StarLeaf Cloud: Port Requirements

For H.323 Systems

Confirm your firewall allows outbound access from your network to the following destination ports. Static NAT and inbound ports may also be required. Check the manufacturers specifications.

H.323 endpoint firewall requirements

Protocol Source IP Source Port Destination IP Destination Port Description
UDP Any Any <example>  1719 H.225 registration
TCP Any Any <example>  1720 H.225 call signalling
TCP Any Any <example>  1721 H.225 call signalling
UDP Any Any <example>  1722 H.225 call registration
TCP Any Any <example>  10000-10199 H.245 call signaling
UDP Any Any <example>  16384-24576 RTP media

The StarLeaf Cloud directory service ports to which your H.323 endpoints will connect are listed in the table below. If in doubt, simply allow outbound connections to all TCP and UDP ports at 

H.323 directory requirements

Protocol Source IP Source Port Destination IP Destination Port Description
TCP Any Any 80 HTTP directory sync
TCP Any Any 443 HTTPS directory sync
TCP Any Any 389 LDAP directory sync
TCP Any Any 636 LDAPS directory sync 

H.323 endpoints should have any NAT settings (where you enter the public IP address of your gateway onto the endpoint itself) disabled. The purpose of these settings is to assist firewall traversal, but they can interfere with proper operation of the H.460 protocol 

Firewalls should have any H.323-aware mode (ALG/Application-layer gateway for H.323) disabled. As with the NAT settings described above, ALGs are intended to help with firewall traversal but are not required when H.460 is in use and can cause problems (typically, failure of inbound audio, video or content channels). How to do this depends on the manufacturer of your firewall. In many firewalls, this mode is enabled by default, and has to actively be turned off.


Some examples are:


Create rules matching the port ranges described above and with a source/destination of Set the protocol for these rules to be 'None', which will disable all inspection of matching traffic.


Alternatively, the GUI of your Checkpoint firewall might allow you to disable all H.323 features under

SmartDefense>Application Intelligence->VoIP 

Cisco PIX or ASA

Remove the fixup and inspect commands for H.323, H.225 and RAS protocols.


Delete the session helpers for RAS (port 1719) and H.225 (port 1720). In the default configuration, these are session helpers 2 and 3.


Palo Alto Networks

  1. Disable the ALG (Application Layer Gateway) for H.323
  2. Create a new application object for h.225 based on the used ports (TCP 1720, UDP 1719,1720) and configure an application override policy that matches the h.225 traffic initiated by the endpoint so that the default h.225 app won’t be applied
  3. Increase the „TCP Time Wait“ value for h.225 (new app object); default is 15 seconds
  4. Create/modify the security policy matching the h.225 traffic initiated by the endpoint; Use the previously defined application object as application 


Under VoIP -> Settings -> H.323 Settings, disable 'Enable H.323 Transformation'. More information here