Firewall Configuration

If you have a campus firewall, you must configure it to pass H.323 traffic in both directions (incoming and outgoing). The CVS Gatekeeper also functions as a proxy server, so as long as you allow H.323 traffic to and from that IP address, any codec on your campus that is registered with your gatekeeper should be able to videoconference.

In order to give CENIC the access required to configure and manage your campus gatekeeper, you must:

  1. Permit all traffic from the gatekeeper destined for the outside world.
  2. Permit all traffic to the gatekeeper from the following networks:
    • 205.154.240.0/22 (/22 = 255.255.252.0)
    • 137.164.80.0/20 (/20 = 255.255.240.0)
    • 137.164.29.0/24 (/24 = 255.255.255.0)

    The applications CENIC will use to manage your gatekeeper from these addresses include:
    • tftp - UDP port 69
    • telnet - TCP port 23
    • SSH - TCP port 22
    • SNMP - UDP and TCP port 161
    • ICMP - all ICMP

  3. Permit inbound traffic to the gatekeeper on the H.323 ports listed below, and ICMP, from the entire Internet.

  4. If your site is using a Juniper firewall, disable its H.323 ALG settings.

You may open all ports on your gatekeeper to those address ranges, or, if you prefer, open just the management ports (telnet, SSH, SNMP and TFTP) in addition to the H.323 ports listed below. Bear in mind that telnet and TFTP carry everything, including credentials, in cleartext, and SNMP community strings are sent in the clear unless SNMPv3 is used; restricting these services to the three CENIC source ranges above is what keeps exposing them acceptable. SSH is the only one of the four that is protected on the wire.

The following information is adapted from the University of Wisconsin H.323 IP Videoconferencing Services web site. Another site that we have found useful is the Indiana Higher Education Telecommunication System ITN Gatekeeper Proxy Lab Set-up page.

Special note on Cisco PIX firewalls: by default, Cisco PIX firewalls disconnect all H.323 sessions after 2 hours. Make sure you change this setting if you expect to hold videoconferences longer than 2 hours. The two timeout lines below show the changed values (h225 set to 0:00:00 and h323 raised to 16:00:00):

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 0:00:00
timeout h323 16:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00


Also note that we have found that upgrading to PIX software version 6.3(4) can resolve issues within NAT'd environments.

H.323 traffic requires the use of several ports that may be protected by the firewall or NAT. If a firewall is between your campus gatekeeper and the regional gatekeeper, certain ports must be set properly before a connection can be made between the two sites.

H.323 uses a single fixed TCP port (1720) to start a call with H.225.0 call signalling (Q.931-based, part of the H.323 suite). Once call setup completes, a dynamically assigned TCP port carries the H.245 protocol (also part of the H.323 suite) for capabilities exchange (caps exchange) and logical-channel control, unless the endpoints tunnel H.245 inside the existing H.225 connection. Finally, each media type negotiated for the call (audio, video, far-end camera control, etc.) opens a pair of dynamic UDP ports: the first carries the RTP media stream and the second its RTCP control stream. RTP and RTCP themselves are defined in RFC 3550 (originally RFC 1889); H.225.0 specifies how H.323 packetizes media over them. It is these per-call dynamic ports, not the fixed port 1720, that a simple port-based firewall cannot anticipate.
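The management rules in steps 1 to 4 above and the call flow just described, as one added example that is not CENIC's own code or configuration: a small Python evaluator that encodes the page's rules as a plain packet filter and then walks one simulated inbound H.323 call through them. The gatekeeper address 192.0.2.10 and the outside codec 198.51.100.20 are constructed (RFC 5737 documentation ranges); the three CENIC source ranges and all port numbers are the page's own. The evaluator is deliberately stateless, like a filter with no H.323 inspection.

```python
"""Port-based firewall policy for a campus H.323 gatekeeper.

Added example, not CENIC's own code or configuration.  It encodes the rules
described on this page as a stateless evaluator, then walks one simulated
inbound H.323 call through it to show which legs of the call a fixed-port
policy covers and which it does not.  The gatekeeper and remote-codec
addresses are constructed for illustration (RFC 5737 documentation ranges);
the three CENIC source ranges and the port numbers are the page's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GATEKEEPER = ip_address("192.0.2.10")   # campus gatekeeper proxy (assumed address)

# CENIC management source ranges (from the page).
CENIC_MGMT = [
    ip_network("205.154.240.0/22"),
    ip_network("137.164.80.0/20"),
    ip_network("137.164.29.0/24"),
]

# Management services CENIC uses against the gatekeeper (from the page).
MGMT_PORTS = {("udp", 69), ("tcp", 23), ("tcp", 22), ("udp", 161), ("tcp", 161)}

# Fixed H.323/T.120 ports opened from the whole Internet (the page's IANA table).
H323_FIXED = {(proto, port)
              for port in (1300, 1503, 1718, 1719, 1720, 1731, 2979, 11720)
              for proto in ("tcp", "udp")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # unused for icmp


def is_permitted(flow: Flow, management_ports_only: bool = False) -> bool:
    """Stateless allow/deny for one packet, following the page's steps 1 to 3.

    management_ports_only=True is the narrower variant the page allows:
    only tftp/telnet/ssh/snmp (plus ICMP) from the CENIC ranges rather than
    all traffic from them.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src == GATEKEEPER:
        return True                      # step 1: gatekeeper to outside, anything
    if dst != GATEKEEPER:
        return False                     # this policy covers the gatekeeper only
    if flow.proto == "icmp":
        return True                      # steps 2 and 3: ICMP from anywhere
    key = (flow.proto, flow.dport)
    if any(src in net for net in CENIC_MGMT):
        if not management_ports_only or key in MGMT_PORTS:
            return True                  # step 2: CENIC management access
    return key in H323_FIXED             # step 3: fixed H.323 ports from anywhere


def simulate_inbound_call(remote: str, h245_port: int, rtp_port: int) -> dict:
    """Legs of one inbound call, per the page's description of H.323: H.225
    setup on fixed TCP 1720, H.245 on a dynamic TCP port, then an RTP/RTCP
    UDP pair for one media type.  The dynamic ports are the ones the two
    sides negotiate per call; a stateless filter cannot know them in advance."""
    gk = str(GATEKEEPER)
    legs = {
        "h225_setup":   Flow(remote, gk, "tcp", 1720),
        "h245_control": Flow(remote, gk, "tcp", h245_port),
        "rtp_audio":    Flow(remote, gk, "udp", rtp_port),
        "rtcp_audio":   Flow(remote, gk, "udp", rtp_port + 1),
    }
    return {name: is_permitted(flow) for name, flow in legs.items()}


if __name__ == "__main__":
    # Constructed inputs: one host in a CENIC range, one outside codec.
    print(is_permitted(Flow("137.164.80.5", "192.0.2.10", "tcp", 22)))    # True
    print(is_permitted(Flow("198.51.100.20", "192.0.2.10", "tcp", 23)))   # False
    for leg, ok in simulate_inbound_call("198.51.100.20", 1741, 49152).items():
        print(f"{leg:13} {'permitted' if ok else 'BLOCKED'}")
```

Run it and the H.225 leg on TCP 1720 is permitted while the H.245 and RTP/RTCP legs come back blocked, because their ports are chosen per call. That gap is what stateful H.323 inspection (the ALG the page mentions for Juniper) closes by reading the signalling; if you disable the ALG as step 4 asks, the dynamic port range your codecs and gatekeeper actually use has to be opened explicitly instead.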

If you are unable to receive H.323 calls from codecs or gatekeepers outside your network, you probably have firewall or NAT issues. If you are unable to call out to the other codec, you might have firewall or NAT issues.

It is worth noting here that videoconferencing is a difficult application to pass through firewalls and Network Address Translation (NAT). Firewalls and NAT provide security by limiting access to a Local Area Network's (LAN's) ports, filtering or blocking inbound Internet traffic; H.323's per-call dynamic ports and the IP addresses it carries inside its signalling are exactly what they interfere with. Recent advances, at least in the Cisco PIX firewall and recent Polycom software releases, are beginning to make the two more tolerant of one another.

Following is a generic list of typical firewall port numbers for H.263/H.323 and T.120, taken from the Internet Assigned Numbers Authority (IANA) port registry:

Port   Protocol   IANA name        Use
1300   TCP & UDP  h323hostcallsc   H.323 Host Call Secure
1503   TCP & UDP  imtc-mcs         Multipoint conference server; T.120 application sharing in a multipoint call
1718   TCP & UDP  h323gatedisc     Gatekeeper discovery (must be bidirectional)
1719   TCP & UDP  h323gatestat     Gatekeeper RAS (must be bidirectional)
1720   TCP & UDP  h323hostcall     Q.931 call setup (must be bidirectional)
1731   TCP & UDP  msiccp           Audio call control (VoIP) (must be bidirectional)
2979   TCP & UDP  h263-video       H.263 video streaming
11720  TCP & UDP  h323callsigalt   H.323 call signalling, alternate







  CENIC Mailing Lists • webmaster@cenic.org Copyright 2006 © CENIC. All rights reserved.