Cisco TelePresence Video Communication Server Expressway Administration Manual
| Purpose | Protocol | VCS Control (source) | Internal Device Port/Range |
|---|---|---|---|
| HTTP proxy (SOAP) | TCP | Ephemeral port | 8443 (IM and Presence Service) |
| HTTP (configuration file retrieval) | TCP | Ephemeral port | 6970 (Unified CM) |
| CUC (voicemail) | TCP | Ephemeral port | 443 (Unity Connection) |
| Message Waiting Indicator (MWI) from Unity Connection | TCP | Ephemeral port | 7080 (Unity Connection) |
| Media | UDP | 36000 to 59999* | >= 1024 (Media recipient, e.g. endpoint) |
| SIP signaling | TCP | 25000 to 29999 | 5060 (Unified CM) |
| Secure SIP signaling | TLS | 25000 to 29999 | 5061 (Unified CM) |

* On new installations of X8.1 or later, the default media traversal port range is 36000 to 59999, and is set on the VCS
Control (Configuration > Local Zones > Traversal Subzone). In Large VCS Expressway systems the first 12 ports in
the range – 36000 to 36011 by default – are always reserved for multiplexed traffic. The VCS Expressway listens on
these ports. You cannot configure a distinct range of demultiplex listening ports on Large systems: they always use
the first 6 pairs in the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for
multiplexed RTP/RTCP traffic, on the VCS Expressway (Configuration > Traversal > Ports). On upgrades to X8.2 or
later, the VCS Control retains the media traversal port range from the previous version (could be 50000 - 54999 or
36000 - 59999, depending on source version). The VCS Expressway retains the previously configured demultiplexing
pair (either 2776 & 2777 or 50000 & 50001 by default, depending on upgrade path) and the switch Use configured
demultiplexing ports is set to Yes. If you do not want to use a particular pair of ports, switch Use configured
demultiplexing ports to No, then the VCS Expressway will listen on the first pair of ports in the media traversal port
range (36000 and 36001 by default). In this case, we recommend that you close the previously configured ports after
you configure the firewall for the new ports.
Note that:
■ Ports 8191/8192 TCP and 8883/8884 TCP are used internally within the VCS Control and the VCS Expressway applications. Therefore these ports must not be allocated for any other purpose. The VCS Expressway listens externally on port 8883; therefore we recommend that you create custom firewall rules on the external LAN interface to drop TCP traffic on that port.
■ The VCS Expressway listens on port 2222 for SSH tunnel traffic. The only legitimate sender of such traffic is the VCS Control (cluster). Therefore we recommend that you create the following firewall rules for the SSH tunnels service:
  - one or more rules to allow all of the VCS Control peer addresses (via the internal LAN interface, if appropriate)
  - followed by a lower priority (higher number) rule that drops all traffic for the SSH tunnels service (on the internal LAN interface if appropriate, and if so, another rule to drop all traffic on the external interface)
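The rule ordering described above, as an added example (not Cisco's code and not the VCS rule schema): a small first-match evaluator that audits a rule list against the guidance for ports 2222 and 8883. The field names, the interface labels LAN1/LAN2, the sample addresses and the assumption that unmatched traffic is accepted are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical rule model for illustration; these fields are not the VCS schema.
@dataclass(frozen=True)
class Rule:
    priority: int    # lower number is evaluated first
    interface: str   # constructed labels: "LAN1" internal, "LAN2" external
    source: str      # source network in CIDR form
    port: int        # destination TCP port
    action: str      # "allow" or "drop"

def decide(rules, interface, src_ip, port, default="allow"):
    """Return the action of the first matching rule, in priority order.
    Assumption: traffic that matches no rule is accepted (default)."""
    src = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.interface == interface and r.port == port
                and src in ipaddress.ip_network(r.source)):
            return r.action
    return default

def build_rules(control_peers, internal="LAN1", external="LAN2"):
    """Allow each VCS Control peer on 2222, then drop everything else."""
    rules = [Rule(10 + i, internal, f"{p}/32", 2222, "allow")
             for i, p in enumerate(control_peers)]
    rules += [
        Rule(100, internal, "0.0.0.0/0", 2222, "drop"),  # SSH tunnels, non-peers
        Rule(101, external, "0.0.0.0/0", 2222, "drop"),  # SSH tunnels, external
        Rule(102, external, "0.0.0.0/0", 8883, "drop"),  # internal-use port
    ]
    return rules

def audit(rules, control_peers, internal="LAN1", external="LAN2"):
    """Return findings; an empty list means the rules match the guidance."""
    findings = []
    outsider = "203.0.113.50"  # constructed non-peer address (TEST-NET-3)
    for p in control_peers:
        if decide(rules, internal, p, 2222) != "allow":
            findings.append(f"peer {p} blocked on 2222")
    for iface in (internal, external):
        if decide(rules, iface, outsider, 2222) != "drop":
            findings.append(f"2222 open to non-peers on {iface}")
    if decide(rules, external, outsider, 8883) != "drop":
        findings.append(f"8883 reachable on {external}")
    return findings
```

A drop rule numbered ahead of the peer allow rules shows up as blocked peers, which is the ordering mistake the "lower priority (higher number)" wording guards against.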
Microsoft Lync B2BUA Port Reference
The port numbers listed below are the default port values. The values used in a real deployment may vary if they have
been modified, for example, by changes of registry settings or through group policy, on Lync and Lync client, or
configuration on VCS (Applications > B2BUA).
Cisco TelePresence Video Communication Server Administrator Guide