Firewall Port Requirements for AV Systems and Services

Typically Audio Video devices can be segregated onto a closed off VLAN from the enterprise network with no East/West communication to other VLANs. This is the best practice from a security standpoint as these devices will not be able to communicate with anything outside of their VLAN. Ideally the AV devices will have North/South access to the internet for configuration and remote support purposes.

However, if inter-VLAN communication is required, the firewall ports for typical devices are included below.

The following does not take into consideration firewall requirements for VoIP, dedicated video codecs (i.e. Cisco SX-80, WebEx Room Kit, Polycom RealPresence, etc.), or software based video calling systems (i.e. Zoom, Microsoft Teams Rooms, PC based WebEx). See the end of this document for a collection of links to support articles for some of these services

Best practices show that MAC address based DHCP reservations allow the devices to be configured and maintained as easily as possible.

Crestron

For inter-VLAN communication, Crestron devices require the following ports for communication with each other or with a machine running the Crestron configuration software (Crestron Toolbox).

    
      Port
      Protocol 
      Service
      Notes
    

      80
      TCP 
      Web Server
      Web pages can also be hosted via IIS or other corporate web server
    

        443
        TCP 
        Secure Web Server
        Use for secure SSL access
    

        41794
        TCP 
        Crestron over IP
        Proprietary Crestron control communications
    

        41796
        TCP 
        Secure Crestron over IP
        Proprietary Crestron control communications when SSL is enabled
    

        49200
        TCP 
        Secure Crestron over IP (for Crestron HTML5 User Interface)
        Proprietary Crestron control communications over WebSocket when SSL is enabled
    

Q-SYS

For inter-VLAN communication, Q-SYS devices require the following ports for communication with each other or with a machine running the Q-SYS configuration software (Q-SYS Designer).

    
      Port
      Protocol 
      Service
      Notes
    

      443
      TCP 
      Secure Web Server
      Q-SYS Designer software as well as Q-SYS UCI viewers communication to the Q-SYS Core
    

        1702
        TCP 
        Q-SYS External Control - ACSII
        Proprietary Q-SYS control communication with the ACSII based API
    

        1710
        TCP 
        Q-SYS External Control - JSONRPC
        Proprietary Q-SYS control communication with the JSONRPC based API
    

        N/A
        ICMP 
        Ping
        The remote PC must be able to exchange ICMP (ping) echo messages with the Q-SYS Core
    

BIAMP

For inter-VLAN communication, Biamp Tesira devices require the following ports for communication with each other or with a machine running the Biamp configuration software.

    
      Port
      Protocol 
      Service
      Notes
    

        22
        TCP 
        SSH
        3rd party secure control of Tesira server-class devices
    

        443
        TCP 
        Secure Web Server
        Activation of Tesira & Biamp Canvas software
    

        5353
        UDP 
        mDNS Discovery
        Device discovery
    

        12003
        TCP / UDP 
        Proprietary
        Device discovery
    

        61451
        TCP / UDP 
        Proprietary
        Device discovery & communication
    

SHURE

For inter-VLAN communication, Shure MXA devices require the following ports for communication with each other or with a machine running the Shure configuration software (Shure Designer).

    
      Port
      Protocol 
      Service
      Notes
    

        22
        TCP 
        SSH
        Secure Shell Interface
    

        80
        TCP 
        Web Server
        Required to launch embedded web server
    

        443
        TCP 
        Secure Web Server
        N/A
    

        2202
        TCP 
        ACSII Control Protocol
        Required for 3rd party control strings
    

        5353
        UDP 
        mDNS Discovery
        Device discovery
    

        5568
        UDP 
        SDT
        Required for inter-device communication
    

        64000
        TCP 
        Telnet
        Required for Shure Firmware Update Utility
    

Voice and Video Support Articles

Below are links to manufacturer specific support articles regarding firewall and network considerations for software based voice and video calling. These articles are frequently updated by the manufacturer with the most up to date information regarding their services.

Crestron

XiO Cloud Security

Crestron® Flex Unified Communications Pre-Deployment Checklist

Microsoft Teams

Assessing Microsoft 365 network connectivity

Prepare your organization's network for Microsoft Teams

Microsoft 365 network connectivity test

Zoom

Zoom network firewall or proxy server settings

Firewall Configuration for Zoom Rooms

Biamp

VoIP Support Page

Q-SYS

Softphone and SIP Overview