Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Firewall traversal
Cisco VCS Administrator Guide (X7.0)
Page 230 of 488
You have the option to change these ports if necessary by going to the
page (
VCS configuration
> Expressway > Ports
).
If your VCS Expressway does not have any endpoints registering directly with it, and it is not part of a
cluster, then UDP/1719 is not required. You therefore do not need to allow outbound connections to this
port through the firewall between the VCS Control and VCS Expressway.
cluster, then UDP/1719 is not required. You therefore do not need to allow outbound connections to this
port through the firewall between the VCS Control and VCS Expressway.
TURN ports
The VCS Expressway can be enabled to provide
(Traversal Using Relays around NAT)
which can be used by SIP endpoints that support the ICE firewall traversal protocol.
The ports used by these services are configurable on the
page (
VCS configuration >
Expressway > TURN
).
The ICE clients on each of the SIP endpoints must be able to discover these ports, either by using SRV
records in DNS or by direct configuration.
records in DNS or by direct configuration.
Ports for connections out to the public internet
In situations where the VCS Expressway is attempting to connect to an endpoint on the public internet,
you will not know the exact ports on the endpoint to which the connection will be made. This is because
the ports to be used are determined by the endpoint and advised to the VCS Expressway only after the
server has located the endpoint on the public internet. This may cause problems if your VCS
Expressway is located within a DMZ (that is, there is a firewall between the VCS Expressway and the
public internet) as you will not be able to specify in advance rules that will allow you to connect out to the
endpoint’s ports.
you will not know the exact ports on the endpoint to which the connection will be made. This is because
the ports to be used are determined by the endpoint and advised to the VCS Expressway only after the
server has located the endpoint on the public internet. This may cause problems if your VCS
Expressway is located within a DMZ (that is, there is a firewall between the VCS Expressway and the
public internet) as you will not be able to specify in advance rules that will allow you to connect out to the
endpoint’s ports.
You can however specify the ports on the VCS Expressway that are used for calls to and from endpoints
on the public internet so that your firewall administrator can allow connections via these ports. The ports
that can be configured for this purpose are:
on the public internet so that your firewall administrator can allow connections via these ports. The ports
that can be configured for this purpose are:
H.323
SIP
TURN
TCP/1720: signaling
UDP/1719: signaling
UDP/50000-52399: media
TCP/15000-19999: signaling
TCP/5061: signaling
UDP/5060 (default): signaling
UDP/50000-52399: media
TCP: a temporary port in the
range 25000-29999 is allocated
range 25000-29999 is allocated
UDP/3478 (default): TURN
services
services
UDP/60000-61200 (default range):
media
media