this example email may use destination TCP port 25 a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Furthermore each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs Every IP device has incoming (Ingress) and outgoing (Egress) data streams
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket (discussed later) Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation
Port Type Ranges
Port numbers are divided into three ranges Well-Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports)
Well-Known Ports are those numbered from 0 through 1023
Registered Ports are those numbered from 1024 through 49151
Dynamic Ports are those numbered from 49152 through 65535
The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers
Well-Known Ports
For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well-known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 16
In UNIX and Linux operating systems only root may open or close a well-known port Well-Known Ports are also commonly referred to as ldquoprivileged portsrdquo
Registered Ports
Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings
Dynamic Ports
Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The dynamic port range is 49152 ndash 65535
Sockets
A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345 Data Flow 2 1721616141235 - 101232345 Data Flow 3 1721616141234 - 101242345 Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique Therefore if one IP address octet changes or one port number changes the data flow is unique
`
Client Web ServerHTTP-Get Source 1921681101369 Destination 1010104780
TCP-info Destination 1921681101369 Source 1010104780
Socket Example Diagram
Figure 1 Socket example showing ingress and egress data flows from a PC to a web server
Notice the client egress stream includes the clientrsquos source IP and socket (1369) and the destination IP and socket (80) The ingress stream has the source and destination information reversed because the ingress is coming from the server
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 17
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types
bull Packet Filtering
bull Application Level Gateways (Proxy Servers)
bull Hybrid (Stateful Inspection)
Packet Filtering is the most basic form of the firewalls Each packet that arrives or leaves the network has its header fields examined against criterion to either drop the packet or let it through Routers configured with Access Control Lists (ACL) use packet filtering An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any device in the Accounting subnet
Application level gateways (ALG) act as a proxy preventing a direct connection between the foreign device and the internal destination device ALGs filter each individual packet rather than blindly copying bytes ALGs can also send alerts via email alarms or other methods and keep log files to track significant events
Hybrid firewalls are dynamic systems tracking each connection traversing all interfaces of the firewall and making sure they are valid In addition to looking at headers the content of the packet up through the application layer is examined A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table Stateful inspection firewalls close off ports until the connection to the specific port is requested This is an enhancement to security against port scanning2
Firewall Policies
The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access using IP addresses port numbers and application types and sub-types
This paper is focused with identifying the port numbers used by Avaya products so effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction but can also raise security concerns
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone
2 The act of systematically scanning a computers ports Since a port is a place where information goes into and out of a
computer port scanning identifies open doors to a computer Port scanning has legitimate uses in managing networks but
port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer
Avaya ndash Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy
May 2019 Avaya Port Matrix Avaya Aurareg Communication Manager 81 16
In UNIX and Linux operating systems only root may open or close a well-known port Well-Known Ports are also commonly referred to as ldquoprivileged portsrdquo
Registered Ports
Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings
Dynamic Ports
Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The dynamic port range is 49152 ndash 65535
Sockets
A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345 Data Flow 2 1721616141235 - 101232345 Data Flow 3 1721616141234 - 101242345 Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique Therefore if one IP address octet changes or one port number changes the data flow is unique
Figure 1: Socket example showing ingress and egress data flows from a PC to a web server
Client to web server (HTTP GET): source 192.168.1.10:1369, destination 10.10.10.47:80
Web server to client (TCP info): source 10.10.10.47:80, destination 192.168.1.10:1369
Notice the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server.
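The following is an added example, not part of the Avaya document, that models the socket pairs described above in Python. It parses the "ip:port - ip:port" notation used for the three data flows, treats the four elements as the identity of a flow, names which elements differ between two flows, and produces the reversed (ingress) flow shown in Figure 1. The addresses and ports are constructed sample values in the same shape as the text's examples, and the port-range classifier follows the three ranges the text gives.

```python
# Added example (not part of the Avaya document): model a data flow as a pair of
# sockets and show that changing any one of its four elements yields a distinct flow.
from ipaddress import ip_address
from typing import NamedTuple


class Socket(NamedTuple):
    ip: str
    port: int


class Flow(NamedTuple):
    src: Socket
    dst: Socket


def parse_socket(text):
    """Parse 'a.b.c.d:port' into a Socket, validating the address and port range."""
    host, sep, port = text.strip().rpartition(":")
    if not sep:
        raise ValueError("expected 'ip:port', got %r" % text)
    port_num = int(port)
    if not 0 <= port_num <= 65535:
        raise ValueError("port out of range: %d" % port_num)
    return Socket(str(ip_address(host)), port_num)


def parse_flow(text):
    """Parse 'src_ip:port - dst_ip:port', the notation used for the data flows above."""
    left, right = text.split(" - ", 1)
    return Flow(parse_socket(left), parse_socket(right))


def port_class(port):
    """Range names as given in the text: well-known, registered, dynamic."""
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic"


def reverse(flow):
    """The ingress stream of Figure 1: the same four elements with the roles swapped."""
    return Flow(flow.dst, flow.src)


def differing_elements(a, b):
    """Name the elements of the 4-tuple that differ between two flows."""
    names = ("source IP", "source port", "destination IP", "destination port")
    va = (a.src.ip, a.src.port, a.dst.ip, a.dst.port)
    vb = (b.src.ip, b.src.port, b.dst.ip, b.dst.port)
    return [n for n, x, y in zip(names, va, vb) if x != y]


def unique_flows(texts):
    """Distinct flows among the given strings; the 4-tuple itself is the identity."""
    return {parse_flow(t) for t in texts}


# Constructed sample flows in the same shape as the three in the text.
SAMPLE_FLOWS = [
    "172.16.16.14:1234 - 10.1.2.3:2345",   # flow 1
    "172.16.16.14:1235 - 10.1.2.3:2345",   # flow 2: only the source port differs
    "172.16.16.14:1234 - 10.1.2.4:2345",   # flow 3: only the destination IP differs
]

if __name__ == "__main__":
    f1, f2, f3 = (parse_flow(t) for t in SAMPLE_FLOWS)
    print(len(unique_flows(SAMPLE_FLOWS)), "distinct flows")
    print("flow 1 vs 2:", differing_elements(f1, f2))
    print("flow 1 vs 3:", differing_elements(f1, f3))
    print("reverse of flow 1:", reverse(f1))
```

Because `Flow` is a tuple of four values, a set of flows deduplicates exactly on the rule the text states: two flows are the same only when all four elements match, so any single differing octet or port makes a new entry.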
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.
Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.
Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning².
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers, and application types and sub-types.
This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns.
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.
² The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
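The following is an added example, not part of the Avaya document and not a description of any particular firewall product, that makes concrete the difference between the two ways of admitting the reply direction of a permitted flow discussed under Firewall Policies: entering a rule for each stream direction, or letting a stateful firewall create the return path automatically from the state table once the socket initiator has been allowed through. The policy, the client and server addresses, and the packets are constructed sample values; the rule shape (initiator network, destination network, destination port) mirrors the "source column is the initiator" convention of the matrices.

```python
# Added example (not part of the Avaya document): a toy model of a stateless
# filter with one rule per direction versus a stateful filter that admits the
# reply direction only for flows already in its state table. All addresses,
# ports and rules are constructed sample values.
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Rule(NamedTuple):
    src_net: str    # CIDR of the socket initiator (the "source" column)
    src_port: int   # None means any source port
    dst_net: str    # CIDR of the destination
    dst_port: int   # None means any destination port


def rule_matches(rule, pkt):
    """True when the packet's addresses fall in the rule's networks and its
    ports match the rule (a None port in the rule matches any port)."""
    return (ip_address(pkt.src_ip) in ip_network(rule.src_net)
            and ip_address(pkt.dst_ip) in ip_network(rule.dst_net)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_port in (None, pkt.dst_port))


def reverse(pkt):
    """The return direction has source and destination swapped (as in Figure 1)."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


class StaticFilter:
    """Stateless filter: every stream direction needs its own rule."""

    def __init__(self, rules):
        self.rules = list(rules)

    def check(self, pkt):
        return "ACCEPT" if any(rule_matches(r, pkt) for r in self.rules) else "DROP"


class StatefulFilter:
    """Stateful filter: one rule for the initiator; a packet in the reply
    direction is accepted only when its reverse 4-tuple is in the state table."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # 4-tuples of flows the policy has already admitted

    def check(self, pkt):
        if pkt in self.state or reverse(pkt) in self.state:
            return "ACCEPT"          # part of an established flow
        if any(rule_matches(r, pkt) for r in self.rules):
            self.state.add(pkt)      # new flow admitted by policy; remember it
            return "ACCEPT"
        return "DROP"


# Constructed policy: clients on 192.168.1.0/24 may open HTTP (80) to 10.10.10.0/24.
INITIATOR_RULE = Rule("192.168.1.0/24", None, "10.10.10.0/24", 80)
# The hand-written return rule a stateless filter needs for the reply stream.
# It can only match on the server's port, not on a specific prior request.
RETURN_RULE = Rule("10.10.10.0/24", 80, "192.168.1.0/24", None)

# Constructed packets: a request, its genuine reply, and a packet from the
# server's port 80 that no client ever asked for.
REQUEST = Packet("192.168.1.10", 1369, "10.10.10.47", 80)
REPLY = reverse(REQUEST)
UNSOLICITED = Packet("10.10.10.47", 80, "192.168.1.10", 4444)


def static_verdicts():
    """Verdicts for [request, reply, unsolicited] with one rule per direction."""
    fw = StaticFilter([INITIATOR_RULE, RETURN_RULE])
    return [fw.check(p) for p in (REQUEST, REPLY, UNSOLICITED)]


def stateful_verdicts():
    """Verdicts for [request, reply, unsolicited] with the automatic return path."""
    fw = StatefulFilter([INITIATOR_RULE])
    return [fw.check(p) for p in (REQUEST, REPLY, UNSOLICITED)]


def stateful_reply_without_request():
    """A reply-shaped packet seen before any request: nothing in the state table."""
    return StatefulFilter([INITIATOR_RULE]).check(REPLY)


if __name__ == "__main__":
    print("static  :", static_verdicts())
    print("stateful:", stateful_verdicts())
    print("reply first, stateful:", stateful_reply_without_request())
```

Running the block shows the trade-off behind the paragraph above: the stateless filter passes the request, the reply and the unsolicited packet alike, because its return rule can only describe "anything from the server's port 80", whereas the stateful filter passes the reply only because the matching request is in its state table and drops the unsolicited packet. Whether the automatic return path is acceptable in a given deployment still depends on how the firewall validates the state entries it creates, which is the concern the text raises.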