Overcoming Firewall & NAT problems in H.323

Similar documents
Crossing firewalls. Liane Tarouco Leandro Bertholdo RNP POP/RS. Firewalls block H.323 ports

Scopia Desktop Server

VidyoConferencing Network Administrators Guide

Ports utilisés. Ports utilisés par le XT1000/5000 :

White Paper. Traversing Firewalls with Video over IP: Issues and Solutions

Considerations for a successful demo and implementation of Simplicity Video

Setting up a reflector-reflector interconnection using Alkit Reflex RTP reflector/mixer

Application Note. Onsight Mobile Collaboration Video Endpoint Interoperability v5.0

Technical Requirements

IP Ports and Protocols used by H.323 Devices

Polycom. RealPresence Ready Firewall Traversal Tips

Requirements. System Requirements. System Requirements, page 1 Port Requirements, page 4 Supported Codecs, page 5

District of Columbia Courts Attachment 1 Video Conference Bridge Infrastructure Equipment Performance Specification

Application Note. Onsight TeamLink And Firewall Detect v6.3

CQG Trader Technical Specifications. December 1, 2014 Version

A Comparative Study of Signalling Protocols Used In VoIP

Online course syllabus. MAB: Voice over IP

IOCOM Whitepaper: Connecting to Third Party Organizations

Internet and Intranet Calling with Polycom PVX 8.0.1

Video Conferencing and Firewalls

Network Considerations for IP Video

StarLeaf Network Guide

Webinar Information. Title: Websense Remote Filtering Audio information: Dial-in numbers:

VidyoWay IT Guide Product Version 3.0 Document Version 3.0 A 5/9/2014

Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks

Secure VoIP for optimal business communication

F-Secure Internet Gatekeeper Virtual Appliance

Avigilon Control Center Server User Guide

Proxy & Firewall Target Server List to Permit Communication

Configuring a Softphone for Windows for Virtual Contact Center

KFUPM Enterprise Network. Sadiq M. Sait

SIP and VoIP 1 / 44. SIP and VoIP

Steelcape Product Overview and Functional Description

Level 1 Technical Firewall Traversal & Security. Level 1 Technical. Firewall Traversal & Security. V3 Page 1 of 15

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

VIDEOCONFERENCING. Video class

Why SSL is better than IPsec for Fully Transparent Mobile Network Access

Zeenov Agora High Level Architecture

System Requirements. SuccessMaker 5

Vidyo Network Configuration Guide Windows XP and Vista

Scopia XT Desktop Server for IP Office

MINISTRY OF HEALTH CUSTOMER PROPOSAL

TECHNICAL CHALLENGES OF VoIP BYPASS

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Balancing Security and Performance in Videoconferencing Deployments

How To Set Up Foglight Nms For A Proof Of Concept

VIA CONNECT PRO Deployment Guide

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

Streaming Media System Requirements and Troubleshooting Assistance

Administrator Guide for Avaya Scopia Management for Aura Collaboration Suite

Voice-Over-IP. Daniel Zappala. CS 460 Computer Networking Brigham Young University

Developing Higher Density Solutions with Dialogic Host Media Processing Software

LifeSize Transit Deployment Guide June 2011

White Paper. Solutions to VoIP (Voice over IP) Recording Deployment

PacketizerTM. Overview of H Paul E. Jones. Rapporteur, ITU-T Q2/SG16

I3: Maximizing Packet Capture Performance. Andrew Brown

BigConnect v1.x. Software Guide

Prepare your IP network for HD video conferencing

You must download the desktop client before you start, this is found on the Yuuguu page on your Ezereach web portal.

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

How To Install Sedar On A Workstation

An Examination of the Firewall/NAT Problem, Traversal Methods, and Their Pros and Cons

D1.2 Network Load Balancing

VegaStream Information Note Considerations for a VoIP installation

VIDEO CONFERENCE. Alessandro Benni & VIDEO COMMUNICATIONS. Bologna, Videorent srl - Video & Multimedia Branch

Secure VidyoConferencing SM TECHNICAL NOTE. Protecting your communications VIDYO

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

SIP Security Controllers. Product Overview

Packetized Telephony Networks

Introduction to Cloud Computing

NetLeverage UK ThinPoint Solution Overview Version 2 Copyright 2012 NetLeverage UK

NTRsupport Videoconference. Whitepaper

Proof of Concept Guide

System Requirements - filesmart

INUVIKA OPEN VIRTUAL DESKTOP FOUNDATION SERVER

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Video Conferencing and Security

APPENDIX C. I. IT Standards and Levels of Support Service Provided by ITS. and ITS Performance Pledges

System Requirements. 60GB free after OS and Updates, Raid 5 or Hybrid SSD array

Configuring Bria 3 Mac for Virtual Contact Center

OAISYS and ShoreTel: Call Recording Solution Configuration. An OAISYS White Paper

Technical White Paper for Traversal of Huawei Videoconferencing Systems Between Private and Public Networks

Firewalls and their Impact on Multimedia Systems

Unit 23. RTP, VoIP. Shyam Parekh

QuickSpecs. Models. Features and benefits Configuration. HP VCX x3250m2 IP Telecommuting Module. HP VCX x3250m2 IP Telecommuting Module Overview

Development of SIP-H.323 Gateway Project

Network Projector Operation Guide

Application Note. Onsight Connect Network Requirements v6.3

Voice over IP Communications

Security Technology: Firewalls and VPNs

White paper. SIP An introduction

Application Note. Onsight Connect Network Requirements V6.1

Ignify ecommerce. Item Requirements Notes

Hardware Requirements

File System Design and Implementation

Signiant Agent installation

SMART Bridgit software

Will Your Next Video Bridge Be Software-Based? Examining a Next-Generation Software-Based Video Conference Server

Desktop Videoconferencing Guide

Transcription:

Overcoming Firewall & NAT problems in H.323 QUESTnet 2005, Coolum, Australia July 2005

Outline The problem ( a brief description) Solutions The proxy How does it work? What proxy to use??? Wait a second, this talk is supposed to say something about NAT?? Lets talk about security again Is this a reliable system? Resources/Additional information

The problem ( a brief description) Complexity and diversity of media/signaling streams Use of several sub-protocols for each channel per sessions, e.g. H.225, H.245, Q.931, Complexity makes it hard to analyze (and debug!!) Dynamic allocation of communication ports H.323 uses a few fixed ports, e.g. 1719, 1720 (for signaling only) The ports for the audio/video streams are dynamically negotiated during the setup process Used port range: > 2 10 < 2 16 About 6 to 8 ports necessary per videoconference? next slide How do you open ports on a firewall if you don t know them before?

The problem ( a brief description) Example: Screenshot below shows a videoconference using a Viavideo 8 channels opened 3 TCP (Setup, H.225, H.245) 5 UDP (media streams (audio/video))

The problem ( a brief description) The big picture, or what happens if Connection gets established (TCP) The external video client receives audio and video The internal video client receives nothing (black screen of silence) Firewall blocks the incoming traffic Internal video endpoint (protected by Firewall) external video endpoint (not protected) Signaling (TCP) Media streams (UDP)

Solutions There are several solutions Do not use H.323? OpenFirewalling? Open the Firewall for all video endpoints Only acceptable for a very small number of endpoints (1-5) Only acceptable if only set-top systems» Not acceptable if desktop systems only Use of a commercial solution/statefull firewall You get great support, but it still doesn t work Use a proxy solution (this is the main topic of this talk )

The proxy How does it work? The proxy acts as an intermediate systems It takes all streams (TCP/UDP) coming from each endpoint and forwards it to the other (all streams are proxied ) The endpoints don t know that they are not talking directly with each other Internal video endpoint (protected by Firewall) external video endpoint (not protected) DMZ Signaling (TCP) Media streams (UDP)

The proxy How does it work? How does it solve the Firewall problem? The easiest way is to place the Proxy in the DMZ If you don t have a DMZ, place the Proxy in the internal network, and just open the Firewall for this one IP address? all other clients are still protected by the Firewall Is it secure? No, no system which is connected to the Internet in one way or another is protected against attacks, hijack attempts, etc. beside that, YES it is secure (and its possible to make the structure even more secure? a bit later

What proxy to use? AARNet decided to use GnuGK because: Its free It runs on Linux, Windows and Macs It works Many institutions, organizations and companies around the world use it, e.g. Max-Planck Gesellschaft (Germany), KFKI (Hungary), AARNet (Australia), Ohio State University (USA), and many many more It comes with a Gatekeeper It is H.350 aware It also supports several other authentication/authorization methods Several other options Proxy can be (partially) disabled? standard Gatekeeper functionality Port range limitation Support for NATed endpoints LoadBalacing Can proxy basically every protocol (except SIP) H.323, H.225, H.245, H.239, T.120, T.38, DuoVideo, People+Content, H.26x, G.7xx, AES/DES encrypted media streams

?? Wait a second, this talk is supposed to say something about NAT?? NAT Network Address Translation (can) cause a lot of trouble, and it usually doesn t work with H.323 Problem: Translation of IP address private? public and vice versa GnuGK supports NATed endpoints and it works The internal endpoint talks only to the internal address of the GK/Proxy The external endpoint talks only to the external address of the GK/Proxy The GK/Proxy talks to each endpoint on the specific interface (internal/external) and the proxy forwards the streams Does it work? Yes, I installed two systems using GK/Proxy and NAT University of Ljubljana (Slovenia), JET (UK)

?? Wait a second, this talk is supposed to say something about NAT?? Example: The GK/Proxy has two interfaces Internal: 10.10.10.5 External: 203.22.212.245 10.10.10.1 > 10.10.10.5 10.10.10.5 > 10.10.10.1 10.10.10.1 > 10.10.10.5 10.10.10.5 > 10.10.10.1 203.22.212.245 > 59.76.3.5 59.75.3.5 > 203.22.212.245 203.22.212.245 > 59.76.3.5 59.75.3.5 > 203.22.212.245 Internal video endpoint (protected by Firewall) external video endpoint (not protected) Signaling (TCP) DMZ This is the Miracle bubble Media streams (UDP)

Lets talk about security again The GK/Proxy solution in general is secure (as secure as any other system with a network connection) Is it possible to make the structure even more secure? Yes DualProxy Only the two GK/Proxy IPs are allowed to bypass the Firewall, and only if they talk to each other Internal video endpoint (protected by Firewall) external video endpoint (not protected) DMZ Signaling (TCP) Media streams (UDP)

Is this a reliable system? GnuGK proved to be very reliable A few numbers (GK/Proxy of Max-Planck in 2004) ~ 11000 videoconferences >> 2TB of traffic proxied Max. Bandwidth used at one time: > 60Mb/s System availability: 98.63% In 2005 (until 5/2005) > 5500 videoconferences ~ 2TB of traffic Average per day: 3.5Mb/s

Is this a reliable system? Hardware needed: Depending on the amount of traffic, usually a modern standard PC should do the job One of my first systems (was up and running for ~ 2 years (died of a disk failure)) PIII, 1.6GHz; 256MB Ram; SuSE Linux 7.3 Second system (still in use) IBM x35; Quad Intel Xeon 2.4GHz; 1.5GB Ram, Redhat Linux 9

Resources/Additional information You should have joined my workshop yesterday Use these slides New audio/videoconferencing website of AARNet (coming soon), http://www.aarnet.edu.au K. Stoeckigt, E. Verharen; Secure realtime audio/video communication H.350, encryption and Gatekeeper/Proxy using H.323, 19 th Apan Meeting, Bangkok, Thailand K. Stoeckigt; Setup and maintaining GnuGK, 3 rd TelOzConf K. Stoeckigt; Experiences with an OpenSource Solution for the H.323 Firewall issues, Sura/Vide 6 th annual video workshop, Indianapolis, USA K. Stoeckigt, H.323 videoconferencing, NZNOG 04, Hamilton, New Zealand http://www.gnugk.org http://www.rzg.mpg.de/vc If you are interested in running a hands-on workshop in your organization, University, etc. send me an email

www.aarnet.edu.au

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information