Pexip Infinity port usage and firewall guidance
The diagrams and tables below show the ports used when the Management Node and Conferencing Nodes connect to other devices.
Firewall, routing and NAT guidance
Note that in all Pexip Infinity deployment scenarios:
- The Management Node must be able to reach all Conferencing Nodes (Proxying Edge Nodes and Transcoding Conferencing Nodes) and vice versa.
- Each Conferencing Node must be able to reach every other Conferencing Node (Proxying Edge Nodes and Transcoding Conferencing Nodes), except that when a location contains Proxying Edge Nodes, those nodes only require IPsec connectivity with:
  - any other proxying nodes in that location
  - all nodes in the transcoding location, and in the primary and secondary overflow locations, that are associated with that location
  - the Management Node.
  This means that the proxying nodes in one location do not need to have a direct network connection to proxying nodes in other locations.
- Any internal firewalls must be configured to allow UDP port 500 and traffic using IP protocol 50 (ESP) in both directions between all Pexip nodes.
- There cannot be a NAT between any Pexip nodes.
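As an added example (not Pexip's own code or configuration), the following Python encodes the inter-node reachability rules above for a constructed sample topology and emits the matching nftables allow rules for ISAKMP (UDP 500) and ESP (IP protocol 50) in both directions; the node names, addresses, location layout and chain name are assumptions.

```python
from itertools import combinations

# Constructed sample topology (not from the page): name -> (role, location, primary address)
NODES = {
    "mgmt":    ("management",  "dc1",    "10.0.0.10"),
    "tx-dc1a": ("transcoding", "dc1",    "10.0.1.11"),
    "tx-dc1b": ("transcoding", "dc1",    "10.0.1.12"),
    "tx-dc2":  ("transcoding", "dc2",    "10.0.2.11"),
    "px-lon":  ("proxying",    "london", "10.1.0.11"),
    "px-lon2": ("proxying",    "london", "10.1.0.12"),
    "px-osl":  ("proxying",    "oslo",   "10.2.0.11"),
}
# Constructed: proxying location -> its transcoding location plus the primary
# and secondary overflow locations associated with it.
MEDIA_LOCATIONS = {"london": {"dc1", "dc2"}, "oslo": {"dc2"}}


def needs_ipsec(a, b):
    """True if nodes a and b must have UDP 500 + ESP (IP protocol 50) reachability."""
    ra, la, _ = NODES[a]
    rb, lb, _ = NODES[b]
    if "management" in (ra, rb):          # Management Node <-> every node, both ways
        return True
    for (r1, l1), (r2, l2) in (((ra, la), (rb, lb)), ((rb, lb), (ra, la))):
        if r1 == "proxying":              # Proxying Edge Node exception
            if r2 == "proxying":
                return l1 == l2           # only proxying nodes in the same location
            return l2 in MEDIA_LOCATIONS[l1]  # all nodes in its transcoding/overflow locations
    return True                           # transcoding <-> transcoding: always


def required_pairs():
    """Every unordered node pair the internal firewalls must pass IPsec for."""
    return [p for p in combinations(sorted(NODES), 2) if needs_ipsec(*p)]


def nft_rules(chain="pexip-internode"):
    """Emit nftables rules (as text, not applied) for ISAKMP and ESP in both directions per pair."""
    rules = []
    for a, b in required_pairs():
        for src, dst in ((NODES[a][2], NODES[b][2]), (NODES[b][2], NODES[a][2])):
            base = f"add rule inet filter {chain} ip saddr {src} ip daddr {dst}"
            rules.append(f"{base} udp dport 500 accept")      # ISAKMP / IKE
            rules.append(f"{base} ip protocol esp accept")    # IP protocol 50
    return rules


if __name__ == "__main__":
    print("\n".join(nft_rules()))
```

Because the rules are address-pair specific, any NAT between two nodes would break the match, which is why the guidance above forbids it.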
When a secondary network address is configured on a Conferencing Node:
- The primary address is always used for inter-node communication to the Management Node and to other Conferencing Nodes.
- SSH connections can be made only to the primary interface.
- The secondary address is always used for signaling and media (to endpoints and other video devices).
- Connections to DNS, SNMP, NTP, syslog and so on, go out from whichever interface is appropriate, based on routing.
- You can have a mixture of any number of single-interfaced and dual-interfaced Conferencing Nodes, providing all nodes can communicate with each other via their primary interfaces.
Inter-node communication (Conferencing Nodes and Management Node)
These are the port usage rules for all inter-node communication (local and remote) — between Conferencing Nodes, and between the Management Node and Conferencing Nodes:
Source address | Source port | Destination address | Dest. port | Protocol | Notes |
---|---|---|---|---|---|
Management Node | 500 | Conferencing Node | 500 | UDP | ISAKMP (IPsec) inter-node communication |
Management Node | n/a | Conferencing Node | n/a | ESP | IPsec / IP Protocol 50 inter-node communication |
Conferencing Node | 500 | Management Node / Conferencing Node | 500 | UDP | ISAKMP (IPsec) inter-node communication |
Conferencing Node | n/a | Management Node / Conferencing Node | n/a | ESP | IPsec / IP Protocol 50 inter-node communication |
Port requirements for inter-node communication
Administration access
These are the port usage rules for administrative access to the Management Node and Conferencing Nodes:
Source address | Source port | Destination address | Dest. port | Protocol | Notes |
---|---|---|---|---|---|
SSH client | <any> | Management Node / Conferencing Node | 22 | TCP | SSH |
Web browser / API workstation | <any> | Management Node | 80 | TCP (HTTP/HTTPS) | Management web and API administration |
Web browser / API workstation | <any> | Conferencing Node | 8443 | TCP (HTTPS) | Provisioning a Conferencing Node (primarily for Azure/GCP/AWS deployments) |
Port requirements for administrative access
Peripheral services
These are the port usage rules for the mandatory and optional peripheral services used by the Management Node and Conferencing Nodes:
Source address | Source port | Destination address | Dest. port | Protocol | Notes |
---|---|---|---|---|---|
Standard features | |||||
Management Node / Conferencing Node | 55000–65535 | DNS server | 53 | TCP/UDP | DNS |
Management Node / Conferencing Node | 123, 55000–65535 | NTP server | 123 | UDP | NTP |
Management Node | 55000–65535 | Pexip Licensing server (activation.pexip.com) | 443 | TCP (HTTPS) | Platform licensing requests |
Secure Scheduler for Exchange only | |||||
Management Node | <any> | Exchange server (for Exchange on-premises) | 443 | TCP (HTTPS) | |
Management Node | <any> | login.microsoftonline.com (for Microsoft 365) | 443 | TCP (HTTPS) | |
Management Node | <any> | Kerberos Key Distribution Center (KDC) (if Kerberos Authentication is enabled) | 88 | TCP/UDP | |
Management Node | <any> | KDC Proxy (if Kerberos Authentication and Kerberos KDC HTTPS proxy is enabled) | 443 | TCP (HTTPS) | |
Management Node | <any> | Load balancer (if in use) | 443 | TCP (HTTPS) | |
Conferencing Node | <any> | User OAuth token URI (if personal VMRs are enabled) | 443 | TCP (HTTPS) | |
Outlook client/add-in | <any> | Add-in server FQDN (Conferencing Node / reverse proxy) | 443 | TCP (HTTPS) | Must be reachable either directly, or by using split DNS. |
Outlook client/add-in | <any> | https://appsforoffice.microsoft.com | 443 | TCP (HTTPS) | Not required if resources are hosted locally. |
One-Touch Join only | |||||
Management Node / Conferencing Node | 55000–65535 | Web proxy (optional) | 8080 | TCP | HTTP web proxy |
Management Node | 55000–65535 | OAuth token endpoint | 443 | TCP (HTTPS) | Not required if a web proxy is used |
Conferencing Node | 55000–65535 | OAuth token endpoint | 443 | TCP (HTTPS) | Not required if a web proxy is used |
Conferencing Node | 55000–65535 | graph.microsoft.com (for O365 Graph Integrations) | 443 | TCP (HTTPS) | Not required if a web proxy is used |
Conferencing Node | 55000–65535 | Exchange on-premises or Office 365 (for Exchange Integrations or O365 EWS Integrations) | 80/443 | TCP (HTTP/HTTPS) | Not required if a web proxy is used |
Conferencing Node | 55000–65535 | googleapis.com (for Google Workspace Integrations) | 443 | TCP (HTTPS) | Not required if a web proxy is used |
Conferencing Node | 55000–65535 | Cisco endpoint API | 80/443 | TCP (HTTP/HTTPS) | Not required if a web proxy is used |
Conferencing Node | 55000–65535 | Cisco Webex cloud (webexapis.com) | 443 | TCP (HTTPS) | Not required if a web proxy is used |
Poly endpoint | <any> | Conferencing Node | 443 | TCP (HTTPS) | |
Other additional features (ports only required if the relevant feature is configured) | |||||
SNMP server | <any> | Management Node / Conferencing Node | 161 | UDP | SNMP |
Management Node | 55000–65535 | FTP server | 21 + server’s FTP port range | TCP | FTP server for daily backup files |
Management Node | 55000–65535 | LDAP server | 389 / 636; 3268 / 3269 | TCP | LDAP / LDAPS (389 / 636); AD global catalog searches (3268 / 3269) |
Management Node / Conferencing Node | 55000–65535 | Web proxy | 8080 | TCP | HTTP web proxy |
Management Node / Conferencing Node | 55000–65535 | Incident reporting server (acr.pexip.com) | 443 | TCP (HTTPS) | Incident reporting |
Management Node | 55000–65535 | Usage statistics server (api.keen.io) | 443 | TCP (HTTPS) | Usage statistics |
Management Node | 55000–65535 | Cloud service | 443 | TCP (HTTPS) | Dynamic bursting to a cloud service provider |
Management Node | ephemeral | Teams Connector Azure Event Hub | 5671 | AMQPS | Only required if the Azure Event Hub is enabled for advanced status reporting in a Microsoft Teams integration |
Management Node | 55000–65535 | SMTP server | 587 | TCP | SMTP (provisioning emails) |
Management Node / Conferencing Node | <any> | SNMP NMS | 161 | UDP | SNMP Network Management System (NMS) |
Management Node / Conferencing Node | 55000–65535 | Syslog server | 514 | UDP | Syslog |
Management Node / Conferencing Node | 55000–65535 | OIDC server | 443 | TCP (HTTPS) | Single Sign-On (SSO) with OpenID Connect |
Conferencing Node | 55000–65535 | AD FS server | 443 | TCP (HTTPS) | Single Sign-On (SSO) with AD FS |
Conferencing Node | 55000–65535 | Event sink server | 80/443 | TCP (HTTP/HTTPS) | Event sink |
Conferencing Node | 55000–65535 | Epic server | 443 | TCP (HTTPS) | Epic telehealth REST API requests |
Conferencing Node | 55000–65535 | External policy server | 443 | TCP (HTTPS) | External policy server REST API requests |
Conferencing Node | <any> | AI Media Server (AIMS) | 443 | TCP (HTTPS) | Live captions service |
Cisco endpoint | <any> | Conferencing Node | 443 | TCP (HTTPS) | Meeting Controls macro |
Note also that the ephemeral port range (55000–65535) is subject to change.
Port requirements for peripheral services (only the most commonly-used services are shown)
Conferencing Node call signaling and media
These port usage rules for call signaling and media apply to Proxying Edge Nodes and Transcoding Conferencing Nodes:
Source address | Source port | Destination address | Dest. port | Protocol | Notes |
---|---|---|---|---|---|
Standard call signaling and media | |||||
Endpoint | <any> | Conferencing Node | 80 | TCP (HTTP) | Redirects to HTTPS for web/API access, and for Skype for Business conference avatars (if SfB is in use) |
Endpoint | <any> | Conferencing Node | 443 | TCP (HTTPS) | Web browser/ API interface / Connect mobile app |
Endpoint / call control system | <any> | Conferencing Node | 5060 | TCP | SIP |
Endpoint / call control system | <any> | Conferencing Node | 5061 | TCP | SIP/TLS |
Endpoint / call control system / Skype for Business / Lync system / Pexip app | <any> | Conferencing Node | 40000–49999 | TCP/UDP | RTP / RTCP / RDP / VbSS / DTLS / STUN / TURN |
Conferencing Node | 33000–39999 | Endpoint / call control system | 5060 | TCP/UDP | SIP |
Conferencing Node | 33000–39999 | Endpoint / call control system | 5061 | TCP | SIP/TLS |
Conferencing Node | 40000–49999 | Endpoint / call control system / Skype for Business / Lync system / Pexip app | <any> | TCP/UDP | RTP / RTCP / RDP / VbSS / DTLS / STUN / TURN |
Conferencing Node | 40000–49999 | STUN / TURN server | 3478 | UDP | STUN / TURN |
Conferencing Node | 40000–49999 | RTMP streaming server | 1935 | TCP | RTMP streaming |
Conferencing Node | 55000–65535 | SfB/Lync Web Conferencing service | 443 / 8057 | TCP (TLS) | PSOM (PowerPoint presentation from SfB/Lync) |
Conferencing Node | 55000–65535 | SfB/Lync Front End Server or Edge Server and WAC/OWA/OOS server | 443 | TCP (TLS/HTTPS) | PowerPoint presentation from SfB/Lync |
Endpoint / call control system | <any> | Conferencing Node | 5060 | UDP | SIP UDP (if enabled) |
H.323 only | |||||
Endpoint / call control system | <any> | Conferencing Node | 1719 | UDP | H.323 (RAS signaling) |
Endpoint / call control system | <any> | Conferencing Node | 1720 | TCP | H.323 (H.225/Q.931 signaling) |
Endpoint / call control system | <any> | Conferencing Node | 33000–39999 | TCP | H.323 (H.245 signaling) |
Conferencing Node | 33000–39999 | Endpoint / call control system | 1719 | UDP | H.323 (RAS signaling) |
Conferencing Node | 33000–39999 | Endpoint / call control system | 1720 / <any> | TCP | H.323 (H.225/Q.931 signaling) (to <any> if the device is registered to Pexip Infinity) |
Conferencing Node | 33000–39999 | Endpoint / call control system | <any> | TCP | H.323 (H.245 signaling) |
Microsoft Teams only | |||||
Client application | <any> | Conferencing Node | 443 | TCP (HTTPS) | Microsoft Teams (client application viewing the meeting invitation Alternative Dial Instructions) |
Teams Connector | ephemeral | Conferencing Node | 443 / 4277 | TCP | Microsoft Teams signaling |
Teams Connector | 50000–54999 | Conferencing Node | 40000–49999 | UDP | Microsoft Teams SRTP/SRTCP |
Conferencing Node | 33000–39999 | Teams Connector load balancer / Teams Connector instance | 443 | TCP (HTTPS) | Microsoft Teams |
Conferencing Node | 40000–49999 | Teams Connector instance | 50000–54999 | UDP | Microsoft Teams SRTP/SRTCP |
Google Meet only | |||||
Google Meet | 19302–19309 | Conferencing Node | 40000–49999 | UDP | Google Meet SRTP/SRTCP |
Conferencing Node | 33000–39999 | Google Meet (hangouts.clients6.google.com and meetings.googleapis.com) | 443 | TCP (HTTPS) | Google Meet |
Conferencing Node | 40000–49999 | Google Meet | 19302–19309 | UDP | Google Meet SRTP/SRTCP |
Note also that: