
Avaya Port Matrix

Avaya Aura®
Media Server 7.7

Issue 0.2
June 05, 2017

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 1
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF
PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE AND FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS
OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL
ELIMINATE SECURITY THREATS TO CUSTOMERS’ SYSTEMS. AVAYA
INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES,
REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY
CIRCUMSTANCES BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL,
PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN.
THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF
PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE
OF THESE TERMS.

© 2017 Avaya Inc. All Rights Reserved. All trademarks identified by the ®
or ™ are registered trademarks or trademarks, respectively, of Avaya Inc.
All other trademarks are the property of their respective owners.

1. Avaya Aura Media Server Components
Data flows and their sockets are owned and directed by an application. For all applications, sockets are created
on the network interfaces on the server. For the purposes of firewall configuration, these sockets are sourced
from the server, so the firewall (iptables service) should be running on the same server. Application components
in the Media Server are listed as follows.

Component | Interface | Description
--- | --- | ---
confmp | Localhost / service address | The Conference Media Processor. This component is responsible for audio/video conferencing and session anchoring for the rest of the system.
cstore | Service address | This component provides reliable persistent storage of generic multimedia content.
fntmp | Localhost / service address | The Firewall NAT Tunneling Media Processor. This component manages the external media streams with ICE protocol support (WebRTC interop). It relays the media streams to the other internal media processing components.
ivrmp | All / service address | The Interactive Voice Response Media Processor. This component provides audio and video streaming, digit collection, announcements/prompts, as well as Automatic Speech Recognition (ASR) and Text to Speech (TTS) capabilities.
mmc | Service address | The multimedia conductor. This component provides SIP signaling and session management capabilities to the other media server components.
mysqld | All | The MySQL database management system. This component hosts the database tables used to store the configuration and content used by the Media Server.
plicd | All | Provides legacy license capabilities.
sc | All | The session controller. This component performs session and resource management for the media server. Additionally, it provides the application interpreter for MSML services. It is the conduit for communication between the application and media server resources.
soapserver | All | Handles SOAP requests for managing the Avaya Aura Media Server.
srp | All | This component is responsible for starting, stopping, monitoring, and restarting core Media Server processes.
streamsource | Localhost | This component provides streaming of pre-processed audio via local file or streaming protocols.
vidmp | Localhost / service address | The Video Media Processor. This component provides video relaying, switching, and thinning.
vxmli | All | This component fetches, interprets, and executes Voice XML (VXML) 2.0/2.1 compliant documents.
webua | All / localhost | The Web UserAgent component provides a RESTful control interface for the Media Server.

2. Port Usage Tables

2.1 Port Usage Table Heading Definitions


Source System: System name or type that initiates connection requests.

Source Port: This is the default layer-4 port number of the connection source. Valid values include: 0 – 65535. A
“(C)” next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values
include: 0 – 65535. A “(C)” next to the port number means that the port number is configurable.

Network/Application Protocol: This is the name associated with the layer-4 protocol and layers-5-7 application.

Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values include: Yes or No.
“No” means the default port state cannot be changed (i.e. the port cannot be enabled or disabled).
“Yes” means the default port state can be changed, so the port can be either enabled or disabled.

Default Port State: A port is either open, closed or filtered.

• Open ports will respond to queries.
• Closed ports may or may not respond to queries and are only listed when they can be optionally enabled.
• Filtered ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP ports will respond to queries, but will not allow connectivity.

Firewall State: The default firewall state for an AAMS appliance or OVA installation.

Description: Connection details. Add a reference to refer to the Notes section after each table for specifics on
any of the row data, if necessary.

2.2 Port Tables
Below are the tables which document the port usage for this product.

Table 1. Ports for All Addresses (binds to 0.0.0.0)

Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network / Application Protocol | Optionally Enabled? | Default Port State / Firewall State | Description
--- | --- | --- | --- | --- | --- | --- | ---
Admin terminal or SAL Gateway | Ephemeral | Host platform | 22 | TCP/SSH | No | Open / Allowed | System management requiring shell access (Linux)
Other Media Servers in Cluster | Ephemeral | AAMS | 3306 | TCP/Proprietary | No | Open / Allowed | Database replication (MySQL)
Admin terminal or SAL Gateway | Ephemeral | Host platform | 3389 | TCP/RDP | Yes | Open / Blocked | Remote desktop access to server (Windows)
N/A | Ephemeral | AAMS | 5997 | TCP/Proprietary | No | Open / Blocked | Internal AAMS communication (srp)
N/A | Ephemeral | AAMS | 5998 | TCP/Proprietary | No | Open / Blocked | Internal AAMS communication (srp)
N/A | Ephemeral | AAMS | 5999 | TCP/Proprietary | No | Open / Blocked | Internal AAMS communication (srp)
External Application Server | Ephemeral | AAMS | 7150 | TCP/HTTP | Yes | Closed / Allowed | HTTP RESTful control interface
External Application Server | Ephemeral | AAMS | 7151 | TCP/HTTPS | No | Open / Allowed | HTTPS RESTful control interface
External Management Server | Ephemeral | AAMS | 7410 | TCP/SOAP | Yes | Open / Allowed | SOAP control interface
External Management Server | Ephemeral | AAMS | 7411 | TCP/SOAP | No | Open / Allowed | SOAP control interface
Admin terminal or SAL Gateway | Ephemeral | AAMS | 8080 | TCP/HTTPS | Yes | Open / Allowed | HTTPS access to AAMS Element Manager
Admin terminal or SAL Gateway | Ephemeral | AAMS | 8443 | TCP/HTTPS | No | Open / Allowed | HTTPS access to AAMS Element Manager
Other Media Servers in Cluster | Ephemeral | AAMS | 19999 | TCP/Proprietary | No | Open / Allowed | IvrMP Stream Source data
N/A | Ephemeral | AAMS | 20011 | TCP/Proprietary | No | Open / Blocked | Internal AAMS communication (sc)
N/A | Ephemeral | AAMS | 21000 | TCP/Proprietary | Yes | Open / Blocked | Internal AAMS communication (vxml)
N/A | Ephemeral | AAMS | 21001 | TCP/Proprietary | Yes | Open / Blocked | Internal AAMS communication (vxml)
N/A | Ephemeral | AAMS | 21010-21031 | TCP/Proprietary | Yes | Closed / Blocked | Internal AAMS communication (vxml)
NTP Server | Ephemeral | AAMS | 123 | UDP/NTP | No | Open / Allowed | Network Time Protocol communication
Admin terminal or SAL Gateway | Ephemeral | AAMS | 161-162 (0-65536) | UDP/SNMP | No | Open / Allowed | SNMP data and traps
N/A | Ephemeral | AAMS | 1027 | UDP/Proprietary | No | Open / Blocked | Internal AAMS communication (plicd)
SIP Servers | Ephemeral | AAMS | 5060 | UDP/SIP | Yes | Closed / Allowed | SIP UDP signaling traffic

Table 2. Ports for Service Address (Host or HA service address)

Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network / Application Protocol | Optionally Enabled / Disabled? | Default Port State / Firewall State | Description
--- | --- | --- | --- | --- | --- | --- | ---
Other Media Servers in Cluster | Ephemeral | AAMS | 1028 | TCP/Proprietary | Yes | Closed / Allowed | Proprietary AAMS communication (for high availability)
Other Media Servers in Cluster | Ephemeral | AAMS | 4005 | TCP/Proprietary | No | Open / Allowed | Proprietary AAMS communication (sc)
SIP Servers | Ephemeral | AAMS | 5060 | TCP/SIP | Yes | Open / Allowed | SIP over TCP signaling traffic
SIP Servers | Ephemeral | AAMS | 5061 | TCP/SIP TLS | Yes | Open / Allowed | SIP over TLS signaling traffic
N/A | Ephemeral | AAMS | 7081 | TCP/Proprietary | Yes | Closed / Blocked | Internal AAMS communication (VidMP)
Other Media Servers in Cluster | Ephemeral | AAMS | 20005 | TCP/Proprietary | No | Open / Allowed | Proprietary AAMS communication (cstore)
Other Media Servers in Cluster | Ephemeral | AAMS | 20007 | TCP/Proprietary | No | Open / Allowed | Proprietary AAMS communication (cstore)
Other Media Servers in Cluster | Ephemeral | AAMS | 20009 | TCP/Proprietary | No | Open / Allowed | Proprietary AAMS communication (IvrMP)
Other Media Servers in Cluster | Ephemeral | AAMS | 1028 | UDP/Proprietary | Yes | Closed / Blocked | Proprietary AAMS communication (for high availability)
SIP Endpoints | Ephemeral | AAMS | 6000-32598 | UDP/RTP | No | Open / Allowed | RTP and SRTP media traffic. The RTP port range can be configured within AAMS Element Manager, but the ports used must fall within this range and there must be enough ports for 2 times the desired audio, video and WebRTC session capacity.

Table 3. Ports for Local Address (loopback)

Source System | Source Port (Configurable Range) | Destination System | Destination Port (Configurable Range) | Network / Application Protocol | Optionally Enabled / Disabled? | Default Port State | Description
--- | --- | --- | --- | --- | --- | --- | ---
N/A | Ephemeral | AAMS | 199 | TCP/SNMP | No | Open | SNMP data and traps
N/A | Ephemeral | AAMS | 4001 | TCP/Proprietary | No | Open | Internal AAMS communication (IvrMP)
N/A | Ephemeral | AAMS | 4004 | TCP/Proprietary | No | Open | Internal AAMS communication (mmc)
N/A | Ephemeral | AAMS | 4011 | TCP/Proprietary | No | Open | Internal AAMS communication (IvrMP)
N/A | Ephemeral | AAMS | 4014 | TCP/Proprietary | No | Open | Internal AAMS communication (mmc)
N/A | Ephemeral | AAMS | 4015 | TCP/Proprietary | No | Open | Internal AAMS communication (sc)
N/A | Ephemeral | AAMS | 4016 | TCP/Proprietary | No | Open | Internal AAMS communication (VidMP)
N/A | Ephemeral | AAMS | 7080 | TCP/Proprietary | No | Open | Internal AAMS communication (ConfMP)
N/A | Ephemeral | AAMS | 7093 | TCP/Proprietary | Yes | Open | Internal AAMS communication (FntMP)
N/A | Ephemeral | AAMS | 7094 | TCP/Proprietary | Yes | Open | Internal AAMS communication (FntMP)
N/A | Ephemeral | AAMS | 7149 | TCP/Proprietary | No | Open | Internal AAMS communication (WebUA)
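The following Python script is an added example; it is not Avaya code and not an Avaya procedure. It transcribes a subset of the rows from Tables 1 and 2 above, renders an iptables INPUT rule for each flow the matrix marks Allowed (the source CIDRs are constructed placeholders, since the matrix names source systems rather than addresses), lists the ports that are Open by default but Blocked by the host firewall so that an auditor knows what to expect in a listening-socket inventory but not from the network, and checks a configured RTP range against the two-ports-per-session rule stated for the 6000-32598 range.

```python
"""Render host-firewall rules from a port-matrix excerpt and validate an RTP range.

Added example; not Avaya code. Rows are transcribed from Tables 1 and 2 of
the port matrix. The iptables text is one administrator's translation of
the matrix (an assumption), not a vendor-supplied rule set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRow:
    source: str          # Source System column
    proto: str           # layer-4 protocol: "tcp" or "udp"
    ports: str           # destination port or "low-high" range
    port_state: str      # "Open" or "Closed"
    firewall: str        # "Allowed" or "Blocked"
    description: str


# Transcribed subset of Table 1 (binds to 0.0.0.0) and Table 2 (service address).
MATRIX = [
    PortRow("Admin terminal or SAL Gateway", "tcp", "22", "Open", "Allowed", "SSH"),
    PortRow("Other Media Servers in Cluster", "tcp", "3306", "Open", "Allowed", "MySQL replication"),
    PortRow("Admin terminal or SAL Gateway", "tcp", "3389", "Open", "Blocked", "RDP (Windows)"),
    PortRow("N/A", "tcp", "5997", "Open", "Blocked", "srp"),
    PortRow("External Application Server", "tcp", "7150", "Closed", "Allowed", "HTTP REST"),
    PortRow("External Application Server", "tcp", "7151", "Open", "Allowed", "HTTPS REST"),
    PortRow("Admin terminal or SAL Gateway", "tcp", "8443", "Open", "Allowed", "Element Manager"),
    PortRow("SIP Servers", "tcp", "5061", "Open", "Allowed", "SIP over TLS"),
    PortRow("SIP Endpoints", "udp", "6000-32598", "Open", "Allowed", "RTP/SRTP media"),
    PortRow("N/A", "tcp", "21010-21031", "Closed", "Blocked", "vxml"),
]

RTP_RANGE = (6000, 32598)   # fixed outer bounds from Table 2


def iptables_rules(rows, trusted_sources):
    """Emit one iptables INPUT rule per row whose firewall state is Allowed.

    trusted_sources maps a Source System name to a CIDR. Rows whose source
    is not in the map (N/A rows are internal to the server) are skipped.
    A "low-high" range becomes iptables' "low:high" --dport syntax.
    """
    rules = []
    for row in rows:
        if row.firewall != "Allowed":
            continue
        cidr = trusted_sources.get(row.source)
        if cidr is None:
            continue
        dport = row.ports.replace("-", ":")
        rules.append(
            f"-A INPUT -s {cidr} -p {row.proto} --dport {dport} -j ACCEPT"
            f"  # {row.description}"
        )
    return rules


def open_but_blocked(rows):
    """Ports the service listens on that the default host firewall hides.

    These should appear in a local listening-socket listing but must not
    be reachable from the network; a reachable one is a firewall defect.
    """
    return [r.ports for r in rows if r.port_state == "Open" and r.firewall == "Blocked"]


def rtp_range_ok(low, high, sessions):
    """Check a configured RTP range against the Table 2 rule.

    The range must stay within 6000-32598 and hold at least two ports per
    desired session (audio, video and WebRTC capacity combined).
    """
    if low > high or low < RTP_RANGE[0] or high > RTP_RANGE[1]:
        return False
    return (high - low + 1) >= 2 * sessions


if __name__ == "__main__":
    # Constructed CIDRs for the trusted source systems; not from the matrix.
    sources = {
        "Admin terminal or SAL Gateway": "10.0.1.0/24",
        "Other Media Servers in Cluster": "10.0.2.0/24",
        "External Application Server": "10.0.3.10/32",
        "SIP Servers": "10.0.4.0/24",
        "SIP Endpoints": "10.0.0.0/8",
    }
    for rule in iptables_rules(MATRIX, sources):
        print(rule)
    print("open but firewall-blocked:", open_but_blocked(MATRIX))
    print("RTP 6000-6999 for 500 sessions:", rtp_range_ok(6000, 6999, 500))
```

The 7150 row shows why both columns matter: the firewall admits it, but the port is Closed by default, so the rule only takes effect if the HTTP interface is optionally enabled; conversely the 3389 and 5997 rows are listening sockets that the firewall, not the service, keeps off the network.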

3. Port Usage Diagram

Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?


TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic
arriving at a particular IP device to the correct upper layer application. These ports are logical descriptors
(numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC.
Multiple applications may be simultaneously receiving information. In this example, email may use
destination TCP port 25, a browser may use destination TCP port 80 and a telnet session may use
destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data
packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to
the correct high-level application because the port numbers identify which application each data
mini-stream belongs to. Every IP device has incoming (Ingress) and outgoing (Egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP
and UDP streams have an IP address and port number for both source and destination IP devices. The
pairing of an IP address and a port number is called a socket (discussed later). Therefore, each data
stream is uniquely identified with two sockets. Source and destination sockets must be known by the
source before a data stream can be sent to the destination. Some destination ports are “open” to receive
data streams and are called “listening” ports. Listening ports actively wait for a source (client) to make
contact with a destination (server) using a specific port that has a known protocol associated with that port
number. HTTPS, as an example, is assigned port number 443. When a destination IP device is
contacted by a source device using port 443, the destination uses the HTTPS protocol for that data
stream conversation.

Port Type Ranges


Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic Ports
(sometimes called Private Ports).

Well Known Ports are those numbered from 0 through 1023.

Registered Ports are those numbered from 1024 through 49151.

Dynamic Ports are those numbered from 49152 through 65535.

The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and
are found here: http://www.iana.org/assignments/port-numbers.

Well Known Ports


For the purpose of providing services to unknown clients, a service listen port is defined. This port is
used by the server process as its listen port. Common services often use listen ports in the well known
port range. A well known port is normally active, meaning that it is “listening” for any traffic destined for a
specific application. For example, well known port 23 on a server is actively waiting for a data source to
contact the server IP address using this port number to establish a Telnet session. Well known port 25 is
waiting for an email session, etc. These ports are tied to a well understood application and range from 0
to 1023.

In UNIX and Linux operating systems, only root may open or close a well-known port. Well Known Ports
are also commonly referred to as “privileged ports”.

Registered Ports
Unlike well known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports
in this range for call control. Some, but not all, ports used by Avaya in this range include: 1719/1720 for H.323, 5060/5061 for SIP, 2944 for
H.248 and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses
these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different
meanings.
Dynamic Ports
Dynamic ports, sometimes called “private ports”, are available to use for any general purpose. This means there are no meanings associated
with these ports (similar to RFC 1918 IP Address Usage). These are the safest ports to use because no application types are linked to these
ports. The dynamic port range is 49152 – 65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number
associated with the IP address. A data flow, or conversation, requires two sockets – one at the source device and one at the destination
device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is
unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address.
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair.
Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the
first socket differs, the data flow is unique.
Therefore, if one IP address octet changes, or one port number changes, the data flow is unique.

Socket Example Diagram

Figure 1. Socket example showing ingress and egress data flows from a PC to a web server (diagram not reproduced; the two flows it shows are listed here)

Client HTTP-Get (egress): Source 192.168.1.10:1369 -> Destination 10.10.10.47:80 (Web Server)
TCP-info (ingress): Source 10.10.10.47:80 -> Destination 192.168.1.10:1369

Notice the client egress stream includes the client’s source IP and socket (1369) and the destination IP
and socket (80). The ingress stream has the source and destination information reversed because the
ingress is coming from the server.

Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:

• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of the firewalls. Each packet that arrives or leaves the network has
its header fields examined against criterion to either drop the packet or let it through. Routers configured
with Access Control Lists (ACL) use packet filtering. An example of packet filtering is preventing any
source device on the Engineering subnet to telnet into any device in the Accounting subnet.

Application level gateways (ALG) act as a proxy, preventing a direct connection between the foreign
device and the internal destination device. ALGs filter each individual packet rather than blindly copying
bytes. ALGs can also send alerts via email, alarms or other methods and keep log files to track
significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and
making sure they are valid. In addition to looking at headers, the content of the packet, up through the
application layer, is examined. A stateful inspection firewall also monitors the state of the connection and
compiles the information in a state table. Stateful inspection firewalls close off ports until the connection
to the specific port is requested. This is an enhancement to security against port scanning.[1]

Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict
access using IP addresses, port numbers and application types and sub-types.

This paper is focused on identifying the port numbers used by Avaya products so that effective firewall
policies can be created without disrupting business communications or opening unnecessary access into
the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some
types of firewall policies. Some firewalls can be configured to automatically create a return path through
the firewall if the initiating source is allowed through. This option removes the need to enter two firewall
rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent
data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by
placing endpoints and the servers that serve those endpoints in the same firewall zone.
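The Python script below is an added example, not Avaya's code or any firewall product's logic. It puts two passages of this appendix into runnable form: the "Sockets" section (a flow is identified by its source and destination ip:port sockets, so the three data flows listed there are distinct) and the "Firewall Policies" observation above that some firewalls create the return path automatically once the initiating direction is allowed. It contrasts that stateful behaviour with plain packet filtering, where an explicit reverse rule is needed and that rule also admits unsolicited packets. The Figure 1 sockets are taken from the text; the extra client port, the policy entries and the rule sets are constructed for the example.

```python
"""Toy stateful packet filter built on ip:port socket pairs.

Added example; not Avaya code and not a firewall product's logic. The
three PAGE_FLOWS and the Figure 1 sockets come from the port-matrix
appendix; every other address, port, rule and packet is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Socket:
    """One end of a flow: the pairing of an IP address with a port number."""
    ip: str
    port: int


def parse_socket(text):
    """Parse 'ip:port'. A dotted quad with no ':' separator is rejected."""
    ip, sep, port = text.strip().rpartition(":")
    if sep != ":" or ip.count(".") != 3 or not port.isdigit():
        raise ValueError(f"not an ip:port socket: {text!r}")
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return Socket(ip, port)


def parse_flow(text):
    """Parse 'src_ip:port - dst_ip:port' into a (source, destination) pair."""
    src, dst = text.split("-", 1)
    return parse_socket(src), parse_socket(dst)


def distinct_flows(lines):
    """Count flows that differ in at least one of the four elements."""
    return len({parse_flow(line) for line in lines})


def stateless_decide(rules, proto, src, dst):
    """Packet filtering: each packet is judged on its own header fields.

    rules are (proto, src_port, dst_port) with None as a wildcard. To let
    replies back in, a second rule for the reverse direction is required,
    and that rule also admits packets nobody asked for.
    """
    for rule_proto, sport, dport in rules:
        if rule_proto == proto and sport in (None, src.port) and dport in (None, dst.port):
            return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Stateful inspection: record flows the policy allowed to start, then
    admit the reverse direction only for a recorded flow."""

    def __init__(self, allow):
        self.allow = set(allow)   # (proto, dst_ip, dst_port) an initiator may open
        self.state = set()        # established flows as (proto, src, dst)

    def decide(self, proto, src, dst):
        if (proto, dst, src) in self.state:
            return "ACCEPT (established)"
        if (proto, dst.ip, dst.port) in self.allow:
            self.state.add((proto, src, dst))
            return "ACCEPT (new)"
        return "DROP"


# The three data flows from the Sockets section, in ip:port form.
PAGE_FLOWS = [
    "172.16.16.14:1234 - 10.1.2.3:2345",
    "172.16.16.14:1235 - 10.1.2.3:2345",
    "172.16.16.14:1234 - 10.1.2.4:2345",
]

if __name__ == "__main__":
    print("distinct flows:", distinct_flows(PAGE_FLOWS))
    client, server = parse_flow("192.168.1.10:1369 - 10.10.10.47:80")  # Figure 1
    stranger = Socket("192.168.1.10", 2000)   # constructed: a port the client never used

    fw = StatefulFilter({("tcp", "10.10.10.47", 80)})
    print("client GET      :", fw.decide("tcp", client, server))
    print("server reply    :", fw.decide("tcp", server, client))
    print("unsolicited :80 :", fw.decide("tcp", server, stranger))

    rules = {("tcp", None, 80), ("tcp", 80, None)}  # forward rule + explicit return rule
    print("stateless, unsolicited :80:", stateless_decide(rules, "tcp", server, stranger))
```

The state table is keyed on the full socket pair, which is why the reply from 10.10.10.47:80 to 192.168.1.10:1369 is admitted while the same server talking to 192.168.1.10:2000 is not; the stateless filter cannot make that distinction, because its reverse rule has to match on the server port alone.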

[1] The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a
computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but
port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.