Cablecast Firewall Guide

October 16, 2023

Introduction

Ensuring network security is critical to protect your organization's digital assets from potential threats. Managing internal and external TCP ports is a key aspect of network security. In this guide, we will focus on the CablecastDeviceControl service's specific port requirements and firewall/antivirus exclusion recommendations. Understanding these port configurations is essential for maintaining a secure and efficient network environment.

CablecastDeviceControl and HTTP Ports

CablecastDeviceControl relies on various TCP ports for different HTTP traffic, primarily utilizing HTTP proxying to forward requests to the appropriate services or servers. This approach enables Cablecast to provide essential features such as API Requests, Confidence Thumbnails, Digital File Transfers, File Preview, Trimming and more.

Ports Required For User Interface, VOD, Live Streaming, Internet Channels, and Reflect Access

Cablecast needs relatively few ports opened for standard operation. These fall into two main categories. The first and most common category is the standard TCP HTTP ports 80 and 443, required for standard web traffic. These ports should be either NAT (Network-Address-Translated) or Port Forwarded to the Host Cablecast server. The Host Cablecast server is the server that is used to access the Cablecast User Interface. The host server will provide access to all video on demand and live streaming content. CDN services like Cablecast Reflect will use ports 80 and 443 to access VOD and Live Stream content to cache it in Cablecast’s Cloud.

Cablecast Servers should never be connected directly to the public internet without some sort of firewall appliance filtering traffic between the public internet and the Cablecast appliance.

The other major category of port forwards required for public access is for Network Streams that require pushing streams to Cablecast servers. An example of such a network stream is SRT. Specific guidance cannot be given in a general-purpose article, as requirements for port forwarding and firewall rules vary on a site-by-site basis.

| Port | Protocol | Purpose | Notes |
| --- | --- | --- | --- |
| 80 | TCP | HTTP | When HTTPS is enabled all HTTP traffic is automatically redirected to HTTPS |
| 443 | TCP | HTTPS | for SSL |
| Varies | Varies | Network Streams | User defined Incoming ports for network streams such as SRT |

Service-based firewalls such as Palo Alto

Service-based firewalls such as Palo Alto can block outgoing traffic from a Cablecast live stream. This usually blocks .TS and .M4S video stream segments from going out through a public web address. Please ensure that Palo Alto firewalls are configured to allow http-video and to pass through .TS and .M4S file segments.

Starting in Cablecast 7.8, .M4S replaces .TS for video transport in live streams.

https://applipedia.paloaltonetworks.com/home/app/http-video

| Service | Standard Ports | Layer | File Extension | Cablecast Version |
| --- | --- | --- | --- | --- |
| http-video | 80, 443 | 7 (Application) | .TS | 7.7 and Lower |
| http-video | 80, 443 | 7 (Application) | .M4S | 7.8 and Higher |

Inter-server communication

Cablecast systems are typically composed of multiple servers, where one acts as the host of the user interface and others act as secondary video servers, live streaming servers, etc. To perform their standard operations, these servers use a variety of ports to communicate internally.

The Cablecast installer automatically makes the necessary changes to the Windows Firewall to allow for normal operation. When using a third-party firewall or other network security, these channels of communication should remain open for normal operation.

| Port | Machine | Protocol | Purpose | Notes |
| --- | --- | --- | --- | --- |
| 55001 | All | TCP | HTTP | Internal HTTP server used for file transfers and communications. |
| 56700 | All | TCP | Remoting Service | Cablecast Device Control Remoting Service |
| 57907 | Host Unit | TCP | Cablecast CG Notifications | Allows CablecastCG to signal notifications for bulletin updates. When blocked, it falls back to polling, which reduces the update frequency. |
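
For sites using a third-party firewall, the following PowerShell check can be run from each Cablecast server to confirm that the inter-server ports listed above are reachable. This is an added example, not Cablecast's own code; the hostnames are constructed placeholders and the variable names are illustrative.

```powershell
# Added example, not Cablecast code. Hostnames are constructed placeholders;
# replace them with the names or addresses of your own Cablecast servers.
$HostUnit = 'cablecast-host.example.internal'
$Servers  = @($HostUnit, 'cablecast-video2.example.internal')

# Inter-server ports as listed in the table above.
$Ports = @(
    [pscustomobject]@{ Port = 55001; Machine = 'All';       Purpose = 'Internal HTTP server' }
    [pscustomobject]@{ Port = 56700; Machine = 'All';       Purpose = 'Device Control Remoting Service' }
    [pscustomobject]@{ Port = 57907; Machine = 'Host Unit'; Purpose = 'Cablecast CG Notifications' }
)

# Listeners on this machine: separates "service not running" from "firewall blocking".
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $Ports.Port } |
    Select-Object -ExpandProperty LocalPort -Unique
Write-Output ("Local listeners on guide ports: {0}" -f (($listening | Sort-Object) -join ', '))

$results = foreach ($p in $Ports) {
    # 'All' ports are checked on every server, 'Host Unit' ports only on the host.
    $targets = if ($p.Machine -eq 'Host Unit') { @($HostUnit) } else { $Servers }
    foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = $t
            Port      = $p.Port
            Purpose   = $p.Purpose
            Reachable = $r.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring job flag a blocked port.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} inter-server port check(s) failed; review third-party firewall rules." -f $blocked.Count)
    exit 1
}
```

Only ports 80, 443 and the user-defined network stream ports are listed in this guide for public access, so these three inter-server ports do not need to be forwarded from the internet.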