Avaya Port Matrix: Avaya Aura Media Server 7.7
Avaya Port Matrix: Avaya Aura Media Server 7.7
Avaya Aura®
Media Server 7.7
Issue 0.2
June 05, 2017
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 1
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF
PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE AND FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS
OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL
ELIMINATE SECURITY THREATS TO CUSTOMERS’ SYSTEMS. AVAYA
INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES,
REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY
CIRCUMSTANCES BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL,
PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN.
THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF
PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE
OF THESE TERMS.
© 2017 Avaya Inc. All Rights Reserved. All trademarks identified by the ®
or ™ are registered trademarks or trademarks, respectively, of Avaya Inc.
All other trademarks are the property of their respective owners.
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 2
1. Avaya Aura Media Server Components
Data flows and their sockets are owned and directed by an application. For all applications, sockets are created
on the network interfaces on the server. For the purposes of firewall configuration, these sockets are sourced
from the server, so the firewall (iptables service) should be running on the same server. Application components
in the Media Server are listed as follows.
ivrmp All / service The Interactive Voice Response Media Processor. This component
address provides audio and video streaming, digit collection,
announcements/prompts, as well as Automatic Speech Recognition
(ASR) and Text to Speech (TTS) capabilities.
mmc Service The multimedia conductor. This component provides SIP signaling
address and session management capabilities to the other media server
components.
mysqld all The MySQL database management system. This component hosts
the database tables used to store the configuration and content used
by the Medi Server..
plicd all Provides legacy license capabilities.
sc all The session controller. This component performs session and
resource management for the media server. Additionally, it provides
the application interpreter for MSML services. It is the conduit for
communication between the application and media server resources.
soapserver all Handles SOAP requests for managing the Avaya Aura Media Server.
srp all This component is responsible for starting, stopping, monitoring, and
restarting core Media Server processes.
streamsource localhost This component provides streaming of pre-processed audio via local
file or streaming protocols.
vidmp Localhost / The Video Media Processor. This component provides video relaying,
service address switching, and thinning.
vxmli all This component fetches, interprets, and executes Voice XML (VXML)
2.0/2.1 compliant documents.
webua all / localhost The Web UserAgent component provides a RESTful control interface
for the Media Server.
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 3
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 4
2. Port Usage Tables
Source Port: This is the default layer-4 port number of the connection source. Valid values include: 0 – 65535. A
“(C)” next to the port number means that the port number is configurable.
Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values
include: 0 – 65535. A “(C)” next to the port number means that the port number is configurable.
Network/Application Protocol: This is the name associated with the layer-4 protocol and layers-5-7 application.
Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-4 port
changing its default port setting. Valid values include: Yes or No
“No” means the default port state cannot be changed (e.g. enable or disabled).
“Yes” means the default port state can be changed and that the port can either be enabled or disabled.
Firewall State: The default firewall state for an AAMS appliance or OVA installation.
Description: Connection details. Add a reference to refer to the Notes section after each table for specifics on
any of the row data, if necessary.
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 5
2.2 Port Tables
Below are the tables which document the port usage for this product.
Other Media Ephemeral AAMS 3306 TCP/Propri No Open/ Database replication (MySQL)
Servers in Cluster etary Allowed
Admin terminal or Ephemeral Host 3389 TCP/RDP Yes Open/ Remote desktop access to server (Windows)
SAL Gateway Platform Blocked
N/A Ephemeral AAMS 5997 TCP/Propri No Open/ Internal AAMS communication (srp)
etary Blocked
N/A Ephemeral AAMS 5998 TCP/Propri No Open/ Internal AAMS communication (srp)
etary Blocked
N/A Ephemeral AAMS 5999 TCP/Propri No Open/ Internal AAMS communication (srp)
etary Blocked
External Ephemeral AAMS 7150 TCP/HTTP Yes Closed/ HTTP RESTful control interface
Application Server Allowed
External Ephemeral AAMS 7151 TCP/HTTPS No Open/ HTTPS RESTful control interface
Application Server Allowed
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 6
Source Destination Default
Network / Port
System System Port Optionally
Port Application State/Fir Description
(Configurable (Configurable Enabled? ewall
Protocol
Range) Range) State
External Ephemeral AAMS 7410 TCP/SOAP Yes Open/ SOAP control interface
Management Allowed
Server
Admin terminal or Ephemeral AAMS 8080 TCP/HTTPS Yes Open/ HTTPS access to AAMS Element Manager
SAL Gateway Allowed
Admin terminal or Ephemeral AAMS 8443 TCP/HTTPS No Open/ HTTPS access to AAMS Element Manager
SAL Gateway Allowed
Other Media Ephemeral AAMS 19999 TCP/Propri No Open/ IvrMP Stream Source data
Servers in Cluster etary Allowed
N/A Ephemeral AAMS 20011 TCP/Propri No Open/ Internal AAMS communication (sc)
etary Blocked
N/A Ephemeral AAMS 21000 TCP/Propri Yes Open/ Internal AAMS communication (vxml)
etary Blocked
N/A Ephemeral AAMS 21001 TCP/Propri Yes Open/ Internal AAMS communication (vxml)
etary Blocked
N/A Ephemeral AAMS 21010- TCP/Propri Yes Closed/ Internal AAMS communication (vxml)
21031 etary Blocked
NTP Server Ephemeral AAMS 123 UDP/NTP No Open/ Network Time Protocol communication
Allowed
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 7
Source Destination Default
Network / Port
System System Port Optionally
Port Application State/Fir Description
(Configurable (Configurable Enabled? ewall
Protocol
Range) Range) State
Admin terminal or Ephemeral AAMS 161-162 UDP/SNMP No Open/ SNMP data and traps
SAL Gateway (0-65536) Allowed
N/A Ephemeral AAMS 1027 UDP/Propri No Open/ Internal AAMS communication (plicd)
etary Blocked
SIP Servers Ephemeral AAMS 5060 UDP/SIP Yes Closed/ SIP UDP signaling traffic
Allowed
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 8
Table 2. Ports for Service Address (Host or HA service address)
Source Destination
Network / Optionally Default
System Port System Port Application Enabled / Port Description
(Configurable (Configurable Protocol Disabled? State
Range) Range)
Other Media Ephemeral AAMS 1028 TCP/Propri Yes Closed/ Proprietary AAMS communication (for high
Servers in Cluster etary Allowed availability)
Other Media Ephemeral AAMS 4005 TCP/Propri No Open/ Proprietary AAMS communication (sc)
Servers in Cluster etary Allowed
SIP Servers Ephemeral AAMS 5060 TCP/SIP Yes Open/ SIP over TCP signaling traffic
Allowed
SIP Servers Ephemeral AAMS 5061 TCP/SIP TLS Yes Open/ SIP over TLS signaling traffic
Allowed
N/A Ephemeral AAMS 7081 TCP/Propri Yes Closed/ Internal AAMS communication (VidMP)
etary Blocked
Other Media Ephemeral AAMS 20005 TCP/Propri No Open/ Proprietary AAMS communication (cstore)
Servers in Cluster etary Allowed
Other Media Ephemeral AAMS 20007 TCP/Propri No Open/ Proprietary AAMS communication (cstore)
Servers in Cluster etary Allowed
Other Media Ephemeral AAMS 20009 TCP/Propri No Open/ Proprietary AAMS communication (IvrMP)
Servers in Cluster etary Allowed
Other Media Ephemeral AAMS 1028 UDP/Propri Yes Closed/ Proprietary AAMS communication (for high
Servers in Cluster etary Blocked availability)
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 9
Source Destination
Network / Optionally Default
System Port System Port Application Enabled / Port Description
(Configurable (Configurable Protocol Disabled? State
Range) Range)
SIP Endpoints Ephemeral AAMS 6000- UDP/RTP No Open/ RTP and SRTP media traffic. The RTP port
32598 Allowed range can be configured within AAMS
Element Manager, but the ports used must
fall within this range and there must be
enough ports for 2 times the desired audio,
video and WebRTC session capacity.
Source Destination
Network / Optionally Default
System Port System Port Application Enabled / Port Description
(Configurable (Configurable Protocol Disabled? State
Range) Range)
N/A Ephemeral AAMS 199 TCP/SNMP No Open SNMP data and traps
N/A Ephemeral AAMS 4001 TCP/Propri No Open Internal AAMS communication (IvrMP)
etary
N/A Ephemeral AAMS 4004 TCP/Propri No Open Internal AAMS communication (mmc)
etary
N/A Ephemeral AAMS 4011 TCP/Propri No Open Internal AAMS communication (IvrMP)
etary
N/A Ephemeral AAMS 4014 TCP/Propri No Open Internal AAMS communication (mmc)
etary
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 10
Source Destination
Network / Optionally Default
System Port System Port Application Enabled / Port Description
(Configurable (Configurable Protocol Disabled? State
Range) Range)
N/A Ephemeral AAMS 4015 TCP/Propri No Open Internal AAMS communication (sc)
etary
N/A Ephemeral AAMS 4016 TCP/Propri No Open Internal AAMS communication (VidMP)
etary
N/A Ephemeral AAMS 7080 TCP/Propri No Open Internal AAMS communication (ConfMP)
etary
N/A Ephemeral AAMS 7093 TCP/Propri Yes Open Internal AAMS communication (FntMP)
etary
N/A Ephemeral AAMS 7094 TCP/Propri Yes Open Internal AAMS communication (FntMP)
etary
N/A Ephemeral AAMS 7149 TCP/Propri No Open Internal AAMS communication (WebUA)
etary
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 11
3. Port Usage Diagram
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Session Manager 6.1 12
Appendix A: Overview of TCP/IP Ports
Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP
and UDP streams have an IP address and port number for both source and destination IP devices. The
pairing of an IP address and a port number is called a socket (discussed later). Therefore, each data
stream is uniquely identified with two sockets. Source and destination sockets must be known by the
source before a data stream can be sent to the destination. Some destination ports are “open” to receive
data streams and are called “listening” ports. Listening ports actively wait for a source (client) to make
contact to a destination (server) using a specific port that has a known protocol associate with that port
number. HTTPS, as an example, is assigned port number 443. When a destination IP device is
contacted by a source device using port 443, the destination uses the HTTPS protocol for that data
stream conversation.
The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and
are found here: http://www.iana.org/assignments/port-numbers.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 13
waiting for an email session, etc. These ports are tied to a well understood application and range from 0
to 1023.
In UNIX and Linux operating systems, only root may open or close a well-known port. Well Known Ports
are also commonly referred to as “privileged ports”.
Registered Ports
Unlike well known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports
in this range for call control. Some, but not all, ports used by Avaya in this range include: 1719/1720 for H.323, 5060/5061 for SIP, 2944 for
H.248 and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses
these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different
meanings.
Dynamic Ports
Dynamic ports, sometimes called “private ports”, are available to use for any general purpose. This means there are no meanings associated
with these ports (similar to RFC 1918 IP Address Usage). These are the safest ports to use because no application types are linked to these
ports. The dynamic port range is 49152 – 65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number
associated with the IP address. A data flow, or conversation, requires two sockets – one at the source device and one at the destination
device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is
unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address.
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14.1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345
Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair.
Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the
first socket differs, the data flow is unique.
Therefore, if one IP address octet changes, or one port number changes, the data flow is unique.
Figure 1. Socket example showing ingress and egress data flows from a PC to a web server
Notice the client egress stream includes the client’s source IP and socket (1369) and the destination IP
and socket (80). The ingress stream has the source and destination information reversed because the
ingress is coming from the server.
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Session Manager 6.1 14
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
Packet Filtering
Application Level Gateways (Proxy Servers)
Hybrid (Stateful Inspection)
Packet Filtering is the most basic form of the firewalls. Each packet that arrives or leaves the network has
its header fields examined against criterion to either drop the packet or let it through. Routers configured
with Access Control Lists (ACL) use packet filtering. An example of packet filtering is preventing any
source device on the Engineering subnet to telnet into any device in the Accounting subnet.
Application level gateways (ALG) act as a proxy, preventing a direct connection between the foreign
device and the internal destination device. ALGs filter each individual packet rather than blindly copying
bytes. ALGs can also send alerts via email, alarms or other methods and keep log files to track
significant events.
Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and
making sure they are valid. In addition to looking at headers, the content of the packet, up through the
application layer, is examined. A stateful inspection firewall also monitors the state of the connection and
compiles the information in a state table. Stateful inspection firewalls close off ports until the connection
1
to the specific port is requested. This is an enhancement to security against port scanning .
Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict
access using IP addresses, port numbers and application types and sub-types.
This paper is focused with identifying the port numbers used by Avaya products so effective firewall
policies can be created without disrupting business communications or opening unnecessary access into
the network.
Knowing that the source column in the following matrices is the socket initiator is key in building some
types of firewall policies. Some firewalls can be configured to automatically create a return path through
the firewall if the initiating source is allowed through. This option removes the need to enter two firewall
rules, one for each stream direction, but can also raise security concerns.
Another feature of some firewalls is to create an umbrella policy that allows access for many independent
data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by
placing endpoints and the servers that serve those endpoints in the same firewall zone.
1
The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a
computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but
port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Media Server 7.7 15
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.
June 2017 Avaya Port Matrix: Avaya Aura® Session Manager 6.1 16