Samsung VC240, Scopia Series Reference Manual

RADVISION Port Security
Reference Guide
Version 7.6
© 2000-2011 RADVISION Ltd. All intellectual property rights in this publication are owned by RADVISION Ltd. and are protected by United States copyright laws, other applicable copyright laws and international treaty provisions. RADVISION Ltd. retains all rights not expressly granted.
All product and company names herein may be trademarks of their registered owners. This publication is RADVISION confidential. No part of this publication may be reproduced in any form whatsoever or used
to make any derivative work without prior written approval by RADVISION Ltd. No representation of warranties for fitness for any purpose other than what is specifically mentioned in this guide is made
either by RADVISION Ltd. or its agents. RADVISION Ltd. reserves the right to revise this publication and make changes without obligation to notify any person of
such revisions or changes. RADVISION Ltd. may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this publication, it is furnished under a license agreement included with the product as a separate document. If you are unable to locate a copy, please contact RADVISION Ltd. and a copy will be provided to you.
Unless otherwise indicated, RADVISION registered trademarks are registered in the United States and other territories. All registered trademarks recognized.
For further information contact RADVISION or your local distributor or reseller.
Reference Guide for RADVISION Port Security Version 7.6, March 2011
http://www.radvision.com
RADVISION | Reference Guide for RADVISION Port Security Version 7.6
Port Security Reference Guide
This document details the use of TCP/IP/UDP ports throughout the SCOPIA Solution, organized by product name.
Each port entry includes a description of the protocol used by the specific port, the role that the port serves, the direction of traffic through the port (in, out or both), and the results of blocking the port on the firewall.
The following SCOPIA Solution products are described in this document:
SCOPIA Elite MCU ............................................................................... page 4
SCOPIA Video Gateway for Microsoft Lync .................................................. page 8
SCOPIA ECS Gatekeeper........................................................................ page 9
SCOPIA iVIEW Management Suite............................................................ page 12
SCOPIA PathFinder............................................................................. page 15
SCOPIA Desktop ................................................................................ page 21
SCOPIA XT Desktop Server.................................................................... page 26
SCOPIA XT1000 ................................................................................. page 28
SCOPIA VC240................................................................................... page 30
SCOPIA Gateway................................................................................ page 32
3G Gateway..................................................................................... page 34
SCOPIA MCU..................................................................................... page 36
This document does not include details of ports required by additional servers such as LDAP, SQL, or Oracle servers. Always check which ports your back-end servers require and open only these ports.
SCOPIA Elite MCU
SCOPIA Elite MCU 5000 Series
Table 1-1 lists the ports supported by all the models in the SCOPIA Elite MCU 5000 Series, including SCOPIA Elite 5100 Series MCU and SCOPIA Elite 5200 Series MCU.
Table 1-1 Ports Supported by SCOPIA Elite MCU 5000 Series

| Port Range | Protocol | Functionality | Direction | Result of Blocking Port on Firewall | Description |
|---|---|---|---|---|---|
| 21 | FTP (TCP) | Audio stream recording | In | Cannot record audio streams | FTP Server |
| 22 | SSH (TCP) | MCU | In | Cannot view logs in real time (logs are collected on the compact flash card) | SSH Client |
| 80 (configurable) | HTTP (TCP) | MCU Administrator and Conference Control web user interfaces | In | Cannot administer MCU | Web client. Used for software upgrade |
| 161 | SNMP (UDP) | Configuration and status | In | Cannot configure or check the status of the MCU via SNMP | iVIEW Network Manager, iVIEW Management Suite or any other SNMP manager station |
| 162 | SNMP (UDP) | SNMP Trap events | Out | Cannot receive Traps | iVIEW Network Manager, iVIEW Management Suite or any other SNMP manager station |
| 443 | HTTPS (TCP) | Secure web interface | In | Cannot administer MCU | |
| 1024-1324 (configure within this range) | H.245 (TCP) | H.245 signaling | Both | Cannot connect H.323 calls | Any H.323 entity. The SCOPIA Elite 5100 Series MCU uses 90 ports for H.245, while the SCOPIA Elite 5200 Series MCU uses 180 ports. To configure, use the MCU Advanced Commands section. Enter the command h245baseport to set the lower port value, and h245portrange to specify the number of ports above the base port to be used. |
| 1719 (configurable) | RAS (UDP) | RAS signaling | Out | Cannot communicate with H.323 gatekeeper | H.323 gatekeeper |
| 1720 (configurable) | Q.931 (TCP) | Q.931 signaling | Both | Cannot connect H.323 calls | Any H.323 entity |
| 3336 | XML (TCP) | MCU version 3 XML API | Both | Cannot use MCU Conference Control web user interface. Cannot use version 3 XML API to control MCU | Conference Control web client terminal, iVIEW Management Suite or third-party controlling applications |
| 3337 | XML (TCP) | MCU version 3 Cascading XML API | Both | Cannot cascade between two MCUs | Other MCUs |
| 3338 | XML (TCP) | Administration XML API | Both | Cannot be blocked | |
| 5060 (configurable) | SIP (TCP/UDP) | SIP signaling | Both | Cannot connect SIP calls | Any SIP entities |

In addition to the ports listed in Table 1-1, the SCOPIA Elite MCU offers configurable security access levels enabling and disabling Telnet, FTP, SNMP and ICMP (ping) services. The security settings are accessed in the MCU from Configuration > Setup > Security and entering the Security Mode. Table 1-2 details the implications of each security mode on each communication type.

Table 1-2 MCU Security Mode

| Security Mode | Telnet | FTP | SNMP | ICMP (ping) |
|---|---|---|---|---|
| Standard | Active | Active | Active | Active |
| High | Inactive | Inactive | Active | Active |
| Maximum | Inactive | Inactive | Inactive | Inactive |
Ports Specific to the SCOPIA Elite 5100 Series MCU

Table 1-3 lists the ports specific to the SCOPIA Elite 5100 Series MCU.

Table 1-3 Ports supported by SCOPIA Elite 5100 Series MCU

| Port Range | Protocol | Functionality | Direction | Result of Blocking Port on Firewall | Description |
|---|---|---|---|---|---|
| 12000-13200, 16384-16984 (configure within these ranges) | RTP/RTCP (UDP) | RTP video and audio media | Both | Cannot transmit/receive video media streams | Any H.323 or SIP media enabled entity. Every call uses two audio ports and six video ports. For highly utilized systems (above 90%), we recommend multiplying by a factor of 1.5. Using its full capacity, the SCOPIA Elite 5100 Series MCU uses 180 ports for audio and 540 ports for video. To configure the video base port, use the MCU Advanced Commands section. Enter the command advcmdmpcsetval with the parameter mf.BasePort to set the lower port value. To configure the audio base port, use the MCU Advanced Commands section. Enter the command setmprtpbaseport to set the lower port value. |

Ports Specific to the SCOPIA Elite 5200 Series MCU

Table 1-4 lists the ports supported by the SCOPIA Elite 5200 Series MCU.

Table 1-4 Ports supported by SCOPIA Elite 5200 Series MCU

| Port Range | Protocol | Functionality | Direction | Result of Blocking Port on Firewall | Description |
|---|---|---|---|---|---|
| 22 | SSH (TCP) | MCU | In | Cannot view logs in real time (logs are collected on the compact flash card) | SSH Client |
| 12000-13200 (configure within this range) | RTP/RTCP (UDP) | RTP/RTCP video media - lower blade only | Both | Cannot transmit/receive video media streams | Any RTP/RTCP media enabled entity. Every call uses two audio ports and six video ports. For highly utilized systems (above 90%), we recommend multiplying the number of ports required by a factor of 1.5. At full capacity, the SCOPIA Elite 5200 Series MCU uses 1180 ports for video. To configure the video base port, use the MCU Advanced Commands section. Enter the command advcmdmpcsetval with the parameter mf.BasePort to set the lower port value. |
| 16384-16984 (configure within this range) | RTP/RTCP (UDP) | RTP/RTCP audio media - upper blade only | Both | Cannot transmit/receive audio media streams | Any H.323 or SIP media-enabled entity. Every call uses two audio ports and six video ports. For highly utilized systems (above 90%), we recommend multiplying the number of ports required by a factor of 1.5. At full capacity, the SCOPIA Elite 5200 Series MCU uses 360 ports for video. To configure the audio base port, use the MCU Advanced Commands section. Enter the command setmprtpbaseport to set the lower port value. |
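The per-call figures in Tables 1-3 and 1-4 (two audio and six video ports per call, multiplied by 1.5 above 90% utilization) and the h245baseport/h245portrange settings in Table 1-1 are easy to get wrong once the default ranges are reconfigured: a range can end up too small for the licensed call load, or the H.245 range can be moved on top of a media range. The following Python planner is an added example, not RADVISION code. It computes the ports a call load needs, checks that the configured RTP and H.245 ranges hold them, and flags overlapping ranges. The class and function names, rounding the 1.5 factor up to whole ports, and the assumption that ports are consumed contiguously from the base port are assumptions of this example; the 90-call load used for the Elite 5100 at full capacity is derived from the 180 audio ports in Table 1-3 divided by two, and the default ranges are the ones printed in the tables.

```python
"""Port-capacity planner for SCOPIA Elite MCU media and H.245 ranges.

Added example, not RADVISION code.  Per-call counts, the 1.5 factor and
the default ranges come from Tables 1-1, 1-3 and 1-4; everything else
(names, contiguous-allocation assumption, rounding) is an assumption.
"""
import math
from dataclasses import dataclass

AUDIO_PORTS_PER_CALL = 2          # Table 1-3 / 1-4: "two audio ports"
VIDEO_PORTS_PER_CALL = 6          # Table 1-3 / 1-4: "six video ports"
HIGH_UTILISATION = 0.90           # above 90% the guide recommends...
HIGH_UTILISATION_FACTOR = 1.5     # ...multiplying the port count by 1.5


@dataclass(frozen=True)
class PortRange:
    """An inclusive port range with a label used in problem reports."""
    name: str
    low: int
    high: int

    @property
    def size(self) -> int:
        return self.high - self.low + 1

    def overlaps(self, other: "PortRange") -> bool:
        return self.low <= other.high and other.low <= self.high


# Default ranges as printed in the tables (assumed contiguous allocation).
DEFAULT_VIDEO = PortRange("video", 12000, 13200)
DEFAULT_AUDIO = PortRange("audio", 16384, 16984)
DEFAULT_H245 = PortRange("h245", 1024, 1324)


def media_ports_needed(calls: int, utilisation: float = 0.0) -> dict:
    """Audio/video UDP ports needed for `calls` concurrent calls.

    Above 90% utilisation the count is multiplied by 1.5 and rounded up,
    so a fractional port never undersizes the range.
    """
    factor = HIGH_UTILISATION_FACTOR if utilisation > HIGH_UTILISATION else 1.0
    return {
        "audio": math.ceil(calls * AUDIO_PORTS_PER_CALL * factor),
        "video": math.ceil(calls * VIDEO_PORTS_PER_CALL * factor),
    }


def h245_range(base_port: int, port_count: int) -> PortRange:
    """Range produced by h245baseport (base) plus h245portrange (count)."""
    return PortRange("h245", base_port, base_port + port_count - 1)


def check_plan(calls: int, utilisation: float, video: PortRange,
               audio: PortRange, h245: PortRange) -> list:
    """Return a list of problems; empty when the configured ranges suffice.

    Checks that each media range holds the ports the load requires, that
    the H.245 range has one port per call (Table 1-1: 90 ports for the
    5100, 180 for the 5200), and that no two ranges overlap.
    """
    problems = []
    need = media_ports_needed(calls, utilisation)
    for rng, key in ((audio, "audio"), (video, "video")):
        if rng.size < need[key]:
            problems.append(f"{key} range {rng.low}-{rng.high} holds "
                            f"{rng.size} ports, {need[key]} needed")
    if h245.size < calls:
        problems.append(f"h245 range holds {h245.size} ports, {calls} needed")
    ranges = [video, audio, h245]
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a.name} range overlaps {b.name} range")
    return problems


if __name__ == "__main__":
    # Elite 5100 at full capacity: 90 calls (180 audio ports / 2).
    print(media_ports_needed(90))                      # {'audio': 180, 'video': 540}
    print(check_plan(90, 0.5, DEFAULT_VIDEO, DEFAULT_AUDIO, h245_range(1024, 90)))
    # Elite 5200 (180 H.245 ports) above 90% utilisation with default ranges.
    for p in check_plan(180, 0.95, DEFAULT_VIDEO, DEFAULT_AUDIO, h245_range(1024, 180)):
        print("problem:", p)
```

Run with the Elite 5200 figures above 90% utilization, the planner reports that the default 12000-13200 video range (1201 ports) cannot hold 180 calls times six video ports times 1.5, which is the kind of sizing decision the 1.5 recommendation in Tables 1-3 and 1-4 asks the administrator to make before widening a firewall range.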
SCOPIA Video Gateway for Microsoft Lync
Table 1-5 lists the ports supported by SCOPIA Video Gateway for Microsoft Lync.
Table 1-5 Ports supported by SCOPIA Video Gateway for Microsoft Lync

| Port | Protocol/Use | Functionality | Direction | Result of Blocking Port on Firewall | Description |
|---|---|---|---|---|---|
| 21 | FTP (TCP) | Audio stream recording | In | Cannot record audio streams | FTP Server. Note that this feature is disabled by default. |
| 22 | SSH (TCP) | Logs for the SCOPIA Video Gateway for Microsoft Lync | In | Cannot view logs in real time (logs are collected on the compact flash card) | SSH Client |
| 80 (configurable) | HTTP (TCP) | Application upgrade and upload customer support information | In | Cannot upgrade the SCOPIA Video Gateway for Microsoft Lync | Web client |
| 162 | SNMP (UDP) | SNMP Trap events | Out | Cannot receive Traps | iVIEW Network Manager, iVIEW Management Suite or any other SNMP manager station |
| 1024-1174 (configurable) | H.245 (TCP) | H.245 signaling | Both | Cannot connect H.323 calls | Any H.323 entity |
| 1719 (configurable) | RAS (UDP) | RAS signaling | Both | Cannot communicate with H.323 gatekeeper | H.323 gatekeeper |
| 1720 (configurable) | Q.931 (TCP) | Q.931 signaling | Both | Cannot connect H.323 calls | Any H.323 entity |
| 3336 | XML (TCP) | Management XML API | Both | Cannot be blocked | iVIEW Management Suite |
| 3338 | XML (TCP) | Administration XML API | Both | Cannot be blocked | |
| 5060, 5061 (configurable) | SIP (TCP/UDP) | SIP signaling | Both | Cannot connect SIP calls | Any SIP entities |
| 12000-13200 (configurable) | RTP/RTCP | RTP video media | Both | Cannot transmit/receive video media streams | Any H.323 or SIP media enabled entity |
| 16384-16984 (configurable) | RTP/RTCP (UDP) | RTP audio media | Both | Cannot transmit/receive audio media streams | Any H.323 or SIP media enabled entity |
SCOPIA ECS Gatekeeper
Table 1-6 and Table 1-7 list the ports supported by the ECS.
Table 1-6 ECS incoming port connections

| Port Range | Protocol | Functionality | Direction | Result of Blocking Port on Firewall | Description |
|---|---|---|---|---|---|
| 21 | FTP (TCP) | File Transfer Protocol for offline viewing of ECS logs and CDRs | Both | Cannot view logs or retrieve CDR files | FTP client/CDR server |
| 80 (configure via webs.ini file) | HTTP (TCP) | Web interface | Both | Cannot view ECS web user interface | Web client terminal |
| 161 | SNMP (UDP) | Configuration and status | Both | Cannot configure or check the status of the ECS | iVIEW Network Manager, or any other SNMP manager station |
| 1024-5000 (configure within that range in the Windows registry) | H.245 (TCP) | H.245 routed calls | Both | No H.245 (except in Q.931 routed and direct mode) | Any H.323 entity H.245 port. The number of ports ECS needs for this purpose is the maximum calls allowed by your license multiplied by four. See the note below this table for limiting ECS's use of ports within the range. |
| 1719 | RAS (UDP) | RAS | Both | No RAS capabilities | Any H.323 entity using RAS signaling |
| 1720 | Q.931 (TCP) | Q.931 routed calls | Both | No signaling capabilities (except in direct mode) | Any H.323 entity using Q.931 signaling |
| 3271 | ECS XML | Incoming XML connection | Both | No incoming XML connection | XML server |
| 12378 (configurable) | Alternate Gatekeeper protocol | Synchronization and negotiation between Alternate Gatekeepers | Both | No Alternate Gatekeeper functionality | Alternate Gatekeeper |

To limit ECS's use of ports within the range of 1024-5000 (the H.245 row of Table 1-6):

1. Close ECS.
2. Open the registry.
3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\RADVISION\Enhanced Communication Server\Storage\Config\Stack
4. Create a new key of type REG_SZ called PortMin. Give it the value of the minimum port number ECS should use.
5. Create a new key of type REG_SZ called PortMax. Give it the value of the highest port number ECS should use.
6. Restart ECS.

There may be other applications on the same computer which altered the global maximum port for all processes running on that Windows PC. Verify this global maximum is unchanged in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort registry key. If this key is not defined, its default value is 5000.

Table 1-7 ECS outgoing ports connections

| Port Range | Protocol | Functionality | Direction | Result of Blocking Port on Firewall | Description |
|---|---|---|---|---|---|
| 23 | Telnet (TCP) | Control of Sony endpoints | Out | No control over endpoints | Sony endpoint |
| 53 | DNS (TCP) | Query DNS for domains per call | Out | DNS disabled | DNS server |
| 162 (configurable) | SNMP (UDP) | SNMP Trap events | Out | No traps are sent | To iVIEW Network Manager, or to any other SNMP manager station |
| 1719 | RAS (UDP) | Sending LRQ messages to Neighbor Gatekeepers | Both | No RAS | Neighbor Gatekeepers |
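The guide's advice is to open only the ports a component needs, and Tables 1-6 and 1-7 give, per port, the transport and the direction in which connections are made. The following Python script is an added example, not RADVISION code: it transcribes the ECS rows whose transport the tables state (21, 80, 161, 1024-5000, 1719, 1720, 23, 53, 162; the ECS XML port 3271 and the Alternate Gatekeeper port 12378 are left out because the tables do not name their transport) and turns them into an iptables allowlist with default-drop policies. The interpretation of Direction "Both" as connections initiated from either side, the peer subnet PEER_NET (a TEST-NET placeholder), and all function names are assumptions of this example; the rules are only generated as strings, not applied.

```python
"""Generate an iptables allowlist from a SCOPIA port table.

Added example, not RADVISION code.  Port, transport and direction are
taken from Tables 1-6 and 1-7 for the ECS; rule syntax is iptables and
PEER_NET is a placeholder subnet for the ECS's peers.
"""
from dataclasses import dataclass

PEER_NET = "192.0.2.0/24"   # placeholder (TEST-NET-1): subnet of gatekeepers, endpoints, SNMP manager


@dataclass(frozen=True)
class PortEntry:
    port: str            # "1720" or an inclusive range "1024-5000"
    protocols: tuple     # ("tcp",), ("udp",) or ("tcp", "udp")
    direction: str       # "in", "out" or "both", as in the Direction column
    functionality: str   # used as the rule comment


# ECS rows transcribed from Table 1-6 (incoming) and Table 1-7 (outgoing).
# Port 1719 appears in both tables; it is listed once as "both".
ECS_PORTS = (
    PortEntry("21", ("tcp",), "both", "FTP: offline viewing of ECS logs and CDRs"),
    PortEntry("80", ("tcp",), "both", "HTTP: ECS web interface"),
    PortEntry("161", ("udp",), "both", "SNMP: configuration and status"),
    PortEntry("1024-5000", ("tcp",), "both", "H.245 routed calls"),
    PortEntry("1719", ("udp",), "both", "RAS, including LRQ to neighbor gatekeepers"),
    PortEntry("1720", ("tcp",), "both", "Q.931 routed calls"),
    PortEntry("23", ("tcp",), "out", "Telnet: control of Sony endpoints"),
    PortEntry("53", ("tcp",), "out", "DNS: query DNS for domains per call"),
    PortEntry("162", ("udp",), "out", "SNMP trap events"),
)


def _iptables_port(port: str) -> str:
    """iptables writes ranges as low:high rather than low-high."""
    return port.replace("-", ":")


def iptables_rules(entries, peer_net: str = PEER_NET) -> list:
    """Return iptables commands: default-drop policies, stateful accept,
    then one NEW-connection accept per entry, transport and direction."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for e in entries:
        dport = _iptables_port(e.port)
        for proto in e.protocols:
            tail = (f"--dport {dport} -m conntrack --ctstate NEW "
                    f"-m comment --comment \"{e.functionality}\" -j ACCEPT")
            # "in"/"both": peers open connections to this port on the ECS.
            if e.direction in ("in", "both"):
                rules.append(f"iptables -A INPUT -p {proto} -s {peer_net} {tail}")
            # "out"/"both": the ECS opens connections to this port on a peer.
            if e.direction in ("out", "both"):
                rules.append(f"iptables -A OUTPUT -p {proto} -d {peer_net} {tail}")
    return rules


def direction_counts(rules) -> dict:
    """Count accept rules per chain, a quick sanity check on the allowlist."""
    return {
        "INPUT": sum(" -A INPUT " in r for r in rules),
        "OUTPUT": sum(" -A OUTPUT " in r for r in rules),
    }


if __name__ == "__main__":
    for rule in iptables_rules(ECS_PORTS):
        print(rule)
    print(direction_counts(iptables_rules(ECS_PORTS)))
```

The Description column can be carried into the allowlist as a tighter source or destination (for example only the gatekeeper's own address for 1719) by giving PortEntry a per-row peer instead of the single PEER_NET used here; the ECS H.245 range 1024-5000 remains the widest hole, which is why the registry PortMin/PortMax procedure in Table 1-6 exists.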
SCOPIA iVIEW Management Suite
Table 1-8 lists the ports supported by iVIEW Management Suite.
Table 1-8 Ports supported by iVIEW Management Suite

| Port Range | Protocol | Functionality | Direction | Result of Blocking Port on Firewall |
|---|---|---|---|---|
| 7 | TCP | Detects online status of video network devices. Mandatory. | Out | |
| 21 | TCP | Downloading logs from ECS or from other devices which allow logs to be downloaded via FTP; importing and exporting TANDBERG Local Address Book; upgrading software | Out | |
| 22 | TCP | Detecting LifeSize endpoints; downloading PathFinder Server logs; detecting and managing SCOPIA VC240 | Out | |
| 23 | Telnet (TCP) | Sony PCS address book, element logs, MCM control and endpoint control. | Both | iVIEW Management Suite cannot use Sony PCS address book feature. Cannot retrieve logs from some devices such as MCM. |
| 24 | Telnet (TCP) | Polycom endpoint control. Optional. | Out | Disables Polycom endpoint control. |
| 25 | TCP | Connect SMTP server for sending email notifications | Out | iVIEW Management Suite cannot send email notifications. |
| 53 | UDP | DNS query | Out | Cannot parse domain name |
| 80 (configurable) | HTTP (TCP) | In: iVIEW Management Suite web interface. When installing the Bundle version with the gatekeeper, this port defaults to 8080. Out: iVIEW Management Suite web interface and TANDBERG MXP management (XML API via HTTP) | Both | Cannot view iVIEW Management Suite web interface. |
| 161 | SNMP | SNMP configuration to any managed element | Both | iVIEW Management Suite cannot operate the SNMP service with devices, and forward trap events do not function. |
| 162 | SNMP | SNMP Trap events: from any managed element to any third-party SNMP manager | Both | iVIEW Management Suite cannot operate the SNMP service with devices, and forward trap events do not function. |