Avaya Port Matrix Avaya Video Conferencing XT Series 9.2.4 - Avaya Support
Avaya Port Matrix: Avaya Video Conferencing XT Series 9.2.4
Issue 0.16
March 10, 2021
Avaya Equinox Solution 9.1.x
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL ELIMINATE SECURITY THREATS TO CUSTOMERS' SYSTEMS. AVAYA INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES, REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY CIRCUMSTANCES BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN. THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE OF THESE TERMS.

© 2021 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.

Avaya – Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy. March 2021. Avaya Port Matrix: Avaya Video Conferencing XT Series 9.2. Comments? Infodev@avaya.com
1. Avaya Video Conferencing XT Series

The Avaya Video Conferencing XT Series provides video technology for room conferencing, including support for dual-stream 1080p video, high-quality data sharing, high-quality full-band audio and a high-capacity embedded MCU (selected models).

To enable an external XT Series endpoint to communicate with other Avaya Equinox Solution components within the organization's network, you need to open firewall ports between the external XT Series endpoint and the organization. This section details the ports used by the Avaya XT Series and the relevant configuration procedures.

One Ethernet port (GLAN1, 10/100/1000) is always available for Ethernet connectivity on an XT Series endpoint; an additional GLAN2 port can be available as an option.

2. Opening Ports for the XT Series

You can deploy Avaya XT Series endpoints either inside or outside the enterprise network. When Avaya Equinox Solution components are located inside the network and one or more XT Series endpoints are outside the network, you must open ports in the firewall to enable the endpoint's functionality. Since the location of the XT Series is not fixed, the ports' source and destination differ depending on your XT Series topology.

There are two main deployment topologies for the XT Series, each with optional additional components:
• XT Series as an endpoint (standard topology)
• XT Series with Avaya XT Desktop Server (Avaya XT Series SMB Edition)

Typically, XT Series endpoints connect to a conference managed by Avaya Equinox Management and hosted on the Avaya Equinox Media Server/MCU.

Figure 1 - Standard topology for Avaya XT Series

In contrast, in the Avaya XT Series SMB Edition topology, Avaya Desktop Clients join the conference via Avaya XT Desktop Server (XTD), located in the DMZ. The Desktop Server then connects to an XT Series endpoint with built-in MCU located inside the enterprise. External and internal XT Series endpoints connect directly to the XT Series endpoint with built-in MCU.

Figure 2 - Avaya XT Series SMB Edition topology

In addition, when Avaya PathFinder or Avaya SBCE is used, it provides a complete solution for H.323 and SIP deployments, enabling secure connectivity between enterprise networks and remote sites.

In each of the topologies described above, the XT Series endpoints can be located either inside or outside the enterprise. You need to open different ports depending on the topology and the location of the endpoints. The source for a port is the sender of data packets, and the destination is the receiver. There are two types of ports which require firewall rules:
• Ports which require bidirectional rules: they allow the XT Series to send and receive data packets on the same port. The initiator of the traffic is the source.
• Ports which require unidirectional rules: they allow the XT Series to either initiate communication or receive data packets. The initiator of the traffic is the source.

For each port, you must designate it as inbound or outbound relative to the firewall. A port is inbound if its source is sending to a destination protected by the firewall. A port is outbound if its source is protected by the firewall. If the same port is both outbound and inbound for the XT, it requires a bidirectional opening rule on the firewall.

Figure 3 - Inbound and outbound ports for the XT Series
Important: On stateful firewalls, ports are left open to response data for an allocated period of time after the initial request. For unidirectional ports, this response is the only data allowed through in the opposite direction. On bidirectional ports, data can be initiated and sent through in both directions.

3. Opening Ports for Spaces Connectivity

The XT Series devices need to connect to Spaces Meetings through SIP (TCP/TLS), in addition to the standard connection to the Spaces Meetings backend over HTTPS/WSS. Outgoing ports to the Spaces backend, SIP and Media Server must be open in the local NAT/FW if they are blocked. TLS traffic is used for both HTTPS and WSS; any TLS inspection should support these protocols or have an exception for Spaces' hosts.

Check that a device inside the company can connect to:
• spaces.avayacloud.com (HTTPS + WSS, 443)
• spaces.sip.mpaas.avayacloud.com (TCP/TLS 5061) (CU 360 App)
• UDP 3000-4999 for these addresses:
  35.227.0.176/29
  35.243.1.0/29
  35.192.193.192/27
  34.90.202.88/29
  34.90.54.64/27
  35.240.211.240/29
  34.87.164.64/27
  34.93.186.64/27
  34.89.118.64/27

See also https://spaces.avayacloud.com/developers/docs/guides/network_requirements.
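The Spaces requirement above is an egress allowlist: two TCP/TLS destinations by hostname and a UDP media port range towards a fixed set of address blocks. The following script is an added example, not Avaya code or part of this document; it encodes that list, checks observed flows against it (for instance flows pulled from proxy or firewall logs to find what a NAT/FW is still blocking, or what is leaving the network outside the requirement), and renders nftables-style rule bodies for the UDP media blocks. The `Flow` type, the sample flow records and the choice of nftables syntax are constructed for the example; the hostnames, ports and CIDR blocks are the ones listed in section 3.

```python
"""Egress allowlist check for the Spaces connectivity requirement of section 3.

Added example, not Avaya code. Hostnames, ports and CIDR blocks are those
listed in section 3; the flow records are constructed sample data, as they
might be pulled from proxy/DNS logs (TCP, by hostname) or firewall logs
(UDP media, by destination IP).
"""
import ipaddress
from typing import List, NamedTuple

# TCP/TLS destinations (hostname, port) from section 3.
SPACES_TCP_HOSTS = frozenset({
    ("spaces.avayacloud.com", 443),             # Spaces backend: HTTPS + WSS
    ("spaces.sip.mpaas.avayacloud.com", 5061),  # SIP over TCP/TLS (CU 360 App)
})

# UDP media: ports 3000-4999 towards the listed address blocks.
SPACES_MEDIA_PORTS = range(3000, 5000)
SPACES_MEDIA_NETS = tuple(ipaddress.ip_network(cidr) for cidr in (
    "35.227.0.176/29", "35.243.1.0/29", "35.192.193.192/27",
    "34.90.202.88/29", "34.90.54.64/27", "35.240.211.240/29",
    "34.87.164.64/27", "34.93.186.64/27", "34.89.118.64/27",
))


class Flow(NamedTuple):
    proto: str      # "tcp" or "udp"
    dst: str        # hostname (TCP, from DNS/proxy logs) or IP address (UDP)
    dst_port: int


def flow_permitted(flow: Flow) -> bool:
    """True if the flow is one the Spaces requirement says must be reachable."""
    proto = flow.proto.lower()
    if proto == "tcp":
        return (flow.dst.lower().rstrip("."), flow.dst_port) in SPACES_TCP_HOSTS
    if proto == "udp":
        try:
            addr = ipaddress.ip_address(flow.dst)
        except ValueError:
            return False  # media destinations are address blocks, not names
        return (flow.dst_port in SPACES_MEDIA_PORTS
                and any(addr in net for net in SPACES_MEDIA_NETS))
    return False


def audit_flows(flows: List[Flow]) -> List[Flow]:
    """Return the flows that fall outside the Spaces requirement."""
    return [f for f in flows if not flow_permitted(f)]


def nft_media_rules() -> List[str]:
    """nftables rule bodies for the UDP media blocks; the reader's own egress
    chain name is not assumed here, so only the match/verdict part is emitted."""
    lo, hi = SPACES_MEDIA_PORTS.start, SPACES_MEDIA_PORTS.stop - 1
    return [f"ip daddr {net} udp dport {lo}-{hi} accept" for net in SPACES_MEDIA_NETS]


# Constructed sample flows: the first four satisfy the requirement, the last
# three do not (address just past a /29, port outside 3000-4999, plain HTTP).
SAMPLE_FLOWS = [
    Flow("tcp", "spaces.avayacloud.com", 443),
    Flow("tcp", "spaces.sip.mpaas.avayacloud.com", 5061),
    Flow("udp", "35.227.0.178", 3500),      # inside 35.227.0.176/29
    Flow("udp", "34.90.54.90", 4999),       # inside 34.90.54.64/27, last port of the range
    Flow("udp", "35.227.0.184", 3500),      # one address past 35.227.0.176/29
    Flow("udp", "35.192.193.200", 5000),    # right block, port outside the range
    Flow("tcp", "spaces.avayacloud.com", 80),
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print("outside the Spaces requirement:", f)
    print("\n".join(nft_media_rules()))
```

Run against real flow records, the list returned by `audit_flows` is what needs either an allowlist entry or an explanation; the TLS inspection exception mentioned above applies to the two hostnames in `SPACES_TCP_HOSTS`.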
4. Port Usage Tables

4.1 Port Usage Table Heading Definitions

XT Series endpoints need to use a series of UDP/TCP ports to communicate over a network with other audio/video endpoints in SIP/H.323 calls, or with other network elements, companion applications or entities in the Avaya Solution Deployment. For the purpose of this document, we use the following terms.

Firewall: Network entity blocking TCP/UDP traffic to a specific port. If the traffic is directed to a destination protected by the firewall, the port is inbound (X). A firewall can also block traffic to outbound ports (Y), when the connection is initiated by a source that is protected by the firewall. If the XT endpoint or the element with which the XT should communicate is protected by a firewall, rules must be applied in the firewall to allow incoming UDP/TCP traffic to the protected element. A rule establishes that a port must be open in the firewall to allow traffic directed towards that port.

Source: Entity sending UDP packets to the destination port range or connecting to a TCP port as a client.

Port Range: Specifies the TCP/IP/UDP port or port range.

Protocol: Specifies the protocol used by the port or port range.

Destination: Specifies the recipient of the traffic.

Functionality: Specifies the function of the port or port range.

Result of Blocking Port: Specifies the system limitations that occur when this port or port range is blocked by a firewall.

Required: Specifies whether opening this port or port range is mandatory, recommended, or optional, relative to the standard usage of the product. To obtain the functionality described for a particular port or port range, it is mandatory to open that port or port range.
4.2 Port Table

Below is the table with the port usage for this product. It details the ports used by the destinations to receive UDP/TCP data sent by the source. Response data, if any, are sent to the port specified by the source in the request, or to the same port used to receive (this is common for UDP). Response traffic over a TCP socket is never blocked. Stateful firewalls are usually able to allow response TCP and UDP traffic to flow back for a limited amount of time (usually hours for TCP, minutes or less for UDP).

Unless a source (client) explicitly requests a specific port number for a TCP or UDP socket connection, the source port number used is an ephemeral port number. Ephemeral ports are temporary ports assigned by the client machine's IP stack, and are assigned from a designated range of ports for this purpose. When the connection terminates, the ephemeral port is available for reuse, although most IP stacks won't reuse that port number until the entire pool of ephemeral ports has been used. So, if the client program reconnects, it will be assigned a different ephemeral port number for its side of the new connection. Similarly, for UDP/IP, when a datagram is sent by a client from an unbound port number, an ephemeral port number is assigned automatically so the receiving end can reply to the sender. The XT uses ephemeral source ports in the range 32768-61000.

Table 1 - Ports for XT Series Management on Ethernet Interfaces (GLAN1, GLAN2)

| Source | Dest. Port Range | Protocol (Type) | Destination | Functionality | Result of Blocking Port on Firewall | Required | Notes |
|---|---|---|---|---|---|---|---|
| XT SDK Client (Crestron/Extron) | 22 | XT AT Commands using SSH (TCP) | XT | Uses XT SDK API over SSH for Remote Management | SDK Client cannot manage XT over SSH | Mandatory if using an SSH SDK client to manage the XT | 8.3.2.5xx |
| Web client (HTTP) | 80 | HTTP (TCP) | XT | Remotely performs management tasks via the XT Web user interface | A web client cannot access the XT web server using HTTP | Recommended to access XT via a Web Browser using HTTP | |
| Avaya Desktop Client | 80 | HTTP | XT | Manual activation of Screen/Mobile Link | Screen/Mobile Link cannot be activated manually by an Avaya Desktop Client | Recommended | 8.3.2.2xx |
| Scopia Management 8.3.x / SNMP Manager Station | 161 | SNMP (UDP) | XT | Checks the system status | A management entity cannot check the status of the XT via SNMP | Mandatory if using Scopia Management 8.3.x to manage the XT with SNMP. No longer needed with Avaya Equinox Management 9.0 | No longer needed with Mgmt 9.0 in Cloud Mode |
| Web client (HTTPS) | 443 | HTTPS (TCP) | XT | Remotely performs management tasks via the XT Web user interface | A web client cannot access the XT web server using HTTPS | Recommended to access XT via a Web Browser using HTTPS | |
| Avaya Desktop Client | 443 | HTTPS | XT | Manual activation of Screen/Mobile Link | Screen/Mobile Link cannot be activated manually by an Avaya Desktop Client | Recommended | 8.3.2.2xx |
| RTSP Client | 554 | RTSP | XT | RTSP streaming | XT cannot act as an RTSP server | Mandatory if using XT as an RTSP server | 9.2.3 |
| XT Scopia Desktop Server (XTD) | 3336, 3337 | XTD XML API (TCP) | XT | Sends requests and receives information about XT status | XTD clients cannot connect to XT | Mandatory if using XTD | |
| Avaya Collaboration Control App (iOS/Android) | 3338 | XT XML API (TCP) | XT | Sends GET/SET/ACTIONS requests to XT | The control app cannot connect to XT | Mandatory if using a mobile control app | |
| Avaya Collaboration Control App (iOS/Android) | 3339 | XT HINTS (TCP) | XT | Receives indications of system status changes | The control app cannot align its status to reflect XT status | Mandatory if using a mobile control app | |
| Equinox Management (iView) | 3341 | SM XML API (TCP) | XT | Sends notifications of changes in Roster/Calendar | XT cannot update the list of meetings scheduled for that day, the list of participants for meetings, or any meeting updates | Recommended for Calendar/Roster functionalities | No longer needed with 9.0 in Cloud Mode |
| XT | 5222 | XMPP (TCP) | Avaya Aura, Avaya one-X portal for IPO, XMPP Server | XMPP Presence | XT presence status cannot be communicated to the XMPP server. XT cannot see the presence status of other entities | Recommended | 9.0 |
| XT Signed Software Upgrade App | 55090 | XT Signed Software Upgrade (TCP) | XT | Upgrades the XT software with signed packages (only 9.0 or higher) | XT software cannot be upgraded with a signed package by Equinox Management (local mode) or a standalone XT SW upgrade application | Mandatory to upgrade XT software remotely with SM mode=local or with the standalone app | |
| Equinox Management (iView) / XT Unsigned Software Upgrade App | 55099 | XT Software Upgrade (TCP) | XT | Upgrades the XT software | XT software cannot be upgraded with an unsigned package by Equinox Management (local mode) or a standalone XT SW upgrade application | Mandatory to upgrade XT software remotely with SM mode=local or with the standalone app | |
| Equinox Management (iView) / XT SDK Client (Crestron/Extron) | 55003 | XT AT Commands (TCP) | XT | Uses XT SDK API for Remote Management | Equinox Management/Client cannot manage XT | Mandatory if using Equinox Management to manage the XT in mode=local; Mandatory if using a third-party device to control XT | |
| XT PC Control (PC/Mac App for XTE) | 55000 | TCP | XT | Control XT by PC/Mac | XT PC Control app cannot manage XTE240 | Mandatory if using the XT PC Control application to control XT using mouse/keyboard | |
| XT PC Control (PC/Mac App for XTE) | 55001 | UDP | XT | Control XT by PC/Mac | XT PC Control app cannot manage XTE240 | Mandatory if using the XT PC Control application to control XT using mouse/keyboard | |
| Telnet Client | 60123 | XT CLI (TCP) | XT | Accesses XT console (CLI) | XT proprietary console application (CLI) cannot be accessed via Telnet | Optional | |
| XT | 21 | FTP, SFTP (TCP) | FTP, SFTP Server | Sends files to a file server (passive mode); additional ports on the FTP server must be opened. Receives update SW bundle from OTA server | XT cannot send/receive files to/from a file transfer server | Optional for sending files to a server; Mandatory for OTA updates | 9.0.0; 9.2.2 (OTA) |
| XT | 53 | DNS (UDP) | DNS Server | Resolve a DNS address | XT cannot resolve a DNS address | Mandatory | |
| XT | 80 | HTTP (TCP) | Web Servers on the Internet | Performs NAT auto-discovery and geo-localization | XT cannot perform NAT auto-discovery and geo-localization | Recommended | |
| XT | 80 | HTTP (TCP) | SBCE | Mobile Link | Mobile Link cannot be activated by Desktop Client | Recommended | 8.3.2.5xx |
| XT | 80/443 | HTTP(S) (TCP) | Web Collab Server | Web Collaboration | XT cannot join web collab session | Mandatory to support Web Collab | 9.0.0 |
| XT | 80/443 | HTTP(S) (TCP) | EWS | Exchange Web Server | XT cannot retrieve calendar items | Mandatory to support EWS | 9.2.0 |
| XT | 443 | HTTPS (wss) (TCP) | Spaces Backend | Spaces Server | XT cannot connect to Spaces | Mandatory to support Spaces | 9.2.2 |
| XT | 443 | HTTPS (wss) (TCP) | Conf. Mgmt | Cloud connection and provisioning (SXMP) | Mgmt in cloud mode cannot control XT | Mandatory to support Mgmt with cloud mode | New in 9.0 |
| XT | 443 | HTTPS (wss) (TCP) | Provisioning Servers / OTA server | Autoprovisioning; OTA Updates | XT cannot connect to Avaya or other supported auto-provisioning servers. XT cannot retrieve info about OTA FW updates | Mandatory to support auto-provisioning servers; Mandatory for OTA updates | 9.1; 9.2.2 (OTA) |
| XT | 123 | SNTP (UDP) | SNTP Server | Gets the Internet UTC time from a server | XT cannot get the Internet UTC time | Recommended | |
| XT | 162 | SNMP (UDP) | Scopia Manager / SNMP Management Station | Sends SNMP Trap Events | XT cannot send SNMP traps to a Management entity | Mandatory if using Equinox Management to manage the XT | |
| XT | 389 | LDAP (TCP) | Equinox Manager / LDAP Directory | Retrieves contacts from LDAP database | XT cannot retrieve contacts from remote directory (Equinox Management or XT) | Mandatory if using remote directory | |
| XT | 443 | HTTPS | SBCE | Mobile Link | Mobile Link cannot be activated by a Desktop Client | Recommended | 8.3.2.5xx |
| XT | 443 | HTTPS (wss) | Web Collab Server | Web Collaboration | XT cannot join web collab session | Mandatory to support Web Collab | 9.0.0 |
| XT | 1718 | H.225.0/RAS (UDP) | Multicast IP address 224.0.0.41 ("all GK") | "H.323 Gatekeeper Automatic Discovery" procedure | XT cannot automatically discover a gatekeeper with which to register (only manual configuration available) | Optional | |
| XT (source & dest) | 1719 | H.225.0/RAS (UDP) | H.323 GK | H.323 call signaling to a GK | XT cannot use the services of a gatekeeper | Recommended | |
| XT/H.323 Endpoint | 1720 | H.225.0/Q.931 | XT/H.323 EP | H.323 call signaling (Q.931) | XT cannot establish H.323 calls | Mandatory to support H.323 calls | |
| XT | 3336 | SM XML API (TCP) | Equinox Manager | XT requests from SM the list of scheduled meetings or the list of participants in the current meeting | XT cannot receive the list of meetings scheduled for that day or the list of participants for the current meeting | Recommended for Calendar/Roster functionalities | No longer needed with 9.0 in Cloud Mode |
| XT/H.323 Endpoint (source) | 3230-3250* | H.225.0/Q.931 and H.245 (TCP) | XT/H.323 EP (if XT, same port range) | H.323 call control signaling (Q.931) and media control signaling (H.245) on TCP | Cannot connect H.323 calls | Mandatory to support H.323 calls | |
| XT/SIP Endpoint (source) | 3230-3250* | SIP (TCP) | XT/SIP EP (if XT, same port range) | SIP (TCP) call signaling and BFCP signaling transport | Cannot connect SIP calls on TCP | Mandatory to support SIP calls on TCP | |
| XT/SIP or H.323 Endpoint (source) | 3230-3313* | RTP and RTCP (UDP) | XT/SIP or H.323 EP (if XT, same port range) | H.323 and SIP media (audio, video, H.224/data RTP) and media control (RTCP) | No media exchanged in the H.323 or SIP call | Mandatory to support H.323 calls and SIP calls | |
| XT/SIP | 3000-4999 | RTP and RTCP (UDP) | Spaces Server | See Opening Ports for Spaces Connectivity | No call to SIP Spaces Media servers | Mandatory to support Spaces calls | 9.2.2 |
| XT | 3478-3479 | STUN (UDP) | STUN Server | Contact the STUN Server | Cannot discover the presence of a firewall or NAT (only manual configuration available) | Optional | |
| XT/SIP Endpoint | 5060 | SIP (TCP) | XT/SIP EP | SIP call signaling | Cannot connect SIP calls over TCP or TLS over TCP | Mandatory to support SIP calls on TCP/TLS over TCP | |
| XT/SIP Endpoint (source and dest) | 5060 | SIP (UDP) | XT/SIP EP | SIP call signaling | Cannot connect SIP calls over UDP | Mandatory to support SIP calls on UDP | |
| XT/SIP Endpoint | 5061 | SIP (TCP/TLS) | XT/SIP EP; Spaces Media Server | SIP call signaling for TLS | Cannot connect SIP calls over TCP for TLS. Cannot connect to Spaces | Mandatory to support SIP calls on TCP for TLS or connection to Spaces | |
| XT/SIP Endpoint (if XT, same range) | 5070-5077* | BFCP (TCP) | XT/SIP EP (if XT, same range) | SIP content (presentation) video signaling | No SIP content video available | Mandatory to support content video in SIP calls | |
| XT | 8554 | RTSP (TCP) | Avaya Desktop Client | Screen Link | XT cannot receive shared desktop content from Avaya Client | Recommended | 8.3.2.5xx |
| XT | 1935 | RTMP (TCP) | RTMP Servers | RTMP streaming/livecast | XT cannot stream to RTMP servers | Mandatory to send streaming content to RTMP Servers | 9.2.0 |
| XT | 443 | RTMPS | RTMP Servers | RTMPS streaming/livecast | XT cannot stream to RTMPS servers | Mandatory to send streaming content to RTMPS Servers | 9.2.0 |

* The maximum port range is specified. The port range actually used could be smaller than the specified one, depending on the available license and active settings. Check the XT UI (Networks > Preferences > Dynamic ports > Manual mode) for the range in use.
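Reading the table requires holding three rules in mind at once: the Source column is the socket initiator, a unidirectional row admits only replies in the other direction, and a stateful firewall keeps that reply path open for a bounded time (hours for TCP, minutes or less for UDP). The toy evaluator below is an added example, not Avaya code or part of this document; it models those semantics over three rows of the table (XT to an SNTP server on UDP 123, a web client to the XT on TCP 443, and SIP over UDP 5060 marked "source and dest") and replays a constructed packet trace through them. The role names, the packet sequence and the window lengths in `RETURN_WINDOW` are constructed for illustration; the ephemeral source-port range 32768-61000 is the one stated in section 4.2.

```python
"""Toy model of the firewall rule semantics used by this port matrix.

Added example, not Avaya code. It models the unidirectional/bidirectional
rules of section 2, the stateful return-traffic window described in section
4.2 (hours for TCP, minutes or less for UDP; the exact values below are
illustrative) and the XT ephemeral source-port range. The roles "xt", "ntp",
"sipep" and "webclient" and the packet trace are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

XT_EPHEMERAL = range(32768, 61001)  # source ports the XT picks for its own connections

# Illustrative return-traffic windows in seconds (constructed, not Avaya values).
RETURN_WINDOW = {"tcp": 3600.0, "udp": 30.0}


@dataclass(frozen=True)
class Rule:
    src: str                      # socket initiator, as in the Source column
    dst: str                      # recipient, as in the Destination column
    proto: str                    # "tcp" or "udp"
    ports: range                  # destination port range
    bidirectional: bool = False   # either side may initiate on this port


@dataclass(frozen=True)
class Packet:
    t: float                      # seconds since the start of the trace
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def uses_xt_ephemeral_port(sport: int) -> bool:
    """True if a source port is one the XT would pick for an outgoing connection."""
    return sport in XT_EPHEMERAL


class StatefulFirewall:
    """Allows a packet if it matches a rule or is the reply to a tracked flow."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        # (src, dst, proto, sport, dport) -> time at which the return window closes
        self.state: Dict[Tuple[str, str, str, int, int], float] = {}

    def _rule_allows(self, p: Packet) -> bool:
        for r in self.rules:
            if r.proto != p.proto or p.dport not in r.ports:
                continue
            if r.src == p.src and r.dst == p.dst:
                return True       # initiator is the row's Source
            if r.bidirectional and r.src == p.dst and r.dst == p.src:
                return True       # other side initiating on a bidirectional port
        return False

    def _expire(self, now: float) -> None:
        self.state = {k: v for k, v in self.state.items() if v > now}

    def allow(self, p: Packet) -> bool:
        self._expire(p.t)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if reverse in self.state:  # reply to a flow that was let through
            self.state[reverse] = p.t + RETURN_WINDOW[p.proto]
            return True
        if self._rule_allows(p):
            self.state[(p.src, p.dst, p.proto, p.sport, p.dport)] = p.t + RETURN_WINDOW[p.proto]
            return True
        return False


def demo() -> List[bool]:
    """Replay a constructed trace; returns one allow/deny verdict per packet."""
    fw = StatefulFirewall([
        Rule("xt", "ntp", "udp", range(123, 124)),                          # XT -> SNTP server
        Rule("webclient", "xt", "tcp", range(443, 444)),                    # web client -> XT HTTPS
        Rule("xt", "sipep", "udp", range(5060, 5061), bidirectional=True),  # SIP/UDP, source and dest
    ])
    trace = [
        Packet(0.0, "xt", "ntp", "udp", 40000, 123),            # SNTP request: rule
        Packet(0.5, "sipep", "xt", "udp", 5060, 5060),          # remote SIP endpoint initiates: bidirectional rule
        Packet(0.5, "webclient", "xt", "tcp", 50000, 443),      # HTTPS to the XT web UI: rule
        Packet(1.0, "ntp", "xt", "udp", 123, 40000),            # SNTP reply inside the UDP window: state
        Packet(2.0, "ntp", "xt", "udp", 123, 40001),            # unsolicited datagram to the XT: denied
        Packet(100.0, "ntp", "xt", "udp", 123, 40000),          # late reply, UDP window closed: denied
        Packet(1800.0, "xt", "webclient", "tcp", 443, 50000),   # HTTPS response inside the TCP window: state
        Packet(1801.0, "xt", "webclient", "tcp", 40002, 443),   # XT opening its own connection to the client: denied
    ]
    return [fw.allow(p) for p in trace]


if __name__ == "__main__":
    print(demo())
```

The fifth and eighth packets are the ones the matrix is written to exclude: a unidirectional row never admits a fresh connection from the Destination side, and a reply is only admitted while its state entry is alive, which is why UDP rows with long idle gaps behave differently from TCP rows on the same firewall.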
4.3 Port Table Changes

9.2.0 - Added info for Avaya Collaboration Control (ports 3338, 3339)
9.2.0 - Added info for EWS
9.2.2 - Added info for Spaces and RTMP/S
9.2.3 - Added info for RTSP
9.2.4 - Added info for OTA update

5. Port Usage Diagram
5.1 Port Usage Diagram Changes

• Added Mobile Link and Screen Link ports in 8.3.2
• Added AT commands over SSH in 8.3.2
• Added Presence port in 8.5/9.0
• Added Cloud mode for Avaya Equinox Management 9.0, tunneling several TCP connections to/from different ports in a single secure web socket connection for managed endpoints. All the ports marked as "No longer needed with cloud mode" refer to Avaya Equinox Management functionalities for a provisioned XT endpoint, added in 8.5/9.0.
• Added Signed Software upgrade TCP port 55090, optional, in 8.5/9.0.
• Added SFTP port for file transfer of recorded files in 8.5/9.0. Corrected port used for FTP (21, not 69)
• Added 80/443 port to connect to WCS server (standalone or as part of the Avaya Equinox Media Server) in 9.0 for Web Collaboration
• Added 443 port for cloud provisioning (default for Equinox Management, can be configured)
• Extended UDP BFCP port range and added note
• Added info about ephemeral source ports
• Clarified some port ranges
• Added icon for Avaya Collaboration Control (ports 3338, 3339)
• Added EWS
• Added RTMP
• Added support for Spaces
• Added RTSP
Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. For example, your PC may have multiple applications simultaneously receiving information: email using destination TCP port 25, a browser using destination TCP port 443 and an SSH session using destination TCP port 22. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Each of the mini-streams is directed to the correct high-level application identified by the port numbers.

Every IP device has incoming (Ingress) and outgoing (Egress) data streams. Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket. Therefore, each data stream is uniquely identified by two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination.

Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact using the known protocol associated with the port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Types

Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic Ports (sometimes called Private Ports). The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers.

Well Known Ports

Well Known Ports are those numbered from 0 through 1023. For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well known port 25 is waiting for an email session, etc. These ports are tied to a well understood application and range from 0 to 1023. In UNIX and Linux operating systems, only root may open or close a well-known port. Well Known Ports are also commonly referred to as "privileged ports".

Registered Ports

Registered Ports are those numbered from 1024 through 49151. Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include: 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248 and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535. Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152 – 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow, or conversation, requires two sockets – one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address.

Data Flow 1: 172.19.19.14:1234 - 10.1.2.3:2345. Two different port numbers and IP addresses; this is a valid and typical socket pair.
Data Flow 2: 172.19.19.14:1235 - 10.1.2.3:2345. Same IP addresses, and the same port number on the second IP address, as data flow 1, but since the port number on the first socket differs, the data flow is unique.
Data Flow 3: 172.19.19.14:1234 - 10.1.2.4:2345. If one IP address octet changes, or one port number changes, the data flow is unique.

Socket Example Diagram
Client HTTP-Get: Source 192.168.1.10:1369 to Destination 10.10.10.47:80 (Web Server)
Web Server TCP-info: Source 10.10.10.47:80 to Destination 192.168.1.10:1369 (Client)
Figure 1. Socket example showing ingress and egress data flows from a PC to a web server

The client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream from the server has the source and destination information reversed.
Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACL) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALG) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet, up through the application layer, is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [1].

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers and application types and sub-types. This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the preceding matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns. Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[1] The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.