Pexip Infinity port usage and firewall guidance
The diagrams and tables below show the ports used when the Management Node and Conferencing Node connect to other devices.
Firewall, routing and NAT guidance
Note that in all Pexip Infinity deployment scenarios:
- The Management Node must be able to reach all Conferencing Nodes (Proxying Edge Nodes and Transcoding Conferencing Nodes) and vice versa.
- Each Conferencing Node must be able to reach every other Conferencing Node (Proxying Edge Nodes and Transcoding Conferencing Nodes), except:
If a location only contains Proxying Edge Nodes, then those proxying nodes in that location only require IPsec connectivity with:
- any other proxying nodes in that location
- all nodes in the transcoding location, and the primary and secondary overflow locations that are associated with that location
- the Management Node.
This means that the proxying nodes in one location do not need to have a direct network connection to other proxying nodes in other locations.
(If the location does not have an associated transcoding location, primary or secondary overflow location defined, or if it contains a mix of proxying nodes and transcoding nodes, then those proxying nodes must be able to reach all other Conferencing Nodes.)
- Any internal firewalls must be configured to allow UDP port 500 and traffic using IP protocol 50 (ESP) in both directions between all Pexip nodes.
- There cannot be a NAT between any Pexip nodes.
When a secondary network address is configured on a Conferencing Node:
- The primary address is always used for inter-node communication to the Management Node and to other Conferencing Nodes.
- The secondary address is always used for signaling and media (to endpoints and other video devices).
- Connections to DNS, SNMP, NTP, syslog and so on, go out from whichever interface is appropriate, based on routing.
- You can have a mixture of any number of single-interfaced and dual-interfaced Conferencing Nodes, providing all nodes can communicate with each other via their primary interfaces.
Management Node
Inbound
Outbound
| Protocol | Source‑Port | Dest‑Port | Description | Device |
|---|---|---|---|---|
| TCP | 55000–65535 | 21 + server’s FTP port range | FTP / FTPS ‡ | FTP server (for daily backup files) |
| TCP/UDP | 55000–65535 | 53 | DNS | DNS server |
| TCP | 55000–65535 |
389 / 636 3268 / 3269 |
LDAP ‡ |
LDAP server AD global catalog searches |
| TCP | 55000–65535 | 443 | HTTPS | vCenter Server and any ESXi host on which Conferencing Nodes may be deployed |
| TCP | 55000–65535 | 443 | HTTPS | Pexip Licensing server (pexip.flexnetoperations.com, 64.14.29.85) |
| TCP | 55000–65535 | 443 | HTTPS ‡ | Incident reporting server (acr.pexip.com) |
| TCP | 55000–65535 | 443 | HTTPS ‡ | Usage statistics (api.keen.io) |
| TCP | <any> | 443 | HTTPS ‡ | Exchange server (for VMR Scheduling for Exchange) |
| TCP | 55000–65535 | 443 | HTTPS ‡ | Dynamic bursting to a cloud service provider |
| TCP | 55000–65535 | 587 | SMTP ‡ | SMTP server |
| UDP | 123, 55000–65535 | 123 | NTP | NTP server |
| UDP | <any> | 161 † | SNMP ‡ | SNMP NMS |
| UDP | 500 | 500 | ISAKMP (IPsec) | Conferencing Node |
| UDP † | 55000–65535 | 514 † | Syslog ‡ | Syslog server |
| ESP | n/a | n/a | IPsec / IP Protocol 50 | Conferencing Node |
|
* Only required if you want to allow administrative access via this port. † Configurable by the administrator. ‡ Only applies if the relevant feature is configured. Note also that the ephemeral port range (55000–65535) is subject to change. |
||||
|
|
|
Management Node inbound ports |
Management Node outbound ports |
Conferencing Nodes
These port usage rules apply to Proxying Edge Nodes and Transcoding Conferencing Nodes.
Inbound
| Protocol | Source‑Port | Dest‑Port | Description | Device |
|---|---|---|---|---|
| TCP | <any> | 22 | SSH * | SSH client |
| TCP | <any> | 80 | HTTP | Web browser / API interface / Skype for Business / Lync system (for conference avatar) |
| TCP | <any> | 443 | HTTPS | Web browser/ API interface / Infinity Connect mobile client |
| TCP | <any> | 443 | HTTPS ‡ | Outlook client/add-in (for VMR Scheduling for Exchange) |
| TCP | <any> | 1720 | H.323 (H.225 signaling) | Endpoint / call control system |
| TCP | <any> | 5060 | SIP | Endpoint / call control system |
| UDP ‡ | <any> | 5060 | SIP | Endpoint / call control system |
| TCP | <any> | 5061 | SIP/TLS | Endpoint / call control system |
| TCP | <any> | 33000–39999 ** | H.323 (Q.931/H.245 signaling) | Endpoint / call control system |
| TCP/UDP | <any> | 40000–49999 ** | RTP / RTCP / RDP / DTLS / RTMP / STUN / TURN | Endpoint / call control system / Skype for Business / Lync system / Infinity Connect †† |
| UDP | <any> | 161 | SNMP ‡ | SNMP server |
| UDP | 500 | 500 | ISAKMP (IPsec) | Management Node / Conferencing Node |
| UDP | <any> | 1719 | H.323 (RAS signaling) | Endpoint / call control system |
| ESP | n/a | n/a | IPsec / IP Protocol 50 | Management Node / Conferencing Node |
Outbound
| Protocol | Source‑Port | Dest‑Port | Description | Device |
|---|---|---|---|---|
| TCP/UDP | 55000–65535 | 53 | DNS | DNS server |
| TCP | 55000–65535 | 443 | HTTPS ‡ | Incident reporting server (acr.pexip.com) |
| TCP | 55000–65535 | 443 | HTTPS ‡ | AD FS server (SSO) |
| TCP | 33000–39999 ** | 1720 | H.323 (H.225 signaling) | Endpoint / call control system |
| TCP/UDP | 33000–39999 ** | 5060 | SIP | Endpoint / call control system |
| TCP | 33000–39999 ** | 5061 | SIP/TLS | Endpoint / call control system |
| TCP | 33000–39999 ** | <any> | H.323 (Q.931/H.245 signaling) | Endpoint / call control system |
| TCP/UDP | 40000–49999 ** | <any> | RTP / RTCP / RDP / DTLS / RTMP / STUN / TURN | Endpoint / call control system / Skype for Business / Lync system / Infinity Connect †† |
| TCP | 40000–49999 ** | 1935 | RTMP | RTMP streaming server |
| TCP (TLS) | 55000–65535 | 443 / 8057 ‡‡ | PSOM (PowerPoint presentation from SfB/Lync) | SfB/Lync Web Conferencing service |
| TCP (TLS) | 55000–65535 | 443 | HTTPS (PowerPoint presentation from SfB/Lync) | SfB/Lync Front End Server or Edge Server and WAC/OWA/OOS server |
| UDP | 123, 55000–65535 | 123 | NTP | NTP server |
| UDP | <any> | 161 † | SNMP ‡ | SNMP NMS |
| UDP | 500 | 500 | ISAKMP (IPsec) | Management Node / Conferencing Node |
| UDP † | 55000–65535 | 514 † | Syslog ‡ | Syslog server |
| UDP | 33000–39999 ** | 1719 | H.323 (RAS signaling) | Endpoint / Call control system |
| UDP | 40000–49999 ** | 3478 † | STUN / TURN | STUN / TURN server |
| ESP | n/a | n/a | IPsec / IP Protocol 50 | Management Node / Conferencing Node |
|
* Only required if you want to allow administrative access via this port. † Configurable by the administrator. ** Configurable via the Media port range start/end and Signaling port range start/end options (see About global settings). †† Infinity Connect web, mobile and desktop (installable) clients ‡ Only applies if the relevant feature is configured. ‡‡ Typically 443 for Web Conferencing Edge and 8057 for a SfB/Lync Front End Server / FEP. Note also that:
|
||||
|
|
|
Conferencing Node inbound ports |
Conferencing Node outbound ports |