Cisco Expressway

Purpose | Protocol | Expressway-C (source) | Internal Device Port/Range
--- | --- | --- | ---
HTTP (configuration file retrieval) | TCP | Ephemeral port | 6970 (Unified CM)
CUC (voicemail) | TCP | Ephemeral port | 443 (Unity Connection)
Message Waiting Indicator (MWI) from Unity Connection | TCP | Ephemeral port | 7080 (Unity Connection)
Media | UDP | 36000 to 59999* | >= 1024 (media recipient, e.g. endpoint)
SIP signaling | TCP | 25000 to 29999 | 5060 (Unified CM)
Secure SIP signaling | TLS | 25000 to 29999 | 5061 (Unified CM)
* The default media traversal port range is 36000 to 59999, and is set on the Expressway-C at Configuration > Traversal Subzone. In Large Expressway systems the first 12 ports in the range – 36000 to 36011 by default – are always reserved for multiplexed traffic. The Expressway-E listens on these ports. You cannot configure a distinct range of demultiplex listening ports on Large systems: they always use the first 6 pairs in the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the Expressway-E (Configuration > Traversal > Ports). If you choose not to configure a particular pair of ports (Use configured demultiplexing ports = No), then the Expressway-E will listen on the first pair of ports in the media traversal port range (36000 and 36001 by default).
Note that:

■ Ports 8191/8192 TCP and 8883/8884 TCP are used internally within the Expressway-C and the Expressway-E applications. Therefore these ports must not be allocated for any other purpose. The Expressway-E listens externally on port 8883; therefore we recommend that you create custom firewall rules on the external LAN interface to drop TCP traffic on that port.

■ The Expressway-E listens on port 2222 for SSH tunnel traffic. The only legitimate sender of such traffic is the Expressway-C (cluster). Therefore we recommend that you create the following firewall rules for the SSH tunnels service:

  — one or more rules to allow all of the Expressway-C peer addresses (via the internal LAN interface, if appropriate)

  — followed by a lower priority (higher number) rule that drops all traffic for the SSH tunnels service (on the internal LAN interface if appropriate, and if so, another rule to drop all traffic on the external interface)
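The two firewall recommendations above, and the demultiplex-port rule from the media port footnote, modelled so that the ordering point (peer allow rules before the catch-all drop) can be checked rather than just read. This is an added Python example, not Cisco's code or an Expressway configuration: the Expressway-C peer addresses are constructed, the Rule/evaluate objects are this example's own abstraction of an ordered first-match firewall, and the configured_pair parameter is an assumed way of representing the Small/Medium "Use configured demultiplexing ports" setting.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addresses (not from the deployment guide): two
# Expressway-C cluster peers on the internal LAN, used to build allow rules.
EXPRESSWAY_C_PEERS = ["10.0.1.10", "10.0.1.11"]

# Ports named in the guide's note.
SSH_TUNNEL_PORT = 2222     # Expressway-E listens here for SSH tunnels from Expressway-C
INTERNAL_ONLY_PORT = 8883  # used internally by the applications, yet listened on externally


@dataclass
class Rule:
    """One firewall rule. Rules are evaluated in list order (first match wins),
    so an earlier position corresponds to a higher-priority (lower-numbered) rule."""
    interface: str   # "internal" or "external" LAN interface
    proto: str       # "tcp" or "udp"
    dport: int
    action: str      # "allow" or "drop"
    src: Optional[ipaddress.IPv4Network] = None  # None matches any source

    def matches(self, interface: str, proto: str, src_ip: str, dport: int) -> bool:
        if (self.interface, self.proto, self.dport) != (interface, proto, dport):
            return False
        return self.src is None or ipaddress.ip_address(src_ip) in self.src


def expressway_e_rules(peers: List[str]) -> List[Rule]:
    """Ordered rule list implementing the guide's recommendations: allow each
    Expressway-C peer to the SSH tunnel port, then drop all other SSH tunnel
    traffic on both interfaces, and drop external TCP traffic to port 8883."""
    rules = [Rule("internal", "tcp", SSH_TUNNEL_PORT, "allow", ipaddress.ip_network(p))
             for p in peers]
    rules.append(Rule("internal", "tcp", SSH_TUNNEL_PORT, "drop"))
    rules.append(Rule("external", "tcp", SSH_TUNNEL_PORT, "drop"))
    rules.append(Rule("external", "tcp", INTERNAL_ONLY_PORT, "drop"))
    return rules


def misordered_rules(peers: List[str]) -> List[Rule]:
    """The same rules with the catch-all drops placed at higher priority than the
    peer allow rules: the mistake the guide's ordering advice exists to avoid."""
    rules = expressway_e_rules(peers)
    return rules[len(peers):] + rules[:len(peers)]


def evaluate(rules: List[Rule], interface: str, proto: str, src_ip: str, dport: int) -> str:
    """First-match evaluation. Returns the matching rule's action, or
    "no custom rule" when nothing matches (the service's own policy then applies)."""
    for rule in rules:
        if rule.matches(interface, proto, src_ip, dport):
            return rule.action
    return "no custom rule"


def demux_listening_ports(range_start: int = 36000, large_system: bool = True,
                          configured_pair: Optional[List[int]] = None) -> List[int]:
    """Ports on which Expressway-E listens for multiplexed RTP/RTCP, per the media
    port footnote: Large systems always reserve the first 6 pairs (12 ports) of the
    media traversal range; Small/Medium systems use the explicitly configured pair,
    or the first pair of the range when none is configured (Use configured
    demultiplexing ports = No). configured_pair is this example's assumed
    representation of that setting."""
    if large_system:
        return list(range(range_start, range_start + 12))
    if configured_pair is not None:
        return list(configured_pair)
    return [range_start, range_start + 1]


if __name__ == "__main__":
    rules = expressway_e_rules(EXPRESSWAY_C_PEERS)
    print("peer -> 2222 (internal):", evaluate(rules, "internal", "tcp", "10.0.1.10", 2222))
    print("other host -> 2222 (internal):", evaluate(rules, "internal", "tcp", "10.0.7.3", 2222))
    print("outside -> 8883 (external):", evaluate(rules, "external", "tcp", "203.0.113.5", 8883))
    print("peer -> 2222 with misordered rules:",
          evaluate(misordered_rules(EXPRESSWAY_C_PEERS), "internal", "tcp", "10.0.1.10", 2222))
    print("Large-system demux ports:", demux_listening_ports())
```

The misordered_rules case is the one worth running: with the catch-all drop ahead of the peer allows, the Expressway-C peers themselves lose the SSH tunnel, which is why the guide specifies the drop as the lower-priority (higher-numbered) rule.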
Additional Information
Unified CM Dial Plan
The Unified CM dial plan is not impacted by devices registering via Expressway. Remote and mobile devices still register directly to Unified CM and their dial plan will be the same as when it is registered locally.
Deploying Unified CM and Expressway in Different Domains
Unified CM nodes and Expressway peers can be located in different domains. For example, your Unified CM nodes may be in the enterprise.com domain and your Expressway system may be in the edge.com domain.

In this case, Unified CM nodes must use IP addresses or FQDNs for the Server host name / IP address to ensure that Expressway can route traffic to the relevant Unified CM nodes.
Unified CM servers and IM&P servers must share the same domain.
Mobile and Remote Access Through Cisco Expressway Deployment Guide