Cisco Cisco Expressway Maintenance Manual
Trunk) Deployment Guide.
■
Endpoints registered to a neighbor system (such as a Cisco VCS): in this case you need to have configured
a neighbor zone between the neighbor system and Expressway-C, and suitable search rules to route calls for
the Jabber Guest domain to the neighbor system.
a neighbor zone between the neighbor system and Expressway-C, and suitable search rules to route calls for
the Jabber Guest domain to the neighbor system.
Configuring your Firewall for Jabber Guest Traffic
This section summarizes the ports that need to be opened for Jabber Guest traffic on the firewalls between your
internal network (where the Expressway-C is located) and the DMZ (where the Expressway-E is located) and
between the DMZ and the public internet.
internal network (where the Expressway-C is located) and the DMZ (where the Expressway-E is located) and
between the DMZ and the public internet.
Inbound from public internet to Expressway-E (DMZ)
Purpose
Protocol
Internet endpoint (source)
Expressway-E (listening)
HTTPS traffic (see notes below)
TCP
TCP source port
9443
HTTP traffic (see notes below)
TCP
TCP source port
9980
TURN server control / media
UDP
UDP source port
3478 (small/medium
system)
system)
3478-3483 (default range
on large system)*
on large system)*
Note that:
■
HTTP and HTTPS traffic from Jabber Guest clients in the internet is sent to ports 80 and 443 TCP respectively.
Therefore the firewall between the Expressway-E and the public internet must translate destination port 80 to
9980 and destination port 443 to 9443 for all TCP traffic that targets the Expressway-E address.
Therefore the firewall between the Expressway-E and the public internet must translate destination port 80 to
9980 and destination port 443 to 9443 for all TCP traffic that targets the Expressway-E address.
■
80/443 TCP are the standard HTTP/S administration interfaces on the Expressway. If the Expressway-E is
administered from systems located in the internet, then the firewall translation must also distinguish by source
address and must not translate the destination port of traffic arriving from those management systems.
administered from systems located in the internet, then the firewall translation must also distinguish by source
address and must not translate the destination port of traffic arriving from those management systems.
■
You also need to ensure that appropriate DNS records exist so that the Jabber Guest client can reach the
Expressway-E. The FQDN of the Expressway-E in DNS must include the Jabber Guest domain, so in this case
it could be
Expressway-E. The FQDN of the Expressway-E in DNS must include the Jabber Guest domain, so in this case
it could be
expressway.example.com
. Use round-robin DNS if it is a cluster of Expressway-Es.
Note that this is public DNS configuration and it does not impose any configuration requirements on the
Expressway-E itself (host name / domain name on the DNS page, or the cluster name etc.)
Expressway-E itself (host name / domain name on the DNS page, or the cluster name etc.)
Inbound from Expressway-E (external/NAT address) to Expressway-C (private)
Purpose
Protocol
Expressway-E (source
external/NAT address)
external/NAT address)
Expressway-C (listening)
Media
UDP
24000 to 29999
36002 to 59999 **
Jabber Guest media does not go through the traversal link between Expressway-E and Expressway-C. You may find
that two way media can still be established even if the Expressway-E to Expressway-C rules described above are not
applied. This is because the outbound media creates a pinhole in the firewall. However, these rules are required to
support uni-directional media (that is, only from outside to inside).
that two way media can still be established even if the Expressway-E to Expressway-C rules described above are not
applied. This is because the outbound media creates a pinhole in the firewall. However, these rules are required to
support uni-directional media (that is, only from outside to inside).
87
Cisco Expressway Administrator Guide