tcp and udp port usage guide for cisco unified ... · 12 ol-27064-01 port descriptions. from...

TCP and UDP Port Usage Guide for Cisco Unified CommunicationsManager, Release 9.0(1)First Published: July 18, 2012

Last Modified: July 18, 2012

Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAhttp://www.cisco.comTel: 408 526-4000 800 553-NETS (6387)Fax: 408 527-0883

Text Part Number: OL-27064-01

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnershiprelationship between Cisco and any other company. (1110R)

© 2012 Cisco Systems, Inc. All rights reserved.

http://www.cisco.com/go/trademarks

http://www.cisco.com/go/trademarks

C O N T E N T S

P r e f a c e Preface v

Purpose v

Organization v

Related documentation vi

Obtain documentation and support vi

Cisco product security overview vi

P A R T I Cisco Unified CM TCP and UDP port usage 1

C H A P T E R 1 Cisco Unified Communications Manager TCP and UDP port usage 3

Port usage for release 9.0(1) 3

Port descriptions 4

References 17

Firewall application inspection guides 17

IETF TCP/UDP port assignment list 17

IP telephony configuration and port utilization guides 17

VMware port assignment list 17

P A R T I I IM and Presence Service TCP and UDP port usage 19

C H A P T E R 2 Port Usage Information for the IM and Presence Service Release 9.0 21

Port usage overview 21

Information collated in table 21

IM and Presence service port list 22

Glossary 35

TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1) OL-27064-01 iii

TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1)iv OL-27064-01

Contents

Preface

• Purpose, page v

• Organization, page v

• Related documentation, page vi

• Obtain documentation and support, page vi

• Cisco product security overview, page vi

PurposeThis document lists the TCP and UDP ports that the Cisco Unified Communications Manager release 9.0(1)and the IM and Presence Service Release 9.x use for intracluster connections and communication with externalapplications or devices. Important information about the configuration of firewalls, Access Control Lists(ACLs), and quality of service (QoS) on a network when an IP Communications solution is implemented isalso provided.

OrganizationThe following table shows the organization for this guide:

Table 1: Organization of TCP and Port Usage Guide for Cisco Unified Communications Manager

DescriptionPart

“Cisco Unified CM TCP and UDP port usage”

Provides information about TCP and port usage settings for CiscoUnified CommunicationsManagerrelease 9.0(1).

Part 1

“IM and Presence Service TCP and UDP port usage”

Provides information about TCP and port usage settings for the IM and Presence Service.

Part 2

TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1) OL-27064-01 v

Related documentationCisco strongly recommends that you review the following documents for more details about installing andmaintaining Cisco Unified Communications Manager and the IM and Presence Service.

• For the latest Cisco Unified Communications Manager and IM and Presence Service requirements, seethe Release Notes for Cisco Unified Communications Manager.

• Installing Cisco Unified Communications Manager

This document describes procedures to follow when installing Cisco Unified CommunicationsManagerand the IM and Presence Service.

• Upgrade Guide for Cisco Unified Communications Manager

This document describes procedures to followwhen upgrading Cisco Unified CommunicationsManagerand the IM and Presence Service.

• Cisco Unified Communications Operating System Administration Guide

This document provides information about using the Cisco Unified Communications Platform graphicaluser interface (GUI) to perform many common system- and network-related tasks.

• Deployment Guide for IM and Presence Service on Cisco Unified Communications Manager

This document provides an overview of the configuration process for the IM and Presence Service.

• Cisco Unified Serviceability Administration Guide

This document provides descriptions and procedures for configuring alarms, traces, SNMP, and so on,through Cisco Unified Serviceability. It also describes how to activate, start, and stop feature and networkservices.

• Disaster Recovery System Administration Guide for Cisco Unified Communications Manager

This document provides an overview of the Disaster Recovery System and provides procedures forperforming various backup-related tasks and restore-related tasks.

All related documentation can be found at the following URL: http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html

Obtain documentation and supportFor information on obtaining documentation, obtaining support, providing documentation feedback, securityguidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New inCisco Product Documentation, which also lists all new and revised Cisco technical documentation, at

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Cisco product security overviewThis product contains cryptographic features and is subject to United States and local country laws governingimport, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authorityto import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for

TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1)vi OL-27064-01

PrefaceRelated documentation

http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html

http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

compliance with U.S. and local country laws. By using this product you agree to comply with applicable lawsand regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

Further information regarding U.S. export regulations may be found at

http://www.access.gpo.gov/bis/ear/ear_data.html

TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1) OL-27064-01 vii

PrefaceCisco product security overview

http://www.access.gpo.gov/bis/ear/ear_data.html

TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1)viii OL-27064-01

PrefaceCisco product security overview

P A R T ICisco Unified CM TCP and UDP port usage• Cisco Unified Communications Manager TCP and UDP port usage, page 3

C H A P T E R 1Cisco Unified Communications Manager TCP andUDP port usage

This chapter provides a list of the TCP and UDP ports that Cisco Unified Communications Manager release9.0(1) uses for intracluster connections and for communication with external applications or devices. Youwill also find important information for the configuration of firewalls, Access Control Lists (ACLs), andquality of service (QoS) on a network when an IP Communications solution is implemented.

• Port usage for release 9.0(1), page 3

• Port descriptions, page 4

• References, page 17

Port usage for release 9.0(1)Cisco Unified Communications Manager TCP and UDP ports are organized into the following categories:

• Table 2: Intracluster Ports Between Cisco Unified Communications Manager Servers, on page 4

• Table 3: Common Service Ports, on page 7

• Table 4: Ports Between Cisco Unified Communications Manager and LDAP Directory, on page 10

• Table 5: Web Requests From CCMAdmin or CCMUser to Cisco Unified Communications Manager,on page 10

• Table 6: Web Requests From Cisco Unified Communications Manager to Phone, on page 11

• Table 7: Signaling, Media, and Other Communication Between Phones and Cisco UnifiedCommunications Manager, on page 11

• Table 8: Signaling, Media, and Other Communication Between Gateways and Cisco UnifiedCommunications Manager, on page 12

• Table 9: Communication Between Applications and Cisco Unified Communications Manager, on page14

• Table 10: Communication Between CTL Client and Firewalls, on page 16

• Table 11: Special Ports on HP Servers, on page 16

TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1) OL-27064-01 3

Cisco has not verified all possible configuration scenarios for these ports. If you are having configurationproblems using this list, contact Cisco technical support for assistance.

Note

Port references apply specifically to Cisco Unified Communications Manager Release 9.0(1). Some portschange from one release to another, and future releases may introduce new ports. Therefore, make sure thatyou are using the correct version of this document for the version of Cisco Unified Communications Managerthat is installed.

While virtually all protocols are bidirectional, directionality from the session originator perspective is presumed.In some cases, the administrator can manually change the default port numbers, though Cisco does notrecommend this as a best practice. Be aware that Cisco Unified CommunicationsManager opens several portsstrictly for internal use.

Installing Cisco Unified Communications Manager software automatically installs the following networkservices for serviceability and activates them by default. Refer to Table 2: Intracluster Ports Between CiscoUnified Communications Manager Servers, on page 4 for details:

• Cisco Log Partition Monitoring (To monitor and purge the common partition. This uses no customcommon port.)

• Cisco Trace Collection Service (TCTS port usage)

• Cisco RIS Data Collector (RIS server port usage)

• Cisco AMC Service (AMC port usage)

Configuration of firewalls, ACLs, or QoS will vary depending on topology, placement of telephony devicesand services relative to the placement of network security devices, and which applications and telephonyextensions are in use. Also, bear in mind that ACLs vary in format with different devices and versions.

You can also configureMulticastMusic on Hold (MOH) ports in Cisco Unified CommunicationsManager.Port values for multicast MOH are not provided because the administrator specifies the actual port values.

Note

The Ephemeral port range for the system is 32768 – 61000.Note

Port descriptionsTable 2: Intracluster Ports Between Cisco Unified Communications Manager Servers

PurposeDestination PortTo (Listener)From (Sender)

System logging service514 / UDPUnified CMEndpoint

TCP and UDP Port Usage Guide for Cisco Unified Communications Manager, Release 9.0(1)4 OL-27064-01

Port descriptions

http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html


Cisco AMC Service forRTMT performancemonitors, data collection,logging, and alerting

1090, 1099 / TCPRTMTUnified CM

Database connection(1501 / TCP is thesecondary connection)

1500, 1501 / TCPUnified CM (DB)Unified CM (DB)

CAR IDS DB. CAR IDSengine listens on waitingfor connection requestsfrom the clients.

1510 / TCPUnified CM (DB)Unified CM (DB)

CAR IDS DB. Analternate port used tobring up a secondinstance of CAR IDSduring upgrade.


Database replicationbetween nodes duringinstallation


Allows subscribers toreceive Cisco UnifiedCommunicationsManager database changenotification

2552 / TCPUnified CM (DB)Cisco Extended Functions(QRT)

Intraclustercommunication betweenCisco Extended Servicesfor Active/Backupdetermination

2551 / TCPUnified CMUnified CM

Real-time InformationServices (RIS) databaseserver

2555 / TCPUnified CM (RIS)Unified CM (RIS)

Real-time InformationServices (RIS) databaseclient for Cisco RIS

2556 / TCPUnified CM (RIS)Unified CM(RTMT/AMC/SOAP)

DRS Master Agent4040 / TCPUnified CM (DRS)Unified CM (DRS)

SOAP monitor5007 / TCPUnified CM (SOAP)Unified CM (Tomcat)


Port descriptions


Cisco Trace CollectionTool Service (TCTS) --the back end service forRTMT Trace and LogCentral (TLC)

Ephemeral / TCPUnified CM (TCTS)Unified CM (RTMT)

This port is used forcommunication betweenCisco Trace CollectionTool Service and CiscoTrace Collection servlet.

7000, 7001, 7002 / TCPUnified CM (TCTS)Unified CM (Tomcat)

Certificate Managerservice

7070 / TCPCertificate ManagerUnified CM

Client database changenotification

8001 / TCPUnified CM (CDLM)Unified CM (DB)

Intraclustercommunication service

8002 / TCPUnified CM (SDL)Unified CM (SDL)

Intraclustercommunication service(to CTI)

8003 / TCPUnified CM (SDL)Unified CM (SDL)

Intraclustercommunication betweenCisco UnifiedCommunicationsManager and CMIManager

8004 / TCPCMI ManagerUnified CM

Internal listening portused by Tomcat shutdownscripts

8005 / TCPUnified CM (Tomcat)Unified CM (Tomcat)

Communication betweenservers used fordiagnostic tests

8080 / TCPUnified CM (Tomcat)Unified CM (Tomcat)

Intracluster replication ofsystem data by IPSecCluster Manager

8500 / TCP and UDPUnified CM (IPSec)Unified CM (IPSec)

RIS Service Managerstatus request and reply

8888 - 8889 / TCPUnified CM (RIS)Unified CM (RIS)


Port descriptions


Intraclustercommunication betweenLBMs

9004 / TCPLocation BandwidthManager (LBM)

Location BandwidthManager (LBM)

Dialed Number Analyzer(DNA)

Port used by the serverthat handles DNAinitialization. JNIWrapperfunctions respond torequests that the DNAJava service sends.

30000 / TCPJNIWrapper serverUnified CM [DialedNumber Analyzer (DNA)initializing server]

Table 3: Common Service Ports


Internet Control MessageProtocol (ICMP) Thisprotocol number carriesecho-related traffic. Itdoes not constitute a portas indicated in the columnheading.

7Unified CMEndpoint

EndpointUnified CM

Secure FTP service, SSHaccess

22 / TCPEndpointUnified CM

Cisco UnifiedCommunicationsManager acting as a DNSserver or DNS client

Ciscorecommends thatCisco UnifiedCommunicationsManager not actas a DNS serverand that all IPtelephonyapplications andendpoints usestatic IPaddresses insteadof hostnames.

Note

Ephemeral / UDPUnified CM (DNSServer)

Endpoint

DNS ServerUnified CM


Port descriptions


Cisco UnifiedCommunicationsManager acting as aDHCP server

Cisco does notrecommendrunning DHCPserver on CiscoUnifiedCommunicationsManager.

Note

67 / UDPUnified CM (DHCPServer)

Endpoint

Cisco UnifiedCommunicationsManager acting as aDHCP client

Cisco does notrecommendrunning DHCPclient on CiscoUnifiedCommunicationsManager.Configure CiscoUnifiedCommunicationsManager withstatic IPaddressesinstead.)

Note

68 / UDPDHCP ServerUnified CM

Trivial File TransferProtocol (TFTP) serviceto phones and gateways

69, 6969, then Ephemeral/ UDP

Unified CMEndpoint or Gateway

Trivial File TransferProtocol (TFTP) betweenmaster and proxy servers.

HTTP service from theTFTP server to phonesand gateways.

6970 / TCPUnified CMEndpoint or Gateway

Network Time Protocol(NTP)

123 / UDPNTP ServerUnified CM

SNMP service response(requests frommanagement applications)

161 / UDPUnified CMSNMP Server


Port descriptions


SNMP traps162 / UDPSNMP trap destinationCUCM Server SNMPMaster Agent application

Native SNMP agentlistening port for SMUXsupport

199 / TCPUnified CMSNMP Server

DHCPv6. DHCP port forIPv6.

546 / UDPDHCP ServerUnified CM

Enhanced Location CACServiceability


Unified CMServiceability

Call Admission requestsand bandwidth deductions


Unified CM

Used for communicationbetween Master Agentand Native Agent toprocess Native agentMIBrequests

6161 / UDPUnified CMUnified CM

Used for communicationbetween Master Agentand Native Agent toforward notificationsgenerated from NativeAgent


Netdump server6666 / UDPUnified CMUnified CM

Centralized TFTP FileLocator Service

6970 / TCPAlternate TFTPCentralized TFTP

Used for communicationbetween SNMP MasterAgent and subagents


Cisco Discovery Protocol(CDP) agentcommunicates with CDPexecutable

7999 / TCPUnified CMSNMP Server

Service CRS requeststhrough the TAPSresiding on Cisco UnifiedCommunicationsManager



Port descriptions


Cisco UnifiedCommunicationsManager applicationssend out alarms to thisport through UDP. CiscoUnified CommunicationsManager MIB agentlistens on this port andgenerates SNMP traps perCisco UnifiedCommunicationsManager MIB definition.


Provide trunk-based SIPservices

EphemeralUnified CMUnified CM

Table 4: Ports Between Cisco Unified Communications Manager and LDAP Directory


Lightweight DirectoryAccess Protocol (LDAP)query to externaldirectory (ActiveDirectory, NetscapeDirectory)

Ephemeral/ TCPExternal DirectoryUnified CM

Unified CMExternal Directory

Table 5: Web Requests From CCMAdmin or CCMUser to Cisco Unified Communications Manager


Hypertext TransportProtocol (HTTP)

80, 8080 / TCPUnified CMBrowser

Hypertext TransportProtocol over SSL(HTTPS)

443, 8443 / TCPUnified CMBrowser

Log audit events from theCLI andWeb applications

2355, 2356 / TCPUnified CMBrowser or CLI


Port descriptions

Table 6: Web Requests From Cisco Unified Communications Manager to Phone


Hypertext TransportProtocol (HTTP)

80 / TCPPhoneUnified CM

• QRT

• RTMT

• Find and ListPhones page

• PhoneConfiguration page

Table 7: Signaling, Media, and Other Communication Between Phones and Cisco Unified Communications Manager


Trivial File TransferProtocol (TFTP) used todownload firmware andconfiguration files

69, then Ephemeral / UDPUnified CM (TFTP)Phone

Phone URLs for XMLapplications,authentication,directories, services, etc.You can configure theseports on a per-servicebasis.

8080 / TCPUnified CMPhone

Skinny Client ControlProtocol (SCCP)


Secure Skinny ClientControl Protocol(SCCPS)


Provide trust verificationservice to endpoints.


Certificate AuthorityProxy Function (CAPF)listening port for issuingLocally SignificantCertificates (LSCs) to IPphones

3804 / TCPUnified CM (CAPF)Phone


Port descriptions


Session InitiationProtocol (SIP) phone

5060 / TCP and UDPUnified CMPhone

PhoneUnified CM

Secure Session InitiationProtocol (SIPS) phone

5061 TCP and UDPUnified CMPhone

PhoneUnified CM

HTTP-based download offirmware andconfiguration files

6970 TCPUnified CM (TFTP)Phone

Real-Time Protocol(RTP), Secure Real-TimeProtocol (SRTP)

Cisco UnifiedCommunicationsManager onlyuses24576-32767although otherdevices use thefull range.

Note

16384 - 32767 / UDPPhoneIP VMS

IP VMSPhone

Table 8: Signaling, Media, and Other Communication Between Gateways and Cisco Unified Communications Manager


Generic RoutingEncapsulation (GRE),Encapsulating SecurityPayload (ESP),Authentication Header(AH). These protocolsnumbers carry encryptedIPSec traffic. They do notconstitute a port asindicated in the columnheading.

47, 50, 51Unified CMGateway

GatewayUnified CM

Internet Key Exchange(IKE) for IP Securityprotocol (IPSec)establishment

500 / UDPUnified CMGateway

GatewayUnified CM

Trivial File TransferProtocol (TFTP)

69, then Ephemeral / UDPUnified CM (TFTP)Gateway


Port descriptions


Port mapping service.Only used in the CIMEoff-path deploymentmodel.

1024-65535 / TCPCIME ASACUCM with CiscoIntercompany MediaEngine (CIME) trunk

Gatekeeper (H.225) RAS1719 / UDPUnified CMGatekeeper

H.225 signaling servicesfor H.323 gateways andIntercluster Trunk (ICT)

1720 / TCPUnified CMGateway

GatewayUnified CM

H.225 signaling serviceson gatekeeper-controlledtrunk

Ephemeral / TCPUnified CMGateway

GatewayUnified CM

H.245 signaling servicesfor establishing voice,video, and data

Ephemeral / TCPUnified CMGateway

GatewayUnified CM

Skinny Client ControlProtocol (SCCP)


Upgrade port for 6608gateways with CiscoUnified CMdeployments


Upgrade port for 6624gateways with CiscoUnified CMdeployments


Media Gateway ControlProtocol (MGCP)gateway control

2427 / UDPUnified CMGateway

Media Gateway ControlProtocol (MGCP)backhaul


These ports are used asphantom Real-TimeTransport Protocol (RTP)and Real-Time TransportControl Protocol (RTCP)ports for audio, video anddata channel when CiscoUnified CM does nothave ports for thesemedia.

4000 - 4005 / TCP----


Port descriptions


Session InitiationProtocol (SIP) gatewayand Intercluster Trunk(ICT)

5060 / TCP and UDPUnified CMGateway

GatewayUnified CM

Secure Session InitiationProtocol (SIPS) gatewayand Intercluster Trunk(ICT)

5061 / TCP and UDPUnified CMGateway

GatewayUnified CM

Real-Time Protocol(RTP), Secure Real-TimeProtocol (SRTP)

Cisco UnifiedCommunicationsManager onlyuses24576-32767although otherdevices use thefull range.

Note

16384 - 32767 / UDPUnified CMGateway

GatewayUnified CM

Table 9: Communication Between Applications and Cisco Unified Communications Manager


Certificate Trust List(CTL) provider listeningservice in Cisco UnifiedCommunicationsManager

2444 / TCPUnified CM CTLProvider

CTL Client

CTI application server2748 / TCPUnified CMCisco UnifiedCommunications App

TLS connection betweenCTI applications(JTAPI/TSP) andCTIManager

2749 / TCPUnified CMCisco UnifiedCommunications App

JTAPI application server2789 / TCPUnified CMCisco UnifiedCommunications App

Cisco UnifiedCommunicationsManager Assistant server(formerly IPMA)

2912 / TCPUnified CMUnified CM AssistantConsole


Port descriptions


Cisco UnifiedCommunicationsManager AttendantConsole (AC) JAVARMIRegistry server

1103 -1129 / TCPUnified CMUnified CM AttendantConsole

RMI server sends RMIcallback messages toclients on these ports.

1101 / TCPUnified CMUnified CM AttendantConsole

Attendant Console (AC)RMI server bind port --RMI server sends RMImessages on these ports.

1102 / TCPUnified CMUnified CM AttendantConsole

Cisco UnifiedCommunicationsManager AttendantConsole (AC) server linestate port receives pingand registration messagefrom, and sends line statesto, the attendant consoleserver.

3223 / UDPUnified CMUnified CM AttendantConsole

Cisco UnifiedCommunicationsManager AttendantConsole (AC) clientsregister with the ACserver for line and devicestate information.


Cisco UnifiedCommunicationsManager AttendantConsole (AC) clientsregister to the AC serverfor call control.


Multi-Service IOSRouterrunning EIGRP/SAFProtocol.

5050 / TCPIOS Router running SAFimage

Unified CM withSAF/CCD


Port descriptions


VAP protocol used tocommunicate to the CiscoIntercompany MediaEngine server.

5620 / TCP

Cisco recommends avalue of 5620 for thisport, but you can changethe value by executing theadd ime vapserver or setime vapserver port CLIcommand on the CiscoIME server.

Cisco IntercompanyMedia Engine (IME)Server

Unified CM

AXL / SOAP API forprogrammatic reads fromor writes to the CiscoUnified CommunicationsManager database thatthird parties such asbilling or telephonymanagement applicationsuse.

8443 / TCPUnified CMCisco UnifiedCommunications App

Table 10: Communication Between CTL Client and Firewalls


Certificate Trust List(CTL) provider listeningservice in an ASAfirewall

2444 / TCPTLS Proxy ServerCTL Client

Table 11: Special Ports on HP Servers


HTTP port to HP agent2301 / TCPHP SIMEndpoint

HTTPS port to HP agent2381 / TCPHP SIMEndpoint

COMPAQ ManagementAgent extension (cmaX)

25375, 25376, 25393 /UDP

Compaq ManagementAgent

Endpoint

HTTPS port to HP SIM50000 - 50004 / TCPHP SIMEndpoint


Port descriptions

References

Firewall application inspection guidesASA Series reference information


PIX 6.3 Application Inspection Configuration Guide

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/fixup.html

PIX 7.1 Application Inspection Configuration Guide

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/inspect.html

FWSM 3.1 Application Inspection Configuration Guide

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/inspct_f.html

IETF TCP/UDP port assignment listInternet Assigned Numbers Authority (IANA) IETF assigned Port List

http://www.iana.org/assignments/port-numbers

IP telephony configuration and port utilization guidesCisco CRS 4.0 (IP IVR and IPCC Express) Port Utilization Guide

http://www.cisco.com/en/US/products/sw/custcosw/ps1846/products_installation_and_configuration_guides_list.html

Port Utilization Guide for Cisco ICM/IPCC Enterprise and Hosted Editions


Cisco Unified Communications Manager Express Security Guide to Best Practices

http://www.cisco.com/en/US/netsol/ns340/ns394/ns165/ns391/networking_solutions_design_guidance09186a00801f8e30.html

Cisco Unity Express Security Guide to Best Practices

http://www.cisco.com/en/US/netsol/ns340/ns394/ns165/ns391/networking_solutions_design_guidance09186a00801f8e31.html#wp41149

VMware port assignment listTCP and UDP Ports for vCenter Server, ESX hosts, and Other Network Components Management Access


References


http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/fixup.html

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/inspect.html

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/inspct_f.html

http://www.iana.org/assignments/port-numbers









http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382


References

P A R T IIIM and Presence Service TCP and UDP portusage• Port Usage Information for the IM and Presence Service Release 9.0, page 21

C H A P T E R 2Port Usage Information for the IM and PresenceService Release 9.0

• Port usage overview, page 21

• Information collated in table, page 21

• IM and Presence service port list, page 22

Port usage overviewThis document provides a list of the TCP and UDP ports that the IM and Presence Service Release 9.x usesfor intracluster connections and for communications with external applications or devices. It provides importantinformation for the configuration of firewalls, Access Control Lists (ACLs), and quality of service (QoS) ona network when an IP Communications solution is implemented.

Cisco has not verified all possible configuration scenarios for these ports. If you are having configurationproblems using this list, contact Cisco technical support for assistance.

Note

While virtually all protocols are bidirectional, this document gives directionality from the session originatorperspective. In some cases, the administrator can manually change the default port numbers, though Ciscodoes not recommend this as a best practice. Be aware that the IM and Presence Service opens several portsstrictly for internal use.

Ports in this document apply specifically to the IM and Presence Service Release 9.x. Some ports change fromone release to another, and future releases may introduce new ports. Therefore, make sure that you are usingthe correct version of this document for the version of IM and Presence Service that is installed.

Configuration of firewalls, ACLs, or QoS will vary depending on topology, placement of devices and servicesrelative to the placement of network security devices, and which applications and telephony extensions arein use. Also, bear in mind that ACLs vary in format with different devices and versions.

Information collated in tableTable 1 defines the information collated in each of the tables in this document.


Table 12: Definition of Table Information

DescriptionTable Heading

The client sending requests to this portFrom

The client receiving requests on this portTo

A client or server application or processRole

Either a Session-layer protocol used for establishingand ending communications, or an Application-layerprotocol used for request and response transactions

Protocol

A Transport-layer protocol that is connection-oriented(TCP) or connectionless (UDP)

Transport Protocol

The port used for receiving requestsDestination / Listener

The port used for sending requestsSource / Sender

IM and Presence service port listThe following tables show the ports that the IM and Presence Service uses for intracluster and interclustertraffic.

Table 13: IM and Presence Service Release 9.x Ports - SIP Proxy Requests

RemarksSource /Sender

Destination/ Listener

TransportProtocol

ProtocolTo (Listener)From(Sender)

Default SIP Proxy UDPand TCP Listener

Ephemeral5060TCP/UDPSIPIM andPresence

--------------

SIP Gateway

SIP Gateway

--------------

IM andPresence

TLS ServerAuthentication listenerport

Ephemeral5061TLSSIPIM andPresence

SIP Gateway

TLS MutualAuthentication listenerport

Ephemeral5062TLSSIPIM andPresence

IM andPresence

Internal port. Localhosttraffic only.

Ephemeral5049UDP /TCP

SIPIM andPresence

IM andPresence


IM and Presence service port list



TransportProtocol


Used for HTTP requestsfrom the Config Agent toindicate a change inconfiguration.

Ephemeral8081TCPHTTPIM andPresence

IM andPresence

Default IM and PresenceHTTP Listener. Used forThird-Party Clients toconnect

Ephemeral8082TCPHTTPIM andPresence

Third-partyClient

Default IM and PresenceHTTPS Listener. Usedfor Third-Party Clients toconnect

Ephemeral8083TLS / TCPHTTPSIM andPresence

Third-partyClient

Table 14: IM and Presence Service Release 9.x Ports - Presence Engine Requests



TransportProtocol


Default SIP UDP/TCPListener port

Ephemeral5070UDP /TCP

SIPIM andPresence(PresenceEngine)

IM andPresence

Internal port. Localhosttraffic only. LiveBusmessaging port. The IMand Presence Serviceuses this port for clustercommunication.

Ephemeral50000UDPLivebusIM andPresence(PresenceEngine)

IM andPresence(PresenceEngine)

Table 15: IM and Presence Service Release 9.x Ports - Cisco Tomcat WebRequests



TransportProtocol


Used for web accessEphemeral8080TCPHTTPSIM andPresence

Browser

Provides database andserviceability access viaSOAP

Ephemeral8443TLS / TCPAXL /HTTPS

IM andPresence

Browser





TransportProtocol


Provides access to Webadministration


Browser

Provides access to Useroption pages


Browser

Provides access to CiscoUnified PersonalCommunicator, CiscoUnified MobilityAdvantage, andthird-party API clientsvia SOAP

Ephemeral8443TLS / TCPSOAPIM andPresence

Browser

Table 16: IM and Presence Service Release 9.x Ports - External Corporate Directory Requests



TransportProtocolProtocolTo (Listener)From

(Sender)

Allows the Directoryprotocol to integrate withthe external CorporateDirectory. The LDAPport depends on theCorporate Directory (389is the default). In case ofNetscape Directory,customer can configuredifferent port to acceptLDAP traffic.

Ephemeral389TCPLDAPExternalCorporateDirectory

--------------

IM andPresence

IM andPresence

--------------

ExternalCorporateDirectory

Allows the Directoryprotocol to integrate withthe external CorporateDirectory. LDAP portdepends on the CorporateDirectory (636 is thedefault).

Ephemeral636TCPLDAPSExternalCorporateDirectory

IM andPresence



Table 17: IM and Presence Service Release 9.x Ports - Configuration Requests



TransportProtocol


Config Agent heartbeatport

Ephemeral8600TCPTCPIM andPresence(ConfigAgent)

IM andPresence(ConfigAgent)

Table 18: IM and Presence Service Release 9.x Ports - Certificate Manager Requests



TransportProtocol


Internal port - Localhosttraffic only

Ephemeral7070TCPTCPCertificateManager

IM andPresence

Table 19: IM and Presence Service Release 9.x Ports - IDS Database Requests



TransportProtocol


Internal IDS port forDatabase clients.Localhost traffic only.

Ephemeral1500TCPTCPIM andPresence(Database)

IM andPresence(Database)

Internal port - this is analternate port to bring upa second instance of IDSduring upgrade.Localhost traffic only.

Ephemeral1501TCPTCPIM andPresence(Database)


Internal port. Localhosttraffic only. DBreplication port

Ephemeral1515TCPXMLIM andPresence(Database)




Table 20: IM and Presence Service Release 9.x Ports - IPSec Manager Requests



TransportProtocol


Internal port - clustermanager port used by theipsec_mgr daemon forcluster replication ofplatform data (hosts)certs

85008500UDP/TCPProprietaryIM andPresence(IPSec)

IM andPresence(IPSec)

Table 21: IM and Presence Service Release 9.x Ports - DRF Master Agent Server Requests



TransportProtocol


DRF Master Agentserver port, whichaccepts connections fromLocal Agent, GUI, andCLI

Ephemeral4040TCPTCPIM andPresence(DRF)

IM andPresence(DRF)

Table 22: IM and Presence Service Release 9.x Ports - RISDC Requests



TransportProtocol


Real-time InformationServices (RIS) databaseserver. Connects to otherRISDC services in thecluster to provideclusterwide real-timeinformation

Ephemeral2555TCPTCPIM andPresence(RIS)

IM andPresence(RIS)

Real-time InformationServices (RIS) databaseclient for Cisco RIS.Allows RIS clientconnection to retrievereal-time information

Ephemeral2556TCPTCPIM andPresence(RIS)

IM andPresence(RTMT/AMC/

SOAP)





TransportProtocol


Internal port. Localhosttraffic only. Used byRISDC (System Access)to link to servM via TCPfor service status requestand reply

88888889TCPTCPIM andPresence(RIS)

IM andPresence(RIS)

Table 23: IM and Presence Service Release 9.x Ports - SNMP Requests



TransportProtocol


Provides services forSNMP-basedmanagement applications

Ephemeral161, 8161UDPSNMPIM andPresence

SNMPServer

Native SNMP agent thatlistens for requestsforwarded by SNMPmaster agents

Ephemeral6162UDPSNMPIM andPresence

IM andPresence

SNMPMaster agent thatlistens for traps from thenative SNMP agent, andforwards to managementapplications

Ephemeral6161UDPSNMPIM andPresence

IM andPresence

Used as a socket for thecdp agent tocommunicate with thecdp binary

Ephemeral7999TCPTCPIM andPresence

SNMPServer

Used for communicationbetween the SNMPmaster agent andsubagents


IM andPresence

Sends SNMP traps tomanagement applications

Ephemeral162UDPSNMPSNMP TrapMonitor

IM andPresence

Internal SNMP trapreceiver

61441ConfigurableUDPSNMPIM andPresence

IM andPresence



Table 24: IM and Presence Service Release 9.x Ports - Racoon Server Requests



TransportProtocol


Enables Internet SecurityAssociation and theKey ManagementProtocol

Ephemeral500UDPIpsecIM andPresence

--------------

Gateway

Gateway

--------------

IM andPresence

Table 25: IM and Presence Service Release 9.x Ports - System Service Requests



TransportProtocol


Internal port. Localhosttraffic only. Used tolisten to clientscommunicating with theRIS Service Manager(servM).

Ephemeral8888 and8889

TCPXMLIM andPresence(RIS)

IM andPresence(RIS)

Table 26: IM and Presence Service Release 9.x Ports - DNS Requests



TransportProtocol


The port that DNS serverlisten on for IM andPresence DNS queries.

To: DNS Server | From:IM and Presence

Ephemeral53UDPDNSDNS ServerIM andPresence

Table 27: IM and Presence Service Release 9.x Ports - SSH/SFTP Requests



TransportProtocol


Used by manyapplications to getcommand line access tothe server. Also usedbetween nodes forcertificate and other fileexchanges (sftp)

Ephemeral22TCPSSH /SFTP

EndpointIM andPresence



Table 28: IM and Presence Service Release 9.x Ports - ICMP Requests



TransportProtocol


Internet ControlMessageProtocol (ICMP). Usedto communicate with theCisco UnifiedCommunicationsManager server

EphemeralNotApplicable

IPICMPCiscoUnifiedCommunicationsManager

--------------

IM andPresence

IM andPresence

--------------

CiscoUnifiedCommunicationsManager

Table 29: IM and Presence Service Release 9.x Ports - NTP Requests



TransportProtocol


Cisco UnifiedCommunicationsManager is the actingNTP server. Used bysubscriber nodes tosynchronize time withthe publisher node.

Ephemeral123UDPNTPNTP ServerIM andPresence



Table 30: IM and Presence Service Release 9.x Ports - Microsoft Exchange Notify Requests



TransportProtocol


Microsoft Exchange usesthis port to sendnotifications (usingNOTIFY message) toindicate a change to aparticular subscriptionidentifier for calendarevents. Used to integratewith any Exchangeserver in the networkconfiguration. Both portsare created. The kind ofmessages that are sentdepend on the type ofCalendar PresenceBackend gateway(s) thatare configured.

EphemeralIM andPresenceserver port(default50020)

)WebDAV- HTTP/UDP/IPnotifications

2) EWS -HTTP/TCP/IP SOAPnotifications

HTTP(HTTPu)

IM andPresence

MicrosoftExchange

Table 31: IM and Presence Service Release 9.x Ports - SOAP Services Requests



TransportProtocol


SOAP monitor portEphemeral5007TCPTCPIM andPresence(SOAP)

IM andPresence(Tomcat)

Table 32: IM and Presence Service Release 9.x Ports - AMC RMI Requests



TransportProtocol


AMC RMI Object port.Cisco AMC Service forRTMT performancemonitors, data collection,logging, and alerting.

Ephemeral1090TCPTCPRTMTIM andPresence

AMCRMIRegistry port.Cisco AMC Service forRTMT performancemonitors, data collection,logging, and alerting.

Ephemeral1099TCPTCPRTMTIM andPresence



Table 33: IM and Presence Service Release 9.x Ports - XCP Requests



TransportProtocol


Client access portEphemeral5222TCPTCPIM andPresence

XMPPClient

Server to Serverconnection (S2S) port


IM andPresence

HTTP listening port usedby the XCP WebConnection Manager forBOSH third-party APIconnections


Third-partyBOSH client

XCP Router MasterAccept Port. XCPservices that connect tothe router from an OpenPort Configuration (forexample XCPAuthenticationComponent Service)typically connect on thisport.

Ephemeral7400TCPTCPIM andPresence(XCP Router

IM andPresence(XCPServices)

MDNSport. XCP routersin a cluster use this portto discover each other.

Ephemeral5353UDPUDPIM andPresence(XCP Router

IM andPresence(XCP Router

Table 34: IM and Presence Service Release 9.x Ports - External Database (PostgreSQL) Requests



TransportProtocol


PostgreSQL databaselistening port

Ephemeral54321TCPTCPPostgreSQLdatabase

IM andPresence

1 This is the default port, however you can configure the PostgreSQL database to listen on any port.



Table 35: IM and Presence Service Release 9.x Ports - High Availability Requests



TransportProtocol


The port that CiscoServer RecoveryManager uses to provideadmin rpc requests.

Ephemeral20075TCPTCPIM andPresence(ServerRecoveryManager)

IM andPresence(ServerRecoveryManager)

The port that CiscoServer RecoveryManager uses tocommunicate with itspeer.

Ephemeral22001UDPUDPIM andPresence(ServerRecoveryManager)

IM andPresence(ServerRecoveryManager)

Table 36: IM and Presence Service Release 9.x Ports - In Memory Database Replication Messages



TransportProtocol


Cisco PresenceDatastoredual node subclusterreplication.

Ephemeral9003TCPProprietaryIM andPresence

IM andPresence

Cisco Login Datastoredual node subclusterreplication.


IM andPresence

Cisco SIP RegistrationDatastore dual nodesubcluster replication.


IM andPresence

Table 37: IM and Presence Service Release 9.x Ports - In Memory Database SQL Messages



TransportProtocol


Cisco PresenceDatastoreSQL Queries.


IM andPresence

Cisco Login DatastoreSQL Queries.


IM andPresence

Cisco SIP RegistrationDatastore SQL Queries.


IM andPresence





TransportProtocol


Cisco Route DatastoreSQL Queries.


IM andPresence

Table 38: IM and Presence Service Release 9.x Ports - In Memory Database Notification Messages



TransportProtocol


Cisco PresenceDatastoreXML-based changenotification.


IM andPresence

Cisco Login DatastoreXML-based changenotification.


IM andPresence

Cisco SIP RegistrationDatastore XML-basedchange notification.


IM andPresence

Cisco Route DatastoreXML-based changenotification.


IM andPresence

See the Cisco Unified Serviceability Administration Guide for information about SNMP.



Glossary

AXL / SOAP

Cisco Unified Communications XML Layer / Simple Object Access Protocol – API that applications use toread from or write to the Cisco Unified Communications Manager database.

CAPF

Certificate Authority Proxy Function – Used to load X.509 digital certificates into IP phones.

CDLM

Cisco Database Layer Monitor – Used to synchronize the database with what is running in active memory.

CTI

Computer Telephony Integration—Provides a link between telephone systems and computers to facilitateincoming and outgoing call handling and control; the physical link between a telephone and server.

CTL Client

Certificate Trust List Client—Application that creates the Certificate Trust List that gets loaded into IP phones.This plug-in comes with Cisco Unified Communications Manager and can be run on any computer that hasIP connectivity to all Cisco Unified Communications Managers in the cluster and has a USB port.

DRF

Disaster Recovery Framework

Ephemeral Ports

In virtually all cases, source ports are ephemeral, meaning randomwithin a specified range.When an outgoingrequest is made, the application solicits the host device for a port from its ephemeral pool. In a few cases, thedestination port is also ephemeral, meaning that both the source and destination ports are random.

JTAPI

Java Telephony Application Program Interface—Sun Microsystems telephony programming interface forJava. It provides a set of classes and interfaces that provide access to call control and telephony device controlas well as media and administrative services.

LDAP

Lightweight Directory Access Protocol—Used to validate user credentials against the designated directoryservice.

LDAPS

Lightweight Directory Access Protocol over TLS/SSL—Used to validate user credentials against the designateddirectory service.


IP VMS

Cisco IP VoiceMedia Streaming Application—Used for music on hold, annunciator, conference bridge, mediatermination point (MTP), and so on.

RIS

Real-Time Information Services database—Used by the Real-Time Monitoring Tool (RTMT) in theServiceability application.

RTMT

Real-Time Monitoring Tool

SDL

Signal Distribution Layer Link—Used for intracluster communications.

SOAP

Simple Object Access Protocol

TCTS

Trace Collection Tool Service—The backend service for RTMT Trace and Log Central (TLC)

TFTP

Trivial File Transfer Protocol—Used to load firmware and configurations into phones, gateways, and so on.

Tomcat

Web server


Glossary

tcp and udp port usage guide for cisco unified ... · 12 ol-27064-01 port descriptions. from...

Documents