Opening firewall ports for Security Center communication - Security Center 5.7

Series: Security Center 5.7
Revised/modified: 2018-04-03

Opening Firewall Ports for Security Center Communication

When Security Center is deployed in a network environment with firewalls, you must open the network ports required for proper communication between the Security Center components.

This topic uses deployment scenarios to provide a list of incoming and outgoing network ports that are required by specific Security Center features or functionality, including:

  • Access control
  • Federation™
  • Video

Each Security Center deployment has common network configuration requirements that must be met for proper functioning of the system. This topic does not include these common ports, but builds on top of them. For more information on the Security Center port requirements, refer to "Which ports are used in Security Center 5.0 and later?".

Required ports must be opened in each firewall that governs communication between system components such as video units, access control units, other Security Center deployments, and so on.

One Access Manager with one or more Synergis™ Cloud Link units

For Security Center to work properly with Synergis™ Cloud Link units, you must open firewall ports to allow proper communication between the components.

Scenario

In this access control scenario, a Security Center server running the Access Manager role is connected to one or more Synergis™ Cloud Link units, each on a different network segment. To filter all traffic on the network, or if there are firewall rules between each network segment, specific inbound and outbound ports must be defined.

The following table lists the default network ports that must be opened for the Access Manager:

| Application | Inbound | Outbound | Port usage |
|---|---|---|---|
| Access Manager | | UDP 2000 | Synergis™ extension - discovery |
| | | TCP 443 | Secure communication with Synergis™ units (HTTPS) |

The following table lists the default network ports that must be opened for the Synergis™ units:

| Application | Inbound | Outbound | Port usage |
|---|---|---|---|
| Synergis™ Softwire (Synergis™ unit) | TCP 80 | TCP 80 | Communication port (HTTP) |
| | TCP 443 | TCP 443 | Secure communication port (HTTPS) |
| | UDP 2000 | UDP 2000 | Discovery/Peer-to-Peer |

Central Security Center federating one or more remote sites to share video

For a Security Center Federation™ host to properly connect to one or more federated systems to share video, you must open firewall ports to allow proper communication between the sites.

Scenario

In this scenario, a central Security Center server is set up as the Federation™ host to monitor one or more Security Center systems at remote sites. Each system is running the Directory, Media Router, Archiver, Access Manager, and Map Manager roles.

The following table lists the default inbound and outbound ports that must be opened for the Federation™ host:

| Application | Inbound | Outbound | Port usage |
|---|---|---|---|
| Directory | | TCP 5500 | Federation™ client connections |
| Media Router | TCP 554 | | Live and playback stream requests |
| | | TCP 554 | Federated Media Router stream requests |
| Archiver | TCP 555 | | Live and playback stream requests |
| | TCP 605 | | Incoming edge playback stream requests |
| Redirector | | TCP 554 | Communication with Media Router (Security Center Federation™) |
| | TCP 560, 5004 | | Live and playback stream requests |
| | | TCP 560, 5004 | Stream requests to other redirectors |
| | | UDP 8000-12000 | Live video and audio unicast |
| | UDP 47806, 47807 | | Live video and audio multicast |

The following table lists the default inbound and outbound ports that must be opened at the remote site:

| Application | Inbound | Outbound | Port usage |
|---|---|---|---|
| Directory | TCP 5500 | | Federation™ client connections |
| Media Router | TCP 554 | | Federated Media Router stream requests |
| Archiver | | UDP 47806, 47807 | Live video and audio multicast |
| | TCP 605 | | Incoming edge playback stream requests |
| Redirector | TCP 554 | | Communication with Media Router (Security Center Federation™) |
| | | TCP 555 | Communication with the Archiver |
| | | TCP 560, 5004 | Stream requests to other redirectors |
| | | UDP 6000-6500 | Media transmission to client applications |
| | | UDP 8000-12000 | Media transmission to other redirectors |

Archiver role connecting to cameras behind a firewall

For the Security Center Archiver role to properly connect to one or more cameras behind a firewall, you must open firewall ports to allow proper communication with the devices.

Scenario

In this video surveillance scenario, the Archiver role must connect to one or more cameras behind a firewall. Cameras might be on different networks, or a single network where the firewall controls every connection.

The following table lists the default network ports that must be opened for the Archiver:

| Application | Inbound | Outbound | Port usage |
|---|---|---|---|
| Archiver | UDP 15000–19999¹ | | Live unicast streaming from IP cameras |
| | UDP 47806, 47807 | UDP 47806, 47807 | Live multicast streaming from IP cameras |
| | TCP & UDP | | Vendor specific ports for events and discovery of IP cameras. |
| | | TCP | Vendor specific ports to enroll and control IP cameras. Common outbound TCP ports are: 80 (HTTP), 443 (HTTPS), 554 (RTSP). |

The following table lists the default network ports that must be opened for the camera:

| Application | Inbound | Outbound | Port usage |
|---|---|---|---|
| Archiver | | UDP 15000–19999¹ | Live unicast streaming from IP cameras |
| | UDP 47806, 47807 | UDP 47806, 47807 | Live multicast streaming from IP cameras |
| | | TCP & UDP | Vendor specific ports for IP camera events. |
| | TCP | | Vendor specific ports to enroll and control IP cameras. Common outbound TCP ports are: 80 (HTTP), 443 (HTTPS), 554 (RTSP). |

¹ You can have multiple Archiver agents on the same server. Each Archiver agent assigns a unique UDP port to each video unit it controls. To ensure that the UDP port assignment on a server is unique, each additional Archiver agent on the same server adds 5000 to its starting UDP port number. For example, the first Archiver agent uses ports 15000-19999, the second one uses ports 20000-24999, the third one uses ports 25000-29999, and so on.
NOTE: You can manually assign live streaming reception UDP ports from the Resource tab of the Archiver role.
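
The default port assignment described in the footnote can be checked against what a firewall actually allows. The following Python is an added example, not Genetec code: it derives each Archiver agent's default UDP range, then reports required ports the firewall blocks and allowed ports that no agent needs. The function names and the sample allow-list are constructed for illustration, and manually assigned ports (see the NOTE above) are not modeled.

```python
BASE_PORT = 15000    # first Archiver agent's starting UDP port (from the footnote)
AGENT_STRIDE = 5000  # each additional agent on the same server adds 5000


def agent_range(index):
    """Default inclusive UDP range of the Nth Archiver agent on a server (1-based)."""
    if index < 1:
        raise ValueError("agent index is 1-based")
    start = BASE_PORT + (index - 1) * AGENT_STRIDE
    end = start + AGENT_STRIDE - 1
    if end > 65535:  # the arithmetic would leave the valid UDP port space
        raise ValueError(f"agent {index} exceeds UDP port 65535")
    return (start, end)


def merge(ranges):
    """Merge overlapping or adjacent inclusive (start, end) ranges."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def subtract(wanted, have):
    """Return the parts of `wanted` that no range in `have` covers."""
    gaps = []
    for start, end in merge(wanted):
        cursor = start
        for h_start, h_end in merge(have):
            if h_end < cursor or h_start > end:
                continue
            if h_start > cursor:
                gaps.append((cursor, h_start - 1))
            cursor = h_end + 1
        if cursor <= end:
            gaps.append((cursor, end))
    return gaps


def audit(agent_count, allowed_udp):
    """Return (blocked, excess) for a firewall's allowed inbound UDP ranges."""
    required = [agent_range(i) for i in range(1, agent_count + 1)]
    return subtract(required, allowed_udp), subtract(allowed_udp, required)


# Constructed sample: two agents, firewall allows inbound UDP 15000-22000 only.
if __name__ == "__main__":
    print(audit(2, [(15000, 22000)]))
```

A non-empty `blocked` list means some video units of a later agent cannot deliver live unicast streams; a non-empty `excess` list marks UDP ports that can be closed.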