Avaya Port Matrix Avaya IX Collaboration Unit - CU360 - Avaya Support
Avaya Port Matrix
Avaya IX Collaboration Unit CU360 11.0.0
Issue 1.4
April 18, 2020

Avaya – Proprietary Use pursuant to the terms of your signed agreement or Avaya policy. April 2020 Avaya Port Matrix: Avaya IX Collaboration Unit 1 Comments? Infodev@avaya.com
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL ELIMINATE SECURITY THREATS TO CUSTOMERS' SYSTEMS. AVAYA INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES, REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY CIRCUMSTANCES BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN. THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE OF THESE TERMS.

© 2020 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.
1. Avaya IX Collaboration Unit Components

The Avaya IX Collaboration Unit provides video technology for room conferencing, including support for dual-stream 1080p video, high-quality data sharing, high-quality audio and smart features. To enable an external collaboration unit to communicate with other Avaya Equinox Solution / Avaya IX Workplace components within the organization's network, you need to open firewall ports between the external unit and the organization. This section details the ports used by the Avaya IX Collaboration Unit and the relevant configuration procedures.

One Ethernet port (GLAN1, 10/100/1000) is always available for Ethernet connectivity on an Avaya IX Collaboration Unit; an additional Wi-Fi network connection can be available.

1.1 Opening Ports for the Avaya CU360

You can deploy CU360 endpoints either inside or outside the enterprise network. When Avaya Equinox / IX Workspace Solution components are located inside the network and one or more CU360 endpoints are outside it, you must open ports in the firewall to enable the endpoint's functionality. Since the location of the CU360 is not fixed, the source and destination of each port differ depending on your network topology.

The typical deployment is the Avaya Equinox / IX Workspace Conferencing Solution, with optional additional components. In this deployment CU360 endpoints connect to a conference managed by Avaya Equinox Management and hosted on the Avaya Equinox Media Server.

Figure 1 - Standard topology for Avaya CU360
In addition, using Avaya PathFinder or Avaya SBCE in the DMZ, this deployment represents a complete solution for H.323 and SIP connections, enabling secure connectivity between enterprise networks and remote sites. The CU360 endpoints can be located either inside or outside the enterprise. You need to open different ports depending on the topology and the location of the endpoints.

The source for a port is the sender of data packets, and the destination is the receiver. A firewall is a network entity blocking TCP/UDP traffic to a specific port. If the traffic is directed to a destination protected by the firewall, the port is inbound (X). A firewall can also block traffic to outbound ports (Y), when the connection is initiated by a source that is protected by the firewall.

If the CU endpoint, or the element with which the CU should communicate, is protected by a firewall, rules must be applied in the firewall to allow incoming UDP/TCP traffic to the protected element. A rule establishes that a port must be open in the firewall to allow traffic directed towards that port.

There are two types of ports which require firewall rules for opening:
• Ports which require bidirectional rules: they allow the CU360 to send and receive data packets on the same port. The initiator of the traffic is the source.
• Ports which require unidirectional rules: they allow the CU360 either to initiate communication or to receive data packets. The initiator of the traffic is the source.

For each port, you must designate it as inbound or outbound relative to the firewall. A port is inbound if its source is sending to a destination protected by the firewall. A port is outbound if its source is protected by the firewall. If the same port is both outbound and inbound for the CU, it will require a bidirectional opening rule on the firewall.

Figure 2 - Inbound and outbound ports for the CU360
On stateful firewalls, ports are left open to response data for an allocated period of time after the initial request. For unidirectional ports, this response is the only data allowed through in the opposite direction. On bidirectional ports, data can be initiated and sent through in both directions.

1.2 Opening Ports for Spaces Connectivity

The CU360 Application needs to connect to Spaces via SIP. Outgoing ports to the Spaces Backend, SIP and Media Server must be open in the local NAT/FW if they are blocked. TLS traffic is used for both HTTPS and WSS; any TLS inspection should support these protocols or have an exception for Spaces' hosts.

Check that a device inside the company can connect to:
• spaces.avayacloud.com (HTTPS + WSS, 443) (CU360 App and Spaces Room App)
• spaces.sip.mpaas.avayacloud.com (TCP/TLS 5061) (CU360 App)
and to UDP 3000-4999 for these addresses:
• 35.227.0.176/29
• 35.243.1.0/29
• 35.192.193.192/27
• 34.90.202.88/29
• 34.90.54.64/27
• 35.240.211.240/29
• 34.87.164.64/27
• 34.93.186.64/27
• 34.89.118.64/27

See also https://spaces.avayacloud.com/developers/docs/guides/network_requirements.
2. Port Usage Tables

CU360 endpoints need to use a series of UDP/TCP ports to communicate over a network with other audio-video endpoints in SIP/H.323 calls, or with other network elements, companion applications or entities in the Avaya IX Workspace/Equinox Solution deployment. For the purpose of this document, we will use the following terms.

2.1 Port Usage Table Heading Definitions

Source System: System name or type that initiates connection requests.
Source Port: This is the default layer-4 port number of the connection source. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.
Destination System: System name or type that receives connection requests.
Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.
Network/Application Protocol: This is the name associated with the layer-4 protocol and the layer-5-7 application.
Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values include Yes or No. "No" means the default port state cannot be changed (enabled or disabled). "Yes" means the default port state can be changed and that the port can either be enabled or disabled.
Default Port State: The "product" source or destination port is either open, closed, filtered or N/A.
  Open: ports will respond to queries.
  Closed: ports may or may not respond to queries, and are listed when they can be optionally enabled.
  Filtered: ports can be open or closed; filtered UDP ports will not respond to queries, filtered TCP ports will respond to queries but will not allow connectivity.
  N/A: primarily ephemeral ports used to connect to external sources such as DNS, NTP, etc.
Description: Connection details. Add a reference to the Notes section after each table for specifics on any of the row data, if necessary.
2.2 Port Table

Below is the table with the port usage for this product. It details the ports used by the destinations to receive UDP/TCP data sent by the source. Some items apply both to the Avaya CU360 (CU) and to Avaya XT Series Endpoints (XT) as source or destination. Generic SIP or H.323 endpoints (SIP EP/H323 EP) can also be used as sources or destinations to place SIP/H.323 calls. In each row the Description column gives the purpose of the port followed by the consequence of leaving it blocked.

Table 1. Ports for CU360 Management and Connectivity

Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network / Application Protocol | Optionally Enabled/Disabled? Mandatory/Recommended | Default Port State | Description
Web client (HTTP) | Ephemeral | CU/XT | 80 | HTTP (TCP) | Yes; Recommended to access the CU via a web browser using HTTP | Open | Remotely performs management tasks via the CU web user interface. A web client cannot access the CU web server using HTTP. Note: will be automatically redirected to HTTPS 443
IX Workspace/Equinox/Scopia® Desktop Clients | Ephemeral | CU/XT | 80 | HTTP (TCP) | Yes; Recommended | Open | Manual activation of Screen/Mobile Link. Screen/Mobile Link cannot be activated manually by a client. Note: will be automatically redirected to HTTPS 443
Web client (HTTPS) | Ephemeral | CU/XT | 443 | HTTPS (TCP) | Yes; Recommended to access the CU via a web browser using HTTPS | Open | Remotely performs management tasks via the CU web user interface. A web client cannot access the CU web server using HTTPS
IX Workspace/Equinox/Scopia® Desktop Clients | Ephemeral | CU/XT | 443 | HTTPS (TCP) | Yes; Recommended | Open | Manual activation of Screen/Mobile Link. Screen/Mobile Link cannot be activated manually by a client
CU/XT | Ephemeral | Avaya Aura, Avaya One-X portal for IPO, XMPP Server | 5222 | XMPP (TCP) | Yes; Recommended | NA | XMPP presence. EP presence status cannot be communicated to the XMPP server; the EP cannot see the presence status of other entities
Scopia Control App (iOS) / Avaya Collaboration Control App (Android) | Ephemeral | CU/XT | 3338 | XT/CU XML API (TCP) | Yes; Mandatory if using a Control App | Open | Sends GET/SET/ACTIONS requests to the EP. The Control app cannot connect to the EP
Scopia Control App (iOS) / Avaya Collaboration Control App (Android) | Ephemeral | CU/XT | 3339 | XT/CU HINTS (TCP) | Yes; Mandatory if using a Control App | Closed | Receives indications of system status changes. The Control app cannot align its status to reflect the EP status
Equinox Management (iView) | Ephemeral | CU/XT | 3341 | SM XML API (TCP) | Yes; Recommended for Calendar/Roster functionalities when not in cloud mode | Closed | Sends notifications of changes in Roster/Calendar. The CU cannot update the list of meetings scheduled for that day, the list of participants for meetings, or any meeting updates
CU/XT Signed Software Upgrade Agent | Ephemeral | CU/XT | 55090 | CU Signed Software Upgrade (TCP) | Yes; Mandatory to upgrade CU software remotely with mode=local or with a standalone app | Open | Upgrades the CU software with signed packages. CU software cannot be upgraded with a signed package by Equinox Management (local mode) or a standalone CU SW upgrade application
CU/XT Unsigned Software Upgrade Agent | Ephemeral | CU/XT | 55099 | CU Software Upgrade (TCP) | Yes; Optional special package upgrades | Closed | Special upgrade packages for Customer Support or internal demo
Equinox Management (iView) or XT/CU SDK Client (Crestron/Extron) | Ephemeral | CU/XT | 55003 | CU AT Commands or XT/CU SDK (TCP) | Yes; Mandatory if using Equinox Management to manage the CU in mode=local; Mandatory if using a third-party device to control the CU | Open | Uses the XT/CU SDK API for remote management. Management/Client cannot manage the CU
Telnet Client | Ephemeral | CU/XT | 60123 | CU CLI (TCP) | Yes; Optional | Closed | Accesses the CU console (CLI). The CU proprietary console application (CLI) cannot be accessed via Telnet. If the Telnet service is disabled, connections will be refused even if the port is open
CU/XT | Ephemeral | FTP, SFTP Server | 21 | FTP, SFTP (TCP) | Yes; Optional | NA | Sends files to a file server (passive mode); additional ports on the FTP server must be opened. The CU cannot send/receive files to/from a file transfer server
CU/XT | Ephemeral | DNS Server | 53 | DNS (UDP) | No; Mandatory | NA | Resolves a DNS address. The CU cannot resolve a DNS address
CU/XT | Ephemeral | Web Servers on the Internet | 80 | HTTP (TCP) | Yes; Recommended | NA | Performs NAT auto-discovery and geo-localization. The CU cannot perform NAT auto-discovery and geo-localization
CU/XT | Ephemeral | Server Proxy | 80 | HTTP (TCP) | Yes; Recommended | NA | Mobile Link. Mobile Link cannot be activated by clients
CU/XT | Ephemeral | Web Collab Server | 80/443 | HTTP(S) (TCP) | Yes; Mandatory to support Web Collab | NA | Web Collaboration. The CU cannot join a web collab session
CU/XT | Ephemeral | Exchange Web Server | 80/443 | HTTP(S) (TCP) | Yes; Mandatory to support Exchange Calendar | NA | Exchange Calendar integration. The CU cannot retrieve calendar items from EWS
CU/XT | Ephemeral | SNTP Server | 123 | SNTP (UDP) | Yes; Recommended | NA | Gets the Internet UTC time. The CU cannot get the Internet UTC time from a server
CU/XT | Ephemeral | Avaya Equinox Mgmt | 443 | HTTPS (wss) (SXMP) | Yes; Mandatory to support Avaya Mgmt in cloud mode | NA | Cloud connection and provisioning. Mgmt in cloud mode cannot control the CU
CU/XT | Ephemeral | Avaya Equinox Mgmt/CU/LDAP server | 389 | LDAP (TCP) | Yes; Mandatory if using a remote directory | NA | Retrieves contacts from an LDAP database. The CU cannot retrieve contacts from the remote LDAP directory
CU/XT | Ephemeral | Server Proxy | 443 | HTTPS (TCP) | Yes; Recommended | NA | Mobile Link. Mobile Link cannot be activated by clients
CU/XT | Ephemeral | Web Collab Server (Equinox/Spaces) | 443 | HTTPS (wss) | Yes; Mandatory to support Web Collab | NA | Web Collaboration. The CU cannot join a web collab session
CU/XT | Ephemeral | Spaces Backend | 443 | HTTPS (TCP), HTTPS (wss) | Yes; Mandatory to connect to Spaces with the CU360 app or Spaces Room App | NA | Spaces. The CU cannot connect to Spaces with the CU360 app or Spaces Room App
CU/XT | 1719 | Multicast IP address 224.0.0.41 ("all GK") | 1718 | H.225.0/RAS (UDP) | Yes; Optional | NA | "H.323 Gatekeeper Automatic Discovery" procedure. The CU cannot automatically discover a gatekeeper with which to register (only manual configuration available)
CU/XT | 1719 | H323 GK | 1719 | H.225.0/RAS (UDP) | Yes; Recommended | NA | H.323 call signaling to a GK. The CU cannot use the services of a gatekeeper
CU/XT/H323 EP | 3230-3250* | CU/XT/H323 EP | 1720 | H.225.0/Q.931 | Yes; Mandatory to support H.323 calls | Open | H.323 call signaling (Q.931). The CU cannot establish H.323 calls
CU/XT | Ephemeral | Avaya Equinox Management (iView) | 3336 | SM XML API (TCP) | Yes; Recommended for Calendar/Roster functionalities | NA | The CU requests from iView the list of scheduled meetings or the list of participants in the current meeting. The CU cannot receive the list of meetings scheduled for that day or the list of participants for the current meeting
CU/XT/H323 EP | Predefined Range or 3230-3250* (*if XT/CU) | XT/CU/H323 EP | Predefined Range or 3230-3250* (*if XT/CU) | H.245 (TCP) | Yes; Mandatory to support H.323 calls on TCP | Open | H.323 media control signaling (H.245). Cannot connect H.323 calls
CU/XT/SIP or H323 EP | Predefined Range or 3230-3313* (*if XT/CU) | CU/XT/SIP or H323 EP | Predefined Range or 3230-3313* (*if XT/CU) | RTP and RTCP (UDP) | Yes; Mandatory to support H.323 calls and SIP calls | Open | H.323 and SIP media (audio, video, H.224/data RTP) and media control (RTCP). No media exchanged in the H.323 or SIP call
CU/XT | 3230-3313* | Spaces Media Server | 3000-4999 | RTP and RTCP (UDP) | Yes; Mandatory to call Spaces Media servers | NA | See Opening Ports for Spaces Connectivity. No media exchanged in the H.323 or SIP call
CU/XT | 3478-3479 | STUN Server | 3478-3479 | STUN (UDP) | Yes; Optional | NA | Contacts the STUN server. Cannot discover the presence of a firewall or NAT (only manual configuration available)
CU/XT/SIP EP | Predefined Range or 3230-3313* (*if XT/CU) | CU/XT/SIP EP | 5060 | SIP (TCP) | Yes; Mandatory to support SIP calls on TCP/TLS over TCP | Open | SIP call signaling over TCP. Cannot connect SIP calls over TCP or TLS over TCP
CU/XT/SIP EP | 5060 | CU/XT/SIP EP | 5060 | SIP (UDP) | Yes; Mandatory to support SIP calls on UDP | Open | SIP call signaling. Cannot connect SIP calls over UDP
CU/XT/SIP EP | Predefined Range or 3230-3313* (*if XT/CU) | CU/XT/SIP EP / SIP Server or SIP GW / Spaces SIP Server (MPaaS) | 5061 | SIP (TCP-TLS) | Yes; Mandatory to support SIP calls on TCP for TLS | Open | SIP call signaling for TLS. Cannot connect SIP calls over TCP for TLS. Cannot connect to Spaces using the CU360 App
CU/XT/SIP EP | Predefined Range or 5070-5077* (*if CU/XT) | CU/XT/SIP EP | Predefined Range or 5070-5077* (*if CU/XT) | BFCP (TCP) | Yes; Mandatory to support content video in SIP calls | Open | SIP content (presentation) video signaling. No SIP content video available
CU/XT | Ephemeral | Avaya Equinox/IX Workspace/Scopia® Desktop Clients | 8554 | RTSP (TCP) | Yes; Recommended | NA | Screen Link. The CU/XT cannot receive shared desktop content from clients
NOTES:
1. * The maximum port range is specified. The port range actually used could be smaller than the specified one, depending on the available license and active settings. Please check the CU UI (Networks > Preferences > Dynamic ports > Manual mode) for the range in use.
2. Response data, if any, are sent to the port specified by the source in the request, or to the same port used to receive (this is common for UDP). Response traffic over a TCP socket is never blocked. Stateful firewalls are usually able to allow response TCP and UDP traffic to flow back for a limited amount of time (usually hours for TCP, minutes or less for UDP). Unless a source (client) explicitly requests a specific port number for a TCP or UDP socket connection, the source port number used is an ephemeral port number.
3. Ephemeral ports are temporary ports assigned by the client machine's IP stack, and are assigned from a designated range of ports for this purpose. When the connection terminates, the ephemeral port is available for reuse, although most IP stacks won't reuse that port number until the entire pool of ephemeral ports has been used. So, if the client program reconnects, it will be assigned a different ephemeral port number for its side of the new connection. Similarly, for UDP/IP, when a datagram is sent by a client from an unbound port number, an ephemeral port number is assigned automatically so the receiving end can reply to the sender. The CU uses ephemeral source ports in the range 32768-60999.

2.3 Port Table Changes
• [Issue 1.2] Added details about ports used by the Avaya Collaboration Control app (3338, 3339) in 10.1
• [Issue 1.2] Added HTTP/HTTPS connection to EWS for calendar.
• [Issue 1.3] Avaya Equinox is now called Avaya IX Workspace for some components.
• [Issue 1.4] Added details for connection to Spaces.
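The inbound/outbound/bidirectional distinction of section 1.1 and the stateful return-path behaviour of Notes 2 and 3 can be made concrete with the following added example, which is not Avaya's code and not part of the original document: it models a firewall in front of a CU360 and evaluates constructed flows against a subset of Table 1 plus the Spaces ranges of section 1.2. CU_IP, the peer addresses and the state timeouts are assumptions; the port numbers and CIDR ranges are those of the matrix.

```python
# Added example (not Avaya's code): evaluate packets against a constructed subset of the CU360
# port matrix with a simplified stateful-firewall model. CU_IP, the peer addresses and
# STATE_TTL are assumptions; port numbers and CIDR ranges come from the port matrix itself.
import ipaddress
from collections import namedtuple
from typing import NamedTuple

CU_IP = "10.0.0.50"                       # assumed address of the firewall-protected CU360
CU_EPHEMERAL = (32768, 60999)             # CU ephemeral source range (Note 3)
PEER_EPHEMERAL = (1024, 65535)            # assumed ephemeral range of an arbitrary peer
STATE_TTL = {"tcp": 3600.0, "udp": 30.0}  # assumed return-path windows in seconds (Note 2)
SPACES_MEDIA_NETS = ("35.227.0.176/29", "35.243.1.0/29", "35.192.193.192/27",  # section 1.2
                     "34.90.202.88/29", "34.90.54.64/27", "35.240.211.240/29",
                     "34.87.164.64/27", "34.93.186.64/27", "34.89.118.64/27")

Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port")  # packet 5-tuple


class Rule(NamedTuple):
    name: str
    proto: str
    initiator_ports: tuple     # (lo, hi) used by whichever side opens the connection
    responder_ports: tuple     # (lo, hi) the other side listens on
    direction: str             # "in": peer initiates, "out": CU initiates, "both": either
    peer_nets: tuple = ()      # CIDR allowlist for the peer; empty means any peer


RULES = (
    Rule("Web client -> CU web UI (HTTPS 443)", "tcp", PEER_EPHEMERAL, (443, 443), "in"),
    Rule("CU -> DNS server (UDP 53)", "udp", CU_EPHEMERAL, (53, 53), "out"),
    Rule("H.323 call signaling Q.931 (TCP 1720)", "tcp", (3230, 3250), (1720, 1720), "both"),
    Rule("CU -> Spaces SIP server (TLS 5061)", "tcp", (3230, 3313), (5061, 5061), "out"),
    Rule("CU -> Spaces media servers (RTP/RTCP)", "udp", (3230, 3313), (3000, 4999),
         "out", SPACES_MEDIA_NETS),
)


def _in(port, rng):
    return rng[0] <= port <= rng[1]


def rule_matches(rule, flow):
    """True if a new (initiating) flow is permitted by rule, judged relative to CU_IP."""
    if rule.proto != flow.proto:
        return False
    if flow.src_ip == CU_IP:            # CU is the source: outbound for its firewall
        needed, peer = "out", flow.dst_ip
    elif flow.dst_ip == CU_IP:          # CU is the destination: inbound
        needed, peer = "in", flow.src_ip
    else:
        return False                    # the matrix only describes traffic involving the CU
    if rule.direction not in ("both", needed):
        return False
    if not (_in(flow.src_port, rule.initiator_ports) and _in(flow.dst_port, rule.responder_ports)):
        return False
    if rule.peer_nets:
        addr = ipaddress.ip_address(peer)
        return any(addr in ipaddress.ip_network(net) for net in rule.peer_nets)
    return True


class StatefulFirewall:
    """Unidirectional rules plus a state table that admits replies for a limited time."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = {}                 # request Flow -> expiry time in seconds

    def evaluate(self, flow, now):
        """Return (verdict, reason) for a packet seen at time now."""
        request = Flow(flow.proto, flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
        if self.state.get(request, -1.0) > now:      # reply to a live request (Note 2)
            self.state[request] = now + STATE_TTL[flow.proto]
            return "allow", "stateful response"
        for rule in self.rules:                      # otherwise it needs a matrix rule
            if rule_matches(rule, flow):
                self.state[flow] = now + STATE_TTL[flow.proto]
                return "allow", rule.name
        return "deny", "not in port matrix"


def demo():
    """Constructed flows against a fresh firewall; returns (label, verdict, reason) tuples."""
    fw, peer, dns = StatefulFirewall(), "203.0.113.9", "10.0.0.2"
    cases = [
        ("DNS query", Flow("udp", CU_IP, 40000, dns, 53), 0.0),
        ("DNS reply within window", Flow("udp", dns, 53, CU_IP, 40000), 1.0),
        ("DNS reply after window", Flow("udp", dns, 53, CU_IP, 40000), 5000.0),
        ("inbound H.323 call", Flow("tcp", peer, 3240, CU_IP, 1720), 10.0),
        ("outbound H.323 call", Flow("tcp", CU_IP, 3240, peer, 1720), 11.0),
        ("Spaces media", Flow("udp", CU_IP, 3300, "35.227.0.177", 4000), 12.0),
        ("UDP 4000 to a non-Spaces host", Flow("udp", CU_IP, 3300, "198.51.100.7", 4000), 13.0),
        ("Telnet to CU console (closed by default)", Flow("tcp", peer, 50000, CU_IP, 60123), 14.0),
    ]
    return [(label, *fw.evaluate(flow, t)) for label, flow, t in cases]
```

Calling demo() shows the DNS reply passing only while the state entry is alive, the H.323 rule accepting calls initiated from either side, the Spaces media rule rejecting the same UDP port towards a non-Spaces address, and Telnet to 60123 being denied because it has no rule.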
3. Port Usage Diagram

3.1 Port Usage Diagram Changes
• [Issue 1.2] Added icon for Avaya Collaboration Control (ports 3338, 3339) in 10.1
• [Issue 1.2] Added reference to EWS
• [Issue 1.3] Avaya Equinox Clients are now called Avaya IX Workspace Clients.
• [Issue 1.3] Extended description for some port usages in the drawing
• [Issue 1.4] Added details for Spaces and other SIP/H323 servers.
• [Issue 1.4] Removed reference to Scopia Control, now Collaboration Control.
Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. For example, your PC may have multiple applications simultaneously receiving information: email using destination TCP port 25, a browser using destination TCP port 443 and an SSH session using destination TCP port 22. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Each of the mini-streams is directed to the correct high-level application identified by the port numbers.

Every IP device has incoming (Ingress) and outgoing (Egress) data streams. Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket. Therefore, each data stream is uniquely identified with two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination.

Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with the known protocol associated with the port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Types

Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic Ports (sometimes called Private Ports). The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers.

Well Known Ports

Well Known Ports are those numbered from 0 through 1023. For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is waiting for an email session, etc. These ports are tied to a well-understood application and range from 0 to 1023. In UNIX and Linux operating systems, only root may open or close a well-known port. Well Known Ports are also commonly referred to as "privileged ports".

Registered Ports

Registered Ports are those numbered from 1024 through 49151. Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include: 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248 and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535. Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152 – 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address.
• Data Flow 1: 172.19.19.14:1234 - 10.1.2.3:2345. Two different port numbers and IP addresses; this is a valid and typical socket pair.
• Data Flow 2: 172.19.19.14:1235 - 10.1.2.3:2345. Same IP addresses, and the same port number on the second socket, as Data Flow 1; but since the port number on the first socket differs, the data flow is unique.
• Data Flow 3: 172.19.19.14:1234 - 10.1.2.4:2345. If one IP address octet changes, or one port number changes, the data flow is unique.

Socket Example Diagram
  Client HTTP-Get: Source 192.168.1.10:1369 -> Destination 10.10.10.47:80 (Web Server)
  Web Server TCP-info: Source 10.10.10.47:80 -> Destination 192.168.1.10:1369 (Client)
Figure 1. Socket example showing ingress and egress data flows from a PC to a web server

The client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream from the server has the source and destination information reversed.
Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application Level Gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet, up through the application layer, is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning (1).

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers and application types and sub-types. This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns. Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

(1) Port scanning: the act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning can also be malicious in nature if someone is looking for a weakened access point to break into your computer.