Pexip Infinity port usage and firewall guidance

The diagrams and tables below show the ports used when the Management Node and Conferencing Nodes connect to other devices.

Firewall, routing and NAT guidance

Note that in all Pexip Infinity deployment scenarios:

• The Management Node must be able to reach all Conferencing Nodes (Proxying Edge Nodes and Transcoding Conferencing Nodes) and vice versa.
• Each Conferencing Node must be able to reach every other Conferencing Node (Proxying Edge Nodes and Transcoding Conferencing Nodes), except:

  • When a location contains Proxying Edge Nodes, those nodes only require IPsec connectivity with:

    • any other proxying nodes in that location
    • all nodes in the transcoding location, and the primary and secondary overflow locations that are associated with that location
    • the Management Node.

    This means that the proxying nodes in one location do not need to have a direct network connection to other proxying nodes in other locations.

• Any internal firewalls must be configured to allow UDP port 500 and traffic using IP protocol 50 (ESP) in both directions between all Pexip nodes.
• There cannot be a NAT between any Pexip nodes.

When a secondary network address is configured on a Conferencing Node:

• The primary address is always used for inter-node communication to the Management Node and to other Conferencing Nodes.
• SSH connections can be made only to the primary interface.
• The secondary address is always used for signaling and media (to endpoints and other video devices).
• Connections to DNS, SNMP, NTP, syslog and so on, go out from whichever interface is appropriate, based on routing.
• You can have a mixture of any number of single-interfaced and dual-interfaced Conferencing Nodes, providing all nodes can communicate with each other via their primary interfaces.

Inter-node communication (Conferencing Nodes and Management Node)

These are the port usage rules for all inter-node communication (local and remote) — between Conferencing Nodes, and between the Management Node and Conferencing Nodes:

Source address	Source port	Destination address	Dest. port	Protocol	Notes
Management Node	500	Conferencing Node	500	UDP	ISAKMP (IPsec) inter-node communication
Management Node	n/a	Conferencing Node	n/a	ESP	IPsec / IP Protocol 50 inter-node communication
Conferencing Node	500	Management Node / Conferencing Node	500	UDP	ISAKMP (IPsec) inter-node communication
Conferencing Node	n/a	Management Node / Conferencing Node	n/a	ESP	IPsec / IP Protocol 50 inter-node communication

Port requirements for inter-node communication

Administration access

These are the port usage rules for administrative access to the Management Node and Conferencing Nodes:

Source address	Source port	Destination address	Dest. port	Protocol	Notes
SSH client	<any>	Management Node / Conferencing Node	22	TCP	SSH * Only required if you want to allow administrative access via this port.
Web browser / API workstation	<any>	Management Node	80* Only required if you want to allow administrative access via this port./443	TCP (HTTP/HTTPS)	Management web and API administration
Web browser / API workstation	<any>	Conferencing Node	8443	TCP (HTTPS)	Provisioning a Conferencing Node (primarily for Azure/GCP/AWS deployments)
* Only required if you want to allow administrative access via this port.

Port requirements for administrative access

Peripheral services

These are the port usage rules for the mandatory and optional peripheral services used by the Management Node and Conferencing Nodes:

Source address	Source port	Destination address	Dest. port	Protocol	Notes
Standard features
Management Node / Conferencing Node	55000–65535	DNS server	53	TCP/UDP	DNS
Management Node / Conferencing Node	123, 55000–65535	NTP server	123	UDP	NTP
Management Node	55000–65535	Pexip Licensing server (activation.pexip.com ◊ Does not apply if a web proxy has been configured.)	443	TCP(HTTPS)	Platform licensing requests
Additional features (ports only required if the relevant feature is configured)
SNMP server	<any>	Management Node / Conferencing Node	161	UDP	SNMP
Outlook client/add-in	<any>	Conferencing Node	443	TCP (HTTPS)	Secure Scheduler for Exchange
Management Node	55000–65535	FTP server	21 + server’s FTP port range	TCP	FTP server for daily backup files
Management Node	55000–65535	LDAP server	389 / 636 3268 / 3269	TCP	LDAP / LDAPS AD global catalog searches
Management Node / Conferencing Node	55000–65535	Web proxy	8080 † Configurable by the administrator.	TCP	HTTP web proxy
Management Node / Conferencing Node	55000–65535	Incident reporting server (acr.pexip.com)	443	TCP (HTTPS)	Incident reporting ◊ Does not apply if a web proxy has been configured.
Management Node	55000–65535	Usage statistics server (api.keen.io)	443	TCP (HTTPS)	Usage statistics ◊ Does not apply if a web proxy has been configured.
Management Node	<any>	Exchange server	443	TCP (HTTPS)	Secure Scheduler for Exchange
Management Node	55000–65535	Cloud service	443	TCP (HTTPS)	Dynamic bursting to a cloud service provider (see AWS, Azure or GCP for more details) ◊ Does not apply if a web proxy has been configured.
Management Node	ephemeral	Teams Connector Azure Event Hub	5671	AMQPS	Only required if the Azure Event Hub is enabled for advanced status reporting in a Microsoft Teams integration * See "Firewall ports for the Teams Connector and NSG rules" for full details (click the link at the foot of this table).
Management Node	55000–65535	SMTP server	587	TCP	SMTP (provisioning emails)
Management Node / Conferencing Node	<any>	SNMP NMS	161 † Configurable by the administrator.	UDP	SNMP Network Management System (NMS)
Management Node / Conferencing Node	55000–65535	Syslog server	514 † Configurable by the administrator.	UDP † Configurable by the administrator.	Syslog
Management Node / Conferencing Node	55000–65535	OIDC server	443	TCP (HTTPS)	Single Sign-On (SSO) with OpenID Connect ◊ Does not apply if a web proxy has been configured.
Conferencing Node	55000–65535	AD FS server	443	TCP (HTTPS)	Single Sign-On (SSO) with AD FS
Conferencing Node	55000–65535	Event sink server	80/443	TCP (HTTP/HTTPS)	Event sink
Conferencing Node	55000–65535	Epic server	443	TCP (HTTPS)	Epic telehealth REST API requests ◊ Does not apply if a web proxy has been configured.
Conferencing Node	55000–65535	External policy server	443	TCP (HTTPS)	External policy server REST API requests
Conferencing Node	<any>	AI Media Server (AIMS)	443	TCP (HTTPS)	Live captions service
Management Node	55000–65535	OAuth token endpoint for Exchange integrations connecting to O365 using OAuth for the service account: login.microsoftonline.com for Google Workspace domain user authorization: oauth2.googleapis.com/token for Webex-registered endpoints: webexapis.com	443 † Configurable by the administrator.	TCP (HTTPS)	One-Touch Join ◊ Does not apply if a web proxy has been configured.
Conferencing Node	55000–65535	OAuth token endpoint for Exchange integrations connecting to O365, or O365 Graph integrations: login.microsoftonline.com for Google Workspace service account authorization: googleapis.com/oauth2/v4/token for Google Workspace domain user authorization: oauth2.googleapis.com/token for Webex-registered endpoints: webexapis.com	443 † Configurable by the administrator.	TCP (HTTPS)	One-Touch Join ◊ Does not apply if a web proxy has been configured.
Conferencing Node	55000–65535	graph.microsoft.com (for O365 Graph Integrations) ◊ Does not apply if a web proxy has been configured.	443 † Configurable by the administrator.	TCP (HTTPS)	One-Touch Join ◊ Does not apply if a web proxy has been configured.
Conferencing Node	55000–65535	Exchange on-premises or Office 365 (for Exchange Integrations or O365 EWS Integrations)	80/443 † Configurable by the administrator.‡ Determined by Exchange.	TCP (HTTP/HTTPS)	One-Touch Join ◊ Does not apply if a web proxy has been configured.
Conferencing Node	55000–65535	googleapis.com (for Google Workspace Integrations) ◊ Does not apply if a web proxy has been configured.	443	TCP (HTTPS)	One-Touch Join ◊ Does not apply if a web proxy has been configured.
Conferencing Node	55000–65535	Cisco endpoint API	80/443 † Configurable by the administrator.	TCP (HTTP/HTTPS)	One-Touch Join ◊ Does not apply if a web proxy has been configured.
Conferencing Node	55000–65535	Cisco Webex cloud (webexapis.com)	443 † Configurable by the administrator.	TCP (HTTPS)	One-Touch Join ◊ Does not apply if a web proxy has been configured.
Poly endpoint	<any>	Conferencing Node	443	TCP (HTTPS)	One-Touch Join
Cisco endpoint	<any>	Conferencing Node	443	TCP (HTTPS)	Meeting Controls macro
† Configurable by the administrator. * See Firewall ports for the Teams Connector and NSG rules for full details. ‡ Determined by Exchange. ◊ Does not apply if a web proxy has been configured. Note also that the ephemeral port range (55000–65535) is subject to change. Firewall connectivity to pexip.flexnetoperations.com is no longer required since 1 January 2022.

Port requirements for peripheral services (only the most commonly-used services are shown)

Conferencing Node call signaling and media

These port usage rules for call signaling and media apply to Proxying Edge Nodes and Transcoding Conferencing Nodes:

Source address	Source port	Destination address	Dest. port	Protocol	Notes
Standard call signaling and media
Endpoint	<any>	Conferencing Node	80	TCP (HTTP)	Redirects to HTTPS for web/API access, and for Skype for Business conference avatars (if SfB is in use)
Endpoint	<any>	Conferencing Node	443	TCP (HTTPS)	Web browser/ API interface / Connect mobile app
Endpoint / call control system	<any>	Conferencing Node	1719	UDP	H.323 (RAS signaling)
Endpoint / call control system	<any>	Conferencing Node	1720	TCP	H.323 (H.225/Q.931 signaling)
Endpoint / call control system	<any>	Conferencing Node	33000–39999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	TCP	H.323 (H.245 signaling)
Endpoint / call control system	<any>	Conferencing Node	5060	TCP	SIP
Endpoint / call control system	<any>	Conferencing Node	5061	TCP	SIP/TLS
Endpoint / call control system	<any>	Conferencing Node	40000–49999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	TCP/UDP	Endpoint / call control system / Skype for Business / Lync system / Pexip app†† Pexip app web, mobile and desktop (installable) clients. RTP / RTCP / RDP / VbSS / DTLS / STUN / TURN
Conferencing Node	33000–39999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	Endpoint / call control system	1719	UDP	H.323 (RAS signaling)
Conferencing Node	33000–39999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	Endpoint / call control system	1720 / <any>	TCP	H.323 (H.225/Q.931 signaling) (to <any> if the device is registered to Pexip Infinity)
Conferencing Node	33000–39999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	Endpoint / call control system	<any>	TCP	H.323 (H.245 signaling)
Conferencing Node	33000–39999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	Endpoint / call control system	5060	TCP/UDP	SIP
Conferencing Node	33000–39999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	Endpoint / call control system	5061	TCP	SIP/TLS
Conferencing Node	40000–49999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	Endpoint / call control system	<any>	TCP/UDP	RTP / RTCP / RDP / VbSS / DTLS / STUN / TURN Endpoint / call control system / Skype for Business / Lync system / Pexip app†† Pexip app web, mobile and desktop (installable) clients.
Conferencing Node	40000–49999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	STUN / TURN server	3478 † Configurable by the administrator.	UDP	STUN / TURN
Conferencing Node	40000–49999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	RTMP streaming server	1935	TCP	RTMP streaming
Conferencing Node	55000–65535	SfB/Lync Web Conferencing service	443 / 8057 ‡‡ Typically 443 for Web Conferencing Edge and 8057 for a SfB/Lync Front End Server / FEP.	TCP (TLS)	PSOM (PowerPoint presentation from SfB/Lync)
Conferencing Node	55000–65535	SfB/Lync Front End Server or Edge Server and WAC/OWA/OOS server	443	TCP (TLS/HTTPS)	PowerPoint presentation from SfB/Lync
Additional features (ports only required if the relevant feature is configured)
Endpoint / call control system	<any>	Conferencing Node	5060	UDP	SIP UDP
Google Meet ‡ See https://support.google.com/a/answer/1279090 for the actual IP ranges that need to be allowed (see the bottom of the table for a clickable hyperlink).	19302–19309	Conferencing Node	40000–49999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	UDP	Google Meet SRTP/SRTCP
Client application	<any>	Conferencing Node	443	TCP (HTTPS)	Microsoft Teams (client application viewing the meeting invitation Alternative Dial Instructions) * See "Firewall ports for the Teams Connector and NSG rules" for full details (click the link at the foot of this table).
Teams Connector	ephemeral	Conferencing Node	443 4277	TCP	Microsoft Teams signaling * See "Firewall ports for the Teams Connector and NSG rules" for full details (click the link at the foot of this table).
Teams Connector	50000-54999	Conferencing Node	40000–49999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	UDP	Microsoft Teams SRTP/SRTCP * See "Firewall ports for the Teams Connector and NSG rules" for full details (click the link at the foot of this table).
Conferencing Node	33000–39999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	Google Meet (hangouts.clients6.google.com and meetings.googleapis.com)	443	TCP (HTTPS)	Google Meet
Conferencing Node	40000–49999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	Google Meet	19302–19309	UDP	Google Meet SRTP/SRTCP
Conferencing Node	33000–39999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	Teams Connector load balancer Teams Connector instance	443	TCP (HTTPS)	Microsoft Teams * See "Firewall ports for the Teams Connector and NSG rules" for full details (click the link at the foot of this table).
Conferencing Node	40000–49999 ** Configurable via the Media port range start/end, and Signaling port range start/end options.	Teams Connector instance	50000–54999	UDP	Microsoft Teams SRTP/SRTCP * See "Firewall ports for the Teams Connector and NSG rules" for full details (click the link at the foot of this table).
† Configurable by the administrator. * See Firewall ports for the Teams Connector and NSG rules for full details. ** Configurable via the Media port range start/end, and Signaling port range start/end options (see About global settings) . †† Pexip app web, mobile and desktop (installable) clients. ‡ See https://support.google.com/a/answer/1279090 for the actual IP ranges that need to be allowed. ‡‡ Typically 443 for Web Conferencing Edge and 8057 for a SfB/Lync Front End Server / FEP. Note also that: ICE calls allocate 4 ports per media line/stream. The ephemeral port range (55000–65535) is subject to change.