Standards and Protocols
Cisco Unified MeetingPlace Release 8.0 uses the following standards and protocols:
- SIP signaling as per RFC-3261
- SDP protocol RFC-2327
- Offer answer based on RFC-3264 (an Offer/Answer Model with the Session Description Protocol (SDP))
- RTP as RFC-3550
- Session Initiation Protocol (SIP) REFER Method RFC-3515
- Out of band DTMF digits as per either RFC-2833 or KPML-RFC4730 (indirectly RFC-3265)
- H.264 Video as per RFC-3984
- H.263 video as per RFC-2190
- MIME Type Registration of RTP Payload Formats RFC-3555
- isFocus flag as per RFC-4579
- SOCKS protocol for connecting to Cisco WebEx via a proxy configuration
WebEx Port Ranges for Firewalls Used in Cisco Unified MeetingPlace Deployment Options
To ensure traffic to and from the WebEx domain is routed appropriately through your firewall or proxy servers, review the settings below:
Web browser exceptions: Add an exception for the entire webex.com domain (*.webex.com). We ask that WebEx sites are not cached (content, IP-path) on proxy servers.
Cisco WebEx Production IP Exceptions
US production IP exceptions:
- 64.68.96.0/19 (CIDR) or 64.68.96.0 - 64.68.127.255 (net range)
- 66.114.160.0/20 (CIDR) or 66.114.160.0 - 66.114.175.255 (net range)
- 66.163.32.0/20 (CIDR) or 66.163.32.0 - 66.163.47.255 (net range)
- 209.197.192.0/19 (CIDR) or 209.197.192.0 - 209.197.223.255 (net range)
Outside of the US:
- 210.4.192.0/20 (CIDR) or 210.4.192.0 - 210.4.207.255 (net range)
- 62.109.192.0/20 (CIDR) or 62.109.192.0 - 62.109.207.255 (net range)
- 114.29.192.0/19 (CIDR) or 114.29.192.0 - 114.29.223.255 (net range) (India)
TCP/UDP Ports Used in Cisco Unified MeetingPlace Scheduling Deployment Options
This section lists the incoming and outgoing ports that are used by the various components of the Cisco Unified MeetingPlace Release 8.0 system. The information refers to Cisco Unified MeetingPlace Scheduling deployment options.
Use these tables to make sure that your firewalls do not block access to Cisco Unified MeetingPlace from users or integrated systems, and to make sure that you do not block communication among the Cisco Unified MeetingPlace components and servers.
The ports that you do not need to expose to system administrators or end users are used for local communication between the Cisco Unified MeetingPlace elements or between Cisco Unified MeetingPlace and local services such as Cisco Unified Communications Manager or Microsoft Exchange. Such ports should be blocked in the DMZ or external firewall, but should not be blocked between internal components of the Cisco Unified MeetingPlace solution.
Table: Incoming Ports Used in Cisco Unified MeetingPlace Scheduling Deployment Options
Protocol | Port Type | Ports | Port Usage | Special Requirements |
---|---|---|---|---|
Application Server/Express Media Server | ||||
SSH | TCP | 22 | Secure access | Expose to system administrators |
HTTP, HTTPS | TCP | 80, 443 | Administrator web access for Cisco WebEx | Expose to system administrators |
NTP | UDP | 123 | Network Time Protocol communication from the Web Servers and Hardware Media Servers | Expose to Web Server in the DMZ |
SNMP | UDP | 161 | SNMP configuration | Expose to system administrators |
- | TCP | 1270-1279 | For Cisco WebEx | - |
MP_REPL | TCP | 2008 | Database replication between the active and standby servers for Application Server failover | - |
- | TCP | 2000-2009 | For Cisco WebEx | - |
GWSIM | TCP | 5003, 5005 | Receive attachments from the external Web Server to Application Servers (active server and standby server, if one exists) in segmented meeting access configurations. | Expose to Web Server in the DMZ. |
SIP | TCP UDP | 5060 | SIP B2BUA | - |
- | TCP | 7676 | Accept the connection from the Cisco WebEx Node | - |
HTTP | TCP | 8080 | HTTP services | - |
HTTP | TCP | 9090 | Media Server Administration | Expose to system administrators |
SIP | TCP UDP | 61002 | Recording signaling | - |
Recording control | TCP | 61003 | Recording control | For remote RSS servers only |
HTTP | TCP | 61004 | Communication from the external Web Server to the Application Server for prompts, recordings, attachment access, and login service for remote users | Expose to Web Server in the DMZ |
RTP, RTCP | UDP | 16384-32767 | Recording media for both Hardware Media Server and Express Media Server | - |
Hardware Media Server | ||||
FTP | TCP | 21 | Retrieving log files | Expose to system administrators |
Telnet | TCP | 23 | Telnet | Expose to system administrators |
HTTP | TCP | 80 | Web user interface | Expose to system administrators |
NTP | UDP | 123 | Network Time Protocol | - |
SNMP | UDP | 161 | SNMP configuration | Expose to system administrators |
MPI | TCP | 2010 | MPI (Pompa control protocol) | - |
DCI | TCP | 3333 | DCI (DCS control protocol) | - |
XML control | TCP | 3336 | XML control | - |
XML cascading | TCP | 3337 | XML cascading | - |
File server | TCP | 3340 | File server | - |
SIP | TCP UDP | 5060 | SIP | - |
RTP/RTCP | UDP | 16384-16683 | Audio Blades | Expose to system administrators and end users |
RTP/RTCP | UDP | 20000-21799 | Video Blades | Expose to system administrators and end users |
Video Blade control | TCP | 2944-2945 | Video Blade control (H.248) | - |
Web Server | ||||
HTTP | TCP | 80 | User web access | Expose to system administrators and end users |
HTTPS | TCP | 443 | Secure user web access | (Optional) Expose to system administrators and end users. If you have external users, then grant access from the Internet to the Web Server in the DMZ. |
SQL | TCP | 1433 | Communication between the Web Server and the SQL Server database | - |
RTMP | TCP | 1627 | Web meeting room Note: This port is only used for systems that were upgraded to Release 8.0 from Release 7.0. | (Optional but recommended for best performance) Expose to system administrators and end users. If you have external users, then grant access from the Internet to the Web Server in the DMZ. |
DCOM | TCP | Dynamically open 1024 to 65535 | Cisco Unified MeetingPlace for Microsoft Outlook to Microsoft Exchange uses the CDO API | Required only for Release 7.0.1 systems using the back-end Microsoft Outlook integration. |
Control connection | TCP | 5003 | Control connection between Web Servers and the Application Server | Expose to Application Server |
Cisco WebEx Node for MCS (including WebEx Cloud) | ||||
HTTP | TCP | 80 | User web access from Cisco WebEx client | Internal network use only |
- | TCP | 1270-1279 | User web access from Cisco WebEx client | Internal network use only |
- | TCP | 2000-2009 | User web access from Cisco WebEx client | Internal network use only |
HTTPS | TCP | 443 | Meeting entry from the Cisco WebEx client | The Cisco WebEx Site will redirect to the Cisco WebEx Node if configured. |
IBM Lotus Sametime | ||||
TCP/UDP | TCP UDP | 8083 | Java RMI lookup service for IBM Lotus Sametime (1) | - |
TCP | TCP | 8086 | RMI calls (JRMP) for IBM Lotus Sametime web conferencing (2) | - |
(1) RMI = Remote Method Invocation
(2) JRMP = Java Remote Method Protocol
Table: Outgoing Ports Used in Cisco Unified MeetingPlace Scheduling Deployment Options
Protocol | Port Type | Port | Usage | Special Requirements |
---|---|---|---|---|
Application Server | ||||
SMTP | TCP | 25 | Send information to the SMTP or Microsoft Exchange Server for email notification | - |
HTTP | TCP | 80 | Send information to the Microsoft Exchange Server for Microsoft Exchange integration | - |
SOCKS | TCP | 1080 | Optional configuration for connecting to Cisco WebEx via a proxy configuration | This is an optional configuration that is not used unless you specifically configure it. The standard SOCKS port is 1080 but is configurable. Other types of proxies (such as HTTP) are not supported by Cisco Unified MeetingPlace for Cisco WebEx connectivity. |
HTTPS | TCP | 443 | Send information to the Microsoft Exchange Server when SSL is enabled | - |
- | TCP | 5003, 5005 | Control connection between the external Web Server and Application Servers (active server and standby server, if one exists) in segmented meeting access configurations | Open bidirectional |
Cisco WebEx Node for MCS (including Cisco WebEx Cloud) | ||||
HTTPS | TCP | 443 | Tunnel meeting information from the Cisco WebEx Node to the Cisco WebEx cloud | Only outbound firewall to Internet |
- | TCP | 7676 | Control connection with the Application Server | Internal network use |
Web Server | ||||
NTP | UDP | 123 | Time synchronization between Web Servers and Application Server | - |
Control connection | TCP | 5003 | Control connection between Web Servers and the Application Server | - |
- | TCP | 5003, 5005 | Control connection between the external Web Server and Application Servers (active server and standby server, if one exists) in segmented meeting access configurations | Open bidirectional |
HTTP | TCP | 61004 | Recording control | - |
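The tables above leave the exposure policy to the reader: a row marked "-" in the Special Requirements column is for local communication and should be blocked at the DMZ or external firewall, while "Expose to ..." rows are opened toward the named audience. The following Python is an added example, not Cisco's code: it parses rows written in the same pipe-separated layout as the tables on this page and answers "may zone X reach this port?" from that column. The sample rows are a constructed subset of the incoming Application Server table, and the zone names (admin, users, dmz_web) and the phrase-to-zone mapping are assumptions.

```python
import re

# Constructed sample in the page's table layout: a subset of the
# Application Server incoming rows (Protocol | Port Type | Ports | Usage | Special Requirements).
PORT_TABLE = """\
SSH | TCP | 22 | Secure access | Expose to system administrators
NTP | UDP | 123 | NTP from Web Servers | Expose to Web Server in the DMZ
MP_REPL | TCP | 2008 | Database replication | -
SIP | TCP UDP | 5060 | SIP B2BUA | -
RTP, RTCP | UDP | 16384-32767 | Recording media | -
RTP/RTCP | UDP | 16384-16683 | Audio Blades | Expose to system administrators and end users
HTTP, HTTPS | TCP | 80, 443 | Administrator web access | Expose to system administrators
"""

# Assumed mapping from phrases in the Special Requirements column to firewall zones.
ZONE_PHRASES = {
    "system administrators": "admin",
    "end users": "users",
    "Web Server in the DMZ": "dmz_web",
}


def parse_ports(field):
    """'80, 443' -> [(80, 80), (443, 443)]; '16384-32767' -> [(16384, 32767)]."""
    ranges = []
    for token in re.split(r"[,\s]+", field.strip()):
        if token:
            lo, _, hi = token.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_table(text):
    """Return (protocols, port_ranges, zones) per row; an empty zone set means internal only."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 5:
            continue  # header, separator or sub-heading row
        zones = {z for phrase, z in ZONE_PHRASES.items() if phrase in cells[4]}
        rows.append((cells[1].split(), parse_ports(cells[2]), zones))
    return rows


def is_allowed(rows, zone, proto, port):
    """True only if some row explicitly exposes proto/port to this zone (default deny)."""
    return any(proto in protos and zone in zones and any(lo <= port <= hi for lo, hi in ranges)
               for protos, ranges, zones in rows)


def external_block_list(rows):
    """(proto, lo, hi) entries that must stay blocked at the DMZ or external firewall."""
    return sorted((p, lo, hi) for protos, ranges, zones in rows if not zones
                  for p in protos for lo, hi in ranges)
```

Running the real tables through parse_table gives the full internal-only list for each component, which is the set to verify against the DMZ and external firewall rule base.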
TCP/UDP Ports Used in Cisco WebEx Scheduling Deployment Options
This section lists the incoming and outgoing ports that are used by the various components of the Cisco Unified MeetingPlace Release 8.0 system. The information refers to Cisco WebEx Scheduling deployment options.
Use these tables to make sure that your firewalls do not block access from Cisco Unified MeetingPlace to users or integrated systems, and to make sure that you do not block communication among the Cisco Unified MeetingPlace components and servers.
Table: Incoming Ports Used in Cisco WebEx Scheduling Deployment Options
Protocol | Port Type | Ports | Port Usage | Special Requirements |
---|---|---|---|---|
Application Server | ||||
SSH | TCP | 22 | Secure access | Expose to system administrators |
HTTP, HTTPS | TCP | 80, 443 | Administrator web access for Cisco WebEx | Expose to system administrators |
NTP | UDP | 123 | Network Time Protocol communication from the Hardware Media Server | - |
SNMP | UDP | 161 | SNMP configuration | Expose to system administrators |
- | TCP | 1270-1279 | For Cisco WebEx | - |
MP_REPL | TCP | 2008 | Database replication between the active and standby servers for Application Server failover | - |
- | TCP | 2000-2009 | For Cisco WebEx | - |
SIP | TCP UDP | 5060 | SIP B2BUA | - |
- | TCP | 7676 | Accept the connection from the Cisco WebEx Node | - |
HTTP | TCP | 8080 | HTTP services | - |
HTTP | TCP | 9090 | Media Server Administration | Expose to system administrators |
SIP | TCP UDP | 61002 | Recording signaling | - |
Recording control | TCP | 61003 | Recording control | For remote RSS servers only |
RTP, RTCP | UDP | 16384-32767 | Recording media for both Hardware Media Server and Express Media Server | - |
Hardware Media Server | ||||
FTP | TCP | 21 | Retrieving log files | Expose to system administrators |
Telnet | TCP | 23 | Telnet | Expose to system administrators |
HTTP | TCP | 80 | Web user interface | Expose to system administrators |
NTP | UDP | 123 | Network Time Protocol | - |
SNMP | UDP | 161 | SNMP configuration | Expose to system administrators |
MPI | TCP | 2010 | MPI (Pompa control protocol) | - |
DCI | TCP | 3333 | DCI (DCS control protocol) | - |
XML control | TCP | 3336 | XML control | - |
XML cascading | TCP | 3337 | XML cascading | - |
File server | TCP | 3340 | File server | - |
SIP | TCP UDP | 5060 | SIP | - |
RTP/RTCP | UDP | 16384-16683 | Audio Blades | Expose to system administrators and end users |
RTP/RTCP | UDP | 20000-21799 | Video Blades | Expose to system administrators and end users |
Video Blade control | TCP | 2944-2945 | Video Blade control (H.248) | - |
Cisco WebEx Node for MCS (including WebEx Cloud) | ||||
HTTP | TCP | 80 | User web access from Cisco WebEx client | Internal network use only |
- | TCP | 1270-1279 | User web access from Cisco WebEx client | Internal network use only |
- | TCP | 2000-2009 | User web access from Cisco WebEx client | Internal network use only |
HTTPS | TCP | 443 | Meeting entry from the Cisco WebEx client | The Cisco WebEx Site will redirect to the Cisco WebEx Node if configured. |
Table: Outgoing Ports Used in Cisco WebEx Scheduling Deployment Options
Protocol | Port Type | Port | Usage | Special Requirements |
---|---|---|---|---|
Application Server/ Express Media Server | ||||
SMTP | TCP | 25 | Send information to the SMTP or Microsoft Exchange Server for email notification | - |
HTTP | TCP | 80 | Send information to the Microsoft Exchange Server for Microsoft Exchange integration | - |
HTTPS | TCP | 443 | Send information to the Microsoft Exchange Server when SSL is enabled | - |
SOCKS | TCP | 1080 | Optional configuration for connecting to Cisco WebEx via a proxy configuration | This is an optional configuration that is not used unless you specifically configure it. The standard SOCKS port is 1080 but is configurable. Other types of proxies (such as HTTP) are not supported by Cisco Unified MeetingPlace for Cisco WebEx connectivity. |
- | TCP | 5003, 5005 | Control connection between the external Web Server and Application Servers (active server and standby server, if one exists) in segmented meeting access configurations | Open bidirectional |
Cisco WebEx Node for MCS (including Cisco WebEx Cloud) | ||||
HTTPS | TCP | 443 | Tunnel meeting information from the Cisco WebEx Node to the Cisco WebEx cloud | Only outbound firewall to Internet |
- | TCP | 7676 | Control connection with the Application Server | Internal network use |
Application Server to Hardware Media Server Connectivity
The Hardware Media Server should be on the same local network segment as the Application Server. Cisco Unified MeetingPlace does not support Hardware Media Server blades that are remotely located.
Application Server to Web Server Connectivity
Note: Cisco Unified MeetingPlace Web Servers are only required in Cisco Unified MeetingPlace Scheduling deployments.
Confirm that the system meets the following requirements so that the Web Server can communicate with the Application Server:
- The Web Server must be able to communicate with the Application Server on TCP port 5003. This can be achieved by opening port 5003 inbound from the Web Server to the Application Server, in which case the normal registration mechanism will operate. Alternately, the Application Server can initiate a reverse (outbound) connection to the Web Server. For the reverse connection to be initiated, you must enter the MeetingPlace Server name as a hostname instead of an IP address during the Web Server installation. You will also have to manually configure this Web Server unit on the Application Server.
- Connectivity between the Web Server and the Application Server is of high quality and not subject to interruptions because of traffic congestion. Any time the round-trip latency exceeds 100 ms or there is more than 1 percent packet loss, you should expect a noticeable reduction in service quality.
- TCP port 61004 must be open inbound from the Web Server to the Application Server. There is no "reverse" connection mechanism for this port.
- Cisco recommends opening UDP port 123 (NTP) bidirectionally between the Web Server and the Application Server. This is used for time synchronization. Alternate time synchronization mechanisms may be used, but any significant clock drift will result in failures.
Cisco WebEx Node for MCS Connectivity
Cisco WebEx Node for MCS is an optional component. Cisco Unified MeetingPlace Release 8.0 also supports WebEx Software as a Service (SaaS).
Cisco WebEx Node for MCS is deployed internally behind your corporate firewall. There are two separate connections:
- Cisco WebEx Node for MCS to the Cisco WebEx Cloud
- Cisco WebEx Node for MCS to the Cisco Unified MeetingPlace Application Server
Cisco WebEx Node for MCS must be installed on either an MCS 7835 or an MCS 7845. The 7835 provides two dedicated TCP 443 socket connections outbound through the firewall to the Cisco WebEx cloud. The 7845 provides four dedicated TCP 443 socket connections to the Cisco WebEx cloud.
Be aware of the following when configuring the Cisco WebEx Node for MCS:
- Cisco WebEx Node for MCS does not support any HTTPS/TCP 443 proxy configured in a network.
- All Cisco WebEx Node for MCS outbound TCP Port 443 must be able to traverse firewalls directly without HTTPS proxy servers in between.
- Cisco Unified MeetingPlace Release 8.0 supports a maximum of three Cisco WebEx Nodes for MCS with a maximum of 1000 sessions load-shared amongst the deployed nodes.
- For meetings scheduled to allow external attendees, internal ports are consumed by internal users. Once the nodes are full, client connections overflow to the Cisco WebEx cloud. If all nodes fail, all clients failover to the cloud.
- For meetings scheduled for internal attendees only, internal ports are consumed by internal users. External users are not able to access the meeting. Once the Cisco WebEx Nodes for MCS are full, clients are blocked. If a node fails, client connections go to another node. Failover to the cloud is not possible for internal meetings.
Failover Requirements
To configure failover, you need two Application Servers with a high-speed network connection (preferably 100 Mbps or better) between them. Failover configuration requires the following:
- When you configure the Application Server for the Express Media Server, both the primary and secondary failover Express Media Servers must have the same licenses and port distribution for scheduled and ad-hoc meetings.
- The time must be synchronized between the two Application Servers. This is required to resolve conflicts when the same piece of data is modified simultaneously in both Application Servers.
- If the primary and failover Application Servers share a common set of Audio and Video Blades, you must add all the Audio Blades to both Application Servers. Be sure to use the same passwords and SNMP community names on the two systems or the failover mechanism will not work.
- If the primary and failover Application servers are in different data centers (dual data center deployment), then the same VLAN must be extended between both data centers for the replication and failover to be supported.