Configuring your firewall | Typical H.323 ports | Additional Materials
Firewalls and H.323 have not been very friendly:

Videoconferencing is a difficult application to negotiate through firewalls and Network Address Translation (NAT). Firewalls and NAT provide security by limiting access to a Local Area Network's (LAN's) ports, filtering or blocking inbound Internet traffic. Recent advancements, at least in the Cisco PIX firewall and in recent Polycom software upgrades, are beginning to make the two more friendly with each other.
We recommend assigning a public K-20 IP address to your codec and installing it on your network outside of your firewall. An attacker who reaches a Polycom appliance-based codec outside the firewall may be able to place a call or change its settings, but can do little else with it. Even so, unwanted calls and changed settings are exposure worth limiting, so protect the codec's administrative web interface (TCP port 80 in the table below). Most Internet viruses and worms attack Microsoft Windows™ and other general-purpose operating systems; the recommended Polycom appliance-based codecs do not run those operating systems.

Using your codec behind a firewall?

You may have multiple codecs (or distance education classrooms) on the same LAN or Wide Area Network (WAN) that need to connect to each other in addition to connecting to other endpoints across K-20 or the Internet. Those codecs are probably separated by enough distance that connecting each of them directly to K-20 outside your firewall is impossible. You will need to install them inside and set up the firewall to allow incoming and outgoing calls.
If your endpoint is behind a firewall that blocks incoming H.323 calls, and the site you want to connect with is also behind one, then neither site will be able to connect by placing a call to the other: your outgoing call signalling (TCP 1720) will be blocked by the far end firewall, and theirs by yours. One of the two firewalls must admit inbound H.323, or one of the endpoints must sit outside its firewall.

How H.323 traverses a firewall:

H.323 traffic requires several ports that may be protected by the firewall or NAT. If a firewall is between your codec and the far end codec, those ports must be opened correctly before a connection can be made between the two sites. The codec may also need NAT parameters defined, because H.323 signalling carries the codec's own IP address and ports inside the messages, not only in the packet headers.
H.323 uses a single fixed TCP port (1720) to start a call with the H.225 call signalling protocol (part of the H.323 suite, based on Q.931). Once call setup is complete, it uses a dynamic TCP port, announced inside the H.225 messages, for the H.245 protocol (also part of the H.323 suite), which handles capabilities exchange ("caps exchange") and channel control. Finally, it opens two dynamic UDP ports for each type of media negotiated for the call (audio, video, far-end camera control, etc.): the first, by convention an even-numbered port, carries the RTP media stream and the second, the next odd-numbered port, carries the matching RTCP control data. RTP and RTCP are IETF protocols (RFC 3550); H.225.0 specifies how H.323 uses them for media. Because the H.245 and media ports are chosen per call and revealed only inside the signalling, a firewall that inspects packet headers alone cannot know to expect them; that is why codecs with fixed port ranges (see the Polycom ports below) or firewalls with H.323 inspection are needed. See H.323 Basics for an explanation of the H.323 suite.
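The three stages above map onto a concrete set of flows. The following Python model is an added example (not code from this page, Polycom or Cisco): it builds the flows a point-to-point call opens, using the Polycom fixed ports listed later on this page as the H.245 and media ports, and checks them against two firewall policies. The addresses are constructed, the "stateful" policy model is a deliberate simplification, and both ends are assumed to use the same media port numbers.

```python
"""Flows opened by an H.323 point-to-point call, checked against a firewall policy.

Added example; hosts, ports and the policy model are constructed for illustration.
"""
from dataclasses import dataclass

H225_PORT = 1720                  # fixed TCP port for H.225/Q.931 call setup
POLYCOM_TCP = range(3230, 3232)   # Polycom fixed ports for H.245 (TCP 3230-3231)
POLYCOM_UDP = range(3230, 3236)   # Polycom fixed ports for RTP/RTCP (UDP 3230-3235)


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    stage: str   # which part of the call this flow carries


@dataclass(frozen=True)
class Rule:
    proto: str
    dst: str      # protected host the rule applies to
    ports: range  # permitted destination ports


def call_flows(caller, callee, h245_port, rtp_ports, ephemeral=49152):
    """Flows for a call from caller to callee.

    h245_port: the dynamic TCP port the callee announces inside H.225 for H.245.
    rtp_ports: even UDP ports, one per negotiated media type (audio, video, FECC);
    RTCP takes the next odd port (RFC 3550 convention). Both ends are assumed to
    use the same port numbers, a simplification for the example.
    """
    flows = [
        Flow("tcp", caller, ephemeral, callee, H225_PORT, "H.225/Q.931 call setup"),
        Flow("tcp", caller, ephemeral + 1, callee, h245_port, "H.245 control"),
    ]
    for port in rtp_ports:
        if port % 2:
            raise ValueError(f"RTP port {port} must be even; RTCP takes the next odd port")
        for a, b in ((caller, callee), (callee, caller)):   # media flows in both directions
            flows.append(Flow("udp", a, port, b, port, "RTP media"))
            flows.append(Flow("udp", a, port + 1, b, port + 1, "RTCP"))
    return flows


def permits(policy, protected_host, flow):
    """Stateful-firewall approximation: anything the protected host initiates is
    allowed and its replies ride on that state; inbound flows need a matching rule."""
    if flow.src == protected_host:
        return True
    return any(r.proto == flow.proto and r.dst == flow.dst and flow.dport in r.ports
               for r in policy)


def blocked(policy, protected_host, flows):
    """Flows of the call that the policy would drop."""
    return [f for f in flows if not permits(policy, protected_host, f)]


if __name__ == "__main__":
    CODEC, FAR_END = "203.0.113.10", "198.51.100.20"   # constructed addresses
    flows = call_flows(FAR_END, CODEC, h245_port=3230, rtp_ports=[3230, 3232, 3234])

    # Opening only TCP 1720 lets the call start but never complete.
    setup_only = [Rule("tcp", CODEC, range(1720, 1721))]
    for f in blocked(setup_only, CODEC, flows):
        print(f"BLOCKED {f.stage:<22} {f.proto}/{f.dport} from {f.src}")

    # With the codec's fixed ports opened as well, every flow of the call is permitted.
    fixed_ports = setup_only + [Rule("tcp", CODEC, POLYCOM_TCP), Rule("udp", CODEC, POLYCOM_UDP)]
    print("blocked with fixed-port policy:", len(blocked(fixed_ports, CODEC, flows)))
```

Run as written, the first policy blocks the H.245 connection and all six inbound media flows; the second blocks nothing, which is the practical reason to pin a codec to fixed ports when the firewall has no H.323 inspection.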
It is important that you plan your H.323 network from the start, before you even order your first codec (see Network Design). If you are unable to receive H.323 calls from codecs outside your network, you probably have firewall or NAT issues on your side. If you are unable to call out to another codec, the problem may be your firewall or NAT, or the far end's.

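Why the "NAT parameters" mentioned above matter: the H.225 Setup message carries, inside its payload, the address and port the far end must connect back to for H.245. A NAT device that rewrites only IP headers leaves the codec's private address in there, and the far end's H.245 connection goes nowhere. This Python sketch is an added example (not code from this page, Polycom or Cisco) that models three cases: header-only NAT, NAT with an H.323 application-layer gateway (what PIX's H.323 fixup provides), and a codec configured with its own public address. The message layout is a simplified, constructed stand-in for the ASN.1-encoded H.225 Setup, and the addresses are constructed.

```python
"""Embedded addresses in H.323 signalling versus NAT.

Added example with a simplified, constructed stand-in for the H.225 Setup message;
real H.225 is ASN.1 encoded and carries many more fields.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# RFC 1918 space: never reachable from the far end across the Internet.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Setup:
    """The parts of an H.225 Setup that matter for traversal."""
    src_ip: str                      # IP header source address
    dst_ip: str                      # IP header destination address
    h245_address: Tuple[str, int]    # payload: where the far end must open H.245


def codec_sends_setup(codec_ip: str, far_end_ip: str, h245_port: int,
                      public_ip: Optional[str] = None) -> Setup:
    """Setup as the codec emits it. If the codec has been given its public address
    (the codec-side NAT setting referred to above), it advertises that in the
    payload instead of its own interface address."""
    advertised = public_ip or codec_ip
    return Setup(codec_ip, far_end_ip, (advertised, h245_port))


def nat_header_only(pkt: Setup, private_ip: str, public_ip: str) -> Setup:
    """Plain NAT: rewrite the IP header, leave the payload alone."""
    return replace(pkt, src_ip=public_ip) if pkt.src_ip == private_ip else pkt


def nat_with_h323_alg(pkt: Setup, private_ip: str, public_ip: str) -> Setup:
    """NAT with an H.323 application-layer gateway: also rewrite addresses that are
    embedded in the signalling payload."""
    pkt = nat_header_only(pkt, private_ip, public_ip)
    ip, port = pkt.h245_address
    if ip == private_ip:
        pkt = replace(pkt, h245_address=(public_ip, port))
    return pkt


def is_rfc1918(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RFC1918)


def far_end_h245_target(pkt: Setup) -> Tuple[str, int, bool]:
    """Where the far end will try to open the H.245 TCP connection, and whether
    that address is reachable from the Internet."""
    ip, port = pkt.h245_address
    return ip, port, not is_rfc1918(ip)


if __name__ == "__main__":
    PRIVATE, PUBLIC, FAR = "10.0.0.10", "203.0.113.10", "198.51.100.20"  # constructed
    plain = codec_sends_setup(PRIVATE, FAR, 3230)
    aware = codec_sends_setup(PRIVATE, FAR, 3230, public_ip=PUBLIC)
    cases = [
        ("header-only NAT", nat_header_only(plain, PRIVATE, PUBLIC)),
        ("NAT with H.323 ALG", nat_with_h323_alg(plain, PRIVATE, PUBLIC)),
        ("codec knows its public address", nat_header_only(aware, PRIVATE, PUBLIC)),
    ]
    for label, pkt in cases:
        ip, port, ok = far_end_h245_target(pkt)
        verdict = "ok" if ok else "unreachable, call stalls after setup"
        print(f"{label:<32} far end connects to {ip}:{port} -> {verdict}")
```

The first case is the classic symptom from the troubleshooting paragraph above: the call appears to connect, then drops when H.245 never comes up. Either fix (an H.323-aware firewall or a codec that knows its public address) produces a routable address in the payload.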
Configuring your Firewall:

Netscreen
The following diagram shows a basic Netscreen configuration. It does NOT show all the ports required for successful IP videoconferencing; see the list of firewall ports below.
Cisco PIX
- PIX 6.3(3): the preferred configuration for this version of PIX. It works well with Polycom ViewStation codecs running the software version recommended in this link.
- PIX 6.2: this version can support H.323, but uses different settings than 6.3(3). An upgrade to 6.3(3) or later is recommended as soon as possible, which may also require codec software upgrades.
- PIX 6.1: this version can support H.323, but uses different settings than 6.3(3). If you cannot upgrade, this configuration will work for you.
SonicWall
If you have a SonicWall, it is recommended that you place your codec on the outside or in the DMZ zone of your network. Although SonicWalls can be configured for the H.323 ports, our testing did not succeed in gaining complete access for videoconferencing.

Typical Firewall Port Numbers for H.263/H.323 and T.120:

This is the generic list of ports used by some part of the H.323 standard. For firewall-specific setup information, see the configurations above. Note: ICMP must be enabled for calls to complete. Unless you have a specific need to share applications, you do not need to open port 1503. Additional ports may be required by your specific codec. IANA registers each of these ports for both TCP and UDP; in practice gatekeeper discovery and RAS (1718, 1719) run over UDP and Q.931 call setup (1720) over TCP, so your rules can be tighter than the table suggests.

| Port  | Protocol  | IANA name      | Use                                                                                 |
| 1300  | TCP & UDP | h323hostcallsc | H.323 host call secure                                                              |
| 1503  | TCP & UDP | imtc-mcs       | T.120 application sharing in a multipoint conference (multipoint conference server) |
| 1718  | TCP & UDP | h323gatedisc   | Gatekeeper discovery (must be bidirectional)                                        |
| 1719  | TCP & UDP | h323gatestat   | Gatekeeper RAS (must be bidirectional)                                              |
| 1720  | TCP & UDP | h323hostcall   | Q.931 call setup (must be bidirectional)                                            |
| 1731  | TCP & UDP | msiccp         | Audio call control (VoIP) (must be bidirectional)                                   |
| 2979  | TCP & UDP | h263-video     | H.263 video streaming                                                               |
| 11720 | TCP & UDP | h323callsigalt | H.323 call signalling alternate                                                     |

Reference: Internet Assigned Numbers Authority (IANA)
Other Common Ports used by some codecs:

| Port      | Protocol | Use                                               |
| 80        | TCP      | Web browser interface to codec controls and menus |
| 389       | TCP      | ILS registration (LDAP)                           |
| 3230-3231 | TCP      | Typical Polycom fixed ports (H.245 control)       |
| 3230-3235 | UDP      | Typical Polycom fixed ports (RTP/RTCP media)      |

Additional Reading Materials about Firewalls:
- Videoconferencing Cookbook (by ViDeNet): see the chapter "Network Matters" and scroll down to "Network Address Translation (NAT) and Firewalls" for some excellent reading about the trials and tribulations of firewalls and NAT.
- Polycom information on firewall setup (some of these are PDF files)
- Intel Information:
Excerpts of the material on this page have been graciously contributed by Wisconsin VCS Videoconference Services.