8/12/2019 Cisco VCS IP Port Usage for Firewall Traversal Deployment Guide X4 to X7
Cisco TelePresence Video Communication Server (Cisco VCS)
IP port usage for firewall traversal
Cisco VCS X4 to X7
D14606.03
September 2011

Contents: Cisco VCS IP port usage
Which IP ports are used with Cisco VCS?
Which IP ports need to be allowed through firewalls?
  Format of information
  Traversing firewalls: Administration, SIP calls, H.323 calls
  Internal: Administration, SIP calls, H.323 calls

Guide to this document: format of information
[Diagram: Cisco VCS Control, Cisco VCS Expressway in the DMZ, public Internet]
Example page:
  Management control: DMZ to public
  Open firewall: DMZ to public
  Columns:
    1. VCS Expressway source port (IP address of VCS Expressway)
    2. Server listening port (IP address of DNS server)
  IP ports (column 1 | column 2):
    DNS: UDP S >= 1024 | UDP 53
  S = Source port, typically >= 1024
How to read the example:
  Management control (or Call direction): direction of management / calls.
  Open firewall: direction firewall needs to be opened.
  IP address of column 1: source of messaging, IP address.
  IP address of column 2: destination of messaging, IP address.
  IP port in column 1: source of messaging, given as IP port, letter reference for more details, and default / expected port range (in italics in the original layout).
  IP port in column 2: destination of messaging, given as IP port, letter reference for more details, and default / expected port range (in italics in the original layout).
  Legend lines such as "S = ...": details of what defines the IP port ID / range.
Firewall needs to have a pinhole open for at least all source ports at IP address of source to all listening ports at IP address of listener.
When a firewall allows an outbound message through, it is assumed that responses (up to about 20 to 30 seconds after the original send) will be allowed back through the firewall.

Administration: Cisco VCS Expressway
Management control: Private to DMZ
Open firewall: Private to DMZ
Columns:
  1. Management system source port (IP address of management computer(s))
  2. VCS Expressway server (listening) port (IP address of VCS Expressway)
IP ports (column 1 | column 2):
  http: TCP S >= 1024 | TCP 80
  https: TCP S >= 1024 | TCP 443
  ssh: TCP S >= 1024 | TCP 22
  telnet: TCP S >= 1024 | TCP 23
  SNMP: UDP S >= 1024 | UDP 161
S = Source port, typically >= 1024
Management ports: only open ports for the management methods to be used.

Administration: Cisco VCS Expressway
Management control: DMZ to private
Open firewall: DMZ to private
Columns:
  1. PC listening port (IP address of management computer(s))
  2. VCS Expressway source port (IP address of VCS Expressway)
IP ports (column 1 | column 2):
  NTP: UDP 123 | UDP S >= 1024
  LDAP (for login): TCP 389 or 636 | TCP Ue 40000 to 49999
  Syslog: UDP 514 | UDP Ve 40000 to 49999
S = Source port, typically >= 1024
Ue = VCS TCP ephemeral port range, fixed at 40000 to 49999
Ve = VCS UDP ephemeral port range, fixed at 40000 to 49999
Management ports: only open ports for the management methods to be used.

Administration: Cisco VCS Expressway
Call direction: TMS to VCS Expressway (columns 1-2) | VCS Expressway to TMS (columns 3-4)
Open firewall: n/a | n/a
Columns:
  1. TMS source port (external IP address of TMS)
  2. VCS Expressway (listening) port (IP address of VCS Expressway)
  3. TMS (listening) port (external IP address of TMS)
  4. VCS Expressway source port (IP address of VCS Expressway)
IP ports (column 1 | column 2 | column 3 | column 4):
  https (TMS to VCS and secure feedback from VCS to TMS): TCP S >= 1024 | TCP 443 | TCP 443 | TCP S >= 1024
  http (feedback to TMS): - | - | TCP 80 | TCP S >= 1024
  SNMP (To TMS): UDP S >= 1024 | UDP 161
S = Source port, typically >= 1024

Administration: Cisco VCS Expressway
Management control: DMZ to public
Open firewall: DMZ to public
Columns:
  1. VCS Expressway source port (IP address of VCS Expressway)
  2. Server listening port (IP address of DNS server)
IP ports (column 1 | column 2):
  DNS: UDP S 10000 to 10210 | UDP 53
S = Source port: 10000 to 10210

SIP traversal call
Call direction: Inbound and outbound calls
Open firewall: Private to DMZ
Columns:
  1. VCS Control source port (IP address of VCS Control)
  2. VCS Expressway server (listening) port (IP address of VCS Expressway)
IP ports (column 1 | column 2):
  SIP signaling: TCP & TLS A 25000 to 29999 | TCP and TLS B 7001
  Assent RTP (traversal media): UDP YC 50000 to 52399 | UDP V 2776
  Assent RTCP (traversal media): UDP YC 50000 to 52399 | UDP W 2777
A = Protocols > SIP > Configuration > TCP Outbound port start to end: default = 25000 to 29999
B = Zones > Traversal Client > SIP port, typically 7001 for first traversal zone, 7002 for second etc.
YC = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777

SIP call to endpoint with public IP address
Call direction: Outbound to an endpoint in the Internet (columns 1-2) | Inbound from an endpoint in the Internet (columns 3-4)
Open firewall: DMZ to Internet | Internet to DMZ
Columns:
  1. VCS Expressway source port (IP address of VCS Expressway)
  2. Internet endpoint server (listening) port (any IP address)
  3. VCS Expressway server (listening) port (IP address of VCS Expressway)
  4. Internet endpoint source port (any IP address)
IP ports (column 1 | column 2 | column 3 | column 4):
  SIP signaling: UDP C 5060, TCP & TLS A 25000 to 29999 | UDP & TCP & TLS F 5060 or >= 1024 | UDP: C 5060, TCP: K 5060, TLS: L 5061 | UDP G 5060 or >= 1024, TCP & TLS H >= 1024
  RTP: UDP YE 50000 to 52399 | UDP E >= 1024 | UDP YE 50000 to 52399 | UDP E >= 1024
  RTCP: UDP YE 50000 to 52399 | UDP E >= 1024 | UDP YE 50000 to 52399 | UDP E >= 1024
C = Protocols > SIP > Configuration > UDP port: default = 5060
A = Protocols > SIP > Configuration > TCP Outbound port start to end: default = 25000 to 29999
F = defined by endpoints registration (or if call is to a non registered endpoint, IP port is defined by DNS lookup): any port >= 1024, often 5060 for UDP
K = Protocols > SIP > Configuration > TCP port: default = 5060
L = Protocols > SIP > Configuration > TLS port: default = 5061
G = any port >= 1024, often 5060 for hard endpoints
H = any port >= 1024
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
E = Endpoint media port range; value used is specified in the SDP:
  = any IP port above 1024
  = 50000 to 52399 for another VCS
  = 2326 to 2385 for MXP static setting
  = 11000 to 65000 for MXP dynamic setting

SIP call to endpoint behind non SIP-aware firewall
Call direction: Outbound to an endpoint behind a firewall (columns 1-2) | Inbound from an endpoint behind a firewall (columns 3-4)
Open firewall: DMZ to Internet | Internet to DMZ
Columns:
  1. VCS Expressway source port (IP address of VCS Expressway)
  2. Internet endpoint server (listening) port (any IP address)
  3. VCS Expressway server (listening) port (IP address of VCS Expressway)
  4. Internet endpoint source port (any IP address)
IP ports (column 1 | column 2 | column 3 | column 4):
  SIP signaling: UDP C 5060, TCP & TLS A 25000 to 29999 | UDP & TCP & TLS F 5060 or >= 1024 | UDP: C 5060, TCP: K 5060, TLS: L 5061 | UDP, TCP & TLS: Q >= 1024
  RTP: UDP YE 50000 to 52399 | UDP N >= 1024 | UDP YE 50000 to 52399 | UDP N >= 1024
  RTCP: UDP YE 50000 to 52399 | UDP N >= 1024 | UDP YE 50000 to 52399 | UDP N >= 1024
C = Protocols > SIP > Configuration > UDP port: default = 5060
A = Protocols > SIP > Configuration > TCP Outbound port start to end: default = 25000 to 29999
F = defined by endpoints registration (or if call is to a non registered endpoint, IP port is defined by DNS lookup): any port >= 1024, often 5060 for UDP
K = Protocols > SIP > Configuration > TCP port: default = 5060
L = Protocols > SIP > Configuration > TLS port: default = 5061
Q = Egress IP port from far end non-NAT aware firewall: any port >= 1024
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
N = VCS waits until it receives media, then it sends its media to the IP port from which the media was received (egress port of the media from the far end non SIP-aware firewall): any port >= 1024

SIP additional ports for ICE (from VCS X6.0)
Message direction: Outbound from VCS to endpoint in Internet (columns 1-2) | Inbound from an endpoint in Internet to VCS (columns 3-4)
Open firewall: DMZ to Internet | Internet to DMZ
Columns:
  1. VCS Expressway source port (IP address of VCS Expressway)
  2. Internet endpoint server (listening) port (any IP address)
  3. VCS Expressway server (listening) port (IP address of VCS Expressway)
  4. Internet endpoint source port (any IP address)
IP ports (column 1 | column 2 | column 3 | column 4):
  TURN server control: N/A | N/A | UDP 3478 | UDP M >= 1024
  TURN server media: UDP 60000 to 61799 | UDP N >= 1024 | UDP 60000 to 61799 | UDP N >= 1024
M = IP port of signalling from endpoint; may be ephemeral IP port of endpoint (if no firewall), or IP port of the outside firewall: any IP port above 1024
N = IP port of relevant ICE candidate: host IP port, server reflexive IP port (outside firewall port) or TURN server port: any IP port above 1024

H.323 traversal call using Assent
Call direction: Inbound and outbound calls
Open firewall: Private to DMZ
Columns:
  1. VCS Control source port (IP address of VCS Control)
  2. VCS Expressway server (listening) port (IP address of VCS Expressway)
IP ports (column 1 | column 2):
  Initial RAS connection: UDP RC 1719 | UDP D 6001
  Q.931 / H.225 signaling: TCP P 15000 to 19999 | TCP T 2776
  H.245: TCP P 15000 to 19999 | TCP T 2776
  Assent RTP (traversal media): UDP YC 50000 to 52399 | UDP V 2776
  Assent RTCP (traversal media): UDP YC 50000 to 52399 | UDP W 2777
RC = Protocols > H.323 > Gatekeeper > Registration UDP port: default = 1719
P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
D = Zones > Traversal Zone > H.323 port, typically 6001 for first traversal zone, 6002 for second etc.
T = VCS Expressway > Ports > H.323 Assent call signaling port: default = 2776
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
YC = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
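
The following is an added example, not part of the original guide: it audits a Private-to-DMZ firewall policy against the default pinholes listed on the "SIP traversal call" and "H.323 traversal call using Assent" pages, reporting required flows that no rule permits and rules that open more than those pages call for. The `Flow` and `Rule` types, the function names, the IP addresses and the sample rulesets are constructed for illustration; a deployment that changes the defaults (A, B, YC, V, W, RC, D, P, T) must change `REQUIRED` to match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str    # "tcp" or "udp"
    sport: tuple  # (low, high) source ports on VCS Control
    dport: tuple  # (low, high) listening ports on VCS Expressway


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str      # address or CIDR on the private side
    sport: tuple  # (low, high)
    dst: str      # address or CIDR in the DMZ
    dport: tuple  # (low, high)


# Default values from the two traversal pages; letters are the guide's references.
REQUIRED = [
    Flow("SIP signaling (A -> B)", "tcp", (25000, 29999), (7001, 7001)),
    Flow("Assent RTP (YC -> V)", "udp", (50000, 52399), (2776, 2776)),
    Flow("Assent RTCP (YC -> W)", "udp", (50000, 52399), (2777, 2777)),
    Flow("H.323 RAS (RC -> D)", "udp", (1719, 1719), (6001, 6001)),
    Flow("Q.931/H.225 and H.245 (P -> T)", "tcp", (15000, 19999), (2776, 2776)),
]


def _within(inner, outer):
    """True when the port range `inner` lies entirely inside `outer`."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def permits(rule, flow, control_ip, expressway_ip):
    """A rule permits a flow only if it covers ALL of its source ports and
    ALL of its listening ports, as the guide's pinhole note requires."""
    return (
        rule.proto == flow.proto
        and ip_address(control_ip) in ip_network(rule.src)
        and ip_address(expressway_ip) in ip_network(rule.dst)
        and _within(flow.sport, rule.sport)
        and _within(flow.dport, rule.dport)
    )


def excess(rule):
    """Reasons a rule is wider than the listed pinholes (empty list if none).
    Source-port width is not flagged; only hosts and destination ports are."""
    reasons = []
    if ip_network(rule.src).num_addresses > 1:
        reasons.append("source is wider than the single VCS Control address")
    if ip_network(rule.dst).num_addresses > 1:
        reasons.append("destination is wider than the single VCS Expressway address")
    needed = {
        port
        for flow in REQUIRED
        if flow.proto == rule.proto
        for port in range(flow.dport[0], flow.dport[1] + 1)
    }
    low, high = rule.dport
    extra = (high - low + 1) - sum(1 for port in needed if low <= port <= high)
    if extra:
        reasons.append(f"{extra} destination port(s) not listed for {rule.proto}")
    return reasons


def audit(rules, control_ip, expressway_ip):
    """Return required flows with no permitting rule, and over-wide rules."""
    missing = [
        flow.name
        for flow in REQUIRED
        if not any(permits(r, flow, control_ip, expressway_ip) for r in rules)
    ]
    excessive = [(i, why) for i, r in enumerate(rules) if (why := excess(r))]
    return {"missing": missing, "excessive": excessive}


# Constructed addresses and rulesets (not from the guide).
CONTROL_IP = "10.0.0.10"
EXPRESSWAY_IP = "192.0.2.20"

SAMPLE_RULES = [
    Rule("tcp", CONTROL_IP, (25000, 29999), EXPRESSWAY_IP, (7001, 7001)),
    Rule("udp", CONTROL_IP, (50000, 52399), EXPRESSWAY_IP, (2776, 2777)),
    # Broad "make it work" rule: whole subnet, every TCP destination port.
    Rule("tcp", "10.0.0.0/24", (1024, 65535), EXPRESSWAY_IP, (1, 65535)),
]

TIGHT_RULES = [
    Rule(f.proto, CONTROL_IP, f.sport, EXPRESSWAY_IP, f.dport) for f in REQUIRED
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, CONTROL_IP, EXPRESSWAY_IP))
    print(audit(TIGHT_RULES, CONTROL_IP, EXPRESSWAY_IP))
```

In the sample ruleset the broad TCP rule is what lets H.323 signaling through, so narrowing it without adding the P to T pinhole would break calls; the audit reports both facts separately.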

H.323 traversal call using H.460.18 / 19 non-mux media
Call direction: Inbound and outbound calls
Open firewall: Private to DMZ
Columns:
  1. VCS Control source port (IP address of VCS Control)
  2. VCS Expressway server (listening) port (IP address of VCS Expressway)
IP ports (column 1 | column 2):
  Initial RAS connection: UDP RC 1719 | UDP D 6001
  Q.931 / H.225 signaling: TCP P 15000 to 19999 | TCP M 1720
  H.245: TCP P 15000 to 19999 | TCP U 2777
  Assent RTP (traversal media): UDP YC 50000 to 52399 | UDP YE 50000 to 52399
  Assent RTCP (traversal media): UDP YC 50000 to 52399 | UDP YE 50000 to 52399
RC = Protocols > H.323 > Gatekeeper > Registration UDP port: default = 1719
P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
D = Zones > Traversal Zone > H.323 port, typically 6001 for first traversal zone, 6002 for second etc.
M = Protocols > H.323 Call signaling TCP port: default = 1720
U = VCS Expressway > Ports > H.323 H.460.18 call signaling port: default = 2777
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
YC = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399

H.323 traversal call using H.460.18 / 19 multiplexed media
Call direction: Inbound and outbound calls
Open firewall: Private to DMZ
Columns:
  1. VCS Control source port (IP address of VCS Control)
  2. VCS Expressway server (listening) port (IP address of VCS Expressway)
IP ports (column 1 | column 2):
  Initial RAS connection: UDP RC 1719 | UDP D 6001
  Q.931 / H.225 signaling: TCP P 15000 to 19999 | TCP M 1720
  H.245: TCP P 15000 to 19999 | TCP U 2777
  H460.18/19 RTP (traversal media): UDP YC 50000 to 52399 | UDP V 2776
  H460.18/19 RTCP (traversal media): UDP YC 50000 to 52399 | UDP W 2777
RC = Protocols > H.323 > Gatekeeper > Registration UDP port: default = 1719
P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
D = Zones > Traversal Zone > H.323 port, typically 6001 for first traversal zone, 6002 for second etc.
M = Protocols > H.323 Call signaling TCP port: default = 1720
U = VCS Expressway > Ports > H.323 H.460.18 call signaling port: default = 2777
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
YC = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399

H.323 call with registered endpoint with public IP address
Call direction: Outbound to an endpoint in the Internet (columns 1-2) | Inbound from an endpoint in the Internet (columns 3-4)
Open firewall: DMZ to Internet | Internet to DMZ
Columns:
  1. VCS Expressway source port (IP address of VCS Expressway)
  2. Internet endpoint server (listening) port (any IP address)
  3. VCS Expressway server (listening) port (IP address of VCS Expressway)
  4. Internet endpoint source port (any IP address)
IP ports (column 1 | column 2 | column 3 | column 4):
  Initial RAS connection: - | - | UDP RE 1719 | UDP J 1719
  Q.931 / H.225 signaling: TCP P 15000 to 19999 | TCP G 1720 | TCP M 1720 | TCP K 1720
  H.245: TCP P 15000 to 19999 | TCP H >= 1024 | TCP P 15000 to 19999 | TCP H >= 1024
  RTP: UDP YE 50000 to 52399 | UDP E >= 1024 | UDP YE 50000 to 52399 | UDP E >= 1024
  RTCP: UDP YE 50000 to 52399 | UDP E >= 1024 | UDP YE 50000 to 52399 | UDP E >= 1024
RE = Protocols > H.323 > Gatekeeper Registration > UDP port, default = 1719
J = Endpoint RAS source port, typically 1719
P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
G = Endpoint signaling port, specified in registration: any port >= 1024, typically 1720
M = Protocols > H.323 Call signaling TCP port: default = 1720
K = Endpoint signaling port: any port >= 1024, typically 1720
H = Endpoint H.245 signaling port:
  = any IP port >= 1024
  = 15000 to 19999 to another VCS
  = 5555 to 5574 for MXP static setting
  = 11000 to 65000 for MXP dynamic setting
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
E = Endpoint media port range; value used is specified in codec negotiations:
  = any IP port above 1024
  = 50000 to 52399 for another VCS
  = 2326 to 2385 for MXP static setting
  = 11000 to 65000 for MXP dynamic setting

H.323 call with a non-registered endpoint with public IP
Call direction: Outbound to an endpoint in the Internet (columns 1-2) | Inbound from an endpoint in the Internet (columns 3-4)
Open firewall: DMZ to Internet | Internet to DMZ
Columns:
  1. VCS Expressway source port (IP address of VCS Expressway)
  2. Internet endpoint server (listening) port (any IP address)
  3. VCS Expressway server (listening) port (IP address of VCS Expressway)
  4. Internet endpoint source port (any IP address)
IP ports (column 1 | column 2 | column 3 | column 4):
  Initial RAS connection: - | - | - | -
  Q.931 / H.225 signaling: TCP P 15000 to 19999 | TCP G 1720 | TCP M 1720 | TCP K 1720
  H.245: TCP P 15000 to 19999 | TCP H >= 1024 | TCP P 15000 to 19999 | TCP H >= 1024
  RTP: UDP YE 50000 to 52399 | UDP E >= 1024 | UDP YE 50000 to 52399 | UDP E >= 1024
  RTCP: UDP YE 50000 to 52399 | UDP E >= 1024 | UDP YE 50000 to 52399 | UDP E >= 1024
P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
G = Endpoint signaling port, specified by
  a) IP port in call request
  b) DNS lookup for URI to call
  c) 1720 if IP address but no port specified
  Can be: any port >= 1024, typically 1720
M = Protocols > H.323 Call signaling TCP port: default = 1720
K = Endpoint signaling port: any port >= 1024, typically 1720
H = Endpoint H.245 signaling port:
  = any IP port >= 1024
  = 15000 to 19999 to another VCS
  = 5555 to 5574 for MXP static setting
  = 11000 to 65000 for MXP dynamic setting
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
E = Endpoint media port range; value used is specified in codec negotiations:
  = any IP port above 1024
  = 50000 to 52399 for another VCS
  = 2326 to 2385 for MXP static setting
  = 11000 to 65000 for MXP dynamic setting

H.323 call with endpoint supporting Assent behind firewall
Call direction: Inbound from or outbound to an endpoint in the Internet behind a firewall
Open firewall: Internet to DMZ
Columns:
  1. VCS Expressway server (listening) port (IP address of VCS Expressway)
  2. Firewall source port (any IP address)
IP ports (column 1 | column 2):
  Initial RAS connection: UDP RE 1719 | UDP Q >= 1024
  Q.931 / H.225 signaling: TCP T 2776 | TCP Q >= 1024
  H.245: TCP T 2776 | TCP Q >= 1024
  RTP: UDP V 2776 | UDP N >= 1024
  RTCP: UDP W 2777 | UDP N >= 1024
RE = Protocols > H.323 > Gatekeeper Registration > UDP port, default = 1719
Q = Egress IP port from far end non-H.323 aware firewall: any port >= 1024
T = VCS Expressway > Ports > H.323 Assent call signaling port: default = 2776
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
N = Egress IP port of media from far end non-H.323 aware firewall: any port >= 1024
For calls made from the VCS Expressway to the endpoint:
1. VCS Expressway sends a message to the endpoint using the return path of the established RAS (registration) connection
2. The endpoint then makes a TCP connection out through its firewall to the VCS Expressway (port T - 2776 must be open on the firewall local to the VCS Expressway)
3. Any further connections required (e.g. H.245) are requested by the VCS Expressway over the established TCP connection, and the endpoint initiates them (to port T - 2776)

H.323 call with endpoint supporting H.460.18 / 19 non-mux media
Call direction: Inbound from or outbound to an endpoint in the Internet behind a firewall
Open firewall: Internet to DMZ
Columns:
  1. VCS Expressway server (listening) port (IP address of VCS Expressway)
  2. Firewall source port (any IP address)
IP ports (column 1 | column 2):
  Initial RAS connection: UDP RE 1719 | UDP Q >= 1024
  Q.931 / H.225 signaling: TCP M 1720 | TCP Q >= 1024
  H.245: TCP U 2777 | TCP Q >= 1024
  RTP: UDP YE 50000 to 52399 | UDP N >= 1024
  RTCP: UDP YE 50000 to 52399 | UDP N >= 1024
RE = Protocols > H.323 > Gatekeeper Registration > UDP port, default = 1719
Q = Egress IP port from far end non-H.323 aware firewall: any port >= 1024
M = Protocols > H.323 Call signaling TCP port: default = 1720
U = VCS Expressway > Ports > H.323 H.460.18 call signaling port: default = 2777
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399
N = Egress IP port of media from far end non-H.323 aware firewall: any port >= 1024
For calls made from the VCS Expressway to the endpoint:
1. VCS Expressway sends a message to the endpoint using the return path of the established RAS (registration) connection
2. The endpoint then makes a TCP connection out through its firewall to the VCS Expressway (port M - 1720 must be open on the firewall local to the VCS Expressway)
3. Any further connections required (e.g. H.245) are requested by the VCS Expressway over the established TCP connection, and the endpoint initiates them (to port U - 2777)

H.323 call with endpoint supporting H460.18 / 19 multiplexed media
Call direction: Inbound from or outbound to an endpoint in the Internet behind a firewall
Open firewall: Internet to DMZ
Columns:
  1. VCS Expressway server (listening) port (IP address of VCS Expressway)
  2. Firewall source port (any IP address)
IP ports (column 1 | column 2):
  Initial RAS connection: UDP RE 1719 | UDP Q >= 1024
  Q.931 / H.225 signaling: TCP M 1720 | TCP Q >= 1024
  H.245: TCP U 2777 | TCP Q >= 1024
  RTP: UDP V 2776 | UDP N >= 1024
  RTCP: UDP W 2777 | UDP N >= 1024
RE = Protocols > H.323 > Gatekeeper Registration > UDP port, default = 1719
Q = Egress IP port from far end non-H.323 aware firewall: any port >= 1024
M = Protocols > H.323 Call signaling TCP port: default = 1720
U = VCS Expressway > Ports > H.323 H.460.18 call signaling port: default = 2777
V = VCS Expressway > Ports > Media demultiplexing RTP port: default = 2776
W = VCS Expressway > Ports > Media demultiplexing RTCP port: default = 2777
N = Egress IP port of media from far end non-H.323 aware firewall: any port >= 1024
For calls made from the VCS Expressway to the endpoint:
1. VCS Expressway sends a message to the endpoint using the return path of the established RAS (registration) connection
2. The endpoint then makes a TCP connection out through its firewall to the VCS Expressway (port M - 1720 must be open on the firewall local to the VCS Expressway)
3. Any further connections required (e.g. H.245) are requested by the VCS Expressway over the established TCP connection, and the endpoint initiates them (to port U - 2777)

SIP/H.323 Authentication: Cisco VCS Expressway
Management control: DMZ to private
Open firewall: DMZ to private
Columns:
  1. PC listening port (IP address of management computer(s))
  2. VCS Expressway source port (IP address of VCS Expressway)
IP ports (column 1 | column 2):
  H.350: TCP 389 or 636 | TCP Ue 40000 to 49999
  Active Directory direct: UDP 53, UDP 88, TCP 88, UDP 389, TCP 389 or 636, TCP 445 or 139 | UDP Ve 40000 to 49999, TCP Ue 40000 to 49999
Ue = VCS TCP ephemeral port range, fixed at 40000 to 49999
Ve = VCS UDP ephemeral port range, fixed at 40000 to 49999
Management ports: only open ports for the management methods to be used.

Administration: Cisco VCS Control
Management control: Private network
Open firewall: n/a
Columns:
  1. Management system source port (IP address of management computer(s))
  2. VCS Control listening port (IP address of VCS Control)
IP ports (column 1 | column 2):
  http: TCP S >= 1024 | TCP 80
  https: TCP S >= 1024 | TCP 443
  ssh: TCP S >= 1024 | TCP 22
  telnet: TCP S >= 1024 | TCP 23
  SNMP: UDP S >= 1024 | UDP 161
S = Source port, typically >= 1024

Administration: Cisco VCS Control
Management control: Private network
Open firewall: n/a
Columns:
  1. Management system source port (IP address of management computer(s))
  2. VCS Control source port (IP address of VCS Control)
IP ports (column 1 | column 2):
  NTP: UDP 123 | UDP S >= 1024
  LDAP: TCP 389 | TCP S >= 1024
  http (feedback to TMS): TCP 80 | TCP S >= 1024
  DNS: UDP 53 | UDP S 10000 to 10210
S = Source port, typically >= 1024

Administration: local endpoint
Management control: Private network
Open firewall: n/a
Columns:
  1. Management system source port (IP address of management computer(s))
  2. Endpoint listening port (IP address of endpoint)
IP ports (column 1 | column 2):
  http: TCP S >= 1024 | TCP 80
  https: TCP S >= 1024 | TCP 443
  ssh: TCP S >= 1024 | TCP 22
  telnet: TCP S >= 1024 | TCP 23
  SNMP: UDP S >= 1024 | UDP 161
S = Source port, typically >= 1024

Administration: local endpoint
Management control: Private network
Open firewall: n/a
Columns:
  1. Management system source port (IP address of management computer(s))
  2. VCS Control source port (IP address of VCS Control)
IP ports (column 1 | column 2):
  NTP: UDP 123 | UDP S >= 1024
  http (feedback to TMS): TCP 80 | TCP S >= 1024
  DNS: UDP 53 | UDP S 10000 to 10210
S = Source port, typically >= 1024

SIP: internal
Call direction: VCS Control to endpoint (columns 1-2) | Endpoint to VCS Control (columns 3-4)
Open firewall: n/a | n/a
Columns:
  1. VCS Control source port (IP address of VCS Control)
  2. Endpoint listening port (IP address of endpoint)
  3. VCS Control listening port (IP address of VCS Control)
  4. Endpoint source port (IP address of endpoint)
IP ports (column 1 | column 2 | column 3 | column 4):
  SIP signaling: UDP C 5060, TCP & TLS A 25000 to 29999 | UDP & TCP & TLS F 5060 or >= 1024 | UDP: C 5060, TCP: K 5060, TLS: L 5061 | UDP G 5060 or >= 1024, TCP & TLS H >= 1024
  RTP: UDP YC 50000 to 52399 | UDP E >= 1024 | UDP YE 50000 to 52399 | UDP E >= 1024
  RTCP: UDP YC 50000 to 52399 | UDP E >= 1024 | UDP YE 50000 to 52399 | UDP E >= 1024
C = Protocols > SIP > Configuration > UDP port: default = 5060
A = Protocols > SIP > Configuration > TCP Outbound port start to end: default = 25000 to 29999
F = defined by endpoints registration (or if call is to a non-registered endpoint, IP port is defined by DNS lookup): any port >= 1024, often 5060 for UDP
K = Protocols > SIP > Configuration > TCP port: default = 5060
L = Protocols > SIP > Configuration > TLS port: default = 5061
G = any port >= 1024, often 5060 for hard endpoints
H = any port >= 1024
YC = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
E = Endpoint media port range; value used is specified in the SDP:
  = any IP port above 1024
  = 50000 to 52399 for another VCS
  = 2326 to 2385 for MXP static setting
  = 11000 to 65000 for MXP dynamic setting
YE = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Expressway): default = 50000 to 52399

H.323: internal
Call direction: VCS Control to endpoint (columns 1-2) | Endpoint to VCS Control (columns 3-4)
Open firewall: n/a | n/a
Columns:
  1. VCS Control source port (IP address of VCS Expressway)
  2. Endpoint listening port (any IP address)
  3. VCS Control listening port (IP address of VCS Expressway)
  4. Endpoint source port (any IP address)
IP ports (column 1 | column 2 | column 3 | column 4):
  Initial RAS connection: - | - | UDP RC 1719 | UDP J 1719
  Q.931 / H.225 signaling: TCP P 15000 to 19999 | TCP G 1720 | TCP M 1720 | TCP K 1720
  H.245: TCP P 15000 to 19999 | TCP H >= 1024 | TCP P 15000 to 19999 | TCP H >= 1024
  RTP: UDP YC 50000 to 52399 | UDP E >= 1024 | UDP YC 50000 to 52399 | UDP E >= 1024
  RTCP: UDP YC 50000 to 52399 | UDP E >= 1024 | UDP YC 50000 to 52399 | UDP E >= 1024
RC = Protocols > H.323 > Gatekeeper Registration > UDP port, default = 1719
J = Endpoint RAS source port, typically 1719
P = Protocols > H.323 > Gatekeeper > Call signaling port range start to end: default = 15000 to 19999
G = Endpoint signaling port, specified in registration: any port >= 1024, typically 1720
M = Protocols > H.323 Call signaling TCP port: default = 1720
K = Endpoint signaling port: any port >= 1024, typically 1720
H = Endpoint H.245 signaling port:
  = any IP port >= 1024
  = 15000 to 19999 to another VCS
  = 5555 to 5574 for MXP static setting
  = 11000 to 65000 for MXP dynamic setting
YC = Local Zone > Traversal Subzone > Traversal Media port start to end (configured on VCS Control): default = 50000 to 52399
E = Endpoint media port range; value used is specified in codec negotiations:
  = any IP port above 1024
  = 50000 to 52399 for another VCS
  = 2326 to 2385 for MXP static setting
  = 11000 to 65000 for MXP dynamic setting

B2BUA
SIP B2BUA (for calls to Microsoft OCS/Lync devices)
[Diagram: FEP a, FEP b, FEP c, Edge Server, Active Directory, Microsoft OCS / Lync, Cisco VCS Expressway, MOC / Lync client, video endpoint, hardware load balancer, Cisco TelePresence Advanced Media Gateway, TURN server, Cisco OCS/Lync gateway VCS Control, Cisco VCS Control]
Service / function | Default port on B2BUA:
  Media | 56000:57000 UDP
  OCS/Lync device signaling | 65072 TLS
  Transcoder device signaling | 65080 TLS
  OCS/Lync presence communications | 10011 TLS
Service / function | Default port on remote system:
  OCS/Lync device signaling | 5061 TLS
  TURN server signaling/media | 3478 UDP
  Transcoder device signaling | 5061 TLS

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2011 Cisco Systems, Inc. All rights reserved.