Cisco TelePresence Video Communication Server Expressway Administration Manual
Configuring your firewall for Jabber Guest traffic
This section summarizes the ports that need to be opened for Jabber Guest traffic on the firewalls between your internal network (where the VCS Control is located) and the DMZ (where the VCS Expressway is located) and between the DMZ and the public internet.
Inbound from public internet to VCS Expressway (DMZ)

| Purpose                         | Protocol | Internet endpoint (source) | VCS Expressway (listening)                                                  |
|---------------------------------|----------|----------------------------|-----------------------------------------------------------------------------|
| HTTPS traffic (see notes below) | TCP      | TCP source port            | 9443                                                                        |
| HTTP traffic (see notes below)  | TCP      | TCP source port            | 9980                                                                        |
| TURN server control / media     | UDP      | UDP source port            | 3478 (small/medium system); 3478-3483 (default range on large system)*      |
Note that:

- HTTP and HTTPS traffic from Jabber Guest clients in the internet is sent to ports 80 and 443 TCP respectively. Therefore the firewall between the VCS Expressway and the public internet must translate destination port 80 to 9980 and destination port 443 to 9443 for all TCP traffic that targets the VCS Expressway address.
- 80/443 TCP are the standard HTTP/S administration interfaces on the VCS. If the VCS Expressway is administered from systems located in the internet, then the firewall translation must also distinguish by source address and must not translate the destination port of traffic arriving from those management systems.
- You also need to ensure that appropriate DNS records exist so that the Jabber Guest client can reach the VCS Expressway. The FQDN of the VCS Expressway in DNS must include the Jabber Guest domain, so in this case it could be expressway.example.com. Use round-robin DNS if it is a cluster of VCS Expressways.
  Note that this is public DNS configuration and it does not impose any configuration requirements on the VCS Expressway itself (host name / domain name on the DNS page, or the cluster name etc.).
Inbound from VCS Expressway (external/NAT address) to VCS Control (private)

| Purpose | Protocol | VCS Expressway (source external/NAT address) | VCS Control (listening) |
|---------|----------|----------------------------------------------|-------------------------|
| Media   | UDP      | 24000 to 29999 *                             | 36002 to 59999 **       |
Jabber Guest media does not go through the traversal link between VCS Expressway and VCS Control. You may find that two-way media can still be established even if the VCS Expressway to VCS Control rules described above are not applied. This is because the outbound media creates a pinhole in the firewall. However, these rules are required to support uni-directional media (that is, only from outside to inside).
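The following is an added example, not part of the Cisco guide, that models both firewall rule sets above as a small policy evaluator: the internet-to-Expressway rules with the 80/443 to 9980/9443 destination port translation and the management-source exception, and the Expressway-to-Control media rules. All addresses, the management network and the small/large system flag are constructed assumptions; use it to check test flows against your own configuration.

```python
import ipaddress

# Constructed example addresses (assumptions, not from the guide).
EXPRESSWAY_PUBLIC = ipaddress.ip_address("203.0.113.10")  # VCS Expressway in the DMZ
EXPRESSWAY_NAT = ipaddress.ip_address("203.0.113.10")     # external/NAT address seen by the inner firewall
CONTROL_PRIVATE = ipaddress.ip_address("10.0.0.20")       # VCS Control on the internal network
MGMT_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]  # admin systems located in the internet
LARGE_SYSTEM = False  # True: TURN listens on 3478-3483, False: 3478 only

# Jabber Guest clients send to 80/443; the Expressway listens on 9980/9443.
PORT_MAP = {80: 9980, 443: 9443}


def turn_ports():
    """TURN listening ports for the deployment size."""
    return range(3478, 3484) if LARGE_SYSTEM else range(3478, 3479)


def outer_firewall(src_ip, proto, dst_ip, dst_port):
    """Internet -> VCS Expressway (DMZ). Returns (action, destination port after translation)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst != EXPRESSWAY_PUBLIC:
        return ("drop", dst_port)
    if proto == "tcp" and dst_port in PORT_MAP:
        # 80/443 are also the admin interfaces: traffic from management
        # systems keeps its destination port, everything else is translated.
        if any(src in net for net in MGMT_SOURCES):
            return ("accept", dst_port)
        return ("accept", PORT_MAP[dst_port])
    if proto == "udp" and dst_port in turn_ports():
        return ("accept", dst_port)  # TURN control / media
    return ("drop", dst_port)


def inner_firewall(src_ip, proto, src_port, dst_ip, dst_port):
    """VCS Expressway (external/NAT address) -> VCS Control (private): media only."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    allowed = (src == EXPRESSWAY_NAT and dst == CONTROL_PRIVATE and proto == "udp"
               and 24000 <= src_port <= 29999 and 36002 <= dst_port <= 59999)
    return "accept" if allowed else "drop"


if __name__ == "__main__":
    # A guest client on the internet reaching HTTPS: translated to 9443.
    print(outer_firewall("192.0.2.5", "tcp", "203.0.113.10", 443))
    # An admin host: destination port must not be translated.
    print(outer_firewall("198.51.100.7", "tcp", "203.0.113.10", 443))
```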
Cisco TelePresence Video Communication Server Administrator Guide (X8.5)
Page 108 of 559