Interactive Videoconferencing
Firewalls and Network Address Translation (NAT)

Firewalls and H.323 have not been very friendly:
Videoconferencing is a difficult application to negotiate through firewalls and Network Address Translation (NAT). Firewalls and NAT are used to provide security by limiting access to a Local Area Network's (LAN's) ports by filtering or blocking inbound Internet traffic. Recent advancements, at least in the Cisco PIX firewall and recent Polycom software upgrades, are beginning to make the two more friendly with each other. We recommend assigning a public K-20 IP address to your codec and installing it on your network outside of your firewall. A hacker may be able to access a Polycom appliance-based codec that is outside a firewall, but can do little other than place a call or change its settings. Most Internet viruses and worms attack Microsoft Windows™ and other operating systems. The recommended Polycom appliance-based codecs do not use these operating systems.

Using your codec behind a firewall?
You have multiple codecs (or distance education classrooms) on the same LAN or Wide Area Network that need to connect to each other in addition to connecting to other endpoints across K-20 or the Internet. Those codecs are probably separated by some distance, which may make it impossible to connect each directly to K-20 outside your firewall. You will need to install them inside and will need to set up the firewall to allow incoming and outgoing calls. If your endpoint is behind a firewall blocking incoming H.323 calls, and the site you want to connect with is also, then neither site will be able to connect by placing a call to the other: your outgoing call signalling will be blocked by the far end's firewall.

How H.323 traverses a Firewall:
H.323 traffic requires the use of several ports that may be protected by the firewall or NAT. If a firewall is between your codec and the far-end codec, certain ports must be set properly before a connection can be made between the two sites. The codec may also need NAT parameters defined. H.323 uses a single fixed TCP port (1720) to start a call using the H.225 protocol (defined by the H.323 suite) for call control. Once that protocol is complete, it then uses a dynamic TCP port for the H.245 protocol (also defined by the H.323 suite) for capabilities exchange (caps exchange) and channel control. Finally, it opens two dynamic UDP ports for each type of media that was negotiated for the call (audio, video, far-end camera control, etc.). The first port carries the RTP protocol data (defined by the H.225 specification) and the second carries the RTCP data (defined by the H.225 specification). See H.323 Basics for an explanation of the H.323 suite. It is important that you plan your H.323 network from the start, before you even order your first codec (see Network Design). If you are unable to receive H.323 calls from codecs outside your network, you probably have firewall or NAT issues. If you are unable to call out to the other codec, you might have firewall or NAT issues.

Configuring your Firewall:
Netscreen
The following diagram shows a Netscreen basic configuration. It does NOT show all the required ports needed for successful IP videoconferencing. Please see the list of firewall ports below.

SonicWall

Typical Firewall Port Numbers for H.263/H.323 and T.120:
This is the generic list of ports used by some part of the H.323 standard. For specific setup information for firewalls, see the above configurations. Note: ICMP must be enabled for calls to complete. Unless you have a specific need to share applications, you do not need to open port 1503. Additional ports may be required by your specific codec.
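As an added example (not code from this page or from any codec or firewall vendor), the following Python script models the three call phases described above, H.225 setup on fixed TCP 1720, a dynamic TCP port for H.245, then one RTP and one RTCP UDP port per negotiated media type, and reports which phase the called site's firewall would block, including the case where both sites block incoming calls. The dynamic port ranges, the assumption that the caller opens the H.245 connection, and the stateful-firewall behaviour are assumptions; substitute the ranges your codec documents.

```python
from dataclasses import dataclass, field

H225_PORT = 1720             # fixed TCP call-signalling port (from the page)
H245_RANGE = (1024, 65535)   # ASSUMED: codec's dynamic TCP range for H.245
RTP_RANGE = (16384, 32767)   # ASSUMED: codec's dynamic UDP range for RTP/RTCP


@dataclass
class Firewall:
    """Default-deny inbound allow list. ASSUMED stateful: flows the inside
    initiates (and, with symmetric RTP, their return media) pass, so only the
    called side's inbound rules decide whether a call can be completed."""
    name: str
    inbound: list = field(default_factory=list)  # (proto, low, high)

    def allow(self, proto, low, high=None):
        self.inbound.append((proto, low, high if high is not None else low))
        return self

    def covers(self, proto, low, high):
        # The codec may pick any port in the range, so one rule must span it.
        return any(p == proto and lo <= low and high <= hi
                   for p, lo, hi in self.inbound)


def diagnose(caller, callee, media):
    """List the call phases that `callee`'s firewall would block for a call
    placed by `caller`; an empty list means the call can complete."""
    blocked = []
    if not callee.covers("tcp", H225_PORT, H225_PORT):
        blocked.append(f"H.225 setup: {callee.name} blocks inbound TCP "
                       f"{H225_PORT} from {caller.name}")
    if not callee.covers("tcp", *H245_RANGE):  # ASSUMED: caller opens H.245
        blocked.append(f"H.245 control: {callee.name} blocks dynamic TCP {H245_RANGE}")
    if not callee.covers("udp", *RTP_RANGE):  # two UDP ports per media type
        blocked.append(f"media: {callee.name} blocks {2 * len(media)} UDP ports "
                       f"(RTP+RTCP for {', '.join(media)}) in {RTP_RANGE}")
    return blocked


def can_connect(a, b, media):
    """True if the call completes with either site placing it."""
    return not diagnose(a, b, media) or not diagnose(b, a, media)


if __name__ == "__main__":
    # Constructed sample: site A blocks all incoming H.323, site B is opened up.
    site_a = Firewall("site-A")
    site_b = (Firewall("site-B").allow("tcp", H225_PORT)
              .allow("tcp", *H245_RANGE).allow("udp", *RTP_RANGE))
    print(diagnose(site_b, site_a, ["audio", "video"]))  # three blocked phases
    print(can_connect(site_a, site_b, ["audio"]), can_connect(site_a, Firewall("C"), ["audio"]))
```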
Reference: Internet Assigned Numbers Authority (IANA)

Other Common Ports used by some codecs:
Additional Reading Materials about Firewalls:
Excerpts of the material on this page have been graciously contributed by Wisconsin VCS Videoconference Services.