VNS Video-Over-IP Guidelines
Firewall Configuration

Firewalls are a common cause of videoconferencing problems because of the number of ports that must be opened to allow video traffic to flow through them.

NAT or Private IP Addresses for Video Conferencing

Since most outgoing firewall ports are open and incoming ports are restricted for security, it is easy to make an outgoing call from inside your firewall. The problem arises when an incoming video call has to travel through your firewall and find your endpoint's IP address, especially when that address is a private NAT address. Incoming calls will not reach your video system unless the firewall is configured to forward the IP video ports to the private static IP address of the video unit. See Figure B.

Figure B illustrates that with network address translation there is no public IP address visible from the outside network, so an incoming call cannot find its destination. An outgoing call from the video system has no trouble reaching a public IP address through the firewall, because the outgoing ports of the local firewall are typically open. If your system can make calls but not receive them, you will most likely need to configure one of the four options below for your system to work correctly.
ITS Video Network Services will assist local technical personnel with video firewall solutions. ITS Video Network Services cannot guarantee a solution for every firewall unless the Ridgeway Solution is elected. Clients have four ways to address firewall issues, listed in order of preference:

1. If the video conferencing system is an appliance (not PC based), establish the endpoint outside the firewall or in a public DMZ with a public IP address. Refer to the section covering System Security and Password Protection to secure and protect your endpoint from intrusion.

Video Conferencing Appliances
Figure A illustrates a public IP address being used by the video system. For proper operation of the video network it is not uncommon to see public IP addresses assigned to video systems. Most group video systems are appliance based, so they do not run a general-purpose desktop operating system such as Windows or Linux with its typical vulnerabilities; they do, however, run embedded firmware and expose their own network services. Treat the system as secure only when its web interface, FTP interface, SNMP and Telnet interface are each either password protected or, preferably, turned off.
2. Establish the endpoint inside the firewall with a private NAT address and forward all H.323-related ports to the IP address of your video endpoint. Make a rule that allows any IP address to and from the IP address of your endpoint for all ports listed in the table below.
Port forwarding of IP video traffic is one option that can be used to enable two-way communication with your video system. A more reliable and secure option is to use an H.323 proxy or a firewall traversal solution (proxy). Refer to the section covering System Security and Password Protection to secure and protect your endpoint from intrusion.

H.323 Port Requirements

Port          Required/Optional                                   Port Type     Usage                                   Direction
80            Optional (required for outside remote maintenance)  Static TCP    HTTP interface                          -
21            Optional (required for outside remote maintenance)  TCP           Software updates (FTP)                  Bidirectional
23            Optional (required for outside remote maintenance)  TCP           Telnet (diagnostics and API control)    Bidirectional
389           Optional (required if the network uses ILS)         Static TCP    ILS registration (LDAP)                 Bidirectional
1503          Optional (required if using T.120)                  Static TCP    T.120 data conferencing                 Bidirectional
1718          Required                                            Static UDP    Gatekeeper discovery                    Bidirectional
1719          Required                                            Static UDP    Gatekeeper RAS                          Bidirectional
1720          Required                                            Static TCP    H.323 call setup                        Bidirectional
1731          Required                                            Static TCP    Audio call control                      Bidirectional
1024-65535    Required                                            Dynamic TCP   H.245 (dynamic port allocation)         Bidirectional
1024-65535    Required                                            Dynamic UDP   RTP (audio and video data)              Bidirectional
1024-65535    Required                                            Dynamic UDP   RTCP (media control)                    Bidirectional

Note: Other ports may be required depending on the application and the manufacturer of the equipment.

Figure C illustrates that allowing or forwarding the IP video ports to the private static IP address of your video unit enables incoming calls to find their destination. The rules can be limited to the H.323 ports alone. Note, however, that IP video systems dynamically select ports above 1024 for video, audio and control, so forwarding the 1024-65535 ranges exposes every port above 1024 on the endpoint to the outside network; fixed ports can be selected only on certain brands of equipment. This option requires assistance from your firewall administrator and is part of the pre-configuration that must be completed prior to certification.
3. Establish the endpoint behind the firewall and use the endpoint software to limit the number of ports that need to be opened. A firewall technician will then need to make exceptions to and from this IP address for the specified ports. Some equipment manufacturers, Polycom for instance, allow you to keep the large port range 1024-65535 closed and open only six ports, 3230-3235, for audio, video and control. This is known as using fixed ports.
Example of port requirements for Polycom video endpoint appliances

Port          Required/Optional                            Port Type     Usage                                                        Direction
389           Optional (required if the network uses ILS)  Static TCP    ILS registration (LDAP)                                      Bidirectional
1718          Required                                     Static UDP    Gatekeeper discovery                                         Bidirectional
1719          Required                                     Static UDP    Gatekeeper RAS                                               Bidirectional
1720          Required                                     Static TCP    H.323 call setup                                             Bidirectional
1731          Required                                     Static TCP    Audio call control                                           Bidirectional
3230-3235     Required                                     TCP/UDP       Signaling and control for audio, call, video and data/FECC   Bidirectional
3603          Optional                                     Static TCP    Web interface                                                Bidirectional

For additional security, refer to the section covering System Security and Password Protection to secure and protect your endpoint from intrusion.

4. Establish the endpoint behind the firewall and use the Ridgeway Solution. Video Network Services can provide a firewall proxy (Ridgeway) and assist with setup and configuration. The service uses only two well-known ports to pass video traffic through your agency's firewall: 2776 TCP/UDP and 2777 UDP are the only ports that need to be allowed through the firewall for video traffic. With the proxy service, the video system's static NAT IP address is assigned an alias; the proxy routes an incoming call to your NAT video system by sending the call to that alias. This allows both outgoing and incoming calls to your unit with no special firewall configuration beyond allowing those two ports. It is the preferred method of handling NAT and firewalls because it lets your video system use both its dial-in and dial-out features. IP video bridging and scheduling services can dial into your system only if it can be reached; without port forwarding or the Ridgeway service, your video system is restricted to dial-out only.
The Ridgeway Group (Site) Client must be installed on a stand-alone PC connected to the same network segment as your video units. This machine must have Internet access and an Internet browser installed. There must be no firewall restrictions on the internal network between the Group client and each video appliance, since both sit on the same internal secured network. The stand-alone PC must remain on at all times and must therefore be on a UPS to maintain power; if the Ridgeway Group client is turned off or loses power, the video endpoints lose connectivity. Figure D shows the configuration.

The Group client must meet the following specifications:
- Intel Pentium III, 600 MHz
- 128 MB RAM
- 4.0 GB hard drive
- 100 Mb NIC
- Operating system: Windows 2000 Server, Windows 2000 Professional, or Windows XP

If the Ridgeway Solution is used for firewall traversal, VNS will assist the client in configuring the endpoint to work with either the Ridgeway Personal or Group Client. VNS will supply the Ridgeway software and accounts.

Figure D illustrates the Ridgeway Group client configuration, which provides a video proxy through your firewall. Ports through the firewall can be limited to 2776 and 2777 for video, and additional video systems may use the same proxy to traverse the firewall. ITS Video Network Services provides the Ridgeway application software; your agency provides the workstation hardware. This solution provides a reliable method of handling security through the firewall, and this relatively simple installation also allows two-way dialing.
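The following script is an added example and is not part of the VNS guidelines or any vendor's software. It prints the Linux iptables rules that implement option 2 (forward the full H.323 port table, including the dynamic 1024-65535 ranges) and option 3 (forward only the Polycom fixed ports 3230-3235) for an endpoint on a private NAT address, so the two rule sets can be compared side by side. The endpoint address 192.0.2.10, the interface name eth0 and the use of a Linux iptables firewall are assumptions for illustration only; adapt them to your own firewall before applying anything.

```shell
#!/bin/sh
# Added example (not from the VNS guidelines): print iptables rules that
# publish an H.323 endpoint sitting on a private NAT address.
#   option 2 = "dynamic": forward the full port table, 1024-65535 included
#   option 3 = "fixed":   forward only the Polycom fixed ports 3230-3235
# Assumptions (illustrative): Linux iptables firewall; WAN interface name and
# endpoint address are passed in. Rules are printed for review, not applied.

# Static ports every H.323 endpoint needs for gatekeeper and call setup
# (taken from the H.323 port table in the guidelines).
H323_STATIC='
udp 1718 gatekeeper-discovery
udp 1719 gatekeeper-RAS
tcp 1720 H.323-call-setup
tcp 1731 audio-call-control
'

# Media and control ports depend on which option the endpoint is configured for.
media_ports() {
    case "$1" in
        dynamic) printf '%s\n' 'tcp 1024:65535 H.245' 'udp 1024:65535 RTP-RTCP' ;;
        fixed)   printf '%s\n' 'tcp 3230:3235 fixed-signaling' 'udp 3230:3235 fixed-media' ;;
        *)       echo "unknown mode: $1 (use dynamic|fixed)" >&2; return 1 ;;
    esac
}

# h323_rules ENDPOINT_IP WAN_IF MODE -> prints the iptables commands
h323_rules() {
    ep="$1"; wan="$2"; mode="$3"
    media_ports "$mode" >/dev/null || return 1

    # Reply traffic for any forwarded or outgoing flow, plus outgoing calls
    # placed by the endpoint itself (the outbound direction is normally open).
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $ep -o $wan -j ACCEPT"

    { printf '%s\n' "$H323_STATIC"; media_ports "$mode"; } |
    while read -r proto port desc; do
        [ -z "$proto" ] && continue
        # Rewrite the public destination to the endpoint's private address ...
        echo "iptables -t nat -A PREROUTING -i $wan -p $proto --dport $port -j DNAT --to-destination $ep  # $desc"
        # ... and let the translated packet through (the inbound half of 'bidirectional').
        echo "iptables -A FORWARD -i $wan -p $proto -d $ep --dport $port -j ACCEPT"
    done
}

# Number of port entries published to the outside network for a mode.
forwarded_entries() {
    h323_rules 192.0.2.10 eth0 "$1" | grep -c '^iptables -t nat'
}

# Show both rule sets for the assumed endpoint 192.0.2.10 behind eth0.
for m in dynamic fixed; do
    echo "# --- option: $m ---"
    h323_rules 192.0.2.10 eth0 "$m"
done
```

Both modes produce the same number of entries, but the dynamic set forwards every port above 1024 on the endpoint to the outside network, which covers any management service the endpoint listens on in that range (for example the Polycom web interface on 3603), while the fixed set exposes only 3230-3235 alongside the signaling ports. The maintenance ports 21, 23 and 80 from the table are deliberately not forwarded in either mode; reach them from the inside network, or add them only for the duration of remote maintenance. The hardening in System Security and Password Protection applies whichever option you choose.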