Pexip Infinity port usage and firewall guidance

The diagrams and tables below show the ports used when the Management Node and Conferencing Node connect to other devices.

Firewall, routing and NAT guidance

Note that in all Pexip Infinity deployment scenarios:

  • The Management Node must be able to reach all Conferencing Nodes (Proxying Edge Nodes and Transcoding Conferencing Nodes) and vice versa.
  • Each Conferencing Node must be able to reach every other Conferencing Node (Proxying Edge Nodes and Transcoding Conferencing Nodes), except:
    • If a location only contains Proxying Edge Nodes, then those proxying nodes in that location only require IPsec connectivity with:

      • any other proxying nodes in that location
      • all nodes in the transcoding location, and the primary and secondary overflow locations that are associated with that location
      • the Management Node.

      This means that the proxying nodes in one location do not need to have a direct network connection to other proxying nodes in other locations.

      (If the location does not have an associated transcoding location, primary or secondary overflow location defined, or if it contains a mix of proxying nodes and transcoding nodes, then those proxying nodes must be able to reach all other Conferencing Nodes.)

  • Any internal firewalls must be configured to allow UDP port 500 and traffic using IP protocol 50 (ESP) in both directions between all Pexip nodes.
  • There cannot be a NAT between any Pexip nodes.
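The reachability rules above can be turned into a required-connectivity list before writing firewall policy. The following is an added example, not Pexip code: it computes which node pairs need IPsec (UDP 500 and ESP in both directions), including the exception for locations that contain only Proxying Edge Nodes. The location names, addresses and the `assoc` field are constructed, and two readings of the guidance are assumed: the exception applies when at least one associated location is defined, and a pair is dropped when either end is a restricted proxying node whose list excludes the other.

```python
from itertools import combinations

# Constructed sample deployment (addresses from a documentation range).
MGMT = "192.0.2.10"
LOCATIONS = {
    # name: nodes {ip: role} plus associated transcoding/overflow locations
    "edge-oslo":   {"nodes": {"192.0.2.21": "proxy", "192.0.2.22": "proxy"},
                    "assoc": ["core-oslo", "core-london"]},
    "edge-london": {"nodes": {"192.0.2.31": "proxy"}, "assoc": ["core-london"]},
    "core-oslo":   {"nodes": {"192.0.2.41": "transcoding"}, "assoc": []},
    "core-london": {"nodes": {"192.0.2.51": "transcoding"}, "assoc": []},
    # Proxy-only but no associated locations: the exception does not apply.
    "edge-lab":    {"nodes": {"192.0.2.61": "proxy"}, "assoc": []},
}

def allowed_peers(loc_name, locations):
    """Restricted peer set for nodes in loc_name, or None if they need full mesh."""
    loc = locations[loc_name]
    proxy_only = all(role == "proxy" for role in loc["nodes"].values())
    # Assumption: the exception needs at least one associated location defined.
    if not (proxy_only and loc["assoc"]):
        return None
    peers = set(loc["nodes"])
    for name in loc["assoc"]:
        peers |= set(locations[name]["nodes"])
    return peers

def required_pairs(mgmt, locations):
    """Node pairs that need IPsec connectivity in both directions."""
    home = {ip: name for name, loc in locations.items() for ip in loc["nodes"]}
    limits = {name: allowed_peers(name, locations) for name in locations}
    pairs = {frozenset((mgmt, ip)) for ip in home}  # Management Node <-> every node
    for a, b in combinations(sorted(home), 2):
        la, lb = limits[home[a]], limits[home[b]]
        # Drop the pair if either end is a restricted proxy whose list excludes the other.
        if (la is None or b in la) and (lb is None or a in lb):
            pairs.add(frozenset((a, b)))
    return pairs

def ipsec_rules(pairs):
    """Expand each pair into UDP 500 and ESP (IP protocol 50) allows, both directions."""
    rules = set()
    for pair in pairs:
        a, b = sorted(pair)
        for src, dst in ((a, b), (b, a)):
            rules.add((src, dst, "udp", 500))
            rules.add((src, dst, "esp", None))
    return sorted(rules, key=str)
```

The output of `ipsec_rules` is a vendor-neutral list of (source, destination, protocol, port) tuples to translate into the firewall's own rule syntax; none of these paths may traverse a NAT.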

When a secondary network address is configured on a Conferencing Node:

  • The primary address is always used for inter-node communication to the Management Node and to other Conferencing Nodes.
  • SSH connections can be made only to the primary interface.
  • The secondary address is always used for signaling and media (to endpoints and other video devices).
  • Connections to DNS, SNMP, NTP, syslog and so on go out from whichever interface is appropriate, based on routing.
  • You can have a mixture of any number of single-interfaced and dual-interfaced Conferencing Nodes, providing all nodes can communicate with each other via their primary interfaces.

Management Node

Inbound

| Protocol | Source-Port | Dest-Port | Description | Device |
|---|---|---|---|---|
| TCP | <any> | 22 | SSH * | SSH client |
| TCP | <any> | 80 | HTTP * | Web browser / API interface |
| TCP | <any> | 443 | HTTPS | Web browser / API interface |
| UDP | <any> | 161 | SNMP | SNMP server ‡ |
| UDP | 500 | 500 | ISAKMP (IPsec) | Conferencing Node |
| ESP | n/a | n/a | IPsec / IP Protocol 50 | Conferencing Node |

Outbound

| Protocol | Source-Port | Dest-Port | Description | Device |
|---|---|---|---|---|
| TCP | 55000–65535 | 21 + server’s FTP port range | FTP / FTPS | FTP server (for daily backup files) ‡ |
| TCP/UDP | 55000–65535 | 53 | DNS | DNS server |
| TCP | 55000–65535 | 389 / 636 | LDAP | LDAP server ‡ |
| TCP | 55000–65535 | 3268 / 3269 | LDAP | AD global catalog searches ‡ |
| TCP | 55000–65535 | 443 | HTTPS | vCenter Server and any ESXi host on which Conferencing Nodes may be deployed |
| TCP | 55000–65535 | 443 | HTTPS | Pexip Licensing server (pexip.flexnetoperations.com or activation.pexip.com) |
| TCP | 55000–65535 | 443 | HTTPS | Incident reporting server (acr.pexip.com) ‡ |
| TCP | 55000–65535 | 443 | HTTPS | Usage statistics (api.keen.io) ‡ |
| TCP | <any> | 443 | HTTPS | Exchange server (for VMR Scheduling for Exchange) ‡ |
| TCP | 55000–65535 | 443 | HTTPS | Dynamic bursting to a cloud service provider (see AWS, Azure or GCP for more details) ‡ |
| TCP | 55000–65535 | 587 | SMTP | SMTP server ‡ |
| UDP | 123, 55000–65535 | 123 | NTP | NTP server |
| UDP | <any> | 161 † | SNMP | SNMP NMS ‡ |
| UDP | 500 | 500 | ISAKMP (IPsec) | Conferencing Node |
| UDP † | 55000–65535 | 514 † | Syslog | Syslog server ‡ |
| ESP | n/a | n/a | IPsec / IP Protocol 50 | Conferencing Node |

* Only required if you want to allow administrative access via this port.

† Configurable by the administrator.

‡ Only applies if the relevant feature is configured.

Note also that the ephemeral port range (55000–65535) is subject to change.

[Diagram: Management Node inbound ports]

[Diagram: Management Node outbound ports]

Conferencing Nodes

These port usage rules apply to Proxying Edge Nodes and Transcoding Conferencing Nodes.

Inbound

| Protocol | Source-Port | Dest-Port | Description | Device |
|---|---|---|---|---|
| TCP | <any> | 22 | SSH * | SSH client |
| TCP | <any> | 80 | HTTP | Web browser / API interface / Skype for Business / Lync system (for conference avatar) |
| TCP | <any> | 443 | HTTPS | Web browser / API interface / Infinity Connect mobile client |
| TCP | <any> | 443 | HTTPS | Outlook client/add-in (for VMR Scheduling for Exchange) ‡ |
| TCP | <any> | 443 | HTTPS | Teams Connector / access to Alternative Dial Instructions ‡ |
| TCP | <any> | 1720 | H.323 (H.225 signaling) | Endpoint / call control system |
| TCP | <any> | 5060 | SIP | Endpoint / call control system |
| UDP ‡ | <any> | 5060 | SIP | Endpoint / call control system |
| TCP | <any> | 5061 | SIP/TLS | Endpoint / call control system |
| TCP | <any> | 33000–39999 ** | H.323 (Q.931/H.245 signaling) | Endpoint / call control system |
| TCP/UDP | <any> | 40000–49999 ** | RTP / RTCP / RDP / VbSS / DTLS / RTMP / STUN / TURN | Endpoint / call control system / Skype for Business / Lync system / Infinity Connect †† |
| UDP | 19302–19309 | 40000–49999 ** | SRTP/SRTCP | Google Hangouts Meet |
| UDP | 50000–54999 | 40000–49999 ** | SRTP/SRTCP | Teams Connector |
| UDP | <any> | 161 | SNMP | SNMP server ‡ |
| UDP | 500 | 500 | ISAKMP (IPsec) | Management Node / Conferencing Node |
| UDP | <any> | 1719 | H.323 (RAS signaling) | Endpoint / call control system |
| ESP | n/a | n/a | IPsec / IP Protocol 50 | Management Node / Conferencing Node |

Outbound

| Protocol | Source-Port | Dest-Port | Description | Device |
|---|---|---|---|---|
| TCP/UDP | 55000–65535 | 53 | DNS | DNS server |
| TCP | 55000–65535 | 80 | HTTP | Event sink server ‡ |
| TCP | 55000–65535 | 443 | HTTPS | Event sink server ‡ |
| TCP | 55000–65535 | 443 | HTTPS | Incident reporting server (acr.pexip.com) ‡ |
| TCP | 55000–65535 | 443 | HTTPS | AD FS server (SSO) ‡ |
| TCP | 33000–39999 ** | 443 | HTTPS | Google Hangouts Meet ‡ |
| TCP | 33000–39999 ** | 443 | HTTPS | Teams Connector ‡ |
| TCP | 33000–39999 ** | 1720 | H.323 (H.225 signaling) | Endpoint / call control system |
| TCP/UDP | 33000–39999 ** | 5060 | SIP | Endpoint / call control system |
| TCP | 33000–39999 ** | 5061 | SIP/TLS | Endpoint / call control system |
| TCP | 33000–39999 ** | <any> | H.323 (Q.931/H.245 signaling) | Endpoint / call control system |
| TCP/UDP | 40000–49999 ** | <any> | RTP / RTCP / RDP / VbSS / DTLS / RTMP / STUN / TURN | Endpoint / call control system / Skype for Business / Lync system / Infinity Connect †† |
| TCP | 40000–49999 ** | 1935 | RTMP | RTMP streaming server |
| UDP | 40000–49999 ** | 19302–19309 | SRTP/SRTCP | Google Hangouts Meet |
| UDP | 40000–49999 ** | 50000–54999 | SRTP/SRTCP | Teams Connector |
| TCP (TLS) | 55000–65535 | 443 / 8057 ‡‡ | PSOM (PowerPoint presentation from SfB/Lync) | SfB/Lync Web Conferencing service |
| TCP (TLS) | 55000–65535 | 443 | HTTPS (PowerPoint presentation from SfB/Lync) | SfB/Lync Front End Server or Edge Server and WAC/OWA/OOS server |
| UDP | 123, 55000–65535 | 123 | NTP | NTP server |
| UDP | <any> | 161 † | SNMP | SNMP NMS ‡ |
| UDP | 500 | 500 | ISAKMP (IPsec) | Management Node / Conferencing Node |
| UDP † | 55000–65535 | 514 † | Syslog | Syslog server ‡ |
| UDP | 33000–39999 ** | 1719 | H.323 (RAS signaling) | Endpoint / call control system |
| UDP | 40000–49999 ** | 3478 † | STUN / TURN | STUN / TURN server |
| ESP | n/a | n/a | IPsec / IP Protocol 50 | Management Node / Conferencing Node |

* Only required if you want to allow administrative access via this port.

† Configurable by the administrator.

** Configurable via the Media port range start/end, and Signaling port range start/end options (see About global settings).

†† Infinity Connect web, mobile and desktop (installable) clients.

‡ Only applies if the relevant feature is configured.

‡‡ Typically 443 for Web Conferencing Edge and 8057 for a SfB/Lync Front End Server / FEP.

Note also that:

  • ICE calls allocate 4 ports per media line/stream.
  • The ephemeral port range (55000–65535) is subject to change.

[Diagram: Conferencing Node inbound ports]

[Diagram: Conferencing Node outbound ports]