Cisco Cisco Expressway
Purpose
Protocol
Expressway-C (source)
Unified CM (listening)
HTTP proxy (UDS)
TCP
Ephemeral port
8443 (Unified CM)
HTTP proxy (SOAP)
TCP
Ephemeral port
8443 (IM and Presence
Service)
Service)
HTTP (configuration file retrieval)
TCP
Ephemeral port
6970
CUC (voicemail)
TCP
Ephemeral port
443 (CUC)
Media
UDP
36000 to 59999*
>= 1024
SIP signaling
TCP
25000 to 29999
5060
Secure SIP signaling
TLS
25000 to 29999
5061
* The default media traversal port range is 36000 to 59999, and is set on the Expressway-C at
Configuration
> Traversal Subzone
. In Large Expressway systems the first 12 ports in the range – 36000 to 36011 by
default – are always reserved for multiplexed traffic. The Expressway-E listens on these ports. You cannot
configure a distinct range of demultiplex listening ports on Large systems: they always use the first 6 pairs in
the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for
multiplexed RTP/RTCP traffic, on the Expressway-E (
configure a distinct range of demultiplex listening ports on Large systems: they always use the first 6 pairs in
the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for
multiplexed RTP/RTCP traffic, on the Expressway-E (
Configuration > Traversal > Ports
). If you choose
not to configure a particular pair of ports (Use configured demultiplexing ports = No), then the
Expressway-E will listen on the first pair of ports in the media traversal port range (36000 and 36001 by
default).
Expressway-E will listen on the first pair of ports in the media traversal port range (36000 and 36001 by
default).
Note that:
n
Ports 8191/8192 TCP and 8883/8884 TCP are used internally within the Expressway-C and the
Expressway-E applications. Therefore these ports must not be allocated for any other purpose. The
Expressway-E listens externally on port 8883; therefore we recommend that you create custom firewall
rules on the external LAN interface to drop TCP traffic on that port.
Expressway-E applications. Therefore these ports must not be allocated for any other purpose. The
Expressway-E listens externally on port 8883; therefore we recommend that you create custom firewall
rules on the external LAN interface to drop TCP traffic on that port.
n
The Expressway-E listens on port 2222 for SSH tunnel traffic. The only legitimate sender of such traffic is
the Expressway-C (cluster). Therefore we recommend that you create the following firewall rules for the
SSH tunnels service:
the Expressway-C (cluster). Therefore we recommend that you create the following firewall rules for the
SSH tunnels service:
l
one or more rules to allow all of the Expressway-C peer addresses (via the internal LAN interface, if
appropriate)
appropriate)
l
followed by a lower priority (higher number) rule that drops all traffic for the SSH tunnels service (on the
internal LAN interface if appropriate, and if so, another rule to drop all traffic on the external interface)
internal LAN interface if appropriate, and if so, another rule to drop all traffic on the external interface)
Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.5.1)
Page 37 of 50
Mobile and remote access port reference