
Firewall Port Forwarding for H.323 video | SellerEast


Firewall Port Forwarding for H.323 video


Posted on March 11, 2013 by Admin Seller

H.323 uses a single fixed TCP port (1720) to start a call using the H.225 protocol (defined by H.323 spec) for call control. Once that protocol is complete, it then uses a dynamic TCP port for the H.245 protocol (also defined by the H.323 spec) for caps and channel control. Finally, it opens up 2 dynamic UDP ports for each type of media that was negotiated for the call (audio, video, far-end camera control). The first port carries the RTP protocol data (defined by the H.225 spec) and the second one carries the RTCP data (defined by the H.225 spec).

As per TCP/IP standards, ports are divided into 3 sections: 0-1023 (privileged ports), 1024-49151 (registered ports) and 49152-65535 (dynamic ports). H.323 specifies that the dynamic ports in the dynamic range are open. Polycom has added a feature to its product line that allows the ports to be fixed (instead of dynamic) so that calls can more easily traverse a firewall. Only the system behind the firewall needs to turn on this feature, since the firewall will prevent the audio/video/FECC from the outside from coming in unless this is enabled.

You must forward the traffic to and from the video endpoint through the firewall using the specified port numbers and protocol types for outgoing calls. To receive incoming calls, you must forward traffic using the 1720 TCP port.

The following are details on port forwarding assignments for various products:

Polycom Port Forwarding
For Polycom products, the following ports must be opened in the firewall and assigned to the IP address of videoconferencing endpoints (e.g. a video endpoint could be at 192.168.0.109):

http://www.sellereast.com/firewall-port-forwarding-for-h-323-video/ 01/06/2015
Port 389 (TCP): For ILS registration
Port 1503 (TCP): Microsoft NetMeeting T.120 data sharing
Port 1718 (UDP): Gatekeeper discovery
Port 1719 (UDP): Gatekeeper RAS (Must be bi-directional)
Port 1720 (TCP): H.323 Call setup (Must be bi-directional)
Port 1731 (TCP): Audio call control (Must be bi-directional)
Ports 3230-3235 (TCP/UDP): Signaling and control for audio, call, video and data/FECC
Port 3603 (TCP): ViaVideo Web interface (ViaVideo users only)

So, a typical H.323 call would use 2 TCP fixed ports (3230-3231) and 6 UDP fixed ports (3230-3235) during the call.
Polycom m100 Desktop Video Software - from Help Book V 1.0 - Specifying Call Settings Preferences: Network

NATs and firewalls provide security for your network by limiting outside access to your internal network. Some access, however, is necessary for video conferencing. Therefore, to enable your Polycom Telepresence m100 to freely place and receive calls with the outside world, while still maintaining protection for your network, you must also open ports in the firewall. If your system is on a network where the transmit bandwidth is significantly lower than the receive bandwidth, use asymmetric network to ensure that there is sufficient bandwidth for outgoing calls.

To open media ports in the firewall:
1. From the main window, click Menu > Preferences > Call Settings
2. Set the media port range used by the system.
3. Open the same range of ports in your firewall.

You must also open these ports in your firewall:
• Port 1718 (UDP): Gatekeeper discovery
• Port 1719 (UDP): Gatekeeper RAS (must be bidirectional)
• Port 1720 (TCP): H.323 call setup (must be bidirectional)
• Port 1731 (TCP): Audio call control (must be bidirectional)
• Port 5060 (TCP and UDP): SIP
Recap of all firewall port configurations for H.323 Polycom video & Network Products
LifeSize Port Forwarding

Login to the Firewall/Router:

Forward port 1720 TCP to the private IP of the LifeSize system.

Forward 2 TCP ports 60,000 and 60,001 to the private IP of the LifeSize system. If you have other services on these ports, you can forward any other 2 TCP ports in the 60,000 – 64,999 range.

Forward 6 UDP ports 60,000 to 60,007 to the private IP of the LifeSize system. If you have other services on these ports, you can forward any other 8 UDP ports in the 60,000 – 64,999 range.

(NOTE: 3 TCP and 8 UDP is the minimum number of ports required for a single point-to-point H.323 video call.)

Login to the LifeSize system:

Go to System Menu –> Administrator Preferences –> Network –> NAT

Enable Static NAT, and enter the public IP address of the firewall in the “NAT Public IP Address”

Go to System Menu –> Administrator Preferences –> Network –> Reserved Ports.

Enter the TCP & UDP port range you chose in the steps above.
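The fixed-port lists above can be checked against what a firewall actually forwards. The following Python code is an added example, not part of the original post or any vendor tool: it compares port-forward rules with the Polycom and LifeSize port sets given on this page and reports required ports that are missing and ports forwarded beyond what a call needs. The rule tuple format, function names and sample rules are constructed for illustration; gatekeeper and ILS ports are left out of the profiles and would be added where they are used.

```python
# Added example: audit port-forward rules against the fixed-port sets on this page.
# Rule format, names and sample data are constructed for illustration.

PROFILES = {
    # Polycom fixed ports: TCP 1720, TCP 3230-3231, UDP 3230-3235
    "polycom": {("tcp", 1720)}
    | {("tcp", p) for p in range(3230, 3232)}
    | {("udp", p) for p in range(3230, 3236)},
    # LifeSize: TCP 1720, TCP 60000-60001, UDP 60000-60007 (8 UDP per the page's note)
    "lifesize": {("tcp", 1720)}
    | {("tcp", p) for p in range(60000, 60002)}
    | {("udp", p) for p in range(60000, 60008)},
}

def expand(rules, endpoint_ip):
    """Turn (proto, first, last, dest_ip) rules into the set of (proto, port) reaching endpoint_ip."""
    return {(proto.lower(), port)
            for proto, first, last, dest in rules if dest == endpoint_ip
            for port in range(first, last + 1)}

def audit(rules, endpoint_ip, vendor):
    """Return (missing, excess): required ports not forwarded, and forwarded ports not required."""
    required = PROFILES[vendor]
    forwarded = expand(rules, endpoint_ip)
    return sorted(required - forwarded), sorted(forwarded - required)

def collapse(pairs):
    """Collapse sorted (proto, port) pairs into 'proto first-last' strings."""
    runs = []
    for proto, port in pairs:
        if runs and runs[-1][0] == proto and runs[-1][2] == port - 1:
            runs[-1][2] = port
        else:
            runs.append([proto, port, port])
    return [f"{p} {a}" if a == b else f"{p} {a}-{b}" for p, a, b in runs]

# Constructed forwards for the page's example endpoint 192.168.0.109
SAMPLE_RULES = [
    ("tcp", 1720, 1720, "192.168.0.109"),
    ("tcp", 3230, 3231, "192.168.0.109"),
    ("udp", 3230, 3233, "192.168.0.109"),  # two media ports short
    ("tcp", 23, 23, "192.168.0.109"),      # Telnet diagnostics/API exposed
    ("tcp", 80, 80, "192.168.0.109"),      # web interface exposed
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES, "192.168.0.109", "polycom")
    print("missing:", collapse(missing), "not needed for the call:", collapse(excess))
```

A rule that forwards the whole 1024-65535 dynamic range shows up in the excess list as everything outside the vendor's fixed range, which is the exposure the fixed-port setting is meant to avoid.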
TANDBERG Port Forwarding
“In order to properly support a NAT configuration, the firewall will need to be configured as
a one-to-one relationship between a public IP address and the private IP address for all ports
in the H.323 range (which include 1718 UDP, 1719 UDP and 1720 TCP as well as other
vendor-specific TCP and UDP ports needed to complete H.323 calls). For the specific range
needed, consult your endpoint manufacturer.”
Polycom GMS Ports:
21 (FTP) – Software Updates & Provisioning
80 (HTTP) – Pulling ViewStation/VS4000 info

3601 (Proprietary) (Data Traffic) – GAB data
3603 – TCP – Pulling ViaVideo info (since might be non-web server PC)
389 (LDAP and ILS)
1002 (ILS)
GMS listens for connections on ports 80 and 3601 (GAB) and in the future will listen on port
3604 (ViaVideo) and other potentials later.
H.323 Ports (IP based video conferencing):
80 – Static TCP – HTTP Interface (optional)
389 – Static TCP – ILS Registration (LDAP)
1503 – Static TCP – T.120
1718 – Static UDP – Gatekeeper discovery (Must be bidirectional)
1719 – Static UDP – Gatekeeper RAS (Must be bidirectional)
1720 – Static TCP – H.323 call setup (Must be bidirectional)
1731 – Static TCP – Audio Call Control (Must be bidirectional)
8080 – Static TCP – HTTP Server Push (optional)
1024-65535 – Dynamic TCP – H245
1024-65535 – Dynamic UDP – RTP (Video data)
1024-65535 – Dynamic UDP – RTP (Audio data)
1024-65535 – Dynamic UDP – RTCP (Control Information)
These ports can be set to “Fixed Ports” on Polycom systems, as opposed to dynamic.
Other Polycom ViewStation Ports:
21 (FTP) – Software Updates & GMS Provisioning
23 (Telnet) – For Diagnostics & API Control
3220 to 3225 – TCP Ports
3230 to 3247 – UDP Ports
Other ViaVideo Ports:
3604 (GMS Server Discovery) (Used by ViaVideo) (Broadcast)
Accord (Polycom Network Systems) Additional Ports:
5001 – Static TCP – MGC Manager (5003 can be chosen instead within MGC)
21 – Static TCP – FTP (retrieve MGC config. Files etc.)
RADVision Additional:
1820 – Gateway Signaling/Call Setup
2720 – MCU Signaling/Call Setup
D-Link DVC-1000 Ports:
Port 1720 (TCP) and the 6 ports 15328-15333 (TCP and UDP) need to be forwarded. D-Link indicates that NetMeeting and H.323 cannot co-exist behind the same router simultaneously.
Here are pages that address specific products and the steps needed to configure the firewalls:
Configuring your firewall | Typical H.323 ports | Additional Materials

Firewalls and H.323 have not been very friendly:


Videoconferencing is a difficult application to negotiate through Firewalls and Network Address Translation (NAT). Firewalls and Network Address Translation (NAT) are used to provide security by limiting access to a Local Area Network’s (LAN’s) ports by filtering or blocking inbound Internet traffic. Recent advancements, at least in the Cisco PIX firewall and recent Polycom software upgrades, are beginning to be more friendly with each other.

We recommend assigning a public K-20 IP address to your codec and installing it on your network outside of your firewall. A hacker may be able to access a Polycom appliance-based codec that is outside a firewall, but can do little other than place a call or change its settings. Most Internet viruses and worms attack Microsoft Windows™ and other operating systems. The recommended Polycom appliance-based codecs do not use these operating systems.

Using your codec behind a firewall?


You have multiple codecs (or distance education classrooms) on the same LAN or Wide Area Network
that need to connect to each other in addition to connecting to other endpoints across K-20 or the
Internet. Those codecs are probably separated by some distance which may make it impossible to
connect each directly to K-20 outside your firewall. You will need to install them inside and will need
to set up the firewall to allow incoming and outgoing calls.
If your endpoint is behind a firewall blocking incoming H.323 calls, and the site you want to connect
with is also, then neither site will be able to connect by placing a call to the other. Your outgoing call
signalling will be blocked by the far end firewall.

How H.323 traverses a Firewall:


H.323 traffic requires the use of several ports that may be protected by the firewall or NAT. If a
firewall is between your codec and the far end codec, certain ports must be set properly before a
connection can be made between the two sites. The codec may also need NAT parameters defined.
H.323 uses a single fixed TCP port (1720) to start a call using the H.225 protocol (defined by H.323
suite) for call control. Once that protocol is complete, it then uses a dynamic TCP port for the H.245
protocol (also defined by the H.323 suite) for capabilities exchange (caps exchange) and channel
control. Finally, it opens up two dynamic UDP ports for each type of media that was negotiated for the
call (audio, video, far-end camera control, etc.). The first port carries the RTP protocol data (defined
by the H.225 specification) and the second one carries the RTCP data (defined by the H.225
specification). See H.323 Basics for explanation of the H.323 Suite.
It is important that you plan your H.323 network from the start, before you even order your first codec
(see Network Design). If you are unable to receive H.323 calls from codecs outside your network,
you probably have firewall or NAT issues. If you are unable to call out to the other codec,
you might have firewall or NAT issues.

Configuring your Firewall:


Netscreen
The following diagram shows a Netscreen basic configuration. It does NOT show all the required ports needed for successful IP videoconferencing. Please see list of firewall ports below.
Cisco Pix
• Pix 6.3(3) This is the preferred one for this version of Pix. It works well with Polycom Viewstation Codecs that are running on the software version recommended in this link.
• Pix 6.2 This version can support H.323, but does have different settings than 6.3(3). An upgrade to 6.3(3)+ is recommended as soon as possible, which may also require codec software upgrades.
• Pix 6.1 This version can support H.323, but does have different settings than 6.3(3). In case you can’t upgrade, this configuration will work for you.

SonicWall
It is recommended that you place your codec on the outside or DMZ zone of your network if you have
a Sonicwall. Although they can be configured for H.323 ports, our testing was unsuccessful in gaining
complete access for videoconferencing.

Typical Firewall Port Numbers for H.263/H.323 and T.120:


This is the generic list of ports used by some part of H.323 standard. For specific setup information for
firewalls, see above configurations.
Note: ICMP must be enabled for calls to complete. Unless you have a specific need to share
applications, you do not need to open port 1503. Additional ports may be required by your specific
codec.

1300 – TCP & UDP – h323hostcallsc – H323 Host Call Secure
1503 – TCP & UDP – imtc-mcs (multipoint conference server) – T.120 application sharing in a multipoint
1718 – TCP & UDP – h323gatedisc – Gatekeeper discovery (Must be bidirectional)
1719 – TCP & UDP – h323gatestat – Gatekeeper RAS (Must be bidirectional)
1720 – TCP & UDP – h323hostcall – Q.931 call setup (Must be bidirectional)
1731 – TCP & UDP – msiccp – Audio Call Control (VoIP) (Must be bidirectional)
2979 – TCP & UDP – h263-video – H.263 Video Streaming
11720 – TCP & UDP – h323callsigalt – h323 Call Signal Alternate
~Reference: Internet Assigned Numbers Authority (IANA)


Other Common Ports used by some codecs:


80 – TCP – Web browser interface to codec controls and menus
389 – TCP – ILS Registration (LDAP)
3230-3231 – TCP – Typical Polycom fixed ports
3230-3235 – UDP – Typical Polycom fixed ports

Additional Reading Materials about Firewalls:


• Videoconferencing Cookbook (by ViDeNet), see the chapter “Network Matters” and scroll down to
“Network Address Translation (NAT) and Firewalls” for some excellent reading about the trials and
tribulations of firewalls and NAT.
• Polycom information on firewall setup (some of these are PDF files)
◦ Video Communications: Building Blocks for a Simpler Deployment
◦ How is a firewall configured for H.323 video?
◦ Creating Building Blocks For Voice & Video Over IP , a technical white paper by Polycom
addressing issues with H.323, Security & Firewalls.
• Intel Information:
◦ What’s So Difficult About Getting H.323 Through Firewalls?


Posted in Experience, News, Polycom Tagged H323 port forwarding, Network solutions, Video Conference

COMMENTS

quotes app
January 19, 2015 at 5:01 pm
I was suggested this website via my cousin. I am no longer positive whether this submit is written by him as nobody else recognise such precise approximately my trouble. You are incredible! Thanks!

Stop by my site: quotes app

maftab03
January 19, 2015 at 6:07 pm
You can post your question as well. We will try our best to suggest you the solution. Thank you
