Pexip Infinity port usage and firewall guidance

The diagrams and tables below show the ports used when the Management Node and Conferencing Node connect to other devices.

Firewall, routing and NAT guidance

Note that in all Pexip Infinity deployment scenarios:

  • The Management Node must be able to reach all Conferencing Nodes (Proxying Edge Nodes and Transcoding Conferencing Nodes) and vice versa.
  • Each Conferencing Node must be able to reach every other Conferencing Node (Proxying Edge Nodes and Transcoding Conferencing Nodes), except:
    • If a location only contains Proxying Edge Nodes, then those proxying nodes in that location only require IPsec connectivity with:

      • any other proxying nodes in that location
      • all nodes in the transcoding location, and the primary and secondary overflow locations that are associated with that location
      • the Management Node.

      This means that the proxying nodes in one location do not need to have a direct network connection to other proxying nodes in other locations.

      (If the location does not have an associated transcoding location, primary or secondary overflow location defined, or if it contains a mix of proxying nodes and transcoding nodes, then those proxying nodes must be able to reach all other Conferencing Nodes.)

  • Any internal firewalls must be configured to allow UDP port 500 and traffic using IP protocol 50 (ESP) in both directions between all Pexip nodes.
  • There cannot be a NAT between any Pexip nodes.
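
The connectivity rules above, worked through as an added example (not Pexip code): it derives which node pairs need UDP 500 and ESP opened in both directions, applying the exception for locations that contain only Proxying Edge Nodes. The addresses, location names and the "linked" field (transcoding, primary overflow and secondary overflow locations) are constructed; it assumes a pair is dropped whenever either end is a restricted proxying node whose list excludes the other.

```python
from itertools import combinations

MGMT = "10.0.0.10"  # constructed Management Node address

# Constructed topology. "linked" holds the transcoding location and the
# primary/secondary overflow locations associated with each location.
LOCATIONS = {
    "oslo-edge":   {"nodes": {"10.1.0.11": "proxy", "10.1.0.12": "proxy"},
                    "linked": ["oslo-core", "bergen-core"]},
    "london-edge": {"nodes": {"10.2.0.11": "proxy"}, "linked": ["oslo-core"]},
    "oslo-core":   {"nodes": {"10.3.0.21": "transcode", "10.3.0.22": "transcode"},
                    "linked": []},
    "bergen-core": {"nodes": {"10.4.0.21": "transcode"}, "linked": []},
}

def allowed_peers(loc_name, locations):
    """Peers a node in loc_name needs, or None for 'every Conferencing Node'."""
    loc = locations[loc_name]
    proxy_only = set(loc["nodes"].values()) == {"proxy"}
    if not (proxy_only and loc["linked"]):
        return None  # mixed location, or no associated location: full mesh
    peers = set(loc["nodes"])          # other proxying nodes in this location
    for name in loc["linked"]:         # all nodes in the associated locations
        peers |= set(locations[name]["nodes"])
    return peers

def required_pairs(locations, mgmt):
    """Unordered node pairs that need IPsec connectivity."""
    home = {addr: name for name, loc in locations.items() for addr in loc["nodes"]}
    pairs = {frozenset((mgmt, addr)) for addr in home}  # Management Node <-> all
    for a, b in combinations(sorted(home), 2):
        needed = True
        for node, peer in ((a, b), (b, a)):
            peers = allowed_peers(home[node], locations)
            if peers is not None and peer not in peers:
                needed = False
        if needed:
            pairs.add(frozenset((a, b)))
    return pairs

def firewall_rules(pairs):
    """Vendor-neutral (src, dst, proto, sport, dport) tuples, both directions."""
    rules = []
    for pair in sorted(pairs, key=sorted):
        a, b = sorted(pair)
        for src, dst in ((a, b), (b, a)):
            rules.append((src, dst, "udp", 500, 500))    # ISAKMP
            rules.append((src, dst, "esp", None, None))  # IP protocol 50
    return rules
```

With this sample topology the result is 18 node pairs instead of the 21 a full mesh would need; the three omitted pairs are the edge-to-edge paths and the london-edge to bergen-core path.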

When a secondary network address is configured on a Conferencing Node:

  • The primary address is always used for inter-node communication to the Management Node and to other Conferencing Nodes.
  • SSH connections can be made only to the primary interface.
  • The secondary address is always used for signaling and media (to endpoints and other video devices).
  • Connections to DNS, SNMP, NTP, syslog and so on go out from whichever interface is appropriate, based on routing.
  • You can have a mixture of any number of single-interfaced and dual-interfaced Conferencing Nodes, providing all nodes can communicate with each other via their primary interfaces.

Management Node

Inbound

Protocol Source‑Port Dest‑Port Description Device
TCP <any> 22 SSH * SSH client
TCP <any> 80 HTTP * Web browser / API interface
TCP <any> 443 HTTPS Web browser / API interface
UDP <any> 161 SNMP ‡ SNMP server
UDP 500 500 ISAKMP (IPsec) Conferencing Node
ESP n/a n/a IPsec / IP Protocol 50 Conferencing Node

Outbound

Protocol Source‑Port Dest‑Port Description Device
TCP 55000–65535 21 + server’s FTP port range FTP / FTPS ‡ FTP server (for daily backup files)
TCP/UDP 55000–65535 53 DNS DNS server
TCP 55000–65535 389 / 636, 3268 / 3269 LDAP ‡ LDAP server, AD global catalog searches
TCP 55000–65535 443 HTTPS vCenter Server and any ESXi host on which Conferencing Nodes may be deployed
TCP 55000–65535 443 HTTPS Pexip Licensing server (pexip.flexnetoperations.com, 64.14.29.85)
TCP 55000–65535 443 HTTPS ‡ Incident reporting server (acr.pexip.com)
TCP 55000–65535 443 HTTPS ‡ Usage statistics (api.keen.io)
TCP <any> 443 HTTPS ‡ Exchange server (for VMR Scheduling for Exchange)
TCP 55000–65535 443 HTTPS ‡ Dynamic bursting to a cloud service provider (see AWS and Azure for more details)
TCP 55000–65535 587 SMTP ‡ SMTP server
UDP 123, 55000–65535 123 NTP NTP server
UDP <any> 161 † SNMP ‡ SNMP NMS
UDP 500 500 ISAKMP (IPsec) Conferencing Node
UDP † 55000–65535 514 † Syslog ‡ Syslog server
ESP n/a n/a IPsec / IP Protocol 50 Conferencing Node

* Only required if you want to allow administrative access via this port.

† Configurable by the administrator.

‡ Only applies if the relevant feature is configured.

Note also that the ephemeral port range (55000–65535) is subject to change.

Management Node inbound ports

Management Node outbound ports

Conferencing Nodes

These port usage rules apply to Proxying Edge Nodes and Transcoding Conferencing Nodes.

Inbound

Protocol Source‑Port Dest‑Port Description Device
TCP <any> 22 SSH * SSH client
TCP <any> 80 HTTP Web browser / API interface / Skype for Business / Lync system (for conference avatar)
TCP <any> 443 HTTPS Web browser / API interface / Infinity Connect mobile client
TCP <any> 443 HTTPS ‡ Outlook client/add-in (for VMR Scheduling for Exchange)
TCP <any> 443 HTTPS ‡ Teams Connector
TCP <any> 1720 H.323 (H.225 signaling) Endpoint / call control system
TCP <any> 5060 SIP Endpoint / call control system
UDP ‡ <any> 5060 SIP Endpoint / call control system
TCP <any> 5061 SIP/TLS Endpoint / call control system
TCP <any> 33000–39999 ** H.323 (Q.931/H.245 signaling) Endpoint / call control system
TCP/UDP <any> 40000–49999 ** RTP / RTCP / RDP / VbSS / DTLS / RTMP / STUN / TURN Endpoint / call control system / Skype for Business / Lync system / Infinity Connect ††
UDP 19302–19309 40000–49999 ** SRTP/SRTCP Google Hangouts Meet
UDP 50000–54999 40000–49999 ** SRTP/SRTCP Teams Connector
UDP <any> 161 SNMP ‡ SNMP server
UDP 500 500 ISAKMP (IPsec) Management Node / Conferencing Node
UDP <any> 1719 H.323 (RAS signaling) Endpoint / call control system
ESP n/a n/a IPsec / IP Protocol 50 Management Node / Conferencing Node

Outbound

Protocol Source‑Port Dest‑Port Description Device
TCP/UDP 55000–65535 53 DNS DNS server
TCP 55000–65535 443 HTTPS ‡ Incident reporting server (acr.pexip.com)
TCP 55000–65535 443 HTTPS ‡ AD FS server (SSO)
TCP 33000–39999 ** 443 HTTPS ‡ Google Hangouts Meet
TCP 33000–39999 ** 443 HTTPS ‡ Teams Connector
TCP 33000–39999 ** 1720 H.323 (H.225 signaling) Endpoint / call control system
TCP/UDP 33000–39999 ** 5060 SIP Endpoint / call control system
TCP 33000–39999 ** 5061 SIP/TLS Endpoint / call control system
TCP 33000–39999 ** <any> H.323 (Q.931/H.245 signaling) Endpoint / call control system
TCP/UDP 40000–49999 ** <any> RTP / RTCP / RDP / VbSS / DTLS / RTMP / STUN / TURN Endpoint / call control system / Skype for Business / Lync system / Infinity Connect ††
TCP 40000–49999 ** 1935 RTMP RTMP streaming server
UDP 40000–49999 ** 19302–19309 SRTP/SRTCP Google Hangouts Meet
UDP 40000–49999 ** 50000–54999 SRTP/SRTCP Teams Connector
TCP (TLS) 55000–65535 443 / 8057 ‡‡ PSOM (PowerPoint presentation from SfB/Lync) SfB/Lync Web Conferencing service
TCP (TLS) 55000–65535 443 HTTPS (PowerPoint presentation from SfB/Lync) SfB/Lync Front End Server or Edge Server and WAC/OWA/OOS server
UDP 123, 55000–65535 123 NTP NTP server
UDP <any> 161 † SNMP ‡ SNMP NMS
UDP 500 500 ISAKMP (IPsec) Management Node / Conferencing Node
UDP † 55000–65535 514 † Syslog ‡ Syslog server
UDP 33000–39999 ** 1719 H.323 (RAS signaling) Endpoint / Call control system
UDP 40000–49999 ** 3478 † STUN / TURN STUN / TURN server
ESP n/a n/a IPsec / IP Protocol 50 Management Node / Conferencing Node

* Only required if you want to allow administrative access via this port.

† Configurable by the administrator.

** Configurable via the Media port range start/end and Signaling port range start/end options (see About global settings).

†† Infinity Connect web, mobile and desktop (installable) clients

‡ Only applies if the relevant feature is configured.

‡‡ Typically 443 for Web Conferencing Edge and 8057 for a SfB/Lync Front End Server / FEP.

Note also that:

  • ICE calls allocate 4 ports per media line/stream.
  • The ephemeral port range (55000–65535) is subject to change.

Conferencing Node inbound ports

Conferencing Node outbound ports