Cisco TelePresence Video Communication Server Expressway
later, the VCS Control retains the media traversal port range from the previous version (could be 50000 - 54999 or
36000 - 59999, depending on source version). The VCS Expressway retains the previously configured demultiplexing
pair (either 2776 & 2777 or 50000 & 50001 by default, depending on upgrade path) and the switch Use configured
demultiplexing ports is set to Yes. If you do not want to use a particular pair of ports, switch Use configured
demultiplexing ports to No; the VCS Expressway will then listen on the first pair of ports in the media traversal port
range (36000 and 36001 by default). In this case, we recommend that you close the previously configured ports after
you configure the firewall for the new ports.
Inbound (DMZ > Internal network)
As VCS Control to VCS Expressway communications are always initiated from the VCS Control to the VCS
Expressway (the VCS Expressway sends messages only in response to the VCS Control's messages), no ports need to be
opened from DMZ to Internal for call handling.
However, if the VCS Expressway needs to communicate with local services, such as a Syslog server, some of the
following NAT configurations may be required:
| Purpose                        | Source | Destination      | Source IP | Source port    | Transport protocol | Dest. IP  | Dest. port |
|--------------------------------|--------|------------------|-----------|----------------|--------------------|-----------|------------|
| Logging                        | VCSe   | Syslog server    | 192.0.2.2 | 30000 to 35999 | UDP                | 10.0.0.13 | 514        |
| Management                     | VCSe   | Cisco TMS server | 192.0.2.2 | >=1024         | TCP                | 10.0.0.14 | 80 / 443   |
| LDAP (for log in, if required) | VCSe   | LDAP server      | 192.0.2.2 | 30000 to 35999 | TCP                |           | 389 / 636  |
| NTP (time sync)                | VCSe   | Local NTP server | 192.0.2.2 | 123            | UDP                |           | 123        |
| DNS                            | VCSe   | Local DNS server | 192.0.2.2 | >=1024         | UDP                |           | 53         |
Traffic destined for logging or management server addresses (using specific destination ports) must be routed to the
internal network.
External Firewall Configuration Requirement
In this example it is assumed that outbound connections (from DMZ to external network) are all permitted by the
firewall device.
Ensure that any SIP or H.323 "fixup" ALG or awareness functionality is disabled on the NAT firewall – if enabled this
will adversely interfere with the VCS functionality.
Inbound (Internet > DMZ)
H.323 endpoints registering with Assent:

| Purpose                | Source   | Dest. | Source IP | Source port | Transport protocol | Dest. IP  | Dest. port |
|------------------------|----------|-------|-----------|-------------|--------------------|-----------|------------|
| RAS Assent             | Endpoint | VCSe  | Any       | >=1024      | UDP                | 192.0.2.2 | 1719       |
| Q.931/H.225 and H.245  | Endpoint | VCSe  | Any       | >=1024      | TCP                | 192.0.2.2 | 2776       |
| RTP Assent             | Endpoint | VCSe  | Any       | >=1024      | UDP                | 192.0.2.2 | 36000      |
| RTCP Assent            | Endpoint | VCSe  | Any       | >=1024      | UDP                | 192.0.2.2 | 36001      |
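The Internet > DMZ rules above, encoded as a small policy checker so a firewall change can be verified before it is applied. This is an added example written for this page, not Cisco's or the deployment guide's own code; it assumes the table's VCSe address 192.0.2.2, the default traversal pair 36000/36001, and treats the earlier demultiplexing note as a parameter so the ports left open by an upgrade can be listed.

```python
from dataclasses import dataclass

# VCS Expressway address used in the tables above.
VCSE = "192.0.2.2"


@dataclass(frozen=True)
class Rule:
    purpose: str
    proto: str            # "UDP" or "TCP"
    dst_ip: str
    dst_port: int
    src_min_port: int = 1024  # the table's ">=1024" source-port condition


def inbound_rules(media_pair=(36000, 36001)):
    """Internet > DMZ rules for H.323 endpoints registering with Assent.

    media_pair is the RTP/RTCP demultiplexing pair the VCSe listens on: the
    first pair of the traversal range (36000/36001) when 'Use configured
    demultiplexing ports' is No, otherwise the configured pair (for example
    2776/2777 or 50000/50001 after an upgrade).
    """
    rtp, rtcp = media_pair
    return [
        Rule("RAS Assent", "UDP", VCSE, 1719),
        Rule("Q.931/H.225 and H.245", "TCP", VCSE, 2776),
        Rule("RTP Assent", "UDP", VCSE, rtp),
        Rule("RTCP Assent", "UDP", VCSE, rtcp),
    ]


def match(rules, proto, dst_ip, dst_port, src_port):
    """Return the purpose of the first rule permitting this flow, or None."""
    for r in rules:
        if (r.proto == proto.upper() and r.dst_ip == dst_ip
                and r.dst_port == dst_port and src_port >= r.src_min_port):
            return r.purpose
    return None


def stale_ports(previous_rules, current_rules):
    """(proto, port) pairs that were open for the previous demultiplexing
    pair but the current rule set no longer needs; these are the ports the
    text recommends closing after the firewall is configured for the new pair."""
    current = {(r.proto, r.dst_port) for r in current_rules}
    return sorted({(r.proto, r.dst_port) for r in previous_rules} - current)


if __name__ == "__main__":
    rules = inbound_rules()
    print(match(rules, "udp", VCSE, 1719, 40000))          # RAS Assent
    print(match(rules, "udp", VCSE, 5060, 40000))          # None: not in the table
    print(stale_ports(inbound_rules((50000, 50001)), rules))
```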
Cisco VCS Expressway and VCS Control - Basic Configuration Deployment Guide
Appendix 3: Firewall and NAT Settings