Cisco Cisco TelePresence Video Communication Server Expressway
media traversal port range (36000 and 36001 by default). In this case, we recommend that you close the
previously configured ports after you configure the firewall for the new ports.
previously configured ports after you configure the firewall for the new ports.
Inbound (DMZ > Internal network)
As VCS Control to VCS Expressway communications are always initiated from the VCS Control to the VCS
Expressway (VCS Expressway sending messages by responding to VCS Control’s messages) no ports
need to be opened from DMZ to Internal for call handling.
Expressway (VCS Expressway sending messages by responding to VCS Control’s messages) no ports
need to be opened from DMZ to Internal for call handling.
However, if the VCS Expressway needs to communicate with local services, such as a Syslog server, some
of the following NAT configurations may be required:
of the following NAT configurations may be required:
Purpose
Source Destination
Source
IP
IP
Source port Transport
protocol
Dest. IP
Dest.
port
port
Logging
VCSe
Syslog server
192.0.2.2 30000 to
35999
UDP
10.0.0.13 514
Management
VCSe
Cisco TMS
server
server
192.0.2.2 >=1024
TCP
10.0.0.14 80 / 443
LDAP (for log in, if
required)
required)
VCSe
LDAP server
192.0.2.2 30000 to
35999
TCP
389 /
636
636
NTP (time sync)
VCSe
Local NTP
server
server
192.0.2.2 123
UDP
123
DNS
VCSe
Local DNS
server
server
192.0.2.2 >=1024
UDP
53
Traffic destined for logging or management server addresses (using specific destination ports) must be
routed to the internal network.
routed to the internal network.
External firewall configuration requirement
In this example it is assumed that outbound connections (from DMZ to external network) are all permitted by
the firewall device.
the firewall device.
Ensure that any SIP or H.323 "fixup" ALG or awareness functionality is disabled on the NAT firewall – if
enabled this will adversely interfere with the VCS functionality.
enabled this will adversely interfere with the VCS functionality.
Inbound (Internet > DMZ)
Purpose
Source
Dest.
Source
IP
IP
Source
port
port
Transport
protocol
protocol
Dest. IP
Dest. port
H.323 endpoints registering with Assent
RAS Assent
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 1719
Q.931/H.225 and
H.245
H.245
Endpoint VCSe Any
>=1024
TCP
192.0.2.2 2776
RTP Assent
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 36000
RTCP Assent
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 36001
H.323 endpoints registering with public IP addresses
Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway) Deploy-
ment Guide (X8.5.2)
ment Guide (X8.5.2)
Page 53 of 67
Appendix 3: Firewall and NAT settings