
Firewall problems when arranging videoconferences on broadband.

Today most companies and organisations use firewalls to add an extra level of security around important networks, and also as a service on individual workstations. Videoconference equipment today uses the H.323 protocol to interoperate regardless of manufacturer and product. H.323 is a relatively complex standard that uses many dynamic TCP and UDP ports in both directions. The simplest approach is, of course, to use public ("legal") IP addresses with direct access to the Internet, but that can conflict with a company's security regulations.

Put simply, there is a small set of standard-defined ports that must be opened in the firewall, but in addition some extra ports are needed, and these are usually chosen at random from the range 1024 to 65535. In theory this means opening that whole range to traffic, but fortunately some firewalls (e.g. Cisco, CheckPoint, Gauntlet) understand the H.323 protocol and open and close only the ports that are actually needed, only while they are needed. This is the ideal solution, but such firewalls are often expensive to purchase. Some client programs (e.g. from VCON) can narrow the range to, for example, ports 5000-5200, which is much better than opening all 64000 ports. This option is available when one has a VCON MXM central server.
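To make the trade-off above concrete, here is a small added model (not from the original page or any vendor) that counts how many inbound (protocol, port) pairs each approach leaves open: the whole 1024-65535 range, a client pinned to 5000-5200, and a stateful H.323-aware firewall that opens pinholes only for the duration of a call. The fixed ports TCP 1720 (H.225) and UDP 1719 (RAS) are standard H.323 numbers not named on the page, and the negotiated media ports in compare() are a constructed sample.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One inbound allow rule: protocol plus an inclusive port range."""
    proto: str
    lo: int
    hi: int

# The small fixed set H.323 always needs: H.225 call signalling on TCP 1720
# and RAS gatekeeper signalling on UDP 1719 (standard H.323 port numbers).
H323_STATIC = (Rule("tcp", 1720, 1720), Rule("udp", 1719, 1719))

def exposed_ports(rules):
    """Distinct (protocol, port) pairs a rule set leaves open to the Internet."""
    opened = set()
    for r in rules:
        opened.update((r.proto, p) for p in range(r.lo, r.hi + 1))
    return len(opened)

def naive_policy():
    """Open the whole dynamic range the article names (1024-65535), TCP and UDP."""
    return H323_STATIC + (Rule("tcp", 1024, 65535), Rule("udp", 1024, 65535))

def restricted_policy(lo=5000, hi=5200):
    """Client software pinned to a narrow range, e.g. VCON's 5000-5200."""
    return H323_STATIC + (Rule("tcp", lo, hi), Rule("udp", lo, hi))

class H323AwareFirewall:
    """Stateful model: pinholes for negotiated media ports exist only during a call."""
    def __init__(self):
        self.pinholes = []
    def rules(self):
        return H323_STATIC + tuple(self.pinholes)
    def call_setup(self, negotiated):
        # negotiated: (proto, port) pairs a real firewall would parse from H.245
        self.pinholes = [Rule(proto, port, port) for proto, port in negotiated]
    def call_teardown(self):
        self.pinholes = []

def compare(negotiated=(("udp", 49152), ("udp", 49153), ("tcp", 49154))):
    """Exposure under each approach; the negotiated ports are a constructed sample."""
    fw = H323AwareFirewall()
    idle = exposed_ports(fw.rules())
    fw.call_setup(negotiated)
    in_call = exposed_ports(fw.rules())
    fw.call_teardown()
    return {"naive": exposed_ports(naive_policy()),
            "restricted": exposed_ports(restricted_policy()),
            "aware_idle": idle, "aware_in_call": in_call,
            "aware_after_call": exposed_ports(fw.rules())}
```

The naive policy exposes 129024 port pairs, the pinned client 404, and the H.323-aware firewall only the two signalling ports when idle.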


In principle there are two types of network address translation (NAT): "one to one" and "one to many". Address translation means that a router or firewall rewrites traffic between private and public IP addresses. With "one to one" translation each private IP address has a corresponding public address, while with "one to many" translation many private addresses share one public address.

Videoconference equipment that is not NAT-aware will announce its own private local network address to the other party (an address that is invalid on the Internet). Some equipment can be configured to announce a specific official IP address instead, which solves this problem. If that is not possible, one needs an H.323 proxy (usually built into the firewall) that solves the problem for you. The videoconference clients from First Virtual delivered with the Click to Meet system (see www.fvc.com) handle this better than other systems.

In general, "one to one" address translation lets videoconference equipment work as described above, but with "one to many" translation you can only use one videoconference unit per available public IP address. With Click to Meet (Express), on the other hand, several web clients can be used behind a single public address, since the Click to Meet server understands NAT automatically and we can specify 4 ports manually, which are used instead of dynamic ports. NAT is essentially not a problem here. The conclusion for this type of network configuration is either to change the setup for standard H.323 conferences or to stay with the Click to Meet solution.

If two sites want to connect for videoconferences, it is practical to set up a direct tunnel between them. This is easily done with a virtual private network (VPN). Since the VPN traffic is encrypted and both parties trust each other, one can often do without a firewall (or at least run a less restrictive firewall) between these sites. This solves the firewall problems and, in addition, protects all conversations against eavesdropping on the Internet. This solution works well even with address translation, but it does require that a VPN solution is installed and configured at both ends. This can be anything from expensive routers to an ordinary PC, and need not be expensive. If one wants a larger number of VPN connections, however, we do recommend dedicated boxes for this.

Please do not hesitate to contact Jan Vidar Krey at OHD (jvk@ohd.no) or Otto Øksnes (otto.oksnes@statped.no) for help with configuring firewalls or anything else.


The following links may be of interest to those who want deeper knowledge of the topic:


http://www.fvc.com/eng/webconferencing/whitepaper_desc.htm

http://www.vcon.com/support/white.papers.html

http://www.packetizer.com/