DNS : Quick Definition

DNS is the service that associates a name (a hostname or URL) with an IP address. Using names instead of IP addresses introduces a new failure point: if your DNS is down, you can no longer resolve any IP addresses. It is very helpful, however, in a DR (disaster recovery) scenario, where you need to point the servers to a different IP address.

Network Address Translation – NAT

To work correctly with your voice flows, a NAT device must inspect the Layer 3 and Layer 4 protocol and port information, and sometimes the embedded payload as well.

Cisco IOS NAT ALG can support the following VoIP protocols:

  • H323v2
  • H225
  • H245
  • RAS
  • SIP
  • SCCP

So if you change the default port number of one of these protocols, you also have to change it in the NAT configuration with the following command: ip nat service <<protocol>> tcp port <<port-number>>.

Note also that NAT does not support encrypted voice signaling, since it cannot inspect the encrypted payload.

Firewalls and Application Layer Gateway – ALG

Firewalls are commonly used to protect networks, including those that transport voice traffic. Firewalls inspect the packet headers and can sometimes also inspect the payload. Stateful firewalls additionally maintain state information, so they know which traffic belongs to a permitted flow and should be allowed.

For voice traffic, the required protocols must be permitted: MGCP, H.323, SIP, SCCP, RTP and RTCP. For RTP and RTCP the permitted range must be much larger, since they use thousands of ports.

Also be careful where you place your VPN gateway. If the VPN gateway is placed in front of the firewall, the IPsec encapsulation is added or removed before the firewall, so the firewall can inspect the traffic. If the VPN gateway is behind the firewall, the firewall can no longer inspect that traffic, which could become a backdoor for an intruder. The same applies to the placement of NAT relative to your firewall.

Note also that ALG does not work with encrypted signaling.

Also note that, by default, Cisco firewalls/ALGs do not natively support Unity, IPCC Express, IPCC Enterprise, Attendant Console and SCCP video. You then have to configure your firewall manually to authorize the traffic on these ports.

TCP/UDP Port List

Here, as a reminder, is a collection of the TCP/UDP ports used in an IP Telephony network:

PORT PURPOSE
TCP/1433 SQL
TCP/2552 Call Manager database change notifications
TCP/2555 RIS database server
TCP/2556 RIS database client
UDP/3000 Receive change notification from Call Manager database
UDP/3001 Database change notification from publisher to applications
UDP/3020 Dialed Number Analyzer plug-in database
TCP/3372 SQL Distributed Transaction Coordinator
TCP/7727 Application database change notification, CTI, voicemail, and so on
TCP/8001 Client database change notification
TCP/8002 Intracluster Communication Service
TCP/8003 Intracluster Communication Service
TCP/8009 Internal Tomcat requests
TCP/8111 IPMA Web requests
TCP/8222 Extension Mobility web requests
TCP/8333 Webdialer web requests
TCP/8444 Extension Mobility service requests
TCP/8555 Apache-SOAP web requests
TCP/8666 IPMA web requests for nondefault locales
TCP/8777 Tomcat manager web requests
TCP/9007 CDR Analysis and Recording web requests
TCP/102 Directory Access Protocol (DAP) for DC Directory
TCP/8404 Local Directory Access Protocol (LDAP) for DC Directory
TCP/8405 LDAPS for DC Directory
TCP/389 LDAP query to external directory (AD, Netscape)
TCP/636 LDAPS query to external directory (AD, Netscape)
TCP/2000 SCCP
TCP/2443 Secure SCCP (SCCPS)
TCP/3804 CAPF
UDP/16384 – 32768 RTP,SRTP
TCP/4224 Cisco VT Advantage
UDP/1718 Gatekeeper H225 Discovery
UDP/1719 Gatekeeper H225 RAS
TCP/1720 H225 signaling services for H323 gateways and Inter-Cluster Trunk (ICT)
UDP/2427 MGCP gateway control
TCP/2428 MGCP gateway backhaul
TCP/UDP/5060 SIP Gateway and Inter-Cluster Trunk
TCP/2444 CTL Provider
TCP/2748 CTI Application Server
TCP/2789 JTAPI Application Server
TCP/2912 IPMA Server
TCP/1099-1129 Attendant Console
UDP/3223 Attendant Console
UDP/4321 Attendant Console
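The port list above is what a firewall policy for the voice segment is built from. As an added example (not part of the original notes), the Python below parses rows written in the page's own format, including the RTP range and the TCP/UDP double entry, and audits constructed log lines against them, flagging denied voice flows and permitted flows the list does not cover. The log format, the addresses and the function names are assumptions.

```python
import re
# Rows copied from the port list above, in the page's own "PROTO/port purpose" shape.
PORT_TABLE = """\
TCP/2000 SCCP
UDP/16384 – 32768 RTP,SRTP
UDP/2427 MGCP gateway control
TCP/UDP/5060 SIP Gateway and Inter-Cluster Trunk
TCP/1099-1129 Attendant Console
"""
ROW_RE = re.compile(r"^((?:TCP|UDP)(?:/(?:TCP|UDP))?)/(\d+)(?:\s*[-–]\s*(\d+))?\s+(.+)$")

def parse_port_table(text):
    """Return (proto, low, high, purpose) tuples, one per protocol per row."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m: continue  # header or unparseable row
        protos, lo, hi, purpose = m.groups()
        for proto in protos.split("/"):  # "TCP/UDP" rows yield two rules
            rules.append((proto.lower(), int(lo), int(hi or lo), purpose))
    return rules

def classify(rules, proto, port):
    # Purpose of a destination port under the voice policy, or None if unlisted.
    for p, lo, hi, purpose in rules:
        if p == proto.lower() and lo <= port <= hi:
            return purpose
    return None

# Constructed log lines in a hypothetical "action proto src > dst:port" format.
SAMPLE_LOG = [
    "deny tcp 10.1.1.5 > 10.2.2.10:2000",     # SCCP registration blocked: phones fail
    "permit udp 10.1.1.5 > 10.2.2.10:20000",  # RTP inside 16384-32768: expected
    "permit tcp 10.1.1.5 > 10.2.2.10:22",     # not a voice port: policy too wide
    "permit udp 10.1.1.5 > 10.2.2.10:40000",  # above the RTP range: policy too wide
]
LOG_RE = re.compile(r"^(permit|deny)\s+(tcp|udp)\s+(\S+)\s*>\s*(\S+):(\d+)$")

def audit_log(rules, lines):
    """Flag denied voice flows (broken calls) and permitted non-voice flows."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m: continue
        action, proto, src, dst, port = m.groups()
        purpose = classify(rules, proto, int(port))
        if action == "deny" and purpose:
            findings.append(f"voice flow blocked: {proto}/{port} ({purpose}) {src}->{dst}")
        elif action == "permit" and not purpose:
            findings.append(f"unexpected permit: {proto}/{port} {src}->{dst}")
    return findings
```

Run `audit_log(parse_port_table(PORT_TABLE), SAMPLE_LOG)` to get the three findings for the sample lines; feeding the full table from the page into PORT_TABLE widens the policy accordingly.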
