Cisco TelePresence Video Communication Server Expressway
However, if the VCS Expressway needs to communicate with local services, such as a Syslog server, some of the following NAT configurations may be required:
| Purpose | Source | Destination | Source IP | Source port | Transport protocol | Dest. IP | Dest. port |
|---|---|---|---|---|---|---|---|
| Logging | VCSe | Syslog server | 192.0.2.2 | 30000 to 35999 | UDP | 10.0.0.13 | 514 |
| Management | VCSe | Cisco TMS server | 192.0.2.2 | >=1024 | TCP | 10.0.0.14 | 80 / 443 |
| LDAP (for log in, if required) | VCSe | LDAP server | 192.0.2.2 | 30000 to 35999 | TCP | | 389 / 636 |
| NTP (time sync) | VCSe | Local NTP server | 192.0.2.2 | 123 | UDP | | 123 |
| DNS | VCSe | Local DNS server | 192.0.2.2 | >=1024 | UDP | | 53 |
Traffic destined for logging or management server addresses (using specific destination ports) must be routed to the internal network.
External firewall configuration requirement
In this example it is assumed that outbound connections (from DMZ to external network) are all permitted by the firewall device.
Ensure that any SIP or H.323 "fixup" ALG or awareness functionality is disabled on the NAT firewall – if enabled this will adversely interfere with the VCS functionality.
Inbound (Internet > DMZ)
| Purpose | Source | Dest. | Source IP | Source port | Transport protocol | Dest. IP | Dest. port |
|---|---|---|---|---|---|---|---|
| H.323 endpoints registering with Assent | | | | | | | |
| RAS Assent | Endpoint | VCSe | Any | >=1024 | UDP | 192.0.2.2 | 1719 |
| Q.931/H.225 and H.245 | Endpoint | VCSe | Any | >=1024 | TCP | 192.0.2.2 | 2776 |
| RTP Assent | Endpoint | VCSe | Any | >=1024 | UDP | 192.0.2.2 | 36000 |
| RTCP Assent | Endpoint | VCSe | Any | >=1024 | UDP | 192.0.2.2 | 36001 |
| H.323 endpoints registering with public IP addresses | | | | | | | |
| RAS | Endpoint | VCSe | Any | 1719 | UDP | 192.0.2.2 | 1719 |
| Q.931/H.225 | Endpoint | VCSe | Any | >=1024 | TCP | 192.0.2.2 | 1720 |
| H.245 | Endpoint | VCSe | Any | >=1024 | TCP | 192.0.2.2 | 15000 to 19999 |
| RTP & RTCP | Endpoint | VCSe | Any | >=1024 | UDP | 192.0.2.2 | 36002 to 59999 |
| SIP endpoints registering using UDP / TCP or TLS | | | | | | | |
| SIP TCP | Endpoint | VCSe | Any | >=1024 | TCP | 192.0.2.2 | 5060 |
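
An added example (not from the Cisco guide): a small audit that compares a firewall rule export against the inbound flows listed above, reporting required flows that are not permitted and permit rules that open ports no listed flow needs. The one-rule-per-line export format and the sample rules are constructed for illustration, and REQUIRED holds only the rows shown on this page, so a flagged rule is a prompt for review rather than proof of a misconfiguration.

```python
from collections import defaultdict
VCSE_IP = "192.0.2.2"  # VCSe address from the table above
# (purpose, protocol, first dest. port, last dest. port): only rows shown on this page
REQUIRED = [
    ("RAS / RAS Assent", "udp", 1719, 1719),
    ("Q.931/H.225 and H.245 (Assent)", "tcp", 2776, 2776),
    ("RTP Assent", "udp", 36000, 36000),
    ("RTCP Assent", "udp", 36001, 36001),
    ("Q.931/H.225", "tcp", 1720, 1720),
    ("H.245", "tcp", 15000, 19999),
    ("RTP & RTCP", "udp", 36002, 59999),
    ("SIP TCP", "tcp", 5060, 5060),
]
# Constructed sample export, one permit rule per line: <proto> <dest ip> <port or lo-hi>
SAMPLE = """
udp 192.0.2.2 1719
tcp 192.0.2.2 1720
tcp 192.0.2.2 5060
tcp 192.0.2.2 15000-19999
udp 192.0.2.2 36000-59999
tcp 192.0.2.2 22          # constructed: not a flow from the table
"""

def parse_rules(text):
    """Parse the hypothetical export format into (proto, dest_ip, lo, hi) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            proto, dst, ports = line.split()
            lo, _, hi = ports.partition("-")
            rules.append((proto.lower(), dst, int(lo), int(hi or lo)))
    return rules

def audit(rules):
    """Return (missing, excess): unpermitted required flows, and rules wider than the table."""
    allowed, needed = defaultdict(set), defaultdict(set)
    for proto, dst, lo, hi in rules:
        if dst == VCSE_IP:
            allowed[proto].update(range(lo, hi + 1))
    for _, proto, lo, hi in REQUIRED:
        needed[proto].update(range(lo, hi + 1))
    missing = [name for name, proto, lo, hi in REQUIRED
               if not set(range(lo, hi + 1)) <= allowed[proto]]
    excess = [r for r in rules if r[1] == VCSE_IP
              and not set(range(r[2], r[3] + 1)) <= needed[r[0]]]
    return missing, excess
if __name__ == "__main__":
    print(audit(parse_rules(SAMPLE)))
```
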
Cisco VCS Basic Configuration (Control with Expressway) Deployment Guide
Appendix 3: Firewall and NAT settings