Pexip Infinity port usage and firewall guidance
The diagrams and tables below show the ports used when the Management Node and Conferencing Nodes connect to other devices.
Firewall, routing and NAT guidance
Note that in all Pexip Infinity deployment scenarios:
- The Management Node must be able to reach all Conferencing Nodes (Proxying Edge Nodes and Transcoding Conferencing Nodes) and vice versa.
- Each Conferencing Node must be able to reach every other Conferencing Node (Proxying Edge Nodes and Transcoding Conferencing Nodes), except:
When a location contains Proxying Edge Nodes, those nodes only require IPsec connectivity with:
- any other proxying nodes in that location
- all nodes in the transcoding location, and the primary and secondary overflow locations that are associated with that location
- the Management Node.
This means that the proxying nodes in one location do not need to have a direct network connection to other proxying nodes in other locations.
- Any internal firewalls must be configured to allow UDP port 500 and traffic using IP protocol 50 (ESP) in both directions between all Pexip nodes.
- There cannot be a NAT between any Pexip nodes.
When a secondary network address is configured on a Conferencing Node:
- The primary address is always used for inter-node communication to the Management Node and to other Conferencing Nodes.
- SSH connections can be made only to the primary interface.
- The secondary address is always used for signaling and media (to endpoints and other video devices).
- Connections to DNS, SNMP, NTP, syslog and so on, go out from whichever interface is appropriate, based on routing.
- You can have a mixture of any number of single-interfaced and dual-interfaced Conferencing Nodes, providing all nodes can communicate with each other via their primary interfaces.
Inter-node communication (Conferencing Nodes and Management Node)
These are the port usage rules for all inter-node communication (local and remote) — between Conferencing Nodes, and between the Management Node and Conferencing Nodes:
| Source address | Source port | Destination address | Dest. port | Protocol | Notes |
|---|---|---|---|---|---|
| Management Node | 500 | Conferencing Node | 500 | UDP | ISAKMP (IPsec) inter-node communication |
| Management Node | n/a | Conferencing Node | n/a | ESP | IPsec / IP Protocol 50 inter-node communication |
| Conferencing Node | 500 | Management Node / Conferencing Node | 500 | UDP | ISAKMP (IPsec) inter-node communication |
| Conferencing Node | n/a | Management Node / Conferencing Node | n/a | ESP | IPsec / IP Protocol 50 inter-node communication |
Port requirements for inter-node communication
Administration access
These are the port usage rules for administrative access to the Management Node and Conferencing Nodes:
| Source address | Source port | Destination address | Dest. port | Protocol | Notes |
|---|---|---|---|---|---|
| SSH client | <any> | Management Node / Conferencing Node | 22 | TCP | SSH |
| Web browser / API workstation | <any> | Management Node | 80 |
TCP (HTTP/HTTPS) | Management web and API administration |
| Web browser / API workstation | <any> | Conferencing Node | 8443 | TCP (HTTPS) | Provisioning a Conferencing Node (primarily for Azure/GCP/AWS deployments) |
|
|
|||||
Port requirements for administrative access
Peripheral services
These are the port usage rules for the mandatory and optional peripheral services used by the Management Node and Conferencing Nodes:
| Source address | Source port | Destination address | Dest. port | Protocol | Notes |
|---|---|---|---|---|---|
| Standard features | |||||
| Management Node / Conferencing Node | 55000–65535 | DNS server | 53 | TCP/UDP | DNS |
| Management Node / Conferencing Node | 123, 55000–65535 | NTP server | 123 | UDP | NTP |
| Management Node | 55000–65535 | Pexip Licensing server (activation.pexip.com |
443 | TCP(HTTPS) | Platform licensing requests |
| Additional features (ports only required if the relevant feature is configured) | |||||
| SNMP server | <any> | Management Node / Conferencing Node | 161 | UDP | SNMP |
| Outlook client/add-in | <any> | Conferencing Node | 443 | TCP (HTTPS) | VMR Scheduling for Exchange |
| Management Node | 55000–65535 | FTP server | 21 + server’s FTP port range | TCP | FTP server for daily backup files |
| Management Node | 55000–65535 | LDAP server |
389 / 636 3268 / 3269 |
TCP |
LDAP AD global catalog searches |
| Management Node / Conferencing Node | 55000–65535 | Web proxy | 8080 |
TCP | HTTP web proxy |
| Management Node / Conferencing Node | 55000–65535 | Incident reporting server (acr.pexip.com) | 443 | TCP (HTTPS) | Incident reporting |
| Management Node | 55000–65535 | Usage statistics server (api.keen.io) | 443 | TCP (HTTPS) | Usage statistics |
| Management Node | <any> | Exchange server | 443 | TCP (HTTPS) | VMR Scheduling for Exchange |
| Management Node | 55000–65535 | Cloud service | 443 | TCP (HTTPS) | Dynamic bursting to a cloud service provider |
| Management Node | ephemeral | Teams Connector Azure Event Hub | 5671 | AMQPS | Only required if the Azure Event Hub is enabled for advanced status reporting in a Microsoft Teams integration |
| Management Node | 55000–65535 | SMTP server | 587 | TCP | SMTP (provisioning emails) |
| Management Node / Conferencing Node | <any> | SNMP NMS | 161 |
UDP | SNMP Network Management System (NMS) |
| Management Node / Conferencing Node | 55000–65535 | Syslog server | 514 |
UDP |
Syslog |
| Conferencing Node | 55000–65535 | Event sink server | 80/443 | TCP (HTTP/HTTPS) | Event sink |
| Conferencing Node | 55000–65535 | AD FS server | 443 | TCP (HTTPS) | Single Sign-On (SSO) with AD FS |
| Conferencing Node | 55000–65535 | OIDC server | 443 | TCP (HTTPS) | Single Sign-On (SSO) with OpenID Connect |
| Conferencing Node | 55000–65535 | Epic server | 443 | TCP (HTTPS) | Epic telehealth REST API requests |
| Management Node | 55000–65535 |
OAuth token endpoint
|
443 |
TCP (HTTPS) | One-Touch Join |
| Conferencing Node | 55000–65535 |
OAuth token endpoint
|
443 |
TCP (HTTPS) | One-Touch Join
|
| Conferencing Node | 55000–65535 | graph.microsoft.com (for O365 Graph Integrations) |
443 |
TCP (HTTPS) | One-Touch Join
|
| Conferencing Node | 55000–65535 | Exchange on-premises or Office 365 (for Exchange Integrations or O365 EWS Integrations) | 80/443 |
TCP (HTTP/HTTPS) | One-Touch Join |
| Conferencing Node | 55000–65535 | googleapis.com (for Google Workspace Integrations) |
443 | TCP (HTTPS) | One-Touch Join |
| Conferencing Node | 55000–65535 | Cisco endpoint API | 80/443 |
TCP (HTTP/HTTPS) | One-Touch Join |
| Conferencing Node | 55000–65535 | Cisco Webex cloud (webexapis.com) | 443 |
TCP (HTTPS) | One-Touch Join
|
| Poly endpoint | <any> | Conferencing Node | 443 | TCP (HTTPS) | One-Touch Join |
| Cisco endpoint | <any> | Conferencing Node | 443 | TCP (HTTPS) | Meeting Controls macro |
|
Note also that the ephemeral port range (55000–65535) is subject to change. Firewall connectivity to pexip.flexnetoperations.com is no longer required since 1 January 2022. |
|||||
Port requirements for peripheral services (only the most commonly-used services are shown)
Conferencing Node call signaling and media
These port usage rules for call signaling and media apply to Proxying Edge Nodes and Transcoding Conferencing Nodes:
| Source address | Source port | Destination address | Dest. port | Protocol | Notes |
|---|---|---|---|---|---|
| Standard call signaling and media | |||||
| Endpoint | <any> | Conferencing Node | 80 | TCP (HTTP) | Redirects to HTTPS for web/API access, and for Skype for Business conference avatars (if SfB is in use) |
| Endpoint | <any> | Conferencing Node | 443 | TCP (HTTPS) | Web browser/ API interface / Connect mobile app |
| Endpoint / call control system | <any> | Conferencing Node | 1719 | UDP | H.323 (RAS signaling) |
| Endpoint / call control system | <any> | Conferencing Node | 1720 | TCP | H.323 (H.225/Q.931 signaling) |
| Endpoint / call control system | <any> | Conferencing Node | 33000–39999 |
TCP | H.323 (H.245 signaling) |
| Endpoint / call control system | <any> | Conferencing Node | 5060 | TCP | SIP |
| Endpoint / call control system | <any> | Conferencing Node | 5061 | TCP | SIP/TLS |
| Endpoint / call control system | <any> | Conferencing Node | 40000–49999 |
TCP/UDP |
Endpoint / call control system / Skype for Business / Lync system / Connect app RTP / RTCP / RDP / VbSS / DTLS / STUN / TURN |
| Conferencing Node | 33000–39999 |
Endpoint / call control system | 1719 | UDP | H.323 (RAS signaling) |
| Conferencing Node | 33000–39999 |
Endpoint / call control system | 1720 / <any> | TCP |
H.323 (H.225/Q.931 signaling) (to <any> if the device is registered to Pexip Infinity) |
| Conferencing Node | 33000–39999 |
Endpoint / call control system | <any> | TCP | H.323 (H.245 signaling) |
| Conferencing Node | 33000–39999 |
Endpoint / call control system | 5060 | TCP/UDP | SIP |
| Conferencing Node | 33000–39999 |
Endpoint / call control system | 5061 | TCP | SIP/TLS |
| Conferencing Node | 40000–49999 |
Endpoint / call control system | <any> | TCP/UDP |
RTP / RTCP / RDP / VbSS / DTLS / STUN / TURN Endpoint / call control system / Skype for Business / Lync system / Connect app |
| Conferencing Node | 40000–49999 |
STUN / TURN server | 3478 |
UDP | STUN / TURN |
| Conferencing Node | 40000–49999 |
RTMP streaming server | 1935 | TCP | RTMP streaming |
| Conferencing Node | 55000–65535 | SfB/Lync Web Conferencing service | 443 / 8057 |
TCP (TLS) | PSOM (PowerPoint presentation from SfB/Lync) |
| Conferencing Node | 55000–65535 | SfB/Lync Front End Server or Edge Server and WAC/OWA/OOS server |
443 | TCP (TLS/HTTPS) | PowerPoint presentation from SfB/Lync |
| Additional features (ports only required if the relevant feature is configured) | |||||
| Endpoint / call control system | <any> | Conferencing Node | 5060 | UDP | SIP UDP |
| Google Meet |
19302–19309 | Conferencing Node | 40000–49999 |
UDP | Google Meet SRTP/SRTCP |
| Client application | <any> | Conferencing Node | 443 | TCP (HTTPS) | Microsoft Teams (client application viewing the meeting invitation Alternative Dial Instructions) |
| Teams Connector | ephemeral | Conferencing Node |
443 4277 |
TCP | Microsoft Teams signaling |
| Teams Connector | 50000-54999 | Conferencing Node | 40000–49999 |
UDP | Microsoft Teams SRTP/SRTCP |
| Conferencing Node | 33000–39999 |
Google Meet (hangouts.clients6.google.com and meetings.googleapis.com) |
443 | TCP (HTTPS) | Google Meet |
| Conferencing Node | 40000–49999 |
Google Meet | 19302–19309 | UDP | Google Meet SRTP/SRTCP |
| Conferencing Node | 33000–39999 |
Teams Connector load balancer Teams Connector instance |
443 | TCP (HTTPS) | Microsoft Teams
|
| Conferencing Node | 40000–49999 |
Teams Connector instance | 50000–54999 | UDP | Microsoft Teams SRTP/SRTCP |
|
Note also that:
|
|||||
Call signaling and media ports overview (inbound)
Call signaling and media ports details (inbound)