Application Note - Using Tenor behind a Firewall/NAT



Similar documents
Firewall VPN Router. Quick Installation Guide M73-APO09-380

Automatic External (Public) IP Discovery Through NAT

Multi-Homing Dual WAN Firewall Router

IP Ports and Protocols used by H.323 Devices

VegaStream Information Note Considerations for a VoIP installation

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Lab Configuring Access Policies and DMZ Settings

Enabling NAT and Routing in DGW v2.0 June 6, 2012

Broadband Phone Gateway BPG510 Technical Users Guide

Firewall Defaults and Some Basic Rules

Firewall Firewall August, 2003

Application Note Patton SmartNode in combination with a CheckPoint Firewall for Multimedia security

About Firewall Protection

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Personal Telepresence. Place the VidyoPortal/VidyoRouter on a public Static IP address

FIREWALLS & CBAC. philip.heimer@hh.se

Knowledgebase Solution

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

UIP1868P User Interface Guide

DLink-655 Router Configuration Guide for VoIP

Multi-Homing Security Gateway

LifeSize Transit Deployment Guide June 2011

Cisco TelePresence Video Communication Server (Cisco VCS) IP Port Usage for Firewall Traversal. Cisco VCS X8.5 December 2014

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

White Paper. Traversing Firewalls with Video over IP: Issues and Solutions

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Application Note. Onsight Connect Network Requirements V6.1

Chapter 11 Cloud Application Development

Cisco Expressway IP Port Usage for Firewall Traversal. Cisco Expressway X8.1 D December 2013

Chapter 4 Firewall Protection and Content Filtering

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

ADTRAN 3120 / 3130 Internet Configuration Guide

SIP Trunking Configuration with

Chapter 4 Security and Firewall Protection

Securing Networks with PIX and ASA

Technical White Paper for Traversal of Huawei Videoconferencing Systems Between Private and Public Networks

Chapter 3 Security and Firewall Protection

Internet and Intranet Calling with Polycom PVX 8.0.1

Application Note. Onsight Connect Network Requirements v6.3

Application Note. Onsight TeamLink And Firewall Detect v6.3

6.40A AudioCodes Mediant 800 MSBG

nexvortex Setup Template

Chapter 4 Firewall Protection and Content Filtering

Lab Configuring Access Policies and DMZ Settings

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

Hosted Voice. Best Practice Recommendations for VoIP Deployments

Com.X Router/Firewall Module. Use Cases. White Paper. Version 1.0, 21 May Far South Networks

Chapter 12 Supporting Network Address Translation (NAT)

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

Protecting the Home Network (Firewall)

Overview - Using ADAMS With a Firewall

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

allow all such packets? While outgoing communications request information from a

Implementing Network Address Translation and Port Redirection in epipe

UCi2i Video Conference Endpoint Firewall Requirements. UCi2i Video Conference Endpoint Firewall Requirements

Accessing Remote Devices via the LAN-Cell 2

Overview - Using ADAMS With a Firewall

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

CSCE 465 Computer & Network Security

Load Balance Router R258V

Basic Network Configuration

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server. Quick Start Guide

Enterprise Edge Communications Manager. Data Capabilities

Chapter 4 Customizing Your Network Settings

Configuring Network Address Translation (NAT)

Using the NetVanta 7100 Series

TW100-BRF114 Firewall Router. User's Guide. Cable/DSL Internet Access. 4-Port Switching Hub

Service Managed Gateway TM. How to Configure a Firewall

Polycom. RealPresence Ready Firewall Traversal Tips

Thank you for purchasing a Panasonic Pure IP-PBX. Please read this manual carefully before using this product and save this manual for future use.

NAT (Network Address Translation)

Voice Over IP and Firewalls

Any to Any Connectivity Transparent Deployment Site Survivability

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP LTM for SIP Traffic Management

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

IP Filter/Firewall Setup

Chapter 15. Firewalls, IDS and IPS

Gigabit Content Security Router

HOSTED VOICE Bring Your Own Bandwidth & Remote Worker. Install and Best Practices Guide

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Security perimeter white paper. Configuring a security perimeter around JEP(S) with IIS SMTP

DSL-G604T Install Guides

Customer Guide. BT Business - BT SIP Trunks. BT SIP Trunks: Firewall and LAN Guide. Issued by: BT Business Date Issue: v1.

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment)

nexvortex Setup Guide

SIP Trunking with Microsoft Office Communication Server 2007 R2

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Internet Security Firewalls

To ensure you successfully install Timico VoIP for Business you must follow the steps in sequence:

WEB CONFIGURATION. Configuring and monitoring your VIP-101T from web browser. PLANET VIP-101T Web Configuration Guide

ThinkTel ITSP with Registration Setup Quick Start Guide

Network Address Translation (NAT)

GlobalSCAPE DMZ Gateway, v1. User Guide

Using a Cisco PIX Firewall to Limit Outbound Internet Access

Chapter 1 Personal Computer Hardware hours

An Examination of the Firewall/NAT Problem, Traversal Methods, and Their Pros and Cons

SSVP SIP School VoIP Professional Certification

Transcription:

Application Note - Using Tenor behind a Firewall/NAT Introduction This document has been created to assist Quintum Technology customers who wish to install equipment behind a firewall and NAT (Network Address Translation) server for their application. The information and application examples provided here may not match your application exactly, but should provide the necessary information to understand how you might want to configure the Tenor for your application. Tenor Hardware & Software This document covers the following Quintum products: Tenor AX/AS/AF Tenor DX/BX Tenor CMS Call Relay 60 Call Relay SP The Challenge One of the major issues that has faced companies wishing to deploy H.323-based VoIP telephony networks has been concern about maintaining the security and integrity of the corporate LAN infrastructure. Until now it has been impossible to deploy H.323-based VoIP equipment behind most NAT firewalls without opening up the firewall to the point where the security of the corporate LAN is seriously compromised. Solutions to this problem have included: Deploying the Gateway outside of the firewall on the Public section of the LAN. Deploying the Gateway behind the firewall in the De-Militarized Zone (DMZ). Deploying the Gateway behind the firewall on the Private section of the LAN but with the firewall partially opened up to enable H.323 traffic to pass through it correctly. Page 1 of 8

Typical LAN Infrastructure Corporate LAN infrastructures typically contain three domains, at a minimum, as follows: Public domain, which is located behind the main router but in front of the firewall The public LAN is used to deploy any IP devices that must be easily accessible by any other IP device. These devices must use addresses from the range reserved for public usage. They are fully exposed to the WAN and are not protected in any way. Demilitarized Zone, or DMZ, which is connected to the DMZ port of the firewall The DMZ LAN is used to deploy IP devices in a more secure area where they have broad public access and are somewhat protected by some of the features of the firewall. Examples would be Web servers, or FTP servers, which need to be exposed to the WAN but can be protected to some extent by the IP address and port screening techniques used for packet filtering in the firewall. In the case of a Web server, for example, the firewall could be configured to restrict all traffic in and out of the DMZ to HTTP and HTTPS (ports 80 and 443) only. Private domain, which is located completely behind the firewall The private LAN is used to support all internal IP devices within the corporation and is very secure, as it is entirely behind the firewall. The firewall can employ techniques such as packet filtering, stateful (dynamic) packet inspection, and Network Address Translation (NAT) to provide a high degree of protection to all the devices on the internal network. Devices on the private LAN use IP addresses assigned for private use. Figure 1 Typical Enterprise LAN Infrastructure Page 2 of 8

NAT Firewalls and the H.323 Protocol Network address translation is a very powerful technique providing a high degree of security for the private LAN. All the IP addresses for devices on the private LAN are translated into a single public IP address on the public LAN. In this way, the internal infrastructure and its addresses are hidden from public view. This also has the advantage of requiring only one public IP address to support many devices on the private LAN side. Using NAT does pose problems for some applications. In the case of the H.323 protocol, some of the addressing information is contained in the IP packet header and some in the packet itself. In the course of the NAT process, the firewall unpacks the packet headers and translates all the addresses that it finds into another alias address, and keeps a table of these translations. However, it does not translate the addresses contained in the IP packets and, as a result, the H.323 communication session fails. This problem often exhibits itself in such a way that the H.323 session connects correctly but the voice connections only work in one direction. Deploying H.323 Gateways in the Public Domain A common way of bypassing the problems caused by NAT firewalls is to place the H.323 Gateway outside of the firewall on the public LAN. In this way, it is fully accessible to other IP Gateways throughout the WAN. However, there are security concerns in the form of unauthorized usage of the Gateway, and exposure to malicious attacks from hackers who may be able to reconfigure or disable the Gateway. Figure 2 Deploying a conventional VoIP Gateway on the Public LAN Deploying H.323 Gateways in the DMZ Domain The next most secure method of deploying an H.323 Gateway in a corporate network is to place it in the DMZ. In this way, it is fully accessible to other IP Gateways throughout the WAN, but is somewhat protected by the packet filtering regime imposed in the firewall. However, this only improves the security to the extent that it limits traffic to specific addresses and ports used by the H.323 application. The same concerns apply as in the public domain, except that any would-be attacker must be familiar with all the ports used in the H.323 protocol. Page 3 of 8

Figure 3 Deploying a Conventional VoIP Gateway in the DMZ of the Firewall Deploying H.323 Gateways in the Private Domain The most secure way to deploy the H.323 Gateway is behind the firewall on the private LAN. Theoretically, it can take advantage of all the security measures imposed on the LAN. In practice, it is necessary to open up a significant number of ports to support H.323 applications. Opening up these ports creates a hole in the firewall, which somewhat reduces the security provided by the firewall. In addition to this reduction in the efficacy of the firewall, problems will be experienced in the connection of H.323 calls if the firewall uses Network Address Translation as part of its armory of security tools. Figure 4 Deploying a Conventional VoIP Gateway on the Private LAN NATAccess Technology Provides the Solution Quintum s NATAccess technology enables the Tenor MultiPath VoIP Switches to operate correctly behind a NAT-equipped firewall (this feature does not apply to the CMS and Call Relay SP). This means that the Tenor can be successfully deployed on the private LAN behind the NAT firewall. This eliminates one of the major security concerns expressed by network administrators when working with H.323 VoIP, and greatly eases installation in conventional network infrastructures. NATAccess is built-in to every Tenor VoIP switch and enables the Tenor to operate directly on the private LAN if it is the only H.323 endpoint on the LAN. Page 4 of 8

Figure 5 Deploying the Quintum Tenor with NATAccess on the Private LAN Quintum s CallRelay, a separate standalone unit, may be used in the event that there are multiple H.323 endpoints deployed on the LAN. Page 5 of 8

Application Example Figure 6 Tenor Connected to an Internal LAN As shown in the figure above, this example shows a Tenor connected to an internal LAN or private network. The Tenor is behind a Firewall/NAT, which provides two main functions. The first is to secure the internal network by not allowing unknown outside users to initiate connections to the internal network. This is done by securing the different ports (and sometimes IP addresses) that are used. The second function is to avoid using any public IP addresses on the internal network. This allows the customer to purchase a small amount of public IP addresses from the ISP, but have virtually unlimited endpoints on the internal network. To state it simply, when a user on the internal network initiates a request to the Internet, his/her private IP address is translated to the public IP address when the request goes through the firewall/nat to the Internet. This is so the destination site knows the IP address to which it should return the information. The firewall/nat maintains a log of which endpoints requested what destinations, and when a response is received from a destination site, the firewall/nat directs it to the endpoint that made the original request. Issues and Solution When set up as in the previous Application Example, if you only provide the Tenor with a private IP address and the Tenor needs to send and receive calls from the public IP address, the calls do not work. This could be for two reasons: the firewall does not allow the traffic out or in based on the ports requested; or the IP address is sent out incorrectly. Both are explained below. Firewall Port Access Because firewalls are used to secure the internal network from attacks from the public network, they typically have many of the port numbers required for VoIP disabled or closed from being accessed. If they are closed, then you will not be able to get a VoIP call up between your internal network and anywhere on the public network. In order to make this work, you will need to re-configure your firewall to open specific inbound port(s) for VoIP. Below is a list of port numbers, protocols, and uses that you will need to consider opening to make this work. Not every port needs to be opened. Check on your needs and only open the ones you require, and ensure that there is no blocking on outbound ports. Page 6 of 8

Tenor Port System-level Name Ping Type Port # Comments ICMP FTP TCP 20, 21 Software upgrade Telnet TCP 23 CLI SNTP Client UDP 123 Time setting SNMP UDP 161 Management HTTP TCP 8080 Configuration Manager Alarms TCP 9000 Alarm reporting Call Events TCP 9001 Call events reporting CDR TCP 9002, 9003, 9004*, 9005* CDR Delivery Tenor Monitor TCP 9021 NMS protocol used to monitor Tenor events *CR-SP and CMS only Configuration Manager Configuration Command Line Interface Configuration Only configurable in CLI config-ethernetinterface-sl1dv1ei1# set wsp {num} Systemwide Configuration > CDR Servers > CDR Server-n > CDR Server Port config-cdrserver-n# set cdrserverport {num} config-cdrserver-n# set cdrserverport {num} Media (needed for both H.323 and SIP) Name Type Port Comments PacketSaver UDP 10064 GW-to-GW communications RTP/RTCP Media UDP 10240-13120 H.323 Signaling Voice-related packets GW-to-GW Each VoIP call needs 2 UDP ports (one for RTP and the other for RTCP). AS/AX/AF/BX/DX: 10240 11200 (960 ports 480 RTP and 480 RTCP) CMS: 10240 12160 (1920 ports 960 RTP and 960 RTCP) Call Relay SP: 10240 13120 (2880 ports 1440 RTP and 1440 RTCP) Name Type Port # Comments Discovery (RAS) UDP 1718 GW-to-GK RAS communications Registration (RAS) Call Signaling (Q.931) UDP 1719 GW register to GK RAS communications TCP 1720 GW-to-GW communications (Q.931-H.225.0 Signal) Configuration Manager Configuration Command Line Interface Configuration VoIP Configuration > Gatekeeper/Border Element > General tab > GK Listening Port config-gatekeeperparam-1# set gklp {num} VoIP Configuration > Gatekeeper/Border Element > General tab > Registration Port config-gatekeeperparam-1# set rp {num} Page 7 of 8

Name Type Port # Comments H.245 Signaling TCP 2000 3999 Service / BE Control GW-to-GW communications where H.245 tunneling is not used. One port needed for each active VoIP call. UDP 5001 GK register to BE communications BE = Border Element, GK = Gatekeeper, GW = Gateway Configuration Manager Configuration Command Line Interface Configuration SIP Signaling Name Type Port # Comments Session Initiation Protocol SIP 5060 All SIP signaling. 5060 is the default Listening Port for the first SIP User Agent be sure to take account of all Listening Ports configured in all SIP Signaling Groups. Configuration Manager Configuration Command Line Interface Configuration VoIP Configuration > SIP Signaling Groups > SIP Signaling Group-n > User Agent tab > Add button > Add User Agent dialog > SIP Listen Port config-sipsignalinggroup-1# add lp {ListenPort} Once you configure your firewall to allow the correct ports to be opened for communication, the application will work at this level. You still need to check the NAT function. NAT Translation As shown in Figure 6 at the beginning of this Application Example, when the Tenor is on a private network and needs to access the public network, the call goes through a NAT, or Network Address Translation Server. The NAT translates the IP address in the IP header, but generally, it is not able to translate the IP address in the H.323 frame. There are a number of things that must be done for this to work correctly. First, your NAT must be configured to map a public IP address to the Tenor. For example, the NAT would be configured so that 208.225.141.100 is mapped to 192.168.1.100 (Tenor private IP address), so that any incoming calls to 208.225.141.100 are sent to the Tenor at 192.168.1.100. Additionally, if your NAT can perform H.323 translation, this should be turned off. The reason for this is that in the NAT servers we have seen to date that can perform this function, they can only do so for basic VoIP software like NetMeeting and do not perform this function correctly on higher end VoIP Gateways like the Tenor. Finally, in the Tenor, you must configure the EthernetInterface External NAT IP as the public IP address. So the Tenor will have two IP addresses at the Ethernet Interface prompt. The IP Address is the private IP address (192.168.1.100) and the External NAT IP is the public IP address (208.225.141.100). When the Tenor needs to send or receive a call to/from the public IP, the Tenor translates the IP address in the H.323 frames and the NAT translates the IP packet address. If your ISP connection is using DHCP, you may not always know the public IP to assign to the Tenor. Please refer to the document called Auto External IP located on our web site in our Customer Service area under the Cross-Platform Technical Documentation - Networking and Interop section. Page 8 of 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information