Firewalls are a common part of network and system configurations. They are often used to protect a home or business network from unwanted outside connections, but many machines now also have their own firewalls installed. We frequently see our services installed on machines that have advanced network firewalls, and many data centers running LumenVox services have a variety of firewalls in place. Because these firewalls are a necessity, this article gives you an overview of the ports used by the various LumenVox services, which will allow you to configure your firewall rules as needed.
This information may also be useful if you need to configure proxy servers, or are configuring some NAT setup for your particular needs.
Figure 1: Typical Firewall Diagram
LumenVox Distributed Services
Part of the overall philosophy used when designing each of the LumenVox services was to allow users to configure the services across different physical machines if needed. Installing these services across multiple machines may be done for a number of reasons, such as failover redundancy, load balancing or other implementation-specific reasons. LumenVox services are often installed on a single machine; however, this is not always the optimal configuration.
For more detailed information on LumenVox' Distributed architecture, please see our Distributed Architecture for Speech Applications whitepaper on our LVDN site.
LumenVox Server Ports
Each of the LumenVox services is configured to use a specific port on which to receive requests. Most of the packets transmitted between the LumenVox services and any client applications using them use a proprietary packet format; however, the ports that are used and their direction are fairly well defined, as described in the following table.
Clients, such as customer applications that use the LVSpeechPort module, and associated APIs to communicate with the LumenVox services (as opposed to those using our Media Server for connectivity), would utilize these ports. Note that if the Media Server needs to access these services, it will also reach out using these port numbers. The LumenVox Manager, which powers the browser based configuration and diagnostic interface also communicates with the other services using these ports.
To clarify, as shown in the table below, the services themselves require inbound connectivity, but anything (SpeechPort, MediaServer or Manager, etc.) needing to talk to these servers would need corresponding OUT rules permitting connectivity.
Note that the Manager's ADMIN_PORT, which is used by the web-based Dashboard, can be configured to use either HTTP or HTTPS (default) protocols, and using the username/password settings in manager.conf, you can configure the web portal to require password authentication. The Manager can also be configured to use an Access Control List to only permit connectivity to certain IP addresses. You are also encouraged to install your own SSL certificate on each machine to verify authenticity when connecting to the Dashboard from a browser (see our Resolving Dashboard Certificate Issues article for details of how to do this).
| Name | Default Port | Protocol | Direction | Configuration Setting | Service |
|---|---|---|---|---|---|
| ASR Server Port | 5730 | TCP | IN | sre_server.conf / [SRE] SRE_PORTNUM | ASR Server |
| TTS Server Port | 7579 | TCP | IN | tts_server.conf / [GLOBAL] PORT_NUM | TTS Server |
| License Server Port | 7569 | TCP | IN | license_server.conf / [GLOBAL] PORT_NUMBER | License Server |
| Call Indexer Port | 7595 | TCP | IN | call_indexer.conf / [SETTINGS] PortNumber | CallIndexer |
| Manager (web) Port | 8080 | TCP | IN | manager.conf / [SETTINGS] ADMIN_PORT | Manager |
| Media Server Port | 7590 | TCP | IN | media_server.conf / [GLOBAL] messaging_port | Media Server |
Support Removed in Summer 2016
Obsolete: Subscription Licensing Ports
As of the Summer of 2016, the LumenVox Legacy Subscription Licensing system was retired and replaced with the significantly improved Flexible Licensing System. This documentation is therefore deprecated and will be removed in due course.
Any and all users that were using the legacy subscription licensing system should have been contacted and migrated over to the Flexible system. Please contact support@lumenvox.com if you have any questions regarding this transition.
LumenVox offers a number of different licensing models. One of those is our subscription licensing service, where the client application reaches out to our cloud-based license servers and, using authentication, requests licenses as they are needed. The port number used (7569) is fixed and cannot be changed in this licensing model.
See our Licensing Overview article to help determine whether this licensing model applies to you.
These outbound connections are made from either a customer application, if you are using our LVSpeechPort API, or some of our helper tools that use LVSpeechPort, such as SimpleASRClient, SimpleTTSClient, LvShowConfig, etc., and/or from our Media Server if using that for MRCP connectivity.
Typically when using the subscription licensing model, users would not be required to run our License Server service locally.
Note that because the client applications need to be able to reach these LumenVox servers in the cloud, they will need explicit access to these FQDNs on port 7569. Also note that users are encouraged to use these Fully Qualified Domain Names instead of the corresponding IP addresses, as LumenVox may change the IP addresses of these servers periodically.
| Name | Default Port | Protocol | Direction | Configuration Setting | Service |
|---|---|---|---|---|---|
| license1.lumenvox.com | 7569 | TCP | OUT | client_property.conf / [GLOBAL] LICENSE_SERVERS | Speech Port Client (API) |
| license2.lumenvox.com | 7569 | TCP | OUT | client_property.conf / [GLOBAL] LICENSE_SERVERS | Speech Port Client (API) |
| license3.lumenvox.com | 7569 | TCP | OUT | client_property.conf / [GLOBAL] LICENSE_SERVERS | Speech Port Client (API) |
Flexible Licensing Ports
Another licensing model that LumenVox offers is our Flexible Licensing option. With this model, the local License Server (running locally on a customer server) would communicate periodically with a different set of cloud based servers that LumenVox maintains.
See our Licensing Overview article to help determine whether this licensing model applies to you, or our Flexible Licensing Overview for a more detailed description of the Flexible model.
To help IT managers accommodate these connections, a number of different ports can be configured for communicating with the LumenVox servers, depending on whether HTTP or HTTPS connectivity is selected (using the USE_FLEX_REPORTING_HTTPS setting in license_server.conf).
- 80, 8080, 13449, 24963, 43038 - HTTP
- 443, 8443, 23028, 39520, 48846 - HTTPS
The data passed between the license server and the LumenVox licensing nodes in the cloud is all encrypted, and no sensitive information is contained in these messages, nor are any details of individual decodes or syntheses; only a summary of license use is passed. The option to select HTTPS connectivity is merely to add an additional layer of security if desired. The response from the LumenVox licensing nodes when these messages are sent is an up-to-date list of permitted licenses for the license server, which allows for minimal manual intervention whenever new licenses are purchased or the configuration is changed.
The License Server will attempt to connect to one of the flexible licensing nodes. Only if unsuccessful will it move on to the next available, so typically only one of these flexible licensing nodes would be used, not all of them, however it is best practice to permit connectivity with all of these servers in the case of an outage or maintenance work on one or more of them.
Note that because the client applications need to be able to reach these LumenVox servers in the cloud, they will need explicit access to these FQDNs, listed below, on the selected port(s). Also note that users are encouraged to use these Fully Qualified Domain Names instead of the corresponding IP addresses, as LumenVox may change the IP addresses of these servers periodically.
| Name | Default Port | Protocol | Direction | Configuration Setting | Service |
|---|---|---|---|---|---|
| flexlicense1.lumenvox.com | 80 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT | License Server |
| flexlicense2.lumenvox.com | 80 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT | License Server |
| flexlicense3.lumenvox.com | 80 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT | License Server |
| flexlicense4.lumenvox.com | 80 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT | License Server |
| flexlicense5.lumenvox.com | 80 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT | License Server |
| flexlicense6.lumenvox.com | 80 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT | License Server |
| flexlicense7.lumenvox.com | 80 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT | License Server |
| flexlicense8.lumenvox.com | 80 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT | License Server |
| flexlicense9.lumenvox.com | 80 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT | License Server |
| flexlicense10.lumenvox.com | 80 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT | License Server |
Added in 15.0.100
LumenVox 15.0 introduced a new set of FQDN values, assigned in FLEX_NODE_LIST_HTTPS, which are designed to be used exclusively when communicating with the LumenVox Flexible Licensing Node using the HTTP protocol.
| Name | Default Port | Protocol | Direction | Configuration Setting | Service |
|---|---|---|---|---|---|
| flexlicense-s01.lumenvox.com | 443 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT_HTTPS | License Server |
| flexlicense-s02.lumenvox.com | 443 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT_HTTPS | License Server |
| flexlicense-s03.lumenvox.com | 443 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT_HTTPS | License Server |
| flexlicense-s04.lumenvox.com | 443 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT_HTTPS | License Server |
| flexlicense-s05.lumenvox.com | 443 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT_HTTPS | License Server |
| flexlicense-s06.lumenvox.com | 443 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT_HTTPS | License Server |
| flexlicense-s07.lumenvox.com | 443 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT_HTTPS | License Server |
| flexlicense-s08.lumenvox.com | 443 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT_HTTPS | License Server |
| flexlicense-s09.lumenvox.com | 443 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT_HTTPS | License Server |
| flexlicense-s10.lumenvox.com | 443 | TCP | OUT | license_server.conf / [GLOBAL] FLEX_REPORTING_PORT_HTTPS | License Server |
Media Server Ports
The LumenVox Media Server is responsible for providing connectivity between various platforms that use the standards-based MRCP protocol to connect to the LumenVox speech services.
Typically when connecting to the LumenVox Media Server, these platforms would use either SIP or RTSP sessions to negotiate the parameters of the connection, including which MRCP port and RTP ports would be used.
Either of the SIP and RTSP ports can be disabled in the media_server.conf configuration file by setting the port value to 0 if not required, although leaving the port enabled does not pose much of an overhead.
LumenVox supports SIP connections using either UDP or TCP protocols, so please be sure to configure the appropriate setting for this port when setting up your firewall rules. Also note that when LumenVox is installed on the same server as another platform that uses SIP connectivity, there may be a port conflict between the platform and the Media Server, since both are trying to use port 5060 by default. In that case it is often easier to change the Media Server sip_port from the default value to something else (perhaps 5066 for example).
We also allow the port ranges for MRCP and RTP connectivity to be configured in the media_server.conf file to avoid overlapping any port range used by other applications. If you change these values, please verify that the range you select does not overlap the ephemeral port range for the machine you are using. See our Network Ports and Ranges article for more details.
RTP data is typically inbound to the Media Server for ASR audio, and outbound from the Media Server for TTS audio.
| Name | Default Port / Range | Protocol | Direction | Configuration Setting | Service |
|---|---|---|---|---|---|
| MRCP Connectivity | 20000 - 24999 | TCP | IN | media_server.conf / [GLOBAL] mrcp_server_port_base | Media Server |
| RTP audio | 25000 - 29999 | UDP | IN/OUT | media_server.conf / [GLOBAL] rtp_server_port_base | Media Server |
| SIP Port | 5060 | UDP/TCP | IN | media_server.conf / [GLOBAL] sip_port | Media Server |
| RTSP Port | 554 | TCP | IN | media_server.conf / [GLOBAL] rtsp_port | Media Server |
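The range check recommended above, as an added example (not LumenVox code): it parses a constructed media_server.conf, flags MRCP or RTP ranges that overlap the machine's ephemeral range or each other, and lists the firewall openings the configuration implies. The `key = value` file syntax, the 5000-port range width (taken from the default ranges in the table) and all function names are assumptions.

```python
import configparser

# Constructed sample; the "key = value" syntax is an assumption, only the
# [GLOBAL] section and setting names come from the table above.
SAMPLE_CONF = """
[GLOBAL]
mrcp_server_port_base = 30000
rtp_server_port_base = 35000
sip_port = 5066
rtsp_port = 0
"""
RANGE_SIZE = 5000  # assumption: width of the default ranges 20000-24999 / 25000-29999
SAMPLE_EPHEMERAL = (32768, 60999)  # constructed: a common Linux default

def read_ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Linux only: return the kernel's ephemeral port range as (low, high)."""
    with open(path) as fh:
        low, high = fh.read().split()
    return int(low), int(high)

def overlaps(a, b):
    """True when the inclusive port ranges a and b share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]

def plan_media_server_rules(conf_text, ephemeral, sip_transports=("udp", "tcp")):
    """Return (firewall openings, problems) for one Media Server config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    g = cfg["GLOBAL"]
    ranges = {}
    for name, key in (("MRCP", "mrcp_server_port_base"), ("RTP", "rtp_server_port_base")):
        base = g.getint(key)
        ranges[name] = (base, base + RANGE_SIZE - 1)
    problems = ["%s range %d-%d overlaps the ephemeral range" % (n, lo, hi)
                for n, (lo, hi) in ranges.items() if overlaps((lo, hi), ephemeral)]
    if overlaps(ranges["MRCP"], ranges["RTP"]):
        problems.append("MRCP and RTP ranges overlap each other")
    rules = [("tcp", "in", "%d-%d" % ranges["MRCP"]),
             ("udp", "in/out", "%d-%d" % ranges["RTP"])]
    sip, rtsp = g.getint("sip_port"), g.getint("rtsp_port")
    if sip:  # a port value of 0 disables the listener, so no rule is emitted
        rules += [(proto, "in", str(sip)) for proto in sip_transports]
    if rtsp:
        rules.append(("tcp", "in", str(rtsp)))
    return rules, problems

if __name__ == "__main__":
    rules, problems = plan_media_server_rules(SAMPLE_CONF, SAMPLE_EPHEMERAL)
    print(rules, problems, sep="\n")
```

On a Linux host, pass `read_ephemeral_range()` instead of the constructed range, and narrow `sip_transports` to the one transport your platform actually uses.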
Dashboard FTPS Port
In versions of LumenVox starting at 14.1.100, the Dashboard provides a new diagnostic interface, which allows users to optionally send diagnostic reports and logs to LumenVox for analysis. This connectivity is performed using File Transfer Protocol Secure (FTPS) to the LumenVox FTP Server hosted at ftp.lumenvox.com and therefore requires traffic to this server to be enabled on the FTPS port (990). This port connection is hard-coded and cannot be changed. This connection is only outbound and only initiated by the Manager service when explicitly requested by a user.
Note that the passive mode (PASV) port range shown will be negotiated for each connection, so one of these ports will be agreed during authentication via the FTPS connection (port 990), which will then cause the manager to open a data connection from one of the available ports in the PASV range to transfer the data.
Both the control connection (port 990) and the data connection (one of the ports in the range 11000 to 13000) will be initiated by the manager software, so these are both outbound connections and should be enabled as such within your firewall rules.
| Name | Default Port | Protocol | Direction | Configuration Setting | Service |
|---|---|---|---|---|---|
| FTPS Connection | 990 | TCP | OUT | Not configurable | Manager |
| Data (PASV) Connection | 11000-13000 | TCP | OUT | Not configurable | Manager |
SNMP Ports
In versions of LumenVox starting at 15.0.300, the Manager introduced support for Simple Network Management Protocol (SNMP), which must be enabled before any of the ports associated with it are used. When using SNMP, the two associated ports are both configurable within the settings; the table below shows the typically used values.
When enabled, SNMP provides an interface that SNMP managers can use to identify the LumenVox instance. These inbound requests are sent to the AGENT_PORT, which is 0 by default, disabling SNMP. Typically users will configure this port to use 161 when enabled.
In addition, when using SNMP, a new set of trap notifications has been introduced to issue alerts when certain alarm conditions appear or become resolved. These messages are sent to all defined TRAP_SERVERS using the specified TRAP_PORT.
| Name | Default Port | Protocol | Direction | Configuration Setting | Service |
|---|---|---|---|---|---|
| SNMP Agent Port | 0 (typically 161) | UDP | IN | manager.conf / [SNMP] AGENT_PORT | Manager |
| SNMP Trap Port | 162 | UDP | OUT | manager.conf / [SNMP] TRAP_PORT | Manager |