Firewall Traversal

TANDBERG VIDEO COMMUNICATION SERVER ADMINISTRATOR GUIDE

Overview

Ports play a vital part in firewall traversal configuration. The correct ports must be set on the VCS Border Controller, traversal client and firewall in order for connections to be permitted.

Ports are initially configured on the VCS Border Controller and then advised to the firewall administrator and the traversal client administrator, who must then configure their systems to connect to these specific ports on the server. The only port configuration that is done on the client is the range of ports it uses for outgoing connections; the firewall administrator will need to know this information so that if necessary they can configure the firewall to allow outgoing connections from those ports.

Process

Each traversal client connects via the firewall to a unique port on the VCS Border Controller.

The server identifies each client by the port on which it receives the connection, and the authentication credentials provided by the client.

Once established, the client constantly sends a probe to the VCS Border Controller via this connection in order to keep the connection alive.

When the VCS Border Controller receives an incoming call for the client, it uses this initial connection to send an incoming call request to the client.

The client then initiates a connection to the server. The ports used for the call will differ for signaling and media, and will depend on the protocol being used (i.e. SIP, Assent or H.460.18/19).

Firewall Traversal Protocols and Ports

Ports for Initial Connections from Traversal Clients

Each traversal server zone specifies an H.323 port and a SIP port to be used for the initial connection from the client.

Each time you configure a new traversal server zone on the VCS, you will be allocated default port numbers for these connections:

H.323 ports will start at 6001 and increment by 1 for every new traversal server zone.

SIP ports will start at 7001 and increment by 1 for every new traversal server zone.

You can change these default ports if necessary but you must ensure that the ports are unique for each traversal server zone.

Once the H.323 and SIP ports have been set on the VCS Border Controller, matching ports must be configured on the corresponding traversal client.

The default port used for the initial connections from MXP endpoints is the same as that used for standard RAS messages, i.e. UDP/1719. While it is possible to change this port on the VCS server, most endpoints will not support connections to ports other than UDP/1719. We therefore recommend that this be left as the default.

H.323 Firewall Traversal Protocols

The VCS supports two different firewall traversal protocols for H.323: Assent and H.460.18/H.460.19.

Assent is TANDBERG’s proprietary protocol.

H.460.18 and H.460.19 are ITU standards which define protocols for the firewall traversal of signaling and media respectively. These standards are based on the original TANDBERG Assent protocol.

In order for a traversal server and traversal client to communicate, they must be using the same protocol.

The two protocols each use a slightly different range of ports.

Assent Ports

For connections to the VCS Border Controller using the Assent protocol, the default ports are:

Call signaling

UDP/1719: listening port for RAS messages

TCP/2776: listening port for H.225 and H.245 protocols

Media

UDP/2776: RTP media port

UDP/2777: RTCP media control port

H.460.18/19 Ports

For connections to the VCS Border Controller using the H.460.18/19 protocols, the default ports are:

Call signaling

UDP/1719: listening port for RAS messages

TCP/1720: listening port for H.225 protocol

TCP/2777: listening port for H.245 protocol

Media

UDP/2776: RTP media port

UDP/2777: RTCP media control port

SIP Ports

Call signaling

SIP call signaling uses the same port as used by the initial connection between the client and server.

Media

Where the traversal client is a VCS or Gatekeeper, SIP media uses Assent to traverse the firewall. The default ports are the same as for H.323, i.e.:

UDP/2776: RTP media port

UDP/2777: RTCP media control port
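The port rules above can be checked before they are handed to the firewall administrator. The following is an added example, not code from the TANDBERG guide: it audits traversal server zones for reused ports and derives the destination ports on the VCS Border Controller that the firewall must permit for each zone. The zone dictionaries and their field names are hypothetical. It assumes the H.323 initial connection runs over UDP, that the SIP transport is supplied per zone, and that the traversal client is a VCS or Gatekeeper.

```python
from collections import Counter

# Default Border Controller call ports as listed on this page.
CALL_PORTS = {
    "assent": {("udp", 1719), ("tcp", 2776), ("udp", 2776), ("udp", 2777)},
    "h460": {("udp", 1719), ("tcp", 1720), ("tcp", 2777),
             ("udp", 2776), ("udp", 2777)},
}
# SIP media uses Assent where the traversal client is a VCS or Gatekeeper.
SIP_MEDIA = {("udp", 2776), ("udp", 2777)}


def default_zone_ports(count):
    """Defaults for the first `count` traversal server zones: 6001+i / 7001+i."""
    return [{"h323_port": 6001 + i, "sip_port": 7001 + i} for i in range(count)]


def port_conflicts(zones):
    """Port numbers assigned to more than one zone connection (conservative:
    reuse is flagged even between an H.323 port and a SIP port)."""
    used = Counter(p for z in zones for p in (z["h323_port"], z["sip_port"]))
    return sorted(p for p, n in used.items() if n > 1)


def allow_list(zone):
    """Destination (transport, port) pairs on the Border Controller that the
    firewall must permit from this zone's traversal client."""
    rules = {("udp", zone["h323_port"]),                 # assumed UDP transport
             (zone["sip_transport"], zone["sip_port"])}  # SIP initial + signaling
    rules |= CALL_PORTS[zone["h323_protocol"]]           # H.323 signaling + media
    rules |= SIP_MEDIA
    return sorted(rules)


# Constructed sample zones (names, transports and the clash are made up).
ZONES = [
    {"name": "branch-a", "h323_port": 6001, "sip_port": 7001,
     "h323_protocol": "assent", "sip_transport": "tcp"},
    {"name": "branch-b", "h323_port": 6002, "sip_port": 7001,  # reused SIP port
     "h323_protocol": "h460", "sip_transport": "tcp"},
]

if __name__ == "__main__":
    print("conflicting ports:", port_conflicts(ZONES))
    for z in ZONES:
        print(z["name"], allow_list(z))
```

A non-empty result from `port_conflicts` means two zones share a port, which breaks the rule that the server identifies each client by the port it connects to.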

D 14049.01, 07.2007