What ports do I need open?

Hello. I am sorry if this has been answered before, but I could not find anything in my search.

I have a firewall policy that allows all needed traffic to forward to my openfire server. The problem is that I can’t connect to Red5 sparkweb when I use my custom policy. The only way I can get a connection is when I use the “any” service option in the policy.

I would like to know what ports I actually need open.

Cheers!

dh

OK. I figured this out. The ports this stuff uses are a total mystery if you go by what you read in the threads. I mean, I read so many conflicting posts on this subject, so I thought I would share what worked for me so I can hopefully spare another from these issues.

For me, I had to create a virtual IP that mapped a public IP to the private IP of my Openfire server. Once that was created I had to make a policy that would restrict as much traffic as possible while allowing Red5 Sparkweb to work.

The policy I created contains the following port openings:

TCP port 7070 source 1-65535 - this maps port 7070 to any port it wants.

TCP port 2000-65535 source 1-65535.

As you can see, I had to open a lot of ports to get this to work. I had to use TCPView to see what was being used, and I could only find 5223 being used, but opening only 7070 and 5223 did not work.

This is what worked for me. I am also running this traffic through an IPS to help keep things secure, and I am not sure I would feel good about opening such a large amount of ports without the traffic being filtered and monitored.

If anyone can clue me in to a more secure way to get Red5 Sparkweb open without using so many ports, I would love to have that info.

Cheers

David

Off the top of my head, Red5 Sparkweb uses the following ports:

xmpp socket 5222 and 5223 (changeable from admin web console)

http-bind - 7070 and 7443 (changeable from admin web console)

rtmp - 1935 (changeable from red5 xml files)

rtmpt - 8000 (changeable from red5 xml files)

pool of SIP clients ports - 5070-5099 (changeable from admin web console)

pool of RTP media ports - 3000-30029 (changeable from admin web console)

There could be more, but without looking at the code, I cannot tell.
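To make the difference between the two policies in this thread concrete, here is an added example (not code from the thread or from Openfire/Red5) that models the "TCP 2000-65535" catch-all David used next to an allow-list built from the ports listed above, counts how many ports each exposes, and renders the allow-list as nftables rules. Assumptions: the SIP and RTP pools are UDP (the thread does not say), the chain name `input` is a placeholder, and the default ports are the ones named above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    lo: int      # first port of the range (inclusive)
    hi: int      # last port of the range (inclusive)
    note: str


# Allow-list built from the default ports named in the post above.
# Assumption: SIP and RTP pools are UDP; the thread does not state the protocol.
SPARKWEB_RULES = [
    Rule("tcp", 5222, 5223, "XMPP client sockets"),
    Rule("tcp", 7070, 7070, "http-bind"),
    Rule("tcp", 7443, 7443, "http-bind over TLS"),
    Rule("tcp", 1935, 1935, "rtmp"),
    Rule("tcp", 8000, 8000, "rtmpt"),
    Rule("udp", 5070, 5099, "SIP client port pool (assumed UDP)"),
    Rule("udp", 3000, 30029, "RTP media port pool (assumed UDP)"),
]

# The policy David reported as working: TCP 7070 plus a TCP 2000-65535 catch-all.
BROAD_RULES = [
    Rule("tcp", 7070, 7070, "http-bind"),
    Rule("tcp", 2000, 65535, "catch-all"),
]


def allowed(rules, proto, port):
    """True if any rule in the set admits this protocol/port."""
    return any(r.proto == proto and r.lo <= port <= r.hi for r in rules)


def port_count(rules):
    """Distinct (proto, port) pairs the rule set exposes; overlapping ranges count once."""
    seen = set()
    for r in rules:
        seen.update((r.proto, p) for p in range(r.lo, r.hi + 1))
    return len(seen)


def render_nft(rules, chain="input"):
    """Render the rule set as nftables statements (chain name is a placeholder)."""
    lines = []
    for r in rules:
        ports = str(r.lo) if r.lo == r.hi else f"{r.lo}-{r.hi}"
        lines.append(f'add rule inet filter {chain} {r.proto} dport {ports} accept comment "{r.note}"')
    return "\n".join(lines)
```

Running `port_count` on both sets shows that the catch-all admits every TCP port from 2000 up, including ports such as 4000 that nothing in the list uses, while the allow-list rejects them.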

Hi Dele Olajide, I have been reading this post with interest and feel you may be able to help. I have a similar problem, but not with ports; more a case of IP addresses. I have an Openfire server behind a firewall performing NAT (so the Openfire server’s real address is “hidden”). I have forwarded the relevant ports and chat works fine, no issues at all. However, when I try a “computer-to-computer” voice call (between clients), the client on the “untrusted” side of the firewall does not send a reply to the correct source IP address (i.e. the firewall’s “untrusted” IP address), so the call fails. The client on the “untrusted” side sends its reply to the Openfire server’s “real” IP address (saw this in a Wireshark trace).

My question is: would you or anyone else be able to tell me if there is a way of “telling” the client to reply directly to the sending IP address, as opposed to one that appears to be pre-configured or at least provided to the client by the Openfire server, in the case of voice calls? If you see what I mean.

I had thought about using the Media Proxy facility, but I would still place the server behind a firewall for security reasons. Any ideas?

Any help or advice would be very much appreciated.

With thanks,

Phil.

Unfortunately, you have not told me what client you are using. My guess is Spark and you are using the jingle phone plugin. I think the media server was added to Openfire to solve these types of problems. My advice would be to try it out and see if it makes a difference.

Hi Dele, many thanks for your reply. I’ve managed to figure out the “replying” IP address bit; however, I attempted setting up the Media Proxy but with no success. Any ideas on the best way?

With thanks and much appreciated.