messages, i.e. UDP/1719. While it is possible
to change this port on the VCS Expressway,
most endpoints will not support connections to
ports other than UDP/1719. We therefore
recommend that this be left as the default.

Each traversal server zone specifies an

H.323

port

and a

SIP port

to be used for the initial

connection from the client.
Each time you configure a new traversal
server zone on the VCS Expressway, you will
be allocated default port numbers for these
connections:

H.323 ports will start at UDP/6001 and

•

increment by 1 for every new traversal
server zone
SIP ports will start at TCP/7001 and

•

increment by 1 for every new traversal
server zone.

You can change these default ports if
necessary but you must ensure that the ports
are unique for each traversal server zone.
Once the H.323 and SIP ports have been set
on the VCS Expressway, matching ports must
be configured on the corresponding traversal
client.

For connections to the VCS Expressway using
the

H.460.18/19

protocols, the default ports

are:

Call signaling

UDP/1719: listening port for RAS messages

•

TCP/1720: listening port for H.225 protocol

•

TCP/2777: listening port for H.245 protocol

•

Media

UDP/2776: RTP media port

•

UDP/2777: RTCP media control port

•

For connections to the VCS Expressway using
the

Assent

protocol, the default ports are:

Call signaling

UDP/1719: listening port for RAS

•

messages
TCP/2776: listening port for H.225 and

•

H.245 protocols

Media

UDP/2776: RTP media port

•

UDP/2777: RTCP media control port

•

Ports for Initial Connections from

Traversal Clients

Assent Ports

H.460.18/19 Ports

SIP Ports

In situations where the VCS Expressway is
attempting to connect to an endpoint on the
public internet, you will not know the exact
port(s) on the endpoint to which the connection
will be made. This is because the ports to
be used are determined by the endpoint and
advised to the VCS Expressway only once the
server has located the endpoint on the public
internet. This may cause problems if your VCS
Expressway is located within a DMZ (i.e. there
is a firewall between the VCS Expressway and
the public internet) as you will not be able to
specify in advance rules that will allow you to
connect out to the endpoint’s ports.
You can however specify the ports on the
VCS Expressway that will be used for calls
to and from endpoints on the public internet
so that your firewall administrator can allow
connections via these ports. The ports that
can be configured for this purpose are:

H.323

TCP/1720: signaling

•

UDP/1719: signaling

•

UDP/50,000-51199: media

•

TCP/15,000-19999: signaling

•

SIP

TCP/5061: signaling

•

UDP/5060 (default): signaling

•

UDP/50,000-51199: media

•

TCP: a temporary port in the range

•

25000-29999 is allocated.

STUN

3478/UDP (default): STUN Discovery

•

4678/UDP: (default): STUN Relay

•

60000-61200/UDP (default range): media

•

The VCS Expressway can be enabled to provide

STUN services

(STUN Relay and STUN Binding

Discovery) which can be used by SIP endpoints
which support the

ICE firewall traversal

protocol

The ports used by these services are
configurable via:

VCS Configuration > Expressway > STUN

•

xConfiguration Traversal Server

•

STUN

The ICE clients on each of the SIP endpoints
must be able to discover these ports, either via
SRV records in DNS or by direct configuration.

Ports for Connections out to the

Public Internet

STUN Ports

If your VCS Expressway does not have any endpoints registering directly with it, and it has
no Alternates configured, then UDP/1719 is not required. You therefore do not need to
allow outbound connections to this port through the firewall between the VCS Control and

VCS Expressway.

You must allow outbound connections
through your firewall to each of the
unique SIP and H.323 ports that are

configured on each of the VCS Expressway’s
traversal server zones.