Cisco TelePresence Administrator's Manual page 23

Introduction
New traversal media port framework
For new installations of X8.1 or later, the default range for traversal media ports is 36000 – 59999. The
n
previous default range of 50000 - 54999 still applies to earlier releases that have upgraded to X8.1. The
larger range is required to support the improved scalability features.
The media demultiplexing ports on the VCS Expressway now use the first set of ports from the general
n
range of traversal media ports instead of 2776 and 2777.
On existing systems that have been upgraded to X8.1, this will be 50000 and 50001 by default.
l
On new installations of X8.1, this will be 36000 and 36001 by default.
l
On large VM deployments, the first 12 ports in the traversal media port range are used (50000 - 50011 or
l
36000 - 36011 as appropriate).
This applies to all RTP/RTCP media, regardless of whether it is H.323 or SIP. Thus, the previously used
Media demultiplexing RTP port and RTCP port settings
associated xConfiguration Traversal Server CLI commands have been removed.
Administrators will need to adjust their firewall settings accordingly.
New TURN server port framework
On Large VM server deployments you can configure a range of TURN request listening ports. The default
range is 3478 – 3483.
For new installations of X8.1 or later, the default range for TURN relay media ports is 24000 – 29999. The
previous default range of 60000 – 61799 still applies to earlier releases that have upgraded to X8.1.
Delegated credential checking for device authentication (SIP only)
By default, the VCS uses the relevant credential checking mechanisms (local database, Active Directory
Service or H.350 directory via LDAP) on the VCS performing the authentication challenge.
Alternatively you can now configure the VCS so that the credential checking of SIP messages is delegated,
via a traversal zone, to another VCS. Delegated credential checking is useful in deployments where you
want to allow devices to register on a VCS Expressway, but for security you want all communications with
authentication systems (such as an Active Directory server) to be performed inside the enterprise.
Credential checking for both Digest and NTLM messages may be delegated.
Automated protection
An automated intrusion protection feature has been added. It can be used to detect and block malicious
traffic and to help protect the VCS from dictionary-based attempts to breach login security.
It works by parsing the system's log files to look for repeated failures to access specific service categories,
such as SIP, SSH and web/HTTPS access. When the number of failures within a specified time window
reaches the configured threshold, the source host address (the intruder) is blocked for a period of time. You
can configure sets of addresses that are exempted always from one or more categories.
Automated protection should be used in combination with the existing firewall rules feature - use automated
protection to temporarily block specific threats and use firewall rules to block permanently a range of known
host addresses.
Licensing of audio-only SIP traversal calls
Audio-only SIP traversal calls are now treated distinctly from video SIP traversal calls. Each traversal call
license allows either 1 video call or 2 audio-only SIP calls. Hence, a 100 traversal call license would allow, for
example, 90 video and 20 SIP audio-only simultaneous calls. Any other audio-only call (non-traversal, H.323
or interworked) will consume a standard video call license (traversal or non-traversal as appropriate).
Cisco VCS Administrator Guide (X8.1.1)
(Configuration > Traversal >
What's new in this version?
Ports) and
Page 23 of 507