Avaya Port Matrix

Avaya Aura®
Communication Manager
8.1.0

Issue 1.1
May 1, 2019

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 1
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF
PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE AND FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS
OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL
ELIMINATE SECURITY THREATS TO CUSTOMERS’ SYSTEMS. AVAYA
INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES,
REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY
CIRCUMSTANCES BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL,
PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN.
THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF
PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE
OF THESE TERMS.

© 2019 Avaya Inc. All Rights Reserved. All trademarks identified by the ®
or ™ are registered trademarks or trademarks, respectively, of Avaya Inc.
All other trademarks are the property of their respective owners.

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 2
 1. Communication Manager Components
Data flows and their sockets are owned and directed by an application. It is possible for a server to have more
than one application, but this document only covers the CM application, not other applications running in separate
virtual machines under VMware on the same hardware. For the CM application, sockets are created on the
network interfaces, but these may not be sourced from the server. The source may be the server's Processor
Ethernet (PE), but it may be another network element such as a CLAN circuit pack. For the purposes of firewall
configuration, these sockets are sourced from the server, so the firewall (iptables service) should be running on
the same server.

Component Interface Description

CM Ethernet All traffic
The above table says only "Ethernet", but that interface may be either CM's Processor Ethernet or the Ethernet
interface on a CLAN circuit pack. Each of the various Avaya CM servers have a number of network interfaces (up
to 5), each of which has its own IP address. The following table illustrates how different processor models make
use of various network interfaces (NICs). In the table below, the first number in an entry is an IP address and the
second the maximum supported speed in megabits per second. Interfaces assigned addresses 192.11.13.6 are
for the Avaya Services Laptop, labeled "eth2" in the table. Interfaces assigned address 192.11.13.13 or
192.11.13.14 are for the server duplication link, labeled "eth3" in the table. Addresses of the form 127.0.0.0/8 are
'host loopback' or 'internal' addresses. Addresses marked "administered" are assigned by the customer from the
customer's network.

Note: IP addresses for the Ethernet ports in this table are shown as examples only.

Interface1 S8300D S8300E R610, R620, DL360G7, DL360PG8 R610, R620, DL360G7, DL360PG8
(Simplex) (Duplex)
eth0 192.11.13.6 192.11.13.6 administered administered
1000 1000 1000 1000
eth0:0 -- -- -- --
eth1 inet6 inet6 192.11.13.6 192.11.13.6
1000 1000 1000 1000
eth1.0000 135.9.71.116 135.9.71.116 -- --
eth1.4093 169.254.1.31 169.254.1.31 -- --
eth2 -- administered administered administered
1000 1000 1000
eth2:0 -- -- -- --
eth3 -- -- -- 192.11.13.13 (Server 1) and 192.11.13.14
(Server 2)
1000
eth3:0 -- -- -- --
eth4 -- -- -- --
eth4:0 -- -- -- --

1.1 Document Change History

EVENT DOCUMENT DATE CHANGE DESCRIPTION

Version 1.0 issued for a new CM 18 Apr 2019 Document stored as <190586>.
R8.1 minor release
A summary of changes:

• Syslog over TLS uses TCP port 6514.

1 A colon in the interface name indicates an alias. A period in the interface name indicates a vlan.

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 3
 • CM Array feature uses TCP port 2376 for
communication between Docker
daemons.
• CM Array feature uses TCP port 9988 for
communication between a container
(Kafka) client and the container Broker.

Version 1.1 was re-edited to A summary of changes:

correct some document errors.
• Removed port 81. We have not
supported HTTP IP phone updates for
many years!
• Updated the Port Matrix diagram to
move “Array Kafka” to point to “Other”
block.

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 4
Port Usage Tables

1.2 Port Usage Table Heading Definitions

Source System: System name or type that initiates connection requests.

Source Port: This is the default layer-4 port number of the connection source. Valid values include: 0 – 65535. A
“(C)” next to the port number means that the port number is configurable.

Destination System: System name or type that receives connection requests.

Destination Port: This is the default layer-4 port number to which the connection request is sent. Valid values
include: 0 – 65535. A “(C)” next to the port number means that the port number is configurable.

Network/Application Protocol: This is the name associated with the layer-4 protocol and layers-5-7 application.

Optionally Enabled / Disabled: This field indicates whether customers can enable or disable a layer-4 port
changing its default port setting. Valid values include: Yes or No
“No” means the default port state cannot be changed (e.g. enable or disabled).
“Yes” means the default port state can be changed and that the port can either be enabled or disabled.

Default Port Listen State: A listen port is either open, closed or filtered.
Open listen ports will respond to queries
Closed listen ports may or may not respond to queries and are only listed when they can be optionally
enabled.
Filtered listen ports can be open or closed. Filtered UDP ports will not respond to queries. Filtered TCP
will respond to queries, but will not allow connectivity.

Description: Connection details. Some descriptions have a reference to the Notes section after each table for
specifics on any of the row data.

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 5
1.3 Port Tables
Below are the tables which document the port usage for this product. Note that a large number of IP ports used by CM's Processor Ethernet interface
have the same IP port numbers as those used on CLAN circuit packs in port networks. In many ways, the CLAN circuit packs act as remote network
interface cards for the processor controlling them. Therefore, the following CM port matrix table includes CLAN ports. The affected ports are noted.

In a theoretical sense, all IP ports on CM are optionally enabled/disabled, with default port state closed. That's because by default CM's processor
Ethernet is disabled. For practical purposes, almost all systems will have the processor Ethernet port enabled. The enable/disable column in the
following table assumes it's enabled. Processor Ethernet can be confirmed enabled or disabled using the SAT interface --> Type display system-
parameters customer-options --> under page 4 see Processor Ethernet.

Table 1. Listen Ports for Communication Manager

Source Destination
Network / Optionally Default
System Port System Port
Application Enabled / Port Description
(Non- (Configurable
Protocol Disabled? State
Configura Range)
ble Range)
NA CM NA ICMP messages: ping, etc. IP Protocol
any ICMP yes open
(NA) (NA) Number 1.
1024 – CM TCP / SSH, OS administration interface over Secure
Admin Device 22 yes open
65535 SCP, SFTP Shell (SSH). Note 1, Note23
1024 – CM OS administration interfaces over
Admin Device 23 TCP / Telnet yes closed
65535 Telnet. Note 23
1024 – CM Avaya web administration interface.
Admin Device 80 TCP / HTTP no open
65535 Note 2, Note 23.
1024 – CM Network Time Protocol (NTP)
IPSI 123 UDP / NTP Yes closed
65535
1024 – CM Network Time Protocol (NTP)
CM / SCS / SRS 123 UDP / NTP Yes closed
65535
SNMP 1024 – CM UDP / closed SNMP (server)
161 Yes
NMS 65535 SNMP Agent Note 5, Note 23
SNMP 1024 – CLAN UDP / closed SNMP (server)
161 Yes
NMS 65535 SNMP Agent Note 23

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 6
 Source Destination
Network / Optionally Default
System Port System Port
Application Enabled / Port Description
(Non- (Configurable
Protocol Disabled? State
Configura Range)
ble Range)
Gateway/ CM / 1024 – CM UDP/ SNMP SNMP traps (server) collection
162 Yes closed
SCS / SRS / UPS 65535 Trap Note 6, Note 23
CM HTTPS IP Phone configuration file
1024 – TCP /
IP Phone CLAN 411 No open download
2048 HTTPS
Note 3
Admin Device / 1024 – CM TCP / Avaya web administration interface
443 No open
SCS / SRS 65535 HTTPS (HTTPS) Note 23
CM UDP/ TN Board Logging & Server Log Files
CLAN, IPSI, 1024-
514 SYSLOG Yes closed
TN2602AP 65535
TCP/SYSLOG
SRS Legacy (CM1.3) Filesync Service
CM 1.3 or older 512 – 1023 514 TCP / RSH yes closed
Note 7
CM or TCP / Proprietary encrypted H.248 over TCP.
H.248 Media 1024 –
CLAN 1039 Encrypted yes open Note 8
Gateways 65535
H.248
H.323 Phone 1024-5000 CM 1300 TCP / H.323 yes closed TLS encrypted H.323 signaling
CM UDP / DES Arbiter.
1024 –
CM 1332 Encrypted Note 9 Note 9 Note 9
65535
Proprietary
CM or Registration, Admission, and Status
H.323 Phone 49300 CLAN 1719 UDP / H.225 Yes closed (RAS) for phones. Note 8

CM 1024- CM or H.323 RAS for trunks

1719 TCP/H.323 Yes closed
CLAN 65535 CLAN Note 22
1500 – CM or H.323 signaling
H.323 Phone 1720 TCP / H.323 Yes closed
6500 CLAN Note 8, Note 10.
CM / SCS / H.323 IP trunk Signaling Ports admin
CM 1719, 1720,
5000-5021 SRS or TCP / H.323 Yes closed via SAT
CLAN 5000-9999
CLAN
CM / SCS / H.323 IP trunk Signaling Ports admin
Third Party GK or 1024-
SRS or 1720 TCP / H.323 Yes closed via SAT
GW 65535
CLAN

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 7
 Source Destination
Network / Optionally Default
System Port System Port
Application Enabled / Port Description
(Non- (Configurable
Protocol Disabled? State
Configura Range)
ble Range)
1024 – CM High Priority SSH
Admin Device 2222 TCP / SSH Yes open
65535 Note 12, Note 23
1024 – CM TLS encrypted exchange between
CM Array Mgmt 2376 TCP /TLS Yes closed
65535 Docker daemons. (See note 24)
1024 – CM or TLS encrypted H.248
H.248 GW 2944 TCP / H.248 Yes closed
65535 CLAN Note 8, Note 13
1024 – CM or Unencrypted H.248
H.248 GW 65535 CLAN 2945 TCP / H.248 Yes open Note 8, Note 13

1024 – CM SAT interface over SSH

Admin Device 65535 5022 TCP / SSH yes open Note 14, Note 23

1024 – CM SAT interface over Telnet

Admin Device 65535 5023 TCP / Telnet yes closed Note 15, Note 23

1024 – CM or SIP
5060
SIP Trunks 65535 CLAN TCP / SIP yes closed Note 8, Note 16, Note 22
(5000-9999)
1024 – CM or SIPS
5061 TCP / TLS /
SIP Trunks 65535 CLAN yes closed Note 8, Note 17, Note 22
(5000-9999) SIPS
1024 – CM TCP / TLS Dupmgr
CM 65535 5098 (optionally no Open (SW duplication) – Server 1
encrypted) Note 22
1024 – CM Server Log Files
CM 65535 6514 TLS/SYSLOG yes closed

1024 – CM TCP / ASAI AEServices

AEServices 65535 8765 (Q.931 yes closed Note 20
ASN.1)
1024 – CM DGB (debugging tool)
TCP /
CM 65535 9000 No Open
Proprietary

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 8
 Source Destination
Network / Optionally Default
System Port System Port
Application Enabled / Port Description
(Non- (Configurable
Protocol Disabled? State
Configura Range)
ble Range)
1024 – CM SIP
9061 TCP/TLS/
AMS 65535 Yes closed Note 22
(5000-9999) SIPS
1024 – CM Exchange between Kafka (container)
CM Array Mgmt 9988 TCP Yes closed
65535 client and a Kafka Broker. (See note 24)
1024 – CM Dupmgr (SW duplication) – Server 2
CM 65535 12080 TCP / TLS no Closed Note 10. Proprietary. Optionally
encrypted.
20873 - CM /SCS/ Internal Filesync communication
CM / SCS / SRS 21872 SRS 20873 - 21872 TCP / TLS no open Note 21

1024 – CM – SRS Filesync over SSL

CM / SCS / SRS 65535 21873 TCP / TLS no open Note 18

1024 – CM Filesync over SSL

CM / SCS / SRS 65535 21874 TCP / TLS No open Note 19

1024 – CM or H.245
G650 65535 CLAN 59000 – 59200 TCP / H.245 No open

NOTES:
1. The Secure Shell (SSH), Secure Copy Protocol (SCP), and Secure File Transfer Protocol (SFTP) services can be Disabled and/or blocked by authenticating to the
media server web administration interface --> Server (Maintenance) --> Security --> Server Access --> Change Service Name SSH Server (SCP/SFTP 22) and set
Service State to Disabled
2. An Avaya Welcome and Access Warning banner is displayed via this port. Once the user selects “Continue” this port automatically redirects to HTTPS
(443/tcp).
3. This note for IP phone download was removed, since it has been in disuse for many years.
4. The Network Time Protocol (NTP) server service is enabled if NTP is configured during installation or administration via the media server web administration
interface --> Server (Maintenance) --> Server Configuration --> Configure Server --> Continue --> Continue --> Select Configure individual services --> Continue -
-> Select Configure Time Server --> Select this computer synchronizes with the duplicated server. This option is utilized to synchronize time between the main
media server, duplicated media server, Survivable Remote Servers (SRS, formerly called LSP), and Survivable Core Servers (SCS, formerly called ESS).

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 9
5. By default the Simple Network Management (SNMP) Agent service is disabled. The SNMP Agent service can be enabled and configured via authenticating to
the media server web administration interface --> Server (Maintenance) --> SNMP -> Access -> add/change. . If SNMP is enabled, it is recommended that
SNMP access be restricted to administered IP addresses and that SNMPv3 be utilized for enhanced security.
6. By default the SNMP Trap server service is blocked. The SNMP Trap server services can be unblocked, via the media server host firewall, by authenticating to
the media server web administration interface --> Server (Maintenance) --> SNMP -> Incoming Traps -> Add/Change.
7. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server
running CM 1.3 or older.
8. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the
processor cabinet, in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface --> Type display system-
parameters customer-options --> under page 4 see Processor Ethernet.
9. The Arbiter service is only enabled on duplicated servers. The Arbiter process 1.) Decides which server is healthier and more able to be active and 2.)
Coordinates data shadowing between servers, under the Duplication Manager’s control.
10. Duplicated Port 5098 is for Server 1 and Port 12080 is for Server 2.
11. CM as the destination is only when Processor Ethernet is enabled. The Processor Ethernet limits H.323 signaling connection requests to a processor-
dependent rate on the order of 5-10 per second.
12. In CM3.1 or later, the High Priority SSH service can be Disabled and/or blocked, via the media server host firewall, by authenticating to the media server web
administration interface --> Server (Maintenance) --> Security --> Server Access --> Change Service Name High Priority SSH (2222) and set Service State to
Disabled Prior to CM3.1, the High Priority SSH service could be blocked, via the media server host firewall, by authenticating to the media server web
administration interface --> Launch Maintenance Web Interface --> Security --> Firewall -> Uncheck Input to Server for Server hp-sshd.
13. The H.248 service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests to 50 with a burst limit of 100.
14. In CM3.1 or later, the Station Administration Terminal (SAT) SSH service can be Disabled and/or blocked, via the media server host firewall, by authenticating
to the media server web administration interface --> Server (Maintenance) --> Security --> Server Access --> Change Service Name SAT (SSH 5022) and set
Service State to Disabled
15. In CM3.1 or later, the Station Administration Terminal (SAT) Telnet service can be Disabled and/or blocked, via the media server host firewall, by authenticating
to the media server web administration interface --> Server (Maintenance) --> Security --> Server Access --> Change Service Name SAT (Telnet 5023) and set
Service State to Disabled
16. The SIP service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests 50 with a burst limit of 100. The configurable
range excludes well-known ports used by other services; e.g. wrongly attempting to use 5060 for TLS.
17. The SIPS service is only enabled on media servers with Processor Ethernet enabled. It limits connection requests 50 with a burst limit of 100. The configurable
range excludes well-known ports used by other services; e.g. wrongly attempting to use 5060 for TLS.
18. If the main CM server is CM2.x and the survivable CM servers are CM 7.0, filesync (over SSL) utilizes port 21873/tcp to transfer translation, unicode, license,
and password files to the standby server(s).
19. In CM3.x and later, filesync over SSL utilizes port 21874/tcp to transfer translation, unicode, license, and password files to the standby server(s).

20. Optionally encrypted in CM 4.1 and later. See AE Services Administration and Maintenance Guide, Release 4.1 (02-300357 Issue 8 December 2007).
21. Ports used for internal filesync communication; defaults to 20873 – 20877. Number of ports used (up to 1000) is a function of the FileSyncMaxClient variable in
/etc/opt/ecs/ecs.conf.
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 10
 22. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from
using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.
23. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the
Ethernet interface that is to be used for in-band (voice) communication. http: 80 and 443, ssh 22, 2222, and 5022, telnet: 23 and 5023, SNMP 161 and 162.
24. The CM Array feature (clustering among cloud-based servers) uses TCP port 2376 to communicate between Docker daemons. The CM proxy uses TCP port
9988 to communicate with the Kafka client process (which runs as a Docker container). This feature is not activated, unless CM Array is configured.

Table 2. Talk-only Ports for Communication Manager

If a port is both listen and talk, it's covered by table 1 rather than by table 2

Source Destination
Network / Optionally
System Port System Port
Application Enabled / Description
(Non- (Configurable
Configurable Range) Protocol Disabled?
Range)
NA any NA ICMP messages: ping, etc. IP
CM ICMP NA
(NA) (NA) Protocol Number 1.
CM or CLAN 1024 - 65535 DNS Server 53 UDP / DNS No DNS Requests and Responses
Network
Network Time Protocol (client)
CM 1024 – 65535 Time Server 123 UDP / NTP yes
Note 1
(NTS)
IPSI Network Time Protocol (client)
CM 1024 – 65535 123 UDP / NTP yes
Note 7
SNMP NMS SNMP traps (client) for alarms or
162 UDP / SNMP
CM 1024 – 65535 yes notable events
(0-65535) Trap
Note 2, Note 11
SNMP NMS SNMP traps (client) for alarms or
UDP / SNMP
CLAN 1024 – 65535 162 yes notable events
Trap
Note 11
Rsyslog 514
CM 1024-65535 UDP/ Syslog yes Remote system log storage
server.

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 11
 Source Destination
Network / Optionally
System Port System Port
Application Enabled / Description
(Non- (Configurable
Configurable Range) Protocol Disabled?
Range)
CM 1.3 or
SRS 514 Note 7 TCP / RSH yes Legacy Filesync Service Note 7.
older
CM (via H.323 TTS
Note 8 1720 TCP / H.323 yes
CLAN/PE) Phone Note 8
CM RADIUS RADIUS UDP/ RADIUS based login processing
1024 – 65535 1812, 1813 no
Client Server RADIUS Note 9
IPSI TCP /
CM 1024 - 65535 1956 no IPSI Command Server Service
Proprietary
IPSI TCP /
CM 1024 - 65535 5010 no IPSI / Server control channel
Proprietary
IPSI TCP /
CM 1024 - 65535 5011 No IPSI / Server IPSI version channel
Proprietary
IPSI TCP /
CM 1024 - 65535 5012 no IPSI / Server serial number channel
Proprietary
CM SafeWord SafeWord TCP/ SafeWord based login processing.
1024 – 65535 5030 yes
Client Server SafeWord Note 9
SIP Trunks 5060 SIP
CM 1024 – 65535 TCP / SIP yes
(1 to 65535) Note 4, Note 5, Note 10
SIP Trunks 5061 TCP / TLS / SIP
CM 1024 – 65535 yes
(1 to 65535) SIPS Note 4, Note 6, Note 10
CM SecurID SecurID UDP / SecurID based login processing.
1024 – 65535 5500 yes
Client Server SecurID Note 9
Audix / LX / TCP /
CM or CLAN 5500 1024 - 65535 no Audix Digital Networking
MM / MN Proprietary
AMS 9061 TCP/TLS/SIP SIP
CM 1024 – 65535 yes
(1 to 65535) S Note 10

NOTES:
1. The Network Time Protocol (NTP) client service is enabled if NTP is configured during installation or administered via the CM web administration interface -->
Server (Maintenance) --> Server Configuration -> NTP Configuration -> NTP Mode (Enabled, Disabled) The IP address or Domain Name Server (DNS) Name for
a Primary, Secondary, or Tertiary Network Time Server (NTS) can be provided. Furthermore, the NTP the media server can be configured to support multicast
timing messages or direct poll requests to the Network Time Server (NTS). Finally, keys can optionally be provided for secure communications with the NTS.
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 12
 2. By default SNMP Trap client service is disabled. The SNMP Trap client service can be enabled and configured via authenticating to the media server web
interface --> Server (Maintenance) --> SNMP -> FP Traps -> Add/Change. .
3. By default the Legacy Filesync service is disabled. This port is only enabled if a CM 7.0 SRS is configured to synchronize translations with a CM main server
running CM 1.3 or older. The destination port range is 512 - 1023 but it's not configurable.
4. By default only the S8300D and S8300E servers have the Processor Ethernet enabled. Processor Ethernet enables use of the Ethernet card resident in the
processor cabinet, in place of a C-LAN card. Processor Ethernet can be confirmed enabled or disabled using the SAT interface --> Type display system-
parameters customer-options --> under page 4 see Processor Ethernet.
5. The SIP service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests 50 with a burst limit of 100. The configurable
range excludes well-known ports used by other services; e.g. wrongly attempting to use 5060 for TLS.
6. The SIPS service is only enabled on CM servers with Processor Ethernet enabled. It limits connection requests 50 with a burst limit of 100. The configurable
range excludes well-known ports used by other services; e.g. wrongly attempting to use 5060 for TLS.
7. CM sends the NTP data to IPSI using an ephemeral port specified in the IPSI request.
8. Source port is configurable using the “change ip-network-region” SAT command (page 2). The default is 61440 – 61444.
9. Disabled by default. Requires root access to enable.
10. TLS enabled AMS SIP signaling groups on CM are blocked from using 1719, 1720, 5060 or 5061. TLS enabled non-AMS SIP signaling groups are blocked from
using 1720 or 9061. TLS enabled H.323 signaling groups are blocked from using 5061 or 9061.
11. If an Ethernet interface has been dedicated for use by out-of-band management, firewall rules should be used to block the following management ports on the
Ethernet interface that is to be used for in-band (voice) communication. http: 80 and 443, ssh 22, 2222, and 5022, telnet: 23 and 5023, SNMP 161 and 162.

1.4 Port Table Changes

There are no port changes from the R7.0.1 release.

1.5 Port Table Changes on CMM

The CMM port usage information similar to the following has been removed from Table 1 because this CM Port Matrix document no longer covers CMM.
A separate Avaya Port Matrix document for CMM will instead contain updated information about CMM's IP port usage.

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 13
2. Port Usage Diagram
HTTPS-TCP:443
HTTP-TCP:80 NTP-UDP:123
Syslog-UDP:514
Array Docker-TCP:2376
SSH-TCP:22
SSH-TCP:2222
SSH-TCP:5022 Arbiter-UDP:1332
Other CM
Dupmgr-TCP:5098, Servers
12080
Network DGB-TCP: 9000
Filesync-TCP: 20873-
Admin SNMP-UDP:161 21874
SNMP-UDP:162

H.323-UDP:1719
For registration

Telnet-TCP:23
Telnet-TCP:5023 H.248-TCP:1039
Avaya H.248-TCP:2944 Media
H.248-TCP:2945
Aura® H:245-TCP:59000- Gateways
Commun 59200

ication
Manager
SIP-TCP default:
5060 ICMP
SIP-TCP default: NTP-UDP:123
5061 Syslog-UDP:514
SIP-TCP default: Syslog-TLS:6514 Other, or
9061 Array KafkaTCP:9988 Any
Phone or
ASAI-TCP:
trunk or 8765
HTTP-TCP:81
SIP media HTTPS-TCP:411
server
HTTP/HTTPS
H.323-TCP:1300
SIP(S)/H.323
SSH
SNMP
H.323-TCP: default Proprietary
1719
ICMP, Other
H.323-UDP:1719
H.323-TCP:1720

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 14
 Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic
arriving at a particular IP device to the correct upper layer application. These ports are logical descriptors
(numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC.
Multiple applications may be simultaneously receiving information. In this example, email may use
destination TCP port 25, a browser may use destination TCP port 80 and a telnet session may use
destination TCP port 23. These logical ports allow the PC to de-multiplex a single incoming serial data
packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to
the correct high-level application because the port numbers identify which application each data mini-
stream belongs. Every IP device has incoming (Ingress) and outgoing (Egress) data streams.

Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP
and UDP streams have an IP address and port number for both source and destination IP devices. The
pairing of an IP address and a port number is called a socket (discussed later). Therefore, each data
stream is uniquely identified with two sockets. Source and destination sockets must be known by the
source before a data stream can be sent to the destination. Some destination ports are “open” to receive
data streams and are called “listening” ports. Listening ports actively wait for a source (client) to make
contact to a destination (server) using a specific port that has a known protocol associate with that port
number. HTTPS, as an example, is assigned port number 443. When a destination IP device is
contacted by a source device using port 443, the destination uses the HTTPS protocol for that data
stream conversation.

Port Type Ranges

Port numbers are divided into three ranges: Well-Known Ports, Registered Ports, and Dynamic Ports
(sometimes called Private Ports).

Well-Known Ports are those numbered from 0 through 1023.

Registered Ports are those numbered from 1024 through 49151

Dynamic Ports are those numbered from 49152 through 65535

The Well-Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and
are found here: http://www.iana.org/assignments/port-numbers.

Well-Known Ports
For the purpose of providing services to unknown clients, a service listen port is defined. This port is
used by the server process as its listen port. Common services often use listen ports in the well-known
port range. A well-known port is normally active meaning that it is “listening” for any traffic destined for a
specific application. For example, well-known port 23 on a server is actively waiting for a data source to
contact the server IP address using this port number to establish a Telnet session. Well-known port 25 is
waiting for an email session, etc. These ports are tied to a well understood application and range from 0
to 1023.

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 15
 In UNIX and Linux operating systems, only root may open or close a well-known port. Well-Known Ports
are also commonly referred to as “privileged ports”.

Registered Ports
Unlike well-known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports
in this range for call control. Some, but not all, ports used by Avaya in this range include: 1719/1720 for H.323, 5060/5061 for SIP, 2944 for
H.248 and others. The registered port range is 1024 – 49151. Even though a port is registered with an application name, industry often uses
these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different
meanings.
Dynamic Ports
Dynamic ports, sometimes called “private ports”, are available to use for any general purpose. This means there are no meanings associated
with these ports (similar to RFC 1918 IP Address Usage). These are the safest ports to use because no application types are linked to these
ports. The dynamic port range is 49152 – 65535.
Sockets
A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number
associated with the IP address. A data flow, or conversation, requires two sockets – one at the source device and one at the destination
device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is
unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address.
Data Flow 1: 172.16.16.14:1234 - 10.1.2.3:2345
Data Flow 2: 172.16.16.14.1235 - 10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234 - 10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair.
Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the
first socket differs, the data flow is unique.
Therefore, if one IP address octet changes, or one port number changes, the data flow is unique.

Socket Example Diagram

Client HTTP-Get Source 192.168.1.10:1369 Destination 10.10.10.47:80 Web Server

TCP-info Destination 192.168.1.10:1369 Source 10.10.10.47:80

Figure 1. Socket example showing ingress and egress data flows from a PC to a web server

Notice the client egress stream includes the client’s source IP and socket (1369) and the destination IP
and socket (80). The ingress stream has the source and destination information reversed because the
ingress is coming from the server.

Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 16
Understanding Firewall Types and Policy Creation

Firewall Types
There are three basic firewall types:

• Packet Filtering
• Application Level Gateways (Proxy Servers)
• Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of the firewalls. Each packet that arrives or leaves the network has
its header fields examined against criterion to either drop the packet or let it through. Routers configured
with Access Control Lists (ACL) use packet filtering. An example of packet filtering is preventing any
source device on the Engineering subnet to telnet into any device in the Accounting subnet.

Application level gateways (ALG) act as a proxy, preventing a direct connection between the foreign
device and the internal destination device. ALGs filter each individual packet rather than blindly copying
bytes. ALGs can also send alerts via email, alarms or other methods and keep log files to track
significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and
making sure they are valid. In addition to looking at headers, the content of the packet, up through the
application layer, is examined. A stateful inspection firewall also monitors the state of the connection and
compiles the information in a state table. Stateful inspection firewalls close off ports until the connection
to the specific port is requested. This is an enhancement to security against port scanning 2.

Firewall Policies
The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict
access using IP addresses, port numbers and application types and sub-types.

This paper is focused with identifying the port numbers used by Avaya products so effective firewall
policies can be created without disrupting business communications or opening unnecessary access into
the network.

Knowing that the source column in the following matrices is the socket initiator is key in building some
types of firewall policies. Some firewalls can be configured to automatically create a return path through
the firewall if the initiating source is allowed through. This option removes the need to enter two firewall
rules, one for each stream direction, but can also raise security concerns.

Another feature of some firewalls is to create an umbrella policy that allows access for many independent
data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by
placing endpoints and the servers that serve those endpoints in the same firewall zone.

2
The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a
computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but
port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
Avaya – Proprietary
Use pursuant to the terms of your signed agreement or Avaya policy.

May 2019 Avaya Port Matrix: Avaya Aura® Communication Manager 8.1 17