IX System Ports and Protocols
Revised: May 11, 2017
Overview
Immersive Cisco TelePresence Systems are designed to be deployed on a converged IP network. Many enterprise customers rely on firewalls and/or Access Control Lists (ACLs) to protect the systems registered to Cisco Unified Communications Manager (Unified CM) from various sorts of malicious threats. ACLs are also frequently used to enforce Quality of Service (QoS) settings, including marking, shaping and policing traffic at various places in the network, such as at the access edge of a local area network (LAN), or at the intersection of a LAN and wide area network (WAN).
There are three key considerations for using Firewalls and/or Access Control Lists with Cisco TelePresence:
1. The specific TCP and UDP ports that need to be permitted between each component of the solution.
2. The audio and video media streams of a Cisco TelePresence meeting require significantly more bandwidth, and are far less tolerant of latency, jitter and loss, than a typical voice call. This must be taken into account when selecting specific router, switch, firewall and intrusion prevention system (IPS) platforms and evaluating their performance characteristics.
3. Firewalls that rely on Application Layer Inspection in order to dynamically open/close certain UDP ports may not support the specific SIP protocol implementation of Cisco TelePresence, or may not be able to inspect the contents of the application layer protocol because it is encrypted.
This document only addresses the first of the above three considerations. It provides the list of TCP and UDP ports used by Cisco TelePresence. It does not provide guidance on which router, firewall or IPS platforms or configurations customers should use. For more information about network design, refer to the Solution Reference Network Design (SRND) guides at https://www.cisco.com/go/ucsrnd. Use this document along with the information in the SRND guide for your Unified CM release.
Note: Customers are advised to thoroughly test Cisco TelePresence against their specific firewall, ACL, and IPS configurations before deploying them in production.
Ports and Protocols Used by the IX System
This chapter contains information about ports used by IX systems that are relevant to a firewall or ACL administrator. Ports used for internal system communication are not included in this appendix.
Table 7-1 Protocols and Ports Used by the IX System
| Protocol | Transport | Source (device: port) | Destination (device: port) | Description |
|---|---|---|---|---|
| CDP | N/A | IX codec: N/A | Switch: N/A | Advertises its existence to the upstream Cisco Catalyst Ethernet Switch to which it is attached and learns which Virtual LAN (VLAN) it should tag its packets with. Note: CDP is a layer-2 protocol and hence does not use TCP or UDP for transport. |
| DHCP | UDP | 0.0.0.0: 68 (IX codec: 68) | Broadcast: 67 | Requests an IP address from the DHCP server. Note: It is recommended to use static IP addressing instead of DHCP on every CTS endpoint. |
| DHCP | UDP | 0.0.0.0: 67 (DHCP: 67) | Broadcast: 68 | Sent by the DHCP server in response to a request for an IP address. |
| ICMP | N/A | ANY: N/A | ANY: N/A | ICMP may sometimes be used to determine whether a device is reachable (for example, ICMP echo request and response). ICMP unreachables may be sent by a device to indicate that a device or port is no longer reachable. ICMP time-exceeded may be sent by a device to indicate that the Time to Live (TTL) of a packet was exceeded. |
| NTP | UDP | IX codec: 123 | NTP: 123 | Synchronizes the hardware clock on the CTS with an NTP server. |
| DNS | UDP | IX codec: Ephemeral | DNS: 53 | Resolves hostnames to IP addresses. |
| HTTP | TCP | ANY: Ephemeral | IX codec: 80, 443 | Accesses the administrative web interface of the IX codec. Port 80 is automatically redirected to port 443. |
| HTTP | TCP | IX codec: Ephemeral | CUCM: 6970 | Downloads configuration and firmware files from the Cisco Unified CM TFTP service. Note: The IX codec uses HTTP instead of TFTP for accessing these files. |
| HTTP | TCP | IX codec: Ephemeral | CUCM: 8080 | Used by the Directories feature on the CTS Cisco Unified IP Phone user interface to search the Cisco Unified CM LDAP directory. |
| HTTP | TCP | IX codec: Ephemeral; CTS-Manager: Ephemeral | CTS-Manager: 8080, 8444; IX codec: 8081, 9501 | Uses XML/SOAP to coordinate meeting schedule and system operational status with CTS-Manager. When security is enabled, the CTS uses port 8444 on CTS-Manager and CTS-Manager uses port 9501 on the CTS (recommended). When security is not enabled, the CTS uses port 8080 on CTS-Manager and CTS-Manager uses port 8081 on the CTS. |
| HTTP | TCP | IX codec: Ephemeral | CTMS: 9501 | Uses XML between each CTS and the CTMS for in-meeting controls such as Site/Segment Switching and Meeting Lock/Unlock. |
| SSH | TCP | ANY: Ephemeral | IX codec: 22 | Accesses the IX codec administrative command-line interface (CLI). |
| SNMP | UDP | ANY: Ephemeral | IX codec: 161 | Receives SNMP queries from a management station. |
| SNMP | UDP | IX codec: Ephemeral | SNMP: 162 | Sends SNMP traps to a management station. |
| CAPF | TCP | IX codec: Ephemeral | CUCM: 3804 | Registers its Manufacturing Installed Certificate (MIC), or obtains a Locally Significant Certificate (LSC) from the Cisco Unified CM Certificate Authority Proxy Function (CAPF) service. |
| CTL | TCP | IX codec: Ephemeral | CUCM: 6970 and 2444 (see notes) | Downloads the Certificate Trust List (CTL) from the Cisco Unified CM Certificate Trust List (CTL) Provider service. When downloading the CTL, port 2444 is used. |
| SIP | UDP | IX codec: Ephemeral | CUCM: 5060 | Used for registration and call signaling between the CTS and Cisco Unified CM. Can be one of the following: UDP port 5060; TCP port 5060; TCP port 5061 if SIP over TLS is enabled (recommended). |
| SIP | TCP | IX codec: Ephemeral | CUCM: 5060, 5061 | See the SIP (UDP) row above. |
| RTP | UDP | IX codec: 16384 – 32768 | ANY: ANY | Sends and receives audio and video media. |
| XML-RPC | TCP | IX codec: Ephemeral | Phone: 61456 | Autostarts the MIDlet phone user interface (UI). |
| XML-RPC | TCP | Phone: Ephemeral | IX codec: 61457 | Sends notifications to the MIDlet phone UI. |
| XML-RPC | TCP | Phone: Ephemeral | IX codec: 61458 | Receives notifications from the MIDlet phone UI. |
Ports and Protocols Used by Cisco TelePresence Server
Table 7-2 provides you with a list of the ports used by the Cisco TelePresence Server.
Note: This table provides the default list for a Cisco TelePresence Server MSE 8710. The following TelePresence Server products do not use the FTP or H.323 ports:
- Cisco TelePresence Server on Multiparty Media 3 x 0
- Cisco TelePresence Server on Virtual Machine
Table 7-2 Protocols and Ports Used for Cisco TelePresence Server
| Protocol | Transport | Port | Description |
|---|---|---|---|
| HTTP | TCP | 80 | HTTP port |
| HTTPS | TCP | 443 | HTTPS port |
| H.323 | TCP | 1720 | Incoming port for H.323 |
| SIP (TCP) | TCP | 5060 | SIP port |
| Encrypted SIP (TLS) | TCP | 5061 | Encrypted SIP port |
| FTP | TCP | 21 | FTP port |
| SIP (UDP) | UDP | 5060 | Encrypted SIP port |
| N/A | N/A | 49152-65535 | Ephemeral ports |
Ports and Protocols Used by Cisco TelePresence Multipoint Switch (CTMS)
Table 7-3 contains information about the Cisco TelePresence Multipoint Switch.
Table 7-3 Cisco TelePresence Multipoint Switch
| Protocol | Transport | Source (device: port) | Destination (device: port) | Description |
|---|---|---|---|---|
| CDP | N/A | N/A | N/A | Advertises its existence to the upstream Cisco Catalyst Ethernet Switch to which it is attached. Note: CDP is a layer-2 management protocol and hence does not use TCP or UDP. |
| DHCP | UDP | 0.0.0.0: 68 (CTMS: 68) | Broadcast: 67 | Requests an IP address from the DHCP server. Note: It is recommended to use static IP addressing instead of DHCP. |
| DHCP | UDP | 0.0.0.0: 67 (DHCP: 67) | Broadcast: 68 | Sent by the DHCP server in response to a request for an IP address. |
| ICMP | N/A | ANY: N/A | ANY: N/A | ICMP may sometimes be used to determine whether a device is reachable (for example, ICMP echo request and response). ICMP unreachables may be sent by a device to indicate that a device or port is no longer reachable. ICMP time-exceeded may be sent by a device to indicate that the Time to Live (TTL) of a packet was exceeded. |
| NTP | UDP | CTMS: 123 | NTP: 123 | Synchronizes the hardware clock on the CTMS with an NTP server. |
| DNS | UDP | CTMS: Ephemeral | DNS: 53 | Resolves hostnames to IP addresses. |
| HTTP | TCP | CTMS: Ephemeral; CTS-Manager: Ephemeral | CTS-Manager: 8080, 8444; CTMS: 8080, 8444 | Uses XML/SOAP over HTTP or HTTPS to coordinate meeting schedule and system operational status between CTS-Manager and the CTMS. When security is enabled, the CTMS uses port 8444 on CTS-Manager and CTS-Manager uses port 8444 on the CTMS (recommended). When security is not enabled, the CTMS uses port 8080 on CTS-Manager, and CTS-Manager uses port 8080 on the CTMS. |
| HTTP | TCP | ANY: Ephemeral | CTMS: 80, 443 | Accesses the CTMS administrative web interface. Port 80 is automatically redirected to port 443. |
| HTTP | TCP | IX codec: Ephemeral | CTMS: 9501 | Uses XML between each CTS and the CTMS for in-meeting controls such as Site/Segment Switching and Meeting Lock/Unlock. This port is the same for both secure and non-secure modes. |
| SSH | TCP | ANY: Ephemeral | CTMS: 22 | Accesses the CTMS administrative command-line interface (CLI). |
| SNMP | UDP | ANY: Ephemeral | CTMS: 161 | Receives SNMP queries from a management station. |
| SNMP | UDP | CTMS: Ephemeral | SNMP: 162 | Sends SNMP traps to a management station. |
| SIP | UDP | CTMS: Ephemeral | CUCM: 5060, 5061 | Used for call signaling with Cisco Unified CM. When security is not enabled, use UDP or TCP port 5060. When security is enabled, use UDP or TCP. Note: Unlike the CTS endpoints, which always initiate the SIP TCP socket to Cisco Unified CM, in the case of CTMS either side can initiate the connection. |
| SIP | UDP | CUCM: Ephemeral | CTMS: 5060, 5061 | See the first SIP row. |
| SIP | TCP | CTMS: Ephemeral | CUCM: 5060, 5061 | See the first SIP row. |
| SIP | TCP | CUCM: Ephemeral | CTMS: 5060, 5061 | See the first SIP row. |
| RTP | UDP | CTMS: 16384 – 32768 | ANY: ANY | Sends and receives audio and video media. |
Ports and Protocols Used for Cisco IOS IP Service Level Agreements (IPSLA)
Cisco IOS IP Service Level Agreements (IPSLA) is commonly used prior to the installation of Cisco TelePresence to measure and assess the network path.
Table 7-4 lists the specific ports relevant to the IPSLA UDP Jitter probe operation used to conduct Cisco TelePresence Network Path Assessment (NPA) testing. The term “Agent” refers to the router that generates the IPSLA test packets, and “Responder” refers to the router that replies to those requests. “Both” means that either the Agent or the Responder could generate such a packet.
Note: Table 7-4 provides the ports most commonly used by IPSLA Agent and IPSLA Responder routers. Because IPSLA runs on Cisco IOS, those routers may use other ports for communication as well.
Table 7-4 Cisco IOS IP Service IPSLA Support
| Protocol | Transport | Source (device: port) | Destination (device: port) | Description |
|---|---|---|---|---|
| CDP | N/A | N/A | N/A | Advertises its existence to the upstream Cisco Catalyst Ethernet Switch to which it is attached. Note: CDP is a layer-2 management protocol and hence does not use TCP or UDP. |
| ICMP | N/A | ANY: N/A | ANY: N/A | ICMP may sometimes be used to determine whether a device is reachable (for example, ICMP echo request and response). ICMP unreachables may be sent by a device to indicate that a device or port is no longer reachable. ICMP time-exceeded may be sent by a device to indicate that the Time to Live (TTL) of a packet was exceeded. |
| NTP | UDP | Both: 123 | NTP: 123 | Synchronizes the hardware clock on the Cisco IOS IPSLA router with an NTP server. |
| DNS | UDP | Both: Ephemeral | DNS: 53 | Resolves hostnames to IP addresses. |
| SSH | TCP | ANY: Ephemeral | Both: 22 | Accesses the Cisco IOS IPSLA router administrative command-line interface (CLI). |
| SNMP | UDP | ANY: Ephemeral | Both: 161 | Receives SNMP queries from a management station. |
| SNMP | UDP | Both: Ephemeral | ANY: 162 | Sends SNMP traps to a management station. |
| IPSLA | UDP | Agent: Ephemeral | Responder: 1967 | Signals a new IPSLA operation between the Agent and the Responder. |
| RTP | UDP | Agent: Ephemeral | Responder: 16384 – 32768 (configurable) | Sends audio and video media from the Agent to the Responder. The Responder then returns these packets to the Agent. The specific destination UDP ports can be defined in the IPSLA Agent configuration. |
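As an added example (not Cisco code or anything from this document), the following Python turns a subset of Table 7-1 (IX codec) and Table 7-4 (IPSLA Agent/Responder) into an allowlist, matches candidate flows against it with implicit deny, and audits a policy for companion ports the tables imply (80 redirects to 443; SIP over TLS on 5061 is the recommended companion of 5060). The device names are taken from the tables; the numeric ephemeral range is an assumption, since the tables only say "Ephemeral".

```python
from dataclasses import dataclass
from typing import Optional

ANY_PORT = range(0, 65536)
EPHEMERAL = range(1024, 65536)   # assumption: the tables say only "Ephemeral"

def port(n: int) -> range:
    return range(n, n + 1)

@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp" or "udp"; CDP and ICMP carry no port and are omitted
    src: str          # device name as written in the table, or "ANY"
    src_ports: range
    dst: str
    dst_ports: range
    note: str

# Constructed subset of Table 7-1 (IX codec) and Table 7-4 (IPSLA)
RULES = [
    Rule("tcp", "ANY", EPHEMERAL, "IX codec", port(22), "SSH CLI"),
    Rule("tcp", "ANY", EPHEMERAL, "IX codec", port(80), "admin web UI; redirected to 443"),
    Rule("tcp", "ANY", EPHEMERAL, "IX codec", port(443), "admin web UI"),
    Rule("tcp", "IX codec", EPHEMERAL, "CUCM", port(6970), "config/firmware download"),
    Rule("tcp", "IX codec", EPHEMERAL, "CUCM", port(3804), "CAPF"),
    Rule("tcp", "IX codec", EPHEMERAL, "CUCM", port(2444), "CTL download"),
    Rule("tcp", "IX codec", EPHEMERAL, "CUCM", port(5060), "SIP, cleartext"),
    Rule("tcp", "IX codec", EPHEMERAL, "CUCM", port(5061), "SIP over TLS (recommended)"),
    Rule("udp", "IX codec", range(16384, 32769), "ANY", ANY_PORT, "RTP media"),
    Rule("udp", "Agent", EPHEMERAL, "Responder", port(1967), "IPSLA control"),
    Rule("udp", "Agent", EPHEMERAL, "Responder", range(16384, 32769), "IPSLA UDP jitter probe"),
]

def match(proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[Rule]:
    """Return the first table row that permits this flow, or None (implicit deny).
    Source ports are checked too: a flow from a well-known source port never matches."""
    for r in RULES:
        if (r.proto == proto.lower() and r.src in ("ANY", src) and sport in r.src_ports
                and r.dst in ("ANY", dst) and dport in r.dst_ports):
            return r
    return None

def audit(permitted: set) -> list:
    """Flag (device, port) pairs whose companion port from the tables is missing:
    80 alone is useless because it redirects to 443, and 5060 without 5061
    leaves no path for the recommended SIP over TLS."""
    companions = {("IX codec", 80): 443, ("CUCM", 5060): 5061}
    return [f"{dev}:{p} is permitted but {c} is not"
            for (dev, p), c in companions.items()
            if (dev, p) in permitted and (dev, c) not in permitted]
```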