Cisco Support Community

Movi registration through VPN connection

I am trying to determine what ports need to be opened on a firewall to allow a movi client to register to my VCS-Control through a VPN connection.  This is what I am thinking.  Did I miss anything?

[Attached image: Ports for VPN.jpg]


Re: Movi registration through VPN connection

Hi Darren,

Please take a look at the pictures below:

The RTP stream will normally use 2 ports (one for video and one for audio).

The RTCP stream will normally use 2 ports (one to control video and one to control audio).

The SIP signaling will use one port (to 5060 (tcp) or 5061 (tls)).

BTW: Please note if you experience any problems with Movi over VPN, it’s usually a problem with the MTU size. The default MTU for most networks is configured to 1500 bytes. If you have set a lower MTU value than 1500 bytes on the VPN tunnel, Movi can get intermittent problems as the fragments won’t be packed as efficiently as for a network with 1500 bytes set for MTU.

Movi uses 1300 MTU + headers (about 1356 bytes in total). You can define your own Movi MTU size in the Windows registry, if necessary.

Let me know if you have any questions.

Hope this helps,
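The MTU remark above is easy to check with a bit of IPv4 fragmentation arithmetic. The following is an added example, not code from the thread or from Cisco: it takes the figures the reply gives (1300 bytes of Movi data, about 1356 bytes per datagram, so about 56 bytes of headers) and shows what happens when a VPN tunnel leaves less than that to work with. The VPN encapsulation overhead is an assumed figure passed in by the caller, since it depends on the tunnel type and cipher.

```python
"""IPv4 fragmentation arithmetic for the Movi MTU figures in the thread.

The thread says Movi sends 1300 bytes of application data plus headers,
about 1356 bytes per datagram. The VPN overhead used below is an
assumption supplied by the caller, not a value from the thread."""

IP_HEADER = 20
MOVI_PAYLOAD = 1300
MOVI_HEADERS = 1356 - MOVI_PAYLOAD   # 56 bytes, as implied by the thread


def ipv4_fragments(datagram_len, link_mtu, ip_header=IP_HEADER):
    """Return the on-wire sizes of the fragments a router would emit for an
    IPv4 datagram that does not fit the link MTU. Fragment data must be a
    multiple of 8 bytes in every fragment except the last one."""
    if datagram_len <= link_mtu:
        return [datagram_len]          # no fragmentation needed
    data = datagram_len - ip_header
    chunk = ((link_mtu - ip_header) // 8) * 8
    if chunk <= 0:
        raise ValueError("link MTU too small to carry any data")
    sizes = []
    while data > 0:
        piece = min(chunk, data)
        sizes.append(piece + ip_header)  # each fragment gets its own IP header
        data -= piece
    return sizes


def movi_over_tunnel(tunnel_mtu, vpn_overhead, movi_mtu=MOVI_PAYLOAD):
    """How one Movi datagram fares when the tunnel's usable MTU is reduced
    by the VPN encapsulation overhead (assumed figure from the caller).
    Efficiency is Movi data divided by the bytes actually sent on the link,
    counting the VPN overhead once per fragment."""
    datagram = movi_mtu + MOVI_HEADERS
    frags = ipv4_fragments(datagram, tunnel_mtu - vpn_overhead)
    wire = sum(f + vpn_overhead for f in frags)
    return {"datagram": datagram, "fragments": len(frags),
            "wire_bytes": wire, "efficiency": round(movi_mtu / wire, 3)}


def largest_unfragmented_movi_mtu(tunnel_mtu, vpn_overhead):
    """Largest Movi MTU value that still fits a whole datagram into the
    tunnel without fragmentation."""
    return tunnel_mtu - vpn_overhead - MOVI_HEADERS


if __name__ == "__main__":
    print(movi_over_tunnel(1500, 0))    # 1500-byte path, no tunnel overhead
    print(movi_over_tunnel(1400, 60))   # assumed tunnel MTU and overhead
    print(largest_unfragmented_movi_mtu(1400, 60))
```

With an assumed tunnel MTU of 1400 and 60 bytes of VPN overhead, every Movi datagram splits into two packets, one of them tiny, and the second packet carries its own IP and VPN headers. That is the inefficiency the reply refers to; the last function gives the Movi MTU value that would avoid it for a given tunnel.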



Movi registration through VPN connection

So my plan is to have the Movi client register to the VCS Control.  The ephemeral ports in the diagrams you show are not listed in the firewall documents I have been reading.  What port range needs to be added to the firewall rules and in what direction to make this work?


Re: Movi registration through VPN connection

The signaling ephemeral port for Movi (from Movi to VCS) could be any port between 1024 and 65535, going to either 5060 (SIP) or 5061 (SIP Secure). The port selection will be determined by the operating system, e.g. Windows.

Normally, these ephemeral ports won't need to be specified in your firewall (as it's outbound traffic).

Movi registration through VPN connection

Hello Darren!

First of all, yes, it's absolutely possible to run Movi in a firewalled environment on VPN clients.

but (as Arne also remarked)

* check your MTU settings

* double load of encrypting traffic on computers with a vpn client will occur (one for the movi/jabber media encryption and then again for the vpn)

* a whole range of ports need to be open to many internal video sites

You can picture it like this: the signalling (port 5061 / 5060) will always go towards the VCS.

Media on some calls can come from the VCS-C, but in the case of a "local call" media will come directly from the remote site to the client, and the remote site is not only Movi, it's everything like other Movi/Jabber clients, endpoints, Lync/MOC clients (if you do not use the B2BUA), MCUs, ...

Often you do not have control over the port ranges used on the remote endpoints, so you might end up having to open from 1024-65535 to the Movi RTP range.

But this is all dependent on your setup and your security demands.

If this is a bit "chatty" for you, you could always consider deploying an extra VCS-E, also inside your organization, with or without using your VPN on top.

This would give you full and easy control of how the traffic is flowing, as the Movi/Jabber client will only talk to the VCS-E for signalling and media and the VCS-E will talk to the rest of your network.


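The two answers above make one point each about firewall direction: outbound SIP from an ephemeral port needs no rule of its own on a stateful firewall because the reply is matched to the existing session, while media for a "local call" arrives directly from the remote endpoint and therefore does need an explicit inbound allow into the client's RTP range. The example below is added here and is not code from the thread or from Cisco; it models a small stateful firewall between an assumed VPN client pool and an assumed internal video network and checks the flows discussed. The addresses, the VPN pool and the Movi media port range are constructed placeholders, to be replaced with the real ones from the deployment.

```python
"""Stateful firewall model for the Movi-over-VPN flows discussed in the thread.

Addresses, the VPN pool and the Movi media port range are constructed
placeholders for this example; take the real values from the deployment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.8.0.0/24")        # assumed VPN client address pool
VCS_CONTROL = ip_network("192.0.2.10/32")   # assumed VCS-Control address
VIDEO_NET = ip_network("192.0.2.0/24")      # assumed internal video network
MOVI_MEDIA = (50000, 50199)   # placeholder RTP/RTCP range; use the client's configured range
EPHEMERAL = (1024, 65535)     # source ports the OS picks for outbound SIP, per the thread


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self):
        """The reply direction of this flow."""
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    src: object     # ip_network the initiator must belong to
    dst: object     # ip_network the destination must belong to
    proto: str
    dports: tuple   # inclusive destination-port range
    action: str     # "allow" or "deny"

    def matches(self, f):
        return (ip_address(f.src) in self.src and ip_address(f.dst) in self.dst
                and f.proto == self.proto
                and self.dports[0] <= f.dport <= self.dports[1])


class StatefulFirewall:
    """First matching rule wins; anything unmatched is denied."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.established = set()    # flows already permitted by a rule

    def allows(self, flow):
        # A reply to a permitted flow passes on state alone, which is why the
        # outbound ephemeral ports never have to appear in the rule set.
        if flow.reverse() in self.established:
            return True
        for rule in self.rules:
            if rule.matches(flow):
                if rule.action == "allow":
                    self.established.add(flow)
                    return True
                return False
        return False


MOVI_POLICY = [
    Rule(VPN_POOL, VCS_CONTROL, "tcp", (5060, 5061), "allow"),  # SIP / SIP-TLS to VCS-C
    Rule(VPN_POOL, VIDEO_NET, "udp", EPHEMERAL, "allow"),       # media the client initiates
    Rule(VIDEO_NET, VPN_POOL, "udp", MOVI_MEDIA, "allow"),      # direct media in for "local calls"
]


def check_movi_flows(policy=MOVI_POLICY):
    """Run the flows from the thread through the policy and report each verdict."""
    fw = StatefulFirewall(policy)
    client, vcs, endpoint = "10.8.0.5", "192.0.2.10", "192.0.2.20"   # constructed hosts
    sip = Flow(client, vcs, "tcp", 49152, 5061)                      # OS-chosen ephemeral port
    results = {"sip_register": fw.allows(sip)}
    results["sip_reply"] = fw.allows(sip.reverse())                  # no inbound rule needed
    results["media_out"] = fw.allows(Flow(client, endpoint, "udp", 50010, 2326))
    results["media_in_direct"] = fw.allows(Flow(endpoint, client, "udp", 2328, 50012))
    results["unsolicited_smb"] = fw.allows(Flow(endpoint, client, "tcp", 40000, 445))
    results["ssh_to_vcs"] = fw.allows(Flow(client, vcs, "tcp", 49153, 22))
    return results


if __name__ == "__main__":
    for name, verdict in check_movi_flows().items():
        print(f"{name:18} {'allow' if verdict else 'deny'}")
```

Dropping the third rule (the inbound media allow) leaves SIP registration and its replies untouched but blocks the media a remote endpoint sends straight to the client, which is exactly the symptom the last answer warns about for calls that do not traverse the VCS-C.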