If your VCS Expressway does not have any endpoints registering directly with it, and it is not part of a
cluster, then UDP/1719 is not required. You therefore do not need to allow outbound connections to this port
through the firewall between the VCS Control and VCS Expressway.
Configuring TURN ports
The VCS Expressway can be enabled to provide TURN services (Traversal Using Relays around NAT)
which can be used by ICE-enabled SIP endpoints. The ports used by these services are configurable via
Configuration > Traversal > TURN.
The ICE clients on each of the SIP endpoints must be able to discover these ports, either by using SRV
records in DNS or by direct configuration.
Configuring ports for connections out to the public internet
In situations where the VCS Expressway is attempting to connect to an endpoint on the public internet, you
will not know the exact ports on the endpoint to which the connection will be made. This is because the ports
to be used are determined by the endpoint and advised to the VCS Expressway only after the server has
located the endpoint on the public internet. This may cause problems if your VCS Expressway is located
within a DMZ (where there is a firewall between the VCS Expressway and the public internet) as you will not
be able to specify in advance any rules that will allow you to connect out to the endpoint’s ports.
You can however specify the ports on the VCS Expressway that are used for calls to and from endpoints on
the public internet so that your firewall administrator can allow connections via these ports. The ports that
can be configured for this purpose are:
H.323:
  TCP/1720: signaling
  UDP/1719: signaling
  UDP/36000-59999: media*
  TCP/15000-19999: signaling
SIP:
  TCP/5061: signaling
  UDP/5060 (default): signaling
  UDP/36000-59999: media*
  TCP: a temporary port in the range 25000-29999 is allocated
TURN:
  UDP/3478 (default): TURN services**
  UDP/24000-29999 (default range): media**
Table 2: Port connections out to the public internet
* The default media port range of 36000 to 59999 applies to new installations of X8.1 or later. The first 2 ports
in the range are used for multiplexed traffic only (with Large VM deployments the first 12 ports in the range –
36000 to 36011 – are used). The previous default range of 50000 - 54999 still applies to earlier releases that
have upgraded to X8.1.
** On Large VM server deployments you can configure a range of TURN request listening ports. The default
range is 3478 – 3483. The default TURN relay media port range of 24000 – 29999 applies to new installations
of X8.1 or later. The previous default range of 60000 – 61799 still applies to earlier releases that have
upgraded to X8.1.
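The following nftables fragment is an added example, not part of the Cisco guide. It shows how a DMZ firewall can permit calls out to the public internet by matching the Table 2 ports as source ports on the VCS Expressway, since the destination ports are not known in advance. The address, interface name, table, set and chain names are constructed placeholders, and treating every Table 2 entry as a source-port match is an assumption.

```nftables
#!/usr/sbin/nft -f
# Added example: egress filter for a VCS Expressway in a DMZ.
# Placeholders (constructed, not from the guide):
define VCSE   = 192.0.2.10   # VCS Expressway address in the DMZ
define WAN_IF = "eth0"       # firewall interface facing the internet

table inet vcse_egress {
    # TCP ports on the Expressway, as listed in Table 2.
    set vcse_tcp {
        type inet_service; flags interval;
        elements = { 1720,          # H.323 signaling
                     5061,          # SIP signaling
                     15000-19999,   # H.323 signaling
                     25000-29999 }  # SIP temporary TCP port
    }

    # UDP ports on the Expressway, as listed in Table 2.
    # Systems upgraded to X8.1 keep the earlier ranges instead:
    # media 50000-54999, TURN relay media 60000-61799.
    # Large VM deployments listen for TURN requests on 3478-3483.
    set vcse_udp {
        type inet_service; flags interval;
        elements = { 1719,          # H.323 signaling
                     5060,          # SIP signaling (default)
                     3478,          # TURN services (default)
                     24000-29999,   # TURN relay media (default range)
                     36000-59999 }  # media
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only judge traffic leaving the Expressway towards the internet;
        # everything else is left to the rest of the ruleset.
        oifname != $WAN_IF return
        ip saddr != $VCSE return

        ct state established,related accept

        # Destination port is chosen by the remote endpoint, so the
        # rule matches on the Expressway's configured source ports.
        tcp sport @vcse_tcp accept
        udp sport @vcse_udp accept

        # Anything else from the Expressway is logged and dropped.
        log prefix "vcse-egress-deny " drop
    }
}
```

If the port ranges are changed on the VCS Expressway, the two sets must be updated to match, otherwise calls fail with entries under the vcse-egress-deny log prefix.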
Cisco VCS Administrator Guide (X8.1.1)
Firewall traversal
Configuring ports for firewall traversal