Cisco TelePresence Video Communication Server Expressway
Appendix 2: Additional Information
Device Authentication Port Reference
H.350 Directory Service
The following table lists the ports used for device authentication between VCS and the H.350 server. They are
configurable via Configuration > Authentication > Devices > H.350 directory service.
Purpose | VCS port | Destination port
H.350 LDAP server | TCP ephemeral port | TCP/389 or TCP/636
Active Directory (Direct)
The following table lists the ports used for device authentication between VCS and the AD system. They are
configurable via Configuration > Authentication > Devices > Active Directory Service.
Purpose | VCS port | Destination port
Kerberos Key Distribution Center | UDP ephemeral port | 88 UDP
Kerberos | TCP ephemeral port | 88 TCP
VCS with Domain Controller (CLDAP) | UDP ephemeral port | 389 UDP
VCS with Domain Controller (LDAP) | TCP ephemeral port | 389 / 636 TCP
Client credential authentication with the Domain Controller (Microsoft-DS). VCS initially tries port 445, but if that cannot be reached it tries port 139. | TCP ephemeral port | 445 / 139 TCP
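The following is an added example, not part of the Cisco guide: a small audit that compares a firewall's egress allow rules against the Active Directory (Direct) rows above and reports which flows are blocked. The (protocol, destination port) rule format, the names Flow, AD_DIRECT_FLOWS, audit and SAMPLE_RULES, and the reading that either port of a "389 / 636" or "445 / 139" row satisfies that row are assumptions made for the example.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    purpose: str
    proto: str
    ports: tuple  # destination ports in the order listed; any one satisfies the row (assumption)

# Rows transcribed from the Active Directory (Direct) table.
# The source port is always an ephemeral port on the VCS, so only destinations are checked.
AD_DIRECT_FLOWS = [
    Flow("Kerberos Key Distribution Center", "udp", (88,)),
    Flow("Kerberos", "tcp", (88,)),
    Flow("VCS with Domain Controller (CLDAP)", "udp", (389,)),
    Flow("VCS with Domain Controller (LDAP)", "tcp", (389, 636)),
    Flow("Client credential authentication (Microsoft-DS)", "tcp", (445, 139)),
]

def audit(rules, flows=AD_DIRECT_FLOWS):
    """rules: iterable of (proto, dest_port) pairs permitted from the VCS
    to the domain controller. Returns (missing, notes):
    missing = purposes with no permitted port at all,
    notes   = rows where only a later-listed port is permitted."""
    allowed = {(proto.lower(), int(port)) for proto, port in rules}
    missing, notes = [], []
    for flow in flows:
        hits = [p for p in flow.ports if (flow.proto, p) in allowed]
        if not hits:
            missing.append(flow.purpose)
        elif hits[0] != flow.ports[0]:
            # e.g. only 139 open: VCS tries 445 first, then falls back to 139.
            # e.g. only 636 open: the LDAP connection has to use that port.
            notes.append(
                f"{flow.purpose}: {flow.proto.upper()}/{flow.ports[0]} is blocked, "
                f"only {flow.proto.upper()}/{hits[0]} is permitted"
            )
    return missing, notes

# Constructed sample rule set (not from a real device): UDP/88 was forgotten,
# and only the second-listed LDAP and Microsoft-DS ports are open.
SAMPLE_RULES = [("tcp", 88), ("udp", 389), ("tcp", 636), ("tcp", 139)]

if __name__ == "__main__":
    missing, notes = audit(SAMPLE_RULES)
    for purpose in missing:
        print("BLOCKED:", purpose)
    for note in notes:
        print("NOTE:", note)
```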
Certificates for TLS
For the VCS to connect to a server over TLS, the trusted CA certificate installed on the VCS must be able to authorize
that server’s server certificate.
Use with VCS Clusters
Active Directory (Direct)
All authentication configuration is replicated across cluster peers; however, the DNS server is configurable
independently on each VCS peer. Make sure that each peer references a DNS server that can look up the AD server,
Kerberos KDC and other required DNS and DNS SRV addresses.
Joining or leaving a domain must be carried out for every peer of the cluster, as each peer independently connects to
the AD server.
Cisco VCS Authenticating Devices Deployment Guide