Firewall Port Forwarding for H.323 video

Video Conferencing Equipment and Services for Installation & Maintenance – Cisco TANDBERG, Polycom, LifeSize, Sony, Vaddio

Firewall Port Forwarding for H.323 video

H.323 uses a single fixed TCP port (1720) to start a call using the H.225 protocol (defined by H.323 spec) for call control. Once that protocol is complete, it then uses a dynamic TCP port for the H.245 protocol (also defined by the H.323 spec) for caps and channel control. Finally, it opens up 2 dynamic UDP ports for each type of media that was negotiated for the call (audio, video, far-end camera control). This first port carries the RTP protocol data (defined by the H.225 spec) and the second one carries the RTCP data (defined by the H.225 spec).

As per TCP/IP standards, ports are divided into 3 sections: 0-1023 (privileged ports), 1024-49151 (registered ports) and 49152-65535 (dynamic ports). H.323 specifies the dynamic ports in the dynamic range are open. Polycom has added a feature to its product line that allows the ports to use a fixed ports (instead of dynamic ports) so that it can more easily traverse a firewall. Only the system behind the firewall need to turn on this feature, since the firewall will prevent the audio/video/FECC from the outside to come in unless this is enabled.

You must forward the traffic to and from the video endpoint through the firewall using the specified port numbers and protocol types for outgoing calls. To receive incoming calls, your must forward traffic using the 1720 TCP port.

The following are details on port forwarding assignments for various products:

Polycom Port Forwarding

For Polycom products, the following ports must be opened in the firewall and assigned to the IP address of videoconferencing endpoints (e.g. a video endpoint could be at 192.168.0.109):

Port 389 (TCP): For ILS registration
Port 1503 (TCP): Microsoft NetMeeting T.120 data sharing
Port 1718 (UDP): Gatekeeper discovery
Port 1719 (UDP): Gatekeeper RAS (Must be bi-directional)
Port 1720 (TCP) H.323 Call setup (Must be bi-directional)
Port 1731 (TCP): Audio call control (Must be bi-directional)
Ports 3230-3235 (TCP/UDP): Signaling and control for audio, call, video and data/FECC
Port 3603 (TCP): ViaVideo Web interface (ViaVideo users only)
So, a typical H.323 call would use 2 TCP fixed ports (3230-3231) and 6 UDP fixed ports (3230-3235) during the call.

Polycom M100 Desktop Video Software – from Help Book V 1.0 – Specifying Call Settings Preferences: Network NATs and firewalls provide security for your network by limiting outside access to your internal network. Some access, however, is necessary for video conferencing. Therefore, to enable your Polycom Telepresence m100 to freely place and receive calls with the outside world, while still maintaining protection for your network, you must also open ports in the firewall. If your system is on a network where the transmit bandwidth is significantly lower than the receive bandwidth, use asymmetric network to ensure that there is sufficient bandwidth for outgoing calls. To open media ports in the firewall: 1. From the main window, click Menu > Preferences > Call Settings 2. Set the media port range used by the system. 3. Open the same range of ports in your firewall. You must also open these ports in your firewall:

• Port 1718 (UDP): Gatekeeper discovery
• Port 1719 (UDP): Gatekeeper RAS (must be bidirectional)
• Port 1720 (TCP): H.323 call setup (must be bidirectional)
• Port 1731 (TCP): Audio call control (must be bidirectional)
• Port 5060 (TCP and UDP): SIP

Recap of all firewall port configurations for H.323 Polycom video & Network Products

LifeSize Port Forwarding

Login to the Firewall/Router:

Forward port 1720 TCP to the private IP of the LifeSize system.
Forward 2 TCP ports 60,000 and 60,001 to the private IP of the LifeSize system. If you have other services on these ports, you can forward any other 2 TCP ports in the 60,000 – 64,999 range.
Forward 6 UDP ports 60,000 to 60,007 to the private IP of the LifeSize system. If you have other services on these ports, you can forward any other 8 UDP ports in the 60,000 – 64,999 range.
(NOTE: 3 TCP and 8 UDP is the minimum number of ports required for a single point-to-point H.323 video call.)

Login to the LifeSize system:

Go to System Menu –> Administrator Preferences –> Network –> NAT
Enable Static NAT, and enter the public IP address of the firewall in the "NAT Public IP Address"
Go to System Menu –> Administrator Preferences –> Network –> Reserved Ports.
Enter the TCP & UDP port range you chose in the steps above.

Tandberg Port Forwarding

"In order to properly support a NAT configuration, the firewall will need to be configured as a one-to-one relationship between a public IP address and the private IP address for all ports in the H.323 range (which include 1718 UDP, 1719 UDP and 1720 TCP as well as other vendor-specific TCP and UDP ports needed to complete H.323 calls). For the specific range needed, consult your endpoint manufacturer."

Polycom GMS Ports:

21 (FTP) – Software Updates & Provisioning
80 (HTTP) – Pulling ViewStation/VS4000 info
3601 (Proprietary) (Data Traffic) – GAB data
3603 – TCP – Pulling ViaVideo info (since might be non-web server PC)
389 (LDAP and ILS)
1002 (ILS)
GMS listens for connections on ports 80 and 3601 (GAB) and in the future will listen on port 3604 (ViaVideo) and other potentials later.

H.323 Ports (IP based video conferencing):

80 – Static TCP – HTTP Interface (optional)
389 – Static TCP – ILS Registration (LDAP)
1503 – Static TCP – T.120
1718 – Static UDP – Gatekeeper discovery (Must be bidirectional)
1719 – Static UDP – Gatekeeper RAS (Must be bidirectional)
1720 – Static TCP – H.323 call setup (Must be bidirectional)
1731 – Static TCP – Audio Call Control (Must be bidirectional)
8080 – Static TCP – HTTP Server Push (optional)

1024-65535 Dynamic TCP H245
1024-65535 Dynamic UDP – RTP (Video data)
1024-65535 Dynamic UDP – RTP (Audio data)
1024-65535 Dynamic UDP RTCP (Control Information)
These ports can be set to "Fixed Ports" on Polycom systems, as opposed to dynamic.

Other Polycom ViewStation Ports:

21 (FTP) – Software Updates & GMS Provisioning
23 (Telnet) – For Diagnostics & API Control
3220 to 3225 – TCP Ports
3230 to 3247 – UDP Ports
Other ViaVideo Ports:

3604 (GMS Server Discovery) (Used by ViaVideo) (Broadcast)
Accord (Polycom Network Systems) Additional Ports:

5001 – Static TCP – MGC Manager (5003 can be chosen instead within MGC)
21 – Static TCP – FTP (retrieve MGC config. Files etc.)
RADVision Additional:

1820 – Gateway Signaling/Call Setup
2720 – MCU Signaling/Call Setup
d-Link DVC-1000 Ports:

The port 1720 (TCP) and the 6 ports 15328-15333 (TCP and UDP) need to be forwarded. d-Link indicates that NetMeeting and the H.323 cannot co-exist behind the same router simultaneously.

 

further reading

Services

Support and Maintenance
Video Conferencing Bridging
Video Conferencing Hire
Streaming Events
Installation
Hybrid Meetings 

Solutions

Polycom Telepresence
Video Conferencing Room Systems
Video Conferencing in education
Video Conferencing for small and Medium Business
Video conferencing for remote workers

About

About us
Advice
Customer Testimonials
Environmental Policy
Equal opportunities policy
Health and safety policy
News

Resources

Video library
Useful links
Glossary of Terms

Contact

Contact

Copyright since 2003 Central AV Limited ©

Terms of Use | Privacy Policy

Design by Mirza Alamin