Firewall Requirements

Last Updated: Jun 16, 2017 11:07AM CEST

Intro:

This document describes how to configure your router/network to use services from Videonor. It's intended for network administrators and others who configure network routing and firewalls to prepare a video deployment.

It's expected that you have at least a basic understanding of networking, IP addresses and router capabilities. Any configuration of routers and network equipment is beyond the scope of this document; you're expected to be able to do such configurations yourself.

Unless you have done so already, please have a look at this article regarding more advanced router features that might affect the video traffic.



Rule-set for endpoints deployed behind router that performs NAT


Endpoints deployed behind NAT need outbound access to our networks in order to make/receive calls and media. There is no need to enable inbound access in the firewall.

This rule set will allow communication for all endpoints connected to Videonor.

From Trust to Untrust (outbound/established)

Ports                                          Comment
TCP/443 /1720 /2776 /2777 /5060 /5061 /5222    provisioning/signaling
TCP/443 /389 /636                              phonebook
UDP/123                                        ntp **
UDP/1719 /2776 /2777 /3478                     signaling and media
UDP/20000-65535                                RTP/RTCP (media)


From Untrust to Trust (inbound)

Allow return traffic on established sessions. No direct inbound access is required.
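As an added example that is not part of the Videonor article, the following POSIX shell script prints Linux iptables rules implementing the NAT rule set above. The interface names (eth1 for Trust, eth0 for Untrust), the use of the FORWARD chain and the availability of the conntrack match are assumptions; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from the Videonor article: print Linux iptables rules that
# implement the "behind NAT" rule set. Assumptions: eth1 is the LAN side where
# the endpoints sit, eth0 faces the Internet, endpoint traffic crosses the
# FORWARD chain, and the conntrack match is available. Rules are printed so
# they can be reviewed first; run the output as root to apply them.
LAN_IF="${LAN_IF:-eth1}"   # assumed LAN (Trust) interface
WAN_IF="${WAN_IF:-eth0}"   # assumed Internet (Untrust) interface

videonor_nat_rules() {
    # Both directions: packets belonging to a session an endpoint opened.
    # This is the only rule that lets Untrust -> Trust traffic through.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Trust -> Untrust: new sessions only on the ports from the table.
    for p in 443 1720 2776 2777 5060 5061 5222 389 636; do   # provisioning/signaling/phonebook
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in 123 1719 2776 2777 3478; do                      # ntp, signaling and media
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # RTP/RTCP media range
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 20000:65535 -m conntrack --ctstate NEW -j ACCEPT"

    # Untrust -> Trust: nothing else; no inbound port is opened.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -j DROP"
}

videonor_nat_rules
```

Because the ESTABLISHED,RELATED rule is the only one matching the Untrust-to-Trust direction, return media for calls the endpoint set up passes while any unsolicited inbound connection is dropped.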




Rule-set for endpoints deployed without NAT

Our infrastructure compares the address carried in incoming signaling with the packet's source IP in order to detect NAT. If no NAT is detected between the endpoint and our infrastructure, it assumes that the endpoint can receive media directly without forcing it through relays. In such cases, media may not belong to an already established session, so inbound access to the endpoint must be opened.

From Trust to Untrust (outbound)

Ports                                          Comment
TCP/443 /389 /636 /1720 /5060 /5061 /5222      phonebook/provisioning/signaling
UDP/123 /1719 /3478                            ntp/signaling
UDP/1024-65535 *                               media


* In some cases, your endpoint will be sending media to proxies/endpoints that are not deployed by Videonor, and you never know which ports they want you to send media on. By opening UDP/1024-65535 for outbound access, a media connection to any external endpoint is ensured.

From Untrust to Trust (inbound)

Ports                     Source    Comment
TCP/1720 /5061 /5060 **   ANY       signaling
UDP/1024-65535 **         ANY       signaling and media


** The "inbound" config for endpoints deployed on publicly routable IP addresses will vary a bit, and the suggested signaling ports here will work for most endpoints unless the endpoint has been configured to use non-standard ports. Different vendors often use different ports for media, and in many cases these port ranges are configurable as well. The UDP/1024-65535 range will work for all endpoints that receive media over UDP, but we strongly recommend that you check the appropriate documentation for the endpoint you are deploying in order to narrow this down to the range that is actually used by the endpoint.

Inbound ports for Jabber Video (as provisioned by Videonor)

Ports (Jabber Video)        Source    Comment
TCP/5061                    ANY       inbound signaling
UDP/21000-21900 /3478       ANY       inbound media


Example setup for "Inbound ports" for a Cisco TelePresence EX90 endpoint (Warning: this is from the default config and might not work in your case. Again, please verify this on your endpoint.)

Ports (EX90 example)        Source    Comment
TCP/5061 /5060              ANY       inbound signaling
UDP/2326-2486 /3478         ANY       inbound media



Rule-set for virtual meeting rooms


Videonor has multiple solutions for virtual meeting rooms, and the media port ranges vary between the different solutions. This article provides the complete range for all solutions. If you need to limit the port range for media, please get in touch with Videonor Support.

From Trust to Untrust (outbound/established)

Ports                  Comment
TCP/80 /443            signaling
UDP/3478               TURN
UDP/32768-65535        Applies to Lync / S4B
UDP/40000-51000        RTP/RTCP/RDP/DTLS/RTMP/STUN/TURN (media)
TCP/40000-49999        Applies to browser participants not using WebRTC (Safari, IE)


From Untrust to Trust (inbound)

Allow return traffic on established sessions. No direct inbound access is required.



This concludes this guide. If you have questions/comments, please submit a case and let us know.
