Firewall Traversal

TANDBERG VIDEO COMMUNICATION SERVER ADMINISTRATOR GUIDE

Firewall Traversal Protocols and Ports

Firewall Configuration

Ports for Connections out to the Public Internet

In situations where the VCS Border Controller is attempting to connect to an endpoint on the public internet, you will not know in advance the exact port(s) on the endpoint to which the connection will be made. This is because the ports to be used are determined by the endpoint and advised to the VCS Border Controller only once the server has located the endpoint on the public internet. This may cause problems if your VCS Border Controller is located within a DMZ (i.e. there is a firewall between the VCS Border Controller and the public internet), as you will not be able to specify rules in advance that allow you to connect out to the endpoint's ports.

You can, however, specify the ports on the VCS Border Controller that will be used for calls to endpoints on the public internet, so that your firewall administrator can allow connections via these ports. The ports that can be configured for this purpose are:

H.323
  UDP/1719: signaling
  UDP/50000-51200: media
  TCP/15000-19999: signaling

SIP
  UDP/5060 (default): signaling
  UDP/50000-51200: media
  TCP: a temporary port is allocated

STUN Ports

The VCS Border Controller can be enabled to provide STUN services (STUN Relay and STUN Binding Discovery) that can be used by SIP endpoints which support the ICE firewall traversal protocol.

The ports used by these services are configurable via:

VCS Configuration > Border Controller > STUN

xConfiguration Traversal Server STUN

The ICE clients on each of the SIP endpoints must be able to discover these ports, either via SRV records in DNS or by direct configuration.

In order for Expressway™ firewall traversal to function correctly, the firewall must be configured to:

  allow initial outbound traffic from the client to the ports being used by the VCS Border Controller

  allow return traffic from those ports on the VCS Border Controller back to the originating client.
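As an added illustration (not part of the TANDBERG guide and not TANDBERG code), the following models the DMZ firewall policy described in the two passages above: outbound flows are permitted only from the VCS Border Controller source ports listed for H.323 and SIP, and inbound packets are permitted only as return traffic for a flow that was already seen leaving. The addresses and the endpoint ports are constructed placeholders; the SIP-over-TCP case shows why a temporary source port cannot be pinned by a static rule.

```python
# Added example: stateful DMZ firewall model for a VCS Border Controller.
# Not TANDBERG's code. IP addresses below are constructed placeholders.
from dataclasses import dataclass, field

# VCS source ports listed in the guide, as (proto, low, high) ranges.
VCS_SOURCE_PORTS = {
    "H.323": [("udp", 1719, 1719), ("udp", 50000, 51200), ("tcp", 15000, 19999)],
    "SIP":   [("udp", 5060, 5060), ("udp", 50000, 51200)],
    # SIP over TCP allocates a temporary port, so it appears in no static range:
    # such flows can only be matched by connection state, never by source port.
}


def is_configured_source_port(proto: str, port: int) -> bool:
    """True if (proto, port) is one of the VCS ports a static outbound rule can name."""
    return any(
        proto == p and lo <= port <= hi
        for ranges in VCS_SOURCE_PORTS.values()
        for p, lo, hi in ranges
    )


@dataclass
class StatefulDmzFirewall:
    """Firewall between the VCS (in the DMZ) and the public internet."""
    vcs_ip: str
    # Tracked flows: (proto, remote_ip, remote_port, vcs_port)
    state: set = field(default_factory=set)

    def outbound(self, proto: str, vcs_port: int, dst_ip: str, dst_port: int) -> bool:
        """VCS -> internet. Destination port is unknown in advance, so the rule keys
        on the VCS source port; a permitted flow is recorded for its return traffic."""
        if not is_configured_source_port(proto, vcs_port):
            return False
        self.state.add((proto, dst_ip, dst_port, vcs_port))
        return True

    def inbound(self, proto: str, src_ip: str, src_port: int, vcs_port: int) -> bool:
        """internet -> VCS. Allowed only as the reverse of a flow already seen outbound."""
        return (proto, src_ip, src_port, vcs_port) in self.state


if __name__ == "__main__":
    fw = StatefulDmzFirewall(vcs_ip="192.0.2.10")          # constructed DMZ address
    fw.outbound("udp", 50000, "198.51.100.7", 40000)        # media to a remote endpoint
    print(fw.inbound("udp", "198.51.100.7", 40000, 50000))  # return media: True
    print(fw.inbound("udp", "203.0.113.5", 40000, 50000))   # unsolicited: False
```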

TANDBERG offers a downloadable tool, the Expressway Port Tester, that allows you to test your firewall configuration for compatibility issues with your network and endpoints. It will advise, if necessary, which ports may need to be opened on your firewall in order for the Expressway™ solution to function correctly. Contact your TANDBERG representative for more information.

! We recommend that you turn off any H.323 and SIP protocol support on the firewall: these are not needed in conjunction with the TANDBERG Expressway™ solution and may interfere with its operation.

D 14049.01   99   07.2007
