Avaya Port Matrix
Avaya Aura® Application Enablement Services 8.1
Issue 1.0
April 2019

Avaya – Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.
March 2019, Avaya Port Matrix: Avaya Aura® Application Enablement Services 8.1. Comments? [email protected]

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND, FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL ELIMINATE SECURITY THREATS TO CUSTOMERS' SYSTEMS. AVAYA INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES, REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY CIRCUMSTANCES, BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN. THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE OF THESE TERMS.

© 2018 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.


1 Application Enablement Services Components

Data flows and their sockets are owned and directed by an application. A server running on Red Hat Enterprise Linux (RHEL) 7.6 hosts many applications, such as Tomcat, PostgreSQL, etc. For all applications, sockets are created on the network interfaces of the server. For the purposes of firewall configuration these sockets are sourced from the server, so the host firewall (the "iptables" service) should be running on the same server; a network firewall in front of it can only see the flows that leave the box. The application components in the Application Enablement (AE) Services server are listed below.

Component: DMCC Service
Interface: Eth0 (public IP)
Description: The Device, Media and Call Control (DMCC) service provides both first-party and third-party call control features via a Java API as well as XML and .NET interfaces. Additionally, DMCC provides the integration for Microsoft LCS 2005, OCS 2007, Lync and Sametime. TCP/IP, TLS and SIP protocols may be used to connect a DMCC client to DMCC.

Component: DLG Service
Interface: Eth0 (public IP)
Description: The DEFINITY LAN Gateway (DLG) service tunnels messages over TCP/IP. That is, the DLG service supports a set of TCP/IP connections for the communications channel between Communication Manager and AE Services. The DLG service is also used for transporting ASAI/Q.931 messages.

Component: CVLAN Service
Interface: Eth0 (public IP)
Description: The CallVisor LAN (CVLAN) service is a C/C++ based API that enables applications to exchange ASAI messages with the AE Services server. CVLAN provides a full complement of third-party call control capabilities, such as controlling specific calls or stations, completing routing of incoming calls, receiving notifications of events, invoking Communication Manager features and querying Communication Manager for information.

Component: TSAPI Service
Interface: Eth0 (public IP)
Description: The Telephony Services API (TSAPI) is a C/C++ based API that provides a full complement of third-party call control capabilities. The Java Telephony API (JTAPI) is a client-side interface to the TSAPI service and, as such, it provides third-party call control.

Component: Transport Service
Interface: Eth0 (public IP) or Eth1 (private IP)
Description: The Transport link is a secure TCP/IP connection between the AE Services server and Communication Manager. The default interface is "eth0".

Component: System Management Service
Interface: Eth0 (public IP) or Eth2 (Out of Band Management IP)
Description: By default listens on port 443 for HTTPS connections to provide users a web interface that enables SOAP-based access to Communication Manager administration functions. The default interface is "eth0" unless "Out-of-Band Management" has been configured.

Component: Telephony Web Service
Interface: Eth0 (public IP) or Eth2 (Out of Band Management IP)
Description: By default listens on port 8443 for HTTPS connections to provide users a web interface that enables high-level call control functionality over standard web services interfaces (SOAP/XML). The default interface is "eth0" unless "Out-of-Band Management" has been configured.

Component: AES Management Console
Interface: Eth0 (public IP) or Eth2 (Out of Band Management IP)
Description: The AES Management Console by default listens on port 443 for HTTPS connections and provides an "Operations, Administration and Management" interface for maintenance of the AE Services server. The default interface is "eth0" unless "Out-of-Band Management" has been configured.

NOTE: Eth0 is the default interface, but the interface can be changed via the appropriate AE Services Management Console web page.

2 Port Usage Tables

2.1 Port Usage Table Heading Definitions

Source System: System name or type that initiates connection requests.

Source Port: The default layer-4 port number of the connection source. Valid values are 0 – 65535. A "(C)" next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: The default layer-4 port number to which the connection request is sent. Valid values are 0 – 65535. A "(C)" next to the port number means that the port number is configurable.

Network/Application Protocol: The name associated with the layer-4 protocol and the layer 5-7 application.

Optionally Enabled/Disabled: Indicates whether customers can enable or disable a layer-4 port, changing its default port state. Valid values are Yes or No.
"No" means the default port state cannot be changed (i.e. the port cannot be enabled or disabled).
"Yes" means the default port state can be changed, and the port can be either enabled or disabled.

Default Port State: A port is either open, closed or filtered.
Open ports respond to queries: a listener accepts the connection.
Closed ports may or may not respond to queries and are listed only when they can be optionally enabled.
Filtered ports can be open or closed behind the filter. A filtered UDP port will not respond to queries; a filtered TCP port will not allow a connection to be established, whether the filter rejects the probe or silently drops it. An external scan therefore cannot distinguish a filtered port from a closed one without information from the host.

Description: Connection details. A reference to the Notes section after each table is added where a row needs specifics.


2.2 Port Tables

Below are the tables which document the port usage for this product.

Table 1: Ports for Application Enablement Services Interface

No. | Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
1 | Administrator Terminal | Ephemeral | AE Services | 22 | TCP/SSH | Yes | Open | SSH (and SFTP and SCP)
2 | Web Browser | Ephemeral | AE Services | 80 | TCP/HTTP | Yes | Closed | AE Services Management Console, Web Services and License Manager
3 | Administrator Terminal or NMS | Ephemeral | AE Services | 161 | UDP/SNMP | Yes | Closed | SNMP
4 | Web Browser | Ephemeral | AE Services | 443 | TCP/HTTPS | No | Open | AE Services Management Console, Web Services and License Manager
5 | TSAPI and JTAPI Client | Ephemeral | AE Services | 450 | TCP | Yes | Open | TSAPI Listener
6 | TSAPI and JTAPI Client | Ephemeral | AE Services | 1050-1065 (C) | TCP | No | Open | TSAPI Session TLINKs (16 is the maximum number of supported switch connections)
7 | TSAPI and JTAPI Client | Ephemeral | AE Services | 1066-1081 (C) | TCP/TLS | No | Open | TSAPI Session Encrypted TLINKs (16 is the maximum number of supported switch connections)
8 | DMCC Client | Ephemeral | AE Services | 4721 (C) | TCP | Yes | Closed | DMCC XML Protocol
9 | DMCC Client | Ephemeral | AE Services | 4722 (C) | TCP/TLS | Yes | Open | DMCC Secure XML Protocol
10 | TR/87 SIP Client, AACC, ACE | Ephemeral | AE Services | 4723 (C) | TCP/TLS | Yes | Closed | TR/87 TLS
11 | ASAI Client | Ephemeral | AE Services | 5678 | TCP | No | Closed | DLG Listener
12 | Web Browser | Ephemeral | AE Services | 8080 | TCP/HTTP | Yes | Closed | Web License Manager
13 | Web Browser | Ephemeral | AE Services | 8443 | TCP/HTTPS | Yes | Closed | AE Services Management Console, Web Services and License Manager
14 | CVLAN Client | Ephemeral | AE Services | 9998 (C) | TCP/TLS | Yes | Open | Secure CVLAN Listener
15 | CVLAN Client | Ephemeral | AE Services | 9999 | TCP | Yes | Open | Unsecure and OAM CVLAN Listener
16 | CM | Ephemeral | AE Services | 20000-29999 (C) | TCP | No | Closed | H.323 Signaling (TTS)
17 | CM | Ephemeral | AE Services | 30000-49999 (C) | UDP | Yes | Closed | H.323 RTP (DMCC Server-Media)
18 | AE Services | Ephemeral | DNS Server | 53 | UDP | Yes | Open | DNS
19 | AE Services | Ephemeral | DHCP | 67 | UDP | Yes | Closed | DHCP
20 | AE Services | Ephemeral | SNMP Trap Receiver | 162 | UDP | Yes | Closed | SNMP Trap/Notification to an NMS and/or Avaya SAL/SSG
21 | AE Services | Ephemeral | LDAP Server | 389 (C) | TCP | Yes | Closed | LDAP for authentication and authorization
22 | AE Services | Ephemeral | LDAP Server | 636 (C) | TCP | Yes | Closed | Secure LDAP (LDAPS) for authentication and authorization
23 | AE Services | Ephemeral | CM | 8765 | TCP | No | Closed | Transport Protocol
24 | AE Services | 20000-24999 (C) | CM | 1720 | TCP | No | Closed | H.323 Signaling (Non-TTS)
25 | AE Services | 30000-34999 (C) | CM | 1719 | UDP | No | Closed | H.323 RAS
26 | AE Services | 4101-4116 (C) | CM | 5022 | TCP | No | Closed | System Management Service (SMS) Proxy (aka OSSI Proxy)
27 | AE Services | Ephemeral | NTP Server | 123 | UDP | Yes | Open | NTP
28 | AE Services | Ephemeral | WebLM | 52233 | TCP/HTTP | Yes | Open | Web License Manager
29 | AE Services | Ephemeral | AE Services | 9041 & 9043 | TCP | No | Closed | Geo HA Active Arbiter to Standby Arbiter Communication
30 | AE Services | Ephemeral | CM | 20000-29999 (C) | UDP | No | Closed | H.323 Registration (RAS)
31 | Tomcat | Ephemeral | AE Services | 5001 | TCP6 | Yes | Open | Tomcat
32 | Tomcat | Ephemeral | AE Services | 8009 | TCP6 | Yes | Open | Tomcat
33 | DmccMain | Ephemeral | AE Services | 1098 | TCP6 | Yes | Open | Device and media call control
34 | DmccMain | Ephemeral | AE Services | 8086 | TCP6 | Yes | Open | Device and media call control
35 | DmccMain | Ephemeral | AE Services | 57386 | UDP6 | Yes | Open | Device and media call control
36 | DmccMain | Ephemeral | AE Services | 55392 | UDP6 | Yes | Open | Device and media call control
37 | LcmMain | Ephemeral | AE Services | 1099 | TCP6 | Yes | Open | Life cycle manager
38 | LcmMain | Ephemeral | AE Services | 8083 | TCP6 | Yes | Open | Life cycle manager
39 | LcmMain | Ephemeral | AE Services | 53104 | UDP6 | Yes | Open | Life cycle manager
40 | SPIRIT WrapperListener | Ephemeral | AE Services | 59537 | TCP6 | Yes | Open | SPIRIT WrapperListener
41 | postgres | Ephemeral | AE Services | 5430 | TCP6 | Yes | Open | Database
42 | Tomcat | Ephemeral | AE Services | 57132 | UDP6 | Yes | Open | Tomcat
43 | Tomcat | Ephemeral | AE Services | 55855 | UDP6 | Yes | Open | Tomcat
44 | SnmpAgent | Ephemeral | AE Services | 10161 | UDP6 | Yes | Open | SnmpAgent
45 | rsyslogd | Ephemeral | AE Services | 515 | UDP6 | Yes | Open | rsyslogd

NOTES

1. An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications, allocated automatically from a predefined range of ports between 1024 and 65535.

2. The default interface associated with each port is eth0, but it is configurable via the appropriate AE Services Management Console web page.

3. This table does not fully apply to the SW-Only offer. For example, for the SW-Only offer the ability to enable and disable the ports used by third-party services is not controlled by AE Services.

4. Each port in the ranges 20000-29999 (TCP/UDP) and 30000-49999 (UDP) is opened only when the port has been assigned to a registered station. If the port is not currently assigned to a registered station, then the port is closed. In addition, the UDP ports in the range 30000-49999 are opened only when the assigned station is configured for Server-Media.
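To check a running server against this table from the inside, the script below, added here as an example and not Avaya's code, parses `ss -Hltunp` output and reports listeners the matrix does not document, listeners on ports documented as Closed by default, listeners bound to all interfaces that Table 2 documents for 127.0.0.1 only, and plaintext listeners that have a TLS counterpart in the table. The `ss` sample, the two table subsets and the plaintext/TLS pairing are constructed for the example; rows 31-45 (the Tomcat, DmccMain, LcmMain, postgres and similar process listeners) are left out of the subset and should be added before the script is used for real.

```python
import ipaddress

# Constructed subsets of the matrix (not the full tables).
# Each row: (proto, first_port, last_port, documented_default_state, description)
TABLE1_PUBLIC = [                      # Table 1: reachable on the public interface
    ("tcp", 22, 22, "Open", "SSH"),
    ("tcp", 80, 80, "Closed", "Management Console / WebLM over HTTP"),
    ("udp", 161, 161, "Closed", "SNMP"),
    ("tcp", 443, 443, "Open", "Management Console / WebLM over HTTPS"),
    ("tcp", 450, 450, "Open", "TSAPI listener"),
    ("tcp", 1050, 1065, "Open", "TSAPI TLINKs"),
    ("tcp", 1066, 1081, "Open", "TSAPI encrypted TLINKs"),
    ("tcp", 4721, 4721, "Closed", "DMCC XML, plaintext"),
    ("tcp", 4722, 4722, "Open", "DMCC XML, TLS"),
    ("tcp", 5678, 5678, "Closed", "DLG listener"),
    ("tcp", 8080, 8080, "Closed", "WebLM over HTTP"),
    ("tcp", 9998, 9998, "Open", "CVLAN, TLS"),
    ("tcp", 9999, 9999, "Open", "CVLAN, plaintext and OAM"),
]
TABLE2_LOOPBACK = [                    # Table 2: documented for 127.0.0.1 only
    ("tcp", 5430, 5430, "Open", "PostgreSQL"),
    ("tcp", 5501, 5505, "Open", "TSAPI/DLG/Transport/ASAI OAM"),
    ("tcp", 8081, 8082, "Open", "JMX"),
    ("tcp", 8084, 8085, "Open", "JMX"),
    ("udp", 10161, 10161, "Open", "SNMP"),
]
# Plaintext listener -> its TLS counterpart in Table 1 (constructed pairing).
PLAINTEXT_TWIN = {80: 443, 4721: 4722, 9999: 9998}


def lookup(table, proto, port):
    """Return the matrix row covering (proto, port), or None."""
    for row in table:
        if row[0] == proto and row[1] <= port <= row[2]:
            return row
    return None


def parse_ss(text: str) -> list:
    """Parse `ss -Hltunp` output into (proto, local_addr, port, process) tuples.
    Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6:
            continue
        addr, port = f[4].rsplit(":", 1)
        proc = f[6].split('"')[1] if len(f) > 6 and '"' in f[6] else "?"
        listeners.append((f[0], addr.strip("[]"), int(port), proc))
    return listeners


def is_loopback(addr: str) -> bool:
    if addr in ("*", "0.0.0.0", "::"):   # wildcard binds reach every interface
        return False
    return ipaddress.ip_address(addr).is_loopback


def audit(ss_text: str) -> list:
    """Return sorted (proto, port, finding, process) tuples for every deviation."""
    findings = []
    for proto, addr, port, proc in parse_ss(ss_text):
        if is_loopback(addr):
            if not (lookup(TABLE2_LOOPBACK, proto, port) or lookup(TABLE1_PUBLIC, proto, port)):
                findings.append((proto, port, "undocumented", proc))
            continue
        row = lookup(TABLE1_PUBLIC, proto, port)
        if row is None:
            code = "loopback_expected" if lookup(TABLE2_LOOPBACK, proto, port) else "undocumented"
            findings.append((proto, port, code, proc))
            continue
        if row[3] == "Closed":           # listening although the default is Closed
            findings.append((proto, port, "non_default_open", proc))
        if port in PLAINTEXT_TWIN:       # a TLS twin exists; prefer it
            findings.append((proto, port, "plaintext_twin", proc))
    return sorted(findings)


# Constructed `ss -Hltunp` output; not captured from a real AE Services server.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=1201,fd=3))
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*    users:(("httpd",pid=1410,fd=4))
tcp   LISTEN 0      128          0.0.0.0:4721      0.0.0.0:*    users:(("java",pid=2231,fd=44))
tcp   LISTEN 0      128          0.0.0.0:4722      0.0.0.0:*    users:(("java",pid=2231,fd=45))
tcp   LISTEN 0      100        127.0.0.1:5430      0.0.0.0:*    users:(("postgres",pid=1877,fd=5))
tcp   LISTEN 0      128          0.0.0.0:5501      0.0.0.0:*    users:(("tsapi",pid=2102,fd=8))
tcp   LISTEN 0      128          0.0.0.0:8000      0.0.0.0:*    users:(("python3",pid=4102,fd=3))
tcp   LISTEN 0      128             [::]:9999         [::]:*    users:(("cvlan",pid=2310,fd=9))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=1322,fd=7))
"""

if __name__ == "__main__":
    for proto, port, code, proc in audit(SAMPLE_SS):
        print(f"{proto}/{port:<5} {code:<18} ({proc})")
```

On the sample the script flags 4721 (plaintext DMCC enabled although the default is Closed, and 4722 is available), 5501 (TSAPI OAM bound to all interfaces instead of loopback), 8000 (a listener the matrix does not know), 9999 (plaintext CVLAN while 9998 offers TLS) and UDP 161 (SNMP enabled). Nothing is printed for 22, 443, 4722 or 127.0.0.1:5430 because they match their rows. Feed it the real output with `ss -Hltunp | python3 audit.py` after turning `SAMPLE_SS` into `sys.stdin.read()`.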


Table 2: Ports for Application Enablement Services Interface (LocalHost – 127.0.0.1)

No. | Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
1 | AE Services | Ephemeral | AE Services | 80 | TCP/HTTP | Yes | Open | Web License Manager
2 | AE Services | Ephemeral | AE Services | 389 | TCP | Yes | Open | LDAP for authentication and authorization
3 | AE Services | Ephemeral | AE Services | 443 | TCP/HTTPS | No | Open | Web License Manager
4 | AE Services | Ephemeral | AE Services | 1024-1039 | TCP | No | Open | TSAPI Session Local TLINKs
5 | AE Services | Ephemeral | AE Services | 4101-4116 (C) | TCP | No | Open | System Management Service (SMS) Proxy
6 | AE Services | Ephemeral | AE Services | 5430 | TCP | No | Open | Database
7 | AE Services | Ephemeral | AE Services | 5501 | TCP | No | Open | TSAPI Service OAM
8 | AE Services | Ephemeral | AE Services | 5502 | TCP | No | Open | TSAPI Switch Driver OAM
9 | AE Services | Ephemeral | AE Services | 5503 | TCP | No | Open | DLG Service OAM
10 | AE Services | Ephemeral | AE Services | 5504 | TCP | No | Open | Transport Service OAM
11 | AE Services | Ephemeral | AE Services | 5505 | TCP | No | Open | ASAI Link Service
12 | AE Services | Ephemeral | AE Services | 8080 | TCP/HTTP | Yes | Open | Web License Manager
13 | AE Services | Ephemeral | AE Services | 8443 | TCP/HTTPS | Yes | Open | Web License Manager
14 | AE Services | Ephemeral | AE Services | 8081/8082 | TCP | No | Open | JMX (Management)
15 | AE Services | Ephemeral | AE Services | 8084/8085 | TCP | No | Open | JMX (Management)
16 | AE Services | Ephemeral | AE Services | 10161 | UDP | No | Open | SNMP
17 | AE Services | Ephemeral | AE Services | 1777 | TCP | Yes | Open | AESvcsSnmpAgent
18 | AE Services | Ephemeral | AE Services | 1778 | TCP | Yes | Open | AESvcs
19 | AE Services | Ephemeral | AE Services | 1779 | TCP | Yes | Open | DMCCSvc
20 | AE Services | Ephemeral | AE Services | 2583 | TCP/UDP | Yes | Open | perl
21 | AE Services | Ephemeral | AE Services | 25 | TCP | Yes | Open | master
22 | AE Services | Ephemeral | AE Services | 705 | TCP | Yes | Open | Snmpd
23 | AE Services | Ephemeral | AE Services | 199 | TCP | Yes | Open | Snmpd
24 | AE Services | Ephemeral | AE Services | 514 | UDP | Yes | Open | rsyslogd
25 | AE Services | Ephemeral | AE Services | 515 | UDP | Yes | Open | rsyslogd
26 | AE Services | Ephemeral | AE Services | 5517 | UDP | Yes | Open | rsyslogd
27 | AE Services | Ephemeral | AE Services | 8005 | TCP6 | Yes | Open | Tomcat
28 | AE Services | Ephemeral | AE Services | 5510 | UDP | Yes | Open | rsyslogd

NOTES

1. An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications, allocated automatically from a predefined range of ports between 1024 and 65535.

2.3 Port Table Changes

Table 3: Port Changes From AE Services 6.3.3 to 7.0

Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
CM | Ephemeral | AE Services | 20000-29999 (C) | TCP | No | Closed | H.323 Signaling (TTS); range extended to accommodate 8K DMCC registrations
CM | Ephemeral | AE Services | 30000-49999 (C) | UDP | Yes | Closed | H.323 RTP (DMCC Server-Media); range extended to accommodate 8K DMCC registrations
AE Services | Ephemeral | CM | 20000-29999 (C) | UDP | No | Closed | H.323 Registration (RAS); range extended to accommodate 8K DMCC registrations

Note: ICMP (ping) should be enabled between AES and the CM gateway.
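The inbound rows of Table 1 plus the ICMP note above translate directly into a host firewall policy for eth0, which section 1 says should run on the AE Services server itself. The generator below is added here as an example and is not from the Avaya document: it emits an iptables INPUT chain from a constructed subset of Table 1, admitting rows documented Open from the address ranges that may initiate them, and rows documented Closed only when their port spec is listed in `enabled` (i.e. the service was switched on in the Management Console). The SOURCES address plan is an assumption for the example and must be replaced with your own; the per-station ranges 20000-29999 and 30000-49999 are treated as one enabled block because Note 4 opens them dynamically.

```python
# Constructed subset of Table 1 (direction: client or CM -> AE Services, interface eth0).
# Each row: (proto, dport or "first:last", documented default state, who may initiate, description)
INBOUND = [
    ("tcp", "22",          "Open",   "admin",   "SSH, SFTP, SCP"),
    ("tcp", "80",          "Closed", "admin",   "Management Console over HTTP"),
    ("udp", "161",         "Closed", "admin",   "SNMP"),
    ("tcp", "443",         "Open",   "admin",   "Management Console over HTTPS"),
    ("tcp", "450",         "Open",   "clients", "TSAPI listener"),
    ("tcp", "1050:1065",   "Open",   "clients", "TSAPI TLINKs"),
    ("tcp", "1066:1081",   "Open",   "clients", "TSAPI encrypted TLINKs"),
    ("tcp", "4721",        "Closed", "clients", "DMCC XML plaintext"),
    ("tcp", "4722",        "Open",   "clients", "DMCC XML TLS"),
    ("tcp", "4723",        "Closed", "clients", "TR/87 TLS"),
    ("tcp", "5678",        "Closed", "clients", "DLG listener"),
    ("tcp", "9998",        "Open",   "clients", "CVLAN TLS"),
    ("tcp", "9999",        "Open",   "clients", "CVLAN plaintext and OAM"),
    ("tcp", "20000:29999", "Closed", "cm",      "H.323 signaling TTS, per registered station"),
    ("udp", "30000:49999", "Closed", "cm",      "H.323 RTP for DMCC server media"),
]

# Assumed address plan for the example (not from the matrix): replace with your own.
SOURCES = {
    "admin":   ["10.0.9.0/24"],                   # management jump hosts and NMS
    "clients": ["10.0.20.0/24", "10.0.21.0/24"],  # CTI application servers
    "cm":      ["10.0.5.11/32", "10.0.5.12/32"],  # Communication Manager servers
}


def build_input_rules(enabled=frozenset(), sources=SOURCES) -> list:
    """Return iptables commands for an INPUT policy on eth0 derived from the matrix rows.

    Rows documented 'Open' are allowed from their audience. Rows documented 'Closed' are
    allowed only if their dport spec is in `enabled`. Everything else hits the DROP policy.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        # Return path for flows AE Services initiates itself (CM transport, LDAP, NTP, WebLM):
        # one conntrack rule instead of a mirror rule per outbound row.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, dport, state, audience, desc in INBOUND:
        if state != "Open" and dport not in enabled:
            continue
        for src in sources[audience]:
            rules.append(
                f"iptables -A INPUT -i eth0 -p {proto} -s {src} --dport {dport} "
                f"-m conntrack --ctstate NEW -m comment --comment '{desc}' -j ACCEPT"
            )
    # Section 2.3 note: ICMP (ping) must work between AE Services and CM.
    for src in sources["cm"]:
        rules.append(f"iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -s {src} -j ACCEPT")
    # Log what falls through so a missing row shows up in syslog rather than as a silent outage.
    rules.append("iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'AES-INPUT-DROP: '")
    return rules


def allowed_dports(rules) -> set:
    """For review: the set of dport specs that some ACCEPT rule admits."""
    return {r.split("--dport ")[1].split()[0] for r in rules if "--dport " in r}


if __name__ == "__main__":
    # Default policy plus DMCC registrations and server media switched on.
    for line in build_input_rules(enabled={"20000:29999", "30000:49999"}):
        print(line)
```

Review the generated list before loading it: with the default `enabled` set, 4721, 80, 8080 and 161 never appear, so enabling plaintext DMCC in the console without also adding "4721" here leaves the service unreachable, which is the safer failure. Rows whose source is AE Services (LDAP, NTP, the CM transport on 8765) need OUTPUT rules or an OUTPUT ACCEPT policy; only their return traffic is covered by the conntrack line.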


3 Port Usage Diagram


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. For example, your PC may have multiple applications simultaneously receiving information: email using destination TCP port 25, a browser using destination TCP port 443 and an SSH session using destination TCP port 22. These logical ports allow the PC to de-multiplex a single incoming serial packet stream into three mini-streams inside the PC. Each of the mini-streams is directed to the correct high-level application, identified by the port numbers. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both the source and the destination IP device. The pairing of an IP address and a port number is called a socket. Therefore each data stream is uniquely identified by two sockets. The source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact using the known protocol associated with the port number. HTTPS, as an example, is assigned port number 443; when a destination IP device is contacted by a source device on port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Types

Port numbers are divided into three ranges: Well Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports). The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.

Well Known Ports

Well Known Ports are those numbered from 0 through 1023. For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session; well-known port 25 is waiting for an email session, etc. These ports are tied to a well-understood application and range from 0 to 1023.

In UNIX and Linux operating systems only root may open or close a well-known port (on Linux, more precisely, a process holding the CAP_NET_BIND_SERVICE capability). Well Known Ports are also commonly referred to as "privileged ports".

Registered Ports


Registered Ports are those numbered from 1024 through 49151. Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, of the ports used by Avaya in this range are 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535. Dynamic ports, sometimes called "private ports", are available for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to them. Note that the range a Linux host actually draws ephemeral source ports from is governed by the sysctl net.ipv4.ip_local_port_range, whose kernel default is 32768 – 60999; it overlaps the registered range rather than matching the IANA dynamic range, which is why the ephemeral ports in the tables above are described as 1024 – 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the port number associated with the IP address. A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique; if one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by port number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345. Two different port numbers and IP addresses; a valid and typical socket pair.

Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345. Same IP addresses, and the same port number on the second socket, as data flow 1, but since the port number on the first socket differs, the data flow is unique.

Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345. If one IP address octet changes, or one port number changes, the data flow is unique.

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.
Client to web server (HTTP GET): source 192.168.1.10:1369, destination 10.10.10.47:80
Web server to client (TCP info): source 10.10.10.47:80, destination 192.168.1.10:1369


The client egress stream carries the client's source IP and port (1369) and the destination IP and port (80). The ingress stream from the server has the source and destination information reversed.

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined and checked against criteria that decide whether to drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

An Application Level Gateway (ALG) acts as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [1].

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access based on IP addresses, port numbers, application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies may be created. These policies are meant to allow Avaya's business communications to proceed seamlessly without allowing unnecessary access into the network.

Knowing that the Source column in the port matrices is the socket initiator is the key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction; however, it can also raise security concerns, because the return path is only as trustworthy as the state tracking that created it.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows which use a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone, at the cost of the segmentation between them.

[1] Port scanning is the act of systematically connecting to a range of a computer's ports, one at a time. Since a port is a place where information enters and exits a computer, port scanning identifies open doors to the computer. Port scanning has legitimate uses in managing networks, but it also can be malicious in nature, for example when someone is looking for a weakened access point to break into the computer.

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 2 Comments Infodevavayacom

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED AS IS AVAYA INC DISCLAIMS

ALL WARRANTIES EITHER EXPRESS OR IMPLIED INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A

PARTICULAR PURPOSE AND FURTHERMORE AVAYA INC MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE INFORMATION

PROVIDED HEREIN WILL ELIMINATE SECURITY THREATS TO CUSTOMERSrsquo SYSTEMS AVAYA INC ITS RELATED COMPANIES

DIRECTORS EMPLOYEES REPRESENTATIVES SUPPLIERS OR AGENTS MAY NOT UNDER ANY CIRCUMSTANCES BE HELD LIABLE

FOR ANY DIRECT INDIRECT SPECIAL PUNITIVE EXEMPLARY INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE

USE OF THE INFORMATION PROVIDED HEREIN THIS INCLUDES BUT IS NOT LIMITED TO THE LOSS OF DATA OR LOSS OF PROFIT EVEN

IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH

DAMAGES YOUR USE OF THIS INFORMATION CONSTITUTES

ACCEPTANCE OF THESE TERMS

copy 2018 Avaya Inc All Rights Reserved All trademarks identified by

the reg or trade are registered trademarks or trademarks respectively of Avaya Inc All other trademarks are the property of their respective

owners

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 3 Comments Infodevavayacom

1 Application Enablement Services Components

Data flows and their sockets are owned and directed by an application A server running on Red Hat Enterprise Linux (RHEL) 76 has many applications such as tomcat PostgreSQL etc For all applications sockets are created on the network interfaces on the server For the purposes of firewall configuration these sockets are sourced from the server so the firewall (ldquoiptablesrdquo service) should be running on the same server Application components in the Application Enablement (AE) Services server are listed as follows

Component Interface Description

DMCC Service Eth0 (public IP)

The Device Media and Call Control (DMCC) service provides both first-party and third-party call control features via a Java API as well as XML and NET interfaces Additionally DMCC provides the integration for Microsoft LCS 2005 OCS 2007 LYNC and Sametime TCPIP TLS and SIP protocols may be used to connect a DMCC Client to DMCC

DLG Service Eth0 (public IP)

The DEFINITY LAN Gateway (DLG) service tunnels messages over TCPIP That is the DLG service supports a set of TCPIP connections for the communications channel between Communication Manager and AE Services The DLG service is also used for transporting ASAIQ931 messages

CVLAN Service

Eth0 (public IP)

The CallVisor LAN (CVLAN) service is a CC++ based API that enables applications to exchange ASAI messages with the AE Services server CVLAN provides a full complement of third-party call control capabilities such as controlling specific calls or stations completing routing of incoming calls receiving notifications of events invoking Communication Manager features and querying Communication Manager for information

TSAPI Service Eth0 (public IP)

The Telephony Services API (TSAPI) is a CC++ based API that provides a full complement of third party call control capabilities The Java Telephony API (JTAPI) is a client side interface to the TSAPI service and as such it provides third party call control

Transport Service

Eth0 (public IP) or Eth1 (private IP)

The Transport link is a secure TCPIP connection between the AE Services server and Communication Manager The default interface is ldquoeth0rdquo

System Management Service

Eth0 (public IP) or Eth2 (Out of Band Mgmt IP)

By default listens on port 443 for HTTPS connection to provide users a web interface to enable SOAP-based access to Communication Manager administration functions The default interface is ldquoeth0rdquo unless ldquoOut-of-Band Managementrdquo has been configured

Telephony Web Service

Eth0 (public IP) or Eth2 (Out of Band Mgmt IP)

By default listens on port 8443 for HTTPS connection to provide users a web interface that enables high level call control functionality over standard web services interfaces (SOAPXML)The default interface is ldquoeth0rdquo unless ldquoOut-of-Band Managementrdquo has been configured


AES Management Console

Eth0 (public IP) or Eth2 (Out of Band Mgmt IP)

The AES Management Console by default listens on port 443 for HTTPS connections and provides an "Operations, Administration and Management" interface for maintenance of the AE Services server. The default interface is "eth0" unless "Out-of-Band Management" has been configured.

NOTE: Eth0 is the default interface, but the interface can be changed via the appropriate AE Services Management Console web page.

2 Port Usage Tables

2.1 Port Usage Table Heading Definitions

Source System: System name or type that initiates connection requests.

Source Port: This is the default layer-4 port number of the connection source. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values include 0 – 65535. A "(C)" next to the port number means that the port number is configurable.

Network/Application Protocol: This is the name associated with the layer-4 protocol and the layer 5-7 application.

Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values include Yes or No.

"No" means the default port state cannot be changed (e.g. enabled or disabled).

"Yes" means the default port state can be changed and that the port can either be enabled or disabled.

Default Port State: A port is either open, closed or filtered.

Open ports will respond to queries.

Closed ports may or may not respond to queries and are only listed when they can be optionally enabled.

Filtered ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP ports will respond to queries but will not allow connectivity.

Description: Connection details. Add a reference to the Notes section after each table for specifics on any of the row data, if necessary.


2.2 Port Tables

Below are the tables which document the port usage for this product.

Table 1: Ports for Application Enablement Services Interface

No | Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
1 | Administrator Terminal | Ephemeral | AE Services | 22 | TCP/SSH | Yes | Open | SSH (and SFTP and SCP)
2 | Web Browser | Ephemeral | AE Services | 80 | TCP/HTTP | Yes | Closed | AE Services Management Console, Web Services and License Manager
3 | Administrator Terminal or NMS | Ephemeral | AE Services | 161 | UDP/SNMP | Yes | Closed | SNMP
4 | Web Browser | Ephemeral | AE Services | 443 | TCP/HTTPS | No | Open | AE Services Management Console, Web Services and License Manager
5 | TSAPI and JTAPI Client | Ephemeral | AE Services | 450 | TCP | Yes | Open | TSAPI Listener
6 | TSAPI and JTAPI Client | Ephemeral | AE Services | 1050-1065 (C) | TCP | No | Open | TSAPI Session TLINKS (16 is the max number of supported switch connections)
7 | TSAPI and JTAPI Client | Ephemeral | AE Services | 1066-1081 (C) | TCP/TLS | No | Open | TSAPI Session Encrypted TLINKS (16 is the max number of supported switch connections)
8 | DMCC Client | Ephemeral | AE Services | 4721 (C) | TCP | Yes | Closed | DMCC XML Protocol
9 | DMCC Client | Ephemeral | AE Services | 4722 (C) | TCP/TLS | Yes | Open | DMCC Secure XML Protocol
10 | TR87 SIP Client, AACC, ACE | Ephemeral | AE Services | 4723 (C) | TCP/TLS | Yes | Closed | TR87 TLS
11 | ASAI Client | Ephemeral | AE Services | 5678 | TCP | No | Closed | DLG Listener
12 | Web Browser | Ephemeral | AE Services | 8080 | TCP/HTTP | Yes | Closed | Web License Manager
13 | Web Browser | Ephemeral | AE Services | 8443 | TCP/HTTPS | Yes | Closed | AE Services Management Console, Web Services and License Manager
14 | CVLAN Client | Ephemeral | AE Services | 9998 (C) | TCP/TLS | Yes | Open | Secure CVLAN Listener
15 | CVLAN Client | Ephemeral | AE Services | 9999 | TCP | Yes | Open | Unsecure and OAM CVLAN Listener
16 | CM | Ephemeral | AE Services | 20000-29999 (C) | TCP | No | Closed | H.323 Signaling (TTS)
17 | CM | Ephemeral | AE Services | 30000-49999 (C) | UDP | Yes | Closed | H.323 RTP (DMCC Server-Media)
18 | AE Services | Ephemeral | DNS Server | 53 | UDP | Yes | Open | DNS
19 | AE Services | Ephemeral | DHCP | 67 | UDP | Yes | Closed | DHCP
20 | AE Services | Ephemeral | SNMP Trap Receiver | 162 | UDP | Yes | Closed | SNMP Trap/Notification to an NMS and/or Avaya SAL/SSG
21 | AE Services | Ephemeral | LDAP Server | 389 (C) | TCP | Yes | Closed | LDAP for authentication and authorization
22 | AE Services | Ephemeral | LDAP Server | 636 (C) | TCP | Yes | Closed | Secure LDAP (LDAPS) for authentication and authorization
23 | AE Services | Ephemeral | CM | 8765 | TCP | No | Closed | Transport Protocol
24 | AE Services | 20000-24999 (C) | CM | 1720 | TCP | No | Closed | H.323 Signaling (Non TTS)
25 | AE Services | 30000-34999 (C) | CM | 1719 | UDP | No | Closed | H.323 RAS
26 | AE Services | 4101-4116 (C) | CM | 5022 | TCP | No | Closed | System Management Service (SMS) Proxy (aka OSSI Proxy)
27 | AE Services | Ephemeral | NTP Server | 123 | UDP | Yes | Open | NTP
28 | AE Services | Ephemeral | WebLM | 52233 | TCP/HTTP | Yes | Open | Web License Manager
29 | AE Services | Ephemeral | AE Services | 9041 & 9043 | TCP | No | Closed | Geo HA Active Arbiter to Standby Arbiter Communication
30 | AE Services | Ephemeral | CM | 20000-29999 (C) | UDP | No | Closed | H.323 Registration (RAS)
31 | Tomcat | Ephemeral | AE Services | 5001 | TCP6 | Yes | Open | Tomcat
32 | Tomcat | Ephemeral | AE Services | 8009 | TCP6 | Yes | Open | Tomcat
33 | DmccMain | Ephemeral | AE Services | 1098 | TCP6 | Yes | Open | Device and media call control
34 | DmccMain | Ephemeral | AE Services | 8086 | TCP6 | Yes | Open | Device and media call control
35 | DmccMain | Ephemeral | AE Services | 57386 | UDP6 | Yes | Open | Device and media call control
36 | DmccMain | Ephemeral | AE Services | 55392 | UDP6 | Yes | Open | Device and media call control
37 | LcmMain | Ephemeral | AE Services | 1099 | TCP6 | Yes | Open | Life cycle manager
38 | LcmMain | Ephemeral | AE Services | 8083 | TCP6 | Yes | Open | Life cycle manager
39 | LcmMain | Ephemeral | AE Services | 53104 | UDP6 | Yes | Open | Life cycle manager
40 | SPIRIT WrapperListener | Ephemeral | AE Services | 59537 | TCP6 | Yes | Open | SPIRIT WrapperListener
41 | postgres | Ephemeral | AE Services | 5430 | TCP6 | Yes | Open | Database
42 | Tomcat | Ephemeral | AE Services | 57132 | UDP6 | Yes | Open | Tomcat
43 | Tomcat | Ephemeral | AE Services | 55855 | UDP6 | Yes | Open | Tomcat
44 | SnmpAgent | Ephemeral | AE Services | 10161 | UDP6 | Yes | Open | SnmpAgent
45 | rsyslogd | Ephemeral | AE Services | 515 | UDP6 | Yes | Open | rsyslogd

NOTES

1. An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications, allocated automatically using a predefined range of ports between 1024 and 65535.

2. The default interface associated with each port is eth0, but it is configurable via the appropriate AE Services Management Console web page.

3. This table does not fully apply to the SW-Only offer. For example, for the SW-Only offer the ability to enable and disable the ports used by third-party services is not controlled by AE Services.

4. Each port in the ranges 20000-29999 (TCP/UDP) and 30000-49999 (UDP) is opened only when the port has been assigned to a registered station. If the port is not currently assigned to a registered station, then the port is closed. In addition, the UDP ports in the range 30000-49999 are opened only when the assigned station is configured for Server-Media.


Table 2: Ports for Application Enablement Services Interface (LocalHost – 127.0.0.1)

No | Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
1 | AE Services | Ephemeral | AE Services | 80 | TCP/HTTP | Yes | Open | Web License Manager
2 | AE Services | Ephemeral | AE Services | 389 | TCP | Yes | Open | LDAP for authentication and authorization
3 | AE Services | Ephemeral | AE Services | 443 | TCP/HTTPS | No | Open | Web License Manager
4 | AE Services | Ephemeral | AE Services | 1024-1039 | TCP | No | Open | TSAPI Session Local TLINKS
5 | AE Services | Ephemeral | AE Services | 4101-4116 (C) | TCP | No | Open | System Management Service (SMS) Proxy
6 | AE Services | Ephemeral | AE Services | 5430 | TCP | No | Open | Database
7 | AE Services | Ephemeral | AE Services | 5501 | TCP | No | Open | TSAPI Service OAM
8 | AE Services | Ephemeral | AE Services | 5502 | TCP | No | Open | TSAPI Switch Driver OAM
9 | AE Services | Ephemeral | AE Services | 5503 | TCP | No | Open | DLG Service OAM
10 | AE Services | Ephemeral | AE Services | 5504 | TCP | No | Open | Transport Service OAM
11 | AE Services | Ephemeral | AE Services | 5505 | TCP | No | Open | ASAI Link Service
12 | AE Services | Ephemeral | AE Services | 8080 | TCP/HTTP | Yes | Open | Web License Manager
13 | AE Services | Ephemeral | AE Services | 8443 | TCP/HTTPS | Yes | Open | Web License Manager
14 | AE Services | Ephemeral | AE Services | 8081/8082 | TCP | No | Open | JMX (Management)
15 | AE Services | Ephemeral | AE Services | 8084/8085 | TCP | No | Open | JMX (Management)
16 | AE Services | Ephemeral | AE Services | 10161 | UDP | No | Open | SNMP
17 | AE Services | Ephemeral | AE Services | 1777 | TCP | Yes | Open | AESvcsSnmpAgen
18 | AE Services | Ephemeral | AE Services | 1778 | TCP | Yes | Open | AESvcs
19 | AE Services | Ephemeral | AE Services | 1779 | TCP | Yes | Open | DMCCSvc
20 | AE Services | Ephemeral | AE Services | 2583 | TCP/UDP | Yes | Open | perl
21 | AE Services | Ephemeral | AE Services | 25 | TCP | Yes | Open | master
22 | AE Services | Ephemeral | AE Services | 705 | TCP | Yes | Open | Snmpd
23 | AE Services | Ephemeral | AE Services | 199 | TCP | Yes | Open | Snmpd
24 | AE Services | Ephemeral | AE Services | 514 | UDP | Yes | Open | rsyslogd
25 | AE Services | Ephemeral | AE Services | 515 | UDP | Yes | Open | rsyslogd
26 | AE Services | Ephemeral | AE Services | 5517 | UDP | Yes | Open | rsyslogd
27 | AE Services | Ephemeral | AE Services | 8005 | TCP6 | Yes | Open | Tomcat
28 | AE Services | Ephemeral | AE Services | 5510 | UDP | Yes | Open | rsyslogd

NOTES

1. An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications, allocated automatically using a predefined range of ports between 1024 and 65535.

2.3 Port Table Changes

Table 3: Port Changes From AE Services 6.3.3 to 7.0

Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
CM | Ephemeral | AE Services | 20000-29999 (C) | TCP | No | Closed | H.323 Signaling (TTS); range extended to accommodate 8K DMCC registrations
CM | Ephemeral | AE Services | 30000-49999 (C) | UDP | Yes | Closed | H.323 RTP (DMCC Server-Media); range extended to accommodate 8K DMCC registrations
AE Services | Ephemeral | CM | 20000-29999 (C) | UDP | No | Closed | H.323 Registration (RAS); range extended to accommodate 8K DMCC registrations

Note: ICMP (ping) should be enabled between AES and CM Gateway.


3 Port Usage Diagram


Appendix A Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. For example, your PC may have multiple applications simultaneously receiving information: email using destination TCP port 25, a browser using destination TCP port 443, and an ssh session using destination TCP port 22. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Each of the mini-streams is directed to the correct high-level application, identified by the port numbers. Every IP device has incoming (Ingress) and outgoing (Egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket. Therefore, each data stream is uniquely identified with two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact with the known protocol associated with the port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Types

Port numbers are divided into three ranges: Well Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports). The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers

Well Known Ports

Well Known Ports are those numbered from 0 through 1023. For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well known port 25 is waiting for an email session, etc. These ports are tied to a well understood application and range from 0 to 1023.

In UNIX and Linux operating systems, only root may open or close a well-known port. Well Known Ports are also commonly referred to as "privileged ports".

Registered Ports


Registered Ports are those numbered from 1024 through 49151. Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535. Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage). These are the safest ports to use because no application types are linked to these ports. The default dynamic port range for Linux systems is 49152 – 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow or conversation requires two sockets – one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.23.2:345. Two different port numbers and IP addresses; this is a valid and typical socket pair.

Data Flow 2: 172.16.16.14:1235 - 10.1.23.2:345. The same IP addresses, and the same port number on the second IP address, as data flow 1, but since the port number on the first socket differs, the data flow is unique.

Data Flow 3: 172.16.16.14:1234 - 10.1.24.2:345. If one IP address octet changes or one port number changes, the data flow is unique.

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server. Client to Web Server HTTP GET: Source 192.168.1.10:1369, Destination 10.10.10.47:80. TCP info from the server: Source 10.10.10.47:80, Destination 192.168.1.10:1369.


The client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream from the server has the source and destination information reversed.

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined and checked against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

An Application Level Gateway (ALG) acts as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [1].

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access based on IP addresses, port numbers, application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies may be created. These policies are meant to allow Avaya's business communications to proceed seamlessly without allowing unnecessary access into the network.

Knowing that the source column in the preceding matrices is the socket initiator is the key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction; however, it can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows which use a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[1] Port Scanning is the act of systematically connecting to a range of a computer's ports, one at a time. Since a port is a place where information enters and exits a computer, port scanning identifies open doors to the computer. Port scanning has legitimate uses in managing networks, but it also can be malicious in nature – for example, when someone is looking for a weakened access point to break into the computer.
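The port tables in section 2.2 and the firewall-policy discussion above both turn on the same fact: the Source column names the socket initiator, so rows whose destination is the AE Services server are the inbound listeners a host firewall must admit, and everything else is a flow the server starts itself. The following Python script is an added example, not part of the Avaya document: it embeds a constructed subset of Table 1 and a constructed `ss -Hltun` listener snapshot, renders a stateful iptables INPUT policy from the documented open listeners (one conntrack rule stands in for the "return path" the text describes), and flags listeners that deviate from the documented default port state.

```python
"""Audit an AE Services host against the port matrix (added example, not part
of the Avaya document). MATRIX is a constructed subset of Table 1 in the page's
nine-column order; SS_OUTPUT is a constructed `ss -Hltun` snapshot."""
import re
from dataclasses import dataclass

MATRIX = """
1 | Administrator Terminal | Ephemeral | AE Services | 22 | TCP/SSH | Yes | Open | SSH (and SFTP and SCP)
4 | Web Browser | Ephemeral | AE Services | 443 | TCP/HTTPS | No | Open | AE Services Management Console
5 | TSAPI and JTAPI Client | Ephemeral | AE Services | 450 | TCP | Yes | Open | TSAPI Listener
7 | TSAPI and JTAPI Client | Ephemeral | AE Services | 1066-1081 (C) | TCP/TLS | No | Open | TSAPI Session Encrypted TLINKS
8 | DMCC Client | Ephemeral | AE Services | 4721 (C) | TCP | Yes | Closed | DMCC XML Protocol
9 | DMCC Client | Ephemeral | AE Services | 4722 (C) | TCP/TLS | Yes | Open | DMCC Secure XML Protocol
17 | CM | Ephemeral | AE Services | 30000-49999 (C) | UDP | Yes | Closed | H.323 RTP (DMCC Server-Media)
23 | AE Services | Ephemeral | CM | 8765 | TCP | No | Closed | Transport Protocol
"""

# Constructed `ss -Hltun` output (Netid State Recv-Q Send-Q Local Peer). It has an
# undocumented listener (31337), one closed by default (4721) and lacks 450.
SS_OUTPUT = """
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:1070    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:4721    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:4722    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:31337   0.0.0.0:*
udp   UNCONN 0 0   127.0.0.1:10161 0.0.0.0:*
"""


@dataclass(frozen=True)
class Row:
    no: int
    src: str
    dst: str
    lo: int            # first destination port (range start)
    hi: int            # last destination port (== lo for a single port)
    proto: str         # "tcp" or "udp"; TCP6/UDP6 are folded in
    default_open: bool
    desc: str


def parse_matrix(text: str) -> list[Row]:
    """Parse pipe-separated rows in the page's nine-column layout."""
    rows = []
    for line in text.strip().splitlines():
        no, src, _sport, dst, dport, netproto, _opt, state, desc = (
            c.strip() for c in line.split("|"))
        m = re.fullmatch(r"(\d+)(?:\s*[-\u2013]\s*(\d+))?\s*(?:\(C\))?", dport)
        lo = int(m.group(1))
        rows.append(Row(int(no), src, dst, lo, int(m.group(2) or lo),
                        netproto.split("/")[0].lower().rstrip("6"),
                        state == "Open", desc))
    return rows


def parse_ss(text: str) -> set[tuple[str, int]]:
    """Return {(proto, port)} for listeners bound to non-loopback addresses."""
    listeners = set()
    for line in text.strip().splitlines():
        netid, _state, _rq, _sq, local, _peer = line.split()
        addr, port = local.rsplit(":", 1)
        if not addr.startswith("127."):   # loopback listeners belong to Table 2
            listeners.add((netid, int(port)))
    return listeners


def iptables_rules(rows: list[Row], server: str = "AE Services") -> list[str]:
    """Stateful INPUT policy: one conntrack rule admits the return path of every
    flow the server initiates, so only documented open listeners need an accept
    rule of their own; everything else is dropped."""
    rules = ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rows:
        if r.dst == server and r.default_open:
            dport = str(r.lo) if r.lo == r.hi else f"{r.lo}:{r.hi}"
            rules.append(f'-A INPUT -p {r.proto} --dport {dport} '
                         f'-m comment --comment "row {r.no}: {r.desc}" -j ACCEPT')
    rules.append("-A INPUT -j DROP")
    return rules


def audit(rows: list[Row], listeners: set[tuple[str, int]],
          server: str = "AE Services") -> dict[str, list]:
    """Compare live listeners with the documented default port state."""
    inbound = [r for r in rows if r.dst == server]
    findings = {"unexpected": [], "closed_by_default": [], "missing": []}
    for proto, port in sorted(listeners):
        row = next((r for r in inbound
                    if r.proto == proto and r.lo <= port <= r.hi), None)
        if row is None:
            findings["unexpected"].append((proto, port))
        elif not row.default_open:
            findings["closed_by_default"].append((proto, port, row.desc))
    for r in inbound:   # documented-open services that are not listening at all
        if r.default_open and not any(
                p == r.proto and r.lo <= n <= r.hi for p, n in listeners):
            findings["missing"].append((r.proto, r.lo, r.hi, r.desc))
    return findings


if __name__ == "__main__":
    matrix = parse_matrix(MATRIX)
    print("\n".join(iptables_rules(matrix)))
    print(audit(matrix, parse_ss(SS_OUTPUT)))
```

On a real host, replace SS_OUTPUT with the output of `ss -Hltun` and MATRIX with the full table (including the TCP6/UDP6 rows) before trusting the "unexpected" list.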

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 3 Comments Infodevavayacom

1 Application Enablement Services Components

Data flows and their sockets are owned and directed by an application A server running on Red Hat Enterprise Linux (RHEL) 76 has many applications such as tomcat PostgreSQL etc For all applications sockets are created on the network interfaces on the server For the purposes of firewall configuration these sockets are sourced from the server so the firewall (ldquoiptablesrdquo service) should be running on the same server Application components in the Application Enablement (AE) Services server are listed as follows

Component Interface Description

DMCC Service Eth0 (public IP)

The Device Media and Call Control (DMCC) service provides both first-party and third-party call control features via a Java API as well as XML and NET interfaces Additionally DMCC provides the integration for Microsoft LCS 2005 OCS 2007 LYNC and Sametime TCPIP TLS and SIP protocols may be used to connect a DMCC Client to DMCC

DLG Service Eth0 (public IP)

The DEFINITY LAN Gateway (DLG) service tunnels messages over TCPIP That is the DLG service supports a set of TCPIP connections for the communications channel between Communication Manager and AE Services The DLG service is also used for transporting ASAIQ931 messages

CVLAN Service

Eth0 (public IP)

The CallVisor LAN (CVLAN) service is a CC++ based API that enables applications to exchange ASAI messages with the AE Services server CVLAN provides a full complement of third-party call control capabilities such as controlling specific calls or stations completing routing of incoming calls receiving notifications of events invoking Communication Manager features and querying Communication Manager for information

TSAPI Service Eth0 (public IP)

The Telephony Services API (TSAPI) is a CC++ based API that provides a full complement of third party call control capabilities The Java Telephony API (JTAPI) is a client side interface to the TSAPI service and as such it provides third party call control

Transport Service

Eth0 (public IP) or Eth1 (private IP)

The Transport link is a secure TCPIP connection between the AE Services server and Communication Manager The default interface is ldquoeth0rdquo

System Management Service

Eth0 (public IP) or Eth2 (Out of Band Mgmt IP)

By default listens on port 443 for HTTPS connection to provide users a web interface to enable SOAP-based access to Communication Manager administration functions The default interface is ldquoeth0rdquo unless ldquoOut-of-Band Managementrdquo has been configured

Telephony Web Service

Eth0 (public IP) or Eth2 (Out of Band Mgmt IP)

By default listens on port 8443 for HTTPS connection to provide users a web interface that enables high level call control functionality over standard web services interfaces (SOAPXML)The default interface is ldquoeth0rdquo unless ldquoOut-of-Band Managementrdquo has been configured

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 4 Comments Infodevavayacom

Component Interface Description

AES Management Console

Eth0 (public IP)

or

Eth2 (Out of Band Mgmt IP)

The AES Management Console by default listens on port 443 for HTTPS connections and provides an ldquoOperations Administration and Managementrdquo interface for maintenance of the AE Services server The default interface is ldquoeth0rdquo unless ldquoOut-of-Band Managementrdquo has been configured

NOTE Eth0 is the default interface but the interface can be changed via the appropriate AE Services Management Console web-page

2 Port Usage Tables

21 Port Usage Table Heading Definitions

Source System System name or type that initiate connection requests

Source Port This is the default layer-4 port number of the connection source Valid values include 0 ndash 65535 A ldquo(C)rdquo next to the port number means that the port number is configurable

Destination System System name or type that receives connection requests

Destination Port This is the default layer-4 port number to which the connection request is sent Valid values include 0 ndash 65535 A ldquo(C)rdquo next to the port number means that the port number is configurable

NetworkApplication Protocol This is the name associated with the layer-4 protocol and layers-5-7 application

Optionally Enabled Disabled This field indicates whether customers can enable or disable a layer-4 port changing its default port setting Valid values include Yes or No

ldquoNordquo means the default port state cannot be changed (eg enable or disabled)

ldquoYesrdquo means the default port state can be changed and that the port can either be enabled or disabled

Default Port State A port is either opened closed or filtered

Open ports will respond to queries

Closed ports may or may not respond to queries and are only listed when they can be optionally enabled

Filtered ports can be open or closed Filtered UDP ports will not respond to queries Filtered TCP will respond to queries but will not allow connectivity

Description Connection details Add a reference to refer to the Notes section after each table for specifics on any of the row data if necessary

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 5 Comments Infodevavayacom

22 Port Tables

Below are the tables which document the port usage for this product

Table 1 Ports for Application Enablement Services Interface

No Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

1 Administrator Terminal

Ephemeral AE

Services 22 TCPSSH Yes Open

SSH (and SFTP and SCP)

2

Web Browser Ephemeral AE

Services 80 TCPHTTP Yes Closed

AE Services Management Console Web Services and License Manager

3 Administrator Terminal or

NMS Ephemeral

AE Services

161 UDPSNMP Yes Closed SNMP

4

Web Browser Ephemeral AE

Services 443 TCPHTTPS No Open

AE Services Management Console Web Services and License Manager

5 TSAPI and JTAPI Client

Ephemeral AE

Services 450 TCP Yes Open

TSAPI Listener

6

TSAPI and JTAPI Client

Ephemeral AE

Services

1050-1065

(C) TCP No Open

TSAPI Session TLINKS ( 16 is the max number of supported switch connections)

7

TSAPI and JTAPI Client

Ephemeral AE

Services

1066-1081

(C) TCPTLS No Open

TSAPI Session Encrypted TLINKS ( 16 is the max number of supported switch connections)

8 DMCC Client Ephemeral

AE Services

4721 (C) TCP Yes Closed DMCC XML Protocol

9 DMCC Client Ephemeral

AE Services

4722 (C) TCPTLS Yes Open DMCC Secure XML Protocol

10 TR87 SIP Client AACC

ACE Ephemeral

AE Services

4723 (C) TCPTLS Yes Closed TR87 TLS

11 ASAI Client Ephemeral

AE Services

5678 TCP No Closed DLG Listener

12 Web Browser Ephemeral

AE Services

8080 TCPHTTP Yes Closed Web License Manager

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 6 Comments Infodevavayacom

No Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

13

Web Browser Ephemeral AE

Services 8443 TCPHTTPS Yes Closed

AE Services Management Console Web Services and License Manager

14 CVLAN Client Ephemeral

AE Services

9998 (C) TCPTLS Yes Open Secure CVLAN Listener

15 CVLAN Client Ephemeral

AE Services

9999 TCP Yes Open Unsecure and OAM CVLAN Listener

16 CM Ephemeral

AE Services

20000 -

29999 (C) TCP No Closed

H323 Signaling (TTS)

17 CM Ephemeral

AE Services

30000 -

49999 (C) UDP Yes Closed

H323 RTP (DMCC Server-Media)

18 AE Services Ephemeral

DNS Server

53 UDP Yes Open DNS

19 AE Services Ephemeral DHCP 67 UDP Yes Closed DHCP

20

AE Services Ephemeral SNMP Trap

Receiver 162 UDP Yes Closed

SNMP TrapNotification to a NMS andor Avaya SALSSG

21 AE Services Ephemeral

LDAP Server

389 (C) TCP Yes Closed LDAP for authentication and authorization

22

AE Services Ephemeral LDAP Server

636 (C) TCP Yes Closed

Secure LDAP ( LDAPS ) for authentication and authorization

23 AE Services Ephemeral CM 8765 TCP No Closed Transport Protocol

24 AE Services

20000-

24999 (C) CM 1720 TCP No Closed

H323 Signaling (Non TTS)

25 AE Services

30000-

34999 (C) CM 1719 UDP No Closed

H323 RAS

26 AE Services

4101-4116

(C) CM 5022 TCP No Closed

System Management Service (SMS) Proxy (aka OSSI Proxy)

27 AE Services Ephemeral

NTP Server

123 UDP Yes Open NTP

28 AE Services Ephemeral WebLM 52233 TCPHTTP Yes Open

Web License Manager

29

AE Services Ephemeral AE

Services 9041 amp 9043 TCP No Closed

Geo HA Active Arbiter to Standby Arbiter Communication

30 AE Services Ephemeral CM 20000 ndash

29999 (C) UDP No Closed

H323 Registration (RAS)

31 Tomcat Ephemeral

AE Services

5001 TCP6 Yes Open Tomact

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 7 Comments Infodevavayacom

No Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

32 | Tomcat | Ephemeral | AE Services | 8009 | TCP6 | Yes | Open | Tomcat
33 | DmccMain | Ephemeral | AE Services | 1098 | TCP6 | Yes | Open | Device and media call control
34 | DmccMain | Ephemeral | AE Services | 8086 | TCP6 | Yes | Open | Device and media call control
35 | DmccMain | Ephemeral | AE Services | 57386 | UDP6 | Yes | Open | Device and media call control
36 | DmccMain | Ephemeral | AE Services | 55392 | UDP6 | Yes | Open | Device and media call control
37 | LcmMain | Ephemeral | AE Services | 1099 | TCP6 | Yes | Open | Life cycle manager
38 | LcmMain | Ephemeral | AE Services | 8083 | TCP6 | Yes | Open | Life cycle manager
39 | LcmMain | Ephemeral | AE Services | 53104 | UDP6 | Yes | Open | Life cycle manager
40 | SPIRIT WrapperListener | Ephemeral | AE Services | 59537 | TCP6 | Yes | Open | SPIRIT WrapperListener
41 | postgres | Ephemeral | AE Services | 5430 | TCP6 | Yes | Open | Database
42 | Tomcat | Ephemeral | AE Services | 57132 | UDP6 | Yes | Open | Tomcat
43 | Tomcat | Ephemeral | AE Services | 55855 | UDP6 | Yes | Open | Tomcat
44 | SnmpAgent | Ephemeral | AE Services | 10161 | UDP6 | Yes | Open | SnmpAgent
45 | rsyslogd | Ephemeral | AE Services | 515 | UDP6 | Yes | Open | rsyslogd

NOTES

1. An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications, allocated automatically from a predefined range of ports between 1024 and 65535.

2. The default interface associated with each port is eth0, but it is configurable via the appropriate AE Services Management Console web page.

3. This table does not fully apply to the SW-Only offer. For example, for the SW-Only offer the ability to enable and disable the ports used by third-party services is not controlled by AE Services.

4. Each port in the ranges 20000-29999 (TCP/UDP) and 30000-49999 (UDP) is opened only when the port has been assigned to a registered station. If the port is not currently assigned to a registered station, then the port is closed. In addition, the UDP ports in the range 30000-49999 are opened only when the assigned station is configured for Server-Media.
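Table 1 and its Note 4 become useful for a defender when they are compared against what the AE Services host is actually listening on. The following is an added example, not Avaya tooling or code from this document: it reads `ss -Hltun` output, drops loopback listeners (those belong to Table 2), and reports three things against a subset of Table 1 rows where AE Services is the destination: listeners the matrix does not know at all, ports that are Closed by default but observed open (so that a reviewer can confirm they were enabled on purpose, e.g. the plain-HTTP WebLM port in row 12), and default-Open rows with no listener. Ports inside the Note 4 ranges (20000-29999 TCP/UDP, 30000-49999 UDP) are treated as registration-driven and not reported. The ss output is constructed sample data; the row subset, the DYNAMIC_RANGES table and the finding categories are this example's own choices.

```python
"""Audit a host's non-loopback listeners against the AE Services port matrix.

Added example, not Avaya tooling. MATRIX rows are copied from Table 1 (rows
where AE Services is the destination); SAMPLE_SS is constructed ss(8) output.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    no: int             # row number in Table 1
    port: str           # destination port cell, e.g. "4722 (C)", "9041 & 9043"
    proto: str          # "tcp" or "udp" (TCP6/UDP6 and TCP/HTTPS normalised)
    optional: bool      # Optionally Enabled/Disabled == Yes
    default_open: bool  # Default Port State == Open
    desc: str


MATRIX = [
    Row(1, "22", "tcp", True, True, "SSH (and SFTP and SCP)"),
    Row(4, "443", "tcp", False, True, "AE Services Management Console, Web Services and License Manager"),
    Row(5, "450", "tcp", True, True, "TSAPI Listener"),
    Row(8, "4721 (C)", "tcp", True, False, "DMCC XML Protocol"),
    Row(9, "4722 (C)", "tcp", True, True, "DMCC Secure XML Protocol"),
    Row(12, "8080", "tcp", True, False, "Web License Manager"),
    Row(16, "20000-29999 (C)", "tcp", False, False, "H.323 Signaling (TTS)"),
    Row(17, "30000-49999 (C)", "udp", True, False, "H.323 RTP (DMCC Server-Media)"),
    Row(29, "9041 & 9043", "tcp", False, False, "Geo HA Active Arbiter to Standby Arbiter Communication"),
    Row(41, "5430", "tcp", True, True, "Database"),
    Row(44, "10161", "udp", True, True, "SnmpAgent"),
]

# Note 4 below Table 1: ports in these ranges are open only while assigned to a
# registered station, so a listener there is normal and is not reported.
DYNAMIC_RANGES = {"tcp": [(20000, 29999)], "udp": [(20000, 29999), (30000, 49999)]}

# Netid State Recv-Q Send-Q Local:Port ... as printed by `ss -Hltun`
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)(?:\s|$)")


def port_set(cell):
    """Expand a port cell ("443", "4722 (C)", "9041 & 9043", "20000-29999 (C)") to a set of ints."""
    ports = set()
    for part in re.split(r"[&,]", cell.replace("(C)", "")):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return ports


def parse_ss(output):
    """Return {(proto, port)} for listeners in `ss -Hltun` output, skipping loopback (Table 2)."""
    found = set()
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if m and not (m.group(2).startswith("127.") or m.group(2) == "[::1]"):
            found.add((m.group(1), int(m.group(3))))
    return found


def in_dynamic_range(proto, port):
    return any(lo <= port <= hi for lo, hi in DYNAMIC_RANGES.get(proto, []))


def audit(listeners, matrix=MATRIX):
    """Compare observed listeners with the matrix; returns three finding lists."""
    index = {(r.proto, p): r for r in matrix for p in port_set(r.port)}
    findings = {"unexpected": [], "enabled_from_closed": [], "missing_default_open": []}
    for proto, port in sorted(listeners):
        row = index.get((proto, port))
        if row is None:
            findings["unexpected"].append((proto, port))  # not in the matrix at all
        elif not row.default_open and not in_dynamic_range(proto, port):
            findings["enabled_from_closed"].append((proto, port, row.no, row.desc))
    for r in matrix:
        if r.default_open and not any((r.proto, p) in listeners for p in port_set(r.port)):
            findings["missing_default_open"].append((r.no, r.port, r.proto, r.desc))
    return findings


# Constructed sample: TSAPI disabled, WebLM HTTP (8080) enabled, one H.323
# signalling port and one RTP port in use, and one listener the matrix does not know.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:4722      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5430      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:20005     0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5501      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:31337     0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:10161     0.0.0.0:*
udp   UNCONN 0      0                  *:35000           *:*
"""

if __name__ == "__main__":
    for kind, items in audit(parse_ss(SAMPLE_SS)).items():
        print(kind, items)
```

On a real host the input is `ss -Hltun` piped into parse_ss; extend MATRIX with the remaining Table 1 rows for a complete check. A "missing_default_open" finding is not by itself a problem (the service may be optionally disabled), but an "unexpected" listener on the public interface is something the matrix says should not be there and deserves an owner.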


Table 2: Ports for Application Enablement Services Interface (LocalHost - 127.0.0.1)

No | Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
1 | AE Services | Ephemeral | AE Services | 80 | TCP/HTTP | Yes | Open | Web License Manager
2 | AE Services | Ephemeral | AE Services | 389 | TCP | Yes | Open | LDAP for authentication and authorization
3 | AE Services | Ephemeral | AE Services | 443 | TCP/HTTPS | No | Open | Web License Manager
4 | AE Services | Ephemeral | AE Services | 1024-1039 | TCP | No | Open | TSAPI Session Local TLINKS
5 | AE Services | Ephemeral | AE Services | 4101-4116 (C) | TCP | No | Open | System Management Service (SMS) Proxy
6 | AE Services | Ephemeral | AE Services | 5430 | TCP | No | Open | Database
7 | AE Services | Ephemeral | AE Services | 5501 | TCP | No | Open | TSAPI Service OAM
8 | AE Services | Ephemeral | AE Services | 5502 | TCP | No | Open | TSAPI Switch Driver OAM
9 | AE Services | Ephemeral | AE Services | 5503 | TCP | No | Open | DLG Service OAM
10 | AE Services | Ephemeral | AE Services | 5504 | TCP | No | Open | Transport Service OAM
11 | AE Services | Ephemeral | AE Services | 5505 | TCP | No | Open | ASAI Link Service
12 | AE Services | Ephemeral | AE Services | 8080 | TCP/HTTP | Yes | Open | Web License Manager
13 | AE Services | Ephemeral | AE Services | 8443 | TCP/HTTPS | Yes | Open | Web License Manager
14 | AE Services | Ephemeral | AE Services | 8081/8082 | TCP | No | Open | JMX (Management)
15 | AE Services | Ephemeral | AE Services | 8084/8085 | TCP | No | Open | JMX (Management)
16 | AE Services | Ephemeral | AE Services | 10161 | UDP | No | Open | SNMP


No | Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description

17 | AE Services | Ephemeral | AE Services | 1777 | TCP | Yes | Open | AESvcsSnmpAgen
18 | AE Services | Ephemeral | AE Services | 1778 | TCP | Yes | Open | AESvcs
19 | AE Services | Ephemeral | AE Services | 1779 | TCP | Yes | Open | DMCCSvc
20 | AE Services | Ephemeral | AE Services | 2583 | TCP/UDP | Yes | Open | perl
21 | AE Services | Ephemeral | AE Services | 25 | TCP | Yes | Open | master
22 | AE Services | Ephemeral | AE Services | 705 | TCP | Yes | Open | Snmpd
23 | AE Services | Ephemeral | AE Services | 199 | TCP | Yes | Open | Snmpd
24 | AE Services | Ephemeral | AE Services | 514 | UDP | Yes | Open | rsyslogd
25 | AE Services | Ephemeral | AE Services | 515 | UDP | Yes | Open | rsyslogd
26 | AE Services | Ephemeral | AE Services | 5517 | UDP | Yes | Open | rsyslogd
27 | AE Services | Ephemeral | AE Services | 8005 | TCP6 | Yes | Open | Tomcat
28 | AE Services | Ephemeral | AE Services | 5510 | UDP | Yes | Open | rsyslogd

NOTES

1. An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications, allocated automatically from a predefined range of ports between 1024 and 65535.

2.3 Port Table Changes

Table 3: Port Changes From AE Services 6.3.3 to 7.0

Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
CM | Ephemeral | AE Services | 20000-29999 (C) | TCP | No | Closed | H.323 Signaling (TTS): range extended to accommodate 8K DMCC registrations


Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
CM | Ephemeral | AE Services | 30000-49999 (C) | UDP | Yes | Closed | H.323 RTP (DMCC Server-Media): range extended to accommodate 8K DMCC registrations
AE Services | Ephemeral | CM | 20000-29999 (C) | UDP | No | Closed | H.323 Registration (RAS): range extended to accommodate 8K DMCC registrations

Note: ICMP (ping) should be enabled between AES and CM Gateway.


3 Port Usage Diagram


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. For example, your PC may have multiple applications simultaneously receiving information: email using destination TCP port 25, a browser using destination TCP port 443, and an SSH session using destination TCP port 22. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC. Each of the mini-streams is directed to the correct high-level application, identified by the port numbers. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket. Therefore each data stream is uniquely identified with two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact using the known protocol associated with the port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Types

Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic Ports (sometimes called Private Ports). The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers

Well Known Ports

Well Known Ports are those numbered from 0 through 1023. For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well known port 25 is waiting for an email session, and so on. These ports are tied to a well understood application and range from 0 to 1023.

In UNIX and Linux operating systems, only root may open or close a well-known port. Well Known Ports are also commonly referred to as "privileged ports".

Registered Ports

Registered Ports


Registered Ports are those numbered from 1024 through 49151. Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, of the ports used by Avaya in this range include 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024 - 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535. Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The default dynamic port range for Linux systems is 49152 - 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345. Two different port numbers and IP addresses; this is a valid and typical socket pair.

Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345. Same IP addresses and the same port number on the second IP address as Data Flow 1, but since the port number on the first socket differs, the data flow is unique.

Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345. If one IP address octet changes or one port number changes, the data flow is unique.

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.
Client -> Web Server, HTTP GET: Source 192.168.1.10:1369, Destination 10.10.10.47:80
Web Server -> Client, TCP info: Destination 192.168.1.10:1369, Source 10.10.10.47:80


The client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream from the server has the source and destination information reversed.

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined and checked against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

An Application Level Gateway (ALG) acts as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [1].

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access based on IP addresses, port numbers, application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies may be created. These policies are meant to allow Avaya's business communications to proceed seamlessly without allowing unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is the key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction; however, it can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows which use a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[1] Port Scanning is the act of systematically connecting to a range of a computer's ports, one at a time. Since a port is a place where information enters and exits a computer, port scanning identifies open doors to the computer. Port scanning has legitimate uses in managing networks, but it also can be malicious in nature, for example when someone is looking for a weakened access point to break into the computer.
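The socket and data-flow definitions in Appendix A (Data Flows 1-3), the reversed ingress stream of Figure 1, and the "automatic return path" option just described fit together in one small model. The following is an added example, not Avaya's code: a filter that keeps a state table keyed on the initiator's four-element flow, admits the reversed key as return traffic, and otherwise consults initiator-based rules whose protocol and destination port are taken from Table 1 rows (the Source column there is the initiator, which is what the rule's source network encodes). The AES, CM, DNS and client addresses, the subnets and the unsolicited packets in the scenario are constructed for the example.

```python
"""Initiator-based firewall policy with a state table for return traffic.

Added example, not Avaya code. Models the Appendix A definitions (socket =
IP address + port; data flow = two sockets, four elements) and the automatic
return-path option described under Firewall Policies. Host addresses and
subnets are constructed; the cited Table 1 rows supply only protocol and port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Socket:
    ip: str
    port: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Socket
    dst: Socket

    def key(self):
        """The four logical elements (plus protocol) that make a data flow unique."""
        return (self.proto, self.src.ip, self.src.port, self.dst.ip, self.dst.port)

    def reverse_key(self):
        """Key of the matching ingress stream: source and destination swapped (Figure 1)."""
        return (self.proto, self.dst.ip, self.dst.port, self.src.ip, self.src.port)


@dataclass(frozen=True)
class Rule:
    """One policy line; src_net is the socket initiator, like the Source column of the matrix."""
    src_net: str
    dst_net: str
    proto: str
    dst_port: int
    desc: str


class StatefulFilter:
    """Admit new flows by rule, then admit both directions of each admitted flow."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # keys of initiator flows that matched a rule

    def _rule_for(self, pkt):
        for r in self.rules:
            if (r.proto == pkt.proto and r.dst_port == pkt.dst.port
                    and ip_address(pkt.src.ip) in ip_network(r.src_net)
                    and ip_address(pkt.dst.ip) in ip_network(r.dst_net)):
                return r
        return None

    def decide(self, pkt):
        if pkt.key() in self.state:
            return "ACCEPT established"
        if pkt.reverse_key() in self.state:
            return "ACCEPT return path"  # the automatic return rule, no second policy line needed
        rule = self._rule_for(pkt)
        if rule is None:
            return "DROP"  # unsolicited and not an allowed initiator
        self.state.add(pkt.key())  # remember the initiator flow
        return "ACCEPT new: " + rule.desc


# Constructed addresses: AES 10.1.2.3, CM 10.1.2.10, DNS 10.1.2.53, DMCC clients in 172.16.16.0/24.
AES, CM, DNS, CLIENT = "10.1.2.3", "10.1.2.10", "10.1.2.53", "172.16.16.14"
RULES = [
    Rule("172.16.16.0/24", AES + "/32", "tcp", 4722, "DMCC Secure XML Protocol (Table 1 row 9)"),
    Rule(AES + "/32", DNS + "/32", "udp", 53, "DNS (Table 1 row 18)"),
    Rule(AES + "/32", CM + "/32", "tcp", 8765, "Transport Protocol to CM (Table 1 row 23)"),
]


def appendix_flows_unique():
    """Data Flows 1-3 from Appendix A each differ in one element, so all three keys differ."""
    flows = [Packet("tcp", Socket("172.16.16.14", 1234), Socket("10.1.2.3", 2345)),
             Packet("tcp", Socket("172.16.16.14", 1235), Socket("10.1.2.3", 2345)),
             Packet("tcp", Socket("172.16.16.14", 1234), Socket("10.1.2.4", 2345))]
    return len({p.key() for p in flows}) == 3


def run_scenario():
    fw = StatefulFilter(RULES)
    packets = [
        Packet("tcp", Socket(CLIENT, 1234), Socket(AES, 4722)),     # client opens DMCC over TLS
        Packet("tcp", Socket(AES, 4722), Socket(CLIENT, 1234)),     # AES reply: sockets reversed
        Packet("tcp", Socket(CLIENT, 1235), Socket(AES, 4722)),     # second session, new source port
        Packet("tcp", Socket(AES, 4722), Socket(CLIENT, 1236)),     # AES initiating toward a client: no rule
        Packet("tcp", Socket("10.9.9.9", 5555), Socket(AES, 4722)),  # source outside the allowed subnet
        Packet("udp", Socket(AES, 3008), Socket(DNS, 53)),          # AES -> DNS query
        Packet("udp", Socket(DNS, 53), Socket(AES, 3008)),          # DNS answer, return path
        Packet("tcp", Socket(CM, 1720), Socket(AES, 40000)),        # unsolicited inbound from CM
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The scenario shows why the return-path option "can also raise security concerns": the state table, not the rule set, is what admits the reverse direction, so an entry created by any allowed initiator opens a reverse path for the life of that entry. Real firewalls also age entries out and, for TCP, check flags and sequence numbers before trusting a reverse packet; this model omits both.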



Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types

bull Packet Filtering

bull Application Level Gateways (Proxy Servers)

bull Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of the firewalls Each packet that arrives or leaves the network has its header fields examined and checked against criterion to either drop the packet or let it through Routers configured with Access Control Lists (ACL) use packet filtering An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any device in the Accounting subnet

An Application Level Gateway (ALG) acts as a proxy preventing a direct connection between the foreign device and the internal destination device ALGs filter each individual packet rather than blindly copying bytes ALGs can also send alerts via email alarms or other methods and keep log files to track significant events

Hybrid firewalls are dynamic systems tracking each connection traversing all interfaces of the firewall and making sure they are valid In addition to looking at headers the content of the packet up through the application layer is examined A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table Stateful inspection firewalls close off ports until the connection to the specific port is requested This is an enhancement to security against port scanning1

Firewall Policies

The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access based on IP addresses port numbers application types and sub-types

This paper is focused with identifying the port numbers used by Avaya products so that effective firewall policies may be created These policies are meant allow Avayarsquos business communications to proceed seamlessly without allowing unnecessary access into the network

Knowing that the source column in the following matrices is the socket initiator is the key to building some types of firewall policies Some firewalls can be configured to automatically create a return

1 Port Scanning is the act of systematically connecting to a range of a computers ports one at a time Since a port is

a place where information enters and exits a computer port scanning identifies open doors to the computer Port

scanning has legitimate uses in managing networks but it also can be malicious in nature ndash for example when

someone is looking for a weakened access point to break into the computer

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 15 Comments Infodevavayacom

path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction however it can also raise security concerns

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows which use a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone

Avaya – Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy.

March 2019, Avaya Port Matrix: Avaya Aura® Application Enablement Services 8.1. Comments? infodev@avaya.com

2.2 Port Tables

Below are the tables that document the port usage for this product. In every table the Source column is the initiator of the connection. Ports marked (C) are configurable; "Ephemeral" means the port is chosen by the initiator from its ephemeral range (see the notes following each table).

Table 1: Ports for Application Enablement Services Interface

No | Source | Source Port (Configurable Range) | Destination | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
1 | Administrator Terminal | Ephemeral | AE Services | 22 | TCP/SSH | Yes | Open | SSH (and SFTP and SCP)
2 | Web Browser | Ephemeral | AE Services | 80 | TCP/HTTP | Yes | Closed | AE Services Management Console, Web Services and License Manager
3 | Administrator Terminal or NMS | Ephemeral | AE Services | 161 | UDP/SNMP | Yes | Closed | SNMP
4 | Web Browser | Ephemeral | AE Services | 443 | TCP/HTTPS | No | Open | AE Services Management Console, Web Services and License Manager
5 | TSAPI and JTAPI Client | Ephemeral | AE Services | 450 | TCP | Yes | Open | TSAPI Listener
6 | TSAPI and JTAPI Client | Ephemeral | AE Services | 1050-1065 (C) | TCP | No | Open | TSAPI Session TLINKS (16 is the maximum number of supported switch connections)
7 | TSAPI and JTAPI Client | Ephemeral | AE Services | 1066-1081 (C) | TCP/TLS | No | Open | TSAPI Session Encrypted TLINKS (16 is the maximum number of supported switch connections)
8 | DMCC Client | Ephemeral | AE Services | 4721 (C) | TCP | Yes | Closed | DMCC XML Protocol
9 | DMCC Client | Ephemeral | AE Services | 4722 (C) | TCP/TLS | Yes | Open | DMCC Secure XML Protocol
10 | TR/87 SIP Client, AACC, ACE | Ephemeral | AE Services | 4723 (C) | TCP/TLS | Yes | Closed | TR/87 TLS
11 | ASAI Client | Ephemeral | AE Services | 5678 | TCP | No | Closed | DLG Listener
12 | Web Browser | Ephemeral | AE Services | 8080 | TCP/HTTP | Yes | Closed | Web License Manager
13 | Web Browser | Ephemeral | AE Services | 8443 | TCP/HTTPS | Yes | Closed | AE Services Management Console, Web Services and License Manager
14 | CVLAN Client | Ephemeral | AE Services | 9998 (C) | TCP/TLS | Yes | Open | Secure CVLAN Listener
15 | CVLAN Client | Ephemeral | AE Services | 9999 | TCP | Yes | Open | Unsecure and OAM CVLAN Listener
16 | CM | Ephemeral | AE Services | 20000-29999 (C) | TCP | No | Closed | H.323 Signaling (TTS)
17 | CM | Ephemeral | AE Services | 30000-49999 (C) | UDP | Yes | Closed | H.323 RTP (DMCC Server-Media)
18 | AE Services | Ephemeral | DNS Server | 53 | UDP | Yes | Open | DNS
19 | AE Services | Ephemeral | DHCP | 67 | UDP | Yes | Closed | DHCP
20 | AE Services | Ephemeral | SNMP Trap Receiver | 162 | UDP | Yes | Closed | SNMP Trap/Notification to an NMS and/or Avaya SAL/SSG
21 | AE Services | Ephemeral | LDAP Server | 389 (C) | TCP | Yes | Closed | LDAP for authentication and authorization
22 | AE Services | Ephemeral | LDAP Server | 636 (C) | TCP | Yes | Closed | Secure LDAP (LDAPS) for authentication and authorization
23 | AE Services | Ephemeral | CM | 8765 | TCP | No | Closed | Transport Protocol
24 | AE Services | 20000-24999 (C) | CM | 1720 | TCP | No | Closed | H.323 Signaling (Non TTS)
25 | AE Services | 30000-34999 (C) | CM | 1719 | UDP | No | Closed | H.323 RAS
26 | AE Services | 4101-4116 (C) | CM | 5022 | TCP | No | Closed | System Management Service (SMS) Proxy (aka OSSI Proxy)
27 | AE Services | Ephemeral | NTP Server | 123 | UDP | Yes | Open | NTP
28 | AE Services | Ephemeral | WebLM | 52233 | TCP/HTTP | Yes | Open | Web License Manager
29 | AE Services | Ephemeral | AE Services | 9041 & 9043 | TCP | No | Closed | Geo HA Active Arbiter to Standby Arbiter Communication
30 | AE Services | Ephemeral | CM | 20000-29999 (C) | UDP | No | Closed | H.323 Registration (RAS)
31 | Tomcat | Ephemeral | AE Services | 5001 | TCP6 | Yes | Open | Tomcat
32 | Tomcat | Ephemeral | AE Services | 8009 | TCP6 | Yes | Open | Tomcat
33 | DmccMain | Ephemeral | AE Services | 1098 | TCP6 | Yes | Open | Device and media call control
34 | DmccMain | Ephemeral | AE Services | 8086 | TCP6 | Yes | Open | Device and media call control
35 | DmccMain | Ephemeral | AE Services | 57386 | UDP6 | Yes | Open | Device and media call control
36 | DmccMain | Ephemeral | AE Services | 55392 | UDP6 | Yes | Open | Device and media call control
37 | LcmMain | Ephemeral | AE Services | 1099 | TCP6 | Yes | Open | Life cycle manager
38 | LcmMain | Ephemeral | AE Services | 8083 | TCP6 | Yes | Open | Life cycle manager
39 | LcmMain | Ephemeral | AE Services | 53104 | UDP6 | Yes | Open | Life cycle manager
40 | SPIRIT WrapperListener | Ephemeral | AE Services | 59537 | TCP6 | Yes | Open | SPIRIT WrapperListener
41 | postgres | Ephemeral | AE Services | 5430 | TCP6 | Yes | Open | Database
42 | Tomcat | Ephemeral | AE Services | 57132 | UDP6 | Yes | Open | Tomcat
43 | Tomcat | Ephemeral | AE Services | 55855 | UDP6 | Yes | Open | Tomcat
44 | SnmpAgent | Ephemeral | AE Services | 10161 | UDP6 | Yes | Open | SnmpAgent
45 | rsyslogd | Ephemeral | AE Services | 515 | UDP6 | Yes | Open | rsyslogd

NOTES:

1. An ephemeral port is a short-lived transport-protocol port for Internet Protocol (IP) communications, allocated automatically by the initiator from a predefined range of ports between 1024 and 65535.

2. The default interface associated with each port is eth0, but it is configurable via the appropriate AE Services Management Console web page.

3. This table does not fully apply to the SW-Only offer. For example, for the SW-Only offer the ability to enable and disable the ports used by third-party services is not controlled by AE Services.

4. Each port in the ranges 20000-29999 (TCP/UDP) and 30000-49999 (UDP) is opened only when the port has been assigned to a registered station. If the port is not currently assigned to a registered station, the port is closed. In addition, the UDP ports in the range 30000-49999 are opened only when the assigned station is configured for Server-Media.
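The rows above can be turned into host-firewall rules mechanically, because the Source column names the initiator and therefore fixes the direction of each rule. The following Python script is an added example, not Avaya tooling: it carries a subset of Table 1 as data, emits nftables rules for the AE Services host, writes no per-row reply rule (a single `ct state established,related` rule covers every return path) and skips rows whose Default Port State is Closed unless told otherwise, so an unconfigured service gets no hole. The nftables set names (@admin_hosts, @cti_apps, @cm_servers, @ntp_servers) and the interface name eth0 are assumptions and must exist in the real ruleset.

```python
"""Derive nftables rules for the AE Services host from port-matrix rows.

Added example; it is not Avaya tooling. Row values are copied from Table 1
above. The nftables set names (@admin_hosts, @cti_apps, ...) and the
interface name eth0 are assumptions and must exist in the real ruleset.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class MatrixRow:
    source: str         # the initiator, as in the Source column
    src_port: str       # "Ephemeral" or a range such as "20000-24999 (C)"
    destination: str
    dst_port: str       # a port or range; "(C)" marks a configurable value
    protocol: str       # "TCP/SSH", "UDP", "TCP/TLS", ...
    default_state: str  # "Open" or "Closed"
    description: str


# Subset of Table 1 (values as printed in the matrix).
TABLE_1: List[MatrixRow] = [
    MatrixRow("Administrator Terminal", "Ephemeral", "AE Services", "22", "TCP/SSH", "Open", "SSH (and SFTP and SCP)"),
    MatrixRow("Web Browser", "Ephemeral", "AE Services", "80", "TCP/HTTP", "Closed", "Management Console over HTTP"),
    MatrixRow("Web Browser", "Ephemeral", "AE Services", "443", "TCP/HTTPS", "Open", "Management Console over HTTPS"),
    MatrixRow("DMCC Client", "Ephemeral", "AE Services", "4721 (C)", "TCP", "Closed", "DMCC XML Protocol"),
    MatrixRow("DMCC Client", "Ephemeral", "AE Services", "4722 (C)", "TCP/TLS", "Open", "DMCC Secure XML Protocol"),
    MatrixRow("AE Services", "20000-24999 (C)", "CM", "1720", "TCP", "Closed", "H.323 Signaling (Non TTS)"),
    MatrixRow("AE Services", "Ephemeral", "NTP Server", "123", "UDP", "Open", "NTP"),
]

# Assumed nftables sets holding the hosts that may play each role.
ZONES: Dict[str, str] = {
    "Administrator Terminal": "@admin_hosts",
    "Web Browser": "@admin_hosts",
    "DMCC Client": "@cti_apps",
    "CM": "@cm_servers",
    "NTP Server": "@ntp_servers",
}


def l4_protocol(protocol: str) -> str:
    """'TCP/TLS' -> 'tcp', 'UDP' -> 'udp': the transport is the part before the slash."""
    return protocol.split("/")[0].strip().lower()


def nft_port(spec: str) -> str:
    """'4721 (C)' -> '4721', '20000-24999 (C)' -> '20000-24999'; (C) is documentation only."""
    return spec.replace("(C)", "").strip()


def rules_for(rows: List[MatrixRow], host: str = "AE Services", include_closed: bool = False) -> List[str]:
    """Emit nftables rules for `host`.

    The Source column is the initiator, so each row decides its own direction:
    host as Destination -> inbound rule, host as Source -> outbound rule.
    The reply direction is never written per row; one established,related
    rule covers every return path (the stateful behaviour the appendix
    describes). Rows whose Default Port State is Closed are skipped unless
    include_closed is set.
    """
    rules = ["ct state established,related accept", "ct state invalid drop"]
    for row in rows:
        if row.default_state != "Open" and not include_closed:
            continue
        proto, dport = l4_protocol(row.protocol), nft_port(row.dst_port)
        if row.destination == host and row.source != host:
            peer = ZONES.get(row.source, "0.0.0.0/0")
            rules.append(f'iifname "eth0" ip saddr {peer} {proto} dport {dport} '
                         f'ct state new accept comment "{row.description}"')
        elif row.source == host and row.destination != host:
            peer = ZONES.get(row.destination, "0.0.0.0/0")
            sport = "" if row.src_port == "Ephemeral" else f"{proto} sport {nft_port(row.src_port)} "
            rules.append(f'oifname "eth0" ip daddr {peer} {sport}{proto} dport {dport} '
                         f'ct state new accept comment "{row.description}"')
    return rules


if __name__ == "__main__":
    print("\n".join(rules_for(TABLE_1)))
```

Run it to print the rules and load them into an `inet filter` table whose input and output chains default to drop. Rows 16, 17 and 30 (the per-station 20000-49999 ranges) are deliberately not in the subset: they open and close with station registrations (Note 4), so a static rule for them should cover only the range actually configured, not the whole printed range.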


Table 2: Ports for Application Enablement Services Interface (LocalHost – 127.0.0.1)

No | Source | Source Port (Configurable Range) | Destination | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
1 | AE Services | Ephemeral | AE Services | 80 | TCP/HTTP | Yes | Open | Web License Manager
2 | AE Services | Ephemeral | AE Services | 389 | TCP | Yes | Open | LDAP for authentication and authorization
3 | AE Services | Ephemeral | AE Services | 443 | TCP/HTTPS | No | Open | Web License Manager
4 | AE Services | Ephemeral | AE Services | 1024-1039 | TCP | No | Open | TSAPI Session Local TLINKS
5 | AE Services | Ephemeral | AE Services | 4101-4116 (C) | TCP | No | Open | System Management Service (SMS) Proxy
6 | AE Services | Ephemeral | AE Services | 5430 | TCP | No | Open | Database
7 | AE Services | Ephemeral | AE Services | 5501 | TCP | No | Open | TSAPI Service OAM
8 | AE Services | Ephemeral | AE Services | 5502 | TCP | No | Open | TSAPI Switch Driver OAM
9 | AE Services | Ephemeral | AE Services | 5503 | TCP | No | Open | DLG Service OAM
10 | AE Services | Ephemeral | AE Services | 5504 | TCP | No | Open | Transport Service OAM
11 | AE Services | Ephemeral | AE Services | 5505 | TCP | No | Open | ASAI Link Service
12 | AE Services | Ephemeral | AE Services | 8080 | TCP/HTTP | Yes | Open | Web License Manager
13 | AE Services | Ephemeral | AE Services | 8443 | TCP/HTTPS | Yes | Open | Web License Manager
14 | AE Services | Ephemeral | AE Services | 8081, 8082 | TCP | No | Open | JMX (Management)
15 | AE Services | Ephemeral | AE Services | 8084, 8085 | TCP | No | Open | JMX (Management)
16 | AE Services | Ephemeral | AE Services | 10161 | UDP | No | Open | SNMP
17 | AE Services | Ephemeral | AE Services | 1777 | TCP | Yes | Open | AESvcsSnmpAgen
18 | AE Services | Ephemeral | AE Services | 1778 | TCP | Yes | Open | AESvcs
19 | AE Services | Ephemeral | AE Services | 1779 | TCP | Yes | Open | DMCCSvc
20 | AE Services | Ephemeral | AE Services | 2583 | TCP/UDP | Yes | Open | perl
21 | AE Services | Ephemeral | AE Services | 25 | TCP | Yes | Open | master
22 | AE Services | Ephemeral | AE Services | 705 | TCP | Yes | Open | Snmpd
23 | AE Services | Ephemeral | AE Services | 199 | TCP | Yes | Open | Snmpd
24 | AE Services | Ephemeral | AE Services | 514 | UDP | Yes | Open | rsyslogd
25 | AE Services | Ephemeral | AE Services | 515 | UDP | Yes | Open | rsyslogd
26 | AE Services | Ephemeral | AE Services | 5517 | UDP | Yes | Open | rsyslogd
27 | AE Services | Ephemeral | AE Services | 8005 | TCP6 | Yes | Open | Tomcat
28 | AE Services | Ephemeral | AE Services | 5510 | UDP | Yes | Open | rsyslogd

NOTES:

1. An ephemeral port is a short-lived transport-protocol port for Internet Protocol (IP) communications, allocated automatically by the initiator from a predefined range of ports between 1024 and 65535.
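A matrix is only useful if the host agrees with it. The Python script below is an added example, not Avaya tooling: it parses the output of `ss -Hlntu` and reports listeners that are absent from Tables 1 and 2, listeners the matrix says are Closed by default (for example unencrypted DMCC on 4721 or the HTTP console on 80), and Open-by-default listeners that are missing (for example the TLS CVLAN listener on 9998 while the unsecured one on 9999 is up). The `ss` output shown is constructed for the example and the expected-state table is a subset of the matrix. A Table 2 service found bound to 0.0.0.0 instead of 127.0.0.1 is reported as both "unexpected" and "missing", which is the right signal for a localhost-only service exposed on the network.

```python
"""Audit the listening sockets of an AE Services host against the port matrix.

Added example, not Avaya tooling. EXPECTED is a subset of Tables 1 and 2
above; SAMPLE_SS is constructed to look like `ss -Hlntu` output and contains
deliberate deviations. On a real host run `ss -Hlntu` and pass its output
to audit_listeners().
"""
import re
from typing import Dict, Iterator, List, Tuple

Listener = Tuple[int, str, str]  # (port, "tcp" or "udp", "any" or "lo")

# Default Port State per matrix row. "any" = network-facing (Table 1),
# "lo" = bound to 127.0.0.1 only (Table 2).
EXPECTED: Dict[Listener, str] = {
    (22, "tcp", "any"): "Open",      # SSH
    (80, "tcp", "any"): "Closed",    # Management Console over plain HTTP
    (161, "udp", "any"): "Closed",   # SNMP agent
    (443, "tcp", "any"): "Open",     # Management Console over HTTPS
    (450, "tcp", "any"): "Open",     # TSAPI listener
    (4721, "tcp", "any"): "Closed",  # DMCC XML, unencrypted
    (4722, "tcp", "any"): "Open",    # DMCC XML over TLS
    (5430, "tcp", "lo"): "Open",     # Database, localhost only (Table 2)
    (5501, "tcp", "lo"): "Open",     # TSAPI Service OAM, localhost only (Table 2)
    (5678, "tcp", "any"): "Closed",  # DLG listener
    (9998, "tcp", "any"): "Open",    # Secure CVLAN
    (9999, "tcp", "any"): "Open",    # Unsecure and OAM CVLAN
}

# Note 4 of Table 1: ports here open per registered station, so a listener
# inside these ranges is expected whenever stations are registered.
DYNAMIC_RANGES = [("tcp", 20000, 29999), ("udp", 30000, 49999)]

# Netid  State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

# Constructed sample: 80, 161 and 4721 are up although Closed by default,
# 2323 is not in the matrix, 9998 (secure CVLAN) is missing, 20001 is a
# per-station port and therefore acceptable.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:450       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:2323      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:4721      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:4722      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:9999      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:20001     0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5430      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5501      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""


def parse_ss(output: str) -> Iterator[Listener]:
    """Yield (port, proto, bind) for every listening socket in `ss -Hlntu` output."""
    for line in output.splitlines():
        match = SS_LINE.match(line.strip())
        if not match:
            continue
        proto, addr, port = match.group(1), match.group(2), int(match.group(3))
        bind = "lo" if addr in ("127.0.0.1", "[::1]") else "any"
        yield port, proto, bind


def in_dynamic_range(port: int, proto: str) -> bool:
    """True if the port belongs to one of the per-station ranges of Note 4."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in DYNAMIC_RANGES)


def audit_listeners(ss_output: str) -> Dict[str, List[Listener]]:
    """Classify listeners: not in the matrix, Closed-by-default but listening,
    or Open-by-default but absent (a missing TLS listener is also a finding)."""
    seen = set(parse_ss(ss_output))
    findings: Dict[str, List[Listener]] = {"unexpected": [], "should_be_closed": [], "missing": []}
    for key in sorted(seen):
        port, proto, _bind = key
        state = EXPECTED.get(key)
        if state is None:
            if not in_dynamic_range(port, proto):
                findings["unexpected"].append(key)
        elif state == "Closed":
            findings["should_be_closed"].append(key)
    for key, state in sorted(EXPECTED.items()):
        if state == "Open" and key not in seen:
            findings["missing"].append(key)
    return findings


if __name__ == "__main__":
    for kind, items in audit_listeners(SAMPLE_SS).items():
        print(kind, items)
```

The "should_be_closed" list is the one to act on first: each entry is a service the Management Console can disable, and the two plaintext ones (80 and 4721) have a TLS counterpart (443 and 4722) that the matrix expects to be the open one.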

2.3 Port Table Changes

Table 3: Port Changes From AE Services 6.3.3 to 7.0

Source | Source Port (Configurable Range) | Destination | Destination Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
CM | Ephemeral | AE Services | 20000-29999 (C) | TCP | No | Closed | H.323 Signaling (TTS); range extended to accommodate 8K DMCC registrations
CM | Ephemeral | AE Services | 30000-49999 (C) | UDP | Yes | Closed | H.323 RTP (DMCC Server-Media); range extended to accommodate 8K DMCC registrations
AE Services | Ephemeral | CM | 20000-29999 (C) | UDP | No | Closed | H.323 Registration (RAS); range extended to accommodate 8K DMCC registrations

Note: ICMP (ping) should be enabled between AES and the CM Gateway.


3 Port Usage Diagram


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. Ports are logical descriptors (numbers) that let a device multiplex and de-multiplex information streams. For example, your PC may have several applications receiving information at the same time: an email client talking to destination TCP port 25, a browser talking to destination TCP port 443, and an ssh session talking to destination TCP port 22. The port numbers let the PC de-multiplex the single incoming packet stream into three separate streams, each handed to the application identified by its port number. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of the logical connections that carry data flows. Every TCP and UDP stream has an IP address and a port number for both the source and the destination device. The pairing of an IP address and a port number is called a socket, so each data stream is uniquely identified by two sockets. The source must know both sockets before it can send a data stream to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. A listening port actively waits for a source (client) to make contact using the protocol associated with the port number. HTTPS, for example, is assigned port number 443: when a destination IP device is contacted by a source on port 443, the destination uses the HTTPS protocol for that conversation.

Port Types

Port numbers are divided into three ranges: Well Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports). The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.

Well Known Ports

Well Known Ports are those numbered from 0 through 1023. To provide a service to clients it does not know in advance, a server process defines a listen port and waits on it; common services use listen ports in the well-known range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server waits for a client to contact the server's IP address on that port number to establish a Telnet session, and well-known port 25 waits for an SMTP (email) session. These ports are tied to a well-understood application.

On UNIX and Linux systems only root may bind a listening socket to a well-known port, which is why well-known ports are also called "privileged ports". Connecting to a well-known port as a client needs no privilege. On Linux the CAP_NET_BIND_SERVICE capability grants the bind without full root, and the sysctl net.ipv4.ip_unprivileged_port_start can lower the threshold, so a listener below 1024 is not by itself proof that root-controlled software is behind it.

Registered Ports


Registered Ports are those numbered from 1024 through 49151. Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control; some, but not all, of the ports Avaya uses here are 1719/1720 for H.323, 5060/5061 for SIP and 2944 for H.248. Even though a port is registered to an application name, industry often uses the same port for other applications, so conflicts can occur in an enterprise when two servers use one port number with different meanings.

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535. Dynamic ports, sometimes called "private ports", are available for any general purpose: no application meaning is attached to them, much as RFC 1918 addresses have no global meaning. They are the least likely to collide with a registered service, and, for the same reason, a firewall cannot infer the application from a port number in this range. Operating systems do not all draw their ephemeral (client source) ports from this range: the Linux default net.ipv4.ip_local_port_range is 32768 to 60999, which is why the port tables in this document describe an ephemeral source port only as a port between 1024 and 65535.

Sockets

A socket is the pairing of an IP address with a port number, written here as IP:port. An example is 192.168.5.17:3009, where 3009 is the port number associated with the IP address. A data flow, or conversation, requires two sockets, one at the source device and one at the destination device, so a data flow has four logical elements: two IP addresses and two port numbers. Each data flow must be unique; if any one of the four elements differs, the data flow is a different one. (Strictly, the transport protocol is a fifth element: TCP 10.1.2.3:2345 and UDP 10.1.2.3:2345 are different endpoints, which is why the port tables state the protocol with every port.) The following three data flows are uniquely identified by port number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345. Two different IP addresses and port numbers; a valid and typical socket pair.

Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345. The same IP addresses, and the same port number on the second socket, as Data Flow 1, but because the port number of the first socket differs the data flow is unique.

Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345. The same port numbers as Data Flow 1, but one octet of the second IP address differs, so this too is a unique data flow.

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.
  Client -> Web server (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80
  Web server -> Client (TCP info): Source 10.10.10.47:80, Destination 192.168.1.10:1369


The client's egress stream carries the client's source IP address and port (1369) and the destination IP address and port (80). The ingress stream from the server has the source and destination information reversed.

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet filtering is the most basic form of firewall. Each packet that enters or leaves the network has its header fields examined and checked against a set of criteria that decide whether to drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device on the Accounting subnet.

An Application Level Gateway (ALG) acts as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs inspect each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems that track each connection traversing any interface of the firewall and verify that it is valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of each connection and records it in a state table. Stateful inspection firewalls keep ports closed until a connection to the specific port is requested, which is an improvement in security against port scanning [1].

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access based on IP addresses, port numbers, application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies may be created. These policies are meant to allow Avaya's business communications to proceed seamlessly without allowing unnecessary access into the network.

Knowing that the Source column in the matrices of this document is the socket initiator is the key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction; however, it can also raise security concerns, because the return path is derived from the first packet and is only as narrow as the state the firewall records for it (it must be bound to the exact socket pair and expire with the connection).

[1] Port scanning is the act of systematically connecting to a range of a computer's ports, one at a time. Since a port is a place where information enters and exits a computer, port scanning identifies open doors into the computer. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature, for example when someone is looking for a weak access point to break into the computer.

Another feature of some firewalls is an umbrella policy that allows access for many independent data flows which share a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.
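The stateful behaviour described above (a connection tracked by its two sockets, with the return path admitted only because the initiator's packet was recorded first) can be shown in a few lines. The Python below is an added example and not part of the Avaya document: it keys a state table on the transport protocol plus both sockets, runs the appendix's three data flows through it, and shows that a reply to Data Flow 1 passes while a packet that merely looks like a reply to an unrecorded flow, or a connection the server tries to open back toward the client, is dropped. The policy set and the TCP SYN check are assumptions of the example.

```python
"""A minimal stateful filter keyed on the socket pair.

Added example, not part of the Avaya document. It models two points of the
appendix: a data flow is identified by its two sockets (plus transport
protocol), and a stateful firewall admits the return path of a flow only
because it recorded the initiator's first packet. The addresses are the
appendix's Data Flow examples; the policy and the check on the TCP SYN flag
are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP only: first packet of a new connection

    def flow(self) -> FlowKey:
        """The flow as sent: source socket first."""
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self) -> FlowKey:
        """The same flow as the initiator recorded it (sockets swapped)."""
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFilter:
    """Accept new flows only when the initiator's packet matches the policy;
    then accept later packets of that flow in either direction."""

    def __init__(self, policy: Set[Tuple[str, str, int]]):
        self.policy = policy                 # (proto, dst_ip, dst_port) an initiator may open
        self.state: Dict[FlowKey, int] = {}  # recorded flows -> packets seen

    def accept(self, pkt: Packet) -> bool:
        if pkt.flow() in self.state:            # initiator -> responder, known flow
            self.state[pkt.flow()] += 1
            return True
        if pkt.reverse_flow() in self.state:    # responder -> initiator: the return path
            self.state[pkt.reverse_flow()] += 1
            return True
        if pkt.proto == "tcp" and not pkt.syn:  # mid-stream packet with no state: drop
            return False
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) not in self.policy:
            return False                        # initiator may not open this socket
        self.state[pkt.flow()] = 1              # new flow: create the state entry
        return True


def demo() -> Tuple[List[bool], int, bool, bool, bool]:
    """Run the appendix's three data flows through the filter."""
    fw = StatefulFilter({("tcp", "10.1.2.3", 2345), ("tcp", "10.1.2.4", 2345)})
    opened = [fw.accept(Packet("tcp", "172.16.16.14", 1234, "10.1.2.3", 2345, syn=True)),  # Data Flow 1
              fw.accept(Packet("tcp", "172.16.16.14", 1235, "10.1.2.3", 2345, syn=True)),  # Data Flow 2
              fw.accept(Packet("tcp", "172.16.16.14", 1234, "10.1.2.4", 2345, syn=True))]  # Data Flow 3
    reply = fw.accept(Packet("tcp", "10.1.2.3", 2345, "172.16.16.14", 1234))    # return path of flow 1
    forged = fw.accept(Packet("tcp", "10.1.2.3", 2345, "172.16.16.14", 1236))   # looks like a reply, no flow
    reverse = fw.accept(Packet("tcp", "10.1.2.3", 2345, "172.16.16.14", 22, syn=True))  # server opens SSH back
    return opened, len(fw.state), reply, forged, reverse


if __name__ == "__main__":
    print(demo())
```

The three flows produce three distinct state entries even though they share most of their elements, which is the uniqueness rule of the Sockets section in running form. It is also why the "automatic return path" option is safe only when it is bound to the exact socket pair and expires with the connection: a stateless packet filter that wanted to admit the same replies would have to permit 10.1.2.3:2345 to every high port on the client permanently.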

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 6 Comments Infodevavayacom

No Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

13

Web Browser Ephemeral AE

Services 8443 TCPHTTPS Yes Closed

AE Services Management Console Web Services and License Manager

14 CVLAN Client Ephemeral

AE Services

9998 (C) TCPTLS Yes Open Secure CVLAN Listener

15 CVLAN Client Ephemeral

AE Services

9999 TCP Yes Open Unsecure and OAM CVLAN Listener

16 CM Ephemeral

AE Services

20000 -

29999 (C) TCP No Closed

H323 Signaling (TTS)

17 CM Ephemeral

AE Services

30000 -

49999 (C) UDP Yes Closed

H323 RTP (DMCC Server-Media)

18 AE Services Ephemeral

DNS Server

53 UDP Yes Open DNS

19 AE Services Ephemeral DHCP 67 UDP Yes Closed DHCP

20

AE Services Ephemeral SNMP Trap

Receiver 162 UDP Yes Closed

SNMP TrapNotification to a NMS andor Avaya SALSSG

21 AE Services Ephemeral

LDAP Server

389 (C) TCP Yes Closed LDAP for authentication and authorization

22

AE Services Ephemeral LDAP Server

636 (C) TCP Yes Closed

Secure LDAP ( LDAPS ) for authentication and authorization

23 AE Services Ephemeral CM 8765 TCP No Closed Transport Protocol

24 AE Services

20000-

24999 (C) CM 1720 TCP No Closed

H323 Signaling (Non TTS)

25 AE Services

30000-

34999 (C) CM 1719 UDP No Closed

H323 RAS

26 AE Services

4101-4116

(C) CM 5022 TCP No Closed

System Management Service (SMS) Proxy (aka OSSI Proxy)

27 AE Services Ephemeral

NTP Server

123 UDP Yes Open NTP

28 AE Services Ephemeral WebLM 52233 TCPHTTP Yes Open

Web License Manager

29

AE Services Ephemeral AE

Services 9041 amp 9043 TCP No Closed

Geo HA Active Arbiter to Standby Arbiter Communication

30 AE Services Ephemeral CM 20000 ndash

29999 (C) UDP No Closed

H323 Registration (RAS)

31 Tomcat Ephemeral

AE Services

5001 TCP6 Yes Open Tomact

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 7 Comments Infodevavayacom

No Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

32 Tomcat Ephemeral

AE Services

8009 TCP6 Yes Open Tomcat

33 DmccMain

Ephemeral

AE Services

1098 TCP6 Yes Open Device and media call control

34 DmccMain

Ephemeral

AE Services

8086 TCP6 Yes Open Device and media call control

35 DmccMain

Ephemeral

AE Services

57386 UDP6 Yes Open Device and media call control

36 DmccMain

Ephemeral

AE Services

55392 UDP6 Yes Open Device and media call control

37 LcmMain Ephemeral

AE Services

1099 TCP6 Yes Open Life cycle manager

38 LcmMain Ephemeral

AE Services

8083 TCP6 Yes Open Life cycle manager

39 LcmMain Ephemeral

AE Services

53104 UDP6 Yes Open Life cycle manager

40 SPIRIT WrapperListe

ner Ephemeral

AE Services

59537 TCP6 Yes Open SPIRIT WrapperListener

41 postgres Ephemeral

AE Services

5430 TCP6 Yes Open Database

42 Tomcat Ephemeral

AE Services

57132 UDP6 Yes Open Tomcat

43 Tomcat Ephemeral

AE Services

55855 UDP6 Yes Open Tomcat

44 SnmpAgent Ephemeral

AE Services

10161 UDP6 Yes Open SnmpAgent

45 rsyslogd Ephemeral

AE Services

515 UDP6 Yes Open rsyslogd

NOTES

1 An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications allocated automatically using a predefined range of ports between 1024 and 65535

2 The default interface associated with each port is eth0 but it is configurable via the appropriate AE Services Management Console web-page

3 This table does not fully apply to the SW-Only offer For example for the SW-Only offer the ability to enable amp disable the ports used by third-party services is not controlled by AE Services

4 Each port in the ranges 20000-29999 (TCPUDP) and 30000-49999 (UDP) is opened only when the port has been

assigned to a registered station If the port is not currently assigned to a registered station then the port is closed In

addition the UDP ports in the range 30000-49999 are opened only when the assigned station is configured for Server-

Media

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 8 Comments Infodevavayacom

Table 2 Ports for Application Enablement Services Interface (LocalHost ndash 127001)

No Source Destination Network

Application

Protocol

Optionally

Enabled

No. | Source | Source System Port (Configurable Range) | Destination | Destination System Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
1 | AE Services | Ephemeral | AE Services | 80 | TCP/HTTP | Yes | Open | Web License Manager
2 | AE Services | Ephemeral | AE Services | 389 | TCP | Yes | Open | LDAP for authentication and authorization
3 | AE Services | Ephemeral | AE Services | 443 | TCP/HTTPS | No | Open | Web License Manager
4 | AE Services | Ephemeral | AE Services | 1024-1039 | TCP | No | Open | TSAPI Session Local TLINKS
5 | AE Services | Ephemeral | AE Services | 4101-4116 (C) | TCP | No | Open | System Management Service (SMS) Proxy
6 | AE Services | Ephemeral | AE Services | 5430 | TCP | No | Open | Database
7 | AE Services | Ephemeral | AE Services | 5501 | TCP | No | Open | TSAPI Service OAM
8 | AE Services | Ephemeral | AE Services | 5502 | TCP | No | Open | TSAPI Switch Driver OAM
9 | AE Services | Ephemeral | AE Services | 5503 | TCP | No | Open | DLG Service OAM
10 | AE Services | Ephemeral | AE Services | 5504 | TCP | No | Open | Transport Service OAM
11 | AE Services | Ephemeral | AE Services | 5505 | TCP | No | Open | ASAI Link Service
12 | AE Services | Ephemeral | AE Services | 8080 | TCP/HTTP | Yes | Open | Web License Manager
13 | AE Services | Ephemeral | AE Services | 8443 | TCP/HTTPS | Yes | Open | Web License Manager
14 | AE Services | Ephemeral | AE Services | 8081/8082 | TCP | No | Open | JMX (Management)
15 | AE Services | Ephemeral | AE Services | 8084/8085 | TCP | No | Open | JMX (Management)
16 | AE Services | Ephemeral | AE Services | 10161 | UDP | No | Open | SNMP
17 | AE Services | Ephemeral | AE Services | 1777 | TCP | Yes | Open | AESvcsSnmpAgen
18 | AE Services | Ephemeral | AE Services | 1778 | TCP | Yes | Open | AESvcs
19 | AE Services | Ephemeral | AE Services | 1779 | TCP | Yes | Open | DMCCSvc
20 | AE Services | Ephemeral | AE Services | 2583 | TCP/UDP | Yes | Open | perl
21 | AE Services | Ephemeral | AE Services | 25 | TCP | Yes | Open | master
22 | AE Services | Ephemeral | AE Services | 705 | TCP | Yes | Open | Snmpd
23 | AE Services | Ephemeral | AE Services | 199 | TCP | Yes | Open | Snmpd
24 | AE Services | Ephemeral | AE Services | 514 | UDP | Yes | Open | rsyslogd
25 | AE Services | Ephemeral | AE Services | 515 | UDP | Yes | Open | rsyslogd
26 | AE Services | Ephemeral | AE Services | 5517 | UDP | Yes | Open | rsyslogd
27 | AE Services | Ephemeral | AE Services | 8005 | TCP6 | Yes | Open | Tomcat
28 | AE Services | Ephemeral | AE Services | 5510 | UDP | Yes | Open | rsyslogd

NOTES:

1. An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications, allocated automatically from a predefined range of ports between 1024 and 65535.
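The table above lists ports that are expected to be reachable only on the loopback interface (127.0.0.1). A practitioner hardening an AE Services host wants to confirm that this is what the host actually does. The following Python audit is an added example, not Avaya's code or tooling: it expands the matrix's port cells (single ports, ranges such as 1024-1039, alternatives such as 8081/8082, and the "(C)" configurable-range marker), parses the output of `ss -lntu`, and reports any loopback-only port bound to a non-loopback address as well as listeners the matrix does not list at all. The sets LOOPBACK_ONLY and KNOWN are a constructed subset of the matrix chosen for illustration (a port such as 443 or 10161 appears in both the network-interface table and the localhost table, so only ports absent from the network-interface table belong in LOOPBACK_ONLY); the ss sample is constructed, not captured from a real host.

```python
"""Audit live listeners against the port matrix.

Added example, not Avaya's code. LOOPBACK_ONLY and KNOWN are constructed
subsets of the matrix; derive the real sets from the full tables for your release.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


def parse_port_spec(spec: str) -> set:
    """Expand a matrix port cell ('80', '1024-1039', '8081/8082', '4101-4116 (C)') into a set of ints.

    '(C)' only marks the range as configurable; the default range is what gets checked.
    """
    spec = spec.replace("(C)", "")
    ports = set()
    for part in re.split(r"[,/]", spec):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


# Assumption: these ports appear only in the localhost table on this deployment.
LOOPBACK_ONLY = {
    "tcp": parse_port_spec("1024-1039, 4101-4116 (C), 5430, 5501, 5502, 5503, 5504, 5505, 8005, 8081/8082, 8084/8085"),
    "udp": parse_port_spec("5510, 5517"),
}
# Every port the matrix lists for either interface (constructed subset of both tables).
KNOWN = {
    "tcp": LOOPBACK_ONLY["tcp"] | parse_port_spec("25, 80, 199, 389, 443, 705, 1098, 1099, 1777-1779, 2583, 8009, 8080, 8083, 8086, 8443"),
    "udp": LOOPBACK_ONLY["udp"] | parse_port_spec("514, 515, 2583, 10161"),
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_ss(output: str) -> list:
    """Parse the Netid and 'Local Address:Port' columns of `ss -lntu` output."""
    listeners = []
    for line in output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # IPv6 addresses contain ':' so split on the last one
        listeners.append(Listener(proto, addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; '*' (any address) is never loopback."""
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback


def audit(listeners, loopback_only=LOOPBACK_ONLY, known=KNOWN) -> list:
    """Return findings as (kind, proto, port, addr) tuples.

    'exposed': a loopback-only port is bound to a non-loopback address.
    'unknown': a listener on a port the matrix does not list at all.
    """
    findings = []
    for l in listeners:
        if l.port in loopback_only.get(l.proto, set()) and not is_loopback(l.addr):
            findings.append(("exposed", l.proto, l.port, l.addr))
        elif l.port not in known.get(l.proto, set()):
            findings.append(("unknown", l.proto, l.port, l.addr))
    return findings


# Constructed sample of `ss -lntu` output; not captured from a real AE Services host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:5430      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8081        0.0.0.0:*
tcp   LISTEN 0      128    [::]:8005           [::]:*
tcp   LISTEN 0      128    *:8009              *:*
tcp   LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:5510      0.0.0.0:*
"""


def audit_sample() -> list:
    """Run the audit over the constructed sample."""
    return audit(parse_ss(SAMPLE_SS))


if __name__ == "__main__":
    for kind, proto, port, addr in audit_sample():
        print(f"{kind:8s} {proto}/{port} bound to {addr}")
```

On the sample, the database port 5430 and the rsyslogd UDP port are correctly loopback-bound, the JMX port 8081 and Tomcat port 8005 are flagged as exposed, and 4444 is flagged as unknown. Replace SAMPLE_SS with the real `ss -lntu` output from the host; an "unknown" listener is either a matrix port you have not transcribed into KNOWN or something that needs an explanation before the firewall policy is finalised.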

2.3 Port Table Changes

Table 3: Port Changes From AE Services 6.3.3 to 7.0

Source | Source System Port (Configurable Range) | Destination | Destination System Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
CM | Ephemeral | AE Services | 20000-29999 (C) | TCP | No | Closed | H.323 Signaling (TTS) range extended to accommodate 8K DMCC registrations
CM | Ephemeral | AE Services | 30000-49999 (C) | UDP | Yes | Closed | H.323 RTP (DMCC Server-Media) range extended to accommodate 8K DMCC registrations
AE Services | Ephemeral | CM | 20000-29999 (C) | UDP | No | Closed | H.323 Registration (RAS) range extended to accommodate 8K DMCC registrations

Note: ICMP (ping) should be enabled between AES and CM Gateway.


3 Port Usage Diagram


Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. For example, your PC may have multiple applications simultaneously receiving information: email using destination TCP port 25, a browser using destination TCP port 443, and an SSH session using destination TCP port 22. These logical ports allow the PC to de-multiplex a single incoming serial packet stream into three mini-streams inside the PC. Each mini-stream is directed to the correct high-level application, identified by its port number. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both the source and the destination IP device. The pairing of an IP address and a port number is called a socket; therefore each data stream is uniquely identified by two sockets. The source must know both the source and destination sockets before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact using the known protocol associated with the port number. HTTPS, as an example, is assigned port number 443: when a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Types

Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic Ports (sometimes called Private Ports). The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.

Well Known Ports

Well Known Ports are those numbered from 0 through 1023. For the purpose of providing services to unknown clients, a service listen port is defined; this port is used by the server process as its listen port. Common services often use listen ports in the well-known port range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session; well-known port 25 is waiting for an email session, and so on. These ports are tied to a well-understood application and range from 0 to 1023.

In UNIX and Linux operating systems only root may open or close a well-known port. Well Known Ports are also commonly referred to as "privileged ports".

Registered Ports


Registered Ports are those numbered from 1024 through 49151. Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control; some, but not all, of the ports used by Avaya in this range are 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535. Dynamic ports, sometimes called "private ports", are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP address usage). These are the safest ports to use because no application types are linked to these ports. The default dynamic port range for Linux systems is 49152 – 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique: if one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345. Two different port numbers and IP addresses; this is a valid and typical socket pair.

Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345. The same IP addresses, and the same port number on the second IP address, as Data Flow 1, but since the port number on the first socket differs, the data flow is unique.

Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345. If one IP address octet changes, or one port number changes, the data flow is unique.

[Socket Example Diagram. Client to Web Server, HTTP-Get: Source 192.168.1.10:1369, Destination 10.10.10.47:80. Web Server to Client, TCP-info: Destination 192.168.1.10:1369, Source 10.10.10.47:80.]

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.


The client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The ingress stream from the server has the source and destination information reversed.

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined and checked against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from using Telnet to reach any device in the Accounting subnet.

An Application Level Gateway (ALG) acts as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms, or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet up through the application layer is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [1].

Firewall Policies

The goals of firewall policies are to monitor, authorize, and log data flows and events. They also restrict access based on IP addresses, port numbers, application types, and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies may be created. These policies are meant to allow Avaya's business communications to proceed seamlessly without allowing unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is the key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction; however, it can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows which use a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[1] Port Scanning is the act of systematically connecting to a range of a computer's ports one at a time. Since a port is a place where information enters and exits a computer, port scanning identifies open doors to the computer. Port scanning has legitimate uses in managing networks, but it also can be malicious in nature – for example, when someone is looking for a weakened access point to break into the computer.
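Two ideas from this appendix fit in one worked example: the Sockets section's claim that a data flow is unique as soon as one of its four logical elements differs, and the policy point just made that a firewall can admit the return direction automatically once the initiating source has been allowed. The Python below is an added example, not Avaya's code or any real firewall's implementation: a toy stateful filter whose state table is keyed on the four-element socket pair, fed the document's own data flows (172.16.16.14 to 10.1.2.3 and the Figure 1 client to web server). The Packet, Rule and StatefulFilter names and the two rules are constructed for illustration.

```python
"""Toy stateful packet filter keyed on the socket 4-tuple.

Added example, not Avaya's code. Rules allow the initiating direction only; the
state table admits the reverse direction automatically, which is the "return
path" behaviour described in the text. The rule set is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_net: str   # initiator network (the "source" column of the matrices)
    dst_net: str   # listening side
    dst_port: int  # listening port


def flow_key(p: Packet):
    """The four logical elements that make a data flow unique."""
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def reverse_key(key):
    """Socket pair of the reply direction: source and destination swapped."""
    src_ip, src_port, dst_ip, dst_port = key
    return (dst_ip, dst_port, src_ip, src_port)


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # flow keys of conversations an allowed initiator opened

    def _matches_rule(self, p: Packet) -> bool:
        return any(
            ip_address(p.src_ip) in ip_network(r.src_net)
            and ip_address(p.dst_ip) in ip_network(r.dst_net)
            and p.dst_port == r.dst_port
            for r in self.rules
        )

    def handle(self, p: Packet) -> str:
        key = flow_key(p)
        if reverse_key(key) in self.state:
            return "ALLOW-ESTABLISHED"  # reply to a flow the initiator was allowed to open
        if self._matches_rule(p):
            self.state.add(key)
            return "ALLOW-NEW"
        return "DROP"  # no rule and no matching state entry


def run_scenario():
    """Replay the document's data flows through the filter; returns (verdicts, filter)."""
    fw = StatefulFilter([
        Rule("172.16.16.0/24", "10.1.2.0/24", 2345),   # constructed rule for the Sockets examples
        Rule("192.168.1.0/24", "10.10.10.47/32", 80),  # client to web server, as in Figure 1
    ])
    packets = [
        Packet("172.16.16.14", 1234, "10.1.2.3", 2345),   # Data Flow 1
        Packet("10.1.2.3", 2345, "172.16.16.14", 1234),   # its reply: matched by state, not by a rule
        Packet("172.16.16.14", 1235, "10.1.2.3", 2345),   # Data Flow 2: one port differs, so a new flow
        Packet("10.1.2.3", 2345, "172.16.16.14", 1236),   # unsolicited: no initiator opened port 1236
        Packet("172.16.16.14", 4000, "10.1.2.3", 23),     # Telnet: no rule permits it
        Packet("192.168.1.10", 1369, "10.10.10.47", 80),  # client egress (HTTP GET)
        Packet("10.10.10.47", 80, "192.168.1.10", 1369),  # server ingress (TCP-info)
    ]
    return [fw.handle(p) for p in packets], fw


if __name__ == "__main__":
    verdicts, fw = run_scenario()
    for v in verdicts:
        print(v)
    print("distinct flows in state table:", len(fw.state))
```

The state table ends up holding three distinct conversations, which is exactly the uniqueness argument of the Sockets section. The toy also shows why the auto-return feature "can raise security concerns": the reply direction is admitted purely on the strength of a state entry, so a real stateful firewall additionally checks transport state (for TCP, that the entry was created by a SYN and is torn down on FIN/RST) and ages entries out; this example never expires them.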

No. | Source | Source System Port (Configurable Range) | Destination | Destination System Port (Configurable Range) | Network/Application Protocol | Optionally Enabled/Disabled | Default Port State | Description
32 | Tomcat | Ephemeral | AE Services | 8009 | TCP6 | Yes | Open | Tomcat
33 | DmccMain | Ephemeral | AE Services | 1098 | TCP6 | Yes | Open | Device and media call control
34 | DmccMain | Ephemeral | AE Services | 8086 | TCP6 | Yes | Open | Device and media call control
35 | DmccMain | Ephemeral | AE Services | 57386 | UDP6 | Yes | Open | Device and media call control
36 | DmccMain | Ephemeral | AE Services | 55392 | UDP6 | Yes | Open | Device and media call control
37 | LcmMain | Ephemeral | AE Services | 1099 | TCP6 | Yes | Open | Life cycle manager
38 | LcmMain | Ephemeral | AE Services | 8083 | TCP6 | Yes | Open | Life cycle manager
39 | LcmMain | Ephemeral | AE Services | 53104 | UDP6 | Yes | Open | Life cycle manager
40 | SPIRIT WrapperListener | Ephemeral | AE Services | 59537 | TCP6 | Yes | Open | SPIRIT WrapperListener
41 | postgres | Ephemeral | AE Services | 5430 | TCP6 | Yes | Open | Database
42 | Tomcat | Ephemeral | AE Services | 57132 | UDP6 | Yes | Open | Tomcat
43 | Tomcat | Ephemeral | AE Services | 55855 | UDP6 | Yes | Open | Tomcat
44 | SnmpAgent | Ephemeral | AE Services | 10161 | UDP6 | Yes | Open | SnmpAgent
45 | rsyslogd | Ephemeral | AE Services | 515 | UDP6 | Yes | Open | rsyslogd

NOTES:

1. An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications, allocated automatically from a predefined range of ports between 1024 and 65535.

2. The default interface associated with each port is eth0, but it is configurable via the appropriate AE Services Management Console web page.

3. This table does not fully apply to the SW-Only offer. For example, for the SW-Only offer the ability to enable & disable the ports used by third-party services is not controlled by AE Services.

4. Each port in the ranges 20000-29999 (TCP/UDP) and 30000-49999 (UDP) is opened only when the port has been assigned to a registered station. If the port is not currently assigned to a registered station, then the port is closed. In addition, the UDP ports in the range 30000-49999 are opened only when the assigned station is configured for Server-Media.

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 8 Comments Infodevavayacom

Table 2 Ports for Application Enablement Services Interface (LocalHost ndash 127001)

No Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

1 AE Services Ephemeral

AE Services

80 TCPHTTP Yes Open Web License Manager

2 AE Services Ephemeral

AE Services

389 TCP Yes Open LDAP for authentication and authorization

3 AE Services Ephemeral

AE Services

443 TCPHTTPS No Open Web License Manager

4 AE Services Ephemeral

AE Services

1024-1039 TCP No Open TSAPI Session Local TLINKS

5 AE Services Ephemeral

AE Services

4101-4116

(C) TCP No Open

System Management Service (SMS) Proxy

6

AE Services Ephemeral AE

Services 5430 TCP No Open

Database

7 AE Services Ephemeral

AE Services

5501 TCP No Open TSAPI Service OAM

8 AE Services Ephemeral

AE Services

5502 TCP No Open TSAPI Switch Driver OAM

9 AE Services Ephemeral

AE Services

5503 TCP No Open DLG Service OAM

10 AE Services Ephemeral

AE Services

5504 TCP No Open Transport Service OAM

11 AE Services Ephemeral

AE Services

5505 TCP No Open ASAI Link Service

12 AE Services Ephemeral

AE Services

8080 TCPHTTP Yes Open Web License Manager

13 AE Services Ephemeral

AE Services

8443 TCPHTTPS Yes Open Web License Manager

14 AE Services Ephemeral

AE Services

80818082 TCP No Open JMX (Management)

15 AE Services Ephemeral

AE Services

80848085 TCP No Open JMX (Management)

16 AE Services Ephemeral

AE Services

10161 UDP No Open SNMP

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 9 Comments Infodevavayacom

No Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

17 AE Services Ephemeral

AE Services

1777 TCP Yes Open AESvcsSnmpAgen

18 AE Services Ephemeral

AE Services

1778 TCP Yes Open AESvcs

19 AE Services Ephemeral

AE Services

1779 TCP Yes Open DMCCSvc

20 AE Services Ephemeral

AE Services

2583 TCPUDP Yes Open perl

21 AE Services Ephemeral

AE Services

25 TCP Yes Open master

22 AE Services Ephemeral

AE Services

705 TCP Yes Open Snmpd

23 AE Services Ephemeral

AE Services

199 TCP Yes Open Snmpd

24 AE Services Ephemeral

AE Services

514 UDP Yes Open rsyslogd

25 AE Services Ephemeral

AE Services

515 UDP Yes Open rsyslogd

26 AE Services Ephemeral

AE Services

5517 UDP Yes Open rsyslogd

27 AE Services Ephemeral

AE Services

8005 TCP6 Yes Open Tomcat

28 AE Services Ephemeral

AE Services

5510 UDP Yes Open rsyslogd

NOTES 1 An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications allocated automatically

using a predefined range of ports between 1024 and 65535

23 Port Table Changes

Table 3 Port Changes From AE Services 633 to 70

Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

CM Ephemeral AE

Services 20000-

29999 (C) TCP No Closed

H323 Signaling (TTS) range extended to accommodate 8K DMCC registrations

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 10 Comments Infodevavayacom

Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

CM Ephemeral AE

Services 30000-

49999 (C) UDP Yes Closed

H323 RTP (DMCC Server-Media) range extended to accommodate 8K DMCC registrations

AE Services

Ephemeral CM 20000 ndash

29999 (C) UDP No Closed

H323 Registration (RAS) range extended to accommodate 8K DMCC registrations

Note ICMP (ping) should be enabled between AES and CM Gateway

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 11 Comments Infodevavayacom

3 Port Usage Diagram

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 12 Comments Infodevavayacom

Appendix A Overview of TCPIP Ports

What are ports and how are they used

TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams For example your PC may have multiple applications simultaneously receiving information email using destination TCP port 25 a browser using destination TCP port 443 and a ssh session using destination TCP port 22 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Each of the mini-streams is directed to the correct high-level application identified by the port numbers Every IP device has incoming (Ingress) and outgoing (Egress) data streams

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact with the known protocol associated with the port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation

Port Types

Port numbers are divided into three ranges Well Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports) The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers

Well Known Ports

Well Known Ports are those numbered from 0 through 1023 For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023

In UNIX and Linux operating systems only root may open or close a well-known port Well Known Ports are also commonly referred to as ldquoprivileged portsrdquo

Registered Ports

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 13 Comments Infodevavayacom

Registered Ports are those numbered from 1024 through 49151 Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535 Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The default dynamic port range for Linux systems is 49152 ndash 65535

Sockets

A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345

two different port numbers and IP addresses and is a valid and typical socket pair Data Flow 2 1721616141235 - 101232345

same IP addresses and port numbers on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique

Data Flow 3 1721616141234 - 101242345 If one IP address octet changes or one port number changes the data flow is unique

`

Client Web ServerHTTP-Get Source 1921681101369 Destination 1010104780

TCP-info Destination 1921681101369 Source 1010104780

Socket Example Diagram

Figure 1 Socket example showing ingress and egress data flows from a PC to a web server

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 14 Comments Infodevavayacom

The client egress stream includes the clientrsquos source IP and socket (1369) and the destination IP and socket (80) The ingress stream from the server has the source and destination information reversed

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types

bull Packet Filtering

bull Application Level Gateways (Proxy Servers)

bull Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of the firewalls Each packet that arrives or leaves the network has its header fields examined and checked against criterion to either drop the packet or let it through Routers configured with Access Control Lists (ACL) use packet filtering An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any device in the Accounting subnet

An Application Level Gateway (ALG) acts as a proxy preventing a direct connection between the foreign device and the internal destination device ALGs filter each individual packet rather than blindly copying bytes ALGs can also send alerts via email alarms or other methods and keep log files to track significant events

Hybrid firewalls are dynamic systems tracking each connection traversing all interfaces of the firewall and making sure they are valid In addition to looking at headers the content of the packet up through the application layer is examined A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table Stateful inspection firewalls close off ports until the connection to the specific port is requested This is an enhancement to security against port scanning1

Firewall Policies

The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access based on IP addresses port numbers application types and sub-types

This paper is focused with identifying the port numbers used by Avaya products so that effective firewall policies may be created These policies are meant allow Avayarsquos business communications to proceed seamlessly without allowing unnecessary access into the network

Knowing that the source column in the following matrices is the socket initiator is the key to building some types of firewall policies Some firewalls can be configured to automatically create a return

1 Port Scanning is the act of systematically connecting to a range of a computers ports one at a time Since a port is

a place where information enters and exits a computer port scanning identifies open doors to the computer Port

scanning has legitimate uses in managing networks but it also can be malicious in nature ndash for example when

someone is looking for a weakened access point to break into the computer

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 15 Comments Infodevavayacom

path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction however it can also raise security concerns

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows which use a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 8 Comments Infodevavayacom

Table 2 Ports for Application Enablement Services Interface (LocalHost ndash 127001)

No Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

1 AE Services Ephemeral

AE Services

80 TCPHTTP Yes Open Web License Manager

2 AE Services Ephemeral

AE Services

389 TCP Yes Open LDAP for authentication and authorization

3 AE Services Ephemeral

AE Services

443 TCPHTTPS No Open Web License Manager

4 AE Services Ephemeral

AE Services

1024-1039 TCP No Open TSAPI Session Local TLINKS

5 AE Services Ephemeral

AE Services

4101-4116

(C) TCP No Open

System Management Service (SMS) Proxy

6

AE Services Ephemeral AE

Services 5430 TCP No Open

Database

7 AE Services Ephemeral

AE Services

5501 TCP No Open TSAPI Service OAM

8 AE Services Ephemeral

AE Services

5502 TCP No Open TSAPI Switch Driver OAM

9 AE Services Ephemeral

AE Services

5503 TCP No Open DLG Service OAM

10 AE Services Ephemeral

AE Services

5504 TCP No Open Transport Service OAM

11 AE Services Ephemeral

AE Services

5505 TCP No Open ASAI Link Service

12 AE Services Ephemeral

AE Services

8080 TCPHTTP Yes Open Web License Manager

13 AE Services Ephemeral

AE Services

8443 TCPHTTPS Yes Open Web License Manager

14 AE Services Ephemeral

AE Services

80818082 TCP No Open JMX (Management)

15 AE Services Ephemeral

AE Services

80848085 TCP No Open JMX (Management)

16 AE Services Ephemeral

AE Services

10161 UDP No Open SNMP

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 9 Comments Infodevavayacom

No Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

17 AE Services Ephemeral

AE Services

1777 TCP Yes Open AESvcsSnmpAgen

18 AE Services Ephemeral

AE Services

1778 TCP Yes Open AESvcs

19 AE Services Ephemeral

AE Services

1779 TCP Yes Open DMCCSvc

20 AE Services Ephemeral

AE Services

2583 TCPUDP Yes Open perl

21 AE Services Ephemeral

AE Services

25 TCP Yes Open master

22 AE Services Ephemeral

AE Services

705 TCP Yes Open Snmpd

23 AE Services Ephemeral

AE Services

199 TCP Yes Open Snmpd

24 AE Services Ephemeral

AE Services

514 UDP Yes Open rsyslogd

25 AE Services Ephemeral

AE Services

515 UDP Yes Open rsyslogd

26 AE Services Ephemeral

AE Services

5517 UDP Yes Open rsyslogd

27 AE Services Ephemeral

AE Services

8005 TCP6 Yes Open Tomcat

28 AE Services Ephemeral

AE Services

5510 UDP Yes Open rsyslogd

NOTES 1 An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications allocated automatically

using a predefined range of ports between 1024 and 65535

23 Port Table Changes

Table 3 Port Changes From AE Services 633 to 70

Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

CM Ephemeral AE

Services 20000-

29999 (C) TCP No Closed

H323 Signaling (TTS) range extended to accommodate 8K DMCC registrations

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 10 Comments Infodevavayacom

Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

CM Ephemeral AE

Services 30000-

49999 (C) UDP Yes Closed

H323 RTP (DMCC Server-Media) range extended to accommodate 8K DMCC registrations

AE Services

Ephemeral CM 20000 ndash

29999 (C) UDP No Closed

H323 Registration (RAS) range extended to accommodate 8K DMCC registrations

Note ICMP (ping) should be enabled between AES and CM Gateway

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 11 Comments Infodevavayacom

3 Port Usage Diagram

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 12 Comments Infodevavayacom

Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (assigned at http://www.iana.org/assignments/port-numbers) to deliver traffic arriving at a particular IP device to the correct upper-layer application. These ports are logical descriptors (numbers) that let devices multiplex and de-multiplex information streams. For example, your PC may have multiple applications simultaneously receiving information: mail transfer using destination TCP port 25, a browser using destination TCP port 443, and an SSH session using destination TCP port 22. These logical ports allow the PC to de-multiplex a single incoming serial packet stream into three mini-streams inside the PC, each directed to the correct high-level application identified by its port number. Every IP device has incoming (ingress) and outgoing (egress) data streams.

Ports are used in TCP and UDP to name the ends of the logical connections which carry data flows. TCP and UDP streams have an IP address and a port number for both the source and the destination IP device. The pairing of an IP address and a port number is called a socket, so each data stream is uniquely identified by two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are "open" to receive data streams and are called "listening" ports. Listening ports actively wait for a source (client) to make contact using the known protocol associated with the port number. HTTPS, as an example, is assigned port number 443: when a destination IP device is contacted by a source device on port 443, the destination is expected to speak HTTPS for that data-stream conversation. The port number itself does not enforce the protocol, which is why a port matrix names the actual application behind each port rather than relying on the IANA assignment.

Port Types

Port numbers are divided into three ranges: Well Known Ports, Registered Ports and Dynamic Ports (sometimes called Private Ports). The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are listed at http://www.iana.org/assignments/port-numbers.

Well Known Ports

Well Known Ports are those numbered 0 through 1023. To provide a service to unknown clients, a service listen port is defined; the server process uses this port as its listen port, and common services usually use listen ports in the well-known range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server is actively waiting for a data source to contact the server IP address on this port number to establish a Telnet session; well-known port 25 is waiting for an SMTP mail session, and so on. These ports are tied to a well-understood application.

On UNIX and Linux systems, binding a listener to a well-known port requires root privileges (on Linux the CAP_NET_BIND_SERVICE capability is sufficient, and the boundary is the kernel's net.ipv4.ip_unprivileged_port_start setting, 1024 by default); closing a socket needs no special privilege. For this reason Well Known Ports are also commonly referred to as "privileged ports". Note that the privilege applies to the process on the server, not to the client: any client can connect to a well-known port, so the restriction is not a substitute for a firewall rule.

Registered Ports


Registered Ports are those numbered 1024 through 49151. Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control; some, but not all, of the ports Avaya uses in this range are 1719/1720 for H.323, 5060/5061 for SIP and 2944 for H.248. Even though a port is registered to an application name, industry often uses these ports for different applications, and conflicts can occur in an enterprise when two servers use the same port number with different meanings.

Dynamic Ports

Dynamic Ports are those numbered 49152 through 65535. Dynamic ports, sometimes called "private ports", are available for any general purpose: no meaning is associated with them (similar to RFC 1918 IP address usage), so they are the least likely to collide with a registered application. Although 49152 through 65535 is the IANA dynamic range (and the default ephemeral range on Windows and BSD-derived systems), Linux by default allocates ephemeral source ports from 32768 through 60999, as set by the net.ipv4.ip_local_port_range sysctl. Check the local setting before writing a firewall rule that assumes a particular source-port range for the "Ephemeral" entries in the matrices.

Sockets

A socket is the pairing of an IP address with a port number; an example is 192.168.5.17:3009, where 3009 is the port number paired with the IP address. A data flow, or conversation, requires two sockets, one at the source device and one at the destination device, so each flow is identified by four logical elements (two addresses and two ports) together with the transport protocol. Each data flow must be unique: if any one of the four elements differs, the data flow is unique. The following three data flows are uniquely identified by port number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345. Two different IP addresses and port numbers; a valid and typical socket pair.

Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345. The same IP addresses as Data Flow 1 and the same port on the second socket, but the port number on the first socket differs, so the data flow is unique.

Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345. One octet of the second IP address differs from Data Flow 1, so the data flow is unique. Changing any one IP address octet or any one port number yields a distinct flow.

Figure 1: Socket example showing ingress and egress data flows from a PC to a web server.
  Client -> Web Server (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80
  Web Server -> Client (TCP reply): Source 10.10.10.47:80, Destination 192.168.1.10:1369


The client egress stream carries the client's source IP address and port (1369) and the destination IP address and port (80). The ingress stream from the server has the source and destination information reversed.

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined and checked against a set of criteria to decide whether to drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from opening a Telnet session (TCP port 23) to any device in the Accounting subnet.

An Application Level Gateway (ALG) acts as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs inspect each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems that track each connection traversing any interface of the firewall and make sure it is valid. In addition to looking at headers, the content of the packet up through the application layer may be examined. A stateful inspection firewall also monitors the state of each connection and records it in a state table: return traffic is admitted only when it matches a flow already in that table, so a port is effectively closed to unsolicited packets until an allowed connection to it has been requested. This is an improvement in security against port scanning¹.

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access based on IP addresses, port numbers, application types and sub-types.

This document focuses on identifying the port numbers used by Avaya products so that effective firewall policies may be created. These policies are meant to allow Avaya's business communications to proceed seamlessly without allowing unnecessary access into the network.

Knowing that the Source column in the port matrices is the socket initiator is the key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction; however, a return rule written purely on addresses and ports also admits unsolicited traffic that happens to match it, which is why a stateful firewall that ties the return path to a recorded flow is preferable.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows which use a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

¹ Port scanning is the act of systematically connecting to a range of a computer's ports, one at a time. Since a port is a place where information enters and exits a computer, port scanning identifies open doors to the computer. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature, for example when someone is looking for a weakened access point to break into the computer.
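The difference between a stateless return rule and stateful inspection is easiest to see on the Figure 1 conversation. As an added example (not from the Avaya document), the following Python model runs the same packets through a router-style ACL with a blanket return rule and through a minimal stateful filter. The addresses are the ones in Figure 1 (192.168.1.10:1369 to 10.10.10.47:80); the other packets (an unsolicited SYN from the server's socket, a probe from 203.0.113.5, and a "reply" from 10.10.10.48) are constructed, and the Rule and StatefulFirewall classes are illustrative rather than any vendor's firewall semantics. Nothing is sent on the network.

```python
"""Stateless ACL vs stateful inspection on the Figure 1 HTTP conversation.

Added example, not from the Avaya document. Addresses come from the page's
socket figure (192.168.1.10:1369 -> 10.10.10.47:80); the remaining packets
are constructed. Nothing is sent on the network.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """Stateless permit entry; a None field matches any value."""
    proto: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]

    def matches(self, p: Packet) -> bool:
        pairs = ((self.proto, p.proto), (self.src_ip, p.src_ip), (self.src_port, p.src_port),
                 (self.dst_ip, p.dst_ip), (self.dst_port, p.dst_port))
        return all(want is None or want == have for want, have in pairs)


def stateless_filter(rules, packets):
    """Router-style ACL: each packet is judged on its own headers only."""
    return [any(r.matches(p) for r in rules) for p in packets]


class StatefulFirewall:
    """Policy names only the initiator direction; replies are admitted from the state table."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # (proto, src_ip, src_port, dst_ip, dst_port) of admitted flows

    @staticmethod
    def _key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def admit(self, p: Packet) -> bool:
        new_tcp = p.proto == "tcp" and p.syn and not p.ack
        if self._key(p) in self.state:
            return True                  # initiator side of a known flow (incl. SYN retransmit)
        if self._reverse(p) in self.state:
            return not new_tcp           # reply direction; a bare SYN is a new connection, not a reply
        if p.proto == "tcp" and not new_tcp:
            return False                 # mid-stream segment with no recorded flow
        if any(r.matches(p) for r in self.rules):
            self.state.add(self._key(p))
            return True
        return False


CLIENT, SERVER = "192.168.1.10", "10.10.10.47"

# Constructed packet sequence: the Figure 1 conversation plus three unwanted packets.
PACKETS = [
    Packet("tcp", CLIENT, 1369, SERVER, 80, syn=True),                   # 0 client SYN
    Packet("tcp", SERVER, 80, CLIENT, 1369, syn=True, ack=True),         # 1 server SYN/ACK (reply)
    Packet("tcp", CLIENT, 1369, SERVER, 80, ack=True),                   # 2 client ACK + HTTP GET
    Packet("tcp", SERVER, 80, CLIENT, 1369, syn=True),                   # 3 unsolicited SYN from the server's socket
    Packet("tcp", "203.0.113.5", 40000, CLIENT, 22, syn=True),           # 4 port-scan probe
    Packet("tcp", "10.10.10.48", 80, CLIENT, 1369, syn=True, ack=True),  # 5 "reply" from a different host
]

INITIATOR_RULE = Rule("tcp", CLIENT, None, SERVER, 80)
RETURN_RULE = Rule("tcp", SERVER, 80, CLIENT, None)   # a blanket return-path rule


def run_both():
    """Return (stateless verdicts, stateful verdicts), one bool per packet in PACKETS."""
    stateless = stateless_filter([INITIATOR_RULE, RETURN_RULE], PACKETS)
    fw = StatefulFirewall([INITIATOR_RULE])
    stateful = [fw.admit(p) for p in PACKETS]
    return stateless, stateful


if __name__ == "__main__":
    for i, (a, b) in enumerate(zip(*run_both())):
        print(f"packet {i}: stateless={'allow' if a else 'drop'}  stateful={'allow' if b else 'drop'}")
```

Packet 3 is the point of the exercise: its 4-tuple is identical to the legitimate SYN/ACK in packet 1, so the stateless return rule admits it, while the stateful filter drops it because a SYN without ACK arriving on the reverse of a recorded flow is a new connection attempt, not a reply. Packet 5 shows the uniqueness rule from the Sockets section: one changed octet is a different flow, and neither filter admits it.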

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 9 Comments Infodevavayacom

No Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

17 AE Services Ephemeral

AE Services

1777 TCP Yes Open AESvcsSnmpAgen

18 AE Services Ephemeral

AE Services

1778 TCP Yes Open AESvcs

19 AE Services Ephemeral

AE Services

1779 TCP Yes Open DMCCSvc

20 AE Services Ephemeral

AE Services

2583 TCPUDP Yes Open perl

21 AE Services Ephemeral

AE Services

25 TCP Yes Open master

22 AE Services Ephemeral

AE Services

705 TCP Yes Open Snmpd

23 AE Services Ephemeral

AE Services

199 TCP Yes Open Snmpd

24 AE Services Ephemeral

AE Services

514 UDP Yes Open rsyslogd

25 AE Services Ephemeral

AE Services

515 UDP Yes Open rsyslogd

26 AE Services Ephemeral

AE Services

5517 UDP Yes Open rsyslogd

27 AE Services Ephemeral

AE Services

8005 TCP6 Yes Open Tomcat

28 AE Services Ephemeral

AE Services

5510 UDP Yes Open rsyslogd

NOTES 1 An Ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications allocated automatically

using a predefined range of ports between 1024 and 65535

23 Port Table Changes

Table 3 Port Changes From AE Services 633 to 70

Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

CM Ephemeral AE

Services 20000-

29999 (C) TCP No Closed

H323 Signaling (TTS) range extended to accommodate 8K DMCC registrations

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 10 Comments Infodevavayacom

Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

CM Ephemeral AE

Services 30000-

49999 (C) UDP Yes Closed

H323 RTP (DMCC Server-Media) range extended to accommodate 8K DMCC registrations

AE Services

Ephemeral CM 20000 ndash

29999 (C) UDP No Closed

H323 Registration (RAS) range extended to accommodate 8K DMCC registrations

Note ICMP (ping) should be enabled between AES and CM Gateway

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 11 Comments Infodevavayacom

3 Port Usage Diagram

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 12 Comments Infodevavayacom

Appendix A Overview of TCPIP Ports

What are ports and how are they used

TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams For example your PC may have multiple applications simultaneously receiving information email using destination TCP port 25 a browser using destination TCP port 443 and a ssh session using destination TCP port 22 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Each of the mini-streams is directed to the correct high-level application identified by the port numbers Every IP device has incoming (Ingress) and outgoing (Egress) data streams

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact with the known protocol associated with the port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation

Port Types

Port numbers are divided into three ranges Well Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports) The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers

Well Known Ports

Well Known Ports are those numbered from 0 through 1023 For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023

In UNIX and Linux operating systems only root may open or close a well-known port Well Known Ports are also commonly referred to as ldquoprivileged portsrdquo

Registered Ports

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 13 Comments Infodevavayacom

Registered Ports are those numbered from 1024 through 49151 Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535 Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The default dynamic port range for Linux systems is 49152 ndash 65535

Sockets

A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345

two different port numbers and IP addresses and is a valid and typical socket pair Data Flow 2 1721616141235 - 101232345

same IP addresses and port numbers on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique

Data Flow 3 1721616141234 - 101242345 If one IP address octet changes or one port number changes the data flow is unique

`

Client Web ServerHTTP-Get Source 1921681101369 Destination 1010104780

TCP-info Destination 1921681101369 Source 1010104780

Socket Example Diagram

Figure 1 Socket example showing ingress and egress data flows from a PC to a web server

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 14 Comments Infodevavayacom

The client egress stream includes the clientrsquos source IP and socket (1369) and the destination IP and socket (80) The ingress stream from the server has the source and destination information reversed

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types

bull Packet Filtering

bull Application Level Gateways (Proxy Servers)

bull Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of the firewalls Each packet that arrives or leaves the network has its header fields examined and checked against criterion to either drop the packet or let it through Routers configured with Access Control Lists (ACL) use packet filtering An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any device in the Accounting subnet

An Application Level Gateway (ALG) acts as a proxy preventing a direct connection between the foreign device and the internal destination device ALGs filter each individual packet rather than blindly copying bytes ALGs can also send alerts via email alarms or other methods and keep log files to track significant events

Hybrid firewalls are dynamic systems tracking each connection traversing all interfaces of the firewall and making sure they are valid In addition to looking at headers the content of the packet up through the application layer is examined A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table Stateful inspection firewalls close off ports until the connection to the specific port is requested This is an enhancement to security against port scanning1

Firewall Policies

The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access based on IP addresses port numbers application types and sub-types

This paper is focused with identifying the port numbers used by Avaya products so that effective firewall policies may be created These policies are meant allow Avayarsquos business communications to proceed seamlessly without allowing unnecessary access into the network

Knowing that the source column in the following matrices is the socket initiator is the key to building some types of firewall policies Some firewalls can be configured to automatically create a return

1 Port Scanning is the act of systematically connecting to a range of a computers ports one at a time Since a port is

a place where information enters and exits a computer port scanning identifies open doors to the computer Port

scanning has legitimate uses in managing networks but it also can be malicious in nature ndash for example when

someone is looking for a weakened access point to break into the computer

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 15 Comments Infodevavayacom

path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction however it can also raise security concerns

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows which use a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 10 Comments Infodevavayacom

Source Destination Network

Application

Protocol

Optionally

Enabled

Disabled

Default Port State

Description System Port

(Configurable Range)

System Port

(Configurable Range)

CM Ephemeral AE

Services 30000-

49999 (C) UDP Yes Closed

H323 RTP (DMCC Server-Media) range extended to accommodate 8K DMCC registrations

AE Services

Ephemeral CM 20000 ndash

29999 (C) UDP No Closed

H323 Registration (RAS) range extended to accommodate 8K DMCC registrations

Note ICMP (ping) should be enabled between AES and CM Gateway

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 11 Comments Infodevavayacom

3 Port Usage Diagram

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 12 Comments Infodevavayacom

Appendix A Overview of TCPIP Ports

What are ports and how are they used

TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams For example your PC may have multiple applications simultaneously receiving information email using destination TCP port 25 a browser using destination TCP port 443 and a ssh session using destination TCP port 22 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Each of the mini-streams is directed to the correct high-level application identified by the port numbers Every IP device has incoming (Ingress) and outgoing (Egress) data streams

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows TCP and UDP streams have an IP address and port number for both source and destination IP devices The pairing of an IP address and a port number is called a socket Therefore each data stream is uniquely identified with two sockets Source and destination sockets must be known by the source before a data stream can be sent to the destination Some destination ports are ldquoopenrdquo to receive data streams and are called ldquolisteningrdquo ports Listening ports actively wait for a source (client) to make contact with the known protocol associated with the port number HTTPS as an example is assigned port number 443 When a destination IP device is contacted by a source device using port 443 the destination uses the HTTPS protocol for that data stream conversation

Port Types

Port numbers are divided into three ranges Well Known Ports Registered Ports and Dynamic Ports (sometimes called Private Ports) The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here httpwwwianaorgassignmentsport-numbers

Well Known Ports

Well Known Ports are those numbered from 0 through 1023 For the purpose of providing services to unknown clients a service listen port is defined This port is used by the server process as its listen port Common services often use listen ports in the well-known port range A well-known port is normally active meaning that it is ldquolisteningrdquo for any traffic destined for a specific application For example well known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session Well known port 25 is waiting for an email session etc These ports are tied to a well understood application and range from 0 to 1023

In UNIX and Linux operating systems only root may open or close a well-known port Well Known Ports are also commonly referred to as ldquoprivileged portsrdquo

Registered Ports

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 13 Comments Infodevavayacom

Registered Ports are those numbered from 1024 through 49151 Unlike well-known ports these ports are not restricted to the root user Less common services register ports in this range Avaya uses ports in this range for call control Some but not all ports used by Avaya in this range include 17191720 for H323 50605061 for SIP 2944 for H248 and others The registered port range is 1024 ndash 49151 Even though a port is registered with an application name industry often uses these ports for different applications Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535 Dynamic ports sometimes called ldquoprivate portsrdquo are available to use for any general purpose This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage) These are the safest ports to use because no application types are linked to these ports The default dynamic port range for Linux systems is 49152 ndash 65535

Sockets

A socket is the pairing of an IP address with a port number An example would be 1921685173009 where 3009 is the socket number associated with the IP address A data flow or conversation requires two sockets ndash one at the source device and one at the destination device The data flow then has two sockets with a total of four logical elements Each data flow must be unique If one of the four elements is unique the data flow is unique The following three data flows are uniquely identified by socket number andor IP address Data Flow 1 1721616141234 - 101232345

two different port numbers and IP addresses and is a valid and typical socket pair Data Flow 2 1721616141235 - 101232345

same IP addresses and port numbers on the second IP address as data flow 1 but since the port number on the first socket differs the data flow is unique

Data Flow 3 1721616141234 - 101242345 If one IP address octet changes or one port number changes the data flow is unique

`

Client Web ServerHTTP-Get Source 1921681101369 Destination 1010104780

TCP-info Destination 1921681101369 Source 1010104780

Socket Example Diagram

Figure 1 Socket example showing ingress and egress data flows from a PC to a web server

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 14 Comments Infodevavayacom

The client egress stream includes the clientrsquos source IP and socket (1369) and the destination IP and socket (80) The ingress stream from the server has the source and destination information reversed

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types

bull Packet Filtering

bull Application Level Gateways (Proxy Servers)

bull Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of the firewalls Each packet that arrives or leaves the network has its header fields examined and checked against criterion to either drop the packet or let it through Routers configured with Access Control Lists (ACL) use packet filtering An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any device in the Accounting subnet

An Application Level Gateway (ALG) acts as a proxy preventing a direct connection between the foreign device and the internal destination device ALGs filter each individual packet rather than blindly copying bytes ALGs can also send alerts via email alarms or other methods and keep log files to track significant events

Hybrid firewalls are dynamic systems tracking each connection traversing all interfaces of the firewall and making sure they are valid In addition to looking at headers the content of the packet up through the application layer is examined A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table Stateful inspection firewalls close off ports until the connection to the specific port is requested This is an enhancement to security against port scanning1

Firewall Policies

The goals of firewall policies are to monitor authorize and log data flows and events They also restrict access based on IP addresses port numbers application types and sub-types

This paper is focused with identifying the port numbers used by Avaya products so that effective firewall policies may be created These policies are meant allow Avayarsquos business communications to proceed seamlessly without allowing unnecessary access into the network

Knowing that the source column in the following matrices is the socket initiator is the key to building some types of firewall policies Some firewalls can be configured to automatically create a return

1 Port Scanning is the act of systematically connecting to a range of a computers ports one at a time Since a port is

a place where information enters and exits a computer port scanning identifies open doors to the computer Port

scanning has legitimate uses in managing networks but it also can be malicious in nature ndash for example when

someone is looking for a weakened access point to break into the computer

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 15 Comments Infodevavayacom

path through the firewall if the initiating source is allowed through This option removes the need to enter two firewall rules one for each stream direction however it can also raise security concerns

Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows which use a common higher layer attribute Finally many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 11 Comments Infodevavayacom

3 Port Usage Diagram

Avaya ndash Proprietary

Use pursuant to the terms of your signed agreement or Avaya policy

March 2019 Avaya Port Matrix Avaya Aurareg Application Enablement Services 81 12 Comments Infodevavayacom

Appendix A Overview of TCPIP Ports

What are ports and how are they used

TCP and UDP use ports (defined at httpwwwianaorgassignmentsport-numbers) to route traffic arriving at a particular IP device to the correct upper layer application These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams For example your PC may have multiple applications simultaneously receiving information email using destination TCP port 25 a browser using destination TCP port 443 and a ssh session using destination TCP port 22 These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams inside the PC Each of the mini-streams is directed to the correct high-level application identified by the port numbers Every IP device has incoming (Ingress) and outgoing (Egress) data streams

Ports are used in TCP and UDP to name the ends of the logical connections that carry data flows. A TCP or UDP stream has an IP address and a port number at both the source and the destination. The pairing of an IP address and a port number is called a socket, so each data stream is uniquely identified by two sockets (together with the transport protocol). The source must know both sockets before it can send a data stream to the destination. Destination ports that are "open" to receive data streams are called "listening" ports: a listening port waits for a source (client) to make contact using the protocol associated with that port number. HTTPS, for example, is assigned port 443; when a destination device is contacted on port 443, it expects to speak HTTPS on that conversation. The port number is only a convention, however: nothing prevents a different service from listening on 443, which is why a port matrix identifies each flow by application as well as by port.

Port Types

Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic Ports (sometimes called Private or Ephemeral Ports). The Well Known and Registered ranges are assigned by IANA (Internet Assigned Numbers Authority); the registry is at http://www.iana.org/assignments/port-numbers.

Well Known Ports

Well Known Ports are those numbered from 0 through 1023. To provide a service to clients it has never seen, a server process binds a fixed listen port; common services use listen ports in the well-known range. A well-known port is normally active, meaning that it is "listening" for any traffic destined for a specific application. For example, well-known port 23 on a server waits for a data source to contact the server's IP address on that port to establish a Telnet session; well-known port 25 waits for an email (SMTP) session, and so on.

On UNIX and Linux systems only root may bind a listening socket to a well-known port (on Linux, a process holding the CAP_NET_BIND_SERVICE capability may as well), which is why Well Known Ports are also called "privileged ports". The restriction applies only to binding: any unprivileged process may connect to a well-known port as a client.

Registered Ports


Registered Ports are those numbered from 1024 through 49151. Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range, and Avaya uses ports in this range for call control. Some, but not all, of the ports Avaya uses in this range are 1719/1720 for H.323, 5060/5061 for SIP, and 2944 for H.248. Even though a port is registered to an application name, industry often uses registered ports for other applications. Conflicts can occur in an enterprise when two servers use the same port number with different meanings, and a firewall rule written for the registered meaning then admits the other application as well.

Dynamic Ports

Dynamic Ports are those numbered from 49152 through 65535. Dynamic ports, sometimes called "private" or "ephemeral" ports, are available for any general purpose: no application meaning is attached to them (much as RFC 1918 addresses carry no global meaning). They are the preferred choice for a client's source port precisely because no registered application is linked to them, which keeps them from colliding with a service's listen port. Note that the range an operating system actually hands out for ephemeral client ports differs from the IANA definition: Linux defaults to 32768 through 60999 (see the sysctl net.ipv4.ip_local_port_range), while Windows Vista and later default to 49152 through 65535. Firewall rules that match on client source ports must use the range the endpoint actually uses.
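As an added illustration of the listening-port and port-range concepts above (example code, not part of the Avaya document or any Avaya product), the following Python script parses the output of the Linux `ss -tulpn` command and reports every listener that is not on an expected list, classifying each by IANA range. The `ss` sample, the allowlist, and the process names are constructed for the example; in practice the allowlist would be taken from the product's port matrix.

```python
"""Audit a host's listening sockets against an expected port list.

Added example: parses `ss -tulpn` output (a constructed sample is embedded
below) and reports every listener that is not in the expected allowlist,
classified into the IANA well-known / registered / dynamic ranges.
"""
from dataclasses import dataclass

# IANA port ranges (RFC 6335).
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151


def port_range(port: int) -> str:
    """Classify a port number into the three IANA ranges."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    addr: str       # local bind address as printed by ss ("0.0.0.0", "[::]", "*", ...)
    port: int
    process: str    # process name from the Process column, "" if not shown


def parse_ss_output(text: str) -> list[Listener]:
    """Parse `ss -tulpn` text into Listener records (header line skipped).

    Column layout: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue                                  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")     # rpartition handles [::]:22 and *:22
        process = ""
        if len(fields) > 6 and fields[6].startswith("users:"):
            process = fields[6].split('"')[1]         # users:(("sshd",pid=812,fd=3)) -> sshd
        listeners.append(Listener(fields[0], addr, int(port), process))
    return listeners


def audit(listeners: list[Listener], expected: dict[tuple[str, int], str]) -> list[str]:
    """Return one finding per listener not present in `expected`.

    `expected` maps (proto, port) -> description, e.g. {("tcp", 443): "HTTPS"}.
    A listener bound only to loopback is reported as INFO because it is not
    reachable from the network; anything else unexpected is a WARN.
    """
    findings = []
    for lst in sorted(listeners, key=lambda x: (x.proto, x.port)):
        if (lst.proto, lst.port) in expected:
            continue
        severity = "INFO" if lst.addr in ("127.0.0.1", "[::1]") else "WARN"
        finding = (f"{severity}: unexpected {lst.proto}/{lst.port} "
                   f"({port_range(lst.port)}) bound to {lst.addr}")
        if lst.process:
            finding += f" by {lst.process}"
        findings.append(finding)
    return findings


# Constructed sample of `ss -tulpn` output; not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:443               *:*               users:(("httpd",pid=1201,fd=4))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=930,fd=5))
tcp   LISTEN 0      100    0.0.0.0:23          0.0.0.0:*         users:(("in.telnetd",pid=2210,fd=3))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=702,fd=6))
tcp   LISTEN 0      50     [::]:50000          [::]:*            users:(("java",pid=3010,fd=12))
"""

# Hypothetical allowlist for this host; take the real one from the port matrix.
EXPECTED = {("tcp", 22): "SSH", ("tcp", 443): "HTTPS", ("udp", 161): "SNMP"}

if __name__ == "__main__":
    for finding in audit(parse_ss_output(SAMPLE_SS), EXPECTED):
        print(finding)
```

On a live host, replace `SAMPLE_SS` with the captured output of `ss -tulpn` (run as root so the Process column is populated). The telnet listener on a well-known port bound to all interfaces is the kind of finding that matters; the loopback-only database listener is reported at lower severity but still deserves a look, since it is exactly what a port matrix does not cover.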

Sockets

A socket is the pairing of an IP address with a port number. An example is 192.168.5.17:3009, where 3009 is the port number associated with the IP address. A data flow, or conversation, requires two sockets: one at the source device and one at the destination device. The data flow therefore has two sockets with a total of four logical elements (plus the transport protocol, TCP or UDP). Each data flow must be unique: if any one of the four elements differs, the data flow is a different one. The following three data flows are uniquely identified by port number and/or IP address:

Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345. Two different port numbers and IP addresses; a valid and typical socket pair.

Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345. The same IP addresses, and the same port number on the second socket, as data flow 1; but because the port number on the first socket differs, the data flow is unique.

Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345. If one IP address octet changes or one port number changes, the data flow is unique.

Socket Example Diagram (Figure 1: Socket example showing ingress and egress data flows from a PC to a web server). The diagram shows the two directions of one HTTP conversation between a Client at 192.168.1.10 and a Web Server at 10.10.10.47:

HTTP-Get (client to server): Source 192.168.1.10:1369, Destination 10.10.10.47:80

TCP-info (server to client): Source 10.10.10.47:80, Destination 192.168.1.10:1369


The client's egress stream carries the client's source IP and port (1369) and the destination IP and port (80). The ingress stream from the server carries the same four elements with source and destination reversed, which is how a stateful device recognises it as the reply half of the same flow.

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:

• Packet Filtering

• Application Level Gateways (Proxy Servers)

• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined and checked against a set of criteria to decide whether to drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device on the Accounting subnet. Because a plain packet filter keeps no connection state, it has to permit the reply direction explicitly, and it cannot tell a legitimate reply from a crafted packet that merely carries the right addresses and ports.

An Application Level Gateway (ALG) acts as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs understand the application protocol and filter each individual message rather than blindly copying bytes. ALGs can also send alerts via email, alarms, or other methods, and keep log files to track significant events.

Hybrid firewalls are dynamic systems that track each connection traversing any interface of the firewall and verify that it is valid. In addition to inspecting headers, they can examine packet content up through the application layer. A stateful inspection firewall also monitors the state of each connection and records it in a state table. Stateful inspection firewalls keep ports closed until a connection to the specific port has been requested by a permitted initiator, which improves resistance to port scanning¹.

Firewall Policies

The goals of firewall policies are to monitor, authorize, and log data flows and events. Policies also restrict access based on IP addresses, port numbers, and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies may be created. These policies are meant to allow Avaya's business communications to proceed seamlessly without allowing unnecessary access into the network.

Knowing that the source column in the following matrices is the socket initiator is the key to building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction; however, it can also raise security concerns, because the reply direction is then admitted on the strength of the state entry rather than an explicit rule.

Another feature of some firewalls is an umbrella policy that allows access for many independent data flows that share a common higher-layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone, with the trade-off that no enforcement point then separates them.

¹ Port scanning is the act of systematically connecting to a range of a computer's ports, one at a time. Since a port is a place where information enters and exits a computer, port scanning identifies open doors to the computer. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature, for example when someone is looking for a weakened access point to break into the computer.
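The following Python model is an added example, not code from the Avaya document or from any Avaya product. It ties together the four-element data flow from the Sockets section, the reversed source/destination of Figure 1, the packet-filtering example (Engineering may not telnet into Accounting), stateful inspection, and the automatic return path described above: rules are written from the initiator's side, as the port matrices list them, and the reply direction is derived from the state table rather than from a second rule. The subnets, addresses, rules, and packet sequence are hypothetical.

```python
"""Minimal model of a stateful packet filter with automatic return paths.

Added example: a first packet that matches a permit rule creates a state
entry keyed on the initiator's 4-tuple; the reply direction is recognised by
swapping the two sockets, so no second rule is needed for the return stream.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False        # True for the first packet of a TCP connection

    def key(self):
        """The four logical elements (plus protocol) that identify a data flow."""
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):
        """The same flow seen from the other direction (server -> client)."""
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str
    src_net: str             # initiator side, as in the port matrix source column
    dst_net: str
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and ip_address(p.src_ip) in ip_network(self.src_net)
                and ip_address(p.dst_ip) in ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == p.dst_port))


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)   # first match wins, then implicit deny
        self.state = set()         # established flows, stored as initiator keys

    def process(self, p: Packet) -> str:
        # 1. Reply half of an established flow: the automatic return path.
        if p.reverse_key() in self.state:
            return "permit (return path)"
        # 2. Further packets from the initiator of an established flow.
        if p.key() in self.state:
            return "permit (established)"
        # 3. New flow: only a connection start may consult the rules and create state.
        if p.proto == "tcp" and not p.syn:
            return "deny (no state)"   # stray ACK or data, e.g. from an ACK scan
        for r in self.rules:
            if r.matches(p):
                if r.action == "permit":
                    self.state.add(p.key())
                    return "permit (new)"
                return "deny (rule)"
        return "deny (implicit)"


# Hypothetical zones for the packet-filtering example in the text.
ENGINEERING = "172.16.16.0/24"
ACCOUNTING = "10.1.2.0/24"
RULES = [
    Rule("deny", "tcp", ENGINEERING, ACCOUNTING, 23),     # no Telnet into Accounting
    Rule("permit", "tcp", ENGINEERING, ACCOUNTING, 443),  # HTTPS is allowed
]


def run_demo() -> list:
    """Replay a constructed packet sequence and return the filter's decisions."""
    fw = StatefulFilter(RULES)
    sequence = [
        Packet("tcp", "172.16.16.14", 1234, "10.1.2.3", 443, syn=True),  # client opens HTTPS
        Packet("tcp", "10.1.2.3", 443, "172.16.16.14", 1234),            # server reply, sockets swapped
        Packet("tcp", "172.16.16.14", 1234, "10.1.2.3", 443),            # more client data
        Packet("tcp", "172.16.16.14", 1235, "10.1.2.3", 443, syn=True),  # second flow: only src port differs
        Packet("tcp", "172.16.16.14", 1234, "10.1.2.3", 23, syn=True),   # Telnet attempt, denied by rule
        Packet("tcp", "10.1.2.3", 443, "172.16.16.14", 1999),            # "reply" to a flow that never existed
        Packet("tcp", "172.16.16.14", 4000, "10.1.2.4", 443),            # ACK without SYN: no state, dropped
    ]
    return [fw.process(p) for p in sequence]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The last two packets show why the automatic return path is a convenience rather than a hole in this model: a packet is only treated as a reply if the swapped 4-tuple is already in the state table, so a spoofed "reply" or an unsolicited ACK carrying plausible ports is still dropped. What a real stateful firewall cannot do is tell whether the permitted initiator's reply stream carries the expected application, which is the residual concern the text alludes to.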
