
Firewall Traversal Protocols and Ports
TANDBERG VIDEO COMMUNICATIONS SERVER ADMINISTRATOR GUIDE
Ports for Initial Connections from Traversal Clients
Each traversal server zone specifies an H.323 port and a SIP port to be used for the initial connection from the client.
Each time you configure a new traversal server zone on the VCS Expressway, you will be allocated default port numbers for these connections:
•H.323 ports will start at UDP/6001 and increment by 1 for every new traversal server zone
•SIP ports will start at TCP/7001 and increment by 1 for every new traversal server zone.
You can change these default ports if necessary but you must ensure that the ports are unique for each traversal server zone.
Once the H.323 and SIP ports have been set on the VCS Expressway, matching ports must be configured on the corresponding traversal client.
You must allow outbound connections through your firewall to each of the unique SIP and H.323 ports that are configured on each of the VCS Expressway’s traversal server zones.
The default port used for the initial connections from MXP endpoints is the same as that used for standard RAS messages, i.e. UDP/1719. While it is possible to change this port on the VCS Expressway, most endpoints will not support connections to ports other than UDP/1719. We therefore recommend that this be left as the default.

Assent Ports
For connections to the VCS Expressway using the Assent protocol, the default ports are:
Call signaling
•UDP/1719: listening port for RAS messages
•TCP/2776: listening port for H.225 and H.245 protocols
Media
•UDP/2776: RTP media port
•UDP/2777: RTCP media control port

H.460.18/19 Ports
For connections to the VCS Expressway using the H.460.18/19 protocols, the default ports are:
Call signaling
•UDP/1719: listening port for RAS messages
•TCP/1720: listening port for H.225 protocol
•TCP/2777: listening port for H.245 protocol
Media
•UDP/2776: RTP media port
•UDP/2777: RTCP media control port
If your VCS Expressway does not have any endpoints registering directly with it, and it has no Alternates configured, then UDP/1719 is not required. You therefore do not need to allow outbound connections to this port through the firewall between the VCS Control and VCS Expressway.

SIP Ports
Call signaling
SIP call signaling uses the same port as used by the initial connection between the client and server.
Media
Where the traversal client is a VCS, SIP media uses Assent to traverse the firewall. The default ports are the same as for H.323, i.e.:
•UDP/2776: RTP media port
•UDP/2777: RTCP media control port

STUN Ports
The VCS Expressway can be enabled to provide STUN services (STUN Relay and STUN Binding Discovery) which can be used by SIP endpoints which support the ICE firewall traversal protocol.
The ports used by these services are configurable via:
•VCS Configuration > Expressway > STUN
•xConfiguration Traversal Server STUN
The ICE clients on each of the SIP endpoints must be able to discover these ports, either via SRV records in DNS or by direct configuration.

Ports for Connections out to the Public Internet
In situations where the VCS Expressway is attempting to connect to an endpoint on the public internet, you will not know the exact port(s) on the endpoint to which the connection will be made. This is because the ports to be used are determined by the endpoint and advised to the VCS Expressway only once the server has located the endpoint on the public internet. This may cause problems if your VCS Expressway is located within a DMZ (i.e. there is a firewall between the VCS Expressway and the public internet) as you will not be able to specify in advance rules that will allow you to connect out to the endpoint’s ports.
You can however specify the ports on the VCS Expressway that will be used for calls to and from endpoints on the public internet so that your firewall administrator can allow connections via these ports. The ports that can be configured for this purpose are:
H.323
•TCP/1720: signaling
•UDP/1719: signaling
•
•
SIP
•TCP/5061: signaling
•UDP/5060 (default): signaling
•
•TCP: a temporary port in the range
STUN
•3478/UDP (default): STUN Discovery
•4678/UDP (default): STUN Relay
•
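
As an added example (not from the TANDBERG guide), the Python sketch below turns the defaults given for traversal server zones, Assent and H.460.18/19 into a vendor-neutral list of outbound ports to allow between a VCS Control and the VCS Expressway, and rejects zone ports that are not unique. The zone names, the function names and the single `protocol` switch applied to all zones are assumptions made for illustration.

```python
from dataclasses import dataclass

# Default VCS Expressway ports from this section: (protocol, port, purpose).
SIGNALING = {
    "assent": [("udp", 1719, "RAS"), ("tcp", 2776, "H.225/H.245")],
    "h460": [("udp", 1719, "RAS"), ("tcp", 1720, "H.225"), ("tcp", 2777, "H.245")],
}
MEDIA = [("udp", 2776, "RTP media"), ("udp", 2777, "RTCP media control")]

@dataclass(frozen=True)
class Zone:
    name: str       # hypothetical label for a traversal server zone
    h323_port: int  # UDP port for the initial H.323 connection
    sip_port: int   # TCP port for the initial SIP connection

def default_zones(names):
    """Defaults: H.323 from UDP/6001 and SIP from TCP/7001, +1 per new zone."""
    return [Zone(n, 6001 + i, 7001 + i) for i, n in enumerate(names)]

def port_clashes(zones):
    """Return one message per port shared by two traversal server zones."""
    owner, clashes = {}, []
    for z in zones:
        for key in (("udp", z.h323_port), ("tcp", z.sip_port)):
            if key in owner:
                clashes.append(f"{key[0].upper()}/{key[1]}: {owner[key]} and {z.name}")
            owner.setdefault(key, z.name)
    return clashes

def outbound_rules(zones, protocol="assent", direct_registrations=False, alternates=False):
    """Ports to allow outbound from a VCS Control to the VCS Expressway."""
    clashes = port_clashes(zones)
    if clashes:
        raise ValueError("zone ports must be unique: " + "; ".join(clashes))
    rules = set(MEDIA)
    for z in zones:
        rules.add(("udp", z.h323_port, f"H.323 initial connection ({z.name})"))
        rules.add(("tcp", z.sip_port, f"SIP initial connection and signaling ({z.name})"))
    for rule in SIGNALING[protocol]:
        # UDP/1719 is only required with direct registrations or Alternates.
        if rule[:2] != ("udp", 1719) or direct_registrations or alternates:
            rules.add(rule)
    return sorted(rules, key=lambda r: (r[1], r[0]))

if __name__ == "__main__":
    for proto, port, purpose in outbound_rules(default_zones(["ZoneA", "ZoneB"])):
        print(f"allow out {proto.upper()}/{port:<5} {purpose}")
```

The output is a rule list to hand to the firewall administrator, not syntax for any particular firewall product.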
D14049.03, MAY 2008