Opening firewall ports for Security Center communication - Security Center 5.8 - 5.12

Product
Security Center
Content type
Version
5.12
5.11
5.10
5.9
5.8
Language
English
Last updated
2023-09-18

Opening Firewall Ports for Security Center Communication

When Security Center is deployed in a network environment with firewalls, you must open the network ports required for proper communication between the Security Center components.

This topic uses deployment scenarios to provide a list of incoming and outgoing network ports that are required by specific Security Center features or functionality, including:

  • Access control
  • Federation™
  • Video

Each Security Center deployment has common network configuration requirements that must be met for proper functioning of the system. This topic does not include these common ports, but builds on top of them. For more information on the Security Center port requirements, refer to Default ports used by Security Center.

Required ports must be opened in each firewall that governs communication between system components such as video units, access control units, other Security Center deployments, and so on.

One Access Manager with one or more Synergis Cloud Link units

For Security Center to work properly with Synergis™ Cloud Link units, you must open firewall ports to allow proper communication between the components.

Scenario

In this access control scenario, a Security Center server running the Access Manager role is connected to one or more Synergis Cloud Link units, each on a different network segment. To filter all traffic on the network, or if there are firewall rules between each network segment, specific inbound and outbound ports must be defined.

The following table lists the default network ports that must be opened for the Access Manager:

Port usage Inbound port Outbound port Protocol Executable file
Synergis extension - discovery   UDP 2000 Genetec Inc. proprietary protocol GenetecAccessManager.exe
Secure communication with Synergis units   TCP 443 HTTPS

TLS 1.2

GenetecAccessManager.exe

The following table lists the default network ports that are opened on Synergis units:

Port usage Inbound port Outbound port Protocol
Secure communication with the Access Manager TCP 443   HTTPS

TLS 1.2

Discovery UDP 2000   Genetec Inc. proprietary protocol
Peer-to-peer1 TCP 443 TCP 443 HTTPS

TLS 1.2

1 In the context of peer-to-peer, Synergis Cloud Link appliances require both inbound and outbound TCP 443 because each appliance can act as the client or as the server.

Central Security Center federating one or more remote sites to share video

For a Security Center Federation™ host to properly connect to one or more federated systems to share video, you must open firewall ports to allow proper communication between the sites.

Scenario

In this scenario, a central Security Center server is set up as the Federation™ host to monitor one or more Security Center systems at remote sites. Each system is running the Directory, Media Router, Archiver, Access Manager, and Map Manager roles.

The following table lists the default inbound and outbound ports must be opened for the Federation™ host:

Port usage Inbound port Outbound port Protocol Executable file
Security Center Federation
Federation client connections   TCP 5500 TLS 1.2 GenetecSecurityCenter Federation.exe
Media Router
Live and playback stream requests, and announce requests TCP 554   RTSP over TLS when secure communication enabled GenetecMediaRouter.exe
Federated Media Router stream requests   TCP 554 RTSP over TLS when secure communication is enabled GenetecMediaRouter.exe
Archiver
Live and playback stream requests TCP 555   RTSP over TLS when secure communication is enabled GenetecArchiverAgent32.exe
Edge playback stream requests TCP 605   RTSP GenetecVideoUnit Control32.exe
Redirector
Communication with Media Router (Security Center Federation)   TCP 554 RTSP over TLS when secure communication is enabled GenetecRedirector.exe
Live and playback stream requests TCP 560   RTSP over TLS when secure communication enabled GenetecRedirector.exe
Stream requests to other redirectors   TCP 560 RTSP over TLS when secure communication enabled GenetecRedirector.exe
Media transmission to client applications TCP 960 TCP 960 SRTP when using encryption in transit from Archiver or in transit and at rest GenetecRedirector.exe
Media transmission to other redirectors   UDP 8000 – 12000 SRTP when using encryption in transit from Archiver or in transit and at rest GenetecRedirector.exe
Live video and audio multicast streaming UDP 47806, 47807   SRTP when using encryption in transit from Archiver or in transit and at rest GenetecRedirector.exe

The following table lists the default inbound and outbound ports that must be opened at the remote site:

Port usage Inbound port Outbound port Protocol Executable file
Security Center Federation
Federation host connections TCP 5500   TLS 1.2 GenetecServer.exe
Media Router
Federated Media Router stream requests TCP 554   RTSP over TLS when secure communication is enabled GenetecMediaRouter.exe
Archiver
Edge playback stream requests TCP 605   RTSP GenetecVideoUnit Control32.exe
Live video and audio multicast streaming   UDP 47806, 47807 SRTP when using encryption in transit from Archiver or in transit and at rest GenetecArchiverAgent32.exe

GenetecVideoUnit Control32.exe

Redirector
Communication with Media Router (Security Center Federation) TCP 554   RTSP over TLS when secure communication enabled GenetecRedirector.exe
Communication with Archiver   TCP 555 RTSP over TLS when secure communication enabled GenetecRedirector.exe
Stream requests to other redirectors   TCP 560 RTSP over TLS when secure communication enabled GenetecRedirector.exe
Media transmission to client applications   UDP 6000-6500

TCP 9603

SRTP when using encryption in transit from Archiver or in transit and at rest GenetecRedirector.exe
Media transmission to other redirectors   UDP 8000 – 12000 SRTP when using encryption in transit from Archiver or in transit and at rest GenetecRedirector.exe

Archiver role connecting to cameras behind a firewall

For the Security Center Archiver role to properly connect to one or more cameras behind a firewall, you must open firewall ports to allow proper communication with the devices.

Scenario

In this video surveillance scenario, the Archiver role must connect to one or more cameras behind a firewall. Cameras might be on different networks, or a single network where the firewall controls every connection.

The following table lists the default network ports that must be opened for the Archiver:

Port usage Inbound port Outbound port Protocol Executable file
Live unicast streaming from IP cameras UDP 15000 – 199991   SRTP when using encryption in transit from Archiver or in transit and at rest GenetecVideoUnit Control32.exe
Live video and audio multicast streaming UDP 47806, 47807 UDP 47806, 47807 SRTP when using encryption in transit from Archiver or in transit and at rest GenetecArchiverAgent32.exe

GenetecVideoUnit Control32.exe

Vendor-specific ports for cameras TCP & UDP TCP

Common ports include:

  • TCP 80
  • TCP 443
  • TCP 554
  • TCP 322
  • TCP 80: HTTP
  • TCP 443: HTTPS
  • TCP 554: RTSP
  • TCP 322: RTSP over TLS when secure communication enabled
GenetecVideoUnit Control32.exe

The following table lists the default network ports that must be opened for the camera:

Port usage Inbound port Outbound port Protocol
Live unicast streaming from IP cameras   UDP 15000 – 199991 SRTP when using encryption in transit from Archiver or in transit and at rest
Live video and audio multicast streaming UDP 47806, 47807 UDP 47806, 47807 SRTP when using encryption in transit from Archiver or in transit and at rest
Vendor-specific ports for cameras TCP

Common ports include:

  • TCP 80
  • TCP 443
  • TCP 554
  • TCP 322
TCP & UDP
  • TCP 80: HTTP
  • TCP 443: HTTPS
  • TCP 554: RTSP
  • TCP 322: RTSP over TLS when secure communication enabled
1 You can have multiple Archiver agents on the same server. Each ArchiverAgent assigns a unique UDP port to each video unit it controls. To ensure that the UDP port assignment on a server is unique, each additional ArchiverAgent on the same server adds 5000 to its starting UDP port number. For example, the first ArchiverAgent uses ports 15000 - 19999, the second one uses ports 20000 - 24999, the third one uses ports 25000 - 29999, and so on.
NOTE: You can manually assign live streaming reception UDP ports from the Resource tab of the Archiver role.