Security Guide for Cisco Unity Release 5.x (With IBM Lotus Domino)
IP Communications Required by Cisco Unity

Table Of Contents

IP Communications Required by Cisco Unity

Overview

Network Traffic from Cisco Unity to Various Servers and to Clients

Network Traffic from Cisco Unity to a Domain Controller

Network Traffic from Cisco Unity to a DNS Server

Network Traffic from the Cisco Unity Server to Domino

Network Traffic Between Cisco Unity Failover Servers

Network Traffic from Cisco Unity to Cisco Unified Communications Manager and Phones

Network Traffic from Cisco Unity to SIP Endpoints, Including PIMG Devices and Phones

Network Traffic from Cisco Unity to Subscriber Workstations (for DUC for Cisco and for the Cisco PCA)

Network Traffic from Clients to Cisco Unity

Network Traffic from Cisco Unified Communications Manager and Phones to Cisco Unity

Network Traffic from SIP Endpoints, Including PIMG Devices and Phones, to Cisco Unity

Network Traffic from VNC Client Workstations to Cisco Unity

Network Traffic from SNMP Management Stations to Cisco Unity

Network Traffic from Administrator Workstations to Cisco Unity

Network Traffic from Subscriber Workstations to Cisco Unity (for DUC for Cisco and for the Cisco PCA)

Network Traffic from Cisco Unity Subscriber Workstations to Various Servers

Network Traffic from Cisco Unity Subscriber Workstations to a DNS Server

Restricting DCOM Dynamic Port Allocation


IP Communications Required by Cisco Unity


See the following sections:

Overview

Network Traffic from Cisco Unity to Various Servers and to Clients

Network Traffic from Clients to Cisco Unity

Network Traffic from Cisco Unity Subscriber Workstations to Various Servers

Restricting DCOM Dynamic Port Allocation

Overview

Companies have long used firewalls to protect their networks from external threats, but they are now starting to protect mission-critical infrastructure from other internal networks. This chapter details the minimum protocol dependencies for Cisco Unity to function. Note the following:

This document describes both the client and server communication vectors for each of the roles in the environment. If a server performs multiple roles, consider the protocol dependencies for all of the roles of that server. For example, if an Exchange server is also a domain controller and global catalog server, consider the needs described for each of those three roles as applying to that one server.

The information in this document cites Microsoft-recommended procedures to make Windows RPC negotiations more predictable, as well as manual procedures to configure some Exchange services to static port numbers. The information presented in this document assumes that the mentioned procedures are followed.

For more information, see the "Securing TCP/UDP Ports" section on page 1-6.

Network Traffic from Cisco Unity to Various Servers and to Clients

See the following sections:

Network Traffic from Cisco Unity to a Domain Controller

Network Traffic from Cisco Unity to a DNS Server

Network Traffic from the Cisco Unity Server to Domino

Network Traffic Between Cisco Unity Failover Servers

Network Traffic from Cisco Unity to Cisco Unified Communications Manager and Phones

Network Traffic from Cisco Unity to SIP Endpoints, Including PIMG Devices and Phones

Network Traffic from Cisco Unity to Subscriber Workstations (for DUC for Cisco and for the Cisco PCA)

Network Traffic from Cisco Unity to a Domain Controller

Revised April 17, 2008

Caution Do not separate the Cisco Unity server (or either Cisco Unity server in a failover configuration) by a firewall from the domain controller on which the Cisco Unity installation and services accounts were created.

Network Traffic from Cisco Unity to a DNS Server

Cisco Unity must be able to establish TCP and UDP connections to its DNS server at port 53.

Network Traffic from the Cisco Unity Server to Domino

Revised April 17, 2008

Do not separate the Cisco Unity server by a firewall from:

Domino servers on which mailboxes for Cisco Unity subscribers are homed.

Domino servers on which Cisco Unity accesses Domino address books.

The Domino server that the installer specified while installing IBM Lotus Notes on the Cisco Unity server. (Cisco Unity delivers all voice messages to Mail.box on this server for routing.)

Network Traffic Between Cisco Unity Failover Servers

Revised April 17, 2008

Caution When failover is configured, do not separate the Cisco Unity servers from one another by a firewall.

Network Traffic from Cisco Unity to Cisco Unified Communications Manager and Phones

Cisco Unity has the same communications requirements as an SCCP phone. Cisco Unity must be able to establish the following connections:

Port (on the Cisco Unified CM server or on each phone)   Protocol or Service
TCP 2000 or 2443     Port 2000 is the default SCCP port. If SCCP is secured with TLS,
                     Cisco Unity must also be able to connect to TCP 2443, the TLS port
                     configured on the Cisco Unified Communications Manager server.
TCP 8443             Web server port on Cisco Unified Communications Manager 5.0 and later.
UDP 22800-32767      RTP (voice media traffic). This traffic must also be allowed to the
                     VoIP phones and gateways that Cisco Unity communicates with directly.


Network Traffic from Cisco Unity to SIP Endpoints, Including PIMG Devices and Phones

If SIP is used, Cisco Unity must be able to establish the following connections with the SIP endpoints (including PIMG devices) that Cisco Unity directly connects to:

Port on SIP Endpoints   Protocol or Service
TCP 5060                Default SIP control port of the SIP device.
UDP 22800-32767         RTP (voice media traffic). This traffic must also be allowed to the
                        SIP phones and gateways that Cisco Unity communicates with directly.


Network Traffic from Cisco Unity to Subscriber Workstations (for DUC for Cisco and for the Cisco PCA)

IBM Lotus Domino Unified Communications (DUC) for Cisco requires that subscriber workstations accept the following TCP and UDP connections from Cisco Unity servers. The same connections are required if Cisco Unity subscribers use the Cisco Personal Communications Assistant (PCA).

Port on Subscriber Workstations   Protocol or Service
TCP 135                           WinRPC endpoint locator
TCP and UDP 5000-5020             DCOM RPC range after restriction. See the
                                  "Restricting DCOM Dynamic Port Allocation" section.


Network Traffic from Clients to Cisco Unity

See the following sections:

Network Traffic from Cisco Unified Communications Manager and Phones to Cisco Unity

Network Traffic from SIP Endpoints, Including PIMG Devices and Phones, to Cisco Unity

Network Traffic from VNC Client Workstations to Cisco Unity

Network Traffic from SNMP Management Stations to Cisco Unity

Network Traffic from Administrator Workstations to Cisco Unity

Network Traffic from Subscriber Workstations to Cisco Unity (for DUC for Cisco and for the Cisco PCA)

Network Traffic from Cisco Unified Communications Manager and Phones to Cisco Unity

If you are using Cisco Unified Communications Manager (Cisco Unified CM, formerly Cisco Unified CallManager) with SCCP, Cisco Unified CM and the IP phones must be able to deliver UDP RTP traffic to Cisco Unity on UDP ports 22800-32767.

Network Traffic from SIP Endpoints, Including PIMG Devices and Phones, to Cisco Unity

If SIP is used, the SIP endpoints that communicate directly with Cisco Unity must be able to establish the following connections to Cisco Unity:

Port on the Cisco Unity Server   Protocol or Service
TCP 5060                         Default SIP control port on the Cisco Unity server.
UDP 22800-32767                  RTP (voice media traffic).


Network Traffic from VNC Client Workstations to Cisco Unity

If Cisco Unity will be managed over VNC, VNC client workstations used for remote management must be able to connect to the selected VNC desktop on the Cisco Unity server(s). The default VNC remote desktop port is TCP port 5900.

Network Traffic from SNMP Management Stations to Cisco Unity

If Cisco Unity will be monitored over SNMP, SNMP management stations must be able to send SNMP requests to UDP port 161 on the Cisco Unity server.

Network Traffic from Administrator Workstations to Cisco Unity

If Cisco Unity will be administered over HTTP or HTTPS, workstations performing web administration must be able to establish connections to the following ports on Cisco Unity servers:

Port on the Cisco Unity Server       Protocol or Service
TCP 80 (if HTTPS is disabled)        IIS web server
TCP 443 (if HTTPS is enabled)        IIS web server
TCP 135                              WinRPC endpoint locator
TCP and UDP 5000-5020                DCOM RPC range after restriction. See the
                                     "Restricting DCOM Dynamic Port Allocation" section.
UDP 137, UDP 138, TCP 139, TCP 445   NetBIOS/SMB file sharing. Required only if administrators
                                     access the Windows file share for Cisco Unity reports directly.
TCP 3389                             Windows Terminal Services (WTS) or Remote Desktop (RDP),
                                     if Cisco Unity is managed that way.


Network Traffic from Subscriber Workstations to Cisco Unity (for DUC for Cisco and for the Cisco PCA)

IBM Lotus Domino Unified Communications (DUC) for Cisco requires that subscriber workstations be able to establish connections to the following TCP and UDP ports on Cisco Unity servers.

Port on the Cisco Unity Server   Protocol or Service
TCP 135                          WinRPC endpoint locator
TCP and UDP 5000-5020            DCOM RPC range after restriction. See the
                                 "Restricting DCOM Dynamic Port Allocation" section.


If subscribers will access the Cisco PCA, subscriber workstations must be able to establish connections to the following ports on Cisco Unity servers:

Port on the Cisco Unity Server   Protocol or Service
TCP 80 (if HTTPS is disabled)    IIS web server
TCP 443 (if HTTPS is enabled)    IIS web server
TCP 135                          WinRPC endpoint locator
TCP and UDP 5000-5020            DCOM RPC range after restriction. See the
                                 "Restricting DCOM Dynamic Port Allocation" section.
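The following script is an added example and is not part of the Cisco guide. It is a pre-flight check to run from an administrator or subscriber workstation after the firewall rules for the two tables above (administrator workstations and subscriber workstations to Cisco Unity) have been put in place: it attempts a TCP connection to each port the tables list and reports which ones are unreachable. The server name unity01.example.com, the -AdminWorkstation and -HttpsEnabled switches, and the 5000-5020 DCOM range are assumptions for the example; adjust them to your deployment. It assumes PowerShell 3.0 or later on the workstation.

```powershell
# Added example, not from the Cisco guide: verify that the TCP ports the guide lists
# for administrator and subscriber workstations are reachable on the Cisco Unity server.
# UDP 137/138 and the UDP half of the DCOM range cannot be verified with a connect,
# so they are not probed here.
param(
    [string]$UnityServer = 'unity01.example.com',   # assumption: replace with your server
    [switch]$HttpsEnabled,                          # whether HTTPS is enabled on the Unity web server
    [switch]$AdminWorkstation,                      # also probe NetBIOS/SMB and RDP (admin-only rows)
    [int]$TimeoutMs = 2000
)

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs)
    # TcpClient with an explicit timeout works on old and new PowerShell alike.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered/timed out
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Build the expected-port list from the guide's tables.
$ports = @{}
if ($HttpsEnabled) { $ports[443] = 'IIS web server (HTTPS)' } else { $ports[80] = 'IIS web server (HTTP)' }
$ports[135] = 'WinRPC endpoint locator'
5000..5020 | ForEach-Object { $ports[$_] = 'DCOM RPC (restricted range, assumed 5000-5020)' }
if ($AdminWorkstation) {
    $ports[139]  = 'NetBIOS session (reports file share)'
    $ports[445]  = 'SMB (reports file share)'
    $ports[3389] = 'WTS/RDP management'
}

$results = foreach ($port in ($ports.Keys | Sort-Object)) {
    [pscustomobject]@{
        Port    = $port
        Service = $ports[$port]
        Open    = Test-TcpPort -Computer $UnityServer -Port $port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    $list = ($blocked | ForEach-Object { $_.Port }) -join ', '
    Write-Warning ("{0} expected port(s) not reachable on {1}: {2}" -f $blocked.Count, $UnityServer, $list)
}
```

Read the DCOM rows with care: a port in the 5000-5020 range only accepts a connection while some RPC server on Cisco Unity has registered an endpoint there, so a closed port inside that range does not by itself prove the firewall is blocking it. TCP 135 must always answer; for the dynamic range, a timeout on every port (rather than a mix of refused and open) is the pattern that points at a firewall.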


Network Traffic from Cisco Unity Subscriber Workstations to Various Servers

Network Traffic from Cisco Unity Subscriber Workstations to a DNS Server

Each Cisco Unity subscriber workstation must be able to establish TCP and UDP connections to its DNS Server at port 53.

Restricting DCOM Dynamic Port Allocation

By default, DCOM dynamically allocates TCP and UDP ports in the range 1024-65535. To restrict dynamic port allocation to a narrower range, do the following procedure.

To Restrict DCOM Dynamic Port Allocation


Step 1 On the Windows Start menu, click Programs > Administrative Tools > Component Services.

Step 2 Expand the Component Services and Computers nodes. Right-click My Computer, and then click Properties.

Step 3 On the Default Protocols tab, in the DCOM Protocols list, click Connection-Oriented TCP/IP, and then click Properties.

Step 4 In the Properties for COM Internet Services dialog box, click Add.

Step 5 In the Port range text box, add a port range (for example, enter 5000-5020), and then click OK.


Note Entering a port range smaller than 20 ports will cause some services not to start.


Step 6 Leave the Port Range Assignment and the Default Dynamic Port Allocation options set to Internet Range.

Step 7 Click OK three times.

Step 8 Restart the Cisco Unity server.


For more information on restricting dynamic port ranges, refer to Microsoft Knowledge Base article 300083, How To Restrict TCP/IP Ports on Windows 2000 and Windows XP, available on the Microsoft support website.
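The script below is an added example and is not part of the Cisco guide. It performs the registry equivalent of the Component Services procedure above, using the values that Microsoft Knowledge Base article 300083 documents under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet, and it enforces the Note above by refusing a range narrower than 20 ports. It assumes it is run elevated on the Cisco Unity server, that PowerShell is available there, and that 5000-5020 is the range you chose; the $PortRange parameter is the example's own.

```powershell
# Added example, not from the Cisco guide: restrict DCOM dynamic port allocation via the
# registry (Microsoft KB 300083), equivalent to the Component Services steps above.
# Run elevated on the Cisco Unity server, then restart the server for it to take effect.
param(
    [string]$PortRange = '5000-5020'   # assumption: use the range your firewall rules allow
)

$ErrorActionPreference = 'Stop'

# Validate the range: numeric low-high, inside the 1024-65535 dynamic range, and
# at least 20 ports wide (a narrower range keeps some services from starting).
if (-not ($PortRange -match '^(\d+)-(\d+)$')) {
    throw "Port range must look like 5000-5020, got '$PortRange'"
}
$low  = [int]$Matches[1]
$high = [int]$Matches[2]
if ($low -lt 1024 -or $high -gt 65535 -or $low -gt $high) {
    throw "Port range $PortRange must lie within 1024-65535 with low <= high"
}
$width = $high - $low + 1
if ($width -lt 20) {
    throw "Port range $PortRange spans only $width ports; use at least 20"
}

$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Ports is REG_MULTI_SZ: one range (or single port) per entry.
New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString -Value @($PortRange) -Force | Out-Null
# PortsInternetAvailable = Y: the listed ports are the ones made available, not the ones excluded.
New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
# UseInternetPorts = Y: the listed range becomes the default for DCOM dynamic endpoint allocation.
New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# Read back what was written; the change takes effect only after a restart.
Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts | Format-List
Write-Host "DCOM dynamic port range set to $PortRange. Restart the Cisco Unity server to apply."
```

The range you configure here must be the same one your firewall rules allow in the tables above (TCP and UDP 5000-5020 in this guide's examples); if the two disagree, DCOM callbacks to subscriber workstations and administrative DCOM traffic fail intermittently rather than cleanly.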