nfpfoil
asked on
Video Conferencing & Pix Firewall Problems
My IT dept are trying to set up a 'polycom' video solution from office to my home.
There appears to be a problem at the office end with getting the comms through the 'pix' forewall.
They tell me that in testing they are able to comment to the polycom test site but are not able to see any video or hear any audio.
Can anyone offer any possible solutions.
There appears to be a problem at the office end with getting the comms through the 'pix' forewall.
They tell me that in testing they are able to comment to the polycom test site but are not able to see any video or hear any audio.
Can anyone offer any possible solutions.
What version PIX?
the only other option would be something hosted like WebEx or e/pop. Anything you host internally would still go through the PIX. My suggestion would be to get them to fix the ACL's on the PIX that are blocking the traffic.
Many people have problems with H323 Video Conferencing through a CISCO PIX.
The problem with H.323 VC is that it can use any dynamic ports from 1024-65535!! There are a couple of methods to resolve this and they are;
1. Use the integrated CISCO PIX 'fixup or inspect' - This will dynamically inspect any VC traffic and open and close the relevant ports as and when required. The downside is that CISCO only support H.323 version 4, so it will not support all Video Conferencing features (some that are not supported are, Encrpytion & Dual Display/DuoVideo/People&Co
2. Set your Video Conferencing endpoint to use static Ports and open those up on the firewall (If using this option you have to swtich the 'fixup' or 'inspect' off on the CISCO firewall otherwise it will interfere.
There are set of instructions on what ports and how to open then up on a CISCO PIX here:
http://www.firstconnections.co.uk/support/viewkb.asp?id=26
If you have any problems, please contact me as I have much experience with H323 & CISCO PIX, but this should be enough info to help you out.
Good Luck!
Dave.
The problem with H.323 VC is that it can use any dynamic ports from 1024-65535!! There are a couple of methods to resolve this and they are;
1. Use the integrated CISCO PIX 'fixup or inspect' - This will dynamically inspect any VC traffic and open and close the relevant ports as and when required. The downside is that CISCO only support H.323 version 4, so it will not support all Video Conferencing features (some that are not supported are, Encrpytion & Dual Display/DuoVideo/People&Co
2. Set your Video Conferencing endpoint to use static Ports and open those up on the firewall (If using this option you have to swtich the 'fixup' or 'inspect' off on the CISCO firewall otherwise it will interfere.
There are set of instructions on what ports and how to open then up on a CISCO PIX here:
http://www.firstconnections.co.uk/support/viewkb.asp?id=26
If you have any problems, please contact me as I have much experience with H323 & CISCO PIX, but this should be enough info to help you out.
Good Luck!
Dave.
Does delete mean this information will literally be deleted?
I have posted some very usefull information and feel it may be relevant for future searches?
I have posted some very usefull information and feel it may be relevant for future searches?
Yes, that is what the recommendation means.
Whilst your link may well have sorted the issue, this could easily have been down to the proverbial double-nat problems that have often impacted H323-type communications (although we don't know if there was a second firewall/gateway in use inside the pix perimeter).
As the question asker has not responded to any of the comments it is impossible to know definitively. That said, if you feel your contribution should be kept i am happy to change the recommendation to PAQ - no refund.
Regards
keith
Whilst your link may well have sorted the issue, this could easily have been down to the proverbial double-nat problems that have often impacted H323-type communications (although we don't know if there was a second firewall/gateway in use inside the pix perimeter).
As the question asker has not responded to any of the comments it is impossible to know definitively. That said, if you feel your contribution should be kept i am happy to change the recommendation to PAQ - no refund.
Regards
keith
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.