Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 3: Firewall and NAT Settings
Internal Firewall Configuration
In many deployments outbound connections (from internal network to DMZ) will be permitted by the NAT/firewall
device. If the administrator wants to restrict this further, the following tables provide the permissive rules required. For
further information, see
device. If the administrator wants to restrict this further, the following tables provide the permissive rules required. For
further information, see
.
Ensure that any SIP or H.323 ‘fixup’ ALG or awareness functionality is disabled on the NAT firewall – if enabled this
will adversely interfere with the VCS functionality.
will adversely interfere with the VCS functionality.
Outbound (Internal Network > DMZ)
Purpose
Source
Dest.
Source
IP
IP
Source
port
port
Transport
protocol
protocol
Dest. IP
Dest. port
Management
Management
computer
computer
VCSe
As
required
required
>=1024
TCP
192.0.2.2 80 / 443 / 22 / 23
SNMP
monitoring
monitoring
Management
computer
computer
VCSe
As
required
required
>=1024
UDP
192.0.2.2 161
H.323 traversal calls using Assent
RAS Assent
VCSc
VCSe
Any
1719
UDP
192.0.2.2 6001
Q.931/H.225
and H.245
and H.245
VCSc
VCSe
Any
15000 to
19999
19999
TCP
192.0.2.2 2776
RTP Assent
VCSc
VCSe
Any
36002 to
59999 *
59999 *
UDP
192.0.2.2 36000 *
RTCP Assent
VCSc
VCSe
Any
36002 to
59999 *
59999 *
UDP
192.0.2.2 36001 *
SIP traversal calls
SIP TCP/TLS
VCSc
VCSe
10.0.0.2 25000 to
29999
TCP
192.0.2.2 Traversal zone
ports, e.g. 7001
RTP Assent
VCSc
VCSe
10.0.0.2 36002 to
59999 *
UDP
192.0.2.2 36000 *
RTCP Assent
VCSc
VCSe
10.0.0.2 36002 to
59999 *
UDP
192.0.2.2 36001 *
When ICE is enabled on
VCS Control
zones and the
VCS Expressway
is used as the TURN server
TURN server
control
control
VCSc
VCSe
Any
>=1024
UDP
192.0.2.2 3478 **
TURN server
media
media
VCSc
VCSe
Any
>=1024
UDP
192.0.2.2 24000 to 29999 **
* On new installations of X8.1 or later, the default media traversal port range is 36000 to 59999, and is set on the VCS
Control (Configuration > Local Zones > Traversal Subzone). In Large VCS Expressway systems the first 12 ports in
the range – 36000 to 36011 by default – are always reserved for multiplexed traffic. The VCS Expressway listens on
these ports. You cannot configure a distinct range of demultiplex listening ports on Large systems: they always use
the first 6 pairs in the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for
multiplexed RTP/RTCP traffic, on the VCS Expressway (Configuration > Traversal > Ports). On upgrades to X8.2 or
Control (Configuration > Local Zones > Traversal Subzone). In Large VCS Expressway systems the first 12 ports in
the range – 36000 to 36011 by default – are always reserved for multiplexed traffic. The VCS Expressway listens on
these ports. You cannot configure a distinct range of demultiplex listening ports on Large systems: they always use
the first 6 pairs in the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for
multiplexed RTP/RTCP traffic, on the VCS Expressway (Configuration > Traversal > Ports). On upgrades to X8.2 or
59
Cisco VCS Expressway and VCS Control - Basic Configuration Deployment Guide
Appendix 3: Firewall and NAT Settings