Firewall Requirements for Installation
In this section:
Tables Use the ESS Default Port Numbers
The ports referred to in these tables for HTTP (8080), HTTPS (8443) and SFTP (8022) are the EchoSystem Server (ESS) default port numbers. These firewall rules change to ports set when configuring the system.
On Windows, the ESS can be configured to run on the following native ports: HTTP (80), HTTPS (443), and SFTP (22). On Linux, the ESS cannot be configured to run on protected ports below 1024.
Do not change the following ESS default ports: HTTP (8080), HTTPS (8443), and SFTP (8022).
EchoSystem Server
Outbound Traffic Proxy Not Supported
The ESS does not support being placed behind an outbound traffic proxy. We are aware that many IT departments require the use of an outbound traffic proxy and that the ESS requires an exception. An outbound traffic proxy (even a transparent proxy) imposes numerous communications issues. It is not supported.
Native Ports and ESS Default Ports
A native port for a service is the assumed port. That is, when no port number is specified, web browsers and any connecting client assume that a particular service is running on its native port.
For three services (HTTP, HTTPS, and SFTP) the ESS default ports are different from the native ports, as shown in the table below.
Port Description | Native Port | ESS Port |
|---|---|---|
SFTP (Secure File Transfer Protocol) | 22 | 8022 |
HTTP (Hypertext Transfer Protocol) | 80 | 8080 |
HTTPS (Secure Hypertext Transfer Protocol) | 443 | 8443 |
For example, the URL for the admin interface running on the EchoSystem default port would be:
https://yourdns.edu:8443
If running on the native port, the URL would be:
https://yourdns.edu
Two Options if You are Running Windows
- Change the default ESS ports back to their native ports. See Change ESS Default Ports to Native Ports and follow the port configurations in ESS Firewall Ports for Windows-Only Configuration with Native Ports.
- Leave them at the ESS defaults. Follow the port configurations in ESS Default Firewall Ports for Windows and Linux.
Change ESS Default Ports to Native Ports
Follow these steps.
- Navigate to System > System Settings.
- Click Edit.
- Change the port for HTTPS back to its native port by removing :8443 from the Application Base URL for Application Settings.
- Change the port for HTTP back to its native port by removing :8080 from the Echo Base URL for Application Settings.
- Change the port for SFTP back to its native port by changing the FTP Port for Intake Settings to 22.
- Change the port for HTTP back to its native port by removing :8080 from the Internal Base URL for Active Echo Settings.
- Click Save.
- Restart the EchoSystem Service.
ESS Default Firewall Ports for Windows and Linux
This configuration assumes that you are using the built-in support for the ESS to provide a webserver, SFTP server, and Wowza Media Server (Wowza). If these services are being provided by dedicated or external services, the applicable firewall rules need to be applied to those systems instead.
The following table lists the default ESS firewall port configurations for each supported protocol.
Port Description | Port | Port Direction | Protocol | Comment | Open on local/server firewall? | Open between the institution and rest of world? |
|---|---|---|---|---|---|---|
FTP (File Transfer Protocol) | 21 | outbound | TCP | If using the Easy captioning plugin | Yes | Yes |
SFTP (Secure File Transfer Protocol) | 22 | outbound | TCP | To upload log files to Echo360 support | Yes | Yes |
SMTP (Simple Mail Transfer Protocol) | 25 | outbound | TCP | To send email alerts and notifications via your mail server | Yes | – |
DNS (Domain Name Service) | 53 | outbound | UDP | – | Yes | – |
HTTP (Hypertext Transfer Protocol) | 80 | outbound | TCP | If using Echo360 search indexing Publisher | Yes | Yes |
NTP (Network Time Protocol) | 123 | outbound | UDP | – | Yes | – |
HTTPS (Secure Hypertext Transfer Protocol) | 443 | outbound | TCP | Needed to register for and use the Collaboration and Statistics Service | Yes | Yes |
RTMP (Real Time Messaging Protocol) | 1935 | inbound | TCP | – | Yes | Yes |
HTTP (Apple HTTP Streaming Protocol) | 1935 | inbound | TCP | – | Yes | Yes |
SFTP (Secure File Transfer Protocol) | 8022 | inbound | TCP | – | Yes | – |
HTTP (Hypertext Transfer Protocol) | 8080 | inbound | TCP | – | Yes | Yes |
HTTPS (Secure Hypertext Transfer Protocol) | 8443 | inbound | TCP | – | Yes | Yes |
HTTPS (Secure Hypertext Transfer Protocol) | 8446 | outbound | TCP | Required for Server Licensing | Yes | Yes |
ESS Firewall Ports for Windows-Only Configuration with Native Ports
This configuration assumes that you are using the built-in support for the ESS to provide a webserver, SFTP server, and Wowza Media Server. If these services are being provided by dedicated or external services, the applicable firewall rules need to be applied to those systems instead.
The following table lists the default ESS firewall port configurations for the native ports on a Windows-Only environment.
Port Description | Port | Port Direction | Protocol | Comment | Open on local/server firewall? | Open between the institution and rest of world? |
|---|---|---|---|---|---|---|
FTP (File Transfer Protocol) | 21 | outbound | TCP | If using the Easy captioning plugin | Yes | Yes |
SFTP (Secure File Transfer Protocol) | 22 | outbound | TCP | To upload log files to Echo360 support | Yes | Yes |
SMTP (Simple Mail Transfer Protocol) | 25 | outbound | TCP | To send email alerts and notifications via your mail server | Yes | – |
DNS (Domain Name Service) | 53 | outbound | UDP | – | Yes | – |
HTTP (Hypertext Transfer Protocol) | 80 | both | TCP | If using Echo360 search indexing Publisher | Yes | Yes |
NTP (Network Time Protocol) | 123 | outbound | UDP | – | Yes | – |
HTTPS (Secure Hypertext Transfer Protocol) | 443 | both | TCP | – | Yes | Yes |
RTMP (Real Time Messaging Protocol) | 1935 | inbound | TCP | – | Yes | Yes |
HTTP (Apple HTTP Streaming Protocol) | 1935 | inbound | TCP | – | Yes | Yes |
SFTP (Secure File Transfer Protocol) | 8022 | inbound | TCP | – | Yes | -- |
HTTPS (Secure Hypertext Transfer Protocol) | 8446 | outbound | TCP | Required for Server Licensing | Yes | Yes |
EchoSystem Media Processor
The following table lists the default port configurations for the EchoSystem Media Processor.
Port Description | Port | Port Direction | Protocol |
|---|---|---|---|
DNS (Domain Name Service) | 53 | outbound | UDP |
HTTPS (Secure Hypertext Transfer Protocol) | 8443 | outbound | TCP |
NTP (Network Time Protocol) | 123 | outbound | UDP |
SFTP (Secure File Transfer Protocol) | 8022 | outbound | TCP |
EchoSystem Capture Appliances
The following table lists the default port configurations for the EchoSystem capture appliances. Some of these can be changed on the System Settings page. See Change ESS Default Ports to Native Ports.
Port Description | Default Port | Port Direction | Protocol | Comment |
|---|---|---|---|---|
DHCP (Dynamic Host Configuration Protocol) | 67, 68 | both | UDP | – |
DNS (Domain Name Service) | 53 | outbound | UDP | – |
HTTP (Hypertext Transfer Protocol) | 8080 | inbound | TCP | Can be changed on the System Settings page. See Change ESS Default Ports to Native Ports. |
HTTPS (Secure Hypertext Transfer Protocol) | 8443 | both | TCP | Can be changed on the System Settings page. See Change ESS Default Ports to Native Ports. |
NTP (Network Time Protocol) | 123 | outbound | UDP | – |
SFTP (Secure File Transfer Protocol) | 8022 | outbound | TCP | Can be changed on the System Settings page. See Change ESS Default Ports to Native Ports. |
Wowza Media Server
Port Configurations
The following table lists the port configurations for the Wowza Media Server.
Port Description | Port | Port Direction | Protocol | Comments |
|---|---|---|---|---|
HTTP (Hypertext Transfer Protocol) | 80 | outbound | TCP | Used to validate the Wowza license. The Wowza 3 server sends a registration request when:
The request is sent to:
|
| RTMP (Real Time Messaging Protocol) | 1935 | both | TCP | |
| HTTP (Apple HTTP Streaming Protocol) | 1935 | both | TCP | |
| Live Webcasting | 49152-65535 | both | UDP | Port allocation between the SafeCapture HD and Wowza Media Server for Live Webcasting. See Port Allocation Between the SafeCapture HD and Wowza (Live Webcasting) for details and examples. |
Port Allocation Between the SafeCapture HD and Wowza (Live Webcasting)
Live webcasting uses the RTP protocol (over UDP) for communication between the SafeCapture HD and Wowza.
Ports are dynamically allocated by the ESS in groups of eight for each webcast. The port block is reserved 30 minutes before the event starts and is freed 15 minutes after the event completes.
Port allocation begins at the top of the IANA dynamic or private port range of 49152 to 65535 and works down:
- group 0 = UDP ports 65528-65535
- group 1 = UDP ports 65520-65527
and so on until...
- group 2046 = UDP ports 49160-49167
- group 2047 = UDP ports 49152-49159
If you need more than 2047 overlapping port group reservations for a single ESS, we will grow below the start of the IANA dynamic port range.
Within each port group, ports are allocated to different functions:
- Even numbered ports are for media streams
- The next higher odd numbered port is for the control stream for that media stream
This means that a single port group can support up to four media streams, allocated as shown:
| This pair... | Is... |
|---|---|
| First pair | Used for audio |
| Second pair | Used for graphics channel 1 (primary display/secondary video) |
| Third pair | Used for for graphics channel 2 (primary video, secondary display) |
| Fourth pair | Reserved for future use |
Port Allocation Example - Audio/Display/Video Capture (Live Webcasting)
If port group 0 (ports 65528-65535) is used for an audio/display/video capture, allocation would be like this:
| Allocation | Port Number |
|---|---|
| Primary audio stream | 65528 |
| Primary audio control | 65529 |
| Primary display stream | 65530 |
| Primary display control | 65531 |
| Primary video stream | 65532 |
| Primary video control | 65533 |
| Unused | 65534 |
| Unused | 65535 |
Port Allocation Example - Audio/Dual Video Capture (Live Webcasting)
If port group 14 (ports 65416-65423) is used for an audio/dual video capture, allocation would be like this:
| Allocation | Port Number |
|---|---|
| Primary audio stream | 65416 |
| Primary audio control | 65417 |
| Secondary video stream | 65418 |
| Secondary video control | 65419 |
| Primary video stream | 65420 |
| Primary video control | 65421 |
| Unused | 65422 |
| Unused | 65423 |
Classroom Capture Software
The following table lists the default port configurations for Classroom Capture.
Port Description | Port | Port Direction | Protocol |
|---|---|---|---|
DNS (Domain Name Service) | 53 | outbound | UDP |
HTTP (Hypertext Transfer Protocol) | 8080 | both | TCP |
HTTPS (Secure Hypertext Transfer Protocol) | 8443 | both | TCP |
NTP (Network Time Protocol) to *.pool.ntp.org | 123 | outbound | UDP |
SFTP (Secure File Transfer Protocol) | 8022 | both | TCP |
Personal Capture
The following table lists the default port configurations for Personal Capture.
Personal Capture always connects to the ESS via HTTPS. For hosted environments, that port is always 443; for on-site deployments, the default is 8443, however, this setting is configurable.
Port Description | Port | Port Direction | Protocol |
|---|---|---|---|
DNS (Domain Name Service) | 53 | outbound | UDP |
HTTP (Hypertext Transfer Protocol) | 80 | outbound | TCP |
HTTPS (Secure Hypertext Transfer Protocol) | 8443 or 443 (see above note) | outbound | TCP |
SFTP (Secure File Transfer Protocol) | 8022 | outbound | TCP |