Avaya Port Matrix: Avaya Aura Conferencing 8.0

Transcription

1 Avaya Matrix: Avaya Aura Conferencing 8.0 Issue 1.3 April 12, 2016 Avaya Matrix: Avaya Aura Conferencing 8.0. April 2016

2 ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL ELIMINATE SECURITY THREATS TO CUSTOMERS SYSTEMS. AVAYA INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES, REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY CIRCUMSTANCES BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN. THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE OF THESE TERMS Avaya Inc. All Rights Reserved. All trademarks identified by the or are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. 2 Avaya Matrix: Avaya Aura Conferencing 8.0

3 1 Conferencing Components The Avaya Aura Conferencing server platform supports the configuration of a single bonded network interface. Each bonded interface consists of two physical Ethernet network interfaces operating in active/standby mode. The server attaches to only one subnet and uses only one server IP address for the bond0 interface. The Avaya Aura Conferencing server platform supports the configuration of multiple IPv4 addresses in one subnet. Depending on the deployment model selected for deployment, one or more components may share the same server, along with the server IP address. Please refer to Deploying Avaya Aura Conferencing 8.0 for supported configurations. Component Description Database The Database is the component that stores configuration data for the Avaya Aura Conferencing Network Elements. Element Manager (EM) The Element Manager is the component that manages all the Avaya Aura Conferencing Network Elements. Accounting Manager The Accounting Manager is the component that manages all the billing (AM) and account details. Provisioning Manager The Provisioning Manager is the component that manages configuration procedures via a web interface for configuring system wide conferencing details and templates, and managing user configuration specific to conferencing. Collaboration Agent (CA) The Collaboration Agent Manager is the component that hosts the Manager Collaboration Agent which is a web interface for users to see their conference status, perform actions on the conference, and share a web collaboration session. Server (AS) The Server is the component that manages conferencing signaling. Media Server (MS) The Media Server is the component that host conferencing, relay media, and optionally records and stores recorded content for playback retrieval when configured in a Recording Media Server Cluster. When used in the co-resident deployment model, the Media Server requires an additional IPv4 network address on the bond0 interface for media due to the number of ports used by media flows. Web Conferencing Management Server (WCMS) Web Conferencing Server (WCS) Document Conversion Server (DCS) Flash Media Gateway (FMG) Flash Media Management Server Audio/Video in Collaboration Management al Client The Web Conferencing Management Server is the component that manages Web Conferencing Servers and relays documents to the Document Conversion Server when document conversion is requested. The Web Conferencing Server is the component that handles user actions and media during web collaboration. The Document Conversion Server it the component that converts Office documents into the format required for document sharing during a web conference session. The FMG component converts sessions between the Flash-domain (RTMP signaling and media) and the Multimedia-domain (SIP signaling and RTP/RTCP media). The Flash Media Management Server component provides OAM&P functions for configuration, administration, and management of Audio/Video in Collaboration Agent. This is a Flash-based client that connects to the Flash Media Management Server and provides access to OAM&P functions for configuration, administration, and management of Audio/Video in Collaboration systems. Avaya Matrix: Avaya Aura Conferencing 8.0 April

4 Component Avaya Aura Session Manager Avaya Aura System Manager Avaya Session Border Controller (SBC) Description The Avaya Aura Session Manager is the SIP routing and core component of the Avaya Aura solution. The Avaya Aura System Manager is the central management system component of the Avaya Aura solution. The Avaya Session Border Controller is a secure interface for SIP trunking and remote worker connectivity. 4 Avaya Matrix: Avaya Aura Conferencing 8.0

5 2 Usage Tables 2.1 Usage Table Heading Definitions Ingress Connections (In): This indicates connection requests that are initiated from external devices to open ports on this product. From the point of view of the product, the connection request is coming In. (Note that in most cases, traffic will flow in both directions.) Egress Connections (Out): This indicates connection requests that are initiated from this product to known ports on a remote device. From the point of view of the product, the connection requests is going Out. (Note that in most cases, traffic will flow in both directions.) Intra-Device Connections: This indicates connection requests that both originate and terminate on this product. Normally these would be handled on the loopback interface, but there may be some exceptions where modules within this product must communicate on ports open on one of the physical Ethernet interfaces. These ports would not need to be configured on an external firewall, but may show up on a port scan of the product. Destination : This is the default layer-4 port number to which the connection request is sent. Valid values include: A (C) next to the port number means that the port number is configurable. Refer to the Notes section after each table for specifics on valid port ranges. Network/ : This is the name associated with the layer-4 protocol and layers-5-7 application. Disabled: This field indicates whether customers can enable or disable a layer-4 port changing its default port setting. Valid values include: Yes or No No means the default port state cannot be changed (e.g. enabled or disabled). Yes means the default port state can be changed and that the port can either be enabled or disabled. : A port is either open, closed, filtered or N/A. Open ports will respond to queries. Closed ports may or may not respond to queries and are only listed when they can be optionally enabled. Filtered ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP will respond to queries, but will not allow connectivity. N/A is used for the egress default port state since these are not listening ports on the product. External Device: This is the remote device that is initiating a connection request (Ingress Connections) or receiving a connection request (Egress Connections). Avaya Matrix: Avaya Aura Conferencing 8.0 April

6 2.2 Tables Below are the tables which document the port usage for this product. Each component is represented by a separate table. For components that use more than one IP Address, that component has a table for each address separating the ingress/egress traffic per IP Address. Most components share a server IP Address with other components therefore there will be some duplication of ports, for example each server IP address will have the SSH TCP 22 open. For communication between components, egress traffic will be ingress traffic for the other component. In addition, unless otherwise noted, the source port of the data flows is the ephemeral port range ( ) as suggested by the IANA Firewall Boundary Legend Notes If communication may cross an optional firewall boundary, it is noted in the note column for that table using the following symbols: δ Used to note communication crossing Firewall boundary between a DMZ and the Core Data Center Network. δ Used to note communication crossing Firewall boundary between a DMZ and the Core Data Center that exists due to initial installation having the WCMS in the DMZ and has not been moved to the Core Data Center Network. ε Used to note communication crossing DMZ Firewall boundary from the Internet. ρ Used to note communication crossing Firewall boundary between the Core Data Center Network and a Remote Hosting Location Network. Figure 1 below shows a high level diagram where these firewall boundaries may exist and the corresponding symbol use to correlate using the notes column in the respective tables that follow. ε δ ρ Internet DMZ Enterprise Network Remote Location Figure 1: Firewall Boundaries 6 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

7 2.2.2 Conferencing Database Servers No. Destination Table 1 s for Database (DB) Server IP Addresses TCP/SSH No Open Admin Terminal, SAL Gateway System Management requiring shell access TCP/TLS No Open EM Server NED TCP/TLS No Open EM Server Database SQL TCP/TLS No Open AM Server Database SQL TCP/TLS No Open Provisioning Manager Server Database SQL TCP/TLS No Open CA Manager Server Database SQL δ TCP/TLS No Open AS Server Database SQL TCP/TLS No Open MS Server Database SQL ρ TCP/TLS No Open WCMS Server Database SQL δ TCP/TLS No Open WCS Server Database SQL δ TCP/TLS No Open DCS Server Database SQL TCP/TLS No Open Redundant Database server Database synchronization UDP No N/A NTP Source NTP UDP Yes N/A Syslog server Remote Syslog Server TCP/TLS No N/A All Network Element servers NED FTP pull passive mode (control) TCP/TLS No N/A All Network Element servers NED FTP pull passive mode (data) TCP/TLS No N/A Redundant Database server Database synchronization INTRA-DEVICE CONNECTIONS NONE Notes: 1. Source port Uses SSL FTP (RFC 4217) Avaya Matrix: Avaya Aura Conferencing 8.0 April

8 2.2.3 Element Manager No. Destination Table 2: s for EM Server IP Address TCP/SSH No Open Admin Terminal, SAL Gateway System Management requiring shell access UDP No Open NTP Source NTP UDP No Open All Network Element servers SMNP (GET) δ,δ,ρ TCP/TLS No Open All Network Element servers NED FTP pull passive mode (control) δ,δ,ρ, TCP/TLS No Open All Network Element servers NED FTP pull passive mode (data) δ,δ,ρ, TCP/TLS No Open All Network Element servers NED δ,δ,ρ TCP/TLS No Open EM Service Config. Mtce (perfect channel) UDP No Open EM Service Config. Mtce (perfect channel) and associated heartbeat to the TCP Perfect Channel TCP No Open EM Service Logs (perfect channel) UDP No Open EM Service Logs (perfect channel), Associated Heartbeat to TCP Perfect Channel TCP No Open EM Service OMs (perfect channel) UDP No Open EM Service OMs (perfect channel), Associated Heartbeat to TCP Perfect Channel UDP No Open Redundant EM Server FT heartbeat 6, TCP No Open Redundant EM Server FT Sync Channel UDP No Open Redundant EM Server FT Sync Channel UDP No Open EM Service Alarms (sync channel) UDP/TCP Yes N/A DNS Servers DNS UDP No N/A NTP Source NTP UDP No N/A Media Server SNMP (GET) TCP/HTTPS No N/A Avaya Aura System Manager Trust Management UDP Yes N/A Syslog Server Remote Syslog Server TCP/TLS No N/A EM Server NED FTP pull passive mode (control) TCP/TLS No N/A EM Server NED FTP pull passive mode (data) TCP/TLS No N/A DB Server Database SQL UDP No N/A EM Service Logs (perfect channel) UDP No N/A EM Service OMs (perfect channel) TCP/TLS No N/A EM Service Alarm Sync 11 8 Avaya Matrix: Avaya Aura Conferencing 8.0 April

9 No. Destination UDP No N/A Redundant EM Server FT heartbeat 6, TCP No N/A Redundant EM Server FT Sync Channel UDP No N/A Redundant EM Server FT Sync Channel UDP No N/A EM Service Alarm Sync 11 INTRA- DEVICE CONNE CTIONS NONE Notes: 1. Source port Uses SSL FTP (RFC 4217) 3. Source port is 12101, Source port is 12112, Source port is 12114, Sync between active and standby instance 7. Source Source Source port Source port Source port Avaya Matrix: Avaya Aura Conferencing 8.0 April

10 No. Destination Table 3: s for EM Service IP Address TCP/TLS No Open Network Element Servers Config. Mtce (perfect channel) δ,δ,ρ UDP No Open Network Element Servers Config. Mtce (perfect channel) δ,δ,ρ, UDP No Open Redundant ADR EM Service ADR Inter-system Heartbeat ρ TCP/TLS No Open Network Element Servers Logs (perfect channel) δ,δ,ρ UDP No Open Network Element Servers Logs (perfect channel) δ,δ,ρ, TCP/TLS No Open Network Element Servers OMs (perfect channel) δ,δ,ρ UDP No Open Network Element Servers OMs (perfect channel) δ,δ,ρ, TCP Yes Open EM Console TCP/TLS No Open EM Console EM Console connection to the EM Service Address. EM Console secure connection to the EM Service Address TCP/TLS No Open Network Element Servers Alarms (sync channel) δ,δ,ρ, TCP/TLS No Open EM Console EM Console Log Browser Stream UDP No Open Network Element Servers Alarms Sync δ,δ,ρ, TCP No N/A Avaya Aura System Manager SNMP (TRAP) , TCP No N/A External SNMP Manager SNMP (TRAP) UDP No N/A Redundant ADR EM Service ADR Inter-system Heartbeat ρ TCP/TLS No N/A AM Server Config. Mtce (Perfect Channel) UDP No N/A AM Server Config. Mtce (Perfect Channel) and associated heartbeat to TCP Perfect Channel TCP/TLS No N/A AM Server Logs (Perfect Channel) UDP No N/A AM Server Logs (Perfect Channel) and associated heartbeat to TCP Perfect Channel TCP/TLS No N/A AM Server OMs (Perfect Channel) UDP No N/A AM Server OMs (Perfect Channel) and associated heartbeat to TCP Perfect Channel TCP/TLS No N/A AS Server Config. Mtce (Perfect Channel) Config. Mtce (Perfect Channel) and UDP No N/A AS Server associated heartbeat to TCP Perfect Channel TCP/TLS No N/A AS Server Logs (Perfect Channel) UDP No N/A AS Server Logs (Perfect Channel) and associated heartbeat to TCP Perfect Channel TCP/TLS No N/A AS Server OMs (perfect channel) 10 Avaya Matrix: Avaya Aura Conferencing 8.0 April

11 No. Destination UDP No N/A AS Server OMs (perfect channel), Associated Heartbeat to TCP Perfect Channel TCP/TLS No N/A WCMS Server Config. Mtce (Perfect Channel) δ UDP No N/A WCMS Server Config. Mtce (Perfect Channel) and associated heartbeat to TCP Perfect Channel δ, TCP/TLS No N/A WCMS Server Logs (Perfect Channel) δ UDP No N/A WCMS Server Logs (Perfect Channel) and associated heartbeat to TCP Perfect Channel δ, TCP/TLS No N/A WCMS Server OMs (perfect channel) δ UDP No N/A WCMS Server OMs (Perfect Channel) and associated heartbeat to TCP Perfect Channel δ, TCP/TLS No N/A UDP No N/A Provisioning or CA Manager Server Provisioning or CA Manager Server Config. Mtce (Perfect Channel) Config. Mtce (Perfect Channel) and associated heartbeat to TCP Perfect Channel TCP/TLS No N/A Provisioning or CA Manager Server Logs (Perfect Channel) UDP No N/A Provisioning or CA Manager Logs (Perfect Channel) and associated Server heartbeat to TCP Perfect Channel TCP/TLS No N/A Provisioning or CA Manager Server OMs (perfect channel) UDP No N/A Provisioning or CA Manager OMs (perfect channel), Associated Server Heartbeat to TCP Perfect Channel TCP/TLS No N/A DCS Config. Mtce (Perfect Channel) Config Mtce (Perfect Channel) and UDP No N/A DCS associated heartbeat to TCP Perfect Channel TCP/TLS No N/A DCS Logs (Perfect Channel) UDP No N/A DCS Logs (Perfect Channel) and associated heartbeat to TCP Perfect Channel TCP/TLS No N/A DCS OMs (perfect channel) UDP No N/A DCS OMs (perfect channel) and associated heartbeat to TCP Perfect Channel TCP/TLS No N/A WCS Server Config. Mtce (Perfect Channel) δ UDP No N/A WCS Server Config. Mtce (Perfect Channel) and associated heartbeat to TCP Perfect Channel Avaya Matrix: Avaya Aura Conferencing 8.0 April δ δ,5 δ δ,6 δ δ,7 5 δ,5

12 No. Destination TCP/TLS No N/A WCS Server Logs (Perfect Channel) δ UDP No N/A WCS Server Logs (Perfect Channel) and associated heartbeat to TCP Perfect Channel δ, TCP/TLS No N/A WCS Server OMs (perfect channel) δ UDP No N/A WCS Server OMs (Perfect Channel) and associated heartbeat to TCP Perfect Channel δ, TCP/TLS No N/A MS Server Config. Mtce (Perfect Channel) ρ UDP No N/A MS Server Config. Mtce (Perfect Channel) and associated heartbeat to TCP Perfect Channel ρ, TCP/TLS No N/A MS Server Logs (Perfect Channel) ρ UDP No N/A MS Server Logs (Perfect Channel) and associated heartbeat to TCP Perfect Channel ρ, TCP/TLS No N/A MS Server OMs (perfect channel) ρ UDP No N/A MS Server OMs (Perfect Channel) and associated heartbeat to TCP Perfect Channel ρ,7 INTRA-DEVICE CONNECTIONS UDP No Open N/A EM Service to local syslog 8 Notes: 1. Source port is External Device Network Element Base + NE Config. Maintenance Perfect Channel Offset. Refer to Table 28, Table Source port is External Device Network Element Base + Log Offset. Refer to Table 28, Table Source port is External Device Network Element Base + OM Offset. Refer to Table 28, Table Source port is External Device Network Element Base + Alarm Offset. Refer to Table 28, Table Source port is 12101, Source port is 12112, Source port is 12114, Source port is Source port Trap port value must be either 162 or between 1024 and No default source port value. Trap port value must be either 162 or between 1024 and Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

13 2.2.4 Accounting Manager No. Destination Table 4: s for Accounting Manager (AM) Server IP Address TCP/SSH No Open Admin terminal, SAL Gateway System Management requiring shell access UDP No Open EM Server SNMP (GET) TCP/TLS No Open EM Server NED TCP/TLS No Open EM Service Config. Mtce (perfect channel) UDP No Open EM Service Config. Mtce (perfect channel) and associated heartbeat to the TCP Perfect Channel TCP No Open EM Service Logs (perfect channel) UDP No Open EM Service Logs (perfect channel), Associated Heartbeat to TCP Perfect Channel TCP No Open EM Service OMs (perfect channel) UDP No Open EM Service OMs (perfect channel), Associated Heartbeat to TCP Perfect Channel UDP No Open Redundant AM Server FT heartbeat 4, TCP No Open Redundant AM Server FT Sync Channel UDP No Open Redundant AM Server FT Sync Channel UDP/TCP Yes N/A DNS Servers DNS UDP No N/A NTP source NTP UDP Yes N/A Syslog Server Remote Syslog Server TCP/TLS No N/A EM Server NED FTP pull passive mode (control) TCP/TLS No N/A EM Server NED FTP pull passive mode (data) TCP/TLS No N/A DB Server Database SQL UDP No N/A EM Service Logs (perfect channel) UDP No N/A EM Service OMs (perfect channel) TCP/TLS No N/A EM Service Alarm Sync UDP No N/A Redundant AM Server FT Heartbeat 4, TCP No N/A Redundant AM Server FT Sync Channel UDP No N/A Redundant AM Server FT Sync Channel >1023 TCP Yes N/A Back office billing processing system Billing Stream UDP No N/A EM Service Alarm Sync 7 Avaya Matrix: Avaya Aura Conferencing 8.0 April

14 Destination No. INTRA-DEVICE CONNECTIONS NONE Notes: 1. Source port is 12101, Source port is 12112, Source port is 12114, Sync between active and standby 5. Source port is Uses SSL FTP (RFC 4217) 7. Source port is Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

15 No. Destination Table 5: s for Accounting Manager (AM) Service IP Address TCP/TLS No Open AS Server Billing Stream (perfect channel) UDP No Open AS Server Billing Stream (perfect channel) TCP/TLS No N/A AS Server Billing Stream (perfect channel) UDP No N/A AS Server Billing Stream (perfect channel) 2 INTRA-DEVICE CONNECTIONS NONE Notes: 1. Source port is Source port is Avaya Matrix: Avaya Aura Conferencing 8.0 April

16 2.2.5 Provisioning Manager Table 6: s for Provisioning Manager Server IP Address No. Destination TCP/SSH No Open Admin terminal, SAL Gateway System Management requiring shell access UDP No Open EM Server SNMP (GET) TCP/HTTPS No Open Intranet Web Client Client access to the Collaboration Agent 1, TCP/TLS No Open EM Server NED TCP/HTTPS No Open WCMS Server SIP Bridge δ, TCP/HTTPS No Open Admin subnet, Avaya Aura Administrative access for System System Manager Provisioning TCP/TLS No Open EM Service Config. Mtce (perfect channel) UDP No Open EM Service Config. Mtce (perfect channel), Associated Heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service Logs (perfect channel) UDP No Open EM Service Logs (perfect channel), Associated Heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service OMs (perfect channel) UDP No Open EM Service OMs (perfect channel), Associated Heartbeat to TCP Perfect Channel TCP/SIP Yes Closed AS Service AS SIP connection to the Provisioning or Personal Agent Manager Server TCP/TLS/SIP(S) Yes Open AS Service AS SIP connection to the Provisioning or Personal Agent Manager Server UDP/TCP Yes N/A DNS Servers DNS UDP No N/A NTP source NTP TCP/LDAP Yes N/A LDAP Servers Used to sync/authenticate with a Directory Server UDP Yes N/A Syslog server Remote Syslog Server TCP/TLS/LDAPS Yes N/A LDAPS Servers Used to sync/authenticate with a Directory Server over TLS TCP/TLS No N/A EM Server NED FTP pull passive mode (control) TCP/TLS No N/A EM Server NED FTP pull passive mode (data) TCP/SIP Yes N/A AS Service SIP to AS Service TCP/TLS/SIP(S) Yes N/A AS Service SIP(S)/TLS to AS Service TCP/TLS No N/A DB Server Database SQL UDP No N/A EM Service Logs (perfect channel) 9 16 Avaya Matrix: Avaya Aura Conferencing 8.0 April

17 No. Destination UDP No N/A EM Service OMs (perfect channel) TCP/TLS No N/A EM Service Alarm Sync UDP No N/A EM Service Alarm Sync 12 INTRA-DEVICE CONNECTIONS NONE Notes: 1. Server redirects to port The Provisioning Manager also includes the Collaboration Agent (CA). 3. SIP Bridge between the Web Conferencing Management Server and either the Provisioning Manager or CA Manager that is configured to be the Meeting Event Processor. 4. Source port is 12101, Source port is 12112, Source port is 12114, Source port Uses SSL FTP (RFC 4217) 9. Source port is Source port is Source port is Avaya Matrix: Avaya Aura Conferencing 8.0 April

18 2.2.6 Collaboration Agent Manager No. Destination Table 7: s for Collaboration Agent (CA) Manager Server IP Address TCP/SSH No Open Admin terminal, SAL Gateway System Management requiring shell access δ UDP No Open EM Server SNMP (GET) δ TCP/HTTPS No Open Internet/Intranet Web Client Client access to the Collaboration Agent ε, TCP/TLS No Open EM Server NED δ TCP/HTTPS No Open WCMS Server SIP Bridge δ, TCP/TLS No Open EM Service Config. Mtce (perfect channel) δ UDP No Open EM Service Config. Mtce (perfect channel), Associated Heartbeat to TCP Perfect Channel δ, TCP/TLS No Open EM Service Logs (perfect channel) δ UDP No Open EM Service Logs (perfect channel), Associated Heartbeat to TCP Perfect Channel δ, TCP/TLS No Open EM Service OMs (perfect channel) δ UDP No Open EM Service OMs (perfect channel), Associated Heartbeat to TCP Perfect Channel δ, TCP/SIP Yes Closed AS Service AS SIP connection to the Provisioning or Personal Agent Manager Server δ, TCP/TLS/SIP(S) Yes Open AS Service AS SIP/TLS connection to the Provisioning or Personal Agent Manager Server δ, TCP/SIP Yes Closed SBC Avaya SBC SIP connection to the Provisioning or Collaboration Agent Manager Server for the Mobile App. δ,6, TCP/TLS/SIP(S) Yes Open SBC Avaya SBC SIP/TLS connection to the Provisioning or Collaboration Agent Manager Server for the Mobile App UDP/TCP Yes N/A DNS Servers DNS δ, ε, UDP No N/A NTP source NTP δ, TCP/LDAP Yes N/A LDAP Servers Used to authenticate with a Directory Server δ UDP Yes N/A Syslog server Remote Syslog Server δ TCP/TLS/LDAPS Yes N/A LDAPS Servers Used to authenticate with a Directory Server over TLS δ TCP/TLS No N/A EM Server NED FTP pull passive mode (control) δ, 9 18 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016 δ,6,13

19 No. Destination TCP/TLS No N/A EM Server NED FTP pull passive mode (data) δ, TCP/SIP Yes N/A AS Service SIP to AS Service δ TCP/SIP Yes N/A SBC SIP to SBC δ TCP/TLS/SIP(S) Yes N/A AS Service SIP(S)/TLS to AS Service δ TCP/TLS/SIP(S) Yes N/A SBC SIP(S)/TLS to SBC δ TCP/TLS No N/A DB Server Database SQL δ TCP/TLS No N/A EM Service Log (perfect channel) δ UDP No N/A EM Service Logs (perfect channel) δ, TCP/TLS No N/A EM Service OMs (perfect channel) δ UDP No N/A EM Service OMs (perfect channel) δ, TCP/TLS No N/A EM Service Alarm Sync δ, UDP No N/A EM Service Alarm Sync δ INTRA-DEVICE CONNECTIONS NONE 1. Server redirects to port SIP Bridge between the Web Conferencing Management Server and either the Provisioning Manager or CA Manager that is configured to be the Meeting Event Processor. 3. Source port is 12101, Source port is 12112, Source port is 12114, The use of SIP and SIP/TLS is mutually exclusive. 7. Depending on if Split-Horizon DNS is used will dictate if a firewall rule to the Enterprise DNS is required. If not using Split-Horizon DNS it is recommended that /etc/hosts is used instead on any servers in the DMZ such that external access to internal DNS is restricted. 8. Source port Uses SSL FTP (RFC 4217) 10. Source port is Source port is Source port is For the Enhanced Audio/Video in Collaboration Agent feature, make sure that SIP trunk traffic flows between the SBC and Avaya Session Manager is configured in both directions. They are either SIP TLS 5061 or SIP TCP 5060 in both directions. Avaya Matrix: Avaya Aura Conferencing 8.0 April

20 20 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

21 2.2.7 Server No. Destination Table 8: s for Server (AS) Server IP Address TCP/SSH No Open Admin terminal, SAL Gateway System Management requiring shell access UDP No Open EM Server SNMP (GET) TCP/TLS No Open EM Server NED TCP/TLS No Open EM Service Config. Mtce (perfect channel) UDP No Open EM Service Config. Mtce (perfect channel) and associated heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service Logs (perfect channel) UDP No Open EM Service Logs (perfect channel) and associated heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service OMs (perfect channel) UDP No Open EM Service OMs (perfect channel) and associated heartbeat to TCP Perfect Channel TCP/TLS No Open AM Service Billing Stream (perfect channel) UDP No Open AM Service Billing Stream (perfect channel) TCP No Open Redundant AS Server FT heartbeat 5, TCP Yes Open Redundant AS Server FT Sync Channel UDP No Open Redundant AS Server FT Sync Channel TCP/TLS No Open Redundant AS Server FT Secure Sync Channel UDP/TCP Yes N/A DNS Servers DNS UDP No N/A NTP source NTP TCP/LDAP Yes N/A LDAP Server Used to authenticate with a Directory Server TCP/HTTPS No N/A Avaya Aura System Manager WebLM Licensing TCP/HTTPS No N/A WCS Service Server REST service call to control start/stop of recordings UDP No N/A Syslog Server Remote Syslog Server TCP/LDAPS Yes N/A LDAPS Server Used to authenticate with a Directory Server over TLS TCP/TLS No N/A EM Server NED FTP pull passive mode (control) TCP/TLS No N/A EM Server NED FTP pull passive mode (data) TCP/TLS No N/A DB Server Database SQL Avaya Matrix: Avaya Aura Conferencing 8.0 April δ

22 No. Destination TCP/TLS No N/A WCMS Server Server ping of the SIP Bridge through the WCMS δ TCP/TLS No N/A EM Service Logs (perfect channel) UDP No N/A EM Service Logs (perfect channel) TCP/TLS No N/A EM Service OMs (perfect channel) UDP No N/A EM Service OMs (perfect channel) TCP/TLS No N/A EM Service Alarm Sync UDP No N/A Redundant AS Server FT heartbeat 5, TCP Yes N/A Redundant AS Server FT Sync Channel UDP No N/A Redundant AS Server FT Sync Channel UDP No N/A EM Service Alarm Sync TCP/TLS No N/A Redundant AS Server FT Secure Sync Channel 12 INTRA-DEVICE CONNECTIONS NONE Notes: 1. Source port is 12101, Source port is 12112, Source port is 12114, Source port is Sync between active and standby, may be disabled after upgrade to AAC 8.0 SP2 6. Source port is Source port is Uses SSL FTP (RFC 4217) 9. Source port is Source port is Source port is As of AAC 8.0 SP2 22 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

23 Table 9: s for Server (AS) Service IP Address Destination No TCP/SIP Yes Closed MS Server SIP ρ, TCP/SIP Yes Closed Avaya Aura Session Manager (SM100) SIP TCP/SIP Yes Closed Provisioning or CA Manager Server SIP δ, TCP/SIP Yes Closed AAC Mobile App Client (ios and Android) SIP within Enterprise from Client 2, TCP/SIP Yes Closed SBC SIP trunk from SBC δ, TCP/TLS/SIP(S) Yes Open MS Server SIP or SIPS over TLS ρ, TCP/TLS/SIP(S) Yes Open Provisioning or CA Manager Server SIP or SIPS over TLS δ, TCP/TLS/SIP(S) Yes Open Avaya Aura Session Manager (SM100) SIP or SIPS over TLS TCP/TLS/SIP(S) Yes Open AAC Mobile App Client (ios SIP or SIPS over TLS within Enterprise from and Android) Client 2, TCP/TLS/SIP(S) Yes Open SBC SIP or SIPS trunk from SBC over TLS δ, TCP/SIP Yes N/A MS Server SIP ρ, TCP/SIP Yes N/A Avaya Aura Session Manager (SM100) SIP TCP/SIP Yes N/A SBC SIP Trunk to SBC δ, TCP/TLS/SIP(S) Yes N/A MS Server SIP or SIPS over TLS ρ, TCP/TLS/SIP(S) Yes N/A Avaya Aura Session Manager (SM100) SIP or SIPS over TLS TCP/TLS/SIP(S) Yes N/A SBC SIP or SIPS Trunk to SBC over TLS δ, TCP/SIP Yes N/A Co-Res MS Server SIP TCP/TLS/SIP(S) Yes N/A Co-Res MS Server SIP or SIPS over TLS TCP/SIP Yes N/A TCP/TLS/SIP(S) Yes N/A INTRA-DEVICE CONNECTIONS NONE Provisioning or CA Manager Server Provisioning or CA Manager Server Server SIP connection to the Provisioning or CA Manager Server SIP(S)/TLS connection to the Provisioning or CA Manager δ,1,3 δ,1,3 Avaya Matrix: Avaya Aura Conferencing 8.0 April

24 Notes: 1. Dependent on Meeting Event Processor configuration. 2. Client supports Connection Reuse such that additional outbound connection is not required. 3. The use of SIP and SIP/TLS is mutually exclusive. 24 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

25 2.2.8 Media Server No. Destination Table 10: s for Media Server (MS) Server IP Address TCP/SSH No Open Admin terminal, SAL Gateway System management requiring shell access ρ UDP No Open EM Server SNMP(GET) ρ TCP/TLS No Open MS Servers in the same cluster Media Server Configuration DB TCP No Open Provisioning Manager External Session API (ESA) UComm service only. ρ TCP/TLS No Open EM Server NED ρ TCP/SIP Yes Closed AS Service Server SIP connection to the Media Server ρ TCP/TLS/SIP(S) Yes Open AS Service Server SIP(S)/TLS connection to the Media Server ρ TCP/SIP Yes Closed AS Service Server SIP connection to the Co- Res Media Server TCP/TLS/SIP(S) No Open AS Service Server SIP(S)/TLS connection to the Co-Res Media Server TCP No Open MS Servers in the same cluster Cluster AMS Management TCP/HTTP Yes Closed Admin subnet Also used for KPI Monitoring via Administrator Web Client access TCP/HTTP Yes Closed WCS Server, WCMS Server TCP/HTTPS Yes Open Admin subnet TCP/HTTPS Yes Open WCS Server, WCMS Server TCP/HTTP/S No Open EM KPI/SDR Browser Client Web Conferencing Server and Web Conferencing Management Server signaling to the Media Server for recording media storage/retrieval. Web Conferencing Server and Web Conferencing Management Server signaling to the Media Server for recording media storage/retrieval. Also used for KPI Monitoring via Administrator Web Client access Web Conferencing Server and Web Conferencing Management Server signaling to the Media Server for recording media storage/retrieval. SOAP request from Admin client, defaults to over TLS. Avaya Matrix: Avaya Aura Conferencing 8.0 April δ, ρ,1,12 2 δ, ρ, 2,12 ρ

26 No. Destination TCP No Open MS Servers in the same cluster Cluster Inter-SC Communication TCP No Open MS Servers in the same cluster Cluster IVR Management TCP/TLS No Open EM Service Config. Mtce (perfect channel) ρ UDP No Open EM Service Config. Mtce (perfect channel), and the associated heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service Logs (perfect channel) ρ UDP No Open EM Service Logs (perfect channel), and the associated heartbeat to TCP Perfect Channel ρ, TCP/TLS No Open EM Service OMs (perfect channel) ρ UDP No Open EM Service OMs (perfect channel), and the associated heartbeat to TCP Perfect Channel ρ, TCP No Open MS Servers in the same cluster Cluster SC Management TCP No Open MS Servers in the same cluster Cluster Inter-process alarm monitoring TCP No Open Provisioning Manager Multimedia Content Store ρ TCP No Open MS Servers in the same cluster Cluster CStore Management TCP No Open MS Servers in the same cluster Cluster IVR Management UDP/RTP No Open Intranet Client RTP Media (IVR) UDP/RTP No Open Intranet Client RTP Media (Conf) UDP/TCP Yes N/A DNS Servers DNS UDP No N/A NTP source NTP TCP/HTTPS No N/A Avaya Aura System Manager WebLM Licensing ρ TCP/HTTPS No N/A WCS Service Media Server download of encoded recording media for storage δ, ρ, UDP Yes N/A Syslog server Remote Syslog Server ρ TCP/TLS No N/A EM Server NED FTP pull passive mode (control) ρ, TCP/TLS No N/A EM Server NED FTP pull passive mode (data) ρ, TCP/TLS No N/A DB Server Database SQL ρ TCP/SIP Yes N/A AS Service SIP to AS Service ρ TCP/TLS/SIP Yes N/A AS Service SIP(S)/TLS to AS Service ρ TCP/TLS No N/A EM Service Logs (perfect channel) ρ UDP No N/A EM Service Logs (perfect channel) ρ, TCP/TLS No N/A EM Service OMs (perfect channel) ρ UDP No N/A EM Service OMs (perfect channel) ρ, TCP/TLS No N/A EM Service Alarm Sync ρ, UDP/RTP No N/A Intranet Client RTP Media (IVR) 6, UDP/RTP No N/A Intranet Client RTP Media (Conf) 6,13 26 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016 ρ, 3

27 No. Destination UDP No N/A EM Service Alarms (sync channel) ρ INTRA-DEVICE CONNECTIONS TCP No Open N/A Media Server Configuration DB Notes: 1. SOAP interface 2. SOAP over TLS interface, when enabled non TLS interface is disabled. 3. Source port is 12101, Source port is 12112, Source port is 12114, Not used in Co-Res deployment. Separate IP address used instead for media streams, refer to Table Source port is Uses SSL FTP (RFC 4217) 9. Source port is Source port is Source port is Only required for Media Servers configured for Recording 13. If the Client is the eavica plugin, the client s source port is restricted to the range configured in the EM Console. The default range is 51,000 53,000. If the client is connecting through the SBC, refer to the SBC port matrix for the source port range for media. Avaya Matrix: Avaya Aura Conferencing 8.0 April

28 No. Destination Table 11: s for Media Server Media IP Address for Co-Res Media Server deployment UDP/RTP No Open Intranet Client RTP Media (IVR) UDP/RTP No Open Intranet Client RTP Media (Conf) UDP/RTP No N/A Intranet Client RTP Media (IVR) UDP/RTP No N/A Intranet Client RTP Media (Conf) 1 INTRA-DEVICE CONNECTIONS NONE Notes: 1. If the Client is the eavica plugin, the client s source port is restricted to the range configured in the EM Console. The default range is 51,000 53,000. If the client is connecting through the SBC, refer to the SBC port matrix for the source port range for media. 28 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

29 2.2.9 Web Conferencing Management Destination No. Table 12: s for Web Conferencing Management Server (WCMS) Server IP Address TCP/SSH No Open Admin terminal, SAL Gateway System management requiring shell access TCP/SSH No Open Redundant WCMS Server rsync of document library between WCMS servers UDP No Open EM Server SNMP (GET) TCP/TLS No Open EM Server NED TCP/HTTPS No Open WCS Server Reverse Proxy (HTTPS) δ TCP/TLS No Open AS Server Server REST server call to the WCMS Server for recordings and Server ping of the SIP Bridge through the WCMS TCP/TLS No Open EM Service Config. Mtce (perfect channel) UDP No Open EM Service Config. Mtce (perfect channel), and associated heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service Logs (perfect channel) UDP No Open EM Service Logs (perfect channel), and associated heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service OMs (perfect channel) UDP No Open EM Service OMs (perfect channel), and associated heartbeat to TCP Perfect Channel TCP/SSH No N/A Redundant WCMS Server rsync of document library between WCMS servers UDP/TCP Yes N/A DNS Servers DNS UDP No N/A NTP source NTP UDP Yes N/A Syslog Server Remote Syslog Server TCP/TLS No N/A EM Server NED FTP pull passive mode (control) TCP/TLS No N/A EM Server NED FTP pull passive mode (data) TCP/TLS No N/A DB Server Database SQL Avaya Matrix: Avaya Aura Conferencing 8.0 April

30 No. Destination TCP/HTTPS No N/A Provisioning or CA Manager Server WCMS communication with the SIP Bridge dependent on whether or not the Provisioning or PA Manager is configured to be the SIP Bridge TCP/HTTPS Yes N/A DCS Document Conversion via TLS TCP/TLS No N/A EM Service Logs (perfect channel) UDP No N/A EM Service Logs (perfect channel) TCP/TLS No N/A EM Service OMs (perfect channel) UDP No N/A EM Service OMs (perfect channel) TCP/TLS No N/A EM Service Alarm Sync UDP No N/A EM Service Alarm Sync (sync channel) 8 INTRA-DEVICE CONNECTIONS NONE δ Notes: 1. Source port is 12101, Source port is 12112, Source port is 12114, Source port is Uses SSL FTP (RFC 4217) 6. Source port is Source port is Source port is Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

31 Web Conferencing Server No. Destination Table 13: s for Web Conferencing Server (WCS) Server IP Address TCP/SSH No Open Admin terminal, SAL Gateway System management requiring shell access δ UDP No Open EM Server SNMP (GET) δ TCP/TLS No Open EM Server NED δ TCP/TLS No Open EM Service Config. Mtce (perfect channel) δ UDP No Open EM Service Config. Mtce (perfect channel), and associated heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service Logs (perfect channel) δ UDP No Open EM Service Logs (perfect channel), and associated heartbeat to TCP Perfect Channel δ, TCP/TLS No Open EM Service OMs (perfect channel) δ UDP No Open EM Service OMs (perfect channel), and associated heartbeat to TCP Perfect Channel δ, UDP/TCP Yes N/A DNS Servers DNS δ, ε, UDP No N/A NTP source NTP δ, UDP Yes N/A Syslog Server Remote Syslog Server δ TCP/TLS No N/A EM Server NED FTP pull passive mode (control) δ, TCP/TLS No N/A EM Server NED FTP pull passive mode (data) δ, TCP/TLS No N/A DB Server Database SQL δ TCP/HTTPS No N/A WCMS Server Reverse Proxy from WCS to WCMS δ, δ TCP/TLS No N/A EM Service Logs (perfect channel) δ UDP No N/A EM Service Logs (perfect channel) δ, TCP/TLS No N/A EM Service OMs (perfect channel) δ UDP No N/A EM Service OMs (perfect channel) δ, TCP/TLS No N/A EM Service Alarm Sync δ, UDP No N/A EM Service Alarm Sync δ TCP/HTTPS No N/A DCS Server Reverse Proxy from WCS to DCS δ INTRA-DEVICE CONNECTIONS NONE δ, 1 Avaya Matrix: Avaya Aura Conferencing 8.0 April

32 Notes: 1. Source port is 12101, Source port is 12112, Source port is 12114, Depending on if Split-Horizon DNS is used will dictate if a firewall rule to the Enterprise DNS is required. If not using Split-Horizon DNS it is recommended that /etc/hosts is used instead on any servers in the DMZ such that external access to internal DNS is restricted. 5. Source port is Uses SSL FTP (RFC 4217) 7. Source port is Source port is Source port is Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

33 Destination No. Table 14: s for Web Conferencing Server (WCS) Service IP Address TCP/HTTPS Yes Open Internet/Intranet Web Client Client access to web conferencing sessions ε TCP/HTTPS Yes Open AS Server Server REST service call to control start/stop of recordings δ TCP/HTTPS Yes Open Document Conversion Server Document Conversion Server access through the WCS δ TCP/HTTPS Yes Open WCMS Server REST API (HTTPS) δ, δ TCP/HTTPS Yes Open Recording MS Server Media Server downloads of encoded recording media for storage. δ, TCP No Open Internet/Intranet Web Client Flash Policy Server for Web Client Web socket access. ε NONE INTRA-DEVICE CONNECTIONS TCP/HTTPS No Open N/A TCP/HTTP Yes Closed N/A TCP/HTTPS No Open N/A Used for internal communication between the WCS Tomcat and Apache processes. Internal port for the WCS Tomcat Server when HTTP is enabled. Internal port for the WCS Tomcat Server TCP No Open N/A Internal port for the Flash Policy Server Notes: 1. Only required for Media Servers that are part of a Recording Media Server Cluster. 2. Server ACL rules must allow these ports as trusted ports due to the pre-routing from the public ports. Avaya Matrix: Avaya Aura Conferencing 8.0 April

34 Document Conversion Server No. Destination Table 15: s for Document Conversion Server (DCS) Server IP Address TCP/SSH No Open Admin terminal, SAL Gateway System management requiring shell access UDP No Open EM Server SNMP (GET) TCP/TLS No Open EM Server NED TCP/TLS No Open EM Service Config. Mtce (perfect channel) UDP No Open EM Service Config. Mtce (perfect channel), and associated heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service Logs (perfect channel) UDP No Open EM Service Logs (perfect channel), and associated heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service OMs (perfect channel) UDP No Open EM Service OMs (perfect channel), and associated heartbeat to TCP Perfect Channel TCP/HTTPS No Open WCS Server Document Conversion Service via WCS reverse proxy for document conversions UDP/TCP Yes N/A DNS Servers DNS UDP No N/A NTP Servers NTP TCP/HTTPS Yes N/A WCS Service Upload of converted documents through WCS Reverse Proxy to the WCMS δ UDP Yes N/A Syslog Server Remote Syslog Server TCP/TLS No N/A EM Server NED FTP pull passive mode (control) TCP/TLS No N/A EM Server NED FTP pull passive mode (data) TCP/TLS No N/A DB Server Database SQL TCP/TLS No N/A EM Service Logs (perfect channel) UDP No N/A EM Service Logs (perfect channel) TCP/TLS No N/A EM Service OMs (perfect channel) UDP No N/A EM Service OMs (perfect channel) TCP/TLS No N/A EM Service Alarm Sync UDP No N/A EM Service Alarm Sync INTRA-DEVICE CONNECTIONS NONE 34 Avaya Matrix: Avaya Aura Conferencing 8.0 April δ

35 Notes: 1. Source port is 12101, Source port is 12112, Source is 12114, Uses SSL FTP (RFC 4217) 5. Source port is Avaya Matrix: Avaya Aura Conferencing 8.0 April

36 Audio/Video in Collaboration Agent No. Destination Table 16: s for Flash Media Management Server IP Address TCP/SSH No Open Admin terminal, SAL Gateway System management requiring shell access δ UDP No Open EM Server SNMP (GET) δ TCP/RTMPS No Open Admin subnet, Web Administration Management of Flash Media Gateways UDP/TCP Yes N/A DNS Servers DNS UDP No N/A NTP Source NTP δ, UDP Yes N/A Syslog Server Remote Syslog Server δ TCP/JMX No N/A Flash Media Gateway Server JMX-RMI for clustering TCP/JMX Yes N/A Flash Media Gateway Server JMX-RMI for load balancer INTRA-DEVICE CONNECTIONS NONE δ Notes: 1. Source port is Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

37 Destination No. Table 17: s for Flash Media Gateway Server IP Address TCP/SSH No Open Admin terminal, SAL Gateway System management requiring shell access δ Internet/Intranet A/V in TCP/RTMPT Yes Open RTMPT Streams δ, ε Collaboration Agent Client UDP No Open EM Server SNMP (GET) δ Internet/Intranet A/V in TCP/RTMPS Yes Closed RTMPS Streams δ, ε Collaboration Agent Client Internet/Intranet A/V in TCP/RTMP Yes Closed RTMP Streams δ, ε Collaboration Agent Client Avaya Aura Session Manager SIP signaling from the Avaya Aura Session TCP/SIP Yes Open δ (SM100) Manager to the Flash Media Gateway Avaya Aura SIP/TLS signaling from the Avaya Aura Session Manager TCP/TLS/SIP Yes Closed Session Manager to the Flash Media δ (SM100) Gateway TCP/JMX No Open Flash Media Gateway Management Server JMX-RMI for clustering TCP/JMX Yes Closed Flash Media Gateway Management Server JMX-RMI for load balancer UDP/RTP/RTCP No Open Media Server Media Streams δ UDP/RTP/RTCP No Open Media Server Media IP Media Streams from Co-Res Media Server δ, UDP/TCP Yes N/A DNS Servers DNS UDP No N/A NTP Source NTP δ, UDP Yes N/A Syslog Server Remote Syslog Server δ UDP No N/A Media Server Media Streams δ UDP No N/A Media Server Media IP Media Streams from Co-Res Media Server δ, 1 INTRA-DEVICE CONNECTIONS TCP/JMX No Open N/A TCP/JMX No Open N/A Internal Flash Media Gateway Communication Internal Flash Media Gateway Communication Notes: Avaya Matrix: Avaya Aura Conferencing 8.0 April

38 1. For Co-Res, the Media Server uses a secondary IP address dedicated for Media Streams 2. Source port is Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

39 2.3 Table Changes No. Destination Table 18: Changes from AAC 7.0 to 7.2 for all Server IP Addresses None UDP/TCP Yes N/A DNS Servers DNS 1 REMOVED NONE Notes: 1. Only required for servers that enable DNS resolution, and is only required for the default server address and not for any service addresses that may also be enabled on the server. Avaya Matrix: Avaya Aura Conferencing 8.0 April

40 Destination No NONE Table 19: Changes from AAC 7.0 to 7.2 for the Provisioning and Collaboration Agent (CA) Manager Server IP Address TCP/LDAP Yes N/A LDAP Servers TCP/LDAPS Yes N/A LDAPS Servers REMOVED TCP/HTTP Yes N/A TCP/HTTPS Yes N/A Aura Session Manager (SM100) Aura Session Manager (SM100) Used to sync/authenticate with a Directory Server. Used to sync/authenticate with a Directory Server over TLS. Authentication using PPM service on the Avaya Aura Session Manager. Authentication using PPM service on the Avaya Aura Session Manager via TLS. δ δ Notes: N/A 40 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

41 Destination No NONE Table 20: Changes from AAC 7.0 to 7.2 for the Server (AS) Server IP Address TCP/LDAP Yes N/A LDAP Servers TCP/HTTPS No N/A WCS Service TCP/LDAPS Yes N/A LDAPS Servers TCP/HTTPS No N/A WCMS Server REMOVED NONE Used to sync/authenticate with a Directory Server. Server REST service call to control start/stop of recordings Used to sync/authenticate with a Directory Server over TLS. Server REST service call to control start/stop of recordings δ δ Notes: N/A Avaya Matrix: Avaya Aura Conferencing 8.0 April

42 Destination No NONE Table 21: Changes from AAC 7.0 to 7.2 (Web Conferencing Server IP Address) TCP/HTTP Yes N/A Media Server TCP/HTTPS Yes N/A Media Server REMOVED NONE Web Conferencing Server Signaling to the Media Server for recording media storage/retrieval. Web Conferencing Server Signaling to the Media Server for recording media storage/retrieval. δ, ρ, 1, 2 δ, ρ, 1, 2 Notes: 1. The use of port 7410 and 7411 is mutually exclusive. By default port 7410 for non-secure HTTP access is enabled, but when disabled, port 7411 is used for secure HTTPS access. 2. Only required for Media Servers that are in a Recording Media Server Cluster 42 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

43 Destination No. Table 22: Changes from AAC 7.0 to 7.2 (Web Conferencing Service Addresses) TCP/HTTPS No Open AS Server TCP/HTTPS No Open Media Server NONE REMOVED NONE Server REST services call to control start/stop of recordings. Media Server downloads of encoded recording media for storage. δ δ, ρ Notes: N/A Avaya Matrix: Avaya Aura Conferencing 8.0 April

44 Destination No. Table 23: Changes from AAC 7.0 to 7.2 (Web Conferencing Manager Server Addresses) TCP/HTTPS No Open AS Server TCP/HTTP Yes Open Media Server TCP/HTTPS Yes Closed Media Server REMOVED NONE Server REST server call for recordings Web Conferencing Server Signaling to the Media Server for recording media storage/retrieval. Web Conferencing Server Signaling to the Media Server for recording media storage/retrieval. δ ρ, 1 ρ, 1 Notes: 1. The use of port 7410 and 7411 is mutually exclusive. By default port 7410 for non-secure HTTP access is enabled, but when disabled, port 7411 is used for secure HTTPS access. 44 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

45 Destination No. Table 24: Changes from AAC 7.0 to 7.2 (Media Server (MS) Server Addresses) TCP/HTTP Yes Open TCP/HTTPS Yes Closed Web Conferencing Server, Web Conferencing Manager Server Web Conferencing Server, Web Conferencing Manager Server TCP/HTTPS No N/A Web Conferencing Service UDP/RTP/RTCP No N/A FMG REMOVED NONE Web Conferencing Server and Web Conferencing Management Server Signaling to the Media Server for recording media storage/retrieval. Web Conferencing Server and Web Conferencing Management Server signaling to the Media Server for recording media storage/retrieval. Media Server downloads of encoded recording media for storage. Media Streams to the Flash Media Gateways δ, δ, ρ, 1, 2 δ, δ, ρ,1, 2 δ, ρ, 1 δ Notes: 1. Only required for Media Servers designated for recording. 2. The use of port 7410 and 7411 is mutually exclusive. By default port 7410 for non-secure HTTP access is enabled, but when disabled, port 7411 is used for secure HTTPS access. Avaya Matrix: Avaya Aura Conferencing 8.0 April

46 No. Destination Table 25: Changes from AAC 7.0 to 7.2 (Document Conversion Server) UDP No Open EM Server SNMP (GET) NONE 46 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

47 Destination No. Table 26: Changes from AAC 7.2 to 8. (Web Conferencing Server (WCS) Service Addresses) TCP/HTTPS/WSS No Open Internet/Intranet Web Client TCP No Open Internet/Intranet Web Client NONE REMOVED NONE INTRA-DEVICE CONNECTIONS Only change here is that the HTTPS session is upgraded to a secure web socket connect. Clients must access the Flash Policy Server component of the WCS for Web Collaboration TCP/HTTPS No Open N/A Used for internal communication between the WCS sub-components TCP/HTTP Yes Closed N/A Internal port for the WCS Tomcat Server when HTTP is enabled TCP/HTTPS No Open N/A Used for internal communication between 5 the WCS sub-components TCP No Open N/A Internal port for the Flash Policy Server. 6 ε,1 ε,2 Notes: 1. References rule in Table References rule in Table References rule in Table References rule in Table References rule in Table References rule in Table 14. Avaya Matrix: Avaya Aura Conferencing 8.0 April

48 No. Destination Table 27: Changes from AAC 7.2 to 8.0 (Document Conversion Server) TCP/SSH No Open Admin terminal, SAL Gateway System management requiring shell access UDP No Open EM Server SNMP (GET) TCP/TLS No Open EM Server NED TCP/TLS No Open EM Service Config. Mtce (perfect channel) UDP No Open EM Service Config. Mtce (perfect channel), and associated heartbeat to TCP Perfect Channel TCP/TLS No Open EM Service Logs (perfect channel) UDP No Open EM Service Logs (perfect channel), and associated heartbeat to TCP Perfect Channel 8, TCP/TLS No Open EM Service OMs (perfect channel) UDP No Open EM Service OMs (perfect channel), and associated heartbeat to TCP Perfect Channel 11, TCP/HTTPS No Open WCS Server Document Conversion Service via WCS reverse proxy for document conversions 13,δ UDP/TCP Yes N/A DNS Servers DNS UDP No N/A NTP Servers NTP TCP/HTTPS Yes N/A WCS Service Upload of converted documents through WCS Reverse Proxy to the WCMS 16,δ UDP Yes N/A Syslog Server Remote Syslog Server TCP/TLS No N/A EM Server NED FTP pull passive mode (control) 18, TCP/TLS No N/A EM Server NED FTP pull passive mode (data) 20, TCP/TLS No N/A DB Server Database SQL TCP/TLS No N/A EM Service Logs (perfect channel) UDP No N/A EM Service Logs (perfect channel) 23, TCP/TLS No N/A EM Service OMs (perfect channel) UDP No N/A EM Service OMs (perfect channel) 23, TCP/TLS No N/A EM Service Alarm Sync UDP No N/A EM Service Alarm Sync 28 REMOVED TCP/HTTP Yes N/A WCS Server HTTP no longer supported TCP/HTTPS Yes N/A WCS Server HTTPS replaced by TCP/HTTPS , Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

49 Notes: 1. References rule in Table References rule in Table References rule in Table References rule in Table References rule in Table Source port is 12101, References rule in Table References rule in Table Source port is 12112, References rule in Table References rule in Table Source is 12114, References rule in Table References rule in Table References rule in Table References rule in Table References rule in Table References rule in Table Uses SSL FTP (RFC 4217). 20. References rule in Table References rule in Table References rule in Table Source port is References rule in Table References rule in Table References rule in Table References rule in Table References rule in Table change required in order to support Co-Res deployments. Avaya Matrix: Avaya Aura Conferencing 8.0 April

50 Table 28: Changes from AAC 7.2 to 8. ( Server (AS) Service IP Address) Destination No TCP/SIP Yes Closed TCP/TLS/SIP(S) Yes Open NONE REMOVED NONE AAC Mobile App Client (ios and Android) AAC Mobile App Client (ios and Android) SIP within Enterprise from Client 1,2,3 SIP or SIPS over TLS within Enterprise from Client 1,2,4 Notes: 1. Client supports Connection Reuse such that additional outbound connection is not required. 2. The use of SIP and SIP/TLS is mutually exclusive. 3. References rule in Table References rule in Table Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

51 Destination No. Table 29: Changes from AAC 7.2 to 8.0 for the Provisioning and Collaboration Agent (CA) Manager Server IP Address TCP/SIP Yes Closed SBC TCP/TLS/SIP(S) Yes Open SBC Avaya SBC SIP connection to the Provisioning or Collaboration Agent Manager Server for Enhanced Audio/Video in Collaboration Agent client. Avaya SBC SIP/TLS connection to the Provisioning or Collaboration Agent Manager Server for Enhanced Audio/Video in Collaboration Agent client TCP/SIP Yes N/A SBC SIP to SBC δ,1, TCP/TLS/SIP Yes N/A SBC SIP(S)/TLS to SBC δ,1,5 REMOVED NONE δ,1,2,6 δ,1,3,6 Notes: 1. The use of SIP and SIP/TLS is mutually exclusive. 2. References rule in Table References rule in Table References rule in Table References rule in Table For the Enhanced Audio/Video in Collaboration Agent feature, make sure that SIP trunk traffic flows between the SBC and Avaya Session Manager is configured in both directions. They are either SIP TLS 5061 or SIP TCP 5060 in both directions. Avaya Matrix: Avaya Aura Conferencing 8.0 April

52 No. Destination Table 30: Changes from AAC 8.0 to 8.0 SP2 for the ( Server (AS) Server IP Address) TCP/TLS No Open Redundant AS Server FT Secure Sync Channel TCP/TLS No N/A Redundant AS Server FT Secure Sync Channel 2 REMOVED NONE Notes: 1. Reference rule in Table Reference rule in Table Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

53 Appendix A: Base s and Offsets Network Elements that are managed by the Avaya Aura Conferencing Element Manager use a base port + offset for different types of communication between each other and the Element Manager. The typical defaults for the base ports are shown in Table 28, but they can be changed as required. Base port offsets are not configurable on the system and are shown in Table 29. Network Element Table 28: Base s Base Element Manager Accounting Manager Server Web Conferencing Management Server Provisioning Manager Collaboration Agent Manager Web Conferencing Server Document Conversion Server Media Server Offset Name Table 29: Network Element Offset Definitions Offset Value Element Manager Perfect Channel Config Maintenance 1 NE Perfect Channel Config Maintenance 2 NE Alarms 4 ADR Element Manager Service Heartbeat 6 Element Manager Logs 12 NE Log 13 Element Manager OMs 14 NE OM 15 Accounting Manager Billing Stream 18 Server Billing Stream 19 Element Manager OMI 21 Element Manager SNMP Traps 24 Element Manager Alarms 25 Element Manager Log Browser 26 Fault-Tolerance Heartbeat 50 Fault-Tolerance Sync 53 SIP Listening 52 SIP TLS Listening 53 Fault-Tolerance Secure Sync 54 Avaya Matrix: Avaya Aura Conferencing 8.0 April

54 Appendix B: Overview of TCP/IP s What are ports and how are they used? TCP and UDP use ports (defined at to route traffic arriving at a particular IP device to the correct upper layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be simultaneously receiving information. In this example, may use destination TCP port 25, a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data ministream belongs. Every IP device has incoming (Ingress) and outgoing (Egress) data streams. s are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket (discussed later). Therefore, each data stream is uniquely identified with two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are open to receive data streams and are called listening ports. Listening ports actively wait for a source (client) to make contact to a destination (server) using a specific port that has a known protocol associate with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation. Type Ranges numbers are divided into three ranges: Well Known s, Registered s, and Dynamic s (sometimes called Private s). Well Known s are those numbered from 0 through Registered s are those numbered from 1024 through Dynamic s are those numbered from through The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: Well Known s For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active meaning that it is listening for any traffic destined for a specific application. For example, well known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well known port 25 is waiting for an session, etc. These ports are tied to a well understood application and range from 0 to In UNIX and Linux operating systems, only root may open or close a well-known port. Well Known ports are also commonly referred to as privileged ports. 54 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016

55 Registered s Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include: 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248 and others. The registered port range is Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings. Dynamic s Dynamic ports, sometimes called private ports, are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is Sockets A socket is the pairing of an IP address with a port number. An example would be :3009, where 3009 is the socket number associated with the IP address. A data flow, or conversation, requires two sockets one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address. Data Flow 1: : :2345 Data Flow 2: :2345 Data Flow 3: : :2345 Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore, if one IP address octet changes, or one port number changes, the data flow is unique. Figure 1, below, is an example showing ingress and egress data flows from a PC to a web server. Avaya Matrix: Avaya Aura Conferencing 8.0 April

56 Socket Example Diagram Client HTTP-Get Source :1369 Destination :80 Web Server TCP-info Destination :1369 Source :80 ` Figure 2: Socket Example Notice the client egress stream includes the client s source IP and socket (1369) and the destination IP and socket (80). The ingress stream has the source and destination information reversed because the ingress is coming from the server. Understanding Firewall Types and Policy Creation Firewall Types There are three basic firewall types: Packet Filtering Level Gateways (Proxy Servers) Hybrid (ful Inspection) Packet Filtering is the most basic form of the firewalls. Each packet that arrives or leaves the network has its header fields examined against criterion to either drop the packet or let it through. Routers configured with Access Control Lists (ACL) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any device in the Accounting subnet. level gateways (ALG) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via , alarms or other methods and keep log files to track significant events. Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet, up through the application layer, is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. ful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning. 1 1 scanning is the act of systematically scanning a computer s ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer. 56 Avaya Matrix: Avaya Aura Conferencing 8.0 April 2016