TFTP : Quick Definition
TFTP is the part of Call Manager that stores every phone's configuration files so that the phone can retrieve them during its boot sequence. The TFTP server's IP address is communicated to the IP phones through DHCP option 150. Keep in mind that TFTP itself carries no authentication, so what a phone loads at boot depends entirely on the DHCP answer pointing it at the right server.
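As an added example (not code from the original page), the following Python parses the options field of a DHCP OFFER/ACK, extracts the option 150 server list the phone will use, and compares it against the TFTP servers you expect. A rogue DHCP server on the phone VLAN that hands out a different option 150 redirects every rebooting phone to its own TFTP server, so this is the value worth watching. The options blob, the option codes other than 150, and the allowlist are constructed for the example.

```python
"""
Added example: decode DHCP option 150 (TFTP server address, RFC 5859) and flag
servers that are not on the allowlist. Sample data is constructed, not captured.
"""
import ipaddress

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_TFTP_SERVER_ADDRESS = 150      # list of IPv4 addresses, 4 bytes each


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the TLV option list that follows the magic cookie into {code: value}."""
    if options[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, result = 4, {}
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        # A code may repeat; RFC 3396 says the pieces are concatenated
        result[code] = result.get(code, b"") + value
        i += 2 + length
    return result


def tftp_servers(options: bytes) -> list:
    """Return the option 150 addresses in the order the phone will try them."""
    raw = parse_dhcp_options(options).get(OPT_TFTP_SERVER_ADDRESS, b"")
    if len(raw) % 4:
        raise ValueError("option 150 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i : i + 4])) for i in range(0, len(raw), 4)]


def unexpected_tftp_servers(options: bytes, allowed: set) -> list:
    """Servers advertised in option 150 that are not the ones we run."""
    return [s for s in tftp_servers(options) if s not in allowed]


def build_options(*opts) -> bytes:
    """Assemble a constructed options blob (code, value) pairs for the sample."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return DHCP_MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed OFFER advertising two TFTP servers; only the first one is ours
SAMPLE_OPTIONS = build_options(
    (53, b"\x02"),                                       # DHCP message type: OFFER
    (54, ipaddress.IPv4Address("10.0.0.1").packed),      # server identifier
    (OPT_TFTP_SERVER_ADDRESS,
     ipaddress.IPv4Address("10.10.10.10").packed
     + ipaddress.IPv4Address("192.0.2.66").packed),
)
EXPECTED_TFTP = {"10.10.10.10", "10.10.10.11"}           # assumed Call Manager TFTP servers

if __name__ == "__main__":
    print("option 150:", tftp_servers(SAMPLE_OPTIONS))
    print("not on allowlist:", unexpected_tftp_servers(SAMPLE_OPTIONS, EXPECTED_TFTP))
```

Run it against options copied out of a capture of the phone VLAN (everything after the magic cookie in the BOOTP options field); the same parser also exposes option 54 (server identifier), which tells you which DHCP server produced the rogue answer.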
DNS is the service that associates a name (a hostname or URL) with an IP address. Using names instead of IP addresses adds a point of failure: if your DNS is down, the phones can no longer resolve the Call Manager's address. But it is very helpful in a DR scenario, where you need to point the phones at a server with a different IP address and can do so by changing only the DNS record.
To work correctly with your voice flows, a NAT device must inspect the Layer 3 and Layer 4 protocol and port information and sometimes the embedded payload as well, because the signaling protocols carry IP addresses and port numbers inside the message body.
The Cisco IOS NAT ALG supports the following VoIP protocols:
- H323v2
- H225
- H245
- RAS
- SIP
- SCCP
If you change the default port number of one of these protocols, you must also change it in the NAT configuration with the command ip nat service <<protocol>> tcp port <<port-number>>; otherwise NAT no longer recognises the signaling on the new port and does not rewrite the addresses embedded in it.
Pay attention also that NAT does not support encrypted voice signaling: when the signaling is encrypted (for example secure SCCP on TCP/2443), the ALG can neither read nor rewrite the addresses and ports carried in the payload.
Firewalls are commonly used to protect networks, including those that transport voice traffic. Firewalls inspect packet headers and sometimes the payload as well. Stateful firewalls also keep state information so that they know which packets belong to an already permitted flow and should be allowed.
For voice traffic, the firewall must permit the signaling protocols (MGCP, H.323, SIP, SCCP) as well as the media (RTP and RTCP). The media is the hard part: RTP and RTCP use a large range (UDP 16384-32768, thousands of ports), so the firewall either opens that whole range statically or, preferably, inspects the signaling and opens only the ports negotiated for each call.
Be careful also about where you place your VPN gateway relative to the firewall. If the VPN gateway sits in front of the firewall, the IPsec encapsulation is added or removed before the traffic reaches the firewall, so the firewall can inspect it. If the VPN gateway sits behind the firewall, the firewall only ever sees IPsec and can no longer inspect the traffic, so the tunnel becomes a path around your policy and a backdoor for an intruder. The same reasoning applies to where NAT is performed relative to the firewall: the firewall must see the addresses its rules are written for.
Note also that the firewall ALG does not work with encrypted signaling, for the same reason as NAT: it cannot open media pinholes from a signaling message it cannot read.
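The following Python is an added example (not code from the page) that serves both the NAT ALG passage above and this firewall ALG note. It shows what the ALG has to do to a SIP INVITE: a plain Layer 3/4 NAT rewrites only the IP and UDP headers, but the phone's private address is also embedded in the Via and Contact headers and in the SDP body (o=, c=, m=), so without the ALG the far end would send responses and media to an unroutable 10.x address. It also shows the pinholes the firewall can derive from the SDP instead of opening the whole RTP range, and why none of this is possible once the signaling is encrypted. The message contents, the addresses and the port allocator are constructed for the example.

```python
"""
Added example: a minimal SIP/SDP ALG rewrite for a phone behind NAT, and the
check that fails once the signaling payload is a TLS record. Constructed data.
"""
import re

CRLF = "\r\n"
INSIDE_IP, OUTSIDE_IP = "10.1.1.20", "203.0.113.5"   # phone / NAT outside (assumed)


def build_invite(ip: str, media_port: int) -> str:
    """Constructed INVITE as a phone at `ip` behind the NAT would send it."""
    sdp = CRLF.join([
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {ip}",
        f"c=IN IP4 {ip}",
        f"m=audio {media_port} RTP/AVP 0",
        "",
    ])
    headers = CRLF.join([
        "INVITE sip:bob@example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK776",
        "From: <sip:alice@example.com>;tag=1928",
        "To: <sip:bob@example.net>",
        f"Contact: <sip:alice@{ip}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp.encode())}",
    ])
    return headers + CRLF + CRLF + sdp


def allocate_outside_port(inside_port: int) -> int:
    """Toy allocator standing in for the NAT's translation table (assumption)."""
    return 30000 + (inside_port - 16384)


def sip_alg_rewrite(msg: str, inside_ip: str, outside_ip: str, allocate) -> tuple:
    """Rewrite the embedded inside address/port; return (message, pinholes).

    pinholes is the list of (proto, outside_port) the firewall must open so the
    RTP and RTCP of this call can come back in: two ports, not 16384-32768.
    """
    head, sep, body = msg.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("not a SIP message with a body")
    # Signaling headers that carry the caller's own address
    head_lines = [
        line.replace(inside_ip, outside_ip) if line.startswith(("Via:", "Contact:")) else line
        for line in head.split(CRLF)
    ]
    pinholes, body_lines = [], []
    for line in body.split(CRLF):
        if line.startswith(("o=", "c=")):            # SDP origin and connection address
            line = line.replace(inside_ip, outside_ip)
        elif line.startswith("m="):                  # media line: port gets translated
            fields = line.split(" ")
            outside_port = allocate(int(fields[1]))
            fields[1] = str(outside_port)
            line = " ".join(fields)
            # RTP on the negotiated port, RTCP on the next one (RFC 3550 convention)
            pinholes += [("udp", outside_port), ("udp", outside_port + 1)]
        body_lines.append(line)
    new_body = CRLF.join(body_lines)
    # The rewrite changes the body length, so Content-Length must be fixed too
    head_lines = [
        f"Content-Length: {len(new_body.encode())}" if line.startswith("Content-Length:") else line
        for line in head_lines
    ]
    return CRLF.join(head_lines) + CRLF + CRLF + new_body, pinholes


SIP_START = re.compile(rb"^(INVITE|REGISTER|ACK|BYE|CANCEL|OPTIONS|SIP/2\.0) ")


def alg_can_inspect(payload: bytes) -> bool:
    """The ALG only works on what it can parse. A TLS record (0x16 handshake or
    0x17 application data, then version 0x03xx) hides the SIP message, so no
    address rewrite and no pinhole is possible: that is the encryption caveat."""
    if payload[:1] in (b"\x16", b"\x17") and payload[1:2] == b"\x03":
        return False
    return SIP_START.match(payload) is not None


# Constructed TLS record header (ClientHello) as seen on a SIP-over-TLS flow
TLS_RECORD = b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26\x03\x03"

if __name__ == "__main__":
    rewritten, holes = sip_alg_rewrite(build_invite(INSIDE_IP, 16384),
                                       INSIDE_IP, OUTSIDE_IP, allocate_outside_port)
    print(rewritten)
    print("pinholes:", holes, "| TLS payload inspectable:", alg_can_inspect(TLS_RECORD))
```

The rewrite is deliberately limited to the fields a NAT ALG must touch; a real ALG also tracks the dialog so it can close the pinholes on BYE, which is exactly the state it cannot build when the signaling is encrypted.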
Also be aware that, by default, Cisco firewalls and their ALGs do not natively support Unity, IPCC Express, IPCC Enterprise, Attendant Console or SCCP video. You then have to configure the firewall manually to permit the traffic on the ports these applications use.
Here, as a reminder, is a collection of the TCP/UDP ports used in an IP Telephony network:
| PORT | PURPOSE |
| --- | --- |
| TCP/1433 | SQL |
| TCP/2552 | Call Manager database change notifications |
| TCP/2555 | RIS database server |
| TCP/2556 | RIS database client |
| UDP/3000 | Receive change notification from Call Manager database |
| UDP/3001 | Database change notification from publisher to applications |
| UDP/3020 | Dialed Number Analyzer plug-in database |
| TCP/3372 | SQL Distributed Transaction Coordinator |
| TCP/7727 | Application database change notification (CTI, voicemail, and so on) |
| TCP/8001 | Client database change notification |
| TCP/8002 | Intracluster Communication Service (ICCS) |
| TCP/8003 | Intracluster Communication Service (ICCS) |
| TCP/8009 | Internal Tomcat requests |
| TCP/8111 | IPMA web requests |
| TCP/8222 | Extension Mobility web requests |
| TCP/8333 | WebDialer web requests |
| TCP/8444 | Extension Mobility service requests |
| TCP/8555 | Apache-SOAP web requests |
| TCP/8666 | IPMA web requests for non-default locales |
| TCP/8777 | Tomcat manager web requests |
| TCP/9007 | CDR Analysis and Reporting (CAR) web requests |
| TCP/102 | Directory Access Protocol (DAP) for DC Directory |
| TCP/8404 | LDAP (Lightweight Directory Access Protocol) for DC Directory |
| TCP/8405 | LDAPS for DC Directory |
| TCP/389 | LDAP query to external directory (AD, Netscape) |
| TCP/636 | LDAPS query to external directory (AD, Netscape) |
| TCP/2000 | SCCP |
| TCP/2443 | Secure SCCP (SCCPS) |
| TCP/3804 | CAPF |
| UDP/16384-32768 | RTP, SRTP |
| TCP/4224 | Cisco VT Advantage |
| UDP/1718 | Gatekeeper H.225 discovery |
| UDP/1719 | Gatekeeper H.225 RAS |
| TCP/1720 | H.225 signaling for H.323 gateways and Inter-Cluster Trunk (ICT) |
| UDP/2427 | MGCP gateway control |
| TCP/2428 | MGCP gateway backhaul |
| TCP/UDP/5060 | SIP gateway and Inter-Cluster Trunk |
| TCP/2444 | CTL Provider |
| TCP/2748 | CTI application server |
| TCP/2789 | JTAPI application server |
| TCP/2912 | IPMA server |
| TCP/1099-1129 | Attendant Console |
| UDP/3223 | Attendant Console |
| UDP/4321 | Attendant Console |
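The port table is only useful once it is turned into policy, so here is an added example (not from the page) that audits firewall flow records against it. The point is not the lookup but the rules around it: phones should reach Call Manager only on signaling and provisioning ports, media between phones must stay inside the UDP 16384-32768 range, and the database and intracluster ports (SQL, RIS, ICCS, Tomcat manager) must never be reachable from the phone VLAN. The zone subnets, the log format, the log lines and the split of the table into "phone-facing" and "cluster-only" groups are assumptions made for this example.

```python
"""
Added example: classify constructed firewall flow records against the voice
port table and report flows that break the intended voice segmentation.
"""
import ipaddress

# Signaling and provisioning ports a phone legitimately opens to Call Manager
PHONE_TO_CUCM = {
    ("tcp", 2000): "SCCP", ("tcp", 2443): "SCCPS",
    ("tcp", 5060): "SIP", ("udp", 5060): "SIP",
    ("tcp", 3804): "CAPF", ("tcp", 2444): "CTL Provider",
    ("tcp", 8444): "Extension Mobility service",
}
# Database and intracluster ports: publisher/subscriber and app servers only (assumed split)
CLUSTER_ONLY = {
    ("tcp", 1433): "SQL", ("tcp", 2552): "DB change notification",
    ("tcp", 2555): "RIS database server", ("tcp", 2556): "RIS database client",
    ("tcp", 8002): "ICCS", ("tcp", 8003): "ICCS",
    ("tcp", 8777): "Tomcat manager",
}
RTP_PORTS = range(16384, 32768 + 1)       # UDP media range from the table

# Constructed addressing for the example
PHONE_VLAN = ipaddress.ip_network("10.20.0.0/16")
CUCM_SERVERS = ipaddress.ip_network("10.10.10.0/24")


def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in PHONE_VLAN:
        return "phones"
    if addr in CUCM_SERVERS:
        return "cucm"
    return "other"


def parse_flow(line: str) -> dict:
    """Constructed log format: '<action> <proto> <src>:<sport> <dst>:<dport>'."""
    action, proto, src, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"action": action, "proto": proto, "src": src_ip, "dst": dst_ip, "dport": int(dport)}


def audit(flow: dict):
    """Return a finding string, or None when the flow matches the voice policy."""
    key = (flow["proto"], flow["dport"])
    src_zone, dst_zone = zone(flow["src"]), zone(flow["dst"])
    if key in CLUSTER_ONLY and src_zone != "cucm":
        return (f"{CLUSTER_ONLY[key]} ({flow['proto']}/{flow['dport']}) reached "
                f"from {src_zone} zone by {flow['src']}")
    if src_zone == "phones" and dst_zone == "phones":
        if flow["proto"] == "udp" and flow["dport"] in RTP_PORTS:
            return None                          # RTP/RTCP media between phones
        return f"non-media flow between phones: {flow['proto']}/{flow['dport']}"
    if src_zone == "phones" and dst_zone == "cucm":
        if key in PHONE_TO_CUCM:
            return None                          # signaling or provisioning
        return (f"phone {flow['src']} to Call Manager on unexpected port "
                f"{flow['proto']}/{flow['dport']}")
    return None


def audit_log(lines) -> list:
    return [f for f in (audit(parse_flow(line)) for line in lines) if f]


# Constructed flow records (not a real capture)
SAMPLE_LOG = [
    "permit tcp 10.20.1.5:49152 10.10.10.10:2000",    # SCCP registration: fine
    "permit udp 10.20.1.5:16400 10.20.3.9:24000",     # RTP inside the range: fine
    "permit udp 10.20.1.5:5004 10.20.3.9:40000",      # UDP outside the range: flag
    "permit tcp 10.20.1.7:50010 10.10.10.10:1433",    # SQL from a phone: flag
    "permit tcp 10.10.10.10:40001 10.10.10.11:8002",  # ICCS publisher to subscriber: fine
    "permit tcp 10.20.1.8:50011 10.10.10.10:22",      # SSH from the phone VLAN: flag
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Run against permitted flows, not denies: a "permit" hitting TCP/1433 from the phone VLAN means the firewall rule set is wider than the table, which is exactly the gap an attacker on a phone port would use.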