CommunicationManager6 3 6PortMatrix-165316 PDF

Avaya Port Matrix:
Updated for Communication

Manager 6.3.6
Issue 2.0
March 21, 2014
CID 165316
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS
PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE AND FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS OR WARRANTIES
THAT THE INFORMATION PROVIDED HEREIN WILL ELIMINATE SECURITY THREATS TO
CUSTOMERS’ SYSTEMS. AVAYA INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES,
REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY CIRCUMSTANCES BE HELD
LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE INFORMATION PROVIDED
HEREIN. THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF PROFIT, EVEN
IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS
INFORMATION CONSTITUTES ACCEPTANCE OF THESE TERMS.
© 2014 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or
trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.
1
Avaya – Confidential & Proprietary.
Use pursuant to your signed agreement or Avaya policy.
Avaya Port Matrix updated for Communication Manager (CM) 6.3.6
Defining TCP/IP Ports

What are ports and how are they used?
TCP and UDP use ports, defined by RFC 6335, to route traffic arriving at a particular IP device to the correct upper layer
application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams.
Consider your desktop PC. Multiple applications may be simultaneously receiving information. In this example, email may
use destination TCP port 25, a browser may use destination TCP port 80 and a telnet session may use destination TCP port
23. These logical ports allow the PC to de-multiplex a single incoming serial data packet stream into three mini-streams
inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port
numbers identify which application each data mini-stream belongs. Every IP device has incoming (Ingress) and outgoing
(Egress) data streams.
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have
an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is
called a socket (discussed later). Therefore, each data stream is uniquely identified with two sockets. Source and destination
sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are “open”
to receive data streams and are called “listening” ports. Listening ports actively wait for a source (client) to make contact to a
destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example,
is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination
uses the HTTPS protocol for that data stream conversation.
Port Type Ranges

Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic Ports (sometimes called
Private Ports).
According to RFC 6335:

• Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here:
http://www.iana.org/assignments/port-numbers.
• Well Known Ports are those numbered from 0 through 1023.
• Registered Ports are those numbered from 1024 through 49151
• Dynamic Ports are those numbered from 49152 through 65535
Well Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server
process as its listen port. Common services often use listen ports in the well known port range. A well known port is
normally active, meaning that it is “listening” for any traffic destined for a specific application. For example, well known port 23
on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet
session. Well known port 25 is waiting for an email session, etc. These ports are tied to a well understood application and
range from 0 to 1023.
In UNIX and Linux operating systems, only root may open or close a well-known port. Well Known Ports are also commonly
referred to as “privileged ports”.
Registered Ports
Unlike well known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for
call control. Some, but not all, ports used by Avaya in this range include: 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248, and others. The IANA
registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses these ports for different applications.
Conflicts can occur in an enterprise when a port is used with different meanings by different servers.
2
Dynamic Ports
Dynamic ports, sometimes called “private ports” or "ephemeral ports", are available to use for any general purpose. This means there are no meanings
associated with these ports. This is similar to RFC 1918 IP Address Usage. These are the safest ports to use because no application types are linked to
these ports. The IANA dynamic port range is 49152 – 65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the
IP address. A data flow, or conversation, requires two sockets – one at the source device and one at the destination device. The data flow then has two
sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following
three data flows are uniquely identified by socket number and/or IP address.
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14.1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair.
Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket
differs, the data flow is unique.
Therefore, if one IP address octet changes, or one port number changes, the data flow is unique.
Below is an example showing ingress and egress data flows from a PC to a web server.
Notice the client egress stream includes the client’s source IP and socket (1369) and the destination IP and socket (80). The
ingress stream has the source and destination information reversed because the ingress is coming from the server.
Avaya Server and Sockets

Data flows and their sockets may be directed by a server, but for the purposes of firewall configuration these sockets may not be sourced from the server.
The source may be the server's Processor Ethernet (PE), but it may be another network element such as a CLAN circuit pack or a gateway VoIP engine.
Therefore, the following port matrix lists these Avaya elements as the source. However, a large number of IP ports used by CM's Processor Ethernet
interface have the same IP port numbers as those used on CLAN circuit packs in port networks. In many ways, the CLAN circuit packs act as remote
network interface cards for the processor controlling them. Therefore, the following CM port matrix table includes CLAN ports. The affected ports are noted.
The various Avaya CM processors have a number of network interfaces (up to 5), each of which has its own IP address. Some of these addresses are fixed
and chosen from IP addresses previously assigned to Lucent Technologies and used by agreement, or are assigned to Avaya. Some addresses are
assigned from the local network on which the processor is operating. IP addresses of the form 192.11.0.0/16 were assigned to Lucent Technologies;
addresses of the form 198.152.0.0/16 are assigned to Avaya, Inc.
Table 1 illustrates how different processor models make use of various NICs. In the table, the first number in an entry is an IP address and the second the
maximum supported speed in megabits per second. Interfaces assigned addresses 192.11.13.6 are for the Avaya Services Laptop, interface 2 in the figure.
Interfaces assigned address 192.11.13.13 or 192.11.13.14 are for the server duplication link, interface 3 in the figure. Interfaces assigned address
192.11.13.1 are for SAMP access, which is not supported starting in CM 6.0. Addresses of the form 127.0.0.0/8 are 'host loopback' or 'internal' addresses.
Addresses marked "administered" are assigned by the customer from the customer's network.
Table 1 - Processor Network Interfaces
3
1
Interface S8300D S8510, S8800, R610, R620, DL360G7, S8800, R610, R620, DL360G7, DL360PG8
DL360PG8 (Duplex)
(Simplex)
eth0 192.11.13.6 administered administered
100 1000 1000
eth0:0 -- -- --
eth1 inet6 192.11.13.6 192.11.13.6
100 1000 1000
eth1.0000 135.9.71.116-- --
eth1.4093 169.254.1.31-- --
eth2 -- administered administered
1000 1000
eth2:0 -- -- --
eth3 -- -- 192.11.13.13
1000
eth3:0 -- -- --
eth4 -- -- --
eth4:0 -- -- --
eth5 -- -- --
lo 127.0.0.1 127.0.0.1 127.0.0.1
sit0 IPv6-in-IPv4 IPv6-in-IPv4 IPv6-in-IPv4
Notes:
CM 6.3.6 is supported on the System Platform and VMware servers (S8300D, S8510, S8800, R610, R620, DL360G7, and DL360pG8).
The default administered eth0 address on S8510 is 192.168.1.1.
The Simplex versions of S8800/R610/R620/DL360G7/DL360PG8 would be configured similar to the S8510.
Understanding Firewall Types and Policy Creation

Firewall Types
There are three basic firewall types:
• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)
Packet Filtering is the most basic form of the firewalls. Each packet that arrives or leaves the network has its header fields
examined against criterion to either drop the packet or let it through. Routers configured with Access Control Lists (ACL) use
packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet to telnet into any
device in the Accounting subnet.
Application level gateways (ALG) act as a proxy, preventing a direct connection between the foreign device and the internal
destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email,
alarms or other methods and keep log files to track significant events.
Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they
are valid. In addition to looking at headers, the content of the packet, up through the application layer, is examined. A stateful
inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection
2
firewalls close off ports until the connection to the specific port is requested. This provides security against port scanning .
1
A colon in the interface name indicates an alias. A period in the interface name indicates a vlan.
2
The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a
computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but
port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
4
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP
addresses, port numbers and application types and sub-types.
This paper is focused with identifying the port numbers used by Avaya products so effective firewall policies can be created
without disrupting business communications or opening unnecessary access into the network.
Knowing that the source column in the following matrices is the socket initiator is key in building some types of firewall
policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is
allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise
security concerns.
Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a
common higher layer attribute. One example would be creating a policy to allow any H.323 data flows through the firewall.
This umbrella policy would allow H.225, H.245, H.248, RTCP and RTP streams to flow through the firewall without specifying
specific port ranges for each of these protocols.
Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same
firewall zone.
Matrix Headings Defined

Source Initiator: The device or application initiating a data flow.
Source Port(s): This is the default port(s) used by the source device or application. Valid values include: 0 – 65535. NOTE: CM source ports are listed as
1024-65535 but CM has been configured to only use local ports 32768-61000.
Destination Receiver: The device or application receiving a data flow from a source.
Destination Port(s): This is the default port(s) used at the device or application responding to an initiator. Valid values include: 0 – 65535.
Network / Application Protocol: Labels of the network and application protocols used.
Destination Configurable: “Yes” means the destination port is configurable. “No” means the destination port is not configurable. Valid values include: Yes
or No.
Range If populated, this field lists the range of ports that can be used by the destination. The range may or may not be configurable. Valid values include: 0
– 65535.
Source Configurable: “Yes” means the source port is configurable. “No” means the source port is not configurable. Valid values include: Yes or No
Range: If populated, this field lists the range of ports that can be used by the source. The range may or may not be configurable. Valid values include: 0 –
65535.
Traffic Purpose: Describes the purpose of the data flow.
Comments: Important comments.
S8xx0, R610, R620, DL360G7, DL360PG8 Media Servers

Software Release/Version Communication Manager 6.3.6
Source Destination Network/ Destination Source Traffic Purpose

Configurable? Configurable?
Application (Comments)
Initiator Port(s) Receiver Port(s) Range Range
Protocol
CM NA any NA ICMP NA NA ICMP messages:
ping, etc.
5
Protocol
any NA CM NA ICMP NA NA ICMP messages:
ping, etc.
Admin 1024 - 65535 CM 20 TCP / FTP – No No File Transfers (Data)

Device data
Note 1
CM 1024 – 65535 IPSI 20 TCP / FTP – No No IPSI Firmware File

data Transfer
Note 2
Admin 1024 - 65535 CM 21 TCP / FTP No No File Transfers

Device (Command)
Note 1
CM 1024 - 65535 IPSI 21 TCP / FTP No No IPSI Firmware File

Transfer
Note 2
Admin 1024 – 65535 CM 22 TCP / SSH, No No OS administration

Device SCP, SFTP interface over Secure
Shell (SSH)
Note 3
Admin 1024 – 65535 CM 23 TCP / Telnet No No OS administration

Device interfaces over
Telnet; closed by
default.
Note 4
Any 1024 – 65535 CMM 25 TCP / SMTP No No Message retrieval
CM or 1024 - 65535 DNS 53 UDP / DNS No No DNS Requests and

CLAN Server Responses
CM (server) 68 IPSI (client) 67 UDP / DHCP No No Dynamic Host Control

Protocol (DHCP)
Note 5
IPSI (client) 67 CM 68 UDP / DHCP No No Dynamic Host Control

(server) Protocol (DHCP)
Note 5
CM 1024 – 65535 Services 69 UDP / TFTP No No Installs and Upgrades

Laptop via Services Interface
Note 6
IP Phone / 1024 – 2048 CM – 69 UDP / TFTP No No IP Phone and/or

H.248 GW S8300 Gateway Firmware
Download
Note 7
Admin 1024 – 65535 CM 80 TCP / HTTP No No Avaya web

Device administration
interface
Note 8
IP Phone 1024 – 2048 CM 81 TCP / HTTP No No HTTP IP Phone
6
Protocol
Firmware Download
Note 9
Any 1024 – 65535 CMM 110 TCP / POP3 No No Message retrieval
Message 1024 – 65535 CMM 111 UDP / RPC No No Message Manager

Manager
Note 10
DEM
Message 1024 – 65535 CMM 111 TCP / RPC No No Message Manager

Manager
Note 10
DEM
CM 1024 – 65535 Network 123 UDP / NTP No No Network Time

Time Protocol (client)
Server
(NTS) Note 11
CM 1024 - 65535 IPSI 123 UDP / NTP No No Network Time

Protocol (NTP)
Note 33
IPSI 1024 – 65535 CM 123 UDP / NTP No No Network Time

Protocol (NTP)
CM / SCS / 1024 – 65535 CM 123 UDP / NTP No No Network Time

SRS Protocol (server)
Note 12
Any 1024 – 65535 CMM 143 TCP / IMAP4 No No Message retrieval
SNMP 1024 – 65535 CM 161 UDP / SNMP No No SNMP (server)

Agent
NMS Note 13
SNMP NMS 1024 – 65535 CLAN 161 UDP/SNMP No No SNMP agent

Agent
CM 1024 – 65535 SNMP 162 UDP / SNMP No No SNMP traps (client)

NMS Trap for alarms or notable
events
Note 14
CLAN 1024-65535 SNMP 162 UDP/SNMP No No SNMP traps for

NMS Trap alarms/events
Gateway/ 1024 – 65535 CM 162 UDP/ SNMP No No SNMP traps (server)

CM / SCS / Trap collection
SRS / UPS
Note 15
Any 1024 – 65535 CMM 389 TCP / LDAP No No CMM LDAPFE

Note 16
IP Phone 1024 – 2048 CM 411 TCP / HTTPS No No HTTPS IP Phone

configuration file
CLAN download
Note 17
Admin 1024 – 65535 CM 443 TCP / HTTPS No No Avaya web

administration
7
Protocol
Device / interface (HTTPS)
SCS/SRS
Any 1024 – 65535 CMM 465 TCP / SSL, No No Secure message

SMTP retrieval
CLAN, IPSI, 1024-65535 CM 514 UDP/SYSLOG Yes No TN Board Logging

Crossfire
CM 1024-65535 Rsyslog 514 UDP/Syslog Yes No Remote system log

server. storage
CM / SCS / 512 – 1023 CM – SRS 514 TCP / RSH No No Legacy (CM1.3)

SRS Filesync Service
Note 18
CM - SRS 514 CM / 512 - 1023 TCP / RSH No No Legacy Filesync

Service
SCS /
Note 18
SRS
Any 1024 – 65535 CMM 636 TCP /SSL/ No No CMM LDAPFE

LDAP
Note 16
Any 1024 – 65535 CMM 993 TCP / IMAP4, No No Secure message

SSL retrieval
Any 1024 – 65535 CMM 995 TCP / POP3, No No Secure message

SSL retrieval
Any 1024 – 65535 CMM 8000-10000 UDP/RTP Yes No Audio record.
Message 1024 – 65535 CMM 1024 – UDP / No No Message Waiting

Manager 65535 Proprietary indicators
H.248 1024 – 65535 CM or 1039 TCP / No No Proprietary encrypted

Media CLAN Encrypted H.248 over TCP
Gateways H.248
Note 19
CM/SAMP 1234 SAMP/ 1234 TCP/Modem No No Not used in CM 6.0

or later - SAMP not
CM supported
H.323 1024-5000 CM 1300 TLS / H.323 No No Encrypted H.323

Phone signaling
CM 1024 – 65535 CM – 1332 UDP / DES No No Arbiter

S8xx0 Encrypted
Proprietary Note 20
H.323 49300 CM or 1719 UDP / H.225 No No Registration,

Phone CLAN Admission, and
Status (RAS)
Note 19
CM 1024-65535 CM or 1719 TCP/H.323 No No H.323 RAS for trunks

CLAN
CLAN
H.323 1500 – 6500 CM or 1720 TCP / H.323 No No H.323 signaling

Phone CLAN
Note 22, Note 19.
8
Protocol
CM 5000-5021 CM / SCS / 1719, 1720, TCP / H.323 Yes No H.323 IP trunk
SRS or 5000-9999 Signaling Ports admin
CLAN CLAN via SAT
Third Party 1024-65535 CM / SCS / 1719, 1720, TCP / H.323 Yes No H.323 IP trunk
GK or GW SRS or 5000-9999 Signaling Ports admin
CLAN via SAT
CM (via 61440-61444 H.323 1720 TCP / H.323 No Yes TTS

CLAN/PE) Phone
Note 35
CM RADIUS 1024 – 65535 RADIUS 1812 UDP/RADIUS Yes No RADIUS based login
Client Server processing
Note 36
CM RADIUS 1024 – 65535 RADIUS 1813 UDP/RADIUS Yes No RADIUS based login
Note 36
CM 1024 - 65535 IPSI 1956 TCP / No No IPSI Command

Proprietary Server Service
Admin 1024 – 65535 CM 2222 TCP / SSH No No High Priority SSH

Device
Note 23
H.248 GW 1024 – 65535 CM or 2944 TCP / H.248 No No TLS encrypted H.248

CLAN
Note 24, Note 19.
H.248 GW 1024 – 65535 CM or 2945 TCP / H.248 No No Unencrypted H.248

CLAN
Note 24, Note 19.
CM 1024 – 65535 CM 5005 TCP / No No Border

Proprietary Communication
Note 37
CM 1024 - 65535 IPSI 5010 TCP / No No IPSI / Server control

Proprietary channel
CM 1024 - 65535 IPSI 5011 TCP / No No IPSI / Server IPSI

Proprietary version channel
CM 1024 – 65535 IPSI 5012 TCP / No No IPSI / Server serial

Proprietary number channel
Admin 1024 – 65535 CM 5022 TCP / SSH No No SAT interface over

Device SSH
Note 25
Admin 1024 – 65535 CM 5023 TCP / Telnet No No SAT interface over

Device Telnet
Note 26
CM 1024 – 65535 SafeWord 5030 TCP/ Yes No SafeWord based

SafeWord Server login processing
Client SafeWord
Note 36
SIP Trunks 1024 – 65535 CM or 5060 TCP / SIP Yes No SIP
9
Protocol
CLAN 5000-9999 Note 27, Note 19.
CM 1024 – 65535 SIP Trunks 5060 TCP / SIP Yes No SIP

1 to 65535 Note 27, Note 19.
SIP Trunks 1024 – 65535 CM or 5061 TCP/TLS / Yes No SIPS

SIPS
CLAN 5000-9999 Note 28, note 19.
CM 1024 – 65535 SIP Trunks 5061 TCP/TLS / Yes No SIPS

SIPS
1 to 65535 Note 28, note 19.
CM 1024 – 65535 CM 5098, 12080 TCP / TLS No No Dupmgr

(optionally (SW duplication)
encrypted)
Note Error!
Reference source
not found.
CM 1024 – 65535 CM 5100 TCP/ No No GMM Inquiry

Proprietary Command
Note 37
CM 1024 – 65535 CM 5101 TCP/ No No Test Alarms

Proprietary Command
Note 37
CM 1024 – 65535 CM 5200 TCP/ No No GMM to SNMP

Proprietary INADS
Note 37
CM 1024 – 65535 CM 5210 TCP/ No No GMM to G3 Agent

Proprietary
Note 37
CM 1024 – 65535 CM 5220 TCP/ No No GMM to FP Agent

Proprietary
Note 37
Audix / LX / 1024 – 65535 CMM 5500 TCP / No No Audix Digital

Proprietary Networking
MM /
MN
CM SecurID 1024 – 65535 SecurID 5500 UDP/SecurID Yes No SecurID based login
Note 36
CM or 5500 Audix / LX 1024 - TCP / No No Audix Digital

CLAN / MM /MN 65535 Proprietary Networking
CM 1024 – 65535 CM 7007 TCP / No No SME

Proprietary
Note 37
CM 1024 – 65535 CM 7010 TCP / No No Watchdog

Note 37
CM 1024 – 65535 CM 7011 TCP / No No Watchdog

10
Protocol
Note 37
NA NA NA 8009 TCP / tomcat No No Not Required.

Note 29
AEServices 1024 – 65535 CM 8765 TCP / ASAI No No AEServices

(Q.931
ASN.1) Note 32
CM 1024 – 65535 CM 9000 TCP / No No DGB Server

Proprietary
Admin 1024-65535 SAMP/CM 10022 TCP/SSH No No Not used in CM 6.0

Device or later - SAMP not
supported
Any 1024-65535 CMM 1024-65535 TCP/SIP Yes No Call control – CMM, 2

ports
CM 1024-65535 SSA 10162 UDP/SNMP Yes Yes INADS to secure

services agent
Not used.
Admin 1024-65535 SAMP/CM 10443 TCP/HTTPS No No Not used in CM 6.0

Device or later - SAMP not
supported
CM 1024 – 65535 CM 12080 TCP / No No Dupmgr Control

Proprietary
CM/SAMP 19121 SAMP/CM 19121 UDP/HPI No No Not used in CM 6.0

or later - SAMP not
supported
CM / SCS / 20873 - 21872 CM /SCS/ 20873 - TCP / TLS No No Internal Filesync

SRS SRS 21872 communication
Note 34
CM / SCS / 1024 – 65535 CM – SRS 21873 TCP / TLS No No Filesync over SSL
SRS
Note 30
CM / SCS / 1024 – 65535 CM 21874 TCP / TLS No No Filesync over SSL

SRS
Note 31
Message 1024 – 65535 CMM 55000 TCP / No No IMAPI

Manager Proprietary
CMM 1024 – 65535 Message 55000 TCP / No No IMAPI

Manager Proprietary
LDAPFE 1024 – 65535 CMM 55389 TCP / LDAP No No Internal use by

LDAPFE.
Note 37
G650 1024 – 65535 CM or 59000 – TCP / H.245 No No H.245

CLAN 59200
11
Notes:
1. By default the File Transfer Protocol (FTP) service is disabled. In CM3.1 or later, the FTP service can be
enabled by authenticating to the media server web administration interface --> Launch Maintenance Web
Interface --> Security --> Server Access --> Change Service Name FTP Server (21) and set Server State
to Enabled. Prior to CM3.1, the FTP service can be enabled by authenticating to the media server web
administration interface --> Launch Maintenance Web Interface --> Security --> Start/Stop FTP Server.
*Once enabled this service automatically disables after 15 minutes of inactivity.
2. By default the FTP service is disabled on Avaya IPSI circuit packs. This service is enabled during IPSI
firmware upgrades. When the FTP service is started, the Avaya Communication Manager initiates the
client-side of the FTP protocol and then transfers a new firmware file to the IPSI. Once the transfer is
complete, the FTP service is automatically disabled. A five-minute timeout is enforced to guard against
cases where the firmware download is started but terminated prematurely.
3. In CM3.1 or later, the Secure Shell (SSH), Secure Copy Protocol (SCP), and Secure File Transfer
Protocol (SFTP) services can be Disabled and/or blocked by authenticating to the media server web
administration interface --> Launch Maintenance Web Interface --> Security --> Server Access -->
Change Service Name SSH Server (SCP/SFTP 22) and set Server State to Disabled and/or set
Corporate LAN Firewall to Disabled. Prior to CM3.1, the SSH service can be blocked, via the media
server host firewall, by authenticating to the media server web administration interface --> Launch
Maintenance Web Interface --> Security --> Firewall -> Uncheck Input to Server for Server ssh.
4. In CM 4 and later, telnet is disabled by default. In CM3.1 or later, the Telnet service can be Disabled
and/or blocked by authenticating to the media server web administration interface --> Launch
Maintenance Web Interface --> Security --> Server Access --> Change Service Name Telnet Server (23)
and set Server State to Disabled and/or set Corporate LAN Firewall to Disabled. Prior to CM3.1, the
Telnet service could be blocked, via the media server host firewall, by authenticating to the media server
web administration interface --> Launch Maintenance Web Interface --> Security --> Firewall -> Uncheck
Input to Server for Server telnet.
5. The Dynamic Host Control Protocol (DHCP) service is used only in multi-connect configurations to assign
IP addresses to all the IPSI boards in the various port networks. By default the DHCP service is disabled
on Avaya media servers and is only enabled if DHCP is configured during installation or administered via
the media server web administration interface. In multi-connect configurations, this option is available by
authenticating to the media server web administration interface --> Launch Maintenance Web Interface --
> Server Configuration --> Configure Server --> Continue --> Continue --> Select Configure individual
services --> Continue --> Select Set DNS/DHCP --> Check Enable DHCP service on this server for IPSIs.
When enabled the DHCP services is only available via the Control Network interfaces and is not available
via the Customer LAN Interface.
6. Within the web administration interface --> Launch Maintenance Web Interface --> Manage Software -->
TFTP can optionally be used to copy a Communication Manager release to the local media server hard
drive using a TFTP server on the services laptop. Alternative copy methods include from the local CD-
ROM drive or from a URL.
7. The TFTP service is only enabled in Avaya S8300 and S8400 media servers by default and can be
utilized for Gateway and IP Phone firmware download. In S8300 CM3.1 or later, the Trivial File Transfer
Protocol (TFTP) service can be Disabled and/or blocked by authenticating to the media server web
administration interface --> Launch Maintenance Web Interface --> Security --> Server Access -->
Change Service Name TFTP Server (69) and set Server State to Disabled and/or set Corporate LAN
Firewall to Disabled. Prior to CM3.1, the TFTP service can be blocked, via the media server host firewall,
by authenticating to the media server web administration interface --> Launch Maintenance Web Interface
--> Security --> Firewall -> Uncheck Input to Server for Server tftp. It is recommended this service
disabled if not utilizing a file server, or utilizing external TFTP, HTTP, or HTTPS server(s) for firmware
downloads.
8. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user’s selects
“Continue” this port automatically redirects to HTTPS (443/tcp).
9. In CM2.2 and later, HTTP (81/tcp) and HTTPS (411/tcp) are offered as secure replacements to the TFTP
IP Phone firmware download service. These ports are limited to 100 simultaneous connections. Moved
to Utility Server.
10. The Remote Procedure Call (RPC) service is utilized for communication between the CM Messaging
Application (CMM) and the Message Manager client applications. This service is only enabled if CMM is
12
selected during installation and CMM is enabled. CMM is only available on the S8510, S8300 and S8400
media servers.
11. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or
administered via the media server web administration interface --> Launch Maintenance Web Interface --
> Server Configuration --> Configure Server --> Continue --> Continue --> Select Configure individual
services --> Continue --> Select Configure Time Server. The IP address or Domain Name Server (DNS)
Name for a Primary, Secondary, or Tertiary Network Time Server (NTS) can be provided. Furthermore,
the NTP the media server can be configured to support multicast timing messages or direct poll requests
to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications
with the NTS.
12. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or
administration via the media server web administration interface --> Launch Maintenance Web Interface -
-> Server Configuration --> Configure Server --> Continue --> Continue --> Select Configure individual
services --> Continue --> Select Configure Time Server --> Select this computer synchronizes with the
duplicated server. This option is utilized to synchronize time between the main media server, duplicated
media server, Survivable Remote Servers (SRS, formerly called LSP), and Survivable Core Servers
(SCS, formerly called ESS).
13. By default the Simple Network Management (SNMP) Agent service is disabled. The SNMP Agent
service can be enabled and configured via authenticating to the media server web administration
interface --> Launch Maintenance Web Interface --> Alarms --> SNMP Agents. If SNMP is enabled, it is
recommended that SNMP access be restricted to administered IP addresses and that SNMPv3 be
utilized for enhanced security.
14. By default SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and
configured via authenticating to the media server web interface --> Launch Maintenance Web Interface --
> Alarms --> SNMP Traps --> Add.
15. By default the SNMP Trap server service is blocked. The SNMP Trap server services can be unblocked,
via the media server host firewall, by authenticating to the media server web administration interface -->
Launch Maintenance Web Interface --> Security --> Firewall -> Uncheck Input to Server for Server snmp
trap.
16. CMM LDAP Service. Only needed internally. These messages do not go out into nor are received from
the network.
17. In CM2.2 and later, HTTP (81/tcp) and HTTPS (411/tcp) are offered as secure replacements to the TFTP
IP Phone firmware download service. These ports are limited to 100 simultaneous connections. Moved
to Utility Server.
18. By default the Legacy Filesync service is disabled. This port is only enabled if the SRS is configured to
synchronize with a media server running CM 1.3.
19. By default only the S8300 and S8400 have Processor Ethernet enabled. Processor Ethernet enables use
of the Ethernet card resident in the processor cabinet, in place of a C-LAN card. Processor Ethernet can
be confirmed enabled or disabled using the SAT interface --> Type display system-parameters customer-
options --> under page 4 see Processor Ethernet.
20. The Arbiter service is only enabled on S87x0 media servers. The Arbiter process runs on S87x0 Media
Servers to 1.) Decide which server is healthier and more able to be active and 2.) Coordinate data
shadowing between servers, under the Duplication Manager’s control. UDP port 1333 was also used on
legacy systems but is no longer used.
21. One port for each of the active processor and the standby processor.
22. CM as the destination is only when with Processor Ethernet is enabled. The Processor Ethernet limits
H.323 signaling connection requests to a processor-dependent rate on the order of 5-10 per second.
23. In CM3.1 or later, the High Priority SSH service can be Disabled and/or blocked, via the media server
host firewall, by --> Launch Maintenance Web Interface --> Security --> Server Access --> Change
Service Name High Priority SSH (2222) and set Server State to Disabled and/or set Corporate LAN
Firewall to Disabled. Prior to CM3.1, the High Priority SSH service could be blocked, via the media
server host firewall, by authenticating to the media server web administration interface --> Launch
Maintenance Web Interface --> Security --> Firewall -> Uncheck Input to Server for Server hp-sshd.
24. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits
connection requests to 50 with a burst limit of 100.
25. In CM3.1 or later, the Station Administration Terminal (SAT) SSH service can be Disabled and/or
blocked, via the media server host firewall, by --> Launch Maintenance Web Interface --> Security -->
13
Server Access --> Change Service Name SAT (SSH 5022) and set Server State to Disabled and/or set
Corporate LAN Firewall to Disabled. Prior to CM3.1, the SAT SSH service could be blocked, via the
media server host firewall, by authenticating to the media server web administration interface --> Launch
Maintenance Web Interface --> Security --> Firewall -> Uncheck Input to Server for Server secure-sat.
26. In CM3.1 or later, the Station Administration Terminal (SAT) Telnet service can be Disabled and/or
blocked, via the media server host firewall, by --> Launch Maintenance Web Interface --> Security -->
Server Access --> Change Service Name SAT (Telnet 5023) and set Server State to Disabled and/or set
Corporate LAN Firewall to Disabled. Prior to CM3.1, the SAT Telnet service could be blocked, via the
media server host firewall, by authenticating to the media server web administration interface --> Launch
Maintenance Web Interface --> Security --> Firewall -> Uncheck Input to Server for Server def-sat.
27. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection
requests 50 with a burst limit of 100. The configurable range excludes well known ports used by other
services; e.g. wrongly attempting to use 5060 for TLS.
28. The SIPS service is only enabled media servers with Processor Ethernet enabled. It limits connection
requests to 50 with a burst limit of 100. The configurable range excludes well known ports used by other
services; e.g. wrongly attempting to use 5060 for TLS.
29. This port is not required for external connectivity and has been closed by default in CM 4.0 and later.
See Avaya Security Advisory ASA-2007-051.
30. In CM2.x the filesync (over SSL) utilized port 21873/tcp to transfer translation, unicode, license, and
password files to the standby server(s).
31. In CM3.x and later the filesync (over SSL) utilized port 21874/tcp to transfer translation, unicode, license,
and password files to the standby server(s).
32. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide,
Release 4.1 (02-300357 Issue 8 December 2007).
33. CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.
34. Ports used for internal filesync communication; defaults to 20873 – 20877. Number of ports used (up to
1000) is a function of the FileSyncMaxClient variable in /etc/opt/ecs/ecs.conf.
35. Source port is configurable using the “change ip-network-region” SAT command (page 2). The default is
61440 – 61444.
36. Disabled by default. Requires root access to enable.
37. Used only for communication between two software processes on the same hardware platform. These
messages do not go out into nor are received from the network.
14
Port Summary:
Ingress: This indicates data flowing INTO the product defined in the matrix.
Egress: This indicates data flowing away FROM the product defined in the matrix.
Port(s): This is the layer-4 port number. Valid values include: 0 – 65535. Note all ports listed are destination ports.
Network/Application Protocol: This is the name associated with the layer-4 protocol and layers-5-7 application.
Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-4 port changing its default port setting. Valid values
include: Yes or No
No means the default port state cannot be changed (e.g. enable or disabled).
Yes means the default port state can be changed and that the port can either be enabled or disabled.
Default Port State: A port is either open, closed, filtered or N/A.
Open ports will respond to queries
Closed ports may or may not respond to queries and are only listed when they can be optionally enabled.
Filtered ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP will respond to queries, but will not allow connectivity.
N/A is used for the egress default port state since these are not listening ports on the product.
Avaya S8510, S8800, R610, R620, DL360G7 and DL360PG8 Port Summary
Network / Optionally
Default
Ports Application Enabled /
Port State
Protocol Disabled?
Ingress
1. 20 TCP / FTP Yes Closed
3. 22 TCP / SSH Yes Open Column Descriptions
4. 23 TCP / Telnet Yes Closed
5. 25 TCP/SMTP No Open* Ingress -- data flows coming into the product.
6. 68 UDP / DHCP Yes Closed
7. 80 TCP / HTTP No Open
8. 81 TCP / HTTP No Open
Egress -- data flows leaving the product.
9. 110 TCP/POP3 No Open*
10. 123 UDP / NTP Yes Closed Port(s) – Logical number(s) at OSI layer-4.
11. 143 TCP/IMAP4 No Open* Valid values include: 0 – 65535
12. 161 UDP / SNMP Yes Closed
13.
162 UDP / SNMP Yes Closed Network / Application Protocol – Top layer protocol. i.e.
14. RTP, HTTP, etc.
411 TCP / HTTPS No Open
15.
443 TCP / HTTPS No Open Optionally Enabled/Disabled – indicates whether customers
can enable or disable a layer-4 port changing its default port
16. 465 TCP/SMTP No Open* setting.
17.
514 UDP/SYSLOG Yes Closed Valid values include: Yes or No.
18. 993 TCP/IMAP4 No Open*
19. 995 TCP/POP3 No Open* Default Port State:
20. 1039 TCP Yes Closed Valid Values include: Open, Closed, Filtered or
21. 1300 TLS Yes Closed N/A
22.
1332 TCP No Closed
23. 1719 UDP / H.225 Yes Closed *Open if CMM co-resident.
24. 1720 TCP / H.323 Yes Closed **Open for duplex configurations
25.
2222 TCP / SSH Yes Open
26. 5060 TCP / SIP Yes Closed
27. 5061 TCP / SIPS Yes Closed
28.
5022 TCP / SAT Yes Open
15
29.
5023 TCP / SAT Yes Closed
30.
5098 TCP/TLS No Open**
31.
8009 TCP / HTTP No Closed
32.
8765 TCP Yes Closed
33.
12080 TCP Yes Closed
34.
21874 TCP / TLS No Open
Egress
1. 20 TCP / FTP Yes NA
3. 53 UDP / DNS No NA
4. 67 UDP / DHCP Yes NA
6. 69 UDP / TFTP Yes NA
7. 123 UDP / NTP Yes NA
8. 162 UDP / SNMP Yes NA
9. 1719 UDP / H.225 Yes NA
10. 1720 TCP / H.323 Yes NA
11.
1956 TCP No NA
12.
5010 TCP No NA
13.
5011 TCP No NA
14.
5012 TCP No NA
15. 5060 TCP / SIP Yes NA
16. 5061 TLS / SIPS Yes NA
17.
55000 TCP No NA
18. 1024 –
UDP / TCP No NA
65535
Avaya S8300 Port Summary

Network / Optionally Column Descriptions
Default
Ports Application Enabled /
Port State
Protocol Disabled? Ingress -- data flows coming into the product.
Ingress
2. 21 TCP / FTP Yes Closed Egress -- data flows leaving the product.
3. 22 TCP / SSH Yes Open
4. 23 TCP / Telnet Yes Closed Port(s) – Logical number(s) at OSI layer-4.
5. 25 TCP/SMTP No Open* Valid values include: 0 – 65535
6. 68 UDP / DHCP Yes Closed
7. 69 UDP / TFTP Yes Closed
8. 80 TCP / HTTP No Open Network / Application Protocol – Top layer protocol. i.e.
9. 81 TCP / HTTP No Open RTP, HTTP, etc.
11. 111 UDP / RPC Yes Closed Optionally Enabled/Disabled – indicates whether customers
12. can enable or disable a layer-4 port changing its default port
111 TCP / RPC Yes Closed
setting.
13.
123 UDP / NTP Yes Closed Valid values include: Yes or No.
15. Default Port State:
161 UDP / SNMP Yes Closed
Valid Values include: Open, Closed, Filtered or
16. N/A
162 UDP / SNMP Yes Closed
17.
411 TCP / HTTPS No Open *Open if CMM co-resident.
16
18.
443 TCP / HTTPS No Open
19. 465 TCP/SMTP No Open*
20.
514 TCP / RSH Yes Closed
21.
514 UDP/SYSLOG Yes Closed
24. 1024 –
UDP No Open
65535
25.
1037 TCP No Open
26.
1039 TCP Yes Open
27. 1300 TLS Yes Closed
28.
1320 TCP No Closed
29.
1332 TCP No Closed
30.
1719 UDP / H.225 Yes Closed
31.
1720 TCP / H.323 Yes Closed
32.
2222 TCP / SSH Yes Open
33. 2944 TLS/H.248 Yes Closed
34.
2945 TCP / H.248 Yes Open
35.
5022 TCP / SAT Yes Open
36.
5023 TCP / SAT Yes Closed
37.
5060 TCP / SIP Yes Closed
38.
5061 TCP / SIPS Yes Closed
39.
5098 TCP/TLS No Open**
40.
5500 TCP No Open
41.
8009 TCP / HTTP No Closed
42.
8765 TCP Yes Closed
43.
44.
21873 TCP No Open
45.
21874 TCP / TLS No Open
46.
47. 59000 -
TCP No Open
59200
Egress
3. 53 UDP / DNS No NA
5. 69 UDP / TFTP Yes NA
7. 123 UDP / NTP Yes NA
8. 162 UDP / SNMP Yes NA
9. 1719 UDP / H.225 Yes NA
10. 1720 TCP / H.323 Yes NA
11.
1956 TCP No NA
17
12.
5010 TCP No NA
13.
5011 TCP No NA
14.
5012 TCP No NA
15. 5060 TCP / SIP Yes NA
16. 5061 TLS / SIPS Yes NA
17.
55000 TCP No NA
18. 1024 –
UDP / TCP No NA
65535
The port numbers are assigned by IANA (Internet Assigned Numbers Authority) and are found here:
http://www.iana.org/assignments/port-numbers
18
IP Protocol Summary:
IP Protocol Number: This is the layer-3 or layer- protocol number. Valid values include: 0 – 255.
IP Protocol Name: This is the name associated with the layer-3 protocol or layer-4 port number. Examples are ICMP, TCP, UDP, IGMP, etc.
Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-3 protocol from its default setting. Valid values are: Yes
or No.
No means the default protocol state cannot be changed (e.g. enable or disabled).
Yes means the default protocol state can be changed and that the protocol can either be enabled or disabled.
Default Protocol State: A protocol is open, closed or filtered. Open will respond to queries whereas filtered is open, but will not respond. Valid values
include: Open, Close or Filtered. For brevity, closed protocols are not listed unless they can be optionally enabled.
Open protocols will respond to queries
Closed protocols may or may not respond to queries and are only listed when they can be optionally enabled.
Filtered protocols can be open or closed.
Avaya IP Protocol Summary

IP Protocol IP Optionally Default Column Description
Number Protocol Enabled/ Protocol
Name Disabled? State IP Protocol Number – Logical number at OSI layer-3 or layer-4.
1 1 ICMP Yes Open
Valid values include: 0 – 255
2 6 TCP No Open
3 17 UDP No Open
4
IP Protocol Name – OSI layer 3 & 4. i.e. ICMP, TCP, UDP, IGMP
5
6 Optionally Enabled/Disabled – indicates whether customers can enable or
7 disable a layer-3 or layer-4 protocol changing its default protocol setting.
8
9 Default Protocol State:
10 Valid Values include: Open, Closed or Filtered
The protocol numbers are assigned by IANA (Internet Assigned Numbers Authority) and are found here:
http://www.iana.org/assignments/protocol-numbers
Terminology and Acronyms

Table 2 - Terminology and Acronym List
Term Meaning
ACL Access Control List.
AES, AEServices Application Enablement Services.
ALG Application Level Gateway.
ASA Avaya Security Advisory
ASAI Adjunct Switch Application Interface
ASN Abstract Syntax Notation
AUDIX® Audio Information Exchange
C-LAN Control-LAN (TN799 board).
CM Communication Manager.
CMM Communication Manager Messaging (formerly IA-770).
19
Term Meaning
Def-sat DEFINITY® System Administration Terminal
DHCP Dynamic Host Configuration Protocol.
DNS Domain Name Service.
Dupmgr Duplication Manager
ESS Enterprise Survivable Server, now called SCS.
Eth Ethernet
Filesync File Synchronization, especially of administration
translations.
FP Fault and Performance.
FTP File Transfer Protocol.
GK Gatekeeper.
GMM Global Maintenance Manager.
GW Gateway.
HPI Hardware Platform Interface.
HTTP Hypertext Transfer Protocol.
HTTPS Hypertext Transfer Protocol Secure.
IANA Internet Assigned Numbers Authority
ICMP Internet Control Management Protocol.
IGMP Internet Group Management Protocol
IMAP4 Internet Message Access Protocol version 4.
IMAPI Intuity™ Messaging Applications Programming Interface.
INADS Initialization and Administration System.
IA Intuity™ AUDIX ®
IP Internet Protocol.
IPSI Internet Protocol Server Interface (TN2312 board).
IPv6 Internet Protocol version 6.
LDAP Lightweight Directory Access Protocol.
LDAPFE Lightweight Directory Access Protocol Front End.
LSP Local Survivable Processor, now called SRS.
MTU Maximum Transmission Unit.
NA Not Applicable
NIC Network Interface Card
NSS Network Security Services.
NTS Network Time Server
NTP Network Time Protocol.
OSI Open System Interconnection
PE Processor Ethernet.
POP3 Post Office Protocol version 3.
RADIUS Remote Authentication Dial In User Service.
RAS Registration, Admission, Status.
RFC Request For Comments.
RPC Remote Procedure Call.
RSH Remote Shell
20
Term Meaning
Rsyslog Remote System Log
RTCP RTP Control Protocol.
RTP Real Time Transport Protocol.
SAMP Server Availability Management Processor.
SASL Simple Authentication and Security Layer.
SAT Station Administration Terminal.
SCP Secure Copy.
SCS Survivable Core Server, formerly called ESS.
SFTP Secure File Transfer Protocol.
SIP Session Initiation Protocol.
SME Server Maintenance Engine.
SMTP Simple Mail Transfer Protocol.
SNMP Simple Network Management Protocol.
SRS Survivable Remote Server, formerly called LSP
SSA Secure Services Agent.
SSH Secure Shell.
SSL Secure Sockets Layer.
TCP Transmission Control Protocol.
TFTP Trivial File Transfer Protocol.
TLS Transport Layer Security.
TTS Time To Service.
UDP User Datagram Protocol.
VLAN Virtual Local Area Network.
VOIP Voice Over Internet Protocol.
21

CommunicationManager6 3 6PortMatrix-165316 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CommunicationManager6 3 6PortMatrix-165316 PDF

Uploaded by

Copyright:

Available Formats

Avaya Port Matrix:

Updated for Communication

Defining TCP/IP Ports

Port Type Ranges

According to RFC 6335:

Well Known Ports

Avaya Server and Sockets

Understanding Firewall Types and Policy Creation

Matrix Headings Defined

S8xx0, R610, R620, DL360G7, DL360PG8 Media Servers

Source Destination Network/ Destination Source Traffic Purpose

Admin 1024 - 65535 CM 20 TCP / FTP – No No File Transfers (Data)

CM 1024 – 65535 IPSI 20 TCP / FTP – No No IPSI Firmware File

Admin 1024 - 65535 CM 21 TCP / FTP No No File Transfers

CM 1024 - 65535 IPSI 21 TCP / FTP No No IPSI Firmware File

Admin 1024 – 65535 CM 22 TCP / SSH, No No OS administration

Admin 1024 – 65535 CM 23 TCP / Telnet No No OS administration

Any 1024 – 65535 CMM 25 TCP / SMTP No No Message retrieval

CM or 1024 - 65535 DNS 53 UDP / DNS No No DNS Requests and

CM (server) 68 IPSI (client) 67 UDP / DHCP No No Dynamic Host Control

IPSI (client) 67 CM 68 UDP / DHCP No No Dynamic Host Control

CM 1024 – 65535 Services 69 UDP / TFTP No No Installs and Upgrades

IP Phone / 1024 – 2048 CM – 69 UDP / TFTP No No IP Phone and/or

Admin 1024 – 65535 CM 80 TCP / HTTP No No Avaya web

IP Phone 1024 – 2048 CM 81 TCP / HTTP No No HTTP IP Phone

Any 1024 – 65535 CMM 110 TCP / POP3 No No Message retrieval

Message 1024 – 65535 CMM 111 UDP / RPC No No Message Manager

Message 1024 – 65535 CMM 111 TCP / RPC No No Message Manager

CM 1024 – 65535 Network 123 UDP / NTP No No Network Time

CM 1024 - 65535 IPSI 123 UDP / NTP No No Network Time

IPSI 1024 – 65535 CM 123 UDP / NTP No No Network Time

CM / SCS / 1024 – 65535 CM 123 UDP / NTP No No Network Time

Any 1024 – 65535 CMM 143 TCP / IMAP4 No No Message retrieval

SNMP 1024 – 65535 CM 161 UDP / SNMP No No SNMP (server)

SNMP NMS 1024 – 65535 CLAN 161 UDP/SNMP No No SNMP agent

CM 1024 – 65535 SNMP 162 UDP / SNMP No No SNMP traps (client)

CLAN 1024-65535 SNMP 162 UDP/SNMP No No SNMP traps for

Gateway/ 1024 – 65535 CM 162 UDP/ SNMP No No SNMP traps (server)

Any 1024 – 65535 CMM 389 TCP / LDAP No No CMM LDAPFE

IP Phone 1024 – 2048 CM 411 TCP / HTTPS No No HTTPS IP Phone

Admin 1024 – 65535 CM 443 TCP / HTTPS No No Avaya web

Any 1024 – 65535 CMM 465 TCP / SSL, No No Secure message

CLAN, IPSI, 1024-65535 CM 514 UDP/SYSLOG Yes No TN Board Logging

CM 1024-65535 Rsyslog 514 UDP/Syslog Yes No Remote system log

CM / SCS / 512 – 1023 CM – SRS 514 TCP / RSH No No Legacy (CM1.3)

CM - SRS 514 CM / 512 - 1023 TCP / RSH No No Legacy Filesync

Any 1024 – 65535 CMM 636 TCP /SSL/ No No CMM LDAPFE

Any 1024 – 65535 CMM 993 TCP / IMAP4, No No Secure message

Any 1024 – 65535 CMM 995 TCP / POP3, No No Secure message

Any 1024 – 65535 CMM 8000-10000 UDP/RTP Yes No Audio record.

Message 1024 – 65535 CMM 1024 – UDP / No No Message Waiting

H.248 1024 – 65535 CM or 1039 TCP / No No Proprietary encrypted

CM/SAMP 1234 SAMP/ 1234 TCP/Modem No No Not used in CM 6.0

H.323 1024-5000 CM 1300 TLS / H.323 No No Encrypted H.323

CM 1024 – 65535 CM – 1332 UDP / DES No No Arbiter

H.323 49300 CM or 1719 UDP / H.225 No No Registration,

CM 1024-65535 CM or 1719 TCP/H.323 No No H.323 RAS for trunks

H.323 1500 – 6500 CM or 1720 TCP / H.323 No No H.323 signaling

CM (via 61440-61444 H.323 1720 TCP / H.323 No Yes TTS

CM 1024 - 65535 IPSI 1956 TCP / No No IPSI Command

Admin 1024 – 65535 CM 2222 TCP / SSH No No High Priority SSH

H.248 GW 1024 – 65535 CM or 2944 TCP / H.248 No No TLS encrypted H.248

H.248 GW 1024 – 65535 CM or 2945 TCP / H.248 No No Unencrypted H.248