Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 3: Firewall and NAT settings
Internal firewall configuration
In many deployments outbound connections (from internal network to DMZ) will be permitted by the
NAT/firewall device. If the administrator wants to restrict this further, the following tables provide the
permissive rules required. For further information, see
NAT/firewall device. If the administrator wants to restrict this further, the following tables provide the
permissive rules required. For further information, see
Ensure that any SIP or H.323 ‘fixup’ ALG or awareness functionality is disabled on the NAT firewall – if
enabled this will adversely interfere with the VCS functionality.
enabled this will adversely interfere with the VCS functionality.
Outbound (Internal network > DMZ)
Purpose
Source
Dest.
Source
IP
IP
Source
port
port
Transport
protocol
protocol
Dest. IP
Dest. port
Management
Management
computer
computer
VCSe As
required
>=1024
TCP
192.0.2.2 80 / 443 / 22 / 23
SNMP
monitoring
monitoring
Management
computer
computer
VCSe As
required
>=1024
UDP
192.0.2.2 161
H.323 traversal calls using Assent
RAS Assent
VCSc
VCSe Any
1719
UDP
192.0.2.2 6001
Q.931/H.225
and H.245
and H.245
VCSc
VCSe Any
15000 to
19999
19999
TCP
192.0.2.2 2776
RTP Assent
VCSc
VCSe Any
36002 to
59999 *
59999 *
UDP
192.0.2.2 36000 *
RTCP Assent
VCSc
VCSe Any
36002 to
59999 *
59999 *
UDP
192.0.2.2 36001 *
SIP traversal calls
SIP TCP/TLS
VCSc
VCSe 10.0.0.2
25000 to
29999
29999
TCP
192.0.2.2 Traversal zone
ports, e.g. 7001
RTP Assent
VCSc
VCSe 10.0.0.2
36002 to
59999 *
59999 *
UDP
192.0.2.2 36000 *
RTCP Assent
VCSc
VCSe 10.0.0.2
36002 to
59999 *
59999 *
UDP
192.0.2.2 36001 *
* On new installations of X8.1 or later, the default media traversal port range is 36000 to 59999, and is set on
the VCS Control (
the VCS Control (
Configuration > Local Zones > Traversal Subzone
). In Large VCS Expressway
systems the first 12 ports in the range – 36000 to 36011 by default – are always reserved for multiplexed
traffic. The VCS Expressway listens on these ports. You cannot configure a distinct range of demultiplex
listening ports on Large systems: they always use the first 6 pairs in the media port range. On Small/Medium
systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the VCS
Expressway (
traffic. The VCS Expressway listens on these ports. You cannot configure a distinct range of demultiplex
listening ports on Large systems: they always use the first 6 pairs in the media port range. On Small/Medium
systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the VCS
Expressway (
Configuration > Traversal > Ports
). On upgrades to X8.2 or later, the VCS Control retains
the media traversal port range from the previous version (could be 50000 - 54999 or 36000 - 59999, depending
on source version). The VCS Expressway retains the previously configured demultiplexing pair (either 2776
& 2777 or 50000 & 50001 by default, depending on upgrade path) and the switch Use configured
demultiplexing ports is set to Yes. If you do not want to use a particular pair of ports, switch Use
configured demultiplexing ports to No, then the VCS Expressway will listen on the first pair of ports in the
on source version). The VCS Expressway retains the previously configured demultiplexing pair (either 2776
& 2777 or 50000 & 50001 by default, depending on upgrade path) and the switch Use configured
demultiplexing ports is set to Yes. If you do not want to use a particular pair of ports, switch Use
configured demultiplexing ports to No, then the VCS Expressway will listen on the first pair of ports in the
Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway) Deploy-
ment Guide (X8.5.2)
ment Guide (X8.5.2)
Page 52 of 67
Appendix 3: Firewall and NAT settings