Manual
Table Of Contents
- Preface
- Introduction
- Process Summary
- Prerequisites
- Run the Service Setup Wizard
- VCS System Configuration
- Routing Configuration
- Pre-search Transforms
- Search Rules
- Task 8: Configuring Transforms
- Task 9: Configuring Local Zone Search Rules
- Task 10: Configuring the Traversal Zone
- Neighboring Between VCS Clusters
- Task 11: Configuring Traversal Zone Search Rules
- Task 12: Configuring the DNS Zone
- Task 13: Configuring DNS Zone Search Rules
- Task 14: Configuring External (Unknown) IP Address Routing
- Endpoint Registration
- System Checks
- Maintenance Routine
- Optional Configuration Tasks
- Appendix 1: Configuration Details
- Appendix 2: DNS Records
- Appendix 3: Firewall and NAT Settings
- Appendix 4: Advanced Network Deployments
- Obtaining Documentation and Submitting a Service Request
- Cisco Legal Information
- Cisco Trademark

Appendix 3: Firewall and NAT Settings
Internal Firewall Configuration
In many deployments outbound connections (from the internal network to the DMZ) are permitted by the NAT/firewall
device without further restriction. If the administrator wants to tighten this, the following table lists the rules that
must be permitted; everything else in that direction can be denied. For further information, see VCS IP Port Usage for
Firewall Traversal.
Ensure that any SIP or H.323 'fixup', ALG or protocol-awareness feature is disabled on the NAT firewall. If such a
feature is enabled it rewrites the signalling and media addresses that VCS firewall traversal relies on and will
interfere with VCS functionality.
Outbound (Internal Network > DMZ)

Purpose | Source | Dest. | Source IP | Source port | Transport protocol | Dest. IP | Dest. port
Management | Management computer | VCSe | As required | >=1024 | TCP | 192.0.2.2 | 80 / 443 / 22 / 23
SNMP monitoring | Management computer | VCSe | As required | >=1024 | UDP | 192.0.2.2 | 161

H.323 traversal calls using Assent
RAS Assent | VCSc | VCSe | Any | 1719 | UDP | 192.0.2.2 | 6001
Q.931/H.225 and H.245 | VCSc | VCSe | Any | 15000 to 19999 | TCP | 192.0.2.2 | 2776
RTP Assent | VCSc | VCSe | Any | 36002 to 59999 * | UDP | 192.0.2.2 | 36000 *
RTCP Assent | VCSc | VCSe | Any | 36002 to 59999 * | UDP | 192.0.2.2 | 36001 *

SIP traversal calls
SIP TCP/TLS | VCSc | VCSe | 10.0.0.2 | 25000 to 29999 | TCP | 192.0.2.2 | Traversal zone ports, e.g. 7001
RTP Assent | VCSc | VCSe | 10.0.0.2 | 36002 to 59999 * | UDP | 192.0.2.2 | 36000 *
RTCP Assent | VCSc | VCSe | 10.0.0.2 | 36002 to 59999 * | UDP | 192.0.2.2 | 36001 *

When ICE is enabled on VCS Control zones and the VCS Expressway is used as the TURN server
TURN server control | VCSc | VCSe | Any | >=1024 | UDP | 192.0.2.2 | 3478 **
TURN server media | VCSc | VCSe | Any | >=1024 | UDP | 192.0.2.2 | 24000 to 29999 **
* On new installations of X8.1 or later, the default media traversal port range is 36000 to 59999, and is set on the VCS
Control (Configuration > Local Zones > Traversal Subzone). In Large VCS Expressway systems the first 12 ports in
the range (36000 to 36011 by default) are always reserved for multiplexed traffic. The VCS Expressway listens on
these ports. You cannot configure a distinct range of demultiplex listening ports on Large systems: they always use
the first 6 pairs in the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for
multiplexed RTP/RTCP traffic, on the VCS Expressway (Configuration > Traversal > Ports). On upgrades to X8.2 or
Cisco VCS Expressway and VCS Control - Basic Configuration Deployment Guide
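The outbound allowlist above, expressed as data so that a candidate flow can be checked against it offline and the same data can be turned into firewall rules. This is an added example, not Cisco's code or configuration. The VCS Expressway address 192.0.2.2, the VCS Control address 10.0.0.2 and the port ranges are the values from the table; the management host address 10.0.0.10 (the table says "As required"), the nftables table and chain name (inet filter forward), and the sample lsmod output are assumptions. The last function is the Linux counterpart of the "disable SIP/H.323 fixup" instruction: the kernel's nf_conntrack_sip/nf_nat_sip and nf_conntrack_h323/nf_nat_h323 helpers are the ALG that rewrites signalling on a Linux NAT box.

```python
"""Appendix 3 outbound allowlist (Internal Network > DMZ) as checkable data.

Added example, not Cisco's code. VCS addresses and port ranges are the table's
values; MGMT_IP, the nft chain name and SAMPLE_LSMOD are assumptions.
"""
import ipaddress
from dataclasses import dataclass

VCSE_IP = "192.0.2.2"    # VCS Expressway in the DMZ (the table's Dest. IP)
VCSC_IP = "10.0.0.2"     # VCS Control (Source IP in the SIP rows)
MGMT_IP = "10.0.0.10"    # management computer: assumption ("As required" in the table)
ANY = "0.0.0.0/0"        # rows whose Source IP column says "Any"
EPHEMERAL = (1024, 65535)                         # ">=1024"
MEDIA = (36000, 59999)                            # default media traversal range, X8.1+
DEMUX_RTP, DEMUX_RTCP = MEDIA[0], MEDIA[0] + 1    # Expressway's multiplexed listening pair


@dataclass(frozen=True)
class Rule:
    purpose: str
    src: str        # source IP or CIDR
    sport: tuple    # inclusive (lo, hi) source port range
    proto: str      # "tcp" or "udp"
    dst: str
    dports: tuple   # one or more inclusive (lo, hi) destination port ranges


def _r(purpose, src, sport, proto, *dports):
    return Rule(purpose, src, sport, proto.lower(), VCSE_IP, tuple(dports))


OUTBOUND_RULES = (
    _r("Management", MGMT_IP, EPHEMERAL, "tcp", (22, 22), (23, 23), (80, 80), (443, 443)),
    _r("SNMP monitoring", MGMT_IP, EPHEMERAL, "udp", (161, 161)),
    # H.323 traversal calls using Assent (Source IP is "Any" in the table)
    _r("H.323 RAS (Assent)", ANY, (1719, 1719), "udp", (6001, 6001)),
    _r("H.323 Q.931/H.225 and H.245", ANY, (15000, 19999), "tcp", (2776, 2776)),
    _r("RTP (Assent)", ANY, (MEDIA[0] + 2, MEDIA[1]), "udp", (DEMUX_RTP, DEMUX_RTP)),
    _r("RTCP (Assent)", ANY, (MEDIA[0] + 2, MEDIA[1]), "udp", (DEMUX_RTCP, DEMUX_RTCP)),
    # SIP traversal calls; 7001 is the table's example traversal zone port
    _r("SIP TCP/TLS signalling", VCSC_IP, (25000, 29999), "tcp", (7001, 7001)),
    _r("SIP RTP (Assent)", VCSC_IP, (MEDIA[0] + 2, MEDIA[1]), "udp", (DEMUX_RTP, DEMUX_RTP)),
    _r("SIP RTCP (Assent)", VCSC_IP, (MEDIA[0] + 2, MEDIA[1]), "udp", (DEMUX_RTCP, DEMUX_RTCP)),
    # ICE enabled on VCS Control zones, VCS Expressway acting as TURN server
    _r("TURN server control", ANY, EPHEMERAL, "udp", (3478, 3478)),
    _r("TURN server media", ANY, EPHEMERAL, "udp", (24000, 29999)),
)


def _in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def permitted(src_ip, sport, proto, dport, dst_ip=VCSE_IP):
    """Return the first rule admitting this flow, or None (implicit deny)."""
    src = ipaddress.ip_address(src_ip)
    for rule in OUTBOUND_RULES:
        if rule.proto != proto.lower() or rule.dst != dst_ip:
            continue
        if src not in ipaddress.ip_network(rule.src, strict=False):
            continue
        if _in_ranges(sport, [rule.sport]) and _in_ranges(dport, rule.dports):
            return rule
    return None


def _fmt(ranges):
    """nft port expression: a single port, a range, or a set of either."""
    items = [f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in ranges]
    return items[0] if len(items) == 1 else "{ " + ", ".join(items) + " }"


def to_nft(rules=OUTBOUND_RULES, chain="inet filter forward"):
    """One 'nft add rule' command per allowlist entry (chain name is an assumption)."""
    lines = []
    for rule in rules:
        parts = ["nft add rule", chain]
        if rule.src != ANY:
            parts.append(f"ip saddr {rule.src}")
        parts.append(f"ip daddr {rule.dst}")
        parts.append(f"{rule.proto} sport {_fmt([rule.sport])}")
        parts.append(f"{rule.proto} dport {_fmt(rule.dports)}")
        parts.append(f'accept comment "{rule.purpose}"')
        lines.append(" ".join(parts))
    return lines


# Kernel SIP/H.323 connection-tracking and NAT helpers: the Linux form of a "fixup" ALG.
ALG_HELPERS = ("nf_conntrack_sip", "nf_nat_sip", "nf_conntrack_h323", "nf_nat_h323")

# Constructed lsmod output for the demonstration; not captured from a real host.
SAMPLE_LSMOD = """Module                  Size  Used by
nf_conntrack_sip       28672  0
nf_nat_h323            16384  0
nf_conntrack          172032  3 nf_conntrack_sip,nf_nat_h323,nft_ct
"""


def alg_helpers_loaded(lsmod_text):
    """Names of SIP/H.323 helper modules present in lsmod output (should be empty)."""
    loaded = {line.split()[0] for line in lsmod_text.splitlines() if line.strip()}
    return sorted(m for m in ALG_HELPERS if m in loaded)


if __name__ == "__main__":
    for line in to_nft():
        print(line)
    print("SIP/H.323 ALG helpers loaded:", alg_helpers_loaded(SAMPLE_LSMOD) or "none")
```

A flow that matches no row is denied, so the checker reproduces the table's default-deny reading: a UDP packet from VCS Control with source port 36000 is rejected even though it falls in the media range, because the table only admits 36002 to 59999 as source ports and reserves the first pair for the Expressway's multiplexed listeners. The H.323 rows carry Source IP "Any" exactly as printed; pinning them to VCSC_IP the way the SIP rows are is a sensible tightening if only the VCS Control traverses this firewall.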