Opening Firewall Ports for Security Center Communication
When Security Center is deployed in a network environment with firewalls, you must open the network ports required for proper communication between the Security Center components.
This topic uses deployment scenarios to provide a list of incoming and outgoing network ports that are required by specific Security Center features or functionality, including:
- Access control
- Federation™
- Video
Each Security Center deployment has common network configuration requirements that must be met for proper functioning of the system. This topic does not include these common ports, but builds on top of them. For more information on the Security Center port requirements, refer to Default ports used by Security Center.
Required ports must be opened in each firewall that governs communication between system components such as video units, access control units, other Security Center deployments, and so on.
One Access Manager with one or more Synergis Cloud Link units
For Security Center to work properly with Synergis™ Cloud Link units, you must open firewall ports to allow proper communication between the components.
Scenario
In this access control scenario, a Security Center server running the Access Manager role is connected to one or more Synergis Cloud Link units, each on a different network segment. To filter all traffic on the network, or if there are firewall rules between each network segment, specific inbound and outbound ports must be defined.
The following table lists the default network ports that must be opened for the Access Manager:
Port usage | Inbound port | Outbound port | Protocol | Executable file |
---|---|---|---|---|
Synergis extension - discovery | UDP 2000 | Genetec Inc. proprietary protocol | GenetecAccessManager.exe | |
Secure communication with Synergis units | TCP 443 | HTTPS TLS 1.2 | GenetecAccessManager.exe | |
The following table lists the default network ports that are opened on Synergis units:
Port usage | Inbound port | Outbound port | Protocol |
---|---|---|---|
Secure communication with the Access Manager | TCP 443 | HTTPS TLS 1.2 | |
Discovery | UDP 2000 | Genetec Inc. proprietary protocol | |
Peer-to-peer¹ | TCP 443 | TCP 443 | HTTPS TLS 1.2 |
¹ In the context of peer-to-peer, Synergis Cloud Link appliances require both inbound and outbound TCP 443 because each appliance can act as the client or as the server.
Central Security Center federating one or more remote sites to share video
For a Security Center Federation™ host to properly connect to one or more federated systems to share video, you must open firewall ports to allow proper communication between the sites.
Scenario
In this scenario, a central Security Center server is set up as the Federation™ host to monitor one or more Security Center systems at remote sites. Each system is running the Directory, Media Router, Archiver, Access Manager, and Map Manager roles.
The following table lists the default inbound and outbound ports that must be opened for the Federation™ host:
Port usage | Inbound port | Outbound port | Protocol | Executable file |
---|---|---|---|---|
Security Center Federation | ||||
Federation client connections | TCP 5500 | TLS 1.2 | GenetecSecurityCenterFederation.exe | |
Media Router | ||||
Live and playback stream requests, and announce requests | TCP 554 | RTSP over TLS when secure communication is enabled | GenetecMediaRouter.exe | |
Federated Media Router stream requests | TCP 554 | RTSP over TLS when secure communication is enabled | GenetecMediaRouter.exe | |
Archiver | ||||
Live and playback stream requests | TCP 555 | RTSP over TLS when secure communication is enabled | GenetecArchiverAgent32.exe | |
Edge playback stream requests | TCP 605 | RTSP | GenetecVideoUnitControl32.exe | |
Redirector | ||||
Communication with Media Router (Security Center Federation) | TCP 554 | RTSP over TLS when secure communication is enabled | GenetecRedirector.exe | |
Live and playback stream requests | TCP 560 | RTSP over TLS when secure communication is enabled | GenetecRedirector.exe | |
Stream requests to other redirectors | TCP 560 | RTSP over TLS when secure communication is enabled | GenetecRedirector.exe | |
Media transmission to client applications | TCP 960 | TCP 960 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecRedirector.exe |
Media transmission to other redirectors | UDP 8000 – 12000 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecRedirector.exe | |
Live video and audio multicast streaming | UDP 47806, 47807 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecRedirector.exe |
The following table lists the default inbound and outbound ports that must be opened at the remote site:
Port usage | Inbound port | Outbound port | Protocol | Executable file |
---|---|---|---|---|
Security Center Federation | ||||
Federation host connections | TCP 5500 | TLS 1.2 | GenetecServer.exe | |
Media Router | ||||
Federated Media Router stream requests | TCP 554 | RTSP over TLS when secure communication is enabled | GenetecMediaRouter.exe | |
Archiver | ||||
Edge playback stream requests | TCP 605 | RTSP | GenetecVideoUnitControl32.exe | |
Live video and audio multicast streaming | UDP 47806, 47807 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecArchiverAgent32.exe, GenetecVideoUnitControl32.exe | |
Redirector | ||||
Communication with Media Router (Security Center Federation) | TCP 554 | RTSP over TLS when secure communication is enabled | GenetecRedirector.exe | |
Communication with Archiver | TCP 555 | RTSP over TLS when secure communication is enabled | GenetecRedirector.exe | |
Stream requests to other redirectors | TCP 560 | RTSP over TLS when secure communication is enabled | GenetecRedirector.exe | |
Media transmission to client applications | UDP 6000-6500, TCP 960³ | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecRedirector.exe | |
Media transmission to other redirectors | UDP 8000 – 12000 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecRedirector.exe |
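
A reachability check for the TCP ports listed in the two Federation tables above, added here as an example (it is not part of the Genetec documentation or product). Run it from the side that initiates the connection; the target host given on the command line is an assumption of the example, and the UDP ranges are deliberately not probed.

```python
import socket

# TCP ports taken from the Federation tables on this page. UDP ranges are not
# probed: UDP has no handshake, so silence looks the same whether open or dropped.
FEDERATION_TCP_PORTS = {
    5500: "Federation connections (TLS 1.2)",
    554: "Media Router / Redirector stream requests (RTSP)",
    555: "Archiver stream requests (RTSP)",
    560: "Redirector stream requests (RTSP)",
    605: "Edge playback stream requests (RTSP)",
    960: "Media transmission to client applications",
}


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as seen from the machine running this script.

    open     - handshake completed: the path is allowed and a service listens
    refused  - reset received: nothing listens, or a firewall actively rejects
    filtered - no answer before the timeout: typically dropped by a firewall
    error    - name resolution or routing failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def check_site(host, ports=FEDERATION_TCP_PORTS, timeout=3.0):
    """Probe every port in `ports` and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def blocked(results):
    """Ports that a firewall change would most likely fix (state 'filtered')."""
    return sorted(p for p, state in results.items() if state == "filtered")


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # remote-site address supplied by the operator (assumption)
    for port, state in check_site(host).items():
        print(f"TCP {port:<5} {state:<9} {FEDERATION_TCP_PORTS[port]}")
```

A port reported as `refused` usually means the firewall path is open but the role that owns the port is not running on the target, which is a different fix from a `filtered` port.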
Archiver role connecting to cameras behind a firewall
For the Security Center Archiver role to properly connect to one or more cameras behind a firewall, you must open firewall ports to allow proper communication with the devices.
Scenario
In this video surveillance scenario, the Archiver role must connect to one or more cameras behind a firewall. Cameras might be on different networks, or a single network where the firewall controls every connection.
The following table lists the default network ports that must be opened for the Archiver:
Port usage | Inbound port | Outbound port | Protocol | Executable file |
---|---|---|---|---|
Live unicast streaming from IP cameras | UDP 15000 – 19999¹ | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecVideoUnitControl32.exe | |
Live video and audio multicast streaming | UDP 47806, 47807 | UDP 47806, 47807 | SRTP when using encryption in transit from Archiver or in transit and at rest | GenetecArchiverAgent32.exe, GenetecVideoUnitControl32.exe |
Vendor-specific ports for cameras | TCP & UDP | TCP Common ports include: | | GenetecVideoUnitControl32.exe |
The following table lists the default network ports that must be opened for the camera:
Port usage | Inbound port | Outbound port | Protocol |
---|---|---|---|
Live unicast streaming from IP cameras | UDP 15000 – 19999¹ | SRTP when using encryption in transit from Archiver or in transit and at rest | |
Live video and audio multicast streaming | UDP 47806, 47807 | UDP 47806, 47807 | SRTP when using encryption in transit from Archiver or in transit and at rest |
Vendor-specific ports for cameras | TCP Common ports include: | TCP & UDP | |