Cisco Cisco Expressway Maintenance Manual
The call signaling ports are configured via Configuration > Traversal > Ports. The traversal media port range is
configured via Configuration > Traversal Subzone.
configured via Configuration > Traversal Subzone.
Configuring TURN Ports
(Traversal Using Relays around NAT) which can be used
by ICE-enabled SIP endpoints.
The ports used by these services are configurable via Configuration > Traversal > TURN.
The ICE clients on each of the SIP endpoints must be able to discover these ports, either by using SRV records in DNS
or by direct configuration.
or by direct configuration.
Configuring Ports for Connections Out to the Public Internet
In situations where the Expressway-E is attempting to connect to an endpoint on the public internet, you will not
know the exact ports on the endpoint to which the connection will be made. This is because the ports to be used are
determined by the endpoint and advised to the Expressway-E only after the server has located the endpoint on the
public internet. This may cause problems if your Expressway-E is located within a DMZ (where there is a firewall
between the Expressway-E and the public internet) as you will not be able to specify in advance any rules that will
allow you to connect out to the endpoint’s ports.
know the exact ports on the endpoint to which the connection will be made. This is because the ports to be used are
determined by the endpoint and advised to the Expressway-E only after the server has located the endpoint on the
public internet. This may cause problems if your Expressway-E is located within a DMZ (where there is a firewall
between the Expressway-E and the public internet) as you will not be able to specify in advance any rules that will
allow you to connect out to the endpoint’s ports.
You can however specify the ports on the Expressway-E that are used for calls to and from endpoints on the public
internet so that your firewall administrator can allow connections via these ports. The ports that can be configured for
this purpose are:
internet so that your firewall administrator can allow connections via these ports. The ports that can be configured for
this purpose are:
H.323
SIP
TURN
TCP/1720: signaling
UDP/1719: signaling
UDP/36000-59999: media*
TCP/15000-19999: signaling
TCP/5061: signaling
UDP/5060 (default): signaling
UDP/36000-59999: media*
TCP: a temporary port in the range
25000-29999 is allocated
25000-29999 is allocated
UDP/3478 (default): TURN services **
UDP/24000-29999 (default range):
media
media
Table 3 Port connections out to the public internet
* The default media traversal port range is 36000 to 59999, and is set on the Expressway-C at Configuration
> Traversal Subzone. In Large Expressway systems the first 12 ports in the range – 36000 to 36011 by default – are
always reserved for multiplexed traffic. The Expressway-E listens on these ports. You cannot configure a distinct
range of demultiplex listening ports on Large systems: they always use the first 6 pairs in the media port range. On
Small/Medium systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the
Expressway-E (Configuration > Traversal > Ports). If you choose not to configure a particular pair of ports (Use
configured demultiplexing ports = No), then the Expressway-E will listen on the first pair of ports in the media
traversal port range (36000 and 36001 by default).
> Traversal Subzone. In Large Expressway systems the first 12 ports in the range – 36000 to 36011 by default – are
always reserved for multiplexed traffic. The Expressway-E listens on these ports. You cannot configure a distinct
range of demultiplex listening ports on Large systems: they always use the first 6 pairs in the media port range. On
Small/Medium systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the
Expressway-E (Configuration > Traversal > Ports). If you choose not to configure a particular pair of ports (Use
configured demultiplexing ports = No), then the Expressway-E will listen on the first pair of ports in the media
traversal port range (36000 and 36001 by default).
** On Large systems you can configure a range of TURN request listening ports. The default range is 3478 – 3483.
Firewall Traversal and Authentication
The Expressway-E allows only authenticated client systems to use it as a traversal server.
Upon receiving the initial connection request from the traversal client, the Expressway-E asks the client to
authenticate itself by providing its authentication credentials. The Expressway-E then looks up the client’s
credentials in its own authentication database. If a match is found, the Expressway-E accepts the request from the
client.
authenticate itself by providing its authentication credentials. The Expressway-E then looks up the client’s
credentials in its own authentication database. If a match is found, the Expressway-E accepts the request from the
client.
The settings used for authentication depend on the type of traversal client:
42
Cisco Expressway Administrator Guide