Firewall Traversal
TANDBERG VIDEO COMMUNICATION SERVER ADMINISTRATOR GUIDE
Overview
Ports play a vital part in firewall traversal configuration. The correct ports must be set on the VCS Border Controller, traversal client and firewall in order for connections to be permitted.
Ports are initially configured on the VCS Border Controller and then advised to the firewall administrator and the traversal client administrator, who must then configure their systems to connect to these specific ports on the server. The only port configuration that is done on the client is the range of ports it uses for outgoing connections; the firewall administrator will need to know this information so that if necessary they can configure the firewall to allow outgoing connections from those ports.
Process
•Each traversal client connects via the firewall to a unique port on the VCS Border Controller.
•The server identifies each client by the port on which it receives the connection, and the Authentication credentials provided by the client.
•Once established, the client constantly sends a probe to the VCS Border Controller via this connection in order to keep the connection alive.
•When the VCS Border Controller receives an incoming call for the client, it uses this initial connection to send an incoming call request to the client.
•The client then initiates a connection to the server. The ports used for the call will differ for signaling and media, and will depend on the protocol being used (i.e. SIP, Assent or H.460.18/19).
Firewall Traversal Protocols and Ports
Ports for Initial Connections from Traversal Clients
Each traversal server zone specifies an H.323 port and a SIP port to be used for the initial connection from the client.
Each time you configure a new traversal server zone on the VCS, you will be allocated default port numbers for these connections:
•H.323 ports will start at 6001 and increment by 1 for every new traversal server zone
•SIP ports will start at 7001 and increment by 1 for every new traversal server zone.
You can change these default ports if necessary but you must ensure that the ports are unique for each traversal server zone.
Once the H.323 and SIP ports have been set on the VCS Border Controller, matching ports must be configured on the corresponding traversal client.
!The default port used for the initial connections from MXP endpoints is the same as that used for standard RAS messages, i.e. UDP/1719. While it is possible to
change this port on the VCS server, most endpoints will not support connections to ports other than UDP/1719. We therefore recommend that this be left as the default.
H.323 Firewall Traversal Protocols
The VCS supports two different firewall traversal protocols for H.323: Assent and H.460.18/H.460.19.
•Assent is TANDBERG’s proprietary protocol.
•H.460.18 and H.460.19 are ITU standards which define protocols for the firewall traversal of signaling and media respectively. These standards are based on the original TANDBERG Assent protocol.
In order for a traversal server and traversal client to communicate, they must be using the same protocol.
The two protocols each use a slightly different range of ports.
Assent Ports
For connections to the VCS Border Controller using the Assent protocol, the default ports are:
Call signaling
•UDP/1719: listening port for RAS messages
•TCP/2776: listening port for H.225 and H.245 protocols Media
•UDP/2776: RTP media port
•UDP/2777: RTCP media control port
H.460.18/19 Ports
For connections to the VCS Border Controller using the H.460.18/19 protocols, the default ports are:
Call signaling
•UDP/1719: listening port for RAS messages
•TCP/1720: listening port for H.225 protocol
•TCP/2777: listening port for H.245 protocol Media
•UDP/2776: RTP media port
•UDP/2777: RTCP media control port
SIP Ports
Call signaling
SIP call signaling uses the same port as used by the initial connection between the client and server.
Media
Where the traversal client is a VCS or Gatekeeper, SIP media uses Assent to traverse the firewall . The default ports are the same as for H.323, i.e.:
•UDP/2776: RTP media port
•UDP/2777: RTCP media control port
Introduction | Getting | System | System | H.323 & SIP | Registration | Zones and | Call | |
Started | Overview | Configuration | Configuration | Control | Neighbors | Processing | ||
| ||||||||
D 14049.01 |
|
|
|
| 98 |
|
| |
07.2007 |
|
|
|
|
|
|
Firewall | Bandwidth | Maintenance | Appendices | |
Traversal | Control | |||
|
|
