Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Firewall ports for the VCS Expressway deployment

Dear All,

I am currently working on the VCS Expressway deployment with a public sector client who’s security team is unwilling to open the below ports (between Internet & VCS Expressway)

UDP 50000 to 52399

UDP 30000 to 39999

UDP 60000 to 61399

TCP 25000 to 29999

TCP 15000 to 19999

TCP 40000 to 49999

They believes this are lot of ports to be opened on the Internet FW which can be a high security risk.

Is there any way we can use few ports instead of the large number of range?

  • How can we setup and what will be the implications

Have anyone encountered any security risk opening this port range?

Is there anyway I can convince the security team that this is a safe way and they will not have any security challenges with this approach.

Thanks.   

Everyone's tags (4)
4 REPLIES

Firewall ports for the VCS Expressway deployment

Hi,

you can modify the ports under maintenance-->tools-->port usage, here you can modify the local inbound & outbound port range.

its implications depends on traffic you have in your enviornment. i remember a case where customer modified the sip port range which stopped presence to be shown on endpoints .

regards

Alok

Firewall ports for the VCS Expressway deployment

I am not really sure where they see the big issue.

Voice / Video over IP (h323/sip) is a very chatty protocol, yes, so many ports needs to be open,

This is used for media connection (udp) and parts of signaling (h323).

Thats the intention to use the VCS-C and -E combination so that this huge range of ports

does not need to be open from the out to the inside.

If a port is used then its fine, if its not used it will simply not be used. If you want to have

something malicious running on the VCS on any of these ports or if its a security issue

in the application it does not really matter if its one or dozens of ports.

Ports also changed in between versions, especially towards X8.1, so I would already prepare for that!

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X7-2.pdf

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide-X8-1.pdf

There are ports which will be used as the source port and only on an outbound connection

your firewall needs to allow an answer back in, but I can not really picture that if you have

a firewall team that you do not have a stateful firewall.

These ports would be for example 40000-499999 udp/tcp.

Limiting the ports can be a problem if you have a lot of calls or sip messages, as they need ports for this

communication. A single call can for example use a two digit number of ports.

The big port ranges I would expect to see to be open on the VCS-E to the internet are X8.1 (X7.2.2):

* TCP (h.245) 15000-19999 (stayed the same)

* UDP (Media) 36002-59999 (that was before 50000-54999)

* UDP (TURN) 24000-29999 (that was before 60000-61799)

* B2BUA (most likely not used on the VCS-E): (56000-57000)

So your ports do not look 100% correct anyhow. Which vcs version did you initially start and upgrade with,

what do you have currently running and what do you think these port ranges do and where did you take them from?

A handy thing on the vcs are the Local inbound and outbound ports pages found under maintenance>Tools>Port usage

Please remember to rate helpful responses and identify helpful or correct answers.

Please remember to rate helpful responses and identify

Firewall ports for the VCS Expressway deployment

Hi mkazim,

I will agree here with Martin. We have multiple (50+) VCS-C to VCS-E deployments in the public sector organisations throughout our country (as this is what we do). The point of the VCS-C to VCS-E deployments are to reduce the number of ports required to be opened so only a handfull of out bound ports (assuming established traffic is allowed back) need to be opened.

You could then either deploy the VCS-C internally, with the VCS-E ina DMZ, or the VCS-C in the DMZ with the VCS-E on the public internet.

Chris

Cisco Employee

Firewall ports for the VCS Expressway deployment

mkazim wrote:

They believes this are lot of ports to be opened on the Internet FW which can be a high security risk.

Is there any way we can use few ports instead of the large number of range?

  • How can we setup and what will be the implications

Have anyone encountered any security risk opening this port range?

Is there anyway I can convince the security team that this is a safe way and they will not have any security challenges with this approach.

Yes, tell them that you are only opening the port range to the single IP address of the expressway box - not multiple destinations.

All the ports are handled by the same application... so opening 1 vs 100 it doesn't really change the security exposure because it's all to the same service.

The reason the range is large is two fold

1) to support concurrent connections you need more ports

2) The standards for H323 and SIP require the use of dynamic ports in the unrestricted range.  The port range is not the same for all implementations or vendors because it is not standardized on WHICH ports to use.. just that it should be the unreserved ports.

The safety comes because the Expressway works as your application level proxy... you expose IT to the outside world, so you don't expose your internal elements directly.  Unlike a webserver, etc...  H323/SIP traffic is not restricted to reserved, defined ports.

Efforts to narrow the port range expose you to potential interoperability or capacity issues

4742
Views
3
Helpful
4
Replies