Cisco Expressway Maintenance Manual
determined by the endpoint and advised to the Expressway-E only after the server has located the endpoint on the
public internet. This may cause problems if your Expressway-E is located within a DMZ (where there is a firewall
between the Expressway-E and the public internet) as you will not be able to specify in advance any rules that will
allow you to connect out to the endpoint’s ports.
You can however specify the ports on the Expressway-E that are used for calls to and from endpoints on the public
internet so that your firewall administrator can allow connections via these ports. The ports that can be configured for
this purpose are:
H.323
  TCP/1720: signaling
  UDP/1719: signaling
  UDP/36000-59999: media*
  TCP/15000-19999: signaling

SIP
  TCP/5061: signaling
  UDP/5060 (default): signaling
  UDP/36000-59999: media*
  TCP: a temporary port in the range 25000-29999 is allocated

TURN
  UDP/3478 (default): TURN services **
  UDP/24000-29999 (default range): media

Table 8 Port connections out to the public internet
* The default media traversal port range is 36000 to 59999, and is set on the Expressway-C at Configuration
> Traversal Subzone. In Large Expressway systems the first 12 ports in the range – 36000 to 36011 by default – are
always reserved for multiplexed traffic. The Expressway-E listens on these ports. You cannot configure a distinct
range of demultiplex listening ports on Large systems: they always use the first 6 pairs in the media port range. On
Small/Medium systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the
Expressway-E (Configuration > Traversal > Ports). If you choose not to configure a particular pair of ports (Use
configured demultiplexing ports = No), then the Expressway-E will listen on the first pair of ports in the media
traversal port range (36000 and 36001 by default).
** On Large systems you can configure a range of TURN request listening ports. The default range is 3478 – 3483.
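The following Python is an added illustration, not code from the Cisco guide: it turns Table 8 and the demultiplexing note above into an expected allow-list that a firewall administrator can check a DMZ rule set against. The port values are the guide's defaults; the function names, the Rule type and the sample firewall entries are assumptions made for the example.

```python
from dataclasses import dataclass

# Defaults from the guide: media traversal range set at Configuration > Traversal Subzone.
DEFAULT_MEDIA_RANGE = (36000, 59999)

@dataclass(frozen=True)
class Rule:
    proto: str      # "TCP" or "UDP"
    lo: int         # first port of the range (inclusive)
    hi: int         # last port of the range (inclusive)
    purpose: str

def demux_listen_ports(system_size, media_range=DEFAULT_MEDIA_RANGE, configured_pair=None):
    """Ports the Expressway-E listens on for multiplexed RTP/RTCP traffic."""
    start = media_range[0]
    if system_size == "large":
        # Large systems always reserve the first 6 pairs (12 ports); not configurable.
        return list(range(start, start + 12))
    if configured_pair is not None:
        # Small/Medium with "Use configured demultiplexing ports = Yes"
        return list(configured_pair)
    return [start, start + 1]  # otherwise the first pair of the media range

def public_internet_rules(media_range=DEFAULT_MEDIA_RANGE, sip_udp_port=5060,
                          turn_port=3478, turn_media=(24000, 29999)):
    """Table 8: ports used for calls to and from endpoints on the public internet."""
    lo, hi = media_range
    return [
        Rule("TCP", 1720, 1720, "H.323 signaling"),
        Rule("UDP", 1719, 1719, "H.323 signaling"),
        Rule("TCP", 15000, 19999, "H.323 signaling"),
        Rule("UDP", lo, hi, "H.323/SIP media"),
        Rule("TCP", 5061, 5061, "SIP signaling"),
        Rule("UDP", sip_udp_port, sip_udp_port, "SIP signaling"),
        Rule("TCP", 25000, 29999, "SIP temporary port"),
        Rule("UDP", turn_port, turn_port, "TURN services"),
        Rule("UDP", turn_media[0], turn_media[1], "TURN media"),
    ]

def explain_flow(proto, port, rules):
    """Name the purpose a (proto, port) flow matches, or None if the table does not cover it."""
    for r in rules:
        if r.proto == proto and r.lo <= port <= r.hi:
            return r.purpose
    return None

def unexpected_allows(firewall_allows, rules):
    """Firewall allow entries (proto, port) that no expected rule justifies: candidates to tighten."""
    return [(p, n) for p, n in firewall_allows if explain_flow(p, n, rules) is None]
```

Pass a non-default media range or TURN range to public_internet_rules when the Expressway-E has been reconfigured, so the allow-list matches the deployment rather than the defaults.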
Firewall Traversal and Authentication
The Expressway-E allows only authenticated client systems to use it as a traversal server.
Upon receiving the initial connection request from the traversal client, the Expressway-E asks the client to
authenticate itself by providing its authentication credentials. The Expressway-E then looks up the client’s credentials
in its own authentication database. If a match is found, the Expressway-E accepts the request from the client.
The settings used for authentication depend on the type of traversal client:
Traversal client: Expressway-C
  Traversal client: The Expressway client provides its Username and Password. These are set on the traversal client zone by using Configuration > Zones > Zones > Edit zone, in the Connection credentials section.
  Expressway-E traversal server: The traversal server zone for the Expressway client must be configured with the client's authentication Username. This is set on the Expressway-E by using Configuration > Zones > Zones > Edit zone, in the Connection credentials section. There must also be an entry in the Expressway-E’s authentication database with the corresponding client username and password.

Traversal client: Endpoint
  Traversal client: The endpoint client provides its Authentication ID and Authentication Password.
  Expressway-E traversal server: There must be an entry in the Expressway-E’s authentication database with the corresponding client username and password.
Note that all Expressway traversal clients must authenticate with the Expressway-E.
59
Cisco Expressway Administrator Guide
Firewall Traversal