Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Firewall traversal
The ports used by these services are configurable on the
page (
VCS configuration >
Expressway > TURN
).
The ICE clients on each of the SIP endpoints must be able to discover these ports, either by using
SRV records in DNS or by direct configuration.
SRV records in DNS or by direct configuration.
Ports for connections out to the public internet
In situations where the Cisco VCS Expressway is attempting to connect to an endpoint on the public
internet, you will not know the exact ports on the endpoint to which the connection will be made. This
is because the ports to be used are determined by the endpoint and advised to the Cisco VCS
Expressway only after the server has located the endpoint on the public internet. This may cause
problems if your Cisco VCS Expressway is located within a DMZ (that is, there is a firewall between
the Cisco VCS Expressway and the public internet) as you will not be able to specify in advance rules
that will allow you to connect out to the endpoint’s ports.
internet, you will not know the exact ports on the endpoint to which the connection will be made. This
is because the ports to be used are determined by the endpoint and advised to the Cisco VCS
Expressway only after the server has located the endpoint on the public internet. This may cause
problems if your Cisco VCS Expressway is located within a DMZ (that is, there is a firewall between
the Cisco VCS Expressway and the public internet) as you will not be able to specify in advance rules
that will allow you to connect out to the endpoint’s ports.
You can however specify the ports on the Cisco VCS Expressway that are used for calls to and from
endpoints on the public internet so that your firewall administrator can allow connections via these
ports. The ports that can be configured for this purpose are:
endpoints on the public internet so that your firewall administrator can allow connections via these
ports. The ports that can be configured for this purpose are:
H.323
SIP
TURN
TCP/1720: signaling
UDP/1719: signaling
UDP/50000-52399: media
TCP/15000-19999: signaling
TCP/5061: signaling
UDP/5060 (default): signaling
UDP/50000-52399: media
TCP: a temporary port in the
range 25000-29999 is
allocated
range 25000-29999 is
allocated
UDP/3478 (default): TURN
services
services
UDP/60000-61200 (default
range): media
range): media
Firewall traversal and authentication
To control which systems can use the Cisco VCS Expressway as a traversal server, each Cisco VCS
Control or Gatekeeper that wants to be its client must first authenticate with it.
Control or Gatekeeper that wants to be its client must first authenticate with it.
Upon receiving the initial connection request from the traversal client, the Cisco VCS Expressway
asks the client to authenticate itself by providing its authentication credentials. The Cisco VCS
Expressway then looks up the client’s credentials in its own authentication database. If a match is
found, the Cisco VCS Expressway accepts the request from the client.
asks the client to authenticate itself by providing its authentication credentials. The Cisco VCS
Expressway then looks up the client’s credentials in its own authentication database. If a match is
found, the Cisco VCS Expressway accepts the request from the client.
The settings used for authentication depend on the combination of client and server being used. These
are detailed in the table below.
are detailed in the table below.
Cisco VCS Administrator Guide (X6)
Page 174 of 295