Cisco Expressway Maintenance Manual
1. Each traversal client connects via the firewall to a unique port on the Expressway-E.
2. The server identifies each client by the port on which it receives the connection, and the authentication
credentials provided by the client.
3. After the connection has been established, the client regularly sends a probe to the Expressway-E to keep the
connection alive.
4. When the Expressway-E receives an incoming call for the client, it uses this initial connection to send an
incoming call request to the client.
5. The client then initiates one or more outbound connections. The destination ports used for these connections
differ for signaling and/or media, and depend on the protocol being used (see the following sections for more
details).
Configuring the Firewall
For Expressway firewall traversal to function correctly, your firewall must be configured to:
■ allow initial outbound traffic from the client to the ports being used by the Expressway-E
■ allow return traffic from those ports on the Expressway-E back to the originating client
Note: We recommend that you turn off any H.323 and SIP protocol support on the firewall: these are not needed in
conjunction with the Expressway solution and may interfere with its operation.
Configuring Traversal Server Ports
The Expressway-E has specific listening ports used for firewall traversal. Rules must be set on your firewall to allow
connections to these ports. In most cases the default ports should be used. However, you have the option to change
these ports if necessary by going to the Ports page (Configuration > Traversal > Ports).
The configurable ports for signaling are:
■ H.323 Assent call signaling port; default is 2776
■ H.323 H.460.18 call signaling port; default is 2777
RTP and RTCP Media Demultiplexing Ports:
■ Small/Medium systems: 1 pair of RTP and RTCP media demultiplexing ports are used. They can either be
explicitly specified or they can be allocated from the start of the general range of traversal media ports.
■ Large systems: 6 pairs of RTP and RTCP media demultiplexing ports are used. They are always allocated from
the start of the traversal media ports range.
Configuring Ports for Connections From Traversal Clients
Each traversal server zone specifies an H.323 port and a SIP port to use for the initial connection from the client. Each
time you configure a new traversal server zone on the Expressway-E, you are allocated default port numbers for these
connections:
■ H.323 ports start at UDP/6001 and increment by 1 for every new traversal server zone.
■ SIP ports start at TCP/7001 and increment by 1 for every new traversal server zone.
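The following added example is not part of the Cisco guide. It audits a set of traversal server zones for the per-zone port uniqueness the guide requires and derives the client-to-Expressway-E rules a firewall would need. The zone names, client subnet and Expressway-E address are constructed sample values, and the function names are hypothetical; only the default bases UDP/6001 and TCP/7001 come from the guide.

```python
"""Audit traversal server zone ports and derive the firewall allow-list.

Added example: zone names and addresses are constructed sample values.
"""
from collections import defaultdict

H323_BASE, SIP_BASE = 6001, 7001  # default starting ports stated in the guide


def default_ports(zone_index):
    """Default (H.323 UDP, SIP TCP) ports for the Nth zone created (0-based)."""
    return H323_BASE + zone_index, SIP_BASE + zone_index


def audit_zones(zones):
    """Return a list of problems: invalid ports, or a port shared by zones."""
    problems, seen = [], defaultdict(list)
    for name, (h323, sip) in zones.items():
        for proto, port in (("udp", h323), ("tcp", sip)):
            if not 1 <= port <= 65535:
                problems.append(f"{name}: {proto}/{port} is not a valid port")
            seen[(proto, port)].append(name)
    for (proto, port), names in sorted(seen.items()):
        if len(names) > 1:
            problems.append(f"{proto}/{port} shared by zones: {', '.join(sorted(names))}")
    return problems


def firewall_rules(zones, client_net, expressway_e):
    """Outbound client -> Expressway-E rules, two per zone (H.323 and SIP)."""
    # Assumption: the firewall is stateful, so return traffic from these
    # ports to the originating client is allowed as part of the same flow.
    rules = []
    for name, (h323, sip) in sorted(zones.items()):
        rules.append((client_net, expressway_e, "udp", h323, f"{name} H.323"))
        rules.append((client_net, expressway_e, "tcp", sip, f"{name} SIP"))
    return rules


if __name__ == "__main__":
    # Constructed sample: two zones on defaults, one edited to a clashing SIP port.
    zones = {"ZoneA": default_ports(0), "ZoneB": default_ports(1), "ZoneC": (6003, 7001)}
    for problem in audit_zones(zones):
        print("PROBLEM:", problem)
    for rule in firewall_rules(zones, "10.0.0.0/24", "192.0.2.10"):
        print("ALLOW", *rule)
```

On a stateless firewall, each rule also needs its mirror image from the Expressway-E port back to the client.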
You can change these default ports if necessary but you must ensure that the ports are unique for each traversal
server zone. After the H.323 and SIP ports have been set on the Expressway-E, matching ports must be configured on
the corresponding traversal client. Note that:
■ The default port used for the initial connections from MXP endpoints is the same as that used for standard RAS
messages, that is UDP/1719. While you can change this port on the Expressway-E, most endpoints will not
Cisco Expressway Administrator Guide
Firewall Traversal