Cisco TelePresence Video Communication Server Expressway Administration Manual

D14049.08 
November 2010
CISCO TELEPRESENCE VIDEO COMMUNICATION SERVER ADMINISTRATOR GUIDE
Firewall traversal protocols and ports

SIP ports

Call signaling
SIP call signaling uses the same port as used by the initial connection between the client and server.

Media
Where the traversal client is a VCS, SIP media uses Assent to traverse the firewall. The default ports are the same as for H.323, i.e.:
• UDP/2776: RTP media port
• UDP/2777: RTCP media control port

Ports for initial connections from traversal clients

Each traversal server zone specifies an H.323 port and a SIP port to be used for the initial connection from the client.

Each time you configure a new traversal server zone on the VCS Expressway, you will be allocated default port numbers for these connections:
• H.323 ports start at UDP/6001 and increment by 1 for every new traversal server zone
• SIP ports start at TCP/7001 and increment by 1 for every new traversal server zone.

You can change these default ports if necessary but you must ensure that the ports are unique for each traversal server zone.

After the H.323 and SIP ports have been set on the VCS Expressway, matching ports must be configured on the corresponding traversal client.

! The default port used for the initial connections from MXP endpoints is the same as that used for standard RAS messages, i.e. UDP/1719. While it is possible to change this port on the VCS Expressway, most endpoints will not support connections to ports other than UDP/1719. You are therefore recommended to leave this as the default.

You must allow outbound connections through your firewall to each of the unique SIP and H.323 ports that are configured on each of the VCS Expressway’s traversal server zones.

H.460.18/19 ports

For connections to the VCS Expressway using the H.460.18/19 protocols, the default ports are:

Call signaling
• UDP/1719: listening port for RAS messages
• TCP/1720: listening port for H.225 protocol
• TCP/2777: listening port for H.245 protocol

Media
• UDP/2776: RTP media port
• UDP/2777: RTCP media control port
• UDP/50000-52399: demultiplex media port range

Assent ports

For connections to the VCS Expressway using the Assent protocol, the default ports are:

Call signaling
• UDP/1719: listening port for RAS messages
• TCP/2776: listening port for H.225 and H.245 protocols

Media
• UDP/2776: RTP media port
• UDP/2777: RTCP media control port

Ports for connections out to the public internet

In situations where the VCS Expressway is attempting to connect to an endpoint on the public internet, you will not know the exact ports on the endpoint to which the connection will be made. This is because the ports to be used are determined by the endpoint and advised to the VCS Expressway only after the server has located the endpoint on the public internet. This may cause problems if your VCS Expressway is located within a DMZ (i.e. there is a firewall between the VCS Expressway and the public internet) as you will not be able to specify in advance rules that will allow you to connect out to the endpoint’s ports.

You can however specify the ports on the VCS Expressway that will be used for calls to and from endpoints on the public internet so that your firewall administrator can allow connections via these ports. The ports that can be configured for this purpose are:

H.323
• TCP/1720: signaling
• UDP/1719: signaling
• UDP/50000-52399: media
• TCP/15000-19999: signaling

SIP
• TCP/5061: signaling
• UDP/5060 (default): signaling
• UDP/50000-52399: media
• TCP: a temporary port in the range 25000-29999 is allocated.

TURN
• UDP/3478 (default): TURN services
• UDP/60000-61200 (default range): media

TURN ports

The VCS Expressway can be enabled to provide TURN services (Traversal Using Relays around NAT) which can be used by SIP endpoints that support the

The ports used by these services are configurable using:
• VCS configuration > Expressway > TURN

The ICE clients on each of the SIP endpoints must be able to discover these ports, either by using SRV records in DNS or by direct configuration.

If your VCS Expressway does not have any endpoints registering directly with it, and it is not part of a cluster, then UDP/1719 is not required. You therefore do not need to allow outbound connections to this port through the firewall between the VCS Control and VCS Expressway.
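
The per-zone port allocation under "Ports for initial connections from traversal clients" and the Assent and H.460.18/19 defaults listed above can be checked against a firewall rule set before a zone goes live. The following Python code is an added example, not part of the Cisco guide; the zone names, the (protocol, first port, last port) rule format and the sample rule set are constructed for illustration, and it assumes each required range must be covered by a single allow rule.

```python
"""Audit outbound firewall rules against the ports a traversal client must
reach on a VCS Expressway (default values as listed in this guide)."""

# Defaults from the guide, as (protocol, first port, last port, purpose).
H460_DEFAULTS = [
    ("udp", 1719, 1719, "RAS"), ("tcp", 1720, 1720, "H.225"),
    ("tcp", 2777, 2777, "H.245"), ("udp", 2776, 2777, "RTP/RTCP"),
    ("udp", 50000, 52399, "demultiplex media"),
]
ASSENT_DEFAULTS = [
    ("udp", 1719, 1719, "RAS"), ("tcp", 2776, 2776, "H.225/H.245"),
    ("udp", 2776, 2777, "RTP/RTCP"),
]

def default_zone_ports(index):
    """Default initial-connection ports for the Nth (0-based) traversal server zone."""
    return {"h323": ("udp", 6001 + index), "sip": ("tcp", 7001 + index)}

def duplicate_zone_ports(zones):
    """Return (protocol, port) pairs claimed more than once; must be empty."""
    seen, dupes = set(), set()
    for zone in zones.values():
        for key in zone.values():
            (dupes if key in seen else seen).add(key)
    return dupes

def required_outbound(zones, protocols=("assent", "h460")):
    """Every (protocol, lo, hi, purpose) the client-side firewall must allow out."""
    need = [(p, port, port, f"{name} {kind} initial connection")
            for name, zone in zones.items() for kind, (p, port) in zone.items()]
    if "assent" in protocols:
        need += ASSENT_DEFAULTS
    if "h460" in protocols:
        need += H460_DEFAULTS
    return need

def missing_rules(zones, allowed, protocols=("assent", "h460")):
    """Required ranges that no single allowed (protocol, lo, hi) rule fully covers."""
    need = {(p, lo, hi) for p, lo, hi, _ in required_outbound(zones, protocols)}
    return sorted(r for r in need if not any(
        a == r[0] and lo <= r[1] and r[2] <= hi for a, lo, hi in allowed))

# Constructed sample: two zones on default ports and a hypothetical rule set.
ZONES = {"branch-a": default_zone_ports(0), "branch-b": default_zone_ports(1)}
ALLOWED = [("udp", 1719, 1719), ("tcp", 1720, 1720), ("tcp", 2776, 2777),
           ("udp", 2776, 2777), ("udp", 6001, 6002), ("tcp", 7001, 7001)]

if __name__ == "__main__":
    for rule in missing_rules(ZONES, ALLOWED):
        print("missing outbound rule: %s/%d-%d" % rule)
```

With the sample data the audit reports the second zone's SIP port and the demultiplex media range as not yet permitted.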