Table of Contents
Advertisement
Grey Headline (continued)
Firewall traversal protocols and ports
Ports for initial connections from
traversal clients
Each traversal server zone specifies an H.323
port and a SIP port to be used for the initial
connection from the client.
Each time you configure a new traversal
server zone on the VCS Expressway, you will
be allocated default port numbers for these
connections:
•
H.323 ports start at UDP/6001 and
increment by 1 for every new traversal
server zone
•
SIP ports start at TCP/7001 and increment
by 1 for every new traversal server zone.
You can change these default ports if
necessary but you must ensure that the ports
are unique for each traversal server zone.
After the H.323 and SIP ports have been set
on the VCS Expressway, matching ports must
be configured on the corresponding traversal
client.
The default port used for the initial
!
connections from MXP endpoints is the
same as that used for standard RAS
messages, i.e. UDP/1719. While it is possible
to change this port on the VCS Expressway,
most endpoints will not support connections to
ports other than UDP/1719. You are therefore
recommended to leave this as the default.
You must allow outbound connections
through your firewall to each of the
unique SIP and H.323 ports that are
configured on each of the VCS Expressway's
traversal server zones.
Overview and
System
Introduction
status
configuration
D14049.07
March 2010
Assent ports
For connections to the VCS Expressway using
the Assent protocol, the default ports are:
Call signaling
•
UDP/1719: listening port for RAS messages
•
TCP/2776: listening port for H.225 and
H.245 protocols
Media
•
UDP/2776: RTP media port
•
UDP/2777: RTCP media control port
If your VCS Expressway does not have any endpoints registering directly with it, and it is not
part of a cluster, then UDP/1719 is not required. You therefore do not need to allow
outbound connections to this port through the firewall between the VCS Control and VCS
Expressway.
SIP ports
Call signaling
SIP call signaling uses the same port as used
by the initial connection between the client and
server.
Media
Where the traversal client is a VCS, SIP media
uses Assent to traverse the firewall. The
default ports are the same as for H.323, i.e.:
•
UDP/2776: RTP media port
•
UDP/2777: RTCP media control port
VCS
Zones and
Clustering and
configuration
neighbors
peers
H.460.18/19 ports
For connections to the VCS Expressway using
the H.460.18/19 protocols, the default ports
are:
Call signaling
•
UDP/1719: listening port for RAS messages
•
TCP/1720: listening port for H.225 protocol
•
TCP/2777: listening port for H.245 protocol
Media
•
UDP/2776: RTP media port
•
UDP/2777: RTCP media control port
•
UDP/50000-52399: demultiplex media port
range
TURN ports
The VCS Expressway can be enabled to provide
TURN services
(Traversal Using Relays around
NAT) which can be used by SIP endpoints that
support the
ICE firewall traversal
protocol.
The ports used by these services are
configurable using:
•
VCS configuration > Expressway > TURN
xConfiguration Traversal Server
•
TURN
The ICE clients on each of the SIP endpoints
must be able to discover these ports, either
by using SRV records in DNS or by direct
configuration.
Call
Bandwidth
processing
control
132
TANDBERG
VIDEO COMMUNICATION SERVER
Ports for connections out to the public
internet
In situations where the VCS Expressway is
attempting to connect to an endpoint on the
public internet, you will not know the exact
ports on the endpoint to which the connection
will be made. This is because the ports to
be used are determined by the endpoint and
advised to the VCS Expressway only after the
server has located the endpoint on the public
internet. This may cause problems if your VCS
Expressway is located within a DMZ (i.e. there
is a firewall between the VCS Expressway and
the public internet) as you will not be able to
specify in advance rules that will allow you to
connect out to the endpoint's ports.
You can however specify the ports on the
VCS Expressway that will be used for calls
to and from endpoints on the public internet
so that your firewall administrator can allow
connections via these ports. The ports that
can be configured for this purpose are:
H.323
•
TCP/1720: signaling
•
UDP/1719: signaling
•
UDP/50000-52399: media
•
TCP/15000-19999: signaling
SIP
•
TCP/5061: signaling
•
UDP/5060 (default): signaling
•
UDP/50000-52399: media
•
TCP: a temporary port in the range
25000-29999 is allocated.
TURN
•
UDP/3478 (default): TURN services
•
UDP/60000-61200 (default range): media
Firewall
Applications
Maintenance
traversal
ADMINISTRATOR GUIDE
Appendices
Advertisement
Table of Contents
