Cisco Cisco TelePresence Video Communication Server Expressway

Appendix 2: Additional Information

Device Authentication Port Reference

H.350 Directory Service

The following table lists the ports used for device authentication between VCS and the H.350 server. They are
configurable via Configuration > Authentication > Devices > H.350 directory service.

Purpose

VCS port

Destination port

H.350 LDAP server

TCP ephemeral port

TCP/389 or TCP/636

Active Directory (Direct)

The following table lists the ports used for device authentication between VCS and the AD system. They are
configurable via Configuration > Authentication > Devices > Active Directory Service.

Purpose

VCS port

Destination port

Kerberos Key Distribution Center

UDP ephemeral port

88 UDP

Kerberos

TCP ephemeral port

88 TCP

VCS with Domain Controller (CLDAP)

UDP ephemeral port

389 UDP

VCS with Domain Controller (LDAP)

TCP ephemeral port

389 / 636 TCP

Client credential authentication with the Domain
Controller (Microsoft-DS). VCS initially tries port 445,
but if that cannot be reached it tries port 139.

TCP ephemeral port

445 / 139 TCP

Certificates for TLS

For the VCS to connect to a server over TLS, the trusted CA certificate installed on the VCS must be able to authorize
that server’s server certificate.

For more information see

Certificate Creation and Use with VCS Deployment Guide

Use with VCS Clusters

Active Directory (Direct)

All authentication configuration is replicated across cluster peers, however the DNS server is configurable
independently on each VCS peer. Make sure that each peer references a DNS server that can look up the AD server,
Kerberos KDC and other required DNS and DNS SRV addresses.

Joining or leaving a domain must be carried out for every peer of the cluster, as each peer independently connects to
the AD server.

Cisco VCS Authenticating Devices Deployment Guide