firewall configured for H.323 Polycom video & Network Products

From Polycom Knowledgebase - 2011-08 - What H.323 TCP_UDP ports are needed or used by Polycom Video and Network Products?

TCP/IP ports needed: This is provided as a summary and more details are generally available in the documentation for the specific product.

� SIP Related Port Usage

� 5060 � UDP or TCP depending on the SIP server � Signalling

LCS & Alcatel OXE use TCP

� RTP data is the same as for H.323 so same media ports apply

� H.323 Related Port Usage

H.323 Ports:

� 80 - Static TCP - HTTP Interface (optional) Address Book Utility

� 389 - Static TCP - ILS Registration (LDAP)

� 1503 - Static TCP - T.120

� 1718 - Static UDP - Gatekeeper discovery (Must be bidirectional)

� 1719 - Static UDP - Gatekeeper RAS (Must be bidirectional)

� 1720 - Static TCP - H.323 call setup (Must be bidirectional)

� 1731 - Static TCP - Audio Call Control (Must be bidirectional)

� 1024-65535 Dynamic TCP H245

� 1024-65535 Dynamic UDP - RTP (Video data)

� 1024-65535 Dynamic UDP - RTP (Audio data)

� 1024-65535 Dynamic UDP RTCP (Control Information)

These ports above, can be set to "Fixed Ports" on Polycom systems, as opposed to dynamic.

Other ViewStations/VSX/HDX Ports:

� 21 (FTP) - Software Updates, GMS Provisioning, & Address Book Utility

� 23 (Telnet) - For Diagnostics & API Control (used by PCS) by MP/512/ect.

� 24 (Telnet) � For Diagnostics & API Control (used by PCS) by FX/EX/4000, VSX, and HDX

� 123 � UDP � Used for NTP (time server) on the VSX

� 3231 to 3236 - TCP Ports (default fixed ports VSX version 8.5)

� 3231 to 3254 - UDP Ports (default fixed ports VSX version 8.5)

� 16384 & 16386 � Multicast Streaming ports for audio & video

VSX/HDX Security Mode additional/alternate ports:

� 443 (TCP) � secure HTTP; HTTPS

� 992 or 993 (TLS) � secure Telnet

� 990 (FTPS-TLS) � secure FTP

People+Content IP Ports:

� 5001 - Static TCP

GMS Ports:

� 21 (FTP/TCP) - Software Updates & Provisioning

� 23 (Telnet/TCP) � Diagnostic Logging

� 25 (SMTP:TCP) � Remote e-mail alerts

� 80 (HTTP) - Pulling ViewStation/VS4000/VSX/HDX info

� 162 (SMTP:UDP) � Remote Alerts to an SNMP server

� 389 (LDAP:TCP) - LDAP and ILS

� 1002 (LDAP:ILS) - ILS

� 3601 (Proprietary/TCP) (Data Traffic) - GAB data

� 3603 (TCP)- Pulling ViaVideo / PVX info (since might be non-web server PC)

� 9090 (formally 8080) (https:TCP) � Proprietary database communications, port is user-configurable

GMS listens for connections on ports 80 and 3601 (GAB) and in the future will listen on port 3604 (ViaVideo) and other potentials later.

PCS Ports:

Communication between PCS and devices:

� 23 (Telnet) � Management & Control � Tandberg Codecs.

� 24 (Telnet) � Management & Control � Polycom ViewStations, VSX, and HDX.

� 161(SNMP) � Managed device

� 2000 (TCP/IP) � Gatekeeper call authorization for outbound communications � Cisco MCM

� 2773 (TCP/IP) � Management & Control � Polycom iPower, VCON codecs

� 3603 (HTTP) � Management & Control � Polycom ViaVideo and PVX

� 4000-4004 (TCP/IP) � Management & Control � Lantronix

� 5001 (API via TCP/IP) � Management & Control � Polycom MGC

� 8000 (TCP/IP) � Gatekeeper call authorization for outbound communications � Cisco MCM, RADVision ECS

Communication between PCS and client:

� 80 (HTTP) � General Communication � Web browser.

� 2771 (TCP/IP) � Data communication � Remote SQL server, Outlook / Notes Mail server

� 2773 (TCP/IP) � remote � Polycom Conferencing Suite Server

� 2777 (TCP/IP) � Mail & Calendar communication � Outlook / Notes mail server

Communication between PCS servers:

� 700 (TCP/IP) � Redundant server communication - PCS

� 2771 (TCP/IP) � Distributed Server communication - PCS

Other ViaVideo / PVX Ports:

� 3230-3235 (TCP / UDP) Signaling and control for audio, call, video and data/FECC

� 3230-3237 (TCP / UDP) Signaling and control for audio, call, video and data/FECC, version 8.0 and beyond

� 3604 (GMS Server Discovery)(Used by ViaVideo & PVX)(Broadcast) used by PCS

MGC (Polycom Network Systems) Additional Ports:

� 5001/1025 Static TCP for MGC Manager.

� MGC Manager can also use TCP 443 for secure connections or TCP 80 unsecured access.

� 21 - Static TCP - FTP (retrieve MGC config. Files etc.)

� 5003 TCP for diagnostics access.

� TCP 17 For Diagnostic Remote Desktop access to MGC's running XPEK OS.

PathNavigator Ports:

From PathNavigator to endpoint

� Varies by endpoint - UDP � RAS (Registration, Admission and Status)

� 1720 � TCP (Q.931) � Setting up calls when PathNavigator is in routed mode

From endpoint to PathNavigator

� 1719 � UDP � RAS

� 1720 � TCP (Q.931) - Setting up calls when PathNavigator is in routed mode

From Monitoring Workstation

� 80 � TCP � for HTTP communication with PathNavigator UI

SE200 Ports:

Open ports on the SE200

� 80 / 85 (HTTP / TCP) � The Apache Web server through which the web application displays and where the Polycom endpoints post status messages

� 123 � An NTP listener

� 135 � The Microsoft RPC port

� 137 � The NetBIOS name service listener

� 139 � The NetBIOS SMB listener

� 161 � The SNMP listener

� 781, 782, 783, 784, 785 � Used by the Administrative Diagnostic Tool

� 1042 � A .NET listener used for the SQL server

� 1063 � A .NET listener

� 1167 � A .NET listener

� 1433 The internal NSDE server listens on this port which enables views into the database from outside the SE200

� 1720 The gatekeeper listener for RAS messages

� 2771, 2773 � Used by the scheduling plug-ins

� 3601 The Global Management System listener that endpoints register with

� 5005 � The .NET listener for the MGC Authentication Service and API adapter

� 8009 � the .NET listener for Tomcat-related services

� 8080 � The Apache Tomcat Java server which displays the Java Sever Pages for the user interface. It is proxied through the Apache server running on port 80

� 8085 � The .NET listener for remote access

Ports used by the SE200

� 20,21 � Used to FTP data to endpoints

� 23 - Used to access the Telnet interfaces on endpoints

� 24 � Used to access a secondary Telnet interface on endpoints

� 25 � Used to send e-mail messages to SMTP servers

� 53 � Used to access domain name servers (DNS)

� 80 � Used to access the web application on endpoints and MGCs (version 7.x and higher)

� 389 � Access by the SE200 when contacting Active Directory

� 1205 � Used to access MGCs for management and monitoring

� 1719 � Used by the gatekeeper for H.323 datagrams

� 1720 � Used by the gatekeeper for H.323 RAS messages

� 3268 � Used to access the Active Directory Global catalog

� 5001 � Used to access MGCs for management and monitoring

Polycom, Inc. by: Steven Zabriski 11

WebOffice Ports:

� 80 / 85 (HTTP / TCP) � WO client communications with WO sever

� 443 / 85 (HTTP / TCP) � WO client communications with WO sever

� 5005 (proprietary) � WO Server uses this service to translate commands to MGC (usually internal port)

� 5001 / 1205 (proprietary) � WO server and MGC communication

V 2 IU (firewall must allow these ports to and from the V 2 IU):

In all cases

� 21 (FTP / TCP) - optional

� 80 (HTTP / TCP) - optional for management

� 443 (HTTPS / TCP) - optional for management

� 16386:17286 (RTP / UDP) - 4300T-E3

� 16386:25386 (RTP / UDP) - 5300-E10 and E25

� 16386:34386 (RTP / UDP) - 6400-E and S85

� 161 (SNMP / UDP) - optional for management

� 22 (SSH / TCP) - optional for management

� 23 (Telnet / TCP ) - optional for management

� 69 (TFTP / UDP) � optional

� 123 (SNTP / TCP) � 123 optional

MGCP phones

� 2427, 2429, 2432, 272 (MGCP / UDP) � optional

SIP Phones

� 5060 (SIP / UDP) - plus and additional ports specified on the VoIP ALG page � optional

� 5050 (SIP / UDP) � when survivability enabled optional

H.323 Endpoints

� 1720 (Q.931 (H.225) / TCP)

� 1719 (RAS / UDP)

� 14085:15084 (H.245 / TCP)

Please see the Polycom knowledge base for the White Paper defining this information for the V 2 IU ports.

RSS 2000 Recording and Streaming device:

In all cases

� 81 (TCP) - Manger

� 80 (HTTP / TCP) - Web

� 30011 (UDP) � Trace

� Endpoint H.323

� 1719 - Static UDP - Gatekeeper RAS (Must be bidirectional)

� 1720 - Static UDP - RAS (Must be bidirectional)

� 1720 - Static TCP � Q931 socket

� 1730 -1739 - Static TCP � H.245 Socket

� 2000 � 2099 � UDP - Audio/Video/Data

� Media

� 1800 -1801 - Static TCP � Live Broadcast

� 2800 � 2859 � Static TCP � On Demand Archive

RTP Type (VSX, HDX and MGC applicable):

See 6/RFC3551. RFC3551 it defines static payload type values for some RTP data (such as G.722, G.711, H.261, H.263, etc), but not for the newer codecs such as G.722.1, H.263 +, H.263 ++ and H.264. For the newer codecs, dynamic payload type values in the range 96 - 127 are used.

Products

Global Management System
HDX Series
MGC +100 ReadiConvene
MGC +50 ReadiConvene
MGC -25
MGC-50/MGC-100
PathNavigator
PVX
ReadiManager SE200
RSS 2000
ViaVideo II
ViewStation EX
ViewStation FX
ViewStation H.323
ViewStation MP
ViewStation SP 128
ViewStation SP 384
VSX Series
Group Series

All Software Versions

Port	Type	Protocol	Function	On By Default? (Minimum Security Profile)	Location of Setting in Web Interface to Enable or Disable	Configurable Port Number? If Yes, Location of Setting
Inbound Ports (connections to the HDX system)
23	Static	TCP	Telnet Diagnostics	Yes	Admin Settings/General Settings/ Security/Security Settings/Enable Remote Access: Telnet	No
24	Static	TCP	Polycom API	Yes	Admin Settings/General Settings/ Security/Security Settings/Enable Remote Access: Telnet	No
80	Static	TCP	HDX Web UI over HTTP	Yes	Admin Settings/General Settings/ Security/Security Settings/Enable Remote Access: Web	Admin Settings/General Settings/ Security/Security Settings/Web Access Port
161	Static	UDP	SNMP	No	Admin Settings/Global Services/ SNMP/Enable SNMP	No
443	Static	TLS	HDX Web UI over HTTPS	Yes	Admin Settings/General Settings/ Security/Security Settings/Enable Remote Access: Web	No
1719	Static	UDP	H.323 Gatekeeper (H.225.0 RAS)	No	Admin Settings/Network/IP Network/H.323 Settings/Use Gatekeeper = Auto, Specify, Specify with PIN	No
1720	Static	TCP	H.323 Calling (H.225.0 Call Signaling)	Yes	Admin Settings/Network/IP Network/H.323 Settings/Enable IP H.323	No
4122	Static	TLS	Polycom Touch Control over TLS	Yes	Admin Settings/Polycom Touch Control/Allow Polycom Touch Control to Pair with this System (Disabled in Maximum Security Profile)	No
5001	Static	TCP/ UDP	People+Content	Yes	Not Configurable (Disabled in Maximum Security Profile)	No


5060	Static	TCP UDP	SIP (Protocol depends on Transport Protocol setting)	Yes	Admin Settings/Network/IP Network/SIP Settings/Enable SIP	No
5061	Static	TLS	SIP over TLS (dynamically opened only when a Proxy/Registrar Server is configured)	Yes	Admin Settings/Network/IP Network/SIP Settings/Enable SIP " Admin Settings/Network/IP Network/SIP Settings/Transport Protocol (Auto or TLS) " Admin Settings/Network/IP Network/SIP Settings/Registrar Server " Admin Settings/Network/IP Network/SIP Settings/Proxy Server "	No
49152 -65535	Dynamic	TCP	H.323 Control (H.245)	Yes	Admin Settings/Network/IP Network/H.323 Settings/Enable IP H.323	Admin Settings/Network/IP Network/ Firewall/Fixed Ports/TCP Ports (1024-65535)
49152 -65535	Dynamic	UDP	RTP/RTCP Audio/Video/ Far-end Camera Control	Yes	Admin Settings/Network/IP Network/H.323 Settings/Enable IP H.323 " Admin Settings/Network/IP Network/SIP Settings/Enable SIP " Admin Settings/Cameras/ Cameras:/Far Control of Near Camera "	Admin Settings/Network/IP Network/ Firewall/Fixed Ports/UDP Ports (1024-65535)
Outbound Ports (connections from the HDX system)
80	Static	TCP	GMS/SE200/CMA/ RealPresence Resource Manager Legacy Management	No	Admin Settings/Global Services/ Management Servers Remove HDX from Management list on GMS/SE200/CMA/ RealPresence Resource Manager system	No
80	Static	TCP	Polycom Product Registration	Yes	Uncheck Register checkbox during OOB setup	No
123	Static	UDP	NTP	Yes	Admin Settings/General Settings/ Date and Time/Time Server	No
162	Static	UDP	SNMP TRAP	No	Admin Settings/Global Services/ SNMP/Enable SNMP	No
389	Static	TLS	LDAP	No	Admin Settings/Global Services/ Directory Services/LDAP	No

443	Static	TLS	Resource Management (Provisioning, Monitoring, Software Update)	No	Admin Settings/Global Services/ Provisioning Service	No
443	Static	TLS	Microsoft Exchange Server (Calendaring)	No	Admin Settings/Global Services/ Calendaring Service/Enable Calendaring Service	No
443	Static	TLS	Microsoft Lync Address Book	No	Admin Settings/Global Services/ Directory Services/Microsoft Lync Server 2010	No
514	Static	UDP	SYSLOG	No	Diagnostics/Remote Logging Enabled	No
1718	Static	UDP	H.323 Gatekeeper Discovery (H.225.0)	No	Admin Settings/Network/IP Network/H.323 Settings/Use Gatekeeper = Auto	No
1719	Static	UDP	H.225.0 RAS	No	Admin Settings/Network/Call Preference/IP Network/H.323 Settings/Use Gatekeeper = Auto, Specify, Specify with PIN	Yes - outgoing port can be specified in the Primary Gatekeeper IP Address field
1720	Static	TCP	H.323 Calling (H.225.0 Call Signaling)	Yes	Admin Settings/Network/IP Network/H.323 Settings/Enable IP H.323	No
3601	Static	TCP	Polycom GDS	No	Admin Settings/Global Services/ Directory Servers/Polycom GDS	No
5060	Static	TCP UDP	SIP	Yes	Admin Settings/Network/IP Network/SIP Settings/Enable SIP	Yes - outgoing port can be specified in the dial string (user@domain:port)
5061	Static	TLS	SIP over TLS	Yes	Admin Settings/Network/IP Network/SIP Settings/Enable SIP " Admin Settings/Network/IP Network/SIP Settings/Transport Protocol (Auto or TLS) "	Yes - outgoing port can be specified in the dial string (user@domain:port)
5222	Static	TCP	Resource Management: XMPP	No	Provisioned by the RealPresence Resource Manager system	No
49152 -65535	Dynamic	TCP	H.323 Control (H.245)	Yes	Admin Settings/Network/IP Network/H.323 Settings/Enable IP H.323	Admin Settings/Network/IP Network/ Firewall/Fixed Ports/TCP Ports (1024-65535)
49152 -65535	Dynamic	UDP	RTP/RTCP Audio/Video/ Far-end Camera Control	Yes	Admin Settings/Network/IP Network/H.323 Settings/Enable IP H.323 " Admin Settings/Network/IP Network/SIP Settings/Enable SIP "	Admin Settings/Network/IP Network/ Firewall/Fixed Ports/UDP Ports (1024-65535)

How is a firewall configured for H.323 Polycom video & Network Products?