Security Guide for Cisco Unity Release 5.x (With Microsoft Exchange)
IP Communications Required by Cisco Unity

Table Of Contents

IP Communications Required by Cisco Unity

Overview

Network Traffic from Cisco Unity to Various Servers and to Clients

Network Traffic from Cisco Unity to a Domain Controller

Network Traffic from Cisco Unity to a Global Catalog Server

Network Traffic from Cisco Unity to a DNS Server

Network Traffic from Cisco Unity to the Partner Exchange Server

Network Traffic Between Cisco Unity Failover Servers

Network Traffic from Cisco Unity to Cisco Unified Communications Manager and Phones

Network Traffic from Cisco Unity to SIP Endpoints, Including PIMG Devices and Phones

Network Traffic from Cisco Unity to Subscriber Workstations (for the Cisco PCA or ViewMail for Outlook)

Network Traffic from Clients to Cisco Unity

Network Traffic from Cisco Unified Communications Manager and Phones to Cisco Unity

Network Traffic from SIP Endpoints, Including PIMG Devices and Phones, to Cisco Unity

Network Traffic from VNC Client Workstations to Cisco Unity

Network Traffic from SNMP Management Stations to Cisco Unity

Network Traffic from Administrator Workstations to Cisco Unity

Network Traffic from Subscriber Workstations to Cisco Unity (for the Cisco PCA or ViewMail for Outlook)

Network Traffic to and from Exchange

Network Traffic from Exchange to Cisco Unity

Network Traffic from Exchange to DNS

Network Traffic from Exchange to a Domain Controller

Network Traffic from Exchange to a Global Catalog Server

Network Traffic Between Exchange Servers

Network Traffic Between Exchange and Other Voice-Messaging Systems

Network Traffic Between Other Voice-Messaging Systems and Exchange

Network Traffic from Cisco Unity Subscriber Workstations to Various Servers

Network Traffic from Cisco Unity Subscriber Workstations to a DNS Server

Network Traffic from Cisco Unity Subscriber Workstations to the Exchange Server on Which the Subscriber Mailbox Is Homed

Restricting DCOM Dynamic Port Allocation


IP Communications Required by Cisco Unity


See the following sections:

Overview

Network Traffic from Cisco Unity to Various Servers and to Clients

Network Traffic from Clients to Cisco Unity

Network Traffic to and from Exchange

Network Traffic from Cisco Unity Subscriber Workstations to Various Servers

Restricting DCOM Dynamic Port Allocation

Overview

Companies have long used firewalls to protect their networks from external threats, but they are now starting to protect mission-critical infrastructure from other internal networks. This chapter details the minimum protocol dependencies for Cisco Unity to function. Note the following:

This document describes both the client and server communication vectors for each of the roles in the environment. If a server performs multiple roles, consider the protocol dependencies for all of the roles of that server. For example, if an Exchange server is also a domain controller and global catalog server, consider the needs described for each of those three roles as applying to that one server.

The information in this document cites Microsoft-recommended procedures to make Windows RPC negotiations more predictable, as well as manual procedures to configure some Exchange services to static port numbers. The information presented in this document assumes that the mentioned procedures are followed.

For more information, see the "Securing TCP/UDP Ports" section on page 1-6.

Network Traffic from Cisco Unity to Various Servers and to Clients

See the following sections:

Network Traffic from Cisco Unity to a Domain Controller

Network Traffic from Cisco Unity to a Global Catalog Server

Network Traffic from Cisco Unity to a DNS Server

Network Traffic from Cisco Unity to the Partner Exchange Server

Network Traffic Between Cisco Unity Failover Servers

Network Traffic from Cisco Unity to Cisco Unified Communications Manager and Phones

Network Traffic from Cisco Unity to SIP Endpoints, Including PIMG Devices and Phones

Network Traffic from Cisco Unity to Subscriber Workstations (for the Cisco PCA or ViewMail for Outlook)

Network Traffic from Cisco Unity to a Domain Controller

Revised April 17, 2008

Caution Do not separate the Cisco Unity server (or the primary server in a failover or standby-redundancy configuration) by a firewall from the domain controller that Cisco Unity monitors for directory updates.

In a failover or standby-redundancy configuration in which the secondary server is separated by a firewall from the domain controller that Cisco Unity monitors for directory updates, the secondary server must be able to establish TCP and UDP client connections to the following ports on the domain controller:

Port on the Domain Controller          Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP and UDP 88                         Kerberos
TCP and UDP 464                        Kerberos Password v5 (kpasswd)
TCP and UDP 389                        LDAP
TCP 636                                LDAP over SSL
UDP 137, UDP 138, TCP 139, TCP 445     NetBIOS name, datagram and session services (137, 138, 139) and SMB direct hosting (445)
UDP 123                                NTP
TCP 135                                WinRPC endpoint locator (RPC endpoint mapper)
TCP and UDP 5000-5020                  DCOM RPC range after restriction. See the "Restricting DCOM Dynamic Port Allocation" section.
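The following script is an added example and is not part of the Cisco guide. Run from a Cisco Unity secondary server that is separated from the domain controller by a firewall, it probes the TCP ports in the table above and reports each one as open, closed (reset by the DC, so the firewall passes it but nothing is listening) or filtered (no answer, so the firewall rule is missing). It uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on the PowerShell 2.0 release available for Windows Server 2003. $DomainController is a placeholder for your DC, the port list is copied from the table, and the 5000-5020 range is meaningful only after the DCOM restriction has been applied on the DC. The same script checks the other paths in this chapter (partner Exchange server, global catalog server, failover peer) if the $tcpPorts table is replaced with the TCP rows of that table.

```powershell
# Added example (not part of the Cisco guide): probe the TCP ports from the domain controller table
# from a Cisco Unity secondary server. Only TCP is probed: a UDP probe cannot tell "filtered" from
# "open but silent", so the UDP entries (88, 464, 389, 137, 138, 123 and 5000-5020) must be confirmed
# from the firewall's own logs. $DomainController is a placeholder; the port list is from the table.

param(
    [Parameter(Mandatory = $true)][string]$DomainController,
    [int]$TimeoutMs = 2000
)

# TCP entries of the "Network Traffic from Cisco Unity to a Domain Controller" table, in the guide's notation.
# Replace these rows with those of any other table in this chapter to test that path instead.
$tcpPorts = @{
    '88'        = 'Kerberos'
    '464'       = 'Kerberos Password v5'
    '389'       = 'LDAP'
    '636'       = 'LDAP over SSL'
    '139'       = 'NetBIOS session service'
    '445'       = 'SMB direct hosting'
    '135'       = 'WinRPC endpoint locator'
    '5000-5020' = 'DCOM RPC range after restriction'
}

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$Timeout)
    # TcpClient + BeginConnect gives a connect timeout on PowerShell 2.0, where Test-NetConnection does not exist.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) {
            return 'FILTERED (no response within timeout; check the firewall rule)'
        }
        $client.EndConnect($async)      # throws if the DC answered with a reset (port not listening)
        return 'OPEN'
    } catch {
        return "CLOSED ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

# Expand "5000-5020" style ranges and probe each port in ascending order.
$results = foreach ($spec in ($tcpPorts.Keys | Sort-Object { [int](($_ -split '-')[0]) })) {
    $bounds = $spec -split '-'
    $first  = [int]$bounds[0]
    $last   = [int]$bounds[-1]
    foreach ($port in $first..$last) {
        New-Object PSObject -Property @{
            Port    = $port
            Service = $tcpPorts[$spec]
            State   = Test-TcpPort -Computer $DomainController -Port $port -Timeout $TimeoutMs
        }
    }
}

$results | ForEach-Object { '{0,-6} {1,-34} {2}' -f $_.Port, $_.Service, $_.State }

# A non-zero exit code lets the script gate a change window or feed a monitoring check.
$blocked = @($results | Where-Object { $_.State -notlike 'OPEN*' })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} required TCP port(s) not reachable on {1}" -f $blocked.Count, $DomainController)
    exit 1
}
```

Run it as `.\Test-UnityDcPorts.ps1 -DomainController dc01.example.com` (file name and host are placeholders). A port reported as CLOSED rather than FILTERED is usually not a firewall problem: for TCP 636 or 3269 it means the DC has no LDAPS certificate, and for 5000-5020 it is expected on any port in the range that no RPC server happens to be bound to at that moment.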


Network Traffic from Cisco Unity to a Global Catalog Server

Revised April 17, 2008

Caution Do not separate the Cisco Unity server (or the primary server in a failover or standby-redundancy configuration) by a firewall from the global catalog server that Cisco Unity monitors for directory updates or from the global catalog server with which the Cisco Unity MAPI client communicates.

In a failover or standby-redundancy configuration in which the secondary server is separated by a firewall from either the global catalog server that Cisco Unity monitors for directory updates or the global catalog server with which the Cisco Unity MAPI client communicates, the secondary server must be able to establish TCP and UDP client connections to the following ports on those global catalog servers. Rows marked for only one of the two roles apply to that GC alone; if a single GC fills both roles, every row applies to it.

Port on the Global Catalog Server      Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP and UDP 88                         Kerberos
TCP and UDP 464                        Kerberos Password v5 (kpasswd)
TCP and UDP 389                        LDAP (only the GC that Cisco Unity monitors for directory updates)
TCP 636                                LDAP over SSL (only the GC that Cisco Unity monitors for directory updates)
TCP and UDP 3268                       LDAP to the global catalog (only the GC that Cisco Unity monitors for directory updates)
TCP 3269                               LDAP over SSL to the global catalog (only the GC that Cisco Unity monitors for directory updates)
UDP 137, UDP 138, TCP 139, TCP 445     NetBIOS name, datagram and session services (137, 138, 139) and SMB direct hosting (445)
TCP 135                                WinRPC endpoint locator (only the GC with which the Cisco Unity MAPI client communicates)
TCP and UDP 5000-5020                  DCOM RPC range after restriction (only the GC with which the Cisco Unity MAPI client communicates). See the "Restricting DCOM Dynamic Port Allocation" section.


Network Traffic from Cisco Unity to a DNS Server

Cisco Unity must be able to establish TCP and UDP connections to its DNS server at port 53.

Network Traffic from Cisco Unity to the Partner Exchange Server

Revised April 17, 2008

Caution Do not separate the Cisco Unity server (or the primary server in a failover or standby-redundancy configuration) by a firewall from the partner Exchange server.

In a failover or standby-redundancy configuration in which the secondary server is separated by a firewall from the partner Exchange server, the secondary server must be able to establish TCP and UDP connections to the partner server on the following ports:

Port on the Partner Exchange Server    Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP 135                                WinRPC endpoint locator
TCP and UDP 5000-5020                  DCOM RPC range after restriction. See the "Restricting DCOM Dynamic Port Allocation" section.
UDP 137, UDP 138, TCP 139, TCP 445     NetBIOS name, datagram and session services (137, 138, 139) and SMB direct hosting (445)
Static Exchange ports (TCP and UDP)    Exchange services configured to static ports as described in Microsoft Knowledge Base article 270836, Exchange Server Static Port Mappings


Network Traffic Between Cisco Unity Failover Servers

Revised April 17, 2008

When failover is configured and the Cisco Unity servers are separated by a firewall, the servers in the failover pair must be able to establish the following connections to each other:

Port on Each Cisco Unity Server        Protocol or Service
-------------------------------------  ------------------------------------------------------------
UDP 137, UDP 138, TCP 139, TCP 445     NetBIOS name, datagram and session services (137, 138, 139) and SMB direct hosting (445)
TCP 1433 and UDP 1434                  Microsoft SQL Server (TCP 1433) and the SQL Server resolution service (UDP 1434)
TCP 3372                               Microsoft Distributed Transaction Coordinator
TCP 3653                               Failover node manager


Network Traffic from Cisco Unity to Cisco Unified Communications Manager and Phones

Cisco Unity has the same communications requirements as an SCCP phone. Cisco Unity must be able to establish the following connections:

Port on the Cisco Unified CM Server or on Each Phone    Protocol or Service
------------------------------------------------------  ------------------------------------------------------------
TCP 2000                                                SCCP (default port for unsecured SCCP)
TCP 2443                                                SCCP over TLS. If SCCP is secured with TLS, Cisco Unity must be able to connect to the TLS port configured on the Cisco Unified Communications Manager server (2443 by default).
TCP 8443                                                Web server port on Cisco Unified Communications Manager 5.0 and later
UDP 22800-32767                                         RTP (voice media traffic). This traffic must also be allowed to the IP phones and gateways that Cisco Unity exchanges media with directly.


Network Traffic from Cisco Unity to SIP Endpoints, Including PIMG Devices and Phones

If SIP is used, Cisco Unity must be able to establish the following connections with the SIP endpoints (including PIMG devices) that Cisco Unity directly connects to:

Port on SIP Endpoints                  Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP 5060                               Default SIP control port of the SIP device
UDP 22800-32767                        RTP (voice media traffic). This traffic must also be allowed to the SIP phones and gateways that Cisco Unity exchanges media with directly.


Network Traffic from Cisco Unity to Subscriber Workstations (for the Cisco PCA or ViewMail for Outlook)

If Cisco Unity subscribers use the Cisco Personal Communications Assistant (PCA) or ViewMail for Outlook, subscriber workstations must be able to accept the following TCP and UDP connections from Cisco Unity servers:

Port on Subscriber Workstations        Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP 135                                WinRPC endpoint locator
TCP and UDP 5000-5020                  DCOM RPC range after restriction. See the "Restricting DCOM Dynamic Port Allocation" section.


Network Traffic from Clients to Cisco Unity

See the following sections:

Network Traffic from Cisco Unified Communications Manager and Phones to Cisco Unity

Network Traffic from SIP Endpoints, Including PIMG Devices and Phones, to Cisco Unity

Network Traffic from VNC Client Workstations to Cisco Unity

Network Traffic from SNMP Management Stations to Cisco Unity

Network Traffic from Administrator Workstations to Cisco Unity

Network Traffic from Subscriber Workstations to Cisco Unity (for the Cisco PCA or ViewMail for Outlook)

Network Traffic from Cisco Unified Communications Manager and Phones to Cisco Unity

If Cisco Unity is integrated with Cisco Unified Communications Manager (formerly Cisco Unified CallManager) by using SCCP, Cisco Unified CM and the IP phones must be able to deliver RTP traffic to UDP ports 22800-32767 on the Cisco Unity server. No inbound SCCP control connection is needed, because Cisco Unity opens the SCCP connection to Cisco Unified CM itself (see the "Network Traffic from Cisco Unity to Cisco Unified Communications Manager and Phones" section).

Network Traffic from SIP Endpoints, Including PIMG Devices and Phones, to Cisco Unity

If SIP is used, the SIP endpoints that communicate directly with Cisco Unity must be able to establish the following connections to Cisco Unity:

Port on the Cisco Unity Server         Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP 5060                               Default SIP control port on the Cisco Unity server
UDP 22800-32767                        RTP (voice media traffic)


Network Traffic from VNC Client Workstations to Cisco Unity

If Cisco Unity will be managed over VNC, VNC client workstations used for remote management must be able to connect to the selected VNC desktop on the Cisco Unity server(s). The default VNC remote desktop port is TCP port 5900.

Network Traffic from SNMP Management Stations to Cisco Unity

If Cisco Unity will be monitored over SNMP, SNMP management stations must be able to send SNMP requests to UDP port 161 on the Cisco Unity server.

Network Traffic from Administrator Workstations to Cisco Unity

If Cisco Unity will be administered over HTTP or HTTPS, workstations performing web administration must be able to establish connections to the following ports on Cisco Unity servers:

Port on the Cisco Unity Server         Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP 80                                 IIS web server (only if HTTPS is disabled)
TCP 443                                IIS web server (only if HTTPS is enabled)
TCP 135                                WinRPC endpoint locator
TCP and UDP 5000-5020                  DCOM RPC range after restriction. See the "Restricting DCOM Dynamic Port Allocation" section.
UDP 137, UDP 138, TCP 139, TCP 445     NetBIOS name, datagram and session services (137, 138, 139) and SMB direct hosting (445). Required only if administrators access the Windows file share for Cisco Unity reports directly.
TCP 3389                               Remote Desktop Protocol. Required only if Cisco Unity is managed over Windows Terminal Services (WTS) or RDP.


Network Traffic from Subscriber Workstations to Cisco Unity (for the Cisco PCA or ViewMail for Outlook)

If subscribers will use ViewMail for Outlook, subscriber workstations must be able to establish connections to the following ports on Cisco Unity servers:

Port on the Cisco Unity Server         Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP 135                                WinRPC endpoint locator
TCP and UDP 5000-5020                  DCOM RPC range after restriction. See the "Restricting DCOM Dynamic Port Allocation" section.


If subscribers will access the Cisco PCA, subscriber workstations must be able to establish connections to the following ports on Cisco Unity servers:

Port on the Cisco Unity Server         Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP 80                                 IIS web server (only if HTTPS is disabled)
TCP 443                                IIS web server (only if HTTPS is enabled)
TCP 135                                WinRPC endpoint locator
TCP and UDP 5000-5020                  DCOM RPC range after restriction. See the "Restricting DCOM Dynamic Port Allocation" section.


Network Traffic to and from Exchange

See the following sections:

Network Traffic from Exchange to Cisco Unity

Network Traffic from Exchange to DNS

Network Traffic from Exchange to a Domain Controller

Network Traffic from Exchange to a Global Catalog Server

Network Traffic Between Exchange Servers

Network Traffic Between Exchange and Other Voice-Messaging Systems

Network Traffic Between Other Voice-Messaging Systems and Exchange

Network Traffic from Exchange to Cisco Unity

Revised April 17, 2008

Caution Do not separate the Cisco Unity server (or the primary server in a failover or standby-redundancy configuration) by a firewall from the partner Exchange server.

The Exchange message store must be able to deliver UDP traffic to dynamic ports on the Cisco Unity server; ports are negotiated by MAPI. These notifications tell Cisco Unity when a message for a subscriber has been read, when a new message has been delivered, and similar information. If a firewall is between Cisco Unity and the Exchange message store, and the firewall is not Exchange-client aware, Exchange must be able to deliver UDP traffic to Cisco Unity ports 1024-65535. For more information, see Microsoft Knowledge Base article 264035, No Way to Configure Port for UDP New Mail Notification Packets.

The executables on Cisco Unity servers that need to receive these UDP packets are AvMsgStoreMonitorSvr.exe and AvCsMgr.exe.
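The following script is an added example and is not part of the Cisco guide. Run on the Cisco Unity server, it joins the UDP rows of netstat to the process IDs of AvMsgStoreMonitorSvr.exe and AvCsMgr.exe (the two process names come from the paragraph above) and prints the UDP ports each currently holds. Because the MAPI notification ports are negotiated per session, the numbers change from one service start to the next; seeing that directly is the quickest way to explain to a firewall team why the Exchange-to-Cisco Unity rule cannot be narrowed below 1024-65535 unless the firewall is Exchange-client aware. The netstat column layout assumed is that of Windows Server 2003 and 2008 (Proto, Local Address, Foreign Address, PID).

```powershell
# Added example (not part of the Cisco guide): list the UDP ports held by the two Cisco Unity processes
# that receive Exchange new-mail notifications, by joining "netstat -ano -p udp" output to their PIDs.
# Run on the Cisco Unity server. Only the two process names are taken from the guide.

$unityProcesses = 'AvMsgStoreMonitorSvr', 'AvCsMgr'   # Get-Process names omit the .exe extension

# PID -> process name for whichever of the two Cisco Unity processes are running.
$pidToName = @{}
Get-Process -Name $unityProcesses -ErrorAction SilentlyContinue |
    ForEach-Object { $pidToName[[int]$_.Id] = $_.ProcessName }
if ($pidToName.Count -eq 0) { throw 'Neither AvMsgStoreMonitorSvr nor AvCsMgr is running on this host.' }

# Parse rows such as "UDP    0.0.0.0:1050    *:*    1234"; the last field is the owning PID.
$udpSockets = netstat -ano -p udp |
    Select-String '^\s*UDP\s' |
    ForEach-Object {
        $fields = $_.Line.Trim() -split '\s+'
        New-Object PSObject -Property @{
            Port = [int](($fields[1] -split ':')[-1])   # works for 0.0.0.0:port and [::]:port alike
            Pid  = [int]$fields[-1]
        }
    } |
    Where-Object { $pidToName.ContainsKey($_.Pid) }

$udpSockets | Sort-Object Port | ForEach-Object {
    '{0,-22} PID {1,-6} UDP {2}' -f $pidToName[$_.Pid], $_.Pid, $_.Port
}

# The guide states that notifications arrive on 1024-65535; a Cisco Unity socket below 1024 would be unexpected.
$low = @($udpSockets | Where-Object { $_.Port -lt 1024 })
if ($low.Count -gt 0) {
    $ports = ($low | ForEach-Object { $_.Port }) -join ', '
    Write-Warning "Cisco Unity process holding a UDP port below 1024: $ports"
}
```

Running the script before and after restarting the Cisco Unity services shows the ports moving, which is the behaviour Microsoft Knowledge Base article 264035 describes. It does not change anything on the server; it only reads process and socket tables.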

Network Traffic from Exchange to DNS

Each Exchange server must be able to establish TCP and UDP connections to its DNS Server at port 53.

Network Traffic from Exchange to a Domain Controller

Revised April 17, 2008

Caution Do not separate the partner Exchange server by a firewall from the domain controllers that the partner server communicates with.

The Exchange message store must be able to establish the following connections to all domain controllers in the Active Directory forest:

Port on the Domain Controller          Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP and UDP 88                         Kerberos
TCP and UDP 464                        Kerberos Password v5 (kpasswd)
TCP and UDP 389                        LDAP
TCP 636                                LDAP over SSL
UDP 137, UDP 138, TCP 139, TCP 445     NetBIOS name, datagram and session services (137, 138, 139) and SMB direct hosting (445)
UDP 123                                NTP
TCP 135                                WinRPC endpoint locator
TCP and UDP 5000-5020                  DCOM RPC range after restriction. See the "Restricting DCOM Dynamic Port Allocation" section.


Network Traffic from Exchange to a Global Catalog Server

Revised April 17, 2008

Caution Do not separate the partner Exchange server by a firewall from the global catalog server that the partner server communicates with.

The Exchange message store must be able to establish the following connections to all global catalog servers in the Active Directory forest:

Port on the Global Catalog Server      Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP and UDP 88                         Kerberos
TCP and UDP 464                        Kerberos Password v5 (kpasswd)
TCP and UDP 389                        LDAP
TCP 636                                LDAP over SSL
TCP and UDP 3268                       LDAP to the global catalog
TCP 3269                               LDAP over SSL to the global catalog
UDP 137, UDP 138, TCP 139, TCP 445     NetBIOS name, datagram and session services (137, 138, 139) and SMB direct hosting (445)
TCP 135                                WinRPC endpoint locator
TCP and UDP 5000-5020                  DCOM RPC range after restriction. See the "Restricting DCOM Dynamic Port Allocation" section.


Network Traffic Between Exchange Servers

If Cisco Unity subscriber mailboxes are homed on an Exchange server other than the partner Exchange server, the partner server and all Exchange message store servers on which Cisco Unity subscriber mailboxes are homed must be able to establish connections with one another on the following ports:

Port on Exchange Servers               Protocol or Service
-------------------------------------  ------------------------------------------------------------
TCP 25                                 SMTP
TCP 135                                WinRPC endpoint locator
TCP 691                                Message routing (link state information between Exchange routing groups)
TCP and UDP 5000-5020                  DCOM RPC range after restriction. See the "Restricting DCOM Dynamic Port Allocation" section.
Static Exchange ports (TCP and UDP)    Exchange services configured to static ports as described in Microsoft Knowledge Base article 270836, Exchange Server Static Port Mappings


Network Traffic Between Exchange and Other Voice-Messaging Systems

If Cisco Unity is using Cisco Unity Bridge networking or VPIM networking to communicate with other voice-messaging systems, the Exchange server on which the Cisco Unity Voice Connector for Microsoft Exchange is installed must be able to establish SMTP connections to TCP port 25 on the Bridge server(s), on the other voice-messaging systems, and on any SMTP relay server(s).

Network Traffic Between Other Voice-Messaging Systems and Exchange

If Cisco Unity is using VPIM or Cisco Unity Bridge networking to communicate with other voice-messaging systems, the Bridge server(s), the other voice-messaging systems, and SMTP relay server(s) must be able to establish SMTP connections to TCP port 25 on the Exchange server on which the Cisco Unity Voice Connector for Microsoft Exchange is installed.

Network Traffic from Cisco Unity Subscriber Workstations to Various Servers

See the following sections:

Network Traffic from Cisco Unity Subscriber Workstations to a DNS Server

Network Traffic from Cisco Unity Subscriber Workstations to the Exchange Server on Which the Subscriber Mailbox Is Homed

Network Traffic from Cisco Unity Subscriber Workstations to a DNS Server

Each Cisco Unity subscriber workstation must be able to establish TCP and UDP connections to its DNS Server at port 53.

Network Traffic from Cisco Unity Subscriber Workstations to the Exchange Server on Which the Subscriber Mailbox Is Homed

Subscriber workstations must be able to establish TCP and UDP connections to the Exchange server on which their mailbox is homed on the following ports:

Port on the Exchange Servers on Which Subscriber Mailboxes Are Homed    Protocol or Service
----------------------------------------------------------------------  ------------------------------------------------------------
TCP 135                                                                 WinRPC endpoint locator
TCP and UDP 5000-5020                                                   DCOM RPC range after restriction. See the "Restricting DCOM Dynamic Port Allocation" section.
UDP 137, UDP 138, TCP 139, TCP 445                                      NetBIOS name, datagram and session services (137, 138, 139) and SMB direct hosting (445)
Static Exchange ports (TCP and UDP)                                     Exchange services configured to static ports as described in Microsoft Knowledge Base article 270836, Exchange Server Static Port Mappings


Restricting DCOM Dynamic Port Allocation

By default, DCOM dynamically allocates TCP and UDP ports in the range 1024-65535. To restrict dynamic port allocation to a narrower range, do the following procedure.

To Restrict DCOM Dynamic Port Allocation


Step 1 On the Windows Start menu, click Programs > Administrative Tools > Component Services.

Step 2 Expand the Component Services and Computers nodes. Right-click My Computer, and then click Properties.

Step 3 On the Default Protocols tab, in the DCOM Protocols list, click Connection-Oriented TCP/IP, and then click Properties.

Step 4 In the Properties for COM Internet Services dialog box, click Add.

Step 5 In the Port range text box, add a port range (for example, enter 5000-5020), and then click OK.


Note Entering a port range smaller than 20 ports will cause some services not to start.


Step 6 Leave the Port Range Assignment and the Default Dynamic Port Allocation options set to Internet Range.

Step 7 Click OK three times.

Step 8 Restart the Cisco Unity server.


For more information on restricting dynamic port ranges, refer to Microsoft Knowledge Base article 300083, How To Restrict TCP/IP Ports on Windows 2000 and Windows XP, available on the Microsoft support website.
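The following script is an added example and is not part of the Cisco guide. It performs the same change as the Component Services procedure above by writing the registry values that the Default Protocols dialog sets, which are the values documented in Microsoft Knowledge Base article 300083 (and 154596): under HKLM\SOFTWARE\Microsoft\Rpc\Internet, the REG_MULTI_SZ value Ports holds the range, and the REG_SZ values PortsInternetAvailable and UseInternetPorts set to Y correspond to leaving both options at "Internet Range" in Step 6. The script also enforces the Note above by refusing a range of fewer than 20 ports, and it reads the values back so the change can be confirmed before the restart. The 5000-5020 default is the guide's example range; run the script in an elevated PowerShell session on the Cisco Unity server.

```powershell
# Added example (not part of the Cisco guide): apply the DCOM dynamic-port restriction by writing the
# registry values that the Component Services UI sets (Microsoft KB 300083 / KB 154596), refuse a range
# smaller than the 20 ports the guide requires, and read the result back. A restart is still required.

param(
    [string]$PortRange = '5000-5020'   # the guide's example range; any "low-high" range of 20+ ports is accepted
)

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# Validate the range before touching the registry: the guide notes that fewer than 20 ports stops some services.
if ($PortRange -notmatch '^(\d+)-(\d+)$') { throw "Port range must look like 5000-5020, got '$PortRange'" }
$low  = [int]$Matches[1]
$high = [int]$Matches[2]
if ($low -lt 1024 -or $high -gt 65535 -or $high -lt $low) { throw "Range $PortRange is not inside 1024-65535" }
$count = $high - $low + 1
if ($count -lt 20) { throw "Range $PortRange has only $count ports; the guide requires at least 20" }

if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }

# Ports is REG_MULTI_SZ with one entry per range. PortsInternetAvailable=Y declares the listed ports as the
# "Internet" range; UseInternetPorts=Y makes default dynamic allocation draw from that range. Together they
# match Step 6 of the procedure (both options left at "Internet Range").
New-ItemProperty -Path $rpcKey -Name 'Ports'                  -PropertyType MultiString -Value @($PortRange) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String      -Value 'Y'           -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -PropertyType String      -Value 'Y'           -Force | Out-Null

# Read back what was written so the change can be confirmed before the restart.
$cfg = Get-ItemProperty -Path $rpcKey
"Ports                  : $($cfg.Ports -join ', ')"
"PortsInternetAvailable : $($cfg.PortsInternetAvailable)"
"UseInternetPorts       : $($cfg.UseInternetPorts)"

Write-Warning 'Restart the Cisco Unity server; the RPC runtime reads this key only at service start.'
```

After the restart, `netstat -ano -p tcp` on the server should show the RPC-based services (and DCOM servers such as the Cisco Unity components reached by the Cisco PCA and ViewMail for Outlook) listening only within the configured range, apart from the statically assigned ports listed elsewhere in this chapter. The same key must be set on every host whose table in this chapter lists the 5000-5020 row, not only on the Cisco Unity server, or the firewall rule written for that range will block the RPC traffic that the host is actually using.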