Pexip Infinity port usage and firewall guidance

The diagrams and tables below show the ports used when the Management Node and Conferencing Nodes connect to other devices.

Firewall, routing and NAT guidance

Note that in all Pexip Infinity deployment scenarios:

  • The Management Node must be able to reach all Conferencing Nodes (Proxying Edge Nodes and Transcoding Conferencing Nodes) and vice versa.
  • Each Conferencing Node must be able to reach every other Conferencing Node (Proxying Edge Nodes and Transcoding Conferencing Nodes), except:
    • When a location contains Proxying Edge Nodes, those nodes only require IPsec connectivity with:

      • any other proxying nodes in that location
      • all nodes in the transcoding location, and the primary and secondary overflow locations that are associated with that location
      • the Management Node.

      This means that the proxying nodes in one location do not need to have a direct network connection to other proxying nodes in other locations.

  • Any internal firewalls must be configured to allow UDP port 500 and traffic using IP protocol 50 (ESP) in both directions between all Pexip nodes.
  • There cannot be a NAT between any Pexip nodes.

When a secondary network address is configured on a Conferencing Node:

  • The primary address is always used for inter-node communication to the Management Node and to other Conferencing Nodes.
  • SSH connections can be made only to the primary interface.
  • The secondary address is always used for signaling and media (to endpoints and other video devices).
  • Connections to DNS, SNMP, NTP, syslog and so on, go out from whichever interface is appropriate, based on routing.
  • You can have a mixture of any number of single-interfaced and dual-interfaced Conferencing Nodes, providing all nodes can communicate with each other via their primary interfaces.

Inter-node communication (Conferencing Nodes and Management Node)

These are the port usage rules for all inter-node communication (local and remote) — between Conferencing Nodes, and between the Management Node and Conferencing Nodes:

Source address Source port Destination address Dest. port Protocol Notes
Management Node 500 Conferencing Node 500 UDP ISAKMP (IPsec) inter-node communication
Management Node n/a Conferencing Node n/a ESP IPsec / IP Protocol 50 inter-node communication
Conferencing Node 500 Management Node / Conferencing Node 500 UDP ISAKMP (IPsec) inter-node communication
Conferencing Node n/a Management Node / Conferencing Node n/a ESP IPsec / IP Protocol 50 inter-node communication

Port requirements for inter-node communication

Administration access

These are the port usage rules for administrative access to the Management Node and Conferencing Nodes:

Source address Source port Destination address Dest. port Protocol Notes
SSH client <any> Management Node / Conferencing Node 22 TCP SSH *
Web browser / API workstation <any> Management Node 80*/443 TCP (HTTP/HTTPS) Management web and API administration
Web browser / API workstation <any> Conferencing Node 8443 TCP (HTTPS) Provisioning a Conferencing Node
(primarily for Azure/GCP/AWS deployments)

* Only required if you want to allow administrative access via this port.

Port requirements for administrative access

Peripheral services

These are the port usage rules for the mandatory and optional peripheral services used by the Management Node and Conferencing Nodes:

Source address Source port Destination address Dest. port Protocol Notes
Standard features
Management Node / Conferencing Node 55000–65535 DNS server 53 TCP/UDP DNS
Management Node / Conferencing Node 123, 55000–65535 NTP server 123 UDP NTP
Management Node 55000–65535 Pexip Licensing server (activation.pexip.com ) 443 TCP(HTTPS) Platform licensing requests
Additional features (ports only required if the relevant feature is configured)
SNMP server <any> Management Node / Conferencing Node 161 UDP SNMP
Outlook client/add-in <any> Conferencing Node 443 TCP (HTTPS) VMR Scheduling for Exchange
Management Node 55000–65535 FTP server 21 + server’s FTP port range TCP FTP server for daily backup files
Management Node 55000–65535 LDAP server

389 / 636

3268 / 3269

TCP

LDAP

AD global catalog searches

Management Node / Conferencing Node 55000–65535 Web proxy 8080 TCP HTTP web proxy
Management Node / Conferencing Node 55000–65535 Incident reporting server (acr.pexip.com) 443 TCP (HTTPS) Incident reporting
Management Node 55000–65535 Usage statistics server (api.keen.io) 443 TCP (HTTPS) Usage statistics
Management Node <any> Exchange server 443 TCP (HTTPS) VMR Scheduling for Exchange
Management Node 55000–65535 Cloud service 443 TCP (HTTPS) Dynamic bursting to a cloud service provider (see AWS, Azure or GCP for more details)
Management Node ephemeral Teams Connector Azure Event Hub 5671 AMQPS Only required if the Azure Event Hub is enabled for advanced status reporting in a Microsoft Teams integration
Management Node 55000–65535 SMTP server 587 TCP SMTP (provisioning emails)
Management Node / Conferencing Node <any> SNMP NMS 161 UDP SNMP Network Management System (NMS)
Management Node / Conferencing Node 55000–65535 Syslog server 514 UDP Syslog
Conferencing Node 55000–65535 Event sink server 80/443 TCP (HTTP/HTTPS) Event sink
Conferencing Node 55000–65535 AD FS server 443 TCP (HTTPS) Single Sign-On (SSO) with AD FS
Conferencing Node 55000–65535 OIDC server 443 TCP (HTTPS) Single Sign-On (SSO) with OpenID Connect
Conferencing Node 55000–65535 Epic server 443 TCP (HTTPS) Epic telehealth REST API requests
Management Node 55000–65535

OAuth token endpoint

  • for Exchange integrations connecting to O365 using OAuth for the service account: login.microsoftonline.com
  • for Google Workspace domain user authorization: oauth2.googleapis.com/token
  • for Webex-registered endpoints: webexapis.com

443

TCP (HTTPS) One-Touch Join
Conferencing Node 55000–65535

OAuth token endpoint

  • for Exchange integrations connecting to O365, or O365 Graph integrations: login.microsoftonline.com
  • for Google Workspace service account authorization: googleapis.com/oauth2/v4/token
  • for Google Workspace domain user authorization: oauth2.googleapis.com/token
  • for Webex-registered endpoints: webexapis.com

443

TCP (HTTPS) One-Touch Join
Conferencing Node 55000–65535 graph.microsoft.com (for O365 Graph Integrations) 443 TCP (HTTPS) One-Touch Join
Conferencing Node 55000–65535 Exchange on-premises or Office 365 (for Exchange Integrations or O365 EWS Integrations) 80/443 TCP (HTTP/HTTPS) One-Touch Join
Conferencing Node 55000–65535 googleapis.com (for Google Workspace Integrations) 443 TCP (HTTPS) One-Touch Join
Conferencing Node 55000–65535 Cisco endpoint API 80/443 TCP (HTTP/HTTPS) One-Touch Join
Conferencing Node 55000–65535 Cisco Webex cloud (webexapis.com) 443 TCP (HTTPS) One-Touch Join
Poly endpoint <any> Conferencing Node 443 TCP (HTTPS) One-Touch Join
Cisco endpoint <any> Conferencing Node 443 TCP (HTTPS) Meeting Controls macro

† Configurable by the administrator.

‡ Determined by Exchange.

◊ Does not apply if a web proxy has been configured.

Note also that the ephemeral port range (55000–65535) is subject to change.

Firewall connectivity to pexip.flexnetoperations.com is no longer required since 1 January 2022.

Port requirements for peripheral services (only the most commonly-used services are shown)

Conferencing Node call signaling and media

These port usage rules for call signaling and media apply to Proxying Edge Nodes and Transcoding Conferencing Nodes:

Source address Source port Destination address Dest. port Protocol Notes
Standard call signaling and media
Endpoint <any> Conferencing Node 80 TCP (HTTP) Redirects to HTTPS for web/API access, and for Skype for Business conference avatars (if SfB is in use)
Endpoint <any> Conferencing Node 443 TCP (HTTPS) Web browser/ API interface / Connect mobile app
Endpoint / call control system <any> Conferencing Node 1719 UDP H.323 (RAS signaling)
Endpoint / call control system <any> Conferencing Node 1720 TCP H.323 (H.225/Q.931 signaling)
Endpoint / call control system <any> Conferencing Node 33000–39999 ** TCP H.323 (H.245 signaling)
Endpoint / call control system <any> Conferencing Node 5060 TCP SIP
Endpoint / call control system <any> Conferencing Node 5061 TCP SIP/TLS
Endpoint / call control system <any> Conferencing Node 40000–49999 ** TCP/UDP

Endpoint / call control system / Skype for Business / Lync system / Connect app††

RTP / RTCP / RDP / VbSS / DTLS / STUN / TURN

Conferencing Node 33000–39999 ** Endpoint / call control system 1719 UDP H.323 (RAS signaling)
Conferencing Node 33000–39999 ** Endpoint / call control system 1720 / <any> TCP

H.323 (H.225/Q.931 signaling)

(to <any> if the device is registered to Pexip Infinity)

Conferencing Node 33000–39999 ** Endpoint / call control system <any> TCP H.323 (H.245 signaling)
Conferencing Node 33000–39999 ** Endpoint / call control system 5060 TCP/UDP SIP
Conferencing Node 33000–39999 ** Endpoint / call control system 5061 TCP SIP/TLS
Conferencing Node 40000–49999 ** Endpoint / call control system <any> TCP/UDP

RTP / RTCP / RDP / VbSS / DTLS / STUN / TURN

Endpoint / call control system / Skype for Business / Lync system / Connect app††

Conferencing Node 40000–49999 ** STUN / TURN server 3478 UDP STUN / TURN
Conferencing Node 40000–49999 ** RTMP streaming server 1935 TCP RTMP streaming
Conferencing Node 55000–65535 SfB/Lync Web Conferencing service 443 / 8057 ‡‡ TCP (TLS) PSOM (PowerPoint presentation from SfB/Lync)
Conferencing Node 55000–65535 SfB/Lync Front End Server or Edge Server
and WAC/OWA/OOS server
443 TCP (TLS/HTTPS) PowerPoint presentation from SfB/Lync
Additional features (ports only required if the relevant feature is configured)
Endpoint / call control system <any> Conferencing Node 5060 UDP SIP UDP
Google Meet 19302–19309 Conferencing Node 40000–49999 ** UDP Google Meet SRTP/SRTCP
Client application <any> Conferencing Node 443 TCP (HTTPS) Microsoft Teams (client application viewing the meeting invitation Alternative Dial Instructions)
Teams Connector ephemeral Conferencing Node

443

4277

TCP Microsoft Teams signaling
Teams Connector 50000-54999 Conferencing Node 40000–49999 ** UDP Microsoft Teams SRTP/SRTCP
Conferencing Node 33000–39999 **

Google Meet

(hangouts.clients6.google.com and

meetings.googleapis.com)

443 TCP (HTTPS) Google Meet
Conferencing Node 40000–49999 ** Google Meet 19302–19309 UDP Google Meet SRTP/SRTCP
Conferencing Node 33000–39999 **

Teams Connector load balancer

Teams Connector instance

443 TCP (HTTPS) Microsoft Teams
(see Firewall ports for the Teams Connector and NSG rules for full details)
Conferencing Node 40000–49999 ** Teams Connector instance 50000–54999 UDP Microsoft Teams SRTP/SRTCP

† Configurable by the administrator.

** Configurable via the Media port range start/end, and Signaling port range start/end options (see About global settings) .

†† Connect app web, mobile and desktop (installable) clients.

‡ See https://support.google.com/a/answer/1279090 for the actual IP ranges that need to be allowed.

‡‡ Typically 443 for Web Conferencing Edge and 8057 for a SfB/Lync Front End Server / FEP.

Note also that:

  • ICE calls allocate 4 ports per media line/stream.
  • The ephemeral port range (55000–65535) is subject to change.

Call signaling and media ports overview (inbound)

Call signaling and media ports details (inbound)