
SX20 \ MX200 standalone H.323 ports

Hi Guys,

Topic is pretty explicative: I'm looking for a detailed list of TCP\UDP ports (inbound\outbound) that need to be opened on the corporate firewall to let the MX200 and SX20 work standalone. So far I have found details for C-Series:

  • Gatekeeper Discovery (RAS)    Port 1719    UDP
  • Q.931 call Setup    Port 1720    TCP
  • H.245(Static)    Port Range 5555-6555    TCP
  • Video*    Port Range 2326-2485    UDP
  • Audio*    Port Range 2326-2485    UDP
  • Data/FECC    Port Range 2326-2485    UDP

Even if not specified, I assume these are inbound ports (WAN -> LAN), having "ANY" for outbound ports (LAN -> WAN).

Does anybody have some sort of "magic table" I can use?

Thanks for your precious help.

Regards

Dan

9 Replies

Patrick Sparkman
VIP Alumni

C-Series port information I believe would apply for the SX and MX series; they both utilize either a C-Series codec or a flavor of it.

Hi Team

I have configured MX200 standalone H.323 services, but I'm getting fake unwanted calls on my endpoint screen. How can I prevent this? Is there any way?

Thanks

You can turn off SIP under NetworkServices, but there will still be some calls that might come across as H323.

Putting it behind your firewall and restricting incoming traffic from known IPs that you want to conference with is really the only option to completely stop toll fraud calls.  Giving the endpoint a public IP address is not recommended as it makes it vulnerable to attackers and those trying to use it for toll fraud.

If you search the forums for "unwanted calls", you'll find many discussions regarding this and possible solutions.

Thanks Patrick, but it will not make toll fraud for my system because it's only a standalone system; there is no PBX and SBC connected ITSP for SIP & H.323 services.

We did make static not private MX300 IP to public IP on FW.

Thanks a lot.

There are systems out on the internet that are performing scans and probing for possible systems to exploit; they're scanning for the known open ports that could be used, and attempt a call when one is found. Most of the calls will be over SIP, which is why I recommend you turn SIP off, but on occasion you might have a few trying H323, which there is no way to mitigate unless you restrict access on your firewall.

Tomonori Taniguchi
Cisco Employee

Port range is correct.

For H.323:

  • Gatekeeper Discovery (RAS): Port 1719 (UDP)
  • Q.931 call Setup: Port 1720 (TCP)
  • H.245(Static): Port Range 5555-6555 (TCP)
  • H.245(Dynamic): Port Range 11000-20999 (TCP)
  • Video*: Port Range 2326-2485 (UDP)
  • Audio*: Port Range 2326-2485 (UDP)
  • Data/FECC*: Port Range 2326-2485 (UDP)

         *Configurable by "RTP Ports Range Start" and "RTP Ports Range Stop"

Please note, a restart of the endpoint is required after modifying the Static/Dynamic port configuration before the change takes effect.
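Added example, not part of any post in this thread: a Python sketch of the firewall restriction discussed above, built on the port table from this reply. It makes a default-deny inbound decision limited to trusted peer addresses and audits a rule list for H.323 ports left open to any source; the peer addresses, rule format and function names are constructed for illustration.

```python
import ipaddress

# Inbound H.323 ports for a standalone endpoint, as listed in this thread.
H323_PORTS = [
    ("udp", 1719, 1719, "RAS gatekeeper discovery"),
    ("tcp", 1720, 1720, "Q.931 call setup"),
    ("tcp", 5555, 6555, "H.245 static"),
    ("tcp", 11000, 20999, "H.245 dynamic"),
    ("udp", 2326, 2485, "RTP audio/video/FECC"),
]

# Constructed sample data (documentation address ranges), not from the thread.
TRUSTED = ["198.51.100.0/28", "203.0.113.7/32"]
RULES = [
    {"id": 1, "action": "accept", "src": "0.0.0.0/0", "proto": "tcp", "lo": 1720, "hi": 1720},
    {"id": 2, "action": "accept", "src": "198.51.100.0/28", "proto": "udp", "lo": 2326, "hi": 2485},
    {"id": 3, "action": "accept", "src": "0.0.0.0/0", "proto": "udp", "lo": 2000, "hi": 3000},
]

def h323_service(proto, port):
    """Return the service name if proto/port is in the table above, else None."""
    for p, lo, hi, name in H323_PORTS:
        if p == proto and lo <= port <= hi:
            return name
    return None

def decide(src_ip, proto, dport, trusted_peers):
    """Default-deny inbound decision: only H.323 ports, only from trusted peers."""
    service = h323_service(proto, dport)
    if service is None:
        return ("drop", "port not used by H.323")
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(net) for net in trusted_peers):
        return ("accept", service)
    return ("drop", service + " from untrusted source")

def audit_rules(rules):
    """Flag accept rules that open an H.323 port range to any source address."""
    findings = []
    for r in rules:
        if r["action"] != "accept" or ipaddress.ip_network(r["src"]).prefixlen != 0:
            continue
        for p, lo, hi, name in H323_PORTS:
            if r["proto"] == p and r["lo"] <= hi and lo <= r["hi"]:
                findings.append((r["id"], name))
    return findings

if __name__ == "__main__":
    print(audit_rules(RULES))
    print(decide("192.0.2.50", "tcp", 1720, TRUSTED))
```

Rule 3 in the sample is flagged even though it was not written for H.323, because its wide UDP range overlaps the RTP range.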

Tomonori Taniguchi
Cisco Employee

> Even if not specified, I assume these are inbound ports (WAN -> LAN),
> having "ANY" for outbound ports (LAN -> WAN).
> Does anybody have some sort of "magic table" I can use?

This is a bit difficult, as the H.245 negotiation port and RTP port depend on the far-end device to specify.

If using a 3rd party, these port ranges are different from the Cisco Endpoint port range.

As Tomonori has stated, they are correct.

If you'd like a document that lists them all and some other port information, you could look at the following document.

Thanks Patrick & Tomonori,

With this recent endpoints galore, I was uncertain if changes were made on the port ranges!

Regards