12-21-2022 06:52 AM
Hi Community Members,
May I know what ports or applications are required for an Expressway-E MRA deployment? Currently I am working on creating a rule on the firewall. The direction is from the public internet to the DMZ. So far, from the Cisco documentation, I got the following. Am I missing some ports? Thank you.
8443; 5061; 5222; 3478; 36000-59999; 1024-65535; 3478-3483; 24000-29999;
12-22-2022 12:46 AM
This might help you, as it's a breakdown of the used ports that we have made for the entire MRA setup. Please note that we do not use IM&P, as we have moved from Jabber to Webex and that part is now cloud-based, so there is no need for us to have the XMPP port open.
<<<<<<<<<<<<<<<Rules from internet to E>>>>>>>>>>>>>>>
Off-premises endpoint (Outside) -> MRA-E External (Host-DMZ)
TCP
• 5061 SIP TLS (source >=1024)
• 8443 SIP TLS (source >=1024)
UDP
• 36000-59999 RTP/RTCP Ephemeral (source >=1024)
<<<<<<<<<<<<<<<Rules from E to internet>>>>>>>>>>>>>>>
MRA-E External (Host-DMZ) -> Off-premises endpoint (Outside)
TCP
• 53 DNS
• 443 TLS Ephemeral (source 30000-35999)
UDP
• 53 DNS
• 1024-65535 RTP/RTCP Ephemeral (source 36000-59999)
<<<<<<<<<<<<<<<Rules from E to inside>>>>>>>>>>>>>>>
MRA-E Internal (Proxy-DMZ) -> Corporate mail servers, NTP servers, log servers and SL server (Inside)
TCP
• 25 SMTP (source >=1024) limit access to mail servers
• 53 DNS Name lookup (source >=1024) limit access to DNS server
• 443 (HTTPS) Smart Licensing (source >=1024) limit access to SSMS SL server
• 514 Syslog (source 30000-35999) limit access to syslog servers
• 6514 Syslog (source 30000-35999) limit access to syslog servers
UDP
• 53 DNS Name lookup (source >=1024) limit access to DNS server
• 123 NTP (source >=1024) limit access to NTP servers
• 514 Syslog (source 30000-35999) limit access to syslog servers
<<<<<<<<<<<<<<<Rules from inside to E>>>>>>>>>>>>>>>
Inside hosts (Inside) -> MRA-E Internal (Proxy-DMZ)
TCP
• HTTP(S) Management (source >=1024) (could use the same filter as we have for VTY access on VGWs)
• SSH Management (source >=1024) (could use the same filter as we have for VTY access on VGWs)
UDP
• SNMP Management (source >=1024) (limit to SNMP servers as source IP)
<<<<<<<<<<<<<<<Rule from C to E>>>>>>>>>>>>>>>
MRA-C Internal (Inside) -> MRA-E Internal (Proxy-DMZ)
TCP
• 7001 SIP TCP/TLS tunnel (source 25000-29999)
• 2222 SIP TCP/TLS tunnel (source 30000-35999)
• 7400 SIP TCP/TLS tunnel (source 30000-35999)
UDP
• 36000-36011 RTP/RTCP Assent (source 36000-59999)
12-21-2022 07:40 AM
Check the IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide for Expressway.
This is publicly available on the internet.
12-21-2022 08:09 AM
12-21-2022 10:10 AM
You do not want or need to have all those ports open from the internet to the E node. As both @b.winter and @Nithin Eluvathingal have answered, this is documented in the deployment guide. I recommend that you read it multiple times before you embark on this, as you do not want to open any unneeded ports.
12-21-2022 04:56 PM
Hi Guys,
Actually I read the very same document as what Nithin posted. But I should admit that I did not examine the graph, just the tables.
So I just need to open the ports on Expressway E that is facing towards public internet, right? So it covers only 5061, 5222, 8443, and 36000-59999.
12-21-2022 08:15 PM
It's correct.
I always share this guide with the security team when they ask which ports need to be opened. The picture explains it very well.
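The thread settles on a minimal Internet -> Expressway-E allow list (TCP 5061, 5222 and 8443; UDP 36000-59999, with TCP 5222 dropped when IM&P is not in use, as in Roger's breakdown). The following is an added example, not code from the thread or from Cisco: it encodes that expected set and audits a proposed rule list against it, reporting what is missing and what is opened without justification. The rule text format ("tcp/5061", "udp/36000-59999") and the protocol assignments in the sample list (the original post gives port numbers only) are my own assumptions.

```python
"""Audit a proposed Internet -> Expressway-E rule set against the minimal MRA set.

Added example (not from the thread or Cisco). The expected set is the one the
thread settled on for the public-facing interface: TCP 5061, 5222, 8443 and
UDP 36000-59999, with TCP 5222 (XMPP) omitted when IM&P is not in use.
The "proto/lo-hi" rule syntax is an assumption made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp" or "udp"
    lo: int     # first destination port (inclusive)
    hi: int     # last destination port (inclusive)

    def __str__(self):
        return f"{self.proto}/{self.lo}" if self.lo == self.hi else f"{self.proto}/{self.lo}-{self.hi}"


def expected_inbound(imp_enabled=True):
    """Minimal Internet -> Expressway-E allow list as agreed in the thread."""
    rules = [Rule("tcp", 5061, 5061),    # SIP TLS
             Rule("tcp", 8443, 8443),    # HTTPS
             Rule("udp", 36000, 59999)]  # RTP/RTCP media
    if imp_enabled:
        rules.append(Rule("tcp", 5222, 5222))  # XMPP, only needed with IM&P
    return rules


def parse_rule(text):
    """'udp/36000-59999' -> Rule('udp', 36000, 59999); 'tcp/5061' -> Rule('tcp', 5061, 5061)."""
    proto, _, ports = text.strip().lower().partition("/")
    lo, _, hi = ports.partition("-")
    rule = Rule(proto, int(lo), int(hi or lo))
    if proto not in ("tcp", "udp") or not 1 <= rule.lo <= rule.hi <= 65535:
        raise ValueError(f"bad rule: {text!r}")
    return rule


def _subtract(lo, hi, cuts):
    """Remove every closed range in cuts from [lo, hi]; return the leftover pieces."""
    pieces = [(lo, hi)]
    for clo, chi in cuts:
        nxt = []
        for plo, phi in pieces:
            if chi < plo or clo > phi:   # no overlap: keep the whole piece
                nxt.append((plo, phi))
                continue
            if plo < clo:                # part left of the cut survives
                nxt.append((plo, clo - 1))
            if phi > chi:                # part right of the cut survives
                nxt.append((chi + 1, phi))
        pieces = nxt
    return pieces


def _merge(rules):
    """Coalesce overlapping or adjacent ranges per protocol so the report is readable."""
    out = []
    for r in sorted(rules, key=lambda r: (r.proto, r.lo, r.hi)):
        if out and out[-1].proto == r.proto and r.lo <= out[-1].hi + 1:
            out[-1] = Rule(r.proto, out[-1].lo, max(out[-1].hi, r.hi))
        else:
            out.append(r)
    return out


def audit(proposed, expected):
    """Return (missing, excess): expected ranges the proposal does not cover, and
    proposed ranges that nothing in the expected set justifies opening."""
    excess, missing = [], []
    for r in proposed:
        cuts = [(e.lo, e.hi) for e in expected if e.proto == r.proto]
        excess += [Rule(r.proto, a, b) for a, b in _subtract(r.lo, r.hi, cuts)]
    for e in expected:
        cuts = [(p.lo, p.hi) for p in proposed if p.proto == e.proto]
        missing += [Rule(e.proto, a, b) for a, b in _subtract(e.lo, e.hi, cuts)]
    return _merge(missing), _merge(excess)


# Constructed sample: the original poster's port list, with protocols assigned
# by me as an assumption (the post gives port numbers only).
PROPOSED = [parse_rule(t) for t in (
    "tcp/8443", "tcp/5061", "tcp/5222", "udp/3478", "udp/36000-59999",
    "udp/1024-65535", "udp/3478-3483", "udp/24000-29999")]

if __name__ == "__main__":
    missing, excess = audit(PROPOSED, expected_inbound(imp_enabled=True))
    print("missing:", [str(r) for r in missing])
    print("excess: ", [str(r) for r in excess])
```

Run against the original poster's list, the audit reports nothing missing and flags UDP 1024-35999 and 60000-65535 as excess (the 3478, 3478-3483 and 24000-29999 entries all fall inside the over-broad 1024-65535 range once merged). With `imp_enabled=False` it additionally flags TCP 5222, matching Roger's point that the XMPP port is only needed with IM&P.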
12-27-2022 11:57 PM
Thank you Roger for the insight!