Hei Mattias, how are you?
The vcs firewall guide does not help you here.
If I see it right the 4043 and 4044 tcp ports are used for the endeavour (cisco in touch 8) communication&upgrades.
So no malware :-)
You can be pretty sure that you can close it from external networks. A intouch would most likely be
connected to the secondary port or the local network anyhow.
I would do it vice versa, close everything and just open ssh & http(s) to networks which need management access
and only allow the needed media ports and signaling from the outside.
You find the media ports used ports of TC5.1 in the admin guide
Value space:
Dynamic: The system will allocate which ports to use when opening a TCP connection. The reason for doing this is to avoid using the same ports for subsequent calls, as some firewalls consider this as a sign of attack. When Dynamic is selected, the H.323 ports used are from 11000 to 20999. Once 20999 is reached they restart again at 11000. For RTP and RTCP media data, the system is using UDP ports in the range 2326 to 2487. Each media channel
is using two adjacent ports, ie 2330 and 2331 for RTP and RTCP respectively. The ports are automatically selected by the system within the given range. Firewall administrators should not try to deduce which ports are used when, as the allocation schema within the mentioned range may change without any further notice.
Static: When set to Static the ports are given within a static predefined range [5555-6555].
Which signaling ports shall be open depends also on the deployment.
In general 1720/tcp for h323 and 5060 (udp/tcp) or 5061 (tcp-tls)
If the systems are connected to a VCS-E no ports need to be open from the outside at all.
Its enough to allow outbound connections and the answers back in and works fine if a n>m nat is involved.
If the system is located on a public ip I would think of blocking/disabling sip as there is a lot of scan calls
going on on the internet which will just annoy the user of the system.
