Firewall Config for Polycom video conferencing

Posted on 2011-03-09
Last Modified: 2012-10-11
We have a SonicWall TZ 170 Firewall, and an old Polycom ViewStation 512 unit. Will soon be on a 1.5Mb T1 line.

1) What is the best way to connect the Polycom to our network? (Performance is top priority)

2) Looking for documentation on Firewall / NAT rules to configure the Polycom to work with our firewall.
Question by: InfoTechEE

Expert Comment

ID: 35087453
review the voip settings on the sonicwall. there should be something on the left hand side. it's been a while since i've been in a 170. do you have the enhanced or standard OS? will you be establishing calls out only or receiving calls to the polycom?

my experience is that if you need to have calls come in, then you must open your sonicwall to the polycom WAN > LAN.

Author Comment

ID: 35087894
It's a video conferencing system. It has enhanced OS. Calls will be going in and out.
If I were to place it on the LAN, I'm pretty sure that we would have LAN > WAN fully open.

So I would mostly be concerned with the WAN > LAN rules, but I don't remember what they are. That's what I'm looking for help with.

Accepted Solution

vikrantambhore earned 250 total points
ID: 35090567
Here is what you need to know about NAT/IP conferencing on the Polycom Platform.
If you call Polycom, they will tell you they do not support NAT translation on the MGC 100. BUT, we do have customers that are set up in their DMZ using NAT and are able to connect to our MCUs.
In the past, Polycom has released this information to InterCall.
For the Viewstation, the bare minimum ports are:

o      1720 – Static TCP – H.323 call set up (must be bi-directional)
o      3230 – 3231 TCP
o      3230 – 3235 UDP

This gives you basic video conferencing capability.  You must have “used fixed ports” selected in the Viewstation UI and this is assuming that the range has not been modified.  The customer should also be aware that the latest versions of Viewstation software (from v 7.2.3) allow you to disable the management ports on the system.  If the customer would like to do T.120 or use a gatekeeper he will need additional ports.

More port information:
H.323 Ports:
80   – Static TCP – HTTP Interface (optional)
389  – Static TCP – ILS Registration (LDAP)
1503 – Static TCP – T.120
1718 – Static UDP – Gatekeeper discovery (must be bi-directional)
1719 – Static UDP – Gatekeeper RAS (must be bi-directional)
1720 – Static TCP – H.323 call set up (must be bi-directional)
1731 – Static TCP – Audio Call Control (must be bi-directional)
8080 – Static TCP – HTTP Server Push (optional)
1024 – 65535 Dynamic TCP H245
1024 – 65535 Dynamic UDP – RTP (Video data)
1024 – 65535 Dynamic UDP – RTP (Audio data)
1024 – 65535 Dynamic UDP RTCP (Control Information)

The dynamic ports shown above can be set to “Fixed Ports” on Polycom systems from the User Interface.

In working with Polycom recently, it was stated that they are transmitting through the 49000 port range.

Our response to customers will be to pull diagnostics from the firewall and view the needed ports for transmission.  We cannot instruct nor assist with reconfiguration of customer firewalls.  We can only relay the above information.

Also, the NAT should be at the firewall, not at the video system. It should be one to one Static NAT with the private IP address from the unit through the firewall to the public IP address on the firewall. One can try to Telnet the IP address from the MCU to confirm whether or not there is something blocking the video data being transported.

I should receive some additional information from Engineering soon and I will send it to you as well.

I hope this helps. I am working on Polycom, but we are using a Cisco firewall for this.
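
An added example, not part of the original answer: a small audit that compares a firewall's WAN > LAN allow rules for the Polycom unit against the fixed-port minimum listed above, reporting ports that are still blocked and rules that expose more than the minimum. The rule tuples, the `audit` helper and the 192.0.2.x addresses are constructed for illustration and are not a SonicWall export format.

```python
"""Added example: audit WAN > LAN allow rules against the ViewStation fixed-port minimum."""

# Minimum inbound ports from the answer above ("use fixed ports" enabled).
REQUIRED = [("tcp", 1720, 1720), ("tcp", 3230, 3231), ("udp", 3230, 3235)]

# Constructed sample rules: (protocol, first port, last port, NAT destination).
# 192.0.2.10 is a documentation address standing in for the Polycom unit.
SAMPLE_RULES = [
    ("tcp", 1720, 1720, "192.0.2.10"),
    ("tcp", 3230, 3231, "192.0.2.10"),
    ("udp", 3230, 3233, "192.0.2.10"),   # too narrow: 3234-3235 missing
    ("tcp", 1024, 65535, "192.0.2.10"),  # the "open everything" rule
    ("tcp", 443, 443, "192.0.2.20"),     # unrelated host, ignored
]


def required_ports():
    """Expand REQUIRED into one set of port numbers per protocol."""
    ports = {"tcp": set(), "udp": set()}
    for proto, lo, hi in REQUIRED:
        ports[proto].update(range(lo, hi + 1))
    return ports


def audit(rules, unit_ip):
    """Return (missing, too_broad) for rules whose destination is unit_ip."""
    need = required_ports()
    allowed = {"tcp": set(), "udp": set()}
    too_broad = []
    for rule in rules:
        proto, lo, hi, dest = rule
        if dest != unit_ip:
            continue
        span = set(range(lo, hi + 1))
        allowed[proto] |= span
        if not span <= need[proto]:      # rule opens ports beyond the minimum
            too_broad.append(rule)
    missing = sorted((p, n) for p in need for n in need[p] - allowed[p])
    return missing, too_broad


if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES, "192.0.2.10")
    for proto, port in missing:
        print(f"MISSING  {proto}/{port}")
    for proto, lo, hi, _ in too_broad:
        print(f"BROAD    {proto}/{lo}-{hi} exceeds the fixed-port minimum")
```
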

Assisted Solution

digitap earned 250 total points
ID: 35091074
@vikrantambhore :: sweet! this is good information. i'd just opened all the ports to my HDX unit because i didn't know what to open. i'll be revisiting this using the information you provided!

@InfoTechEE :: i've attached a screen shot showing pre-configured h323 services on the sonicwall. what you'll want to do for those services that do not appear as specified by vikrantambhore is to create a service object at firewall > services. then, create a service group at firewall > services and include all your service objects. when you run the public server wizard, you select the service group you created. also, when i was originally setting up some polycom HDX units, i had to enable H.323 transformations on the sonicwall. i'm not sure if it's enabled by default, but we could not call out to another HDX until we enabled this. i'm not sure where it is on the 170 enhanced, but it is on a 3060 enhanced.

here's the help for the VoIP section on the sonicwall.

here's a KB on running the public server wizard.

hope that helps!

Expert Comment

ID: 35092930
Hi digitap,

Glad to know my information was helpful for you.
I just saw your profile. You are an expert in Exchange server. I need your help with Exchange 2007. It would be great if you could look at my open question.
