D 14049.01
07.2007
Firewall Traversal
Firewall Traversal Protocols and Ports
Ports for Connections out to the Public Internet
In situations where the VCS Border Controller is attempting to
connect to an endpoint on the public internet, you will not know
the exact port(s) on the endpoint to which the connection will
be made. This is because the ports to be used are determined
by the endpoint and advised to the VCS Border Controller only
once the server has located the endpoint on the public internet.
This may cause problems if your VCS Border Controller is
located within a DMZ (i.e. there is a firewall between the VCS
Border Controller and the public internet) as you will not be able
to specify in advance rules that will allow you to connect out to
the endpoint’s ports.
You can however specify the ports on the VCS Border Controller
that will be used for calls to endpoints on the public internet so
that your firewall administrator can allow connections via these
ports. The ports that can be configured for this purpose are:
H.323
• UDP/1719: signaling
• UDP/50,000-51200: media
• TCP/15,000-19999: signaling
SIP
• UDP/5060 (default): signaling
• UDP/50,000-51200: media
• TCP: a temporary port is allocated
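The following Python check is an added example, not part of the TANDBERG guide: it compares a firewall's outbound allow rules against the VCS Border Controller ports listed above and reports any port ranges the rules leave uncovered. The rule tuple format (protocol, first source port, last source port) and the sample rules are constructed for illustration.

```python
# Ports from the list above: (protocol, first, last, purpose).
# SIP over TCP uses a temporary port, so it cannot be expressed as a
# fixed range and is left out of this check.
VCS_SOURCE_PORTS = [
    ("udp", 1719, 1719, "H.323 signaling"),
    ("udp", 50000, 51200, "H.323/SIP media"),
    ("tcp", 15000, 19999, "H.323 signaling"),
    ("udp", 5060, 5060, "SIP signaling (default)"),
]

def uncovered(required, allowed):
    """Return the sub-ranges of required (lo, hi) not covered by any allowed (lo, hi)."""
    lo, hi = required
    gaps, cursor = [], lo
    for a_lo, a_hi in sorted(allowed):
        if a_hi < cursor:      # rule ends before the part still unchecked
            continue
        if a_lo > hi:          # rule (and all later ones) start past the range
            break
        if a_lo > cursor:      # hole between what is covered so far and this rule
            gaps.append((cursor, a_lo - 1))
        cursor = max(cursor, a_hi + 1)
    if cursor <= hi:           # tail of the range never covered
        gaps.append((cursor, hi))
    return gaps

def audit(rules, required=VCS_SOURCE_PORTS):
    """rules: (protocol, src_lo, src_hi) outbound allow rules for the VCS host.
    Returns {requirement: [uncovered ranges]} for each requirement with a gap."""
    findings = {}
    for proto, lo, hi, purpose in required:
        allowed = [(r_lo, r_hi) for r_proto, r_lo, r_hi in rules if r_proto == proto]
        gaps = uncovered((lo, hi), allowed)
        if gaps:
            findings[f"{proto}/{lo}-{hi} {purpose}"] = gaps
    return findings

# Constructed rule set: media range cut short, SIP signaling rule missing.
SAMPLE_RULES = [
    ("udp", 1719, 1719),
    ("udp", 50000, 51000),
    ("tcp", 15000, 17000),
    ("tcp", 17001, 19999),
]

if __name__ == "__main__":
    for item, gaps in audit(SAMPLE_RULES).items():
        print(item, "source ports not allowed:", gaps)
```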
STUN Ports
The VCS Border Controller can be enabled to provide STUN
services (STUN Relay and STUN Binding Discovery) that can be
used by SIP endpoints which support the ICE firewall traversal
protocol.
The ports used by these services are configurable via:
• VCS Configuration > Border Controller > STUN
• xConfiguration Traversal Server STUN
The ICE clients on each of the SIP endpoints must be able to
discover these ports, either via SRV records in DNS or by direct
configuration.
Firewall Configuration
In order for Expressway™ firewall traversal to function correctly,
the firewall must be configured to:
• allow initial outbound traffic from the client to the ports
being used by the VCS Border Controller
• allow return traffic from those ports on the VCS Border
Controller back to the originating client.
TANDBERG offers a downloadable tool, the Expressway Port
Tester, that allows you to test your firewall configuration for
compatibility issues with your network and endpoints. It will
advise if necessary which ports may need to be opened on
your firewall in order for the Expressway™ solution to function
correctly. Contact your TANDBERG representative for more
information.
! We recommend that you turn off any H.323 and SIP
protocol support on the firewall: these are not needed in
conjunction with the TANDBERG Expressway™ solution
and may interfere with its operation.
TANDBERG VIDEO COMMUNICATION SERVER
ADMINISTRATOR GUIDE