Cisco C-series - Open TCP Ports 4043 & 4044

Mattias Widman
Beginner

Anybody that can answer what these ports do on C-Series codecs?

They are usually used for Neighbour Identity Resolution Protocol and Location Tracking Protocol and known for being used by malware. Are they used for these protocols? Can they be closed without losing functionality? I have a client that has a lot of systems placed on public networks and they are asking if this can be done/should be done.

I have looked in this document without finding any answer:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X7-2.pdf

Any ideas?

//MW

2 Accepted Solutions

Martin Koch
Advocate

Hei Mattias, how are you?

The VCS firewall guide does not help you here.

If I see it right, the 4043 and 4044 TCP ports are used for the endeavour (Cisco inTouch 8) communication & upgrades.

So no malware :-)

You can be pretty sure that you can close it from external networks. An inTouch would most likely be connected to the secondary port or the local network anyhow.

I would do it vice versa: close everything and just open SSH & HTTP(S) to networks which need management access, and only allow the needed media ports and signaling from the outside.

You find the media ports used by TC5.1 in the admin guide:

Value space: 
Dynamic: The system will allocate which ports to use when opening a TCP connection. The reason for doing this is to avoid using the same ports for subsequent calls, as some firewalls consider this as a sign of attack. When Dynamic is selected, the H.323 ports used are from 11000 to 20999. Once 20999 is reached they restart again at 11000. For RTP and RTCP media data, the system is using UDP ports in the range 2326 to 2487. Each media channel is using two adjacent ports, i.e. 2330 and 2331 for RTP and RTCP respectively. The ports are automatically selected by the system within the given range. Firewall administrators should not try to deduce which ports are used when, as the allocation schema within the mentioned range may change without any further notice.
Static: When set to Static the ports are given within a static predefined range [5555-6555].

Which signaling ports shall be open depends also on the deployment.

In general 1720/tcp for H.323 and 5060 (udp/tcp) or 5061 (tcp-tls).

If the systems are connected to a VCS-E no ports need to be open from the outside at all.

It's enough to allow outbound connections and the answers back in, and it works fine if an n>m NAT is involved.

If the system is located on a public IP I would think of blocking/disabling SIP, as there are a lot of scan calls going on on the internet which will just annoy the user of the system.

Please remember to rate helpful responses and identify

Danny De Ridder
Cisco Employee

Hello,

These ports are used by the TelePresence Touch panel to check the version and to upgrade it.

[dderidde-ex90-home:/etc/xinetd.d] $ pwd
/etc/xinetd.d
[dderidde-ex90-home:/etc/xinetd.d] $ cat endeavour-upgrade
service endeavour-poke
{
        type            = UNLISTED
        flags           = IPV6
        port            = 4044
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /bin/endeavour-upgrade-info
        log_on_failure  += USERID
}
[dderidde-ex90-home:/etc/xinetd.d] $ ls ende*
endeavour-dl  endeavour-upgrade
[dderidde-ex90-home:/etc/xinetd.d] $ cat endeavour-dl
service endeavour-dl
{
        type            = UNLISTED
        flags           = IPV6
        port            = 4043
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /extra/bin/rsync
        server_args     = --daemon --config=/etc/rsyncd.endeavour.conf
        log_on_failure  += USERID
}
[dderidde-ex90-home:/etc/xinetd.d] $

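As an added example (not code from the post, from Cisco, or from the codec itself), here is a small Python audit helper that parses xinetd stanzas like the two shown above and lists which services are enabled, on which port, as which user and serving which binary, so a reviewer can see at a glance what the device exposes before deciding what to firewall. The sample stanzas are constructed from the post; the third service, `example-off`, is hypothetical and only there to exercise the disabled-service filter.

```python
import re

# Constructed sample: the two stanzas from the post (trimmed) plus a hypothetical disabled one.
SAMPLE = """
service endeavour-poke
{
        port            = 4044
        disable         = no
        user            = root
        server          = /bin/endeavour-upgrade-info
        log_on_failure  += USERID
}
service endeavour-dl
{
        port            = 4043
        disable         = no
        user            = root
        server          = /extra/bin/rsync
        server_args     = --daemon --config=/etc/rsyncd.endeavour.conf
}
service example-off
{
        port            = 9999
        disable         = yes
}
"""

# One stanza: "service <name> { ... }"; one attribute line: "key = value" or "key += value".
STANZA = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR = re.compile(r"^\s*(\w+)\s*(\+?=)\s*(.*?)\s*$", re.M)


def parse_xinetd(text):
    """Return {service: {attribute: value}}; '+=' appends to any existing value."""
    services = {}
    for name, body in STANZA.findall(text):
        attrs = {}
        for key, op, val in ATTR.findall(body):
            attrs[key] = (attrs.get(key, "") + " " + val).strip() if op == "+=" else val
        services[name] = attrs
    return services


def exposed_services(text):
    """(port, service, user, server) for every service not marked disable = yes."""
    rows = []
    for name, a in parse_xinetd(text).items():
        if a.get("disable", "no").lower() != "yes" and "port" in a:
            rows.append((int(a["port"]), name, a.get("user", "?"), a.get("server", "?")))
    return sorted(rows)
```

Run `exposed_services(open("/etc/xinetd.d/endeavour-dl").read())` style calls over each file in the directory to build the same table for a real device.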
4 Replies


Thanx Martin, once I read it I remembered


Thanx, once I read it I remembered
