Allowing any kind of traffic from the private network to the DMZ or outside networks (for example, the Internet).
| Action | Protocol | Source IP | Source Port | Destination IP | Destination Port | Description |
|---|---|---|---|---|---|---|
| Block | Any | Outside networks | Any | LAN networks, DMZ network | Any | Blocking any kind of traffic to the protected networks (DMZ and internal network). |
| Block | Any | DMZ network | Any | LAN networks | Any | Blocking any kind of traffic from the DMZ to the private network. |
Table D-2 describes rules that you must add to enable connectivity between the internal gatekeeper located in the DMZ and the MCU components located on the internal network.
| Action | Protocol | Source IP | Source Port | Destination IP | Destination Port | Description |
|---|---|---|---|---|---|---|
| | | | | | | TCP High ports from Gatekeeper to MCU on the LAN. Enables H.245 control signaling channels to be opened. |
| Pass | TCP | Gatekeeper IP address as it appears in the DMZ | Any | MCU IP address | 2720 | H.323 signaling to MCU on the LAN. Enables call setup signaling between the Internal Gatekeeper and the MCUs. |
Table D-3 describes rules that you must add to enable connectivity between the internal Cisco Unified Videoconferencing Manager located on the DMZ and the Cisco Unified Videoconferencing 3500 Series MCU located on the internal network.
| Action | Protocol | Source IP | Source Port | Destination IP | Destination Port | Description |
|---|---|---|---|---|---|---|
| | | Cisco Unified Videoconferencing Manager IP address as it appears on the DMZ | Any | Cisco Unified Videoconferencing 3500 Series MCU IP address | 3336 | Login (XML) to MCU on the LAN. Enables XML management interface connectivity between the Cisco Unified Videoconferencing Manager and the Cisco Unified Videoconferencing 3500 Series MCU components. |
| Pass | UDP | Cisco Unified Videoconferencing Manager IP address as it appears on the DMZ | Any | Cisco Unified Videoconferencing 3500 Series MCU IP address | 161 | SNMP from Cisco Unified Videoconferencing Manager to Cisco Unified Videoconferencing 3500 Series MCU on the LAN. Enables SNMP management interface connectivity between the Cisco Unified Videoconferencing Manager and the Cisco Unified Videoconferencing 3500 Series MCU components. |
Table D-4 describes a rule that you must add to enable connectivity between the internal gatekeeper located on the DMZ and Cisco Unified Videoconferencing 3500 Series Gateway components located on the private network.
| Action | Protocol | Source IP | Source Port | Destination IP | Destination Port | Description |
|---|---|---|---|---|---|---|
| | | | | Room system IP address as it appears on the private network | 1720 | H.323 signaling to a room system on the LAN. Enables call setup signaling between the Internal Gatekeeper and room systems. |
| Pass | TCP | Gatekeeper IP address as it appears on the DMZ | Any | Room system IP address as it appears on the private network | 1025 - 65535 | TCP High ports from Gatekeeper to room system on the LAN. Enables H.245 control signaling channels to be opened. |
Table D-6 describes rules that you must add to enable connectivity between the internal Cisco Unified Videoconferencing Manager located on the DMZ and Cisco Unified Videoconferencing 3500 Series Gateway components located on the internal network.
| Action | Protocol | Source IP | Source Port | Destination IP | Destination Port | Description |
|---|---|---|---|---|---|---|
| | | Cisco Unified Videoconferencing Manager IP address as it appears on the DMZ | Any | GW IP address | 1820 | H.323 signaling from Gatekeeper to GW320 on the LAN. Enables call setup signaling between the Internal Gatekeeper and the Cisco Unified Videoconferencing 3500 Series Gateways. |
| Pass | UDP | Cisco Unified Videoconferencing Manager IP address as it appears on the DMZ | Any | GW IP address | 161 | SNMP from Cisco Unified Videoconferencing Manager to gateway on the LAN. Enables SNMP management interface connectivity between the Cisco Unified Videoconferencing Manager and the gateway components. |
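Added example, not from the Cisco document: a first-match model of the rule set in the tables above (the zone names, addresses and first-match semantics are assumptions) that checks the explicit pass rules sit above the general DMZ-to-LAN block, because a firewall that stops at the first matching rule would otherwise never reach them.

```python
import ipaddress
# Constructed addressing for the document's zones (assumption); anything else is OUTSIDE.
ZONES = {"LAN": ipaddress.ip_network("10.10.0.0/16"), "DMZ": ipaddress.ip_network("192.0.2.0/24")}
GATEKEEPER, CUVM = "192.0.2.10", "192.0.2.11"                  # DMZ hosts (constructed)
MCU, GATEWAY, ROOM = "10.10.1.20", "10.10.1.30", "10.10.2.40"  # LAN hosts (constructed)

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "OUTSIDE")

# (action, proto, src, sport, dst, dport, description): src/dst is a host IP, a zone
# name or a tuple of zone names; a port is (low, high); "any" matches everything.
RULES = [
    # Explicit passes from Tables D-2, D-3 and D-6 sit ABOVE the DMZ->LAN block.
    ("pass", "tcp", GATEKEEPER, "any", MCU, (2720, 2720), "H.323 signaling to MCU"),
    ("pass", "tcp", CUVM, "any", MCU, (3336, 3336), "XML login to MCU"),
    ("pass", "udp", CUVM, "any", MCU, (161, 161), "SNMP to MCU"),
    ("pass", "tcp", GATEKEEPER, "any", ROOM, (1720, 1720), "H.323 signaling to room system"),
    ("pass", "tcp", GATEKEEPER, "any", ROOM, (1025, 65535), "H.245 high ports to room system"),
    ("pass", "tcp", CUVM, "any", GATEWAY, (1820, 1820), "H.323 signaling to gateway"),
    ("pass", "udp", CUVM, "any", GATEWAY, (161, 161), "SNMP to gateway"),
    # General zone policy from the first table.
    ("pass", "any", "LAN", "any", ("DMZ", "OUTSIDE"), "any", "LAN may reach DMZ and outside"),
    ("block", "any", "OUTSIDE", "any", ("LAN", "DMZ"), "any", "nothing from outside"),
    ("block", "any", "DMZ", "any", "LAN", "any", "DMZ must not initiate into the LAN"),
]

def _ep_match(pattern, ip):
    if pattern == "any" or isinstance(pattern, tuple):
        return pattern == "any" or zone_of(ip) in pattern
    return zone_of(ip) == pattern if pattern in ("LAN", "DMZ", "OUTSIDE") else ip == pattern

def _port_match(pattern, port):
    return pattern == "any" or pattern[0] <= port <= pattern[1]

def evaluate(proto, src, sport, dst, dport, rules=RULES):
    """First-match evaluation; a packet no rule matches falls to the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport, desc in rules:
        if (rproto in ("any", proto) and _ep_match(rsrc, src) and _port_match(rsport, sport)
                and _ep_match(rdst, dst) and _port_match(rdport, dport)):
            return action, desc
    return "block", "implicit deny"

def shadowed_passes(rules=RULES):
    """Port-specific pass rules an earlier block rule already catches, so they never fire."""
    shadowed = []
    for i, (action, proto, src, _, dst, dport, desc) in enumerate(rules):
        if action == "pass" and isinstance(dport, tuple):
            verdict = evaluate(proto, src, 40000, dst, dport[0], rules[:i])
            if verdict[0] == "block" and verdict[1] != "implicit deny":
                shadowed.append(desc)
    return shadowed
```

Moving the two block rules to the top of RULES makes every DMZ-to-LAN pass rule shadowed, which is the ordering mistake this check is meant to catch.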
NAT Rules
Table D-7 describes static NAT entries in the firewall WAN interface that you must configure to enable connectivity between the Desktop Server Clients located on the external networks and the Desktop Servers located in the DMZ.
Table D-7 NAT Rules defining traffic from Desktop Clients to Web Services
| Protocol | External Port Range | NAT IP | Internal Port Range | Description |
|---|---|---|---|---|
| TCP | 80 (HTTP) | Desktop Server IP address as it appears on the DMZ | 80 (HTTP) | For external Desktop Server Client web access. Alternatively you can configure the Desktop Server Clients to connect via TCP port 443. For more information about configuring TCP port 443, see the "Configuring Desktop Server for HTTPS" section on page A-1. |
| TCP | 443 (HTTPS) | Desktop Server IP address as it appears on the DMZ | 443 (HTTPS) | Control connection between Desktop Server and Desktop Server Client (mandatory). |
| TCP | 8080 | Cisco Unified Videoconferencing Manager Desktop Server IP address as it appears on the DMZ | 8080 | For external Desktop Server Client web access to a virtual room configuration. Enables Desktop Server Client access to Cisco Unified Videoconferencing Manager virtual room settings. |
Table D-8 describes a static NAT entry in the firewall WAN interface that you must add to enable connectivity between the Desktop Server Web Cast clients located on the external networks and the Cisco Unified Videoconferencing Streaming Server located on the DMZ.
Table D-8 NAT Rules defining traffic from Desktop Webcast Clients to the Cisco Unified Videoconferencing Streaming Server
| Protocol | External Port Range | NAT IP | Internal Port Range | Description |
|---|---|---|---|---|
| TCP | 7070 | Cisco Unified Videoconferencing Streaming Server IP address as it appears on the DMZ | 7070 | Streaming tunneling connection that enables the Web Cast client to access the streamed conference. |