Cisco Meeting Server

Web Proxy for Cisco Meeting Server Connections

Web Proxy for Cisco Meeting Server Port Reference

Table 1. Web Proxy for Meeting Server

Purpose

Src. IP

Src. ports

Protocol

Dest. IP

Dst. Ports

CMA Web client signaling

Guest PCs

1024-65535

TLS

Expressway-E public IP

443 11

Tunneled media

CMA Cisco Meeting WebRTC App

1024-65535

UDP

Expressway-E public IP

3478 (and TCP override port if configured)

Web interface access

Administrator PCs

1024-65535

TLS

Expressway-E IP

NOT 443 22

8443 33

SSH tunnels for firewall traversal

Expressway-C

30000-35999

TCP

Expressway-E private IP

2222

SIP signaling

Expressway-C

25000-29999

TCP or TLS

Expressway-E

7001 (for first traversal zone; 7002 for second etc.)

CMA Cisco Meeting WebRTC App TURN requests

Any IP

1024-65535

UDP

Expressway-E TURN server public IP

3478

CMA Cisco Meeting WebRTC App TURN requests (TCP fallback)

Any IP

1024-65535

TCP

Expressway-E TURN server public IP

3478 44

Webbridge signaling (HTTPS)

Expressway-C

30000-35999

HTTPS

Meeting Server

443

Webbridge signaling (HTTPS)

Meeting Server

>=1024

HTTPS

Expressway-C

30000-35999

TURN client requests

Meeting Server

1024-65535

UDP

Expressway-E TURN server private IP

3478
TURN relays 55

Original Source: Expressway-E Private IP Translated Source: Expressway-E Public IP

24000- 29999

UDP and TCP

Original Destination: Expressway-E Public IP Translated Destination: Expressway-E Private IP

24000-29999

TURN relay (On premises)

Expressway-E Private IP

24000- 29999

UDP and TCP

Expressway-E Private IP

24000-29999

TURN relays 66

Meeting Server

Ephemeral

UDP

Expressway-E public IP

24000-29999
1 You must change the administration port because WebRTC clients use 443. If the WebRTC browser tries to access port 80, the Expressway-E redirects the connection to 443.
2 Options for alternative management ports are shown on the web interface. You can use the CLI to change it to a different port, eg. 7443, so that you can lock it down. We strongly advise against opening an external management port on the public IP address. If the browser tries to access port 80, the Expressway-E redirects the connection to your chosen port
3 If your Meeting Server and Expressway deployment is coexisting with MRA, you must not use port 8443 for web administration.
4 In version X8.10, the Expressway cannot listen on TCP 443 for TURN at the same time as it is listening on TCP 443 for signaling from the Cisco Meeting WebRTC App. TCP 3478 is shown, because the Expressway listens on the configured TURN port for both transport protocols. From X8.11, Expressway-E can listen to both TURN and Cisco Meeting Server requests on the TCP port 443.
5 You must configure your external firewall to allow NAT reflection for the Expressway-E public IP address. (Firewalls typically mistrust packets that have the same source and destination IP address). From X12.5.3 release, there is no need to configure NAT reflection on external firewall. This is because Expressway has the ability to detect its own address without NAT reflection.

Important

 

From X12.5.5, support for static NAT functionality on TURN is extended to clustered systems. However, peers which are configured as TURN servers must be reachable using the private addresses for their corresponding public interfaces.

6 If the relay ports are not open, then the Meeting Server will use UDP port 3478 to relay media in all cases. This adds load on the TURN server in cases where the CMA web client is also using a relay.

SIP Edge for Meeting Server Connections (Standards-based Endpoints)

SIP Edge for Cisco Meeting Server Port Reference (Standards-based Endpoints)

Table 2. SIP Edge for Meeting Server Port Reference

Purpose

Src. IP

Src. ports

Protocol

Dest. IP

Dst. Ports

SIP signaling

Expressway-C

25000-29999

TCP or TLS

Expressway-E

7001 (for first traversal zone; 7002 for second etc.)

SIP signaling

Expressway-C

5060

UDP

Meeting Server

5060

SIP signaling

Expressway-C

25000-29999

TLS

Meeting Server

5061

SIP signaling

SIP endpoint (or its firewall)

>=1024

TCP

Expressway-E

5060

SIP signaling

SIP endpoint (or its firewall)

>=1024

TLS

Expressway-E

5061

Assent RTP

(traversed media)

Expressway-C

36000-59999

UDP

Expressway-E

2776 or 36000 (Small/Medium)

36000 - 36010 (even ports) (Large)

Assent RTCP

(traversed media

Expressway-C

36000-59999

UDP

Expressway-E

2777 or 36001 (Small/Medium)

36001 - 36011 (odd ports) (Large)

Assent RTP

(traversed media)

SIP endpoint (or its firewall)

>=1024

Could be the firewall port where the media egressed, rather than an endpoint port

UDP

Expressway-E

36000-59999

Assent RTCP

(traversed media)

SIP endpoint (or its firewall)

>=1024

Could be the firewall port where the media egressed, rather than an endpoint port

UDP

Expressway-E

36000-59999

Assent RTP

(traversed media)

Expressway-E

36000-59999

UDP

SIP endpoint (or its firewall)

>=1024

Expressway waits until it receives media, then sends media to that source port (which could be the port where the media egressed the firewall, not an endpoint port)

TURN request

Any IP address

>=1024 (signaling port from endpoint or the firewall)

UDP & TCP

Expressway-E public IP

3478 (Small/Medium)

3478-3483 (Large)

TURN request

Meeting Server

>=1024

UDP

Expressway-E private IP

3478 (Small/Medium)

3478-3483 (Large)

TURN media

Expressway-E

24000-29999

UDP & TCP

Any IP address

>=1024

TURN media

Any

>=1024

Port of relevant ICE candidate: host IP port, server reflexive port (outside firewall port), or TURN server port

UDP & TCP

Expressway-E

24000-29999

TURN media

Meeting Server

50000-51000

UDP

Expressway-E private IP

24000-29999

SIP Edge for Meeting Server Connections (Microsoft Clients)

SIP Edge for Cisco Meeting Server Port Reference (Microsoft Clients)

Table 3. SIP Edge for Meeting Server Port Reference

Purpose

Src. IP

Src. ports

Protocol

Dest. IP

Dst. Ports

SIP signaling

Expressway-C

25000-29999

TCP or TLS

Expressway-E

7001 (for first traversal zone; 7002 for second etc.)

SIP signaling

Expressway-C

25000-29999

TLS

Meeting Server

5061

SIP signaling

SIP endpoint (or its firewall)

>=1024

TCP

Expressway-E

5060

SIP signaling

SIP endpoint (or its firewall)

>=1024

TLS

Expressway-E

5061

Assent RTP

(traversed media)

Expressway-C

36000-59999

UDP

Expressway-E

2776 or 36000 (Small/Medium)

36000 - 36010 (even ports) (Large)

Assent RTCP

(traversed media)

Expressway-C

36000-59999

UDP

Expressway-E

2777 or 36001 (Small/Medium)

36001 - 36011 (odd ports) (Large)

Assent RTP

(traversed media)

SIP endpoint (or its firewall)

>=1024

Could be the firewall port where the media egressed, rather than an endpoint port

UDP

Expressway-E

36000-59999

Assent RTCP

(traversed media)

SIP endpoint (or its firewall)

>=1024

Could be the firewall port where the media egressed, rather than an endpoint port

UDP

Expressway-E

36000-59999

Assent RTP

(traversed media)

Expressway-E

36000-59999

UDP

SIP endpoint (or its firewall)

>=1024

Expressway waits until it receives media, then sends media to that source port (which could be the port where the media egressed the firewall, not an endpoint port)

TURN control

Any IP address

>=1024 (signaling port from endpoint or the firewall)

UDP & TCP

Expressway-E

3478 (Small/Medium)

3478-3483 (Large)

TURN media

Expressway-E

24000-29999

UDP & TCP

Any IP address

>=1024

TURN media

Any

>=1024

Port of relevant ICE candidate: host IP port, server reflexive port (outside firewall port), or TURN server port

UDP & TCP

Expressway-E

24000-29999

Connection Map-Point to Point Microsoft Interoperability Using Meeting Server

Port Reference-Point to Point Microsoft Interoperability Using Meeting Server

Table 4. Point to Point Microsoft Interoperability Using Meeting Server Port Reference

Purpose

Src. IP

Src. ports

Protocol

Dest. IP

Dst. Ports

SIP Signaling

Expressway-C

25000-29999

TCP or TLS

Expressway-E

7001 (for first traversal zone; 7002 for second etc.)

SIP Signaling

Expressway-C

25000-29999

TLS

Meeting Server

5061

SIP Signaling

Expressway-C

25000-29999

TCP

Meeting Server

5060

SIP Signaling

Microsoft client or its firewall

>=1024

TLS

Expressway-E

5061

SIP Signaling

Expressway-C

25000-29999

TLS

Unified CM

5061

SIP Signaling

Expressway-C

25000-29999

TCP

Unified CM

5060

SIP Signaling

Unified CM

Ephemeral

TLS

Expressway-C

5061

SIP Signaling

Unified CM

Ephemeral

TCP

Expressway-C

5060

TURN control

Any IP address

>=1024 (signaling port from endpoint or the firewall)

UDP & TCP

Expressway- E

3478 (Small/Medium)

TURN request

Meeting Server

>=1024

UDP/TCP

Expressway-E private IP

3478 (Small/Medium) 3478-3483 (Large)

TURN media

Expressway- E

24000-29999

UDP & TCP

Any IP address

>=1024

TURN media

Any

>=1024 Port of relevant ICE candidate: host IP port, server reflexive port (outside firewall port), or TURN server port

UDP & TCP

Expressway- E

24000-29999

TURN media

Meeting Server

50000-51000

UDP

Expressway-E private IP

24000-29999