Cisco Cisco Expressway Maintenance Manual
Configuring Ports for Firewall Traversal
Ports play a vital part in firewall traversal configuration. The correct ports must be set on the Expressway-E, traversal
client and firewall in order for connections to be permitted.
client and firewall in order for connections to be permitted.
Ports are initially configured on the Expressway-E by the Expressway-E administrator. The firewall administrator and
the traversal client administrator should then be notified of the ports, and they must configure their systems to
connect to these specific ports on the server. The only port configuration required on the traversal client is the range
of ports it uses for outgoing connections; the firewall administrator may need to know this information so that if
necessary they can configure the firewall to allow outgoing connections from those ports.
the traversal client administrator should then be notified of the ports, and they must configure their systems to
connect to these specific ports on the server. The only port configuration required on the traversal client is the range
of ports it uses for outgoing connections; the firewall administrator may need to know this information so that if
necessary they can configure the firewall to allow outgoing connections from those ports.
the Expressway, both inbound and outbound. This information can be provided to your firewall administrator so that
the firewall can be configured appropriately.
the firewall can be configured appropriately.
When Advanced Networking is enabled, all ports configured on the Expressway, including those relating to firewall
traversal, apply to both IP addresses; you cannot configure ports separately for each IP address.
traversal, apply to both IP addresses; you cannot configure ports separately for each IP address.
The Expressway solution works as follows:
1.
Each traversal client connects via the firewall to a unique port on the Expressway-E.
2.
The server identifies each client by the port on which it receives the connection, and the authentication
credentials provided by the client.
credentials provided by the client.
3.
After the connection has been established, the client regularly sends a probe to the Expressway-E to keep the
connection alive.
connection alive.
4.
When the Expressway-E receives an incoming call for the client, it uses this initial connection to send an
incoming call request to the client.
incoming call request to the client.
5.
The client then initiates one or more outbound connections. The destination ports used for these connections
differ for signaling and/or media, and depend on the protocol being used (see the following sections for more
details).
differ for signaling and/or media, and depend on the protocol being used (see the following sections for more
details).
Configuring the Firewall
For Expressway firewall traversal to function correctly, your firewall must be configured to:
■
allow initial outbound traffic from the client to the ports being used by the Expressway-E
■
allow return traffic from those ports on the Expressway-E back to the originating client
Note:
we recommend that you turn off any H.323 and SIP protocol support on the firewall: these are not needed in
conjunction with the Expressway solution and may interfere with its operation.
Configuring Traversal Server Ports
The Expressway-E has specific listening ports used for firewall traversal. Rules must be set on your firewall to allow
connections to these ports. In most cases the default ports should be used. However, you have the option to change
these ports if necessary by going to the Ports page (Configuration > Traversal > Ports).
connections to these ports. In most cases the default ports should be used. However, you have the option to change
these ports if necessary by going to the Ports page (Configuration > Traversal > Ports).
The configurable ports for signaling are:
■
H.323 Assent call signaling port; default is 2776
■
H.323 H.460.18 call signaling port; default is 2777
RTP and RTCP Media Demultiplexing Ports
43
Cisco Expressway Administrator Guide
Firewall Traversal