Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 3 – Firewall and NAT configuration
Cisco VCS Deployment Guide: Basic configuration – VCS Control with VCS Expressway
Page 55 of 59
n
Ensure that any SIP or H.323 ‘fixup’ ALG or awareness functionality is disabled on the NAT firewall – if
enabled this will adversely interfere with the Cisco VCS functionality.
enabled this will adversely interfere with the Cisco VCS functionality.
n
If a Cisco TMS server and a Syslog logging server are deployed (see the
section) then the following NAT configuration is required:
Inbound (DMZ > Internal network)
Purpose
Source Destination Source
IP
Source port
Transport
protocol
protocol
Dest. IP
Dest.
port
port
Logging
VCSe
Syslog
server
server
192.0.2.2 40000 to
49999
UDP
10.0.0.13 514
Management
VCSe
TMS server
192.0.2.2 >=1024
TCP
10.0.0.14 80 / 443
LDAP (for login, if
required)
required)
VCSe
LDAP
server
server
192.0.2.2 40000 to
49999
TCP
389 /
636
636
NTP (time sync)
VCSe
NTP server
192.0.2.2 >=1024
UDP
123
Access to services such as DNS (UDP port 53) and NTP (UDP port 123) for time synchronization
should be permitted on the appropriate firewall.
should be permitted on the appropriate firewall.
n
Traffic destined for the Logging and Management server addresses (using specific destination ports)
must be routed to the internal network.
must be routed to the internal network.
External firewall configuration requirement
In this example it is assumed that outbound connections (from DMZ to external network) are all permitted
by the firewall device.
by the firewall device.
n
Ensure that any SIP or H.323 "fixup" ALG or awareness functionality is disabled on the NAT firewall –
if enabled this will adversely interfere with the Cisco VCS functionality.
if enabled this will adversely interfere with the Cisco VCS functionality.