IP Communications Required by the Cisco TelePresence Exchange System
This appendix contains the following sections:
• Firewall and Access List Considerations
• Ports that are Used Between Cisco TelePresence Exchange System Servers
• Administration Server Ports
• Call Engine Server Ports
• Database Server Ports
Firewall and Access List Considerations
The Cisco TelePresence Exchange System is a component of the Cisco Unified Communications suite and is designed to be deployed on a converged IP network. You can use access control lists (ACLs) and firewalls to secure IP communications between the servers in the Cisco TelePresence Exchange System and other solution components.
This appendix covers the specific TCP and UDP ports that you must allow between each server component (administration, call engine, and database) of the Cisco TelePresence Exchange System and the other solution components. Other solution components and resources used by the Cisco TelePresence Exchange System have their own security requirements and their own needs for IP communications with other devices. Those additional requirements are outside the scope of this appendix, but you must consider them if a firewall or ACL is used to further secure those devices.
When you install the Cisco TelePresence Exchange System, you place the administration, call engine, and database servers in a dedicated VLAN. Do not place any firewall (transparent or routed) between the administration, call engine, and database servers; doing so breaks the multicast communications between them. The Cisco TelePresence Exchange System servers implement an application firewall that restricts communication to each server. To view the application firewall rules, log in to the CLI of the server and enter the utils firewall ipv4 list command.
This appendix does not provide guidance on specific router, firewall, or IPS platforms or configurations you should use to secure IP communications between Cisco TelePresence Exchange System and other devices. We strongly recommend that you thoroughly test your Cisco TelePresence Exchange System components with your specific security configuration prior to deploying the configuration in a production deployment.
Note: Firewalls that rely on Application Layer Inspection in order to dynamically open or close certain UDP ports may not support the specific SIP protocol implementation used by Cisco TelePresence, or may not be able to inspect the contents of the application layer protocol because it is encrypted.
Ports that are Used Between Cisco TelePresence Exchange System Servers
Table F-1 lists the ports used between Cisco TelePresence Exchange System servers.
Caution: Do not place any firewall (transparent or routed) between the administration, call engine, and database servers. The Cisco TelePresence Exchange System servers share a dedicated VLAN and implement an application firewall that restricts communications.
Table F-1 Ports Required for Cisco TelePresence Exchange System Administration Server IP Communications

| Protocol | Transport | Source Device:Port | Destination Device:Port | Description |
|---|---|---|---|---|
| ActiveMQ | TCP | Administration:61616 | Administration, Call Engine, or Database:Ephemeral | Used by all Cisco TelePresence Exchange System servers to send events via the ActiveMQ Event Framework. |
| ActiveMQ | TCP | Administration, Call Engine, or Database:Ephemeral | Administration:61616 | Used by all Cisco TelePresence Exchange System servers to send events via the ActiveMQ Event Framework. |
| Zookeeper | TCP | Administration, Call Engine, or Database:Ephemeral | Administration, Call Engine, or Database:2888, 3888 | Used by Zookeeper. |
| Tomcat | TCP | Administration, Call Engine, or Database:Ephemeral | Administration, Call Engine, or Database:9010 | Used by the NodeManager WS API. |
| Corosync | UDP | Administration, Call Engine, or Database:Ephemeral | Administration, Call Engine, or Database:9999, 10000 | Used by Corosync. |
Administration Server Ports
Table F-2 lists the ports required by the administration server.
Table F-2 Ports Required for Cisco TelePresence Exchange System Administration Server IP Communications

| Protocol | Transport | Source Device:Port | Destination Device:Port | Description |
|---|---|---|---|---|
| CDP | N/A | Administration, Call Engine, or Database:N/A | Cisco Catalyst Switch:N/A | Used to advertise the existence of a server to the upstream Cisco Catalyst Ethernet Switch to which the server is attached and to learn which Virtual LAN (VLAN) it should use to tag packets. CDP is a layer 2 protocol and does not use TCP or UDP for transport. |
| ICMP | N/A | Any:N/A | Any:N/A | ICMP may sometimes be used to determine whether a device is reachable (for example, by using an ICMP echo request/response). A device may occasionally send an ICMP unreachable to indicate that a device or port is no longer reachable. A device may send an ICMP time-exceeded to indicate that the Time to Live (TTL) of a packet has been exceeded. |
| NTP | UDP | Administration, Call Engine, or Database:123 | NTP server:123 | Used to synchronize the hardware clock on the Cisco TelePresence Exchange System server with an NTP server. |
| DNS | UDP | Administration:Ephemeral | DNS server:53 | Used to resolve host names to IP addresses. Note: DNS is not supported on the Cisco TelePresence Exchange System servers in release 1.1. We recommend that you keep DNS disabled on the administration, call engine, and database servers. |
| Flow-Thru | TCP | Administration:Ephemeral | Cisco TelePresence Manager:8080, 8443 | Used between the Cisco TelePresence Exchange System and the Cisco TelePresence Manager for One-Button-to-Push (OBTP) scheduling via the XML/SOAP API. |
| Flow-Thru | TCP | Administration:Ephemeral | Cisco TelePresence Server MSE 8710:80 | XML-RPC: used to configure the Cisco TelePresence Server MSE 8710. |
| Flow-Thru | TCP | Administration:Ephemeral | Cisco TelePresence MCU MSE 8510:80 | XML-RPC: used to configure the Cisco TelePresence MCU MSE 8510. |
| Flow-Thru | TCP | Administration:Ephemeral | Cisco Unified Communications Manager:8443 | Used by the Cisco TelePresence Exchange System to request SFTP/SCP transfer of CDR records for intra-company (direct dial) hosted calls. |
| Flow-Thru | TCP | Cisco Unified Communications Manager:Ephemeral | Administration:22 | Used by the Cisco Unified Communications Manager to send CDR records to the administration server via SFTP/SCP. |
| HTTP (Admin UI) | TCP | Any client:Ephemeral | Administration:80, 8080 | Used to access the administration console web interface. |
| Event API | TCP | Administration:Ephemeral | Any:80 (default; any port can be configured) | Used by the Cisco TelePresence Exchange System to send HTTP SOAP/XML POST events to the configured event notification management systems. |
| SSH | TCP | Any client:Ephemeral | Administration:22 | Used to access the administrative CLI of the Cisco TelePresence Exchange System. |
| SNMP | UDP | Any client:Ephemeral | Administration:161 | Used for SNMP get/set queries from a management station to the Cisco TelePresence Exchange System server. |
| SNMP | UDP | Administration, Call Engine, or Database:Ephemeral | SNMP Management Station:162 | Used to send SNMP traps to a management station. |
| JBoss | TCP | Any:Ephemeral | Administration, Call Engine:1100 | Used on the administration and call engine servers by the JBoss High Availability Java Naming and Directory Interface (HA-JNDI) service. |
| | TCP | Any:Ephemeral | Administration, Call Engine, or Database:32768-61000 | Ephemeral port range. |
| | UDP | Any:Ephemeral | Administration, Call Engine, or Database:32768-61000 | Ephemeral port range. |
| Tomcat | TCP | Any client:Ephemeral | Administration, Call Engine, or Database:9010 | Used by the Upgrade application (on the administration server) and by the NodeManager WS API (on the administration, call engine, and database servers). |
Call Engine Server Ports
Table F-3 lists the ports required by the call engine server.
Table F-3 Ports Required for Cisco TelePresence Exchange System Call Engine Server IP Communications

| Protocol | Transport | Source Device:Port | Destination Device:Port | Description |
|---|---|---|---|---|
| CDP | N/A | Administration, Call Engine, or Database:N/A | Cisco Catalyst Switch:N/A | Used to advertise the existence of a server to the upstream Cisco Catalyst Ethernet Switch to which the server is attached and to learn which Virtual LAN (VLAN) it should use to tag packets. CDP is a layer 2 protocol and does not use TCP or UDP for transport. |
| ICMP | N/A | Any:N/A | Any:N/A | ICMP may sometimes be used to determine whether a device is reachable (for example, by using an ICMP echo request/response). A device may occasionally send an ICMP unreachable to indicate that a device or port is no longer reachable. A device may send an ICMP time-exceeded to indicate that the Time to Live (TTL) of a packet has been exceeded. |
| NTP | UDP | Administration, Call Engine, or Database:123 | NTP server:123 | Used to synchronize the hardware clock on the Cisco TelePresence Exchange System server with an NTP server. |
| DNS | UDP | Administration, Call Engine, or Database:Ephemeral | DNS server:53 | Used to resolve host names to IP addresses. Note: DNS is not supported on the Cisco TelePresence Exchange System servers in release 1.1. We recommend that you keep DNS disabled on the administration, call engine, and database servers. |
| Flow-Thru | TCP | Cisco TelePresence Server MSE 8710:Ephemeral | Call Engine:5050 | Used by the Cisco TelePresence Server MSE 8710 to send events to the call engine servers. |
| Flow-Thru | TCP | Cisco TelePresence MCU MSE 8510:Ephemeral | Call Engine:5050 | Used by the Cisco TelePresence MCU MSE 8510 to send events to the call engine servers. |
| VXML | TCP | IVR router:Ephemeral | Call Engine:80, 8080 | Used for VXML interaction for IVR prompt downloads. |
| SSH | TCP | Any client:Ephemeral | Call Engine:22 | Used to access the administrative CLI of the Cisco TelePresence Exchange System. |
| SNMP | UDP | Any client:Ephemeral | Call Engine:161 | Used for SNMP get/set queries from a management station to the Cisco TelePresence Exchange System server. |
| SNMP | UDP | Administration, Call Engine, or Database:Ephemeral | SNMP Management Station:162 | Used to send SNMP traps to a management station. |
| SIP | TCP | Any:Ephemeral | Call Engine:5060 | Used for the SIP protocol over TCP. |
| SIP | UDP | Any:Ephemeral | Call Engine:5060 | Used for the SIP protocol over UDP. |
| JBoss | TCP | Administration, Call Engine, or Database:Ephemeral | Call Engine:4446 | Ehcache peer discovery and the socket for the JBoss Remote Connector used by the Unified Invoker. |
| JBoss | TCP | Administration, Call Engine, or Database:Ephemeral | Call Engine:1098 | Socket of the Naming service used to receive RMI requests from client proxies. |
| JBoss | TCP | Administration, Call Engine, or Database:Ephemeral | Call Engine:1099 | JBoss listening socket for the Naming service. |
| JBoss | TCP | Administration or Call Engine:1100 | Any:Ephemeral | Used on the administration and call engine servers by the JBoss High Availability Java Naming and Directory Interface (HA-JNDI) service. |
| JBoss | TCP | Administration, Call Engine, or Database:Ephemeral | Call Engine:1101 | HA-JNDI RMI port. |
| JBoss | UDP | Administration, Call Engine, or Database:Ephemeral | Call Engine:1102 | HA-JNDI auto-discovery port. |
| JBoss | TCP | Administration, Call Engine, or Database:Ephemeral | Call Engine:3873 | JBoss Invoker location. |
| JBoss | TCP | Administration, Call Engine, or Database:Ephemeral | Call Engine:4457 | Socket for JBoss Messaging 1.x. |
| JBoss | TCP | Administration, Call Engine, or Database:Ephemeral | Call Engine:4458 | Bisocket Transport Connector secondary port. |
| JBoss | TCP | Administration, Call Engine, or Database:Ephemeral | Call Engine:7900 | JBoss port used for the JGroups 'jbm-data' stack. |
| | TCP | Any:Ephemeral | Call Engine:32768-61000 | Ephemeral port range. |
| | UDP | Any:Ephemeral | Call Engine:32767-61000 | Ephemeral port range. |
| IGMP | N/A | Call Engine:N/A | IGMPv2/v3 multicast:N/A | IGMP v2 and v3, used to maintain the multicast memberships. |
| IGMP | N/A | Mrouter (IGMPv2/v3):N/A | Call Engine:N/A | IGMP v2 and v3, used to maintain the multicast memberships. |
| Tomcat | TCP | Any client:Ephemeral | Administration, Call Engine, or Database:9010 | Used by the Upgrade application (on the administration server) and by the NodeManager WS API (on the administration, call engine, and database servers). |
Database Server Ports
Table F-4 lists the ports required by the database server.
Table F-4 Ports Required for Cisco TelePresence Exchange System Database Server IP Communications

| Protocol | Transport | Source Device:Port | Destination Device:Port | Description |
|---|---|---|---|---|
| CDP | N/A | Administration, Call Engine, or Database:N/A | Cisco Catalyst Switch:N/A | Used to advertise the existence of a server to the upstream Cisco Catalyst Ethernet Switch to which the server is attached and to learn which Virtual LAN (VLAN) it should use to tag packets. CDP is a layer 2 protocol and does not use TCP or UDP for transport. |
| ICMP | N/A | Any:N/A | Any:N/A | ICMP may sometimes be used to determine whether a device is reachable (for example, by using an ICMP echo request/response). A device may occasionally send an ICMP unreachable to indicate that a device or port is no longer reachable. A device may send an ICMP time-exceeded to indicate that the Time to Live (TTL) of a packet has been exceeded. |
| NTP | UDP | Database:123 | NTP server:123 | Used to synchronize the hardware clock on the Cisco TelePresence Exchange System server with an NTP server. |
| DNS | UDP | Database:Ephemeral | DNS server:53 | Used to resolve host names to IP addresses. Note: DNS is not supported on the Cisco TelePresence Exchange System servers in release 1.1. We recommend that you keep DNS disabled on the administration, call engine, and database servers. |
| SSH | TCP | Any client:Ephemeral | Database:22 | Used to access the administrative CLI of the Cisco TelePresence Exchange System. |
| SNMP | UDP | Any client:Ephemeral | Database:161 | Used for SNMP get/set queries from a management station to the Cisco TelePresence Exchange System server. |
| SNMP | UDP | Database:Ephemeral | SNMP Management Station:162 | Used to send SNMP traps to a management station. |
| DRBD | TCP | Any:Ephemeral | Database:7788 | Used for database replication. |
| MySQL | TCP | Administration, Call Engine, or Database:Ephemeral | Database:3306 | Used for MySQL client access from the other Cisco TelePresence Exchange System servers (administration, call engine, and database). |
| High Availability | UDP | Database:Ephemeral | Database:694 | Heartbeat: high availability clustering between the database servers. |
| | TCP | Any:Ephemeral | Administration, Call Engine, or Database:32768-61000 | Ephemeral port range. |
| | UDP | Any:Ephemeral | Administration, Call Engine, or Database:32768-61000 | Ephemeral port range. |
| Tomcat | TCP | Any client:Ephemeral | Administration, Call Engine, or Database:9010 | Used by the Upgrade application (on the administration server) and by the NodeManager WS API (on the administration, call engine, and database servers). |
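The tables above are meant to drive ACL and firewall rule reviews. As an added example (not part of this appendix and not Cisco software), the following Python script encodes a subset of Table F-2 as source-to-destination rules and checks constructed firewall log lines against them, so that any flow to or from the administration server that no documented entry covers is reported for review. The log line format, the addresses in ROLES, and the assumption that a non-CTX host (any client, Cisco Unified Communications Manager, and so on) may use any port above 1023 as its ephemeral source port are constructed for this example; the 32768-61000 range for the CTX servers themselves comes from the table. Extending RULES with the remaining rows of Tables F-2 to F-4 turns it into a full audit of a packet capture or firewall log export.

```python
"""Audit observed flows involving a Cisco TelePresence Exchange System (CTX)
administration server against the port requirements in Table F-2.

Added example, not Cisco's code. The log format, the host addresses in ROLES
and the HIGH_PORT assumption for non-CTX hosts are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Table F-2: the ephemeral range on the CTX servers is 32768-61000.
CTX_EPHEMERAL = range(32768, 61001)
# Assumption: a non-CTX host may use any port above 1023 as its ephemeral
# source port; the table does not document the client side's range.
HIGH_PORT = range(1024, 65536)
CTX_ROLES = {"administration", "call_engine", "database"}


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                    # "tcp" or "udp"
    src_role: str                 # "any" or a role name from ROLES
    src_port: Union[int, str]     # port number or "eph" (ephemeral)
    dst_role: str
    dst_port: Union[int, str]


# Subset of Table F-2, each written as source -> destination.
RULES = [
    Rule("SSH", "tcp", "any", "eph", "administration", 22),
    Rule("HTTP (Admin UI)", "tcp", "any", "eph", "administration", 80),
    Rule("HTTP (Admin UI)", "tcp", "any", "eph", "administration", 8080),
    Rule("SNMP get/set", "udp", "any", "eph", "administration", 161),
    Rule("SNMP trap", "udp", "administration", "eph", "snmp_station", 162),
    Rule("NTP", "udp", "administration", 123, "ntp_server", 123),
    Rule("Flow-Thru OBTP", "tcp", "administration", "eph", "ctms", 8080),
    Rule("Flow-Thru OBTP", "tcp", "administration", "eph", "ctms", 8443),
    Rule("Flow-Thru CDR request", "tcp", "administration", "eph", "cucm", 8443),
    Rule("Flow-Thru CDR transfer", "tcp", "cucm", "eph", "administration", 22),
]

# Constructed lab addresses (documentation ranges), not real deployment values.
ROLES = {
    "198.51.100.10": "administration",
    "198.51.100.20": "cucm",
    "198.51.100.30": "ctms",
    "198.51.100.40": "ntp_server",
    "198.51.100.50": "snmp_station",
}

# Constructed log format: one flow per line.
LOG_RE = re.compile(
    r"proto=(?P<proto>tcp|udp) src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+)")

Flow = Tuple[str, str, int, str, int]


def _role_ok(rule_role: str, ip: str) -> bool:
    return rule_role == "any" or ROLES.get(ip) == rule_role


def _port_ok(spec: Union[int, str], port: int, ip: str) -> bool:
    # "eph" means the documented ephemeral range for CTX servers and the
    # assumed high-port range for everything else; otherwise an exact match.
    if spec == "eph":
        rng = CTX_EPHEMERAL if ROLES.get(ip) in CTX_ROLES else HIGH_PORT
        return port in rng
    return port == spec


def parse_flow(line: str) -> Optional[Flow]:
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))


def match_rule(flow: Flow) -> Optional[Rule]:
    """Return the first Table F-2 rule that documents this flow, if any."""
    proto, sip, sport, dip, dport = flow
    for r in RULES:
        if (r.proto == proto and _role_ok(r.src_role, sip)
                and _role_ok(r.dst_role, dip)
                and _port_ok(r.src_port, sport, sip)
                and _port_ok(r.dst_port, dport, dip)):
            return r
    return None


def audit(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (line, rule name or None) for every parseable log line."""
    out = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            r = match_rule(flow)
            out.append((line, r.name if r else None))
    return out


def undocumented(lines: List[str]) -> List[str]:
    return [line for line, name in audit(lines) if name is None]


# Constructed sample log: the last two lines are not covered by Table F-2
# (MySQL belongs to the database server; NTP must use source port 123).
SAMPLE_LOG = [
    "proto=tcp src=203.0.113.7:51234 dst=198.51.100.10:22 action=allow",
    "proto=udp src=198.51.100.10:123 dst=198.51.100.40:123 action=allow",
    "proto=udp src=198.51.100.10:40000 dst=198.51.100.50:162 action=allow",
    "proto=tcp src=198.51.100.20:45000 dst=198.51.100.10:22 action=allow",
    "proto=tcp src=203.0.113.7:51234 dst=198.51.100.10:3306 action=allow",
    "proto=udp src=198.51.100.10:40000 dst=198.51.100.40:123 action=allow",
]

if __name__ == "__main__":
    for line, name in audit(SAMPLE_LOG):
        print(f"{'OK' if name else '??'} {name or 'no Table F-2 entry'}: {line}")
```

The checker deliberately enforces the source port where the table specifies one (NTP uses 123 on both ends), so a flow that reaches the right destination port from the wrong source port is still reported; that is the kind of discrepancy an ACL written only from destination ports would silently allow.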