Cisco Expressway IP Port Usage For Firewall Traversal Deployment Guide X8.11.1
Configuration Guide
First Published: April 2017
Last Updated: September 2018
X8.11.1
Preface
Change History
Table 1 Cisco Expressway IP Port Usage Configuration Guide Change History
Date           | Change       | Reason
September 2018 | Update       | Updated software version from X8.11 to X8.11.1, as version X8.11 is no longer available.
August 2018    | Corrections  | Errors in IM&P Federation with Microsoft Clients and Web Proxy for Cisco Meeting Server connections.
April 2018     | Corrections  | Errors in SIP Edge for CMS media connections.
December 2017  | Corrections  | For SIP traversal calls, B2BUA on Expressway-C may need to make TURN requests to Expressway-E.
April 2017     | New document | New format for information previously held in Expressway IP Port Usage for Firewall Traversal.
Cisco Expressway IP Port Usage Configuration Guide
Related Documents
Table 2 Links to Related Documentation

  For VCS: Cisco Video Communication Server CE1100 Appliance Installation Guide on the VCS installation guides page
  For VCS: Cisco TelePresence VCS Administrator Guide on the Cisco TelePresence VCS maintain and operate guides page
  Cisco TelePresence VCS Serviceability Guide on the Cisco TelePresence VCS maintain and operate guides page

Registrar / basic call control
  For Expressway: Cisco Expressway Registrar Deployment Guide on the Expressway configuration guides page
  For VCS: Cisco Single VCS Control - Basic Configuration Deployment Guide on the VCS configuration guides page

Firewall traversal
  For Expressway: Cisco Expressway-E and Expressway-C Basic Configuration Deployment Guide on the Expressway configuration guides page
  For VCS: Cisco TelePresence VCS Basic Configuration (Control with Expressway) Deployment Guide on the VCS configuration guides page

Clustering
  Cisco Expressway Cluster Creation and Maintenance Deployment Guide on the Cisco Expressway Series configuration guides page

Certificates
  Cisco Expressway Certificate Creation and Use Deployment Guide on the Expressway configuration guides page

Unified Communications
  Mobile and Remote Access Through Cisco Expressway on the Expressway configuration guides page

Cisco Meeting Server
  Cisco Meeting Server with Cisco Expressway Deployment Guide on the Expressway configuration guides page
  Cisco Meeting Server API Reference Guide on the Cisco Meeting Server programming guides page
  Other Cisco Meeting Server guides are available on the Cisco Meeting Server configuration guides page

Microsoft infrastructure
  Cisco Expressway with Microsoft Infrastructure Deployment Guide on the Expressway configuration guides page

Multiway Conferencing
  Cisco TelePresence Multiway Deployment Guide on the Expressway configuration guides page

Rest API
  Cisco Expressway REST API Reference Guide on the Expressway configuration guides page
Contents
Preface 2
Change History 2
Related Documents 3
How to Use This Document 7
Firewall Configuration 7
Default Port Ranges 7
Basic Networking Connections 10
Basic Networking: Expressway 10
Networking Port Reference: Expressway 10
Basic Networking: Traversal Pair 12
Networking Port Reference: Expressway Traversal Pair 13
Clustering Connections 15
Cluster Connections Before X8.8 15
Cluster Port Reference Before X8.8 15
Cluster Connections X8.8 Onwards 16
Cluster Port Reference X8.8 Onwards 16
Provisioning, Registrations, Authentication, and Calls 17
SIP Calls 18
SIP Calls Port Reference 19
H.323 Calls 21
H.323 Calls Port Reference 22
TMS Connections 24
TMS Port Reference 24
LDAP Connections 26
LDAP Port Reference 26
Mobile and Remote Access 28
MRA Connections 28
MRA Port Reference 29
Jabber Guest Services 31
Jabber Guest: Dual NIC Deployment 32
Jabber Guest: Dual NIC Deployment Ports 33
Jabber Guest: Single NIC Deployment 34
Firewall Configuration
Here are some points to keep in mind when you are configuring your firewalls to permit the connections described in this document:

■ If you have a cluster of Expressways, ensure that the destination ports to the public IP address of each Expressway peer are open on the external firewall.

■ Sometimes there are different connection types that could be used to achieve the same task. You do not need to always open every port shown in the diagrams and tables. We recommend that you close any that you are not using.
  For example, if your web administration port is TCP 7443 but you only ever use SSH to configure the Expressway, you can close 7443 and leave TCP 22 open. Management ports should only be open to connections originating from inside the network.

■ Some firewalls actively close connections that appear inactive, which could interfere with the operation of your video infrastructure.
  For example, TCP port 1720 is used for H.323 call signaling but may be inactive during the call. If the firewall closes it prematurely, the H.323 endpoint could interpret that as a dropped call and respond by tearing down the call.
  We recommend extending inactivity timeouts on the known ports to at least two hours, particularly if you are seeing calls fail after a specific duration.

■ Firewalls that contain an ALG (Application Layer Gateway) for the SIP / H.323 protocols may not work as expected with Expressway-E.
  We strongly recommend that you disable SIP or H.323 ALG inspection / awareness on the NAT firewall. We may not be able to support your configuration if you cannot make this change.

■ In some deployments, media packets can hairpin on the Expressway-E external NIC. Some firewalls do not allow hairpinning, and distrust packets whose destination is their own source address.
  We recommend configuring an exception to allow hairpinning on the Expressway-E public interface, if your deployment requires it.

■ If you want to use the static NAT feature of Expressway-E, we strongly recommend using two NICs. Dedicating one NIC to the external interface and the other to the internal interface is much better for your network than using one NIC with static NAT enabled.
Note: In some cases throughout this document we list port ranges used by third-party infrastructure. These are default values and we cannot guarantee that they are correct for your environment. We recommend you follow the supplier's documentation to configure those connections.
Default Port Ranges

Protocol  | Purpose                                               | Default port(s)            | Notes
UDP & TCP | Inbound TURN requests on Small/Medium Expressway-E    | 3478                       | On Expressway-E only. Configurable to 443 or any port >= 1024.
UDP & TCP | Inbound TURN requests on Large Expressway-E           | 3478-3483                  | On Large Expressway-E only. Configurable to a six-port range with first port >= 1024. Configurable to a single port if port multiplexing is enabled. For more information on TURN port multiplexing, see the Expressway Administrator Guide.
TCP       | Inbound TCP TURN requests on Cisco Expressway-E       | 443                        | On Expressway-E only, and only if the TCP 443 TURN service is enabled.
UDP       | RTP/RTCP media                                        | 36000-59999                | The range is configurable within the default bounds, e.g. 37000-38200, but not 35000-36200. On Large Expressway, the first twelve ports of the range are used for multiplexed media. You cannot customize that subrange.
UDP       | Multiplexed media on Small/Medium Expressway-E systems | 2776/2777 or 36000/36001  | 2776/2777 is the older pair; it was kept as the default, with the ability to customize, when the new default range was introduced with the Small/Medium system options. The custom pair is defined on Configuration > Traversal > Ports. On Expressway-E only.
UDP       | Multiplexed media on Large Expressway-E systems       | 36000-36011                | New range introduced with the Large system option. This range is always the first twelve ports of the RTP/RTCP media range, so it will be different if you configure a different media range. On Expressway-E Large OVAs or large-scale appliances only.
TCP       | SIP traversal                                         | 7001                       | Configurable. SIP listening port on the first Expressway-E traversal server zone. Subsequent traversal server zones use incremental port numbers, e.g. 7002, by default.
UDP       | H.323 traversal                                       | 6001                       | Configurable. H.323 listening port on the first Expressway-E traversal server zone. Subsequent traversal server zones use incremental port numbers, e.g. 6002, by default.
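As an added example (not part of this guide and not Cisco code), the following Python checks a proposed Expressway-E port configuration against the constraints stated in the table above: the media range must stay within the default bounds, the Large-system multiplexed subrange follows the media range, TURN port rules differ by system size, and traversal zone listening ports increment per zone. The function names and the large/multiplexing flags are this example's own assumptions.

```python
# Added example, not Cisco's code: checks Expressway-E port settings against
# the constraints stated in the Default Port Ranges table. The function names
# and the "large" / "multiplexing" flags are this example's own.

MEDIA_DEFAULT = (36000, 59999)   # default RTP/RTCP media range
MULTIPLEX_PORTS = 12             # Large systems: first twelve media ports
TURN_LARGE_SIZE = 6              # Large systems: six-port TURN range
TURN_MIN_PORT = 1024             # TURN range must start at >= 1024


def media_range_ok(first, last):
    """A custom media range must stay inside the default bounds
    (37000-38200 is allowed, 35000-36200 is not)."""
    lo, hi = MEDIA_DEFAULT
    return first <= last and lo <= first and last <= hi


def multiplexed_media_ports(first, last):
    """Large Expressway-E: multiplexed media is always the first twelve ports
    of the media range, so it moves when the range is customized."""
    if not media_range_ok(first, last):
        raise ValueError(f"media range {first}-{last} is outside {MEDIA_DEFAULT}")
    if last - first + 1 < MULTIPLEX_PORTS:   # assumption: range must hold all twelve
        raise ValueError("media range too small for the twelve multiplexed ports")
    return first, first + MULTIPLEX_PORTS - 1


def turn_ports_ok(first, count, large, multiplexing=False):
    """Small/Medium: a single port, 443 or any port >= 1024.
    Large: a six-port range with first port >= 1024, or a single port when
    TURN port multiplexing is enabled."""
    if not large:
        return count == 1 and (first == 443 or first >= TURN_MIN_PORT)
    if first < TURN_MIN_PORT:
        return False
    return count == TURN_LARGE_SIZE or (multiplexing and count == 1)


def traversal_zone_ports(zone_count, sip_first=7001, h323_first=6001):
    """Default listening ports per traversal server zone: the first zone uses
    7001 (SIP, TCP) and 6001 (H.323, UDP); later zones increment by one."""
    return [(sip_first + i, h323_first + i) for i in range(zone_count)]


if __name__ == "__main__":
    print(multiplexed_media_ports(37000, 38200))  # (37000, 37011)
    print(traversal_zone_ports(2))                # [(7001, 6001), (7002, 6002)]
```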
Networking Port Reference: Expressway

Purpose                    | Source       | Source port | Protocol | Destination          | Destination port
Time synchronization (NTP) | Expressway-C | 123         | UDP      | Internal time server | 123

* Expressway redirects HTTP to HTTPS by default. You don't need to open the HTTP port, but you can allow HTTP for convenience and redirect to HTTPS.
† Expressway will attempt DNS resolution over TCP if the response is too large.
Networking Port Reference: Expressway Traversal Pair

Purpose                    | Source       | Source port | Protocol | Destination          | Destination port
Time synchronization (NTP) | Expressway-C | 123         | UDP      | Internal time server | 123

* Expressway redirects HTTP to HTTPS by default. You don't need to open the HTTP port, but you can allow HTTP for convenience and redirect to HTTPS.
† Expressway will attempt DNS resolution over TCP if the response is too large.

Purpose                              | Source                  | Source port | Protocol  | Destination          | Destination port
Internal name resolution (DNS)*      | Expressway-E private IP | 30000-35999 | UDP & TCP | Internal name server | 53
External name resolution (DNS)       | Expressway-E public IP  | 30000-35999 | UDP & TCP | External name server | 53
Internal time synchronization (NTP)* | Expressway-E private IP | 123         | UDP       | Internal time server | 123
External time synchronization (NTP)  | Expressway-E public IP  | 123         | UDP       | External time server | 123

* You may prefer to connect Expressway-E to external DNS and NTP. You do not need both.
Clustering Connections
Cluster Connections Before X8.8
Purpose                             | Source    | Source port | Protocol | Destination | Destination port
Key exchange between peers (ISAKMP) | This peer | 500         | UDP      | Other peers | 500