01-16-2013 04:30 AM - edited 03-18-2019 12:26 AM
Anybody that can answer what these ports do on C-Series codecs?
They are usually used for Neighbour Identity Resolution Protocol and Location Tracking Protocol and are known for being used by malware. Are they used for these protocols, and can they be closed without losing functionality? I have a client that has a lot of systems placed on public networks, and they are asking if this can be done/should be done.
I have looked in this document without finding any answer:
Any ideas?
//MW
01-16-2013 05:53 AM
Hei Mattias, how are you?
The vcs firewall guide does not help you here.
If I see it right the 4043 and 4044 tcp ports are used for the endeavour (Cisco inTouch 8) communication & upgrades.
So no malware :-)
You can be pretty sure that you can close it from external networks. An inTouch would most likely be connected to the secondary port or the local network anyhow.
I would do it vice versa: close everything and just open ssh & http(s) to networks which need management access, and only allow the needed media ports and signaling from the outside.
You find the media ports used by TC5.1 in the admin guide:
Value space:
Dynamic: The system will allocate which ports to use when opening a TCP connection. The reason for doing this is to avoid using the same ports for subsequent calls, as some firewalls consider this as a sign of attack. When Dynamic is selected, the H.323 ports used are from 11000 to 20999. Once 20999 is reached they restart again at 11000. For RTP and RTCP media data, the system is using UDP ports in the range 2326 to 2487. Each media channel is using two adjacent ports, i.e. 2330 and 2331 for RTP and RTCP respectively. The ports are automatically selected by the system within the given range. Firewall administrators should not try to deduce which ports are used when, as the allocation schema within the mentioned range may change without any further notice.
Static: When set to Static the ports are given within a static predefined range [5555-6555].
Which signaling ports shall be open depends also on the deployment.
In general 1720/tcp for H.323 and 5060 (udp/tcp) or 5061 (tcp-tls).
If the systems are connected to a VCS-E no ports need to be open from the outside at all.
It's enough to allow outbound connections and the answers back in, and it works fine if an n>m NAT is involved.
If the system is located on a public IP I would think of blocking/disabling SIP, as there are a lot of scan calls going on on the internet which will just annoy the user of the system.
Please remember to rate helpful responses and identify
01-16-2013 05:59 AM
Hello,
these ports are used by the TelePresence Touch panel to check the version and to upgrade it.
[dderidde-ex90-home:/etc/xinetd.d] $ pwd
/etc/xinetd.d
[dderidde-ex90-home:/etc/xinetd.d] $ cat endeavour-upgrade
service endeavour-poke
{
        type            = UNLISTED
        flags           = IPV6
        port            = 4044
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /bin/endeavour-upgrade-info
        log_on_failure  += USERID
}
[dderidde-ex90-home:/etc/xinetd.d] $ ls ende*
endeavour-dl  endeavour-upgrade
[dderidde-ex90-home:/etc/xinetd.d] $ cat endeavour-dl
service endeavour-dl
{
        type            = UNLISTED
        flags           = IPV6
        port            = 4043
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /extra/bin/rsync
        server_args     = --daemon --config=/etc/rsyncd.endeavour.conf
        log_on_failure  += USERID
}
[dderidde-ex90-home:/etc/xinetd.d] $
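As an added example (not code from the thread, from Cisco or from the TC software), the Python below reads xinetd service definitions like the two listed above and sorts every enabled listener into the perimeter zones the earlier answer recommends: management from trusted networks only, signaling from outside only where the deployment needs it, everything else (including 4043/4044) closed. The zone names, the port sets and the abridged service text are this example's assumptions.

```python
"""Inventory xinetd listeners and sort them into perimeter-firewall zones.
Added example (not from the thread or Cisco); the zone policy is an assumption."""
import re

XINETD_FILES = {  # constructed input: the two files from the post, abridged
    "endeavour-upgrade": "service endeavour-poke\n{\n port = 4044\n"
        " disable = no\n user = root\n server = /bin/endeavour-upgrade-info\n"
        " log_on_failure += USERID\n}\n",
    "endeavour-dl": "service endeavour-dl\n{\n port = 4043\n disable = no\n"
        " user = root\n server = /extra/bin/rsync\n"
        " server_args = --daemon --config=/etc/rsyncd.endeavour.conf\n"
        " log_on_failure += USERID\n}\n",
}

MANAGEMENT = {22, 80, 443}        # ssh, http(s): trusted management nets only
SIGNALING = {1720, 5060, 5061}    # h323, sip, sip-tls: outside only if needed

_SERVICE_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_xinetd(text):
    """Return one dict per 'service name { key = value ... }' block."""
    services = []
    for name, body in _SERVICE_RE.findall(text):
        attrs = {"name": name}
        for line in body.splitlines():
            m = re.match(r"\s*(\w+)\s*\+?=\s*(.*\S)", line)  # '=' or '+='
            if m:
                attrs[m.group(1)] = m.group(2)
        services.append(attrs)
    return services

def classify(port):
    """Which zone may reach this TCP port under the assumed policy."""
    if port in MANAGEMENT:
        return "trusted-management-only"
    if port in SIGNALING:
        return "outside-if-deployment-needs-it"
    return "block-at-perimeter"  # 4043/4044: Touch-panel traffic, LAN only

def audit(files):
    """(name, port, user, server, zone) for every enabled listener."""
    findings = []
    for svc in (s for text in files.values() for s in parse_xinetd(text)):
        if svc.get("disable", "no").lower() == "yes":
            continue  # disabled service: nothing is listening
        port = int(svc["port"])
        findings.append((svc["name"], port, svc.get("user"),
                         svc.get("server"), classify(port)))
    return sorted(findings, key=lambda f: f[1])
```

Running audit() over a codec's real /etc/xinetd.d contents gives the list of listeners to reconcile with the perimeter rules; both services here run as root and land in the block-at-perimeter zone.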
01-16-2013 06:44 AM
Thanx Martin, once I read it I remembered
01-16-2013 06:43 AM
Thanx, once I read it I remembered