Opening firewall ports for Sametime Gateway Server

Work closely with your firewall administrator to open specific ports in the internal and external firewalls to allow messages to flow to and from the Sametime® Gateway Server in the DMZ to the local Sametime community, and to permit access to LDAP and DB2®. In addition, verify that the external firewall allows inbound and outbound connections to and from specific IP addresses. Make sure any kind of SIP fixup or SIP inspection is disabled in your firewall settings.

About this task

A Sametime Gateway Server or cluster is normally deployed in the DMZ, which is the zone between the internal and external firewalls. You also need to open ports in the external firewall to allow the Sametime Gateway Server to connect with external communities.

You can deploy a Network Address Translator (NAT) between local Sametime Community Servers and a Sametime Gateway Server. However, deploying a NAT device between Sametime Gateway Server and the Internet is not supported when trying to connect a Sametime Gateway Server to AOL® or TLS-encrypted SIP-based external communities. While there are SIP-aware NAT devices, they are not sufficient because AOL communities require secure SIP (SSL/TLS) communication, and a NAT device would not be able to decrypt and translate the packets for proper operation.

Procedure

  1. Open the following ports in the internal firewall:
    • Port 1516 on the internal firewall to each Sametime Community Server in the local Sametime community; the Sametime Gateway Server initiates the TCP connection to the destination IP address at destination port 1516.
    • Port 389 on the internal firewall to the LDAP directory, or port 636 if LDAP access is over SSL.
    • Port 50000 on the internal firewall to a DB2 server.
  2. Open the following ports on the external firewall as needed:
    • Port 5269 on the external firewall to non-secured XMPP.
    • Port 5270 on the external firewall to secured XMPP.
    • Port 5061 on the external firewall to external Sametime or AOL communities using a secure TLS/SSL connection.
    • Port 5060 on the external firewall to an external Sametime community (only if using a non-TLS/SSL connection).
    • Port 53 on the external firewall to external DNS servers to resolve the fully qualified domain name of external instant messaging community servers.
  3. Verify that the external firewall allows inbound and outbound connections to and from the following IP ranges:
    • AOL: 205.188.*.* and 64.12.*.*
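As an added example, not part of this documentation, the following Python model of the rule table above derives the required flows from assumed deployment addresses (the 10.0.x.x hosts and 192.0.2.53 DNS server are constructed), reports whether a given flow is one the procedure requires, and converts the AOL wildcard ranges to CIDR for the step 3 address check.

```python
import ipaddress
from dataclasses import dataclass

# Constructed deployment values for this example; substitute your own.
COMMUNITY_SERVERS = ["10.0.1.10", "10.0.1.11"]  # local Sametime Community Servers
LDAP_SERVER, LDAP_OVER_SSL = "10.0.2.5", True
DB2_SERVER = "10.0.3.7"
EXTERNAL_DNS = ["192.0.2.53"]                    # constructed external DNS server
USE_TLS_TO_EXTERNAL = True
AOL_WILDCARDS = ["205.188.*.*", "64.12.*.*"]     # ranges given in step 3

@dataclass(frozen=True)
class Rule:
    firewall: str   # "internal" or "external"
    dst: str        # destination host or CIDR; the Gateway opens the connection
    port: int
    purpose: str

def wildcard_to_network(wc: str) -> ipaddress.IPv4Network:
    """Convert a trailing-wildcard address such as '205.188.*.*' to CIDR."""
    octets = wc.split(".")
    fixed = [o for o in octets if o != "*"]
    # Only trailing wildcards form a prefix; reject forms like '10.*.1.*'.
    if len(octets) != 4 or octets[:len(fixed)] != fixed:
        raise ValueError(f"unsupported wildcard: {wc}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

def required_rules() -> list:
    """Derive the rule table of steps 1 and 2 from the deployment values above."""
    rules = [Rule("internal", h, 1516, "Community Server") for h in COMMUNITY_SERVERS]
    rules.append(Rule("internal", LDAP_SERVER, 636 if LDAP_OVER_SSL else 389, "LDAP"))
    rules.append(Rule("internal", DB2_SERVER, 50000, "DB2"))
    rules.append(Rule("external", "0.0.0.0/0", 5270 if USE_TLS_TO_EXTERNAL else 5269, "XMPP"))
    rules.append(Rule("external", "0.0.0.0/0", 5061 if USE_TLS_TO_EXTERNAL else 5060, "SIP"))
    rules += [Rule("external", d, 53, "DNS") for d in EXTERNAL_DNS]
    return rules

def matching_rule(firewall: str, dst_ip: str, port: int):
    """Return the purpose a flow serves, or None if no required rule covers it."""
    addr = ipaddress.ip_address(dst_ip)
    for r in required_rules():
        if r.firewall == firewall and r.port == port \
                and addr in ipaddress.ip_network(r.dst, strict=False):
            return r.purpose
    return None

def is_aol_address(ip: str) -> bool:
    """Step 3: the external firewall must allow these ranges in both directions."""
    return any(ipaddress.ip_address(ip) in wildcard_to_network(w) for w in AOL_WILDCARDS)
```

Flows that return None are ones the procedure does not call for, which is a quick way to spot an over-broad rule when reviewing the firewall administrator's change.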