Port 1720 is where a VoIP call knocks before it enters. Not where the conversation happens — that moves to dynamically negotiated ports — but where everything starts. The handshake, the codec negotiation, the permission to proceed. If the call is a conversation, port 1720 is the introduction.
The protocol is H.323. The ITU-T published its first version in November 1996, and it carried an ambitious goal: make real-time voice, video, and data sharing work over packet-switched networks that were designed for none of those things.1
What Happens on Port 1720
When an H.323 endpoint wants to call another, it opens a TCP connection to port 1720 on the destination. Over that connection, it runs Q.931 signaling — the same call-control protocol used in ISDN telephone networks, adapted for IP.2 This channel handles setup, maintenance, and teardown of the call.
But Q.931 is just the invitation. Once the call is accepted, H.323 opens a second channel for H.245 — the protocol that negotiates media capabilities. What codecs can you handle? What bandwidth do you have? Can you do video? H.245 answers these questions. Only after that negotiation does the actual media start flowing, on yet more dynamically assigned ports.
Port 1720 starts the whole cascade.
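A sketch of what a receiver sees first on that TCP connection, as an added example that is not part of the original page or of any vendor's code. It assumes the H.225.0 framing (each Q.931 message wrapped in a 4-byte TPKT header, a 2-octet call reference, and a 2-octet length on the User-user element), which this page does not spell out. The names `parse_frame` and `FramingError` and the sample bytes are constructed for illustration.

```python
import struct

# Subset of Q.931 message types used by H.225.0 call signalling.
Q931_TYPES = {0x01: "Alerting", 0x02: "Call Proceeding", 0x05: "Setup",
              0x07: "Connect", 0x5A: "Release Complete", 0x62: "Facility"}

class FramingError(ValueError):
    """A frame violated TPKT or Q.931 structure rules."""

def parse_frame(buf: bytes, max_len: int = 4096) -> dict:
    """Validate one TPKT frame from a port 1720 stream; decode the Q.931 header."""
    if len(buf) < 4:
        raise FramingError("short TPKT header")
    version, reserved, total = struct.unpack("!BBH", buf[:4])
    if version != 3 or reserved != 0:
        raise FramingError("not TPKT")
    # The length field comes from the peer: bound it before trusting it.
    if not 4 + 3 <= total <= min(max_len, len(buf)):
        raise FramingError(f"TPKT length {total} out of bounds")
    q = buf[4:total]
    cr_len = q[1] & 0x0F
    # Assumption: H.225.0 always uses a 2-octet call reference.
    if q[0] != 0x08 or cr_len != 2 or len(q) < 5:
        raise FramingError("bad Q.931 header")
    call_ref = int.from_bytes(q[2:4], "big") & 0x7FFF  # drop the flag bit
    msg_type = q[4]
    # Walk the information elements, checking every declared length.
    ies, pos = [], 5
    while pos < len(q):
        ie_id = q[pos]
        if ie_id & 0x80:                   # single-octet IE carries no length
            ies.append((ie_id, 0))
            pos += 1
            continue
        width = 2 if ie_id == 0x7E else 1  # User-user IE: 2-octet length
        if pos + 1 + width > len(q):
            raise FramingError("truncated IE header")
        ie_len = int.from_bytes(q[pos + 1:pos + 1 + width], "big")
        pos += 1 + width
        if pos + ie_len > len(q):
            raise FramingError(f"IE 0x{ie_id:02x} overruns frame")
        ies.append((ie_id, ie_len))
        pos += ie_len
    return {"type": Q931_TYPES.get(msg_type, f"0x{msg_type:02x}"),
            "call_ref": call_ref, "ies": ies}

# Constructed sample: Setup with Bearer Capability, Display and User-user IEs.
SETUP = bytes.fromhex("0300001b" "0802123405" "04038893a5"
                      "2805616c696365" "7e0003050000")
```

Every length in the frame is supplied by the remote side, so the parser rejects a frame as soon as a declared length disagrees with the bytes actually received.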
The Protocol That Built Early VoIP
H.323 was everywhere for a decade. Microsoft built it into NetMeeting — the product that let Windows users share desktops and make video calls in the late 1990s, years before anyone had heard of Zoom.3 Cisco built it into their IP telephony systems. Corporations deployed H.323 gatekeepers to manage calls the way PBXs managed traditional phone traffic.
The protocol's roots in ISDN gave it something important: it understood the telephone world. It could bridge IP networks to the public switched telephone network (PSTN), which meant H.323 could connect a computer in Tokyo to a landline in Ohio. That interoperability made it genuinely useful at a time when "Internet phone call" still sounded like science fiction.
Why It Lost
H.323 is baroque. To make one call, it opens port 1720 for Q.931 signaling, negotiates a dynamic port for H.245 capability exchange, then opens separate RTP streams for audio, video, and data. Each of these flows through different ports. Firewalls hated it — you couldn't just open a single port and call it done. NAT traversal was a recurring nightmare. Troubleshooting required understanding a protocol suite that referenced four other protocol suites.4
SIP arrived and did the same job with less ceremony. One signaling protocol, simpler NAT handling, easier to debug. By the mid-2000s, new deployments were choosing SIP. H.323 didn't disappear — it ran in too much installed infrastructure to die quickly — but it stopped growing.
Port 1720 became the port that legacy VoIP systems still listen on, long after the rest of the industry moved on.
Security
H.323 has a significant attack surface. Because port 1720 accepts inbound connection requests to initiate calls, anything listening on it is exposed to whatever malformed input an attacker can construct.
The practical consequences have been real. Microsoft's ISA Server 2000 had a buffer overflow in its H.323 filter that could give an attacker control of the Firewall Service.5 Cisco voice products had exploitable H.323 vulnerabilities.6 The UK's National Infrastructure Security Coordination Centre and the University of Oulu jointly developed an H.323 test suite specifically to find these weaknesses — and found them in implementations from multiple vendors.7
If you see port 1720 open on a network today, the question worth asking is: does anything here actually use H.323? If not, close it. An open port 1720 with no legitimate purpose is an invitation addressed to the wrong people.
Related Ports
- 1719/UDP — H.323 RAS (Registration, Admission, Status) — gatekeepers use this to manage endpoints
- 1718/UDP — H.323 multicast gatekeeper discovery
- 5060/UDP — SIP, the protocol that largely replaced H.323
How to Check What's Listening
Nmap's service detection will usually identify H.323 and sometimes the specific implementation — useful when you need to know whether you're looking at a Cisco gatekeeper, a legacy NetMeeting installation, or something else entirely.