Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 3 – Firewall and NAT configuration
Cisco VCS Deployment Guide: Basic configuration – VCS Control with VCS Expressway
Page 56 of 59
Inbound (Internet > DMZ)
Purpose
Source
Dest.
Source
IP
IP
Source
port
port
Transport
protocol
protocol
Dest. IP
Dest. port
H.323 endpoints registering with Assent
RAS Assent
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 1719
Q.931/H.225 and
H.245
H.245
Endpoint VCSe Any
>=1024
TCP
192.0.2.2 2776
RTCP Assent
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 2777
RTP Assent
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 2776
H.323 endpoints registering with public IP addresses
RAS
Endpoint VCSe Any
1719
UDP
192.0.2.2 1719
Q.931/H.225
Endpoint VCSe Any
>=1024
TCP
192.0.2.2 15000 to
19999
H.245
Endpoint VCSe Any
>=1024
TCP
192.0.2.2 1720
RTP & RTCP
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 50000 to
52399
SIP endpoints registering using UDP / TCP or TLS
SIP TCP
Endpoint VCSe Any
>=1024
TCP
192.0.2.2 5060
SIP UDP
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 5060
SIP TLS
Endpoint VCSe Any
>=1024
TCP
192.0.2.2 5061
RTP & RTCP
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 50000 to
52399
TURN server control
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 3478
TURN server media
Endpoint VCSe Any
>=1024
UDP
192.0.2.2 60000 to
61799
Outbound (DMZ > Internet)
If you want to restrict communications from the DMZ to the wider Internet, the following table provides
information on the outgoing IP addresses and ports required to permit the Cisco VCS Expressway to
provide service to external endpoints.
information on the outgoing IP addresses and ports required to permit the Cisco VCS Expressway to
provide service to external endpoints.
Purpose
Source Dest.
Source
IP
IP
Source port
Transport
protocol
protocol
Dest. IP
Dest.
port
port
H.323 endpoints registering with public IP address
RAS
VCSe
Endpoint
192.0.2.2 >=1024
UDP
Any
1719
Q.931/H.225
VCSe
Endpoint
192.0.2.2 15000 to
19999
TCP
Any
1720