
UDP/TCP ports that need to be open on firewall for IP Softphone


VOIPeng (IS-IT--Management), Apr 22, 2002
Can you please tell me the ports and protocol that the IP Softphone/Agent use, so I can set the firewall to allow IP Softphone/Agent access for telecommuters? If you can supply me the link of where this information is it would be much appreciated.

Thank you
VOIPeng
 
I don't know off-hand, but you can download a free-ware sniffer called ethereal at and then you can get some H.323 decodes at
One of the issues with the RTP and RTCP protocols is that they use dynamic port assignment. RTP is typically UDP and RTCP is typically TCP. Normally they will be assigned with a pair of ports, like RTP on 1024 and RTCP on 1025. Can't recall which uses odd and which uses even off-hand.

Many H.323 implementations do not handle NAT very well either (like at all), so if you are trying to go through the firewall to the outside world, you may be SOL. It depends on the implementation.

If you find out, please post the info here or at least send it to me at spyke_at_erols.com.
 
My guess is that the Medpro uses the ports assigned on the form change ip-interface on the Min port and Max port, like you said: you take the total number of IP stations and multiply it by 2 and add one, starting with an even number.

Other ports are according to the 4600 series Administration Guide: "The default value for MCPORT is 1719. DEFINITY must be administered to use a port within the proper range for the specific LAN, and the IP Telephone(s) will copy that port. A related parameter is PORTAUD, which is the RTP port used by DEFINITY. In accordance with standards RFC 1889 and 1890, the IP Telephone uses a default value for PORTAUD of 5004. MCPORT and PORTAUD are both administerable." So now we add UDP ports 1719 (Call server transport-layer port number) and 5004 (transport-layer port number for audio).

I'll look into this more, let me know if anyone else has more on this issue.

Thanks,
VOIPeng
 
I am curious how you are trying to go about this. Are you letting users who are on the internet into your network, or are you allowing people who are inside your network to access a Definity that is outside your network, or are you simply segmenting and firewalling your internal network?

If you are allowing Internet attached users into your network, you may have trouble with any dynamically assigned ports on the server end, but it sounds like Avaya uses just the assigned ports.

Also, if the users are doing NAT on their end (many ISPs do this) then the Definity may not set up the call at all.

Have you tried it with the firewall in bypass mode, just to be certain that your configuration works?

What I have read in RFC 1889 and 1890 indicates that the RTP and RTCP ports can be dynamically assigned, because we would be dealing with unicast sessions. However, there is nothing that says that Lucent developed their system with dynamic port assignment. Just because it is allowed, doesn't mean that it must be that way.

Excerpt from RFC 1889:

-----------------------------------------------------------
RTP session: The association among a set of participants communicating with RTP. For each participant, the session is defined by a particular pair of destination transport addresses (one network address plus a port pair for RTP and RTCP). The destination transport address pair may be common for all participants, as in the case of IP multicast, or may be different for each, as in the case of individual unicast network addresses plus a common port pair. In a multimedia session, each medium is carried in a separate RTP session with its own RTCP packets. The multiple RTP sessions are distinguished by different port number pairs and/or different multicast addresses.
-----------------------------------------------------------

Excerpt from RFC 1890:

-----------------------------------------------------------
Applications operating under this profile may use any such UDP port pair. For example, the port pair may be allocated randomly by a session management program. A single fixed port number pair cannot be required because multiple applications using this profile are likely to run on the same host, and there are some operating systems that do not allow multiple processes to use the same UDP port with different multicast addresses.

However, port numbers 5004 and 5005 have been registered for use with this profile for those applications that choose to use them as the default pair. Applications that operate under multiple profiles may use this port pair as an indication to select this profile if they are not subject to the constraint of the previous paragraph.

Applications need not have a default and may require that the port pair be explicitly specified. The particular port numbers were chosen to lie in the range above 5000 to accommodate port number allocation practice within the Unix operating system, where port numbers below 1024 can only be used by privileged processes and port numbers between 1024 and 5000 are automatically assigned by the operating system.
-----------------------------------------------------------

I have worked with platforms that use static port numbers for the RTP and RTCP, and it is possible to put them behind a firewall. I've also had problems with NAT, especially when the system uses the source IP address as the call identifier.

Don't forget that you will need to add TCP port 5005 to support the RTCP.
 
With our application the clients at home will be connecting in via VPN, then accessing the Definity using the private IP addressing scheme, so there will be no issues with NAT translations. I would not recommend anyone leave these ports open to the Internet directly, as it leaves a portal for hackers; all traffic should be authenticated. I agree with you that if there is NAT taking place between the client and the Definity it is nearly impossible to get it to work properly.

The firewall would be within the internal infrastructure segmenting LANs, specifically the Voice LAN from the Data LAN.


So from our discussion so far we have found the following ports are used:
UDP 1719 MCPORT
UDP 5004 PORTAUD
TCP 5005 RTCP
And UDP ports assigned on ip-interface

I guess the only way to completely find out is to test, but I think that these, as well as UDP 69 for TFTP on an IP Hardphone, would allow access.

Any help is much appreciated,
VOIPeng
 
Excellent!

VPN is definitely the way to go. That also protects the Audio portion of the call, which many people forget is simply encoded audio and can be decoded by anyone with a compatible CODEC.

I also like the separate LANs. I preach that all of the time for various reasons, not the least of which is QoS. Then I get into the really messy stuff about eavesdropping.

I do use some H.323 devices that work even with NAT, but it is an open source solution and doesn't allow calling to the PSTN. It also doesn't do any authentication, so anyone can be anyone else.

Sounds like you are ready to test. I'd be interested if you find that you have to open anything else.
 
Go to Program Options, Event Logging in IP Agent and make sure Enable logging for DEFINITY Login is checked. You can then view the pwregistLog file (located in the DEFINITY IP Service Provider folder - or view in the Event Logging window in IP Agent) and see the ports that are being used during login. An Avaya TSO tech said that UDP ports 1719,1720, & 5002 would be used, but we're seeing 1719 & 4200 in the logs. Also, we put a sniffer on the remote end, and the sniffer op said he saw TCP port 1719 being used, not UDP...let me know what anyone else finds out, the info is somewhat cloudy on the Avaya side...

[yinyang]
 
I'm using R3V2 softphone via VPN AND NAT. The VPN client I use gives the local IP when the VPN session is established. The R3V2 softphone asks for this local address when it initializes. Works like a charm! -CL
 
Hello all,

Protocols and Ports: The C-LAN is used for call control (signaling) and the MedPro is used for audio.
The following tables list the protocols and ports used by both boards:

C-LAN:
UDP 1719 RAS - IP station registration (could also be TCP; not sure, just try or use a sniffer)
TCP 1720 H.225 call setup
TCP 1037 CCMS signaling (phone display updates)

MedPro:
UDP 2048 – 65535 (configurable)
UDP 2048 – 3049 (R9.5 default)
(RTP-encapsulated audio)

Apart from this (as already mentioned by VOIPeng), if you use hardphones (TFTP), or LDAP or whatever, you should open those ports as well. Please also remember that there is no such thing as a default firewall config; you should always try things out, close the FW a little more, then try again, etc.

Last but not least: the number of open UDP ports (MedPro) should at least be (in a static config) the maximum number of simultaneous calls times 2 (RTP + RTCP). Some FWs can also do dynamic filtering, by looking in the IP packet for H.323 messages. This works fine, but usually means a lot of overhead (because this is mainly done in software, as opposed to hardware filtering).

Another thing you can try (with hardphones at least) is to use the company identifier in the MAC address to give out a special range of IPs which you can use to filter traffic.

Regards,
Nico
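An added example, not code from this thread or from Avaya, that turns VOIPeng's port summary and Nico's C-LAN/MedPro table into a checkable allow-list for the Data LAN to Voice LAN firewall: it sizes the MedPro UDP range from the maximum number of simultaneous calls (two ports per call, even RTP / odd RTCP), audits a constructed sniffer summary of a test call against the rules, and goes one step beyond the posts by rendering iptables lines. The 10.0.0.0/24 voice subnet, the flow lines and the iptables form are assumptions, not what the poster's firewall uses.

```python
"""Added example: build the C-LAN/MedPro allow-list the thread converges on
and audit a constructed sniffer summary against it. Ports come from the posts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str   # "udp" or "tcp"
    low: int     # first destination port, inclusive
    high: int    # last destination port, inclusive
    note: str


def medpro_range(min_port: int, max_calls: int) -> tuple:
    """Each call needs an RTP/RTCP pair (even RTP, odd RTCP), so a static
    config reserves 2 * max_calls ports starting on an even port."""
    start = min_port if min_port % 2 == 0 else min_port + 1
    return start, start + 2 * max_calls - 1


def build_rules(max_calls: int, min_port: int = 2048, hardphones: bool = False) -> list:
    """Signaling ports from Nico's table plus an audio range sized for max_calls."""
    low, high = medpro_range(min_port, max_calls)
    rules = [
        Rule("udp", 1719, 1719, "RAS registration (MCPORT)"),
        Rule("tcp", 1720, 1720, "H.225 call setup"),
        Rule("tcp", 1037, 1037, "CCMS signaling"),
        Rule("udp", low, high, "MedPro RTP/RTCP audio"),
    ]
    if hardphones:  # VOIPeng's note: IP hardphones also load firmware/config by TFTP
        rules.append(Rule("udp", 69, 69, "TFTP for IP hardphones"))
    return rules


def is_allowed(rules, proto: str, port: int) -> bool:
    return any(r.proto == proto and r.low <= port <= r.high for r in rules)


def audit_flows(rules, flows) -> list:
    """flows: 'proto dst_port' lines as a sniffer summary of a test call would give
    (constructed here). Returns the (proto, port) pairs the rule set would drop."""
    blocked = []
    for line in flows:
        proto, port = line.split()
        if not is_allowed(rules, proto.lower(), int(port)):
            blocked.append((proto.lower(), int(port)))
    return blocked


def render_iptables(rules, voice_net: str = "10.0.0.0/24") -> list:
    """One possible rendering (assumed voice subnet) for the Data->Voice LAN boundary."""
    return [f"iptables -A FORWARD -p {r.proto} -d {voice_net} --dport {r.low}:{r.high}"
            f" -j ACCEPT  # {r.note}" for r in rules]
```

With 501 calls the computed range is 2048-3049, the R9.5 default Nico lists; a flow to UDP 4200, which yinyang saw in the pwregistLog, would be reported as blocked, which is exactly the kind of finding a bypass-mode test should surface before the rules go live.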
 
Has anyone tried using the IP agent through Cisco's 3000 vpn concentrators?

I haven't been able to get it to work.
 