Cisco Expressway Maintenance Manual
Configuring your firewall for Jabber Guest traffic
This section summarizes the ports that need to be opened for Jabber Guest traffic on the firewalls between
your internal network (where the Expressway-C is located) and the DMZ (where the Expressway-E is
located), and between the DMZ and the public internet.
Inbound from public internet to Expressway-E (DMZ)
Purpose                          Protocol   Internet endpoint (source)   Expressway-E (listening)
HTTPS traffic (see notes below)  TCP        TCP source port              9443
HTTP traffic (see notes below)   TCP        TCP source port              9980
TURN server control / media      UDP        UDP source port              3478 (small/medium system)
                                                                         3478-3483 (default range on large system)*
Note that:
- HTTP and HTTPS traffic from Jabber Guest clients on the internet is sent to TCP ports 80 and 443
  respectively. The firewall between the Expressway-E and the public internet must therefore translate
  destination port 80 to 9980 and destination port 443 to 9443 for all TCP traffic that targets the
  Expressway-E address.
- 80/443 TCP are the standard HTTP/S administration interfaces on the Expressway. If the Expressway-E
  is administered from systems located on the internet, the firewall translation must also distinguish by
  source address: traffic arriving from those management systems must keep its original destination port
  (80 or 443), while traffic from any other source is translated to 9980 or 9443. Because a generic
  "translate 443 to 9443" rule would otherwise also capture the management systems, the source-address
  exception must be matched before the generic translation, and it should be limited to the specific
  management addresses rather than a broad range.
- You also need to ensure that appropriate DNS records exist so that the Jabber Guest client can reach the
  Expressway-E. The FQDN of the Expressway-E in DNS must include the Jabber Guest domain, so in this
  case it could be expressway.example.com. Use round-robin DNS if it is a cluster of Expressway-Es.
  Note that this is public DNS configuration and it does not impose any configuration requirements on the
  Expressway-E itself (host name / domain name on the DNS page, the cluster name, and so on).
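The destination-port translation with the management-system carve-out described above is easy to get wrong when rules are evaluated first-match. The following added example (not Cisco's configuration and not from this guide) models that policy: it evaluates the translation a Jabber Guest client or a management host would experience, shows what happens when the exception is ordered after the generic rule, and renders the same policy as nftables syntax for a Linux-based edge firewall. The Expressway-E public address 203.0.113.10 and the management network 198.51.100.0/24 are constructed RFC 5737 documentation addresses.

```python
"""Model of the internet-facing firewall's destination-NAT policy for
Jabber Guest: translate 80->9980 and 443->9443 for traffic to the
Expressway-E, but leave traffic from management hosts untranslated so the
administration interface on 80/443 stays reachable.

Added example, not Cisco's configuration. Addresses are constructed
RFC 5737 documentation addresses (assumptions, not values from the guide).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXPRESSWAY_E_PUBLIC = "203.0.113.10"     # assumed public/NAT address of the Expressway-E
MGMT_SOURCES = ["198.51.100.0/24"]       # assumed internet-side management network


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp" or "udp"
    dport: int              # original destination port to match
    src: Optional[str]      # source prefix to match, or None for any source
    action: str             # "accept" (no translation) or "dnat"
    to_port: Optional[int] = None


def build_rules(mgmt_sources=MGMT_SOURCES):
    """Ordered policy: management exception first, generic translation after."""
    rules = []
    # First-match semantics: the exception must precede the generic rule.
    for net in mgmt_sources:
        rules.append(Rule("tcp", 443, net, "accept"))
        rules.append(Rule("tcp", 80, net, "accept"))
    # Everyone else hitting 80/443 on the Expressway-E is a Jabber Guest client.
    rules.append(Rule("tcp", 443, None, "dnat", 9443))
    rules.append(Rule("tcp", 80, None, "dnat", 9980))
    return rules


def translate(rules, proto, src_ip, dst_ip, dport):
    """Return the destination port the Expressway-E sees after the policy runs."""
    if dst_ip != EXPRESSWAY_E_PUBLIC:
        return dport                      # policy only applies to the Expressway-E address
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto != proto or r.dport != dport:
            continue
        if r.src is not None and src not in ipaddress.ip_network(r.src):
            continue
        return r.to_port if r.action == "dnat" else dport
    return dport                          # no rule matched: no translation (e.g. UDP 3478)


def render_nft(rules, table="nat", chain="prerouting"):
    """Render the same policy as an nftables ruleset (Linux edge firewall assumed)."""
    lines = [f"table ip {table} {{", f"  chain {chain} {{",
             "    type nat hook prerouting priority dstnat;"]
    for r in rules:
        match = f"ip daddr {EXPRESSWAY_E_PUBLIC} {r.proto} dport {r.dport}"
        if r.src:
            match = f"ip saddr {r.src} " + match
        if r.action == "dnat":
            lines.append(f"    {match} dnat to :{r.to_port}")
        else:
            # "accept" in a nat chain ends evaluation, so later dnat rules do not apply.
            lines.append(f"    {match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft(build_rules()))
```

Running the module prints the nftables rendering; the `translate` function is the check to run against a matrix of sources and ports before deploying, since a ruleset that is merely reordered (generic translation first) silently redirects the management systems to the Jabber Guest service on 9443.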
Inbound from Expressway-E (external/NAT address) to Expressway-C (private)
Purpose   Protocol   Expressway-E (source external/NAT address)   Expressway-C (listening)
Media     UDP        24000 to 29999                               36002 to 59999 **
Jabber Guest media does not go through the traversal link between Expressway-E and Expressway-C. You
may find that two-way media can still be established even if the Expressway-E to Expressway-C rules
described above are not applied. This is because the outbound media from the Expressway-C creates a
pinhole in the stateful firewall that lets the return traffic in. However, these rules are required to support
uni-directional media (that is, media flowing only from outside to inside), where no outbound packet
exists to open that pinhole.
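The pinhole behaviour is what makes a missing inbound media rule hard to notice in testing. The following added example (a toy model, not part of the guide and not modelling any particular firewall product) simulates a connection-tracking firewall between the DMZ and the internal network: a two-way call passes with no inbound rule because the Expressway-C's outbound packet creates the flow entry, while media that only flows inward is dropped until the rule from the table above is present. The addresses 203.0.113.10 (Expressway-E external/NAT) and 10.0.0.20 (Expressway-C) are constructed; the port ranges are the ones in the table.

```python
"""Toy connection-tracking firewall showing why the explicit
Expressway-E -> Expressway-C UDP media rule is still required.

Added example with constructed addresses; it does not model any
particular firewall product.
"""
from dataclasses import dataclass

EXPRESSWAY_E_EXT = "203.0.113.10"   # assumed Expressway-E external/NAT address
EXPRESSWAY_C = "10.0.0.20"          # assumed Expressway-C private address

# The inbound rule from the guide's table: E (external address) -> C, UDP 36002-59999.
INBOUND_MEDIA_RULE = {"src": EXPRESSWAY_E_EXT, "dst": EXPRESSWAY_C,
                      "dports": range(36002, 60000)}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int          # UDP only in this model


class StatefulFirewall:
    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules
        # Flow table: (inside_ip, inside_port, outside_ip, outside_port)
        self.conntrack = set()

    @staticmethod
    def _inside(ip):
        return ip.startswith("10.")   # internal network in this model

    def process(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        if self._inside(pkt.src):
            # Outbound is permitted and opens the return pinhole.
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: permitted if it is the reply leg of a tracked flow ...
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return True
        # ... or if an explicit inbound rule allows it.
        for r in self.inbound_rules:
            if pkt.src == r["src"] and pkt.dst == r["dst"] and pkt.dport in r["dports"]:
                return True
        return False


def two_way_call(fw):
    """Expressway-C sends first, then the Expressway-E's media comes back."""
    fw.process(Packet(EXPRESSWAY_C, 36002, EXPRESSWAY_E_EXT, 24000))
    return fw.process(Packet(EXPRESSWAY_E_EXT, 24000, EXPRESSWAY_C, 36002))


def one_way_inbound(fw):
    """Media that only flows outside -> inside: nothing has opened a pinhole."""
    return fw.process(Packet(EXPRESSWAY_E_EXT, 24001, EXPRESSWAY_C, 36004))
```

A test call from a client with audio and video in both directions therefore proves nothing about the inbound rule; to check it, send media toward the Expressway-C from the Expressway-E's external address on a port in 36002-59999 before anything has gone the other way.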
Cisco Expressway Administrator Guide (X8.5.1)