Cisco Expressway IP Port Usage Configuration Guide (X12.6)


Cisco Expressway IP Port Usage Configuration Guide
First Published: April 2017
Last Updated: June 2020
X12.6
Cisco Systems, Inc.
www.cisco.com

Preface

Change History

Table 1 Cisco Expressway IP Port Usage Configuration Guide Change History

Date | Change | Reason
June 2020 | Updated for X12.6 release. | X12.6
April 2020 | Correction: Fix entry for Tunneled media in Web Proxy for Meeting Server Port Reference table from port 443 to 3478. Also clarify that TLS as transport is the same thing as TCP in the context of this guide. | Correction
March 2020 | Correction: Add missing Webbridge signaling entries to Web Proxy for Meeting Server Port Reference table. | Correction
February 2020 | Correction: MRA connection for Headset Configuration file fixed to HTTPS/TLS. | Correction
December 2019 | Update: In the Point to Point Microsoft Interoperability Using Meeting Server diagram, show media paths both with and without Meeting Server load balancing. | Update
July 2019 | Update: Updated the MRA Connections for Headset Management. | Update
May 2019 | Update: NAT reflection is not needed for Web Proxy for CMS connection (only for standalone Expressways). | Update
February 2019 | Update: Added details on how to configure NAT reflection on firewall for Web Proxy for Meeting Server. | Update
January 2019 | Updated for X12.5 release. ACME certificates, SIP OAuth, and ICE passthrough for MRA. | X12.5
September 2018 | Update: Updated software version from X8.11 to X8.11.1 (version X8.11 withdrawn). | Update
August 2018 | Corrections: Errors in IM&P Federation with Microsoft Clients and Web Proxy for Cisco Meeting Server connections. | Corrections
July 2018 | Updated for X8.11 release. | X8.11
April 2018 | Corrections: Errors in SIP Edge for CMS media connections. | Corrections
December 2017 | Corrections: For SIP traversal calls, B2BUA on Expressway-C may need to make TURN requests to Expressway-E. | Corrections
November 2017 | Corrections: Errors in Web Proxy media connections. | Corrections
July 2017 | Updated for X8.10 release. TURN listening port configurable to 443. | X8.10
April 2017 | New document: New format for information previously held in Expressway IP Port Usage for Firewall Traversal. | New document

Related Documentation

Table 2 Links to Related Documents and Videos

Topic | Document
Support videos | Videos provided by Cisco TAC engineers about certain common Expressway configuration procedures are available on the Expressway/VCS Screencast Video List page
Installation - virtual machines | Cisco Expressway Virtual Machine Installation Guide on the Expressway installation guides page
Installation - physical appliances | Cisco Expressway CE1200 Appliance Installation Guide on the Expressway installation guides page
Basic configuration for registrar / single systems | Cisco Expressway Registrar Deployment Guide on the Expressway configuration guides page
Basic configuration for firewall traversal / paired systems | Cisco Expressway-E and Expressway-C Basic Configuration Deployment Guide on the Expressway configuration guides page
Administration and maintenance | Cisco Expressway Administrator Guide on the Expressway maintain and operate guides page; Cisco Expressway Serviceability Guide on the Expressway maintain and operate guides page
Clustering | Cisco Expressway Cluster Creation and Maintenance Deployment Guide on the Expressway configuration guides page
Certificates | Cisco Expressway Certificate Creation and Use Deployment Guide on the Expressway configuration guides page
Ports | Cisco Expressway IP Port Usage Configuration Guide on the Expressway configuration guides page
Unified Communications | Mobile and Remote Access Through Cisco Expressway on the Expressway configuration guides page
Cisco Meeting Server | Cisco Meeting Server with Cisco Expressway Deployment Guide on the Expressway configuration guides page; Cisco Meeting Server API Reference Guide on the Cisco Meeting Server programming guides page; other Cisco Meeting Server guides are available on the Cisco Meeting Server configuration guides page
Cisco Webex Hybrid Services | Hybrid services knowledge base
Cisco Hosted Collaboration Solution (HCS) | HCS customer documentation
Microsoft infrastructure | Cisco Expressway with Microsoft Infrastructure Deployment Guide on the Expressway configuration guides page; Cisco Jabber and Microsoft Skype for Business Infrastructure Configuration Cheatsheet on the Expressway configuration guides page
Rest API | Cisco Expressway REST API Summary Guide on the Expressway configuration guides page (high-level information only, as the API is self-documented)
Multiway Conferencing | Cisco TelePresence Multiway Deployment Guide on the Expressway configuration guides page

Contents

Preface
  Change History
  Related Documentation
How to Use This Guide
  Firewall Configuration
  Default Port Ranges
Basic Networking Connections
  Basic Networking: Expressway
  Networking Port Reference: Expressway
  Basic Networking: Traversal Pair
  Networking Port Reference: Expressway Traversal Pair
Clustering Connections
  Cluster Connections Before X8.8
  Cluster Port Reference Before X8.8
  Cluster Connections X8.8 Onwards
  Cluster Port Reference X8.8 Onwards
Provisioning, Registrations, Authentication, and Calls
  SIP Calls
  SIP Calls Port Reference
  H.323 Calls
  H.323 Calls Port Reference
  TMS Connections
  TMS Port Reference
  LDAP Connections
  LDAP Port Reference
Mobile and Remote Access
  MRA Connections
  MRA Port Reference
Jabber Guest Services
  Jabber Guest: Dual NIC Deployment
  Jabber Guest: Dual NIC Deployment Ports
  Jabber Guest: Single NIC Deployment
  Jabber Guest: Single NIC Deployment Ports
Microsoft Interoperability Using Gateway Expressway
  On-Premises Microsoft Clients
  Off-Premises Microsoft Clients
  Expressway with Microsoft Infrastructure Port Reference
IM&P Federation with Microsoft Clients
  IM and Presence Service Federation with Microsoft Connections
  IM&P Federation with Microsoft Clients Port Reference
Cisco Meeting Server
  Web Proxy for Cisco Meeting Server Connections
  Web Proxy for Cisco Meeting Server Port Reference
  SIP Edge for Meeting Server Connections (Standards-based Endpoints)
  SIP Edge for Cisco Meeting Server Port Reference (Standards-based Endpoints)
  SIP Edge for Meeting Server Connections (Microsoft Clients)
  SIP Edge for Cisco Meeting Server Port Reference (Microsoft Clients)
  Connection Map: Point to Point Microsoft Interoperability Using Meeting Server
  Port Reference: Point to Point Microsoft Interoperability Using Meeting Server
XMPP Federation
  XMPP Federation Connections
  XMPP Port Reference
Serviceability
  Serviceability: Expressway-C
  Serviceability: Traversal Pair
  Serviceability Ports: Traversal Pair
ACME Certificate Management
  ACME Certificate Management Connections
  Expressway-E ACME Port Reference
Cisco Legal Information
  Cisco Trademark

How to Use This Guide

The purpose of this guide is to help you configure and troubleshoot connections between infrastructure components related to Expressway deployments.

There is a section for each of the popular Expressway deployments. Each has a diagram showing the major infrastructure components and the connections between them, and also lists the connections in a table format.

The deployments build on each other where necessary. For example, if you want to implement Mobile and Remote Access (MRA), you first configure a traversal pair. These relationships are described in the relevant deployment guides.

References in the guide to TLS (Transport Layer Security) as the transport, in the context of Expressway, effectively mean the same thing as the underlying TCP transport protocol on which TLS is built.

Firewall Configuration

Here are some points to keep in mind when you are configuring your firewalls to permit the connections described in this document:

- If you have a cluster of Expressways, ensure that the destination ports to the public IP address of each Expressway peer are open on the external firewall.
- Sometimes there are different connection types that could be used to achieve the same task. You do not always need to open every port shown in the diagrams and tables. We recommend that you close any that you are not using. For example, if your web administration port is TCP 7443 but you only ever use SSH to configure the Expressway, you can close 7443 and leave TCP 22 open. Management ports should only be open to connections originating from inside the network.
- Some firewalls actively close connections that appear inactive, which could interfere with the operation of your video infrastructure. For example, TCP port 1720 is used for H.323 call signaling but may be inactive during the call. If the firewall prematurely closes this connection, the H.323 endpoint could interpret that as a dropped call and respond by tearing down the call. We recommend extending inactivity timeouts on the known ports to at least two hours, particularly if you are seeing calls fail after a specific duration.
- Firewalls that contain an ALG (Application Layer Gateway) for the SIP / H.323 protocols may not work as expected with Expressway-E. We strongly recommend that you disable SIP or H.323 ALG inspection / awareness on the NAT firewall. We may not be able to support your configuration if you cannot make this change.
- In some deployments, media packets can hairpin on the Expressway-E external NIC. Some firewalls cannot allow for hairpinning, and mistrust packets that are destined to their own source. We recommend configuring an exception to allow hairpinning on the Expressway-E public interface, if your deployment requires it.
- If you want to use the static NAT feature of Expressway-E, we strongly recommend using two NICs. Dedicating one NIC to the external interface and the other to the internal interface is much better for your network than using one NIC with static NAT enabled.

Default Port Ranges

The following defaults are used throughout this document. Default port ranges may occasionally change (if unavoidable) as new features are developed. Our documents list the current default ports for the given version number.

Note: In some cases throughout this document we list port ranges used by third-party infrastructure. These are default values and we cannot guarantee that they are correct for your environment. We recommend you follow the supplier's documentation to configure those connections.

Table 3 Default Port Ranges on Expressway

Protocol | Purpose | Port range | Notes
TCP | Ephemeral ports | 1024-65535 | Outbound HTTP/S, LDAP
UDP | Ephemeral ports | 1024-65535 | DNS, outbound TURN requests
TCP | Ephemeral ports | 30000-35999 |
UDP | Ephemeral ports | 30000-35999 |
TCP | Outbound SIP | 25000-29999 |
UDP & TCP | Inbound TURN requests on Small/Medium Expressway-E | 3478 | On Expressway-E only. Configurable to 443 or any port ≥ 1024.
UDP & TCP | Inbound TURN requests on Large Expressway-E | 3478-3483 | On Large Expressway-E only. Configurable to a six-port range with first port ≥ 1024. Configurable to a single port if port multiplexing is enabled. For more information on TURN port multiplexing, see the Expressway Administrator Guide.
TCP | Inbound TCP TURN request on Cisco Expressway-E | 443 | On Expressway-E only, if the TCP 443 TURN service is enabled.
UDP | TURN relays | 24000-29999 | On Expressway-E only.
UDP | RTP/RTCP media | 36000-59999 | The range is configurable within the default bounds, e.g. 37000-38200, but not 35000-36200. On S/M Expressway, the first two ports can be used for multiplexed media if you do not use default/custom ports. On L Expressway, the first twelve ports of the range are used for multiplexed media. You cannot customize that subrange.
UDP | Multiplexed media on Small/Medium Expressway-E systems | 2776/2777 or 36000/36001 | 2776/2777 is the older pair but is kept as the default, with the ability to customize, from when the new default range was introduced with the S/M system options. The custom pair is defined on Configuration > Traversal > Ports. On Expressway-E only. Note: In the connection maps and port references we do not show all the port options, for the sake of clarity. For example, if the diagram shows 2776/2777 but you have chosen to use 36000/36001 instead, then you don't need to also open 2776/2777.
UDP | Multiplexed media on Large Expressway-E systems | 36000-36011 | New range introduced with the Large system option. This range is always the first twelve ports of the RTP/RTCP media range, so it will be different if you configure a different media range. On Expressway-E Large OVAs or large-scale appliances only. Note: In the connection maps and port references we do not show all the port options, for the sake of clarity. For example, if the diagram shows 2776/2777 but you have a Large Expressway, then you should open the first twelve ports of the media range instead of 2776/2777.
TCP | SIP traversal | 7001 | Configurable. SIP listening port on the first Expressway-E traversal server zone. Subsequent traversal server zones use incremental port numbers, e.g. 7002, by default.
UDP | H.323 traversal | 6001 | Configurable. H.323 listening port on the first Expressway-E traversal server zone. Subsequent traversal server zones use incremental port numbers, e.g. 6002, by default.
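As an added example (not Cisco code or tooling), the following Python models the Expressway-E entries of Table 3: it checks a custom RTP/RTCP media range against the default bounds, derives the multiplexed media ports for each system size, and builds the inbound allow-list for the public interface, rendered as nftables rules. The interface name and the nftables output format are assumptions for illustration.

```python
"""Added example, not Cisco code: a model of the Expressway-E default port
ranges from Table 3. It validates a custom media range, derives the
multiplexed media ports per system size and builds the inbound allow-list
for the public interface. Interface name and nft rendering are assumed."""
from dataclasses import dataclass

MEDIA_DEFAULT = (36000, 59999)   # UDP RTP/RTCP media
TURN_RELAYS = (24000, 29999)     # UDP TURN relays, Expressway-E only
LEGACY_MUX_PAIR = (2776, 2777)   # older Small/Medium multiplexed media pair
TURN_DEFAULT = 3478              # inbound TURN requests


@dataclass(frozen=True)
class Rule:
    proto: str            # "udp" or "tcp"
    ports: tuple          # (first, last), inclusive
    purpose: str


def media_range_ok(first, last, size="large"):
    """A custom media range must lie inside the default bounds (the guide
    allows 37000-38200 but not 35000-36200) and must still hold the ports
    reserved for multiplexed media: twelve on Large, two on Small/Medium."""
    lo, hi = MEDIA_DEFAULT
    needed = 12 if size == "large" else 2
    return lo <= first <= last <= hi and last - first + 1 >= needed


def multiplexed_media_ports(size, media_range=MEDIA_DEFAULT, legacy_pair=False):
    """Small/Medium: 2776/2777 (older pair, still the default) or the first
    two ports of the media range. Large: always the first twelve ports of
    the media range, so the subrange moves when the range is customized."""
    first, _ = media_range
    if size == "large":
        return tuple(range(first, first + 12))
    if size in ("small", "medium"):
        return LEGACY_MUX_PAIR if legacy_pair else (first, first + 1)
    raise ValueError(f"unknown system size {size!r}")


def inbound_public_rules(size, media_range=MEDIA_DEFAULT, turn_port=TURN_DEFAULT,
                         turn_tcp_443=False, legacy_pair=False):
    """Inbound allow-list for the Expressway-E public interface, built from
    the Table 3 defaults only. Management ports (22/80/443) are deliberately
    absent: the guide says they should be reachable from inside only."""
    if not media_range_ok(*media_range, size=size):
        raise ValueError(f"media range {media_range} is outside {MEDIA_DEFAULT}")
    # S/M may listen on 443 or any port >= 1024; Large needs a six-port range from >= 1024
    if turn_port < 1024 and not (turn_port == 443 and size != "large"):
        raise ValueError("TURN port must be >= 1024 (or 443 on Small/Medium)")
    span = 6 if size == "large" else 1
    rules = [Rule(p, (turn_port, turn_port + span - 1), "Inbound TURN requests")
             for p in ("udp", "tcp")]
    if turn_tcp_443 and turn_port != 443:
        rules.append(Rule("tcp", (443, 443), "Inbound TCP TURN request"))
    rules.append(Rule("udp", TURN_RELAYS, "TURN relays"))
    rules.append(Rule("udp", media_range, "RTP/RTCP media"))
    mux = multiplexed_media_ports(size, media_range, legacy_pair)
    if mux[0] < media_range[0]:   # the older pair sits outside the media range
        rules.append(Rule("udp", (mux[0], mux[-1]), "Multiplexed media (older pair)"))
    return rules


def to_nft(rules, iface="eth0"):
    """Render the rules as nftables statements (interface name is assumed)."""
    out = []
    for r in rules:
        a, b = r.ports
        ports = str(a) if a == b else f"{a}-{b}"
        out.append(f'iifname "{iface}" {r.proto} dport {ports} accept comment "{r.purpose}"')
    return out


if __name__ == "__main__":
    for line in to_nft(inbound_public_rules("large", turn_tcp_443=True)):
        print(line)
```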

Basic Networking Connections

Basic Networking: Expressway

Networking Port Reference: Expressway

Table 4 Basic Networking Ports for Expressway-C

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
Administrator SSH | Admin PCs | 1024-65535 | TCP | Expressway-C | 22
Administrator HTTP * | Admin PCs | 1024-65535 | TCP | Expressway-C | 80
Administrator HTTPS | Admin PCs | 1024-65535 | TCP | Expressway-C | 443
Name resolution (DNS) | Expressway-C | 30000-35999 | UDP & TCP † | Internal name server | 53
Time synchronization (NTP) | Expressway-C | 123 | UDP | Internal time server | 123

* Expressway redirects HTTP to HTTPS by default. You don't need to open the HTTP port, but you can allow HTTP for convenience and redirect to HTTPS.
† Expressway will attempt DNS resolution over TCP if the response is too large.

Basic Networking: Traversal Pair

Networking Port Reference: Expressway Traversal Pair

Table 5 Basic Networking Ports for Expressway-C

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
Administrator SSH | Admin PCs | 1024-65535 | TCP | Expressway-C | 22
Administrator HTTP * | Admin PCs | 1024-65535 | TCP | Expressway-C | 80
Administrator HTTPS | Admin PCs | 1024-65535 | TCP | Expressway-C | 443
Name resolution (DNS) | Expressway-C | 30000-35999 | UDP & TCP † | Internal name server | 53
Time synchronization (NTP) | Expressway-C | 123 | UDP | Internal time server | 123

* Expressway redirects HTTP to HTTPS by default. You don't need to open the HTTP port, but you can allow HTTP for convenience and redirect to HTTPS.
† Expressway will attempt DNS resolution over TCP if the response is too large.

Table 6 Basic Networking Ports for Expressway-E

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
Administrator SSH | Admin PCs | 1024-65535 | TCP | Expressway-E private IP | 22
Administrator HTTP | Admin PCs | 1024-65535 | TCP | Expressway-E private IP | 80
Administrator HTTPS | Admin PCs | 1024-65535 | TLS | Expressway-E private IP | 443
Internal name resolution (DNS) * | Expressway-E private IP | 30000-35999 | UDP & TCP | Internal name server | 53
External name resolution (DNS) | Expressway-E public IP | 30000-35999 | UDP & TCP | External name server | 53
Internal time synchronization (NTP) * | Expressway-E private IP | 123 | UDP | Internal time server | 123
External time synchronization (NTP) | Expressway-E public IP | 123 | UDP | External time server | 123

* You may prefer to connect Expressway-E to external DNS and NTP. You do not need both.

Clustering Connections

Cluster Connections Before X8.8

Cluster Port Reference Before X8.8

Table 7 Cluster Synchronization and Communications

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
Cluster database synchronization (IPSec AH) | This peer | N/A | 51 | Other peers | N/A
Key exchange between peers (ISAKMP) | This peer | 500 | UDP | Other peers | 500
Cluster recovery | This peer | 30000-35999 | UDP | Other peers | 4371
Cluster … | … | … | … | … | 80
Bandwidth management (Expressway-C cluster only) | This peer | 1719 | UDP | Other peers | 1719

Cluster Connections X8.8 Onwards

Cluster Port Reference X8.8 Onwards

Table 8 Expressway-C Cluster Database Synchronization and Communications

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
Cluster recovery | This peer | 30000-35999 | TCP | Other peers | 4371
Cluster communication | This peer | 30000-35999 | TLS | Other peers | 4372
Bandwidth management | This peer | 1719 | UDP | Other peers | 1719

Table 9 SIP Calls Routed Between Peers (not shown on diagram)

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
SIP TCP signaling | This peer | 25000-29999 | TCP | Other peers | 5061
SIP TLS signaling | This peer | 25000-29999 | TLS | Other peers | 5061
RTP/RTCP | This peer | 36000-59999 | UDP | Other peers | 36000-59999
Bandwidth management | This peer | 1719 | UDP | Other peers | 1719

Provisioning, Registrations, Authentication, and Calls

This section covers: SIP Calls, SIP Calls Port Reference, H.323 Calls, H.323 Calls Port Reference, TMS Connections, TMS Port Reference, LDAP Connections, LDAP Port Reference.

SIP Calls

SIP Calls Port Reference

Table 10 SIP Calls Port Reference

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
SIP signaling | Expressway-C | 25000-29999 | TCP or TLS | Expressway-E | 7001 (for first traversal zone; 7002 for second, etc.)
SIP signaling | Expressway-C | 5060 | UDP | SIP endpoint | 5060 (often, but could be different, ≥ 1024). Port number defined by registration (if registered) or by DNS lookup.
SIP signaling | Expressway-C | 25000-29999 | TCP or TLS | SIP endpoint | ≥ 1024. Port number defined by registration (if registered) or by DNS lookup.
SIP signaling | Expressway-E | 25000-29999 | TCP or TLS | SIP endpoint (or its firewall) | ≥ 1024. Port number defined by registration (if registered) or by DNS lookup.
SIP signaling | SIP endpoint (or its firewall) | ≥ 1024 | UDP | Expressway-E | 5060. SIP UDP is disabled by default. Not recommended for internet-facing connections.
SIP signaling | SIP endpoint (or its firewall) | ≥ 1024 | TCP | Expressway-E | 5060. SIP TCP is disabled by default (X8.9.2 and later).
SIP signaling | SIP endpoint (or its firewall) | ≥ 1024 | TLS | Expressway-E | 5061
SIP signaling | SIP endpoint (or its firewall) | ≥ 1024 | MTLS | Expressway-E | 5062
Assent RTP (traversed media) | Expressway-C | 36000-59999 | UDP | Expressway-E | 2776 or 36000 (Small/Medium); 36000-36010 (even ports) (Large)
Assent RTCP (traversed media) | Expressway-C | 36000-59999 | UDP | Expressway-E | 2777 or 36001 (Small/Medium); 36001-36011 (odd ports) (Large)
Assent RTP (traversed media) | SIP endpoint (or its firewall) | ≥ 1024 (could be the firewall port where the media egressed, rather than an endpoint port) | UDP | Expressway-E | 36000-59999
Assent RTCP (traversed media) | SIP endpoint (or its firewall) | ≥ 1024 (could be translated by the firewall to the port where the media egressed, rather than an endpoint port) | UDP | Expressway-E | 36000-59999
Assent RTP (traversed media) | Expressway-E | 36000-59999 | UDP | SIP endpoint (or its firewall) | ≥ 1024. Expressway waits until it receives media, then sends media to that source port (which could be the port where the media egressed the firewall, not an endpoint port).
TURN control | Expressway-C | ≥ 1024 | UDP & TCP | Expressway-E | 3478 (Small/Medium); 3478-3483 (Large)
TURN control | Any IP address † | ≥ 1024 (signaling port from endpoint or the firewall) | UDP & TCP | Expressway-E | 3478 (Small/Medium); 3478-3483 (Large)
TURN media | Expressway-E | 24000-29999 | UDP & TCP | Any IP address ‡ | ≥ 1024. Port of relevant ICE candidate: host IP port, server reflexive port (outside firewall port), or TURN server port.
TURN media | Any IP address ‡ | ≥ 1024 | UDP & TCP | Expressway-E | 24000-29999

† The request could be from any IP address, unknown to the TURN server. Assume, for example, that endpoint A and endpoint C (TURN clients) can use the Expressway-E TURN server. The actual IP address from which the TURN server receives the request could be the endpoint's firewall egress address (NATed).
‡ The media could go to any of the candidate addresses. For example, before ICE negotiation the TURN server does not know which of endpoint B's candidate addresses will be the highest priority.

H.323 Calls

Note: The source port from which an H.323 endpoint sends requests cannot be determined at the Expressway side, as it depends on the local configuration for the endpoint.

H.323 Calls Port Reference

Note: The source port from which an H.323 endpoint sends requests cannot be determined at the Expressway side, as it depends on the local configuration for the endpoint.

Table 11 H.323 Ports Reference

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
Initial RAS connection | Registered endpoint in the Internet | 1719 | UDP | Expressway-E (public) | 1719
Initial RAS connection | Expressway-E (public) | 1719 | UDP | Registered endpoint in the Internet | 1719
Initial RAS connection | External address of firewall protecting off-premises endpoint | ≥ 1024 | UDP | Expressway-E (public) | 1719
Initial RAS connection | Expressway-C | 1719 | UDP | Expressway-E (private) | 6001 (for first traversal zone, 6002 for second, etc.)
Q.931 / H.225 signaling | Any (endpoint in the Internet) | 1720 | TCP | Expressway-E (public) | 1720
Q.931 / H.225 signaling | External address of firewall protecting off-premises Assent endpoint | ≥ 1024 | TCP | Expressway-E (public) | 2776
Q.931 / H.225 signaling | External address of firewall protecting off-premises H.460.18/19 endpoint | ≥ 1024 | TCP | Expressway-E (public) | 1720
Q.931 / H.225 signaling | Expressway-E (public) | 15000-19999 | TCP | Any (endpoint in the Internet) | 1720 (endpoint signaling port, specified during registration; could be another port ≥ 1024)
Q.931 / H.225 signaling | Expressway-C | 15000-19999 | TCP | Expressway-E (private) | 2776 (Assent calls)
Q.931 / H.225 signaling | Expressway-C | 15000-19999 | TCP | Expressway-E (private) | 1720 (H.460.18 calls)
H.245 | Expressway-C | 15000-19999 | TCP | Expressway-E (private) | 2776 (Assent calls)
H.245 | Expressway-C | 15000-19999 | TCP | Expressway-E (private) | 2777 (H.460.18 calls)
H.245 | Any (endpoint in the Internet) | ≥ 1024 | TCP | Expressway-E (public) | 15000-19999
H.245 | Expressway-E (public) | 15000-19999 | TCP | Any (endpoint in the Internet) | ≥ 1024 (endpoint H.245 signaling port)
H.245 | External address of firewall protecting off-premises Assent endpoint | ≥ 1024 | TCP | Expressway-E (public) | 2776
H.245 | External address of firewall protecting off-premises H.460.18/19 endpoint | ≥ 1024 | TCP | Expressway-E (public) | 2777
RTP (multiplexed traversal media) | … | … | … | Expressway-E (private) | 2776 (Small/Medium) or 36000-36010 (even ports) (Large)
RTCP (multiplexed traversal media) | … | … | … | Expressway-E (private) | 2777 (Small/Medium) or 36001-36011 (odd ports) (Large)
RTP (non-multiplexed traversal media) | … | … | … | Expressway-E (private) | 36000-59998 (even ports)
RTCP (non-multiplexed traversal media) | … | … | … | Expressway-E (private) | 36001-59999 (odd ports)
RTP (non-multiplexed) | Expressway-E (public) | 36000-59998 (even ports) | UDP | Any (endpoint in the Internet) | ≥ 1024 (endpoint media range)
RTCP (non-multiplexed) | Expressway-E (public) | 36001-59999 (odd ports) | UDP | Any (endpoint in the Internet) | ≥ 1024 (endpoint media range)
RTP (non-multiplexed) | Any (endpoint in the Internet) | ≥ 1024 (endpoint media range) | UDP | Expressway-E (public) | 36000-59998 (even ports)
RTCP (non-multiplexed) | Any (endpoint in the Internet) | ≥ 1024 (endpoint media range) | UDP | Expressway-E (public) | 36001-59999 (odd ports)
RTP (multiplexed traversal media) | External address of firewall protecting off-premises H.460 endpoint (multiplexed media) | ≥ 1024 | UDP | Expressway-E (public) | 2776 (Small/Medium) or 36000-36010 (even ports) (Large)
RTCP (multiplexed traversal media) | External address of firewall protecting off-premises H.460 endpoint (multiplexed media) | ≥ 1024 | UDP | Expressway-E (public) | 2777 (Small/Medium) or 36001-36011 (odd ports) (Large)
RTP (multiplexed traversal media) | External address of firewall protecting off-premises H.460 endpoint (non-multiplexed media) | ≥ 1024 | UDP | Expressway-E (public) | 36000-59998 (even ports)
RTCP (multiplexed traversal media) | External address of firewall protecting off-premises H.460 endpoint (non-multiplexed media) | ≥ 1024 | UDP | Expressway-E (public) | 36001-59999 (odd ports)

TMS Connections

TMS Port Reference

Cisco TMS can have two IP addresses: for managing public systems, or for managing systems on the LAN. On Cisco TMS, go to Administrative Tools > Configuration > Network Settings > Advanced Network Settings. You should use the TMS public address with the Expressway-E, and the default LAN address with the Expressway-C.

Table 12 TMS Port Reference

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
SNMP for discovery of Expressway-E | Cisco TMS External IP | 1024-65535 | UDP | Expressway-E private IP | 161
SNMP for discovery of Expressway-C | Cisco TMS | 1024-65535 | UDP | Expressway-C | 161
HTTP Management of Expressway-E | Cisco TMS External IP | 1024-65535 | TCP | Expressway-E private IP | 80
HTTP Management of Expressway-C | Cisco TMS | 1024-65535 | TCP | Expressway-E private IP | 80
HTTPS Management of Expressway-E | Cisco TMS External IP | 1024-65535 | TCP | Expressway-E private IP | 443
HTTPS Management of Expressway-C | Cisco TMS | 1024-65535 | TCP | Expressway-C | 443
Feedback events (HTTP) | Expressway-E private IP | 1024-65535 | TCP | Cisco TMS External IP | 80
Feedback events (HTTP) | Expressway-C | 1024-65535 | TCP | Cisco TMS | 80
Feedback events (HTTPS) | Expressway-E private IP | 1024-65535 | TCP | Cisco TMS External IP | 443
Feedback events (HTTPS) | Expressway-C | 1024-65535 | TCP | Cisco TMS | 443

LDAP Connections

LDAP Port Reference

You can choose to use an LDAP server to authenticate and authorize administrator or user logins. You would only need to allow the LDAP ports inbound from the Expressway-E in the rare case where you want a user to log in from outside the network and you also do not allow credentials to be stored on the Expressway.

Table 13 LDAP Port Reference

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
Authentication requests from the … | … | … | … | … | 389
Authentication requests from the … | … | … | … | …ry Server | 389
Encrypted authentication requests from … | … | … | … | …rver | 636
Encrypted authentication requests from … | … | … | … | …ctory Server | 636

Mobile and Remote Access

MRA Connections

MRA Port Reference

Table 14 ICE Passthrough Connections Between Off-premises Endpoints

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
RTP/RTCP (ICE … | … | … | … | …ff-premises endpoint † | …

† ICE passthrough calls are supported only between off-premises endpoints. Not supported between off-premises and on-premises endpoints.

Table 15 Connections Between Off-premises Endpoints and the Expressway-E

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
… | …int | 1024-65535 | TLS | Expressway-E Public IP | 8443
SIP … | … | … | … | Expressway-E Public IP | 5061
… | … | … | … | Expressway-E Public IP | 36000-59999
RTP/RTCP media | Expressway-E Public IP | 36000-59999 | UDP | Off-premises endpoint | 1024-65535
XMPP (IM and … | … | … | … | Expressway-E Public IP | 5222
TURN control (ICE passthrough) | Any IP address † | ≥ 1024 (signaling port from endpoint or the firewall) | UDP | Expressway-E | 3478 (Small/Medium); 3478-3483 (Large)
TURN media (ICE passthrough) | Any IP address ‡ | ≥ 1024. Port of relevant ICE candidate: host IP port, server reflexive port (outside firewall port), or TURN server port | UDP | Expressway-E | 24000-29999

† The request could be from any IP address, unknown to the TURN server. For example, assume that endpoint A and endpoint B (TURN clients) can use the Expressway-E TURN server. The actual IP address from which the TURN server receives the request could be the endpoint's firewall egress address (NATed).
‡ The media could go to any of the candidate addresses. For example, before ICE passthrough negotiation the TURN server does not know which of endpoint B's candidate addresses will be the highest priority.

Table 16 Connections Between Expressway-C and Expressway-E

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
SSH tunnels | Expressway-C | 30000-35999 | TLS | Expressway-E Private IP | 2222
SIP signaling | Expressway-C | 25000-29999 | TLS | Expressway-E Private IP | 7001
SIP media | Expressway-C | 36000-59999 | UDP | Expressway-E Private IP | 2776/7 or 36000-11
XMPP (IM and Presence) | Expressway-C | 30000-35999 | TCP | Expressway-E Private IP | 7400
TURN control | Expressway-C | ≥ 1024 | UDP & TCP | Expressway-E | 3478 (Small/Medium); 3478-3483 (Large)

Table 17 Connections Between Expressway-C and On-premises Infrastructure

Purpose | Src. IP | Src. ports | Protocol | Dest. IP | Dst. ports
SIP signaling (TCP) | Expressway-C | 25000-29999 | TCP | Unified CM | 5060 †
SIP signaling (TCP) | Unified CM | Ephemeral | TCP | Expressway-C | 5060
SIP signaling (TLS) | Expressway-C | 25000-29999 | TLS | Unified CM | 5061 *
SIP signaling (TLS) | Unified CM | Ephemeral | TLS | Expressway-C | 5061
SIP signaling (OAuth) | Expressway-C | 25000-29999 | TLS | Unified CM | 5091
SIP signaling (OAuth) | Unified CM | Ephemeral | TLS | Expressway-C | 5091
HTTP Configuration file download (TFTP) | Expressway-C | 30000-35999 | TCP | Unified CM Node | 6970
HTTPS Headset Configuration file download (TFTP) | Expressway-C | 30000-35999 | TLS | Unified CM | 6971
HTTPS Configuration file download (TFTP) | Expressway-C | 30000-35999 | TLS | Unified CM Node | 6972
… | Expressway-C | 30000-35999 | TLS | Unified CM Node | 443 or 8443

* (Pre 11.x Jabber and pre 1