   Firewall Configuration ::CalREN Video Services::

If you have a campus firewall, you must configure it to allow H.323 traffic through it (both incoming and outgoing). The CVS Gatekeeper also functions as a proxy server, so as long as you allow H.323 traffic from that IP address, anyone on your campus who registers their codecs with your gatekeeper should be able to videoconference.

In order to give CENIC access required to configure and manage your campus gatekeeper, we need you to:

  1. Permit all traffic from the gatekeeper destined for the outside world.
  2. Permit all traffic to the gatekeeper from the following networks:
     205.154.240.0/22 (/22 = 255.255.252.0)
     137.164.80.0/20  (/20 = 255.255.240.0)
     137.164.29.0/24  (/24 = 255.255.255.0)

     The applications CENIC will use to manage your gatekeeper from these addresses include:
     tftp       UDP port 69
     telnet     TCP port 23
     SSH        TCP port 22
     SNMP       UDP and TCP port 161
     ICMP       all ICMP

  3. Permit inbound traffic on the H.323 ports listed below, and ICMP traffic, from the entire internet.

You may open all ports on your firewall between the gatekeeper and that address range, or, if you prefer, open just the management ports (telnet, SSH, SNMP and tftp) in addition to the H.323 ports listed below.

The following information is adapted from the University of Wisconsin H.323 IP Videoconferencing Services web site.

Firewalls and H.323 have not been very friendly:

Videoconferencing is a difficult application to pass through firewalls and Network Address Translation (NAT). Firewalls and NAT provide security by limiting access to a Local Area Network's (LAN's) ports, filtering or blocking inbound Internet traffic. Recent advancements, at least in the Cisco PIX firewall and recent Polycom software upgrades, are making firewalls and videoconferencing equipment more compatible with each other.

How H.323 traverses a Firewall:

H.323 traffic requires the use of several ports that may be protected by the firewall or NAT. If a firewall is between your campus gatekeeper and the regional gatekeeper, certain ports must be set properly before a connection can be made between the two sites.

H.323 uses a single fixed TCP port (1720) to start a call using the H.225 protocol (defined by the H.323 suite) for call control. Once H.225 call setup is complete, it then uses a dynamic TCP port for the H.245 protocol (also defined by the H.323 suite) for capabilities exchange (caps exchange) and channel control. Finally, it opens two dynamic UDP ports for each type of media negotiated for the call (audio, video, far-end camera control, etc.). The first port carries the RTP protocol data (defined by the H.225 specification) and the second carries the RTCP data (defined by the H.225 specification).

If you are unable to receive H.323 calls from codecs or gatekeepers outside your network, you probably have firewall or NAT issues. If you are unable to call out to the other codec, you might have firewall or NAT issues.

Typical Firewall Port Numbers for H.263/H.323 and T.120:

This is the generic list of ports used by some part of the H.323 standard.

Port    Protocol    IANA name        Use
1300    TCP & UDP   h323hostcallsc   H.323 Host Call Secure
1503    TCP & UDP   imtc-mcs         Multipoint conference server; T.120 application sharing in a multipoint conference
1718    TCP & UDP   h323gatedisc     Gatekeeper discovery (must be bidirectional)
1719    TCP & UDP   h323gatestat     Gatekeeper RAS (must be bidirectional)
1720    TCP & UDP   h323hostcall     Q.931 call setup (must be bidirectional)
1731    TCP & UDP   msiccp           Audio Call Control (VoIP) (must be bidirectional)
2979    TCP & UDP   h263-video       H.263 Video Streaming
11720   TCP & UDP   h323callsigalt   H.323 Call Signal Alternate

(reference: Internet Assigned Numbers Authority (IANA))
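As an added example (not part of the CENIC page or its firewall products), the campus-side policy from the top of this page combined with the port table above, modelled in Python: a check for whether a given packet is permitted, and the same policy rendered as Linux iptables rules. The gatekeeper address 192.0.2.10 is an assumed placeholder, and the CENIC networks and ports are the ones listed on this page.

```python
import ipaddress

# Constructed value: the campus gatekeeper address is an assumption (RFC 5737 documentation range).
GATEKEEPER = ipaddress.ip_address("192.0.2.10")

# CENIC management networks named on this page.
CENIC_NETS = [ipaddress.ip_network(n) for n in
              ("205.154.240.0/22", "137.164.80.0/20", "137.164.29.0/24")]

# Management applications CENIC uses from those networks: (protocol, port).
MGMT_PORTS = {("udp", 69), ("tcp", 23), ("tcp", 22), ("udp", 161), ("tcp", 161)}

# Static H.323 ports from the table above, permitted inbound from the entire internet.
H323_PORTS = {1300, 1503, 1718, 1719, 1720, 1731, 2979, 11720}


def permitted(src, dst, proto, dport=None, full_mgmt_open=False):
    """Return True if the page's three-rule policy permits this packet.
    proto is 'tcp', 'udp' or 'icmp'; full_mgmt_open=True models the page's first option
    (all ports open to the CENIC ranges), False just the management ports."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip == GATEKEEPER:          # rule 1: gatekeeper to the outside world
        return True
    if dst_ip != GATEKEEPER:          # the policy only covers gatekeeper traffic
        return False
    if proto == "icmp" or dport in H323_PORTS:   # rule 3: H.323 ports and ICMP from anywhere
        return True
    if any(src_ip in net for net in CENIC_NETS):  # rule 2: CENIC management networks
        return full_mgmt_open or (proto, dport) in MGMT_PORTS
    return False


def iptables_rules(full_mgmt_open=False):
    """Render the same policy as Linux iptables FORWARD rules (illustrative syntax)."""
    gk = str(GATEKEEPER)
    rules = [f"iptables -A FORWARD -s {gk} -j ACCEPT"]
    for net in CENIC_NETS:
        if full_mgmt_open:
            rules.append(f"iptables -A FORWARD -s {net} -d {gk} -j ACCEPT")
        else:
            for proto, port in sorted(MGMT_PORTS):
                rules.append(f"iptables -A FORWARD -s {net} -d {gk} -p {proto} --dport {port} -j ACCEPT")
    for port in sorted(H323_PORTS):
        for proto in ("tcp", "udp"):
            rules.append(f"iptables -A FORWARD -d {gk} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -d {gk} -p icmp -j ACCEPT")
    # The dynamic H.245 and RTP/RTCP ports described above are not covered by these static
    # rules; an H.323-aware firewall (or an explicit port range) is needed for them.
    rules.append(f"iptables -A FORWARD -d {gk} -j DROP")
    return rules
```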

Last updated July 29, 2004. Questions? Contact: webmaster@cenic.org