Network and Firewall Considerations
Those implementing videoconferencing systems often discover that firewalls and routers inhibit videoconference sessions. This article aims to shed some light on the issue. The solutions are simpler than one might think.

Option 1: Bypass the Firewall

The simplest way to deal with videoconferencing and firewalls is to assign your videoconferencing system a static IP address outside the firewall. This removes any potential for the firewall to cause a problem. This is only wise if you are using a non-PC-based videoconferencing appliance, because if someone were to compromise the system, there is not much they can do to an appliance. However, if a PC-based videoconferencing system is compromised, the attacker could potentially do much more damage to your network and attached clients.

Option 2: Open the Specific Videoconferencing Ports

A second strategy is to open only the ports that videoconferencing uses, and only for the specific IP address of your videoconference system. The following are some common ports used by videoconferencing systems. You should consult your user manual for the ports specific to your device, as it will provide a tighter range. Also consult with your firewall administrator and explain that you need to open firewall ports for H.323. (Administration tools and remote login ports for your specific system are likely not listed here and may need to be opened if you want to administer your system remotely.)

| Port | Type | Description |
|------|------|-------------|
| 80 | Static TCP | HTTP Interface (optional) |
| 389 | Static TCP | ILS v2.0 Registration (LDAP) |
| 1002 | Static TCP | Win 2000 ILS Registration |
| 1503 | Static TCP | T.120 (a family of protocols) |
| 1718 | Static TCP | Gatekeeper Discovery |
| 1719 | Static TCP | Gatekeeper RAS |
| 1720 | Static TCP | H.323 Call Setup. H.225 umbrella includes: Q931 for call signaling |
| 1731 | Static TCP | Audio Call Control |
| 8080 | Static TCP | HTTP Server Push (optional) |
| 1024-65535 | Dynamic TCP | H.245 (Call Parameters) |
| 1024-65535 | Dynamic UDP | RTP (Video Stream Data) H.261, H.263 |
| 1024-65535 | Dynamic UDP | RTP (Audio Stream Data) G.711, G.722, G.723.1, G.728, G.729 |
| 1024-65535 | Dynamic UDP | RTCP (Call Control Information) H.245 |
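One way to check a firewall rule set against Option 2 and the table above, as an added example that is not part of the original article: it flags rules that are not limited to the videoconferencing system's address, ports below 1024 that the table does not list, and port ranges wider than the range from the device manual. The rule format, the finding names, the sample addresses and the 3230-3235 manual range are assumptions made for illustration.

```python
import ipaddress

# Static TCP ports from the table above; 1024-65535 is its dynamic TCP/UDP range.
STATIC_TCP = {80, 389, 1002, 1503, 1718, 1719, 1720, 1731, 8080}
DYNAMIC_LOW = 1024

def audit(rules, codec_ip, vendor_range=None):
    """Audit inbound allow rules; return sorted (rule_index, finding) pairs.

    rules: dicts with 'proto' ("tcp"/"udp"), 'dst' (CIDR), 'ports' (low, high).
    vendor_range: tighter dynamic port range from the device manual, if known.
    Index -1 marks a finding about the rule set as a whole.
    """
    codec = ipaddress.ip_network(codec_ip)  # the codec as a single-host network
    findings = set()
    call_setup_open = False
    for i, rule in enumerate(rules):
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        low, high = rule["ports"]
        # Option 2 opens ports for the codec's address only.
        if dst != codec:
            findings.add((i, "BROAD_DST"))
        # Below 1024 the table lists only single static TCP ports.
        is_static = low == high and rule["proto"] == "tcp" and low in STATIC_TCP
        if low < DYNAMIC_LOW and not is_static:
            findings.add((i, "OFF_TABLE_PORT"))
        # A port range wider than the manual's range is looser than needed.
        if vendor_range and low != high and (
                low < vendor_range[0] or high > vendor_range[1]):
            findings.add((i, "WIDE_DYNAMIC"))
        # H.323 call setup needs TCP 1720 to reach the codec.
        if rule["proto"] == "tcp" and low <= 1720 <= high and codec.subnet_of(dst):
            call_setup_open = True
    if not call_setup_open:
        findings.add((-1, "NO_CALL_SETUP"))
    return sorted(findings)

# Constructed sample rule set (documentation addresses, not from the article).
SAMPLE_RULES = [
    {"proto": "tcp", "dst": "203.0.113.10/32", "ports": (1720, 1720)},
    {"proto": "udp", "dst": "203.0.113.0/24", "ports": (1024, 65535)},
    {"proto": "tcp", "dst": "203.0.113.10/32", "ports": (23, 23)},
    {"proto": "tcp", "dst": "203.0.113.10/32", "ports": (3230, 3235)},
]

if __name__ == "__main__":
    # (3230, 3235) stands in for a range read from a device manual (assumed).
    for index, finding in audit(SAMPLE_RULES, "203.0.113.10", (3230, 3235)):
        print(index, finding)
```
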

NAT (Network Address Translation)

Videoconferencing systems do not work well with NAT unless the NAT is set up for videoconferencing. Even then it may not work unless your videoconferencing system supports NAT.

NAT provides an internal IP address for network devices that is hidden from those outside your internal network. NAT is not the best solution for your videoconferencing system. But if you must use NAT, then you need to assign a static internal private NAT address to your videoconferencing system and map that to a static external public address. The static external public address is necessary for remote videoconferencing systems to call you.

Videoconferencing systems that support NAT will have a place to enter the external IP address that translates to its internal NAT address in its setup menu. This makes the videoconferencing system aware of the NAT you are using and it will compensate. (NOTE: not all videoconferencing systems support this feature.)


For more detailed information than what is presented here, the following articles are useful:

http://www.teamsolutions.co.uk/tsfirewall.html
and
http://www.giac.org/practical/GSEC/Steve_Cypher_GSEC.pdf

CRDC, University of Lethbridge
Last Updated on Monday, 29 March 2010 21:00