Cisco TelePresence Video Communication Server Expressway
Appendix 3: Firewall and NAT Settings
Internal Firewall Configuration
In many deployments outbound connections (from internal network to DMZ) will be permitted by the NAT/firewall device. If the administrator wants to restrict this further, the following tables provide the permissive rules required. For further information, see .
Ensure that any SIP or H.323 ‘fixup’ ALG or awareness functionality is disabled on the NAT firewall – if enabled this will adversely interfere with the VCS functionality.
Outbound (Internal Network > DMZ)

| Purpose | Source | Dest. | Source IP | Source port | Transport protocol | Dest. IP | Dest. port |
|---|---|---|---|---|---|---|---|
| Management | Management computer | VCSe | As required | >=1024 | TCP | 192.0.2.2 | 80 / 443 / 22 / 23 |
| SNMP monitoring | Management computer | VCSe | As required | >=1024 | UDP | 192.0.2.2 | 161 |
| H.323 traversal calls using Assent | | | | | | | |
| RAS Assent | VCSc | VCSe | Any | 1719 | UDP | 192.0.2.2 | 6001 |
| Q.931/H.225 and H.245 | VCSc | VCSe | Any | 15000 to 19999 | TCP | 192.0.2.2 | 2776 |
| RTP Assent | VCSc | VCSe | Any | 36002 to 59999 * | UDP | 192.0.2.2 | 36000 * |
| RTCP Assent | VCSc | VCSe | Any | 36002 to 59999 * | UDP | 192.0.2.2 | 36001 * |
| SIP traversal calls | | | | | | | |
| SIP TCP/TLS | VCSc | VCSe | 10.0.0.2 | 25000 to 29999 | TCP | 192.0.2.2 | Traversal zone ports, e.g. 7001 |
| RTP Assent | VCSc | VCSe | 10.0.0.2 | 36002 to 59999 * | UDP | 192.0.2.2 | 36000 * |
| RTCP Assent | VCSc | VCSe | 10.0.0.2 | 36002 to 59999 * | UDP | 192.0.2.2 | 36001 * |
| When ICE is enabled on VCS Control zones and the VCS Expressway is used as the TURN server | | | | | | | |
| TURN server control | VCSc | VCSe | Any | >=1024 | UDP | 192.0.2.2 | 3478 ** |
| TURN server media | VCSc | VCSe | Any | >=1024 | UDP | 192.0.2.2 | 24000 to 29999 ** |
* On new installations of X8.1 or later, the default media traversal port range is 36000 to 59999, and is set on the VCS Control (Configuration > Local Zones > Traversal Subzone). In Large VCS Expressway systems the first 12 ports in the range – 36000 to 36011 by default – are always reserved for multiplexed traffic. The VCS Expressway listens on these ports. You cannot configure a distinct range of demultiplex listening ports on Large systems: they always use the first 6 pairs in the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the VCS Expressway (Configuration > Traversal > Ports). On upgrades to X8.2 or later, the VCS Control retains the media traversal port range from the previous version (could be 50000 - 54999 or 36000 - 59999,
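The following is an added example, not part of the Cisco guide: it encodes the outbound rule table above as data and checks whether a given internal-to-DMZ flow is covered by one of the documented rules, so an administrator can test a proposed restrictive firewall policy against the minimum the table requires. It assumes the table's addresses (VCS Control 10.0.0.2, VCS Expressway 192.0.2.2), a constructed management host 10.0.0.50 for the "As required" rows, and encodes "Traversal zone ports, e.g. 7001" using only the table's example value.

```python
import re

# Outbound (internal network > DMZ) rules transcribed from the table above.
# VCSC/VCSE addresses are the table's; MGMT is a constructed placeholder for the
# "As required" management computer.
VCSC, VCSE, MGMT = "10.0.0.2", "192.0.2.2", "10.0.0.50"
RULES = [
    # purpose, source IP ("any" = Any), protocol, source port, dest IP, dest port
    ("Management", MGMT, "tcp", ">=1024", VCSE, "80 / 443 / 22 / 23"),
    ("SNMP monitoring", MGMT, "udp", ">=1024", VCSE, "161"),
    ("H.323 RAS Assent", "any", "udp", "1719", VCSE, "6001"),
    ("H.323 Q.931/H.225 and H.245", "any", "tcp", "15000 to 19999", VCSE, "2776"),
    ("H.323 RTP Assent", "any", "udp", "36002 to 59999", VCSE, "36000"),
    ("H.323 RTCP Assent", "any", "udp", "36002 to 59999", VCSE, "36001"),
    # "Traversal zone ports, e.g. 7001": only the table's example port is encoded
    ("SIP TCP/TLS", VCSC, "tcp", "25000 to 29999", VCSE, "7001"),
    ("SIP RTP Assent", VCSC, "udp", "36002 to 59999", VCSE, "36000"),
    ("SIP RTCP Assent", VCSC, "udp", "36002 to 59999", VCSE, "36001"),
    ("TURN server control", "any", "udp", ">=1024", VCSE, "3478"),
    ("TURN server media", "any", "udp", ">=1024", VCSE, "24000 to 29999"),
]

def parse_ports(spec):
    """Convert the table's port notation (">=1024", "15000 to 19999",
    "80 / 443 / 22 / 23") into a list of inclusive (low, high) ranges."""
    spec = spec.strip()
    if spec.startswith(">="):
        return [(int(spec[2:]), 65535)]
    ranges = []
    for part in spec.split("/"):
        m = re.fullmatch(r"\s*(\d+)(?:\s+to\s+(\d+))?\s*", part)
        if m is None:
            raise ValueError(f"unrecognised port specification: {spec!r}")
        ranges.append((int(m.group(1)), int(m.group(2) or m.group(1))))
    return ranges

def in_ranges(port, ranges):
    return any(low <= port <= high for low, high in ranges)

def permitted(src_ip, src_port, proto, dst_ip, dst_port):
    """Return the purpose of the first documented rule matching this outbound
    flow, or None when no rule covers it (the firewall should deny it)."""
    for purpose, src, rule_proto, sport, dst, dport in RULES:
        if rule_proto != proto.lower() or dst != dst_ip:
            continue
        if src != "any" and src != src_ip:
            continue
        if in_ranges(src_port, parse_ports(sport)) and in_ranges(dst_port, parse_ports(dport)):
            return purpose
    return None
```

Note that a VCS Control source port of 36001 is rejected for RTP, since the table's source range starts at 36002 while 36000/36001 are the VCS Expressway's listening ports.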
48
Cisco VCS Expressway and VCS Control - Basic Configuration Deployment Guide