Firewall Traversal
TANDBERG VIDEO COMMUNICATION SERVER ADMINISTRATOR GUIDE
Firewall Traversal Protocols and Ports
Firewall Configuration
Ports for Connections out to the Public Internet
In situations where the VCS Border Controller is attempting to connect to an endpoint on the public internet, you will not know the exact port(s) on the endpoint to which the connection will be made. This is because the ports to be used are determined by the endpoint and advised to the VCS Border Controller only once the server has located the endpoint on the public internet. This may cause problems if your VCS Border Controller is located within a DMZ (i.e. there is a firewall between the VCS Border Controller and the public internet) as you will not be able to specify in advance rules that will allow you to connect out to the endpoint’s ports.
You can however specify the ports on the VCS Border Controller that will be used for calls to endpoints on the public internet so that your firewall administrator can allow connections via these ports. The ports that can be configured for this purpose are:
H.323
•UDP/1719: signaling
•
•
SIP
•UDP/5060 (default): signaling
•
•TCP: a temporary port is allocated
STUN Ports
The VCS Border Controller can be enabled to provide STUN services (STUN Relay and STUN Binding Discovery) that can be used by SIP endpoints which support the ICE firewall traversal protocol.
The ports used by these services are configurable via:
•VCS Configuration > Border Controller > STUN
•xConfiguration Traversal Server STUN
The ICE clients on each of the SIP endpoints must be able to discover these ports, either via SRV records in DNS or by direct configuration.
In order for Expressway™ firewall traversal to function correctly, the firewall must be configured to:
•allow initial outbound traffic from the client to the ports being used by the VCS Border Controller
•allow return traffic from those ports on the VCS Border Controller back to the originating client.
TANDBERG offers a downloadable tool, the Expressway Port Tester, that allows you to test your firewall configuration for compatibility issues with your network and endpoints. It will advise if necessary which ports may need to be opened on your firewall in order for the Expressway™ solution to function correctly. Contact your TANDBERG representative for more information.
! We recommend that you turn off any H.323 and SIP protocol support on the firewall: these are not needed in conjunction with the TANDBERG Expressway™ solution
and may interfere with its operation.
Introduction | Getting | System | System | H.323 & SIP | Registration | Zones and | Call | Firewall | Bandwidth | Maintenance | Appendices | |
Started | Overview | Configuration | Configuration | Control | Neighbors | Processing | Traversal | Control | ||||
|
|
| ||||||||||
D 14049.01 |
|
|
|
| 99 |
|
|
|
|
|
| |
07.2007 |
|
|
|
|
|
|
|
|
|
|
