Avatar of aceinfotech

Firewall Restriction

Dear Experts,
I am developing a voice chat application for transferring live voice over the network.
I have already developed the voice chat for LAN with the help of JMF. But the problem is that I am behind the firewall and want to transfer the voice to a friend of mine who is outside my network. It doesn't allow me to bypass the firewall.
Avatar of viralypatel

Use HTTP tunnelling software; that would require you to have a proxy server configuration option in your application.
Avatar of aceinfotech


Would you elaborate in more depth?
Please give me details about what you want to say. How do I do that? Please reply as soon as possible.
It would help you divert all the traffic through port 80, which is used for HTTP ...
and port 80 is never blocked.

You'll get a better idea if you see this site ...
or check
Let me tell you, I have used UDP sockets in Java. Is it possible to bypass the HTTP proxy?
Actually, I have already read about the HTTP tunnel but did not exactly get how to transmit voice over an HTTP tunnel.
First, if you are behind a firewall that blocks everything to you, and the only access you have to the Internet is an http proxy, then the chance of communicating by voice is very small. A proxy looks at the http requests, decides whether they are in the cache or not, decides whether you are allowed to look at them, then gets them from the source, stashes them in a store and gives a copy to you. None of YOUR packets ever gets to the Internet.

So, if you are trying to open any sort of bi-directional channel through a firewall which totally blocks you from the Internet, then forget it. A proxy is not an IP passthrough in any sense.

If that is not the case, and assuming that port 80 is actually open to you i.e. you do NOT have to go via an http proxy and you use HTTP tunnelling, it will be the case that your friend can never call YOU. You need to explain to the experts just what you are trying to achieve. I will give you some ideas here:

1. Simple, you are the only one behind a firewall (i.e. your friend is not, or is willing to open his firewall), you will always initiate conversation (i.e. not initiated by your friend) and you do not have NAT problems. This would be OK for a couple of you to talk.

2. Fully reciprocal but only between friends i.e. either you or your friend can initiate and both of you are (or at least maybe) behind a firewall.

3. General purpose peer to peer chat and voice between N people.

The HTTP tunnelling is only useful in case 1.  Even though port 80 is open on many firewalls, it is only for OUTBOUND connections. Firewalls understand tcp sessions and open the return path for some period after initiating an outbound tcp session.

Although you use UDP, if you tunnel using HTTP,  AFAIK it will tunnel using TCP on port 80, and be considerably slower. If you wish to study how other people have overcome the problems of voice behind firewalls, Skype has some very cunning solutions to this problem e.g. read

I hope that helps in your quest.
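
The firewall behaviour described in the post above (an outbound session opens a return path for a limited time, and unsolicited inbound traffic is dropped unless a port is forwarded), as an added example that is not part of the original thread. It is a toy model, not any real firewall's implementation; the class, its method names and all addresses are constructed for illustration.

```python
import time

class StatefulNat:
    """Toy stateful NAT firewall (constructed model, not a real product)."""

    def __init__(self, public_ip, timeout=30.0, clock=time.monotonic):
        self.public_ip = public_ip
        self.timeout = timeout          # how long a return path stays open
        self.clock = clock
        self.sessions = {}              # (public_port, remote) -> (inside, expiry)
        self.forwards = {}              # public_port -> inside (ip, port)
        self.next_port = 40000

    def outbound(self, inside, remote):
        """An inside host connects out: allocate a public port, record the session."""
        port = self.next_port
        self.next_port += 1
        self.sessions[(port, remote)] = (inside, self.clock() + self.timeout)
        return (self.public_ip, port)   # what the remote side sees as the source

    def port_forward(self, public_port, inside):
        """Administrator rule: deliver inbound traffic on public_port to inside."""
        self.forwards[public_port] = inside

    def inbound(self, remote, public_port):
        """Packet arriving from the Internet: inside (ip, port), or None if dropped."""
        entry = self.sessions.get((public_port, remote))
        if entry and entry[1] > self.clock():
            return entry[0]             # reply on a live outbound session
        return self.forwards.get(public_port)

def demo():
    now = [0.0]                         # fake clock so the timeout is deterministic
    nat = StatefulNat("203.0.113.10", clock=lambda: now[0])
    me, friend = ("10.0.0.5", 5004), ("198.51.100.7", 80)
    out = {}
    out["friend_calls_first"] = nat.inbound(("198.51.100.7", 51000), 80)
    seen_as = nat.outbound(me, friend)  # case 1: the inside host initiates
    out["reply"] = nat.inbound(friend, seen_as[1])
    out["stranger"] = nat.inbound(("192.0.2.99", 80), seen_as[1])
    now[0] = 31.0                       # the return path has expired
    out["late_reply"] = nat.inbound(friend, seen_as[1])
    nat.port_forward(80, ("10.0.0.5", 8080))
    out["after_port_forward"] = nat.inbound(("198.51.100.7", 51000), 80)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} -> {result}")
```

Only the reply on the live outbound session and the packet matching the administrator's port-forward rule reach the inside host; everything else is dropped.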

Let me tell you that the UDP ports which I use for the voice transmission are already open. Then is it required to pass the proxy? Very frankly, all these concepts are new to me, so if I make any mistake then sorry for that, and please guide me to get out of this situation. And the link that you sent me is not working, so please send it once again.

Sunay Shah
The link in this page works for me. It is a .pdf file and so needs a .pdf reader in your browser (or separate). Maybe your proxy does not allow you to access .pdf files. I will look for an alternative explanation of the way that Skype solved some of the problems that you are facing.

You did not answer my question about what you are trying to achieve (see 1,2,3, above).

When you say "the udp ports are already open" do you mean that you have direct end-to-end communication using UDP between you and your friend?
Avatar of Sanktwo
Sorry for the late reply. I have not yet installed an HTTP tunnel between my PC and my friend's PC, but let me first check the links that you provided. My ultimate question is how to solve the problem of NAT ---> Network Address Translator, because I am behind the HTTP proxy and for the transmission of voice I am using the RTP protocol. Have a certain idea for this; please help me regarding this.

I admit that I have never done all this, but the following is my understanding.

If you are able to establish an http tunnel in both directions between yourself and your friend, the fact that the http session has had to traverse NAT is irrelevant. Suppose you are on a private range address, say, then, as you make the http connection on port 80 to your friend's public address, your proxy (or firewall or whatever) will translate YOUR address to a routed address on the internet (the first NAT). If your friend also has a private network, say 192.168.33.*, then his firewall will have to be configured to port-forward port 80 to the computer on which he wishes to talk (say The firewall will translate his public IP to his private IP and pass on the packets. At http level, he will think the packet is destined for his private address from your public. When you receive the packet in return it will appear to come from his public to your private address. None of this matters since the tunnel will be a port on your LOCAL machine, which moves packets to a port on his local machine. RTP will open a connection to port X on and it will magically appear to be delivered to a waiting application on port x on

Of course, if you and your friend exchange packets containing your local IP addresses, they will not be the same as the IP address in the HTTP connection - but I don't think that matters if there is no signalling involved. I.e. you never send a packet saying "call me on".

A much more difficult problem is the choice of the ports for RTP (the x above). I am not sure that a tunnel will offer a huge range of ports which RTP might use. With your current software can YOU choose which port pair are used for RTP? If you can then you can simply tell the tunnel software to forward those ports (one each for client and server).

First, before you do anything too complicated with rtp, see if you can set up the http tunnel and just ensure that you can round-trip packets on two fixed ports. It would be a good idea to measure the round-trip time and its variation. It might be too slow for voice.
First tell me this: I am using the RTP protocol for voice and the proxy is HTTP; how can I solve the difference in protocol? Because RTP and HTTP are different protocols.
You really have to try to read up on the meaning of "tunnelling". To do "tunnelling" a tunnel program has to be run at both ends of the connection, a client on your computer, server on your friend's computer. This piece of software is "the tunnel". It offers ports on your computer which you can open with whatever protocol you wish. Packets of information that you send are "converted" into the HTTP protocol (put, get etc) and passed over the tunnel. They are reverse-converted at the other end and passed to an application that your friend is running. Thus, independent of what protocol you use, what ACTUALLY gets passed via the HTTP proxy is "pure" html (though meaningless if you tried to display it in a browser).
This is not an efficient thing to do, since work has to be done on your computer, the HTTP protocol is based on TCP which might try re-sends etc leading to jitter and slow packet delivery and then more work has to be done on your friend's computer.

See for more information including how their tunnel works (encryption, base64 encoding etc.). If you really want to believe that it is POSSIBLE to do what you are trying to do, see:

EE is not an ideal medium for learning a technique (e.g. no diagrams) so you will have to try to understand tunnels by trying to implement something simple first. Forget RTP just at the moment, just run a tunnel and try to send a single UDP packet over it to your friend.
Thanks for the reply.
I am getting what you are trying to explain. Do I have to develop the tunnelling software myself? Because as a developer I have to make all things by myself. If so, then give me the guidelines for that. And on the questions that you asked above (1, 2, 3), I would like to choose the third option. How do I implement an HTTP tunnel in my LAN messenger? Please tell me as soon as possible...
Sunay S Shah
And let me thank you for your really appreciable response. :) I am a trainee in the organization and have no more experience in this field, but your support will definitely solve my problem. Once again thanks for that; please reply to my question above.
One of the most important lessons to learn in the software world is what NOT to develop yourself. You would certainly not decide to write your own compiler, or editor or operating system (although I admit Linus Torvalds did one of those :-))

There is a good rule to learn - if you look at a package of software and say "that software is much too big and complicated to learn to use - I can make a much simpler solution" then you probably don't understand the problem!

So, even if you finally decide to program a tunnel yourself, you really should try to use (and study) an existing tunnel. Personally I have only used expensive, commercial tunnels, so I have no direct experience of the FOSS tunnel software. If you really wish to know how a tunnel is programmed then, if you use something like you can get an executable tunnel for Linux and Windows and study the source code to see how somebody else did it.

I will answer separately about your desire to make a fully general communication channel over a tunnel.

By the way, I have been told separately that my comment regarding the difficulty of bypassing proxies using a tunnel is NOT TRUE. The firewall tunnel disables the caching of the proxy so there is no problem there.
"Option 3. General purpose peer to peer chat and voice between N people."

I wondered if you had that in mind. Unfortunately that is a different size of problem to you being behind a proxy with no other access to the internet and your friend on an internet-accessible network and controlling his own firewall. If you are only trying to do option 1, then using an HTTP tunnel is probably OK, though as I have mentioned before, the performance might not be too good.

For both options 2 and 3 I don't think that there is any solution which does not require a third computer on the Internet more or less under YOUR control to at least initiate the connection. (Other experts - any counter examples to that?) In other words, to make use of an HTTP tunnel the destinee of the call has to be able to accept port 80 inbound connections (which you will not be able to do behind a firewall unless you are given specific permission).

Option 3 is what Skype has managed, but if you think using a tunnel is complicated, study what Skype has done. Skype also needs access to computers which are not blocked to inbound connections, at least to initiate conversations (and in some cases to carry them).

So, my suggestion is that if you are not happy to stick with Option 1 then you should find another application on which to learn computing.
Thanks for the reply again.
As I have mentioned, I want to stick with the third option. Is it possible to develop the voice chat in such a manner? For a moment, suppose that the inbound connection is not open and I want to open that connection; is it possible?
First, it is clearly POSSIBLE to develop voice chat which works behind firewalls as in option 3 because Skype and Gizmo have already done it. Both work behind firewalls and have techniques for punching holes in firewalls AND handling NAT at both ends of the conversation AND having conference calls between several people.  My only point was that I don't think it is an achievable goal early on in your software career.

Your second question - can inbound connections be opened? :

In order to accept inbound HTTP tunnel connections i.e. to get your friend to contact you, you have to persuade your firewall administrator to forward all connections to port 80 to a computer you control. That means that your organisation cannot run a Web server on the IP address they use for NAT. See for an explanation if you are unsure what port forwarding is.
PS, if you are more enthusiastic about Java than C you might care to look at the source and documentation of "Sockets over HTTP (SOHT)"  on
Thanks Sanktwo,
Let me check the links sent by you. They look very helpful. I hope I can implement voice chat through this link :) It will take two or three days to do properly. Then I will contact you. You know that in the training period I have to submit the documentation and so on, but I will definitely reply to you. Can you tell me how to integrate the (<-----------Java client and server ---------> reference sent by you in the above answers) in my LAN messenger?
Sorry, I have no experience of Lan Messenger.
I am not asking about the LAN messenger; I mean how to integrate the link that you sent me.
It is not a problem if you don't know, but you will definitely get the points for your help. I hope your suggestions will continue. Right now I have some work regarding college, so it will take 2 to 3 days to reply back. Sorry for that.

With Regards
Sunay S Shah
I put a lot of effort in to help aceinfotech. I am not hassling for the points but I believe that I answered several of his questions. I don't think points refunded is appropriate.
The Asker still needs help and all the experts had abandoned him. Thus the refund
Venabili, I suggest that you re-read the last post by the author. I was awaiting his response. The comment about "lan messenger" was additional to the original question. I had no intention of abandoning him.
Sorry Venabili and Sanktwo,
I was on training in the organization and I had exams in the college, so I couldn't contact you for a long time. I really felt guilty, but I really appreciate the help of Sanktwo and would like to give points for his help. Let me tell you that I have now been appointed to the job, so there is a long gap between the question and answer. Thanks Sanktwo, and sorry for the late reply, but once again I appreciate your help and am also giving you points for it.

With regards
Sunay Shah
Sorry once again Sanktwo,
I really appreciate your help, and I got many clues by interrogating with you. I have implemented voice chat for LAN; now I have to implement it for the internet. I have searched for a long time, and I came to know that the STUN protocol would help me to get out of the problem. Am I right?
If you have an idea then please suggest.
Sunay, Before I go on you should be aware that I have never tried to use a stun server (at least from a program that is).

My initial reaction when you suggested stun protocol was - wow, that is complex for a student project and - needs a publicly available stun server which I did not think existed.

The latter is not true; I have just discovered that at least one public stun server exists at , so that is not a problem.

As you are aware, stun is the protocol to discover a real ip address when you are behind a NAT router. BUT, you told me originally that your access to the internet was blocked except for port 80. To use STUN you need to have the firewall between you and the internet opened for udp access to port 3478 on the Internet. Before we go on, is that true for both you and your friend? Without that, there is no point in considering further.

I will have to do some studying to answer in more detail. Even if you and your friend can find each other's ip address, without some co-operation by your site's firewall administrators or a server on the internet behind a firewall controlled by you, I am still not sure how it is possible for either of you to initiate communications at any time. That might be my misunderstanding - I will study the topic a little more.
Thanks for your co-operation; eagerly waiting for your reply.
With regards
Sunay S Shah
Sunay, ok, over to you now. Here is how you and your friend can test
your access to the stun server:

Download version 0.96 stun test client binary for Windows from

Open up a command window in your download directory and type:

If you get:
      STUN client version 0.96
      err 10055 Unknown error in send
      err 10055 Unknown error in send
      err 10055 Unknown error in send
      err 10055 Unknown error in send
      Primary: Blocked or could not reach STUN server
      Return value is 0x00001c

Then you have no access to the STUN server (blocked by a firewall) and you cannot use it.

If you AND your friend get some other return, post them both here and we can inspect them.