Firewall Config for Polycom video conferencing

We have a SoniWall TZ 170 Firewall, and an old Polycom ViewStation 512 unit. Will soon be on a 1.5Mb T1 line.

1) What is the best way to connect the Polycom to our network. (Performance is to priority)
* WAN
* DMZ
* LAN

2) Looking for documentation on Firewall / NAT rules to configure the Polycom to work with our firewall.
InfoTechEEAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
vikrantambhoreConnect With a Mentor Commented:
Here is what the you needs to know about NAT/IP conferencing on the Polycom Platform.
If you call Polycom, they will tell you they do not support NAT translation on the MGC 100.  BUT, we do have customers that are setup in their DMZ using NAT and are able to connect to our MCUs.
In the past, Polycom has released this information to InterCall.
For the Viewstation, the bare minimum ports are:

o      1720 – Static TCP – H.323 call set up (must be bi-directional)
o      3230 – 3231 TCP
o      3230 – 3235 UDP

This gives you basic video conferencing capability.  You must have “used fixed ports” selected in the Viewstation UI and this is assuming that the range has not been modified.  The customer should also be aware that the latest versions of Viewstation software (from v 7.2.3) allow you to disable the management ports on the system.  If the customer would like to do T.120 or use a gatekeeper he will need additional ports.

More port information:
H.323 Ports:
80   – Static TCP – HTTP Interface (optional)
389  – Static TCP – ILS Registration (LDAP)
1503 – Static TCP – T.120
1718 – Static UDP – Gatekeeper discovery (must be bi-directional)
1719 – Static UDP – Gatekeeper RAS (must be bi-directional)
1720 – Static TCP – H.323 call set up (must be bi-directional)
1731 – Static TCP – Audio Call Control (must be bi-directional)
8080 – Static TCP – HTTP Server Push (optional)
1024 – 65535 Dynamic TCP H245
1024 – 65535 Dynamic UDP – RTP (Video data)
1024 – 65535 Dynamic UDP – RTP (Audio data)
1024 – 65535 Dynamic UDP RTCP (Control Information)

The dynamic ports shown above can be set to “Fixed Ports” on Polycom systems from the User Interface.

In working with Polycom recently, it was stated that they are transmitting through the 49000 port range.

Our response to customers will be to pull diagnostics from the firewall and view the needed ports for transmission.  We cannot instruct nor assist with reconfiguration of customer firewalls.  We can only relay the above information.

Also, The NAT should be at the firewall, not at the video system.  It should be one to one Static NAT with the private IP address from the unit through the firewall to the public IP address on the firewall.  One can try to Telnet the IP address from the MCU to confirm whether or not there is something blocking the video data being transported.


I should receive some additional information from Engineering soon and I will send it to you as well.

I hope this help, I am working on Polycom but we are using CIsco Firewall for this
1
 
digitapCommented:
review the voip settings on the sonicwall. there should be something on the left hand side. it's been a while since i've been in a 170. do you have the enhanced or standard OS? will you be establishing calls out only or receiving calls to the polycom?

my experience is that if you need to have calls come in, then you must open your sonicwall to the polycom WAN > LAN.
0
 
InfoTechEEAuthor Commented:
Its a video conferencing system. It has enhanced OS. Calls will be going in and out.
If I were to place it on the LAN, I'm pretty sure that we would have LAN > WAN fully open.

So I would mostly be concerned with the WAN > LAN rules, but I don't remember what they are. That's what I'm looking for help with.
0
 
digitapConnect With a Mentor Commented:
@vikrantambhore :: sweet! this is good information. i'd just opened all the ports to my HDX unit because i didn't know what to open. i'll be revisiting this using the information you provided!

@InfoTechEE :: i've attached a screen shot showing pre-configured h323 services on the sonicwall. what you'll want to do for those services that do not appear as specified by vikrantambhore is to create a service object at firewall > services. then, create a service group at firewall > services and include all your service objects. when you run the public server wizard, you select the service group you created. also, when i was original setting up some polycom HDX units, i had to enable H.323 transformations on the sonicwall. i'm not sure if its enabled by default, but we could not call out to another HDX until we enabled this. i'm not sure where it is on the 170 enhanced, but it is on a 3060 enhanced.

here's the help for the VoIP section on the sonicwall.
http://help.mysonicwall.com/sw/eng/305/ui2/23200/VoIP/Settings.htm?p=305&o=751

here's a KB on running the public server wizard.
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7027

hope that helps!
0
 
vikrantambhoreCommented:
Hi digitap,

Glad to know my information was helpfull for you
I just Saw your Profile, U are expet in Exchange server, I need your help in Exchnage 2007, It will be a great if you can look my open question

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26853203.html


http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26851949.html
0
All Courses

From novice to tech pro — start learning today.