Avaya Port Matrix Avaya IX Collaboration Unit - CU360 - Avaya Support

Avaya Port Matrix
Avaya IX Collaboration Unit
CU360
11.0.0

Issue 1.4
April 18, 2020

                                Avaya – Proprietary
        Use pursuant to the terms of your signed agreement or Avaya policy.

April 2020                 Avaya Port Matrix: Avaya IX Collaboration Unit               1
                               Comments? Infodev@avaya.com
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF
PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE AND FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS
OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL
ELIMINATE SECURITY THREATS TO CUSTOMERS’ SYSTEMS. AVAYA INC.,
ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES,
REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY
CIRCUMSTANCES BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL,
PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN.
THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF
PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE
OF THESE TERMS.

© 2020 Avaya Inc. All Rights Reserved. All trademarks identified by the ®
or ™ are registered trademarks or trademarks, respectively, of Avaya Inc.
All other trademarks are the property of their respective owners.

1. Avaya IX Collaboration Unit Components
The Avaya IX Collaboration Unit provides video technology for room conferencing, including support for dual
stream 1080p video, high-quality data sharing, high-quality audio, and smart features.

To enable an external collaboration unit to communicate with other Avaya Equinox Solution/ Avaya IX
Workplace components within the organization's network, you need to open firewall ports between the external
unit and the organization.

This section details the ports used for the Avaya IX Collaboration Unit and the relevant configuration
procedures.

One Ethernet port (GLAN1, 10/100/1000) is always available for Ethernet connectivity on an Avaya IX
Collaboration Unit; an additional Wi-Fi network connection can be available.

1.1 Opening Ports for the Avaya CU360
You can deploy CU360 endpoints either inside or outside the enterprise network.

When Avaya Equinox / IX Workspace Solution components are located inside the network, and one or more
CU360 endpoints are outside the network, you must open ports in the firewall to enable the endpoint's
functionality.

Since the location of the CU360 is not fixed, the ports' source and destination differ depending on your network
topology. The typical deployment is the Avaya Equinox/ IX Workspace Conferencing Solution, with optional
additional components. In this deployment CU360 endpoints connect to a conference managed by Avaya
Equinox Management, and hosted on the Avaya Equinox Media Server.

Figure 1 - Standard topology for Avaya CU360

In addition, using Avaya PathFinder or Avaya SBCE in the DMZ, this deployment represents a complete solution for
H.323 and SIP connections, enabling secure connectivity between enterprise networks and remote sites.

The CU360 endpoints can be located either inside or outside the enterprise. You need to open different ports
depending on the topology, and the location of the endpoints.

The source for a port is the sender of data packets, and the destination is the receiver.

A firewall is a network entity that blocks TCP/UDP traffic to a specific port. If the traffic is directed to a destination
protected by the firewall, the port is inbound (X). A firewall can also block traffic to outbound ports (Y), where the
connection is initiated by a source that is protected by the firewall.

If the CU endpoint or the element with which CU should communicate is protected by a firewall, to allow
incoming UDP/TCP traffic to the protected element, rules in the firewall must be applied. A rule establishes that
a port must be open in the firewall to allow traffic directed towards that port.

There are two types of ports which require firewall rules for opening.

• Ports which require bidirectional rules: they allow the CU360 to send and receive data packets on the same
port. The initiator of the traffic is the source.

• Ports which require unidirectional rules: they allow the CU360 to either initiate communication or receive data
packets. The initiator of the traffic is the source.

For each port, you must designate it as inbound or outbound relative to the firewall. A port is inbound if its
source is sending to a destination protected by the firewall. A port is outbound if its source is protected by the
firewall. If the same port is both outbound and inbound for the CU, it requires a bidirectional opening rule on the
firewall.

Figure 2 - Inbound and outbound ports for the CU360

On stateful firewalls, ports are left open for response data for an allocated period of time after the initial request.
For unidirectional ports, this response is the only data allowed through in the opposite direction. On
bidirectional ports, data can be initiated and sent in both directions.
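The inbound/outbound/bidirectional classification above can be applied mechanically to the rows of the port table. The following Python module is an added illustration of that classification, not Avaya code: each Flow is constructed from one row of Table 1 in section 2.2, and the set of systems that sit behind the firewall being configured (the `protected` argument) is an assumption that depends on whether the CU360 is inside or outside the enterprise network.

```python
"""Derive perimeter firewall rules from port-matrix flows.

Added illustration, not Avaya's code. Each Flow is constructed from one row
of the CU360 port table (section 2.2); the set of systems that sit behind the
firewall being configured is an assumption that depends on the deployment
topology (CU360 inside or outside the enterprise network).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    source: str        # system that initiates the connection (the sender)
    src_port: str      # "Ephemeral", a fixed port, or a range such as "3230-3250"
    destination: str   # system that receives the connection request
    dst_port: str
    protocol: str      # "TCP" or "UDP"


# Constructed from Table 1 rows; port numbers as listed there.
FLOWS: List[Flow] = [
    Flow("Web client", "Ephemeral", "CU", "443", "TCP"),      # HTTPS management UI
    Flow("CU", "Ephemeral", "DNS Server", "53", "UDP"),       # name resolution
    Flow("CU", "Ephemeral", "SNTP Server", "123", "UDP"),     # time sync
    Flow("CU", "3230-3250", "H323 EP", "1720", "TCP"),        # CU places an H.323 call
    Flow("H323 EP", "3230-3250", "CU", "1720", "TCP"),        # CU receives an H.323 call
    Flow("CU", "Ephemeral", "Spaces Backend", "443", "TCP"),  # cloud signalling
]

RuleKey = Tuple[str, str, str]   # (protocol, destination port, unprotected peer)


def direction(flow: Flow, protected: Set[str]) -> str:
    """Classify one flow relative to the firewall protecting `protected`.

    inbound:  the destination is protected, so the request enters the zone.
    outbound: the source is protected, so the request leaves the zone.
    internal: both ends are protected; this perimeter does not see the flow.
    n/a:      neither end is protected; no rule on this firewall.
    """
    src_in = flow.source in protected
    dst_in = flow.destination in protected
    if src_in and dst_in:
        return "internal"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "n/a"


def derive_rules(flows: Iterable[Flow], protected: Set[str]) -> Dict[RuleKey, str]:
    """Merge flows into rules keyed by (protocol, dst port, external peer).

    A port that is inbound in one row and outbound in another for the same
    peer (for example H.225.0/Q.931 on TCP 1720, where either side may place
    the call) collapses into a single bidirectional rule, as section 1.1
    describes. Everything else stays unidirectional.
    """
    rules: Dict[RuleKey, str] = {}
    for flow in flows:
        kind = direction(flow, protected)
        if kind in ("internal", "n/a"):
            continue
        peer = flow.source if kind == "inbound" else flow.destination
        key: RuleKey = (flow.protocol, flow.dst_port, peer)
        previous = rules.get(key)
        if previous is None or previous == kind:
            rules[key] = kind
        else:
            rules[key] = "bidirectional"
    return rules


def render_rules(rules: Dict[RuleKey, str]) -> List[str]:
    """Human-readable rule lines. Unidirectional rules rely on firewall state
    for the reply traffic, so only the request direction is opened."""
    lines = []
    for (proto, port, peer), kind in sorted(rules.items()):
        if kind == "bidirectional":
            lines.append(f"allow {proto}/{port} both ways with {peer}")
        else:
            prep = "from" if kind == "inbound" else "to"
            lines.append(f"allow {proto}/{port} {kind} ({prep} {peer}; replies via state)")
    return lines


if __name__ == "__main__":
    # Assumed topology: only the CU360 sits behind the firewall being configured.
    for line in render_rules(derive_rules(FLOWS, {"CU"})):
        print(line)
```

Rules are keyed per peer rather than per port alone, so a port such as 443 that the CU both serves (web client to CU) and consumes (CU to Spaces Backend) yields two separate unidirectional rules instead of one over-broad bidirectional opening; the H.323 Q.931 port, which genuinely runs both ways with the same peer, is the one that merges.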

1.2 Opening Ports for Spaces Connectivity
The CU360 Application needs to connect to Spaces via SIP.

Outgoing ports to the Spaces Backend, SIP and Media Servers must be open in the local NAT/FW if they are blocked.
TLS is used for both HTTPS and WSS; any TLS inspection must support these protocols or have an exception for
Spaces' hosts.

Check that a device inside the company can connect to:

• spaces.avayacloud.com (HTTPS + WSS, 443) (CU360 App and Spaces Room App)
• spaces.sip.mpaas.avayacloud.com (TCP/TLS 5061) (CU360 App)

and to UDP 3000-4999 for these addresses:

• 35.227.0.176/29
• 35.243.1.0/29
• 35.192.193.192/27
• 34.90.202.88/29
• 34.90.54.64/27
• 35.240.211.240/29
• 34.87.164.64/27
• 34.93.186.64/27
• 34.89.118.64/27

See also https://spaces.avayacloud.com/developers/docs/guides/network_requirements.
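The Spaces requirements above can be kept as data and checked from a device on the inside network. The Python module below is an added example, not Avaya code: the hostnames, ports and address prefixes are the ones listed in this section, while the probe timeout and the use of the system trust store are assumptions. Because the section calls out TLS inspection, the probe completes a full TLS handshake with certificate validation rather than a plain TCP connect, so an inspecting proxy that substitutes its own certificate is reported instead of passing silently.

```python
"""Spaces connectivity requirements from section 1.2 as data, plus checks.

Added illustration, not Avaya's code. The hostnames, ports and address
prefixes are the ones section 1.2 lists; the probe timeout and the sample
addresses used when the module is run are assumptions.
"""
import ipaddress
import socket
import ssl
from typing import List, Tuple

# (host, TCP port, purpose) for the signalling/API endpoints a device must reach.
SPACES_TCP_TARGETS: List[Tuple[str, int, str]] = [
    ("spaces.avayacloud.com", 443, "HTTPS + WSS, CU360 App and Spaces Room App"),
    ("spaces.sip.mpaas.avayacloud.com", 5061, "SIP over TLS, CU360 App"),
]

# Media server prefixes that must accept UDP 3000-4999 from the device.
SPACES_MEDIA_PREFIXES = [ipaddress.ip_network(p) for p in (
    "35.227.0.176/29", "35.243.1.0/29", "35.192.193.192/27",
    "34.90.202.88/29", "34.90.54.64/27", "35.240.211.240/29",
    "34.87.164.64/27", "34.93.186.64/27", "34.89.118.64/27",
)]
SPACES_MEDIA_UDP_PORTS = (3000, 4999)


def is_spaces_media_address(addr: str) -> bool:
    """True when `addr` falls inside one of the published media prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SPACES_MEDIA_PREFIXES)


def media_port_in_range(port: int) -> bool:
    """True when `port` is inside the UDP range the media servers use."""
    low, high = SPACES_MEDIA_UDP_PORTS
    return low <= port <= high


def render_egress_rules() -> List[str]:
    """Outbound allow-list entries for the local NAT/firewall, one per target."""
    rules = [f"allow tcp to {host} port {port}  # {purpose}"
             for host, port, purpose in SPACES_TCP_TARGETS]
    low, high = SPACES_MEDIA_UDP_PORTS
    rules += [f"allow udp to {net} ports {low}-{high}  # Spaces media"
              for net in SPACES_MEDIA_PREFIXES]
    return rules


def tls_probe(host: str, port: int, timeout: float = 5.0) -> Tuple[bool, str]:
    """Complete a TLS handshake and validate the server certificate against
    the system trust store. A TCP connect alone is not enough here: a
    TLS-inspecting proxy accepts the connection but presents its own
    certificate, which this check reports as a verification failure."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(x[0] for x in tls.getpeercert()["issuer"])
                org = issuer.get("organizationName", "?")
                return True, f"ok ({tls.version()}, issuer {org})"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected (TLS inspection?): {exc.reason}"
    except OSError as exc:
        return False, f"unreachable: {exc}"


if __name__ == "__main__":
    for host, port, purpose in SPACES_TCP_TARGETS:
        ok, detail = tls_probe(host, port)
        print(f"{host}:{port} [{purpose}] -> {detail}")
    print("\n".join(render_egress_rules()))
```

Run from a device inside the company network, the module prints one line per signalling target and the egress allow-list that the local NAT/FW needs; a "certificate rejected" result on either host is the symptom of TLS inspection without the exception this section requires.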

2. Port Usage Tables
CU360 endpoints need to use a series of UDP/TCP ports to communicate over a network with other audio-video
endpoints in SIP/H323 calls, or with other network elements, companion applications or entities in the Avaya IX
Workspace/Equinox Solution Deployment. For the purpose of this document, we will use the following terms.

2.1 Port Usage Table Heading Definitions
Source System: System name or type that initiates connection requests.

Source Port: This is the default layer-4 port number of the connection source. Valid values include: 0 – 65535. A
       “(C)” next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values
       include: 0 – 65535. A “(C)” next to the port number means that the port number is configurable.

Network/Application Protocol: This is the name associated with the layer-4 protocol and layers-5-7 application.

Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-4 port,
       changing its default port state. Valid values include: Yes or No.
       "No" means the default port state cannot be changed (i.e. enabled or disabled).
       "Yes" means the default port state can be changed and that the port can either be enabled or disabled.

Default Port State: The "product" source or destination port is either Open, Closed, Filtered or N/A.
        Open: ports will respond to queries.
        Closed: ports may or may not respond to queries and are listed when they can be optionally enabled.
        Filtered: ports can be open or closed; filtered UDP ports will not respond to queries, filtered TCP ports
                  will respond to queries but will not allow connectivity.
        N/A: primarily ephemeral ports used to connect to external sources such as DNS, NTP, etc.

Description: Connection details. A reference to the Notes section after each table is added where specifics on
        any of the row data are necessary.

2.2 Port Table
Below is the table with the port usage for this product. It details ports used by the destinations to receive UDP/TCP data sent by the source. Some
items apply to both Avaya CU360 (CU) and to Avaya XT Series Endpoints (XT) as source or destination. Generic SIP or H323 endpoints (SIP EP/H323
EP) can also be used as sources or destinations to place SIP/H323 calls.

                                                           Table 1. Ports for CU360 Management and Connectivity

                 Source                                 Destination                   Network /        Optionally Enabled/Disabled?          Default                  Description
                               Port               System                 Port        Application         Mandatory/Recommended                Port
        System                                                                        Protocol                                                State
                           (Configurable                             (Configurable
                              Range)                                    Range)
Web client (HTTP)         Ephemeral      CU/XT                      80             HTTP (TCP)       Yes;                                      Open     Remotely performs management tasks
                                                                                                    Recommended to access CU via a Web                 via the CU Web user interface
                                                                                                    Browser using HTTP                                 A web client cannot access the CU web
                                                                                                    Note: will be automatically redirected to          server using HTTP
                                                                                                    Https: 443
IX Workspace/ Equinox Ephemeral          CU/XT                      80             HTTP (TCP)       Yes;                                      Open     Manual activation of Screen/Mobile Link
/Scopia® Desktop Clients                                                                            Recommended                                        Screen/Mobile Link cannot be activated
                                                                                                    Note: will be automatically redirected to          manually by a Client
                                                                                                    Https: 443
Web client (HTTPS)        Ephemeral      CU/XT                      443            HTTPS (TCP)      Yes;                                      Open     Remotely performs management tasks
                                                                                                    Recommended to access CU via a Web                 via the CU Web user interface
                                                                                                    Browser using HTTPS                                A web client cannot access the CU web
                                                                                                                                                       server using HTTPS
IX Workspace/ Equinox Ephemeral          CU/XT                      443            HTTPS (TCP)      Yes;                                    Open       Manual activation of Screen/Mobile Link
/Scopia® Desktop Clients                                                                            Recommended                                        Screen/Mobile Link cannot be activated
                                                                                                                                                       manually by a Client
CU/XT                     Ephemeral      Avaya Aura,                 5222          XMPP(TCP)        Yes;                                    NA         XMPP Presence
                                         Avaya One-X portal for IPO,                                Recommended                                        Ep Presence status cannot be
                                         XMPP Server                                                                                                   communicated to the XMPP server.
                                                                                                                                                       EP cannot see the presence status for
                                                                                                                                                       other entities
Scopia Control App (iOS) Ephemeral       CU/XT                      3338           XT/CU XML API    Yes;                                    Open       Sends GET/SET/ACTIONS request to ep
Avaya Collaboration                                                                (TCP)            Mandatory if using a Control App                   Control app cannot connect to ep
Control App (Android)
Scopia Control App (iOS) Ephemeral       CU/XT                      3339           XT/CU HINTS      Yes;                                    Closed     Receives indications of system status
Avaya Collaboration                                                                (TCP)            Mandatory if using a Control App                   changes
Control App (Android)                                                                                                                                  Control app cannot align its status to
                                                                                                                                                       reflect ep status.
Equinox Management        Ephemeral      CU/XT                      3341           SM XML API (TCP) Yes;                                    Closed     Sends notifications of changes in
(iView)                                                                                             Recommended for Calendar/Roster                    Roster/Calendar
                                                                                                    functionalities when not in cloud mode.            CU cannot update the list of meetings
                                                                                                                                                       scheduled for that day or the list of
                                                              Avaya – Proprietary
                                      Use pursuant to the terms of your signed agreement or Avaya policy.

                            April 2020                              Avaya Port Matrix: Avaya IX Collaboration Unit                                                7
                                                                            Comments? Infodev@avaya.com
participants for meetings, or any meeting
                                                                                                                                                   updates.
CU/XT Signed Software     Ephemeral     CU/XT                  55090            CU Signed        Yes;                                    Open      Upgrades the CU Software with signed
Upgrade Agent                                                                   Software Upgrade Mandatory to upgrade CU software                  packages
                                                                                (TCP)            remotely with mode=local or with                  CU software cannot be upgraded with a
                                                                                                 standalone app                                    signed package by Equinox Management
                                                                                                                                                   (local mode) or a standalone CU Sw
                                                                                                                                                   upgrade application
CU/XT Unsigned Software Ephemeral       CU/XT                  55099            CU Software       Yes;                                   Closed    Special upgrade packages for
Upgrade Agent                                                                   Upgrade (TCP)     Optional special package upgrades                CustomerSupport or internal demo

Equinox Management        Ephemeral     CU/XT                  55003            CU AT Commands Yes;                                       Open     Uses XT/CU SDK API for Remote
(iView) or XT/CU SDK                                                            (TCP)          Mandatory if using Equinox                          Management
Client (Creston/Extron)                                                                        Management to manage the CU in                      Management/Client cannot manage CU.
                                                                                               mode=local;
                                                                                               Mandatory if using a Third Party device
                                                                                               to control CU
Telnet Client             Ephemeral     CU/XT                  60123            CU CLI (TCP)   Yes;                                       Closed   Accesses CU console (CLI)
                                                                                               Optional                                            CU proprietary console application (CLI)
                                                                                               If Telnet Service is disabled, connections          cannot be accessed via Telnet
                                                                                               will be refused even if the port is open
CU/XT                     Ephemeral     FTP, SFTP Server       21               FTP, SFTP(TCP) Yes;                                       NA       Sends files to a file server (passivemode).
                                                                                               Optional                                            Additional ports on the FTP server must
                                                                                                                                                   be opened
                                                                                                                                                   CU cannot send/receive files to/from a
                                                                                                                                                   file transfer server.
CU/XT                     Ephemeral     DNS Server             53               DNS (UDP)         No;                                    NA        Resolve a DNS address
                                                                                                  Mandatory                                        CU cannot resolve a DNS address
CU/XT                     Ephemeral     Web Servers on the     80               HTTP (TCP)        Yes;                                   NA        Performs NAT auto discovery and geo-
                                        Internet                                                  Recommended                                      localization
                                                                                                                                                   CU cannot perform NAT Auto-discovery
                                                                                                                                                   and geo-localization
CU/XT                     Ephemeral     Server Proxy           80               HTTP (TCP)        Yes;                                   NA        Mobile Link
                                                                                                  Recommended                                      Mobile Link cannot be activated by a
                                                                                                                                                   Clients
CU/XT                     Ephemeral     Web Collab Server      80/443           HTTP(s) (TCP)     Yes;                                   NA        Web Collaboration
                                                                                                  Mandatory to support Web Collab                  CU cannot join web collab session
CU/XT                     Ephemeral     Exchange Web Server    80/443           HTTP(s) (TCP)     Yes;                                   NA        Exchange Calendar integration.
                                                                                                  Mandatory to support Exchange                    CU cannot retrieve calendar items from
                                                                                                  Calendar                                         EWS.
CU/XT                     Ephemeral     SNTP Server            123              SNTP (UDP)        Yes;                                   NA        Gets the Internet UTC time
                                                                                                  Recommended                                      CU cannot get the Internet UTC time from
                                                                                                                                                   a server
CU/XT                     Ephemeral     Avaya Equinox Mgmt     443              HTTPS (wss)       Yes;                                   NA        Cloud connection and provisioning
                                                                                                                                                   (SXMP)

                                                              Avaya – Proprietary
                                      Use pursuant to the terms of your signed agreement or Avaya policy.

April 2020                     Avaya Port Matrix: Avaya IX Collaboration Unit                                                     8
                                                                       Comments? Infodev@avaya.com
Mandatory to support Avaya Mgmt with           Mgmt in cloud mode cannot control CU
                                                                                             cloud mode
CU/XT                  Ephemeral       Avaya Equinox           389           LDAP(TCP)       Yes;                                 NA        Retrieves contacts from LDAP database
                                       Mgmt/CU/LDAP server                                   Mandatory if using remote directory            CU cannot retrieve contacts from remote
                                                                                                                                            LDAP directory
CU/XT                  Ephemeral       Server Proxy            443           HTTPS (TCP)     Yes;                                  NA       Mobile Link
                                                                                             Recommended                                    Mobile Link cannot be activated by a
                                                                                                                                            Clients
CU/XT                  Ephemeral       Web Collab Server       443           HTTPS (wss)     Yes;                                  NA       Web Collaboration
                                                                                             Mandatory to support Web Collab                CU cannot join web collab session
                                                                                                                                            (Equinox/Spaces)
CU/XT                  Ephemeral       Spaces Backend          443           HTTPS (TCP)     Yes;                                  NA       Spaces
                                                                             HTTPS (wss      Mandatory to connect to Spaces with            CU cannot connect to Spaces with CU360
                                                                                             CU360 app or Spaces Room App                   app or Spaces Room App
CU/XT                  1719            Multicast IP address    1718          H.225.0/RAS     Yes;                                  NA       “H.323 Gatekeeper Automatic Discovery”
                                       224.0.0.41 (“all GK”)                 (UDP)           Optional                                       procedure
                                                                                                                                            CU cannot automatically discover a
                                                                                                                                            gatekeeper to which register (only
                                                                                                                                            manual configuration available).
CU/XT                  1719            H323 GK                 1719          H.225.0/RAS     Yes;                                  NA       H.323 call signaling to a GK
                                                                             (UDP)           Recommended                                    CU cannot use the services of a
                                                                                                                                            gatekeeper.
CU/XT/H323 EP          3230-3250*      CU/XT/H323 EP           1720          H.225.0/Q.931    Yes;                                 Open     H.323 call signaling (Q.931)
                                                                                              Mandatory to                                  CU cannot establish H.323 calls
                                                                                              support H.323 calls
CU/XT                  Ephemeral       Avaya Equinox           3336          SM XML API (TCP) Yes;                                 NA       CU requires to iView the list of scheduled
                                       Management(iView)                                      Recommended for Calendar/Roster               meetings or the list of participants in
                                                                                              functionalities                               current meeting
                                                                                                                                            CU cannot
                                                                                                                                            receive the list of
                                                                                                                                            meetings scheduled for
                                                                                                                                            that day or the list of
                                                                                                                                            participants for the current meeting.

CU/XT/H323 EP          Predefined      XT/CU/H323 EP           Predefined    H.245           Yes;                                   Open    H.323 media control signaling (H.245)
                       Range or                                Range or      (TCP)           Mandatory to support H323 calls on TCP         Cannot connect H.323 calls.
                       3230-3250*                              3230-3250*
                       (*if XT/CU)                             (*if XT/CU)
CU/XT/SIP or H323 EP   Predefined      CU/XT/SIP or H323 EP    Predefined    RTP and RTCP    Yes;                                    Open   H.323 and SIP media (audio, video,
                       Range or                                Range or      (UDP)           Mandatory to support H323 calls and SIP        H.224/data RTP) and media control
                       3230-3313*                              3230-3313*                    calls                                          (RTCP)
                       (*if XT/CU)                                                                                                          No media exchanged in the H.323 or SIP
                                                                                                                                            call.
CU/XT, port 3230-3313*  ->  Spaces Media Server, port 3000-4999
    Protocol: RTP and RTCP (UDP) | Optionally enabled/disabled: Yes; mandatory to call Spaces Media servers | Default hardening: NA
    Description: no media exchanged in the H.323 or SIP call if blocked. See Opening Ports for Spaces Connectivity.

CU/XT, port 3478-3479  ->  STUN Server, port 3478-3479
    Protocol: STUN (UDP) | Optionally enabled/disabled: Yes; optional | Default hardening: NA
    Description: Contact the STUN Server. If blocked: cannot discover the presence of a firewall or NAT (only manual configuration available).

CU/XT/SIP EP, port Predefined Range or 3230-3313* (*if XT/CU)  ->  CU/XT/SIP EP, port 5060
    Protocol: SIP (TCP) | Optionally enabled/disabled: Yes; mandatory to support SIP calls on TCP / TLS over TCP | Default hardening: Open
    Description: SIP call signaling. If blocked: cannot connect SIP calls over TCP or TLS over TCP.

CU/XT/SIP EP, port 5060  ->  CU/XT/SIP EP, port 5060
    Protocol: SIP (UDP) | Optionally enabled/disabled: Yes; mandatory to support SIP calls on UDP | Default hardening: Open
    Description: SIP call signaling. If blocked: cannot connect SIP calls over UDP.

CU/XT/SIP EP, port Predefined Range or 3230-3313* (*if XT/CU)  ->  CU/XT/SIP EP / SIP Server or SipGW / Spaces SIP Server (MPaaS), port 5061
    Protocol: SIP (TCP-TLS) | Optionally enabled/disabled: Yes; mandatory to support SIP calls on TCP for TLS | Default hardening: Open
    Description: SIP call signaling for TLS. If blocked: cannot connect SIP calls over TCP for TLS; cannot connect to Spaces using the CU360 App.

CU/XT/SIP EP, port Predefined Range or 5070-5077* (*if CU/XT)  ->  CU/XT/SIP EP, port Predefined Range or 5070-5077* (*if CU/XT)
    Protocol: BFCP (TCP) | Optionally enabled/disabled: Yes; mandatory to support content video in SIP calls | Default hardening: Open
    Description: SIP content (presentation) video signaling. If blocked: no SIP content video available.

CU/XT, port Ephemeral  ->  Avaya Equinox/IX Workspace/Scopia® Desktop Clients, port 8554
    Protocol: RTSP (TCP) | Optionally enabled/disabled: Yes; recommended | Default hardening: NA
    Description: Screen Link. If blocked: CU/XT cannot receive shared desktop content from clients.

NOTES:

         1. * The maximum port range is specified. The port range actually used can be smaller than the specified one, depending on the available license and active settings.
            Check the CU UI (Networks>Preferences>Dynamic ports> Manual mode) for the range in use.
         2. Response data, if any, are sent to the port specified by the source in the request, or to the same port used to receive the request (this is common for UDP).
            Response traffic over a TCP socket is never blocked. Stateful firewalls are usually able to allow response TCP and UDP traffic to flow back for a limited
            amount of time (usually hours for TCP, minutes or less for UDP).
            Unless a source (client) explicitly requests a specific port number for a TCP or UDP socket connection, the source port number used is
            an ephemeral port number.
         3. Ephemeral ports are temporary ports assigned by the client machine's IP stack from a range of ports designated for this purpose.
            When the connection terminates, the ephemeral port becomes available for reuse, although most IP stacks won't reuse that port number until the entire pool
            of ephemeral ports has been used. So, if the client program reconnects, it will be assigned a different ephemeral port number for its side of the new
            connection. Similarly, for UDP/IP, when a datagram is sent by a client from an unbound port number, an ephemeral port number is assigned
            automatically so the receiving end can reply to the sender. The CU uses ephemeral source ports in the range 32768-60999.

   2.3 Port Table Changes
     •      [Issue 1.2] Added details about ports used by Avaya Collaboration Control app (3338, 3339) in 10.1
     •      [Issue 1.2] Added HTTP/HTTPS connection to EWS for calendar.
     •      [Issue 1.3] Avaya Equinox is now called Avaya IX Workspace for some components.
     •      [Issue 1.4] Added details for connection to Spaces.

3. Port Usage Diagram

3.1 Port Usage Diagram Changes
   •   [Issue 1.2] Added icon for Avaya Collaboration Control (ports 3338,3339) in 10.1
   •   [Issue 1.2] Added reference to EWS
   •   [Issue 1.3] Avaya Equinox Clients are now called Avaya IX Workspace Clients.
   •   [Issue 1.3] Extended description for some port usages in the drawing
   •   [Issue 1.4] Added details for Spaces and other SIP/H323 servers.
   •   [Issue 1.4] Removed reference to Scopia Control, now Collaboration Control.

Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?
    TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at
    a particular IP device to the correct upper layer application. These ports are logical descriptors (numbers) that
    help devices multiplex and de-multiplex information streams. For example, your PC may have multiple
    applications simultaneously receiving information: email using destination TCP port 25, a browser using
    destination TCP port 443 and an SSH session using destination TCP port 22. These logical ports allow the PC
    to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Each of the
    mini-streams is directed to the correct high-level application identified by the port numbers. Every IP device
    has incoming (Ingress) and outgoing (Egress) data streams.

    Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and
    UDP streams have an IP address and port number for both source and destination IP devices. The pairing of
    an IP address and a port number is called a socket. Therefore, each data stream is uniquely identified with
    two sockets. Source and destination sockets must be known by the source before a data stream can be sent
    to the destination. Some destination ports are “open” to receive data streams and are called “listening” ports.
    Listening ports actively wait for a source (client) to make contact with the known protocol associated with the
    port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted
    by a source device using port 443, the destination uses the HTTPS protocol for that data stream
    conversation.

Port Types
    Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic Ports
    (sometimes called Private Ports). The Well Known and Registered ports are assigned by IANA (Internet
    Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers.

    Well Known Ports
      Well Known Ports are those numbered from 0 through 1023.
      For the purpose of providing services to unknown clients, a service listen port is defined. This port is used
      by the server process as its listen port. Common services often use listen ports in the well-known port
      range. A well-known port is normally active meaning that it is “listening” for any traffic destined for a specific
      application. For example, well known port 23 on a server is actively waiting for a data source to contact the
      server IP address using this port number to establish a Telnet session. Well known port 25 is waiting for an
      email session, etc. These ports are tied to a well understood application and range from 0 to 1023.

      In UNIX and Linux operating systems, only root may open or close a well-known port. Well Known Ports are
      also commonly referred to as “privileged ports”.

    Registered Ports
      Registered Ports are those numbered from 1024 through 49151.
      Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports
      in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this
      range include: 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248 and others. The registered port
      range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these
      ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by
      two servers with different meanings.

    Dynamic Ports
      Dynamic Ports are those numbered from 49152 through 65535.
     Dynamic ports, sometimes called “private ports”, are available to use for any general purpose. This means
     there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage). These are the
     safest ports to use because no application types are linked to these ports. The dynamic port range is 49152
     – 65535.

Sockets
   A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where
   3009 is the port number paired with the IP address. A data flow, or conversation, requires two sockets
   – one at the source device and one at the destination device. The data flow then has two sockets with a total
   of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is
   unique. The following three data flows are uniquely identified by socket number and/or IP address.

   Data Flow 1:             172.19.19.14:1234 - 10.1.2.3:2345
                            two different port numbers and IP addresses and is a valid and typical socket pair

   Data Flow 2:             172.19.19.14:1235 - 10.1.2.3:2345
                            same IP addresses and port numbers on the second IP address as data flow 1, but since
                            the port number on the first socket differs, the data flow is unique

   Data Flow 3:             172.19.19.14:1234 - 10.1.2.4:2345

   If one IP address octet changes, or one port number changes, the data flow is unique.

                                                Socket Example Diagram

                Client -> Web Server (HTTP GET):   Source 192.168.1.10:1369    Destination 10.10.10.47:80
                Web Server -> Client (TCP info):   Source 10.10.10.47:80       Destination 192.168.1.10:1369

                Figure 1. Socket example showing ingress and egress data flows from a PC to a web server

   The client egress stream includes the client’s source IP and port (1369) and the destination IP and port
   (80). The ingress stream from the server has the source and destination information reversed.

Understanding Firewall Types and Policy Creation
   Firewall Types
     There are three basic firewall types:

       • Packet Filtering
       • Application Level Gateways (Proxy Servers)
       • Hybrid (Stateful Inspection)

      Packet filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has
      its header fields examined against criteria to decide whether to drop the packet or let it through. Routers configured
      with Access Control Lists (ACL) use packet filtering. An example of packet filtering is preventing any source
      device on the Engineering subnet from telnetting into any device in the Accounting subnet.

      Application level gateways (ALG) act as a proxy, preventing a direct connection between the foreign device
      and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes.
      ALGs can also send alerts via email, alarms or other methods and keep log files to track significant events.

      Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and
      making sure they are valid. In addition to looking at headers, the content of the packet, up through the
      application layer, is examined. A stateful inspection firewall also monitors the state of the connection and
      compiles the information in a state table. Stateful inspection firewalls keep ports closed until a connection to
      the specific port is requested. This is an enhancement to security against port scanning [1].

    Firewall Policies
      The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict
      access using IP addresses, port numbers and application types and sub-types.

      This paper focuses on identifying the port numbers used by Avaya products so that effective firewall policies
      can be created without disrupting business communications or opening unnecessary access into the
      network.

      Knowing that the source column in the following matrices is the socket initiator is key in building some types
      of firewall policies. Some firewalls can be configured to automatically create a return path through the
      firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules,
      one for each stream direction, but can also raise security concerns.

      Another feature of some firewalls is to create an umbrella policy that allows access for many independent
      data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing
      endpoints and the servers that serve those endpoints in the same firewall zone.
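      The behaviour described in Notes 2 and 3 above and in this section (the source column is the socket initiator, and a stateful firewall lets the reply flow back without a second rule) can be modelled directly. The following Python is an added illustration and not part of the Avaya document: it encodes a few rows of the matrix above as initiator-direction rules and keeps a state table so that replies are admitted without a rule of their own. The CU address 10.0.0.50, the SIP server 203.0.113.10 and the SIP endpoint 198.51.100.7 are constructed for the example.

```python
from dataclasses import dataclass
# Ranges from the notes above: CU ephemeral source ports (Note 3) and its maximum dynamic range (Note 1).
EPHEMERAL = range(32768, 61000)
CU_DYNAMIC = range(3230, 3314)

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str        # "tcp" or "udp"
    direction: str    # "out": the CU initiates; "in": a peer initiates towards the CU
    src_ports: range
    dst_ports: range

# A few rows of the matrix above, expressed as initiator-direction rules.
RULES = [
    Rule("SIP(TCP-TLS) to SIP server / Spaces", "tcp", "out", CU_DYNAMIC, range(5061, 5062)),
    Rule("SIP(UDP) from a SIP endpoint", "udp", "in", range(5060, 5061), range(5060, 5061)),
    Rule("RTP/RTCP(UDP) from an XT/CU peer", "udp", "in", CU_DYNAMIC, CU_DYNAMIC),
    Rule("STUN(UDP)", "udp", "out", range(3478, 3480), range(3478, 3480)),
    Rule("RTSP(TCP) Screen Link", "tcp", "out", EPHEMERAL, range(8554, 8555)),
]

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulFilter:
    """Admits a flow if it replies to an admitted flow, or if a rule allows it as the initiator."""
    def __init__(self, cu_ip, rules):
        self.cu_ip, self.rules, self.state = cu_ip, list(rules), set()

    def _initiator_allowed(self, f, r):
        right_way = (f.src_ip == self.cu_ip) if r.direction == "out" else (f.dst_ip == self.cu_ip)
        return (f.proto == r.proto and right_way
                and f.src_port in r.src_ports and f.dst_port in r.dst_ports)

    def admit(self, f):
        """Return (allowed, reason). Replies need no rule of their own: the state table covers them (Note 2)."""
        if Flow(f.proto, f.dst_ip, f.dst_port, f.src_ip, f.src_port) in self.state:
            return True, "established: reply to an admitted flow"
        for r in self.rules:
            if self._initiator_allowed(f, r):
                self.state.add(f)  # a real firewall expires this entry (hours for TCP, minutes for UDP)
                return True, "new: " + r.name
        return False, "drop: no matching rule and not a reply"

def demo():
    """Constructed addresses: CU 10.0.0.50, SIP server 203.0.113.10, SIP endpoint 198.51.100.7."""
    fw = StatefulFilter("10.0.0.50", RULES)
    return [
        fw.admit(Flow("tcp", "10.0.0.50", 3240, "203.0.113.10", 5061))[0],   # CU opens SIP over TLS
        fw.admit(Flow("tcp", "203.0.113.10", 5061, "10.0.0.50", 3240))[0],   # server's reply: established
        fw.admit(Flow("tcp", "203.0.113.10", 5061, "10.0.0.50", 3241))[0],   # unsolicited inbound: dropped
        fw.admit(Flow("udp", "198.51.100.7", 5060, "10.0.0.50", 5060))[0],   # inbound SIP over UDP: open
        fw.admit(Flow("tcp", "10.0.0.50", 40000, "198.51.100.7", 8554))[0],  # Screen Link from an ephemeral port
        fw.admit(Flow("tcp", "10.0.0.50", 3240, "203.0.113.10", 5062))[0],   # wrong destination port: dropped
    ]
```

      Each rule here covers one direction only; the third flow shows why that matters: a peer contacting the CU's dynamic range on its own is dropped even though the same two sockets were just allowed as a reply.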

[1] The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a
    computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but
    port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
