Tag Archives: Firewall

Day 4: Making H.323 Video Conferencing Work on a Network

This post continues our 20 Day Challenge to understand the technical aspects of videoconferencing.

There are two main methods for installing videoconference hardware on your network. We prefer the NAT static IP method; but we also realize that’s “old school”. Be that as it may, we’ve noticed a trend across the U.S. that some states with a strong Internet2 influence are more likely to use the static IP method.

Let’s consider in more depth the two methods for installing your videoconference system.

1. Static IP NATed Through Firewall

This method provides a public IP address that can be dialed and so the endpoint can easily place and receive calls.

To setup:

  1. First on the router (or firewall), set up a NAT (Network Address Translation) mapping an assigned static public IP address to the internal address that the endpoint will use.
  2. Then, on the endpoint, go into the LAN settings and put in the internal IP address information (DNS, internal IP, gateway, etc.). This part is very similar to how you would set up a computer on your network.
  3. Next, on the endpoint, go into the IP Network H.323 Firewall settings, and add the Public IP address. Some systems have options for autodetecting the NAT, manual defining the NAT, and H.460 Firewall Traversal, and fixed ports. You may need to experiment with these settings until you find the one that works best with your firewall. Change one setting at a time, then try to dial out to a test site and see if it will connect. (At this point, you may or may not receive video from the test site; but at least see if it will dial out.)

The endpoint needs to know the NAT information so that it can properly package the bits of data so that return traffic actually gets through!

Videoconference Traffic Ports
The final area you’ll need to set is to make sure that the firewall is allowing traffic through the right ports for videoconferencing.

First, a little history. The H.323 standard was developed without firewalls in mind. So since then, manufacturers have been challenged to develop equipment and work together to adapt the standards to work better through firewalls. This means that the way H.323 communicates on your network isn’t exactly firewall friendly. It’s helpful to know what happens when a call is set up:

  • First the two systems communicate through TCP and UDP port 1720 to set up the call. This is standard across all vendors.
  • If a gatekeeper is used, then the endpoint communicates with the gatekeeper through ports 1718 and 1719 (TCP and UDP). (More on gatekeepers in a future post.)
  • During this initial communication, the two endpoints talk to each other to share capabilities (called the caps exchange). This includes, which ports the video and audio streaming is shared through. There is a wide range of ports allowed for this streaming, and it depends on your settings (i.e. fixed ports), and the other endpoints settings, on what it will actually settle on.
  • For a full list of ports used in videoconferencing, see this list.

Bottom Line
For ports, you need to open these ports for the static IP that the videoconference system is using:

  • 1720 TCP UDP both ways
  • If you use a gatekeeper off your network, 1718 and 1719. (Janine’s schools do this; Shane & Roxanne’s don’t).
  • The fixed ports you set on the endpoint.

That’s the minimum.

In our cases, we also need to remote manage the school’s endpoints. So we also have the tech director open these ports:

  • Web access (port 80)
  • Telnet access
  • FTP access (for remotely upgrading the system)
  • SNMP (if we have the systems in a management system such as RENOVO, Tandberg Management Suite (TMS), or Polycom Converged Management Application (CMA).

If there are concerns about security, these ports can be set to accept traffic only from our network.

Some Final Notes

  • Call a test site and make sure you can send and receive video and audio.
  • Some of our schools are set up this way, but due to restrictions on the firewall’s capabilities or on the school network policy, the units can only dial out. However, wherever possible, we try to get the units set up so they can place & receive calls to an IP address.
  • One security method is to keep the unit turned off when it is not in use.
  • In some cases, if you do not have the videoconference unit NATed, you are still able to dial out of your network to other public sites, but are not able to have other sites dial back to you.

2. Firewall Traversal Appliance

Firewall

The newer method, recommended by resellers and manufacturers, is to purchase an additional firewall traversal product. The firewall traversal box sits on the edge of the network, usually beside the firewall. In this setup, video traffic goes through the traversal box, and regular traffic goes through the firewall.

Some choices for this product include:

Generally you’ll have better luck if you buy the same vendor’s firewall traversal product as the endpoints.

Installation will be done by the reseller that sold you the equipment; so there isn’t any extra configuration needed on your end.

Dialing
So the way dialing happens with this scenario, is the person off your network calls the IP of the firewall traversal product and the extension of the endpoint. There is no public IP for the endpoint (although if someone wants your public IP, you give them the IP of the firewall traversal product plus the alias or extension.)

The challenge with dialing is that there are currently three different methods for passing the extension, and not all of the vendors support all of the methods. i.e. This is an area that isn’t really standardized yet. It’s a good place for arguments too, as you’ll hear the vendors say their way is better. But as an end user, you need to be able to call any K12 school. Period.

Advantages

  • You don’t have to configure your network as described above.

Disadvantages

  • You will guaranteed have problems with other schools calling you. Cisco-Tandberg units can’t dial into the Polycom method; (although Polycom units can dial the Cisco-Tandberg method). More on dialing in a future post.
  • Extra cost.

References

Your Turn

  • Which method was used for installing your videoconference system?
  • Do you have an opinion or preference for one of these methods? Please share!
  • If you disagree with our view here, we welcome your thoughtful (not flaming) comments.

Team-written by Janine Lim, Shane Howard, and Roxanne Glaser. The opinions expressed in these posts are based on our collective video conference experience connecting classes across multiple networks to connect them to zoos, museums, experts and other classes during the past 10 years. This series of posts reflects our usage and understanding, not that of any vendor or manufacturer. No one is paying us to write these. We are just sharing what we have learned.