Solved

Firewall Config for Polycom video conferencing

Posted on 2011-03-09
9,007 Views
Last Modified: 2012-10-11
We have a SonicWall TZ 170 firewall and an old Polycom ViewStation 512 unit. We will soon be on a 1.5Mb T1 line.

1) What is the best way to connect the Polycom to our network? (Performance is the top priority.)
* WAN
* DMZ
* LAN

2) Looking for documentation on firewall / NAT rules to configure the Polycom to work with our firewall.
Question by: InfoTechEE

5 Comments
 
LVL 33

Expert Comment

by: digitap
ID: 35087453
Review the VoIP settings on the SonicWall. There should be something on the left-hand side; it's been a while since I've been in a 170. Do you have the Enhanced or Standard OS? Will you be establishing calls out only, or receiving calls to the Polycom?

My experience is that if you need to have calls come in, then you must open your SonicWall to the Polycom WAN > LAN.
0
 

Author Comment

by: InfoTechEE
ID: 35087894
It's a video conferencing system. It has the Enhanced OS. Calls will be going in and out.
If I were to place it on the LAN, I'm pretty sure that we would have LAN > WAN fully open.

So I would mostly be concerned with the WAN > LAN rules, but I don't remember what they are. That's what I'm looking for help with.
0
 
LVL 6

Accepted Solution

by: vikrantambhore (earned 250 total points)
ID: 35090567
Here is what you need to know about NAT/IP conferencing on the Polycom platform.
If you call Polycom, they will tell you they do not support NAT translation on the MGC 100. BUT we do have customers that are set up in their DMZ using NAT and are able to connect to our MCUs.
In the past, Polycom has released this information to InterCall.
For the ViewStation, the bare-minimum ports are:

* 1720 – Static TCP – H.323 call setup (must be bi-directional)
* 3230 – 3231 TCP
* 3230 – 3235 UDP

This gives you basic video conferencing capability. You must have “use fixed ports” selected in the ViewStation UI, and this assumes that the range has not been modified. The customer should also be aware that the latest versions of ViewStation software (from v7.2.3) allow you to disable the management ports on the system. If the customer would like to do T.120 or use a gatekeeper, he will need additional ports.

More port information:
H.323 ports:
80    – Static TCP – HTTP interface (optional)
389   – Static TCP – ILS registration (LDAP)
1503  – Static TCP – T.120
1718  – Static UDP – Gatekeeper discovery (must be bi-directional)
1719  – Static UDP – Gatekeeper RAS (must be bi-directional)
1720  – Static TCP – H.323 call setup (must be bi-directional)
1731  – Static TCP – Audio call control (must be bi-directional)
8080  – Static TCP – HTTP server push (optional)
1024 – 65535 – Dynamic TCP – H.245
1024 – 65535 – Dynamic UDP – RTP (video data)
1024 – 65535 – Dynamic UDP – RTP (audio data)
1024 – 65535 – Dynamic UDP – RTCP (control information)

The dynamic ports shown above can be set to “Fixed Ports” on Polycom systems from the user interface.

In working with Polycom recently, it was stated that they are transmitting through the 49000 port range.

Our response to customers will be to pull diagnostics from the firewall and view the needed ports for transmission. We cannot instruct nor assist with reconfiguration of customer firewalls. We can only relay the above information.

Also, the NAT should be at the firewall, not at the video system. It should be one-to-one static NAT from the private IP address of the unit through the firewall to the public IP address on the firewall. One can try to telnet to the IP address from the MCU to confirm whether or not something is blocking the video data being transported.


I should receive some additional information from Engineering soon and I will send it to you as well.

I hope this helps. I am working on Polycom, but we are using a Cisco firewall for this.
1
 
LVL 33

Assisted Solution

by: digitap (earned 250 total points)
ID: 35091074
@vikrantambhore :: Sweet! This is good information. I'd just opened all the ports to my HDX unit because I didn't know what to open. I'll be revisiting this using the information you provided!

@InfoTechEE :: I've attached a screenshot showing pre-configured H.323 services on the SonicWall. What you'll want to do for those services that do not appear, as specified by vikrantambhore, is to create a service object at Firewall > Services. Then, create a service group at Firewall > Services and include all your service objects. When you run the Public Server Wizard, you select the service group you created. Also, when I was originally setting up some Polycom HDX units, I had to enable H.323 transformations on the SonicWall. I'm not sure if it's enabled by default, but we could not call out to another HDX until we enabled this. I'm not sure where it is on the 170 Enhanced, but it is on a 3060 Enhanced.

Here's the help for the VoIP section on the SonicWall:
http://help.mysonicwall.com/sw/eng/305/ui2/23200/VoIP/Settings.htm?p=305&o=751

Here's a KB on running the Public Server Wizard:
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7027

Hope that helps!
0
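The accepted answer's bare-minimum port list and digitap's remark that he had simply opened all the ports to his HDX unit come down to one check on the WAN > LAN rule set: does it cover the fixed ports the ViewStation needs, and does any single rule open far more than that? The Python below is an added example, not code from either poster or from SonicWall; the Service type, the two sample rule sets and the 16-port over-broad threshold are assumptions made here.

```python
"""Added example: audit a proposed WAN > LAN rule set for a Polycom ViewStation
against the bare-minimum fixed ports quoted in the accepted answer.
The Service type, the sample rule sets and MAX_RANGE are constructed assumptions,
not SonicWall service objects."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One firewall service object: a protocol and an inclusive port range."""
    name: str
    proto: str  # "tcp" or "udp"
    lo: int
    hi: int


# Bare-minimum services from the accepted answer, assuming "fixed ports" is
# enabled on the ViewStation so the dynamic H.245/RTP ranges collapse to these.
POLYCOM_MIN = (
    Service("h323_setup", "tcp", 1720, 1720),
    Service("h245_fixed", "tcp", 3230, 3231),
    Service("rtp_rtcp_fixed", "udp", 3230, 3235),
)

# A single rule spanning more ports than this is flagged as over-broad
# (the "opened all the ports" situation). The threshold is an assumption.
MAX_RANGE = 16

# Constructed sample rule sets (destination: the unit's private IP behind 1:1 NAT).
OPEN_EVERYTHING = (
    Service("h323_setup", "tcp", 1720, 1720),
    Service("dyn_tcp", "tcp", 1024, 65535),  # whole dynamic H.245 range
    Service("dyn_udp", "udp", 1024, 65535),  # whole dynamic RTP/RTCP range
)
INCOMPLETE = (Service("h323_setup", "tcp", 1720, 1720),)  # call setup only, no media


def port_allowed(rules, proto, port):
    """True if any rule in the set permits this protocol/port."""
    return any(r.proto == proto and r.lo <= port <= r.hi for r in rules)


def audit(rules, required=POLYCOM_MIN, max_range=MAX_RANGE):
    """Return (required services not fully covered, names of over-broad rules)."""
    missing = [s.name for s in required
               if not all(port_allowed(rules, s.proto, p) for p in range(s.lo, s.hi + 1))]
    broad = [r.name for r in rules if r.hi - r.lo + 1 > max_range]
    return missing, broad
```

Running `audit` over the three sets shows the minimum set passing clean, the wide-open set passing coverage but flagging both dynamic-range rules, and the call-setup-only set missing the H.245 and media ports, which is the "calls connect but no video" case the answer's telnet check is meant to diagnose.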
 
LVL 6

Expert Comment

by: vikrantambhore
ID: 35092930
Hi digitap,

Glad to know my information was helpful for you.
I just saw your profile; you are an expert in Exchange Server. I need your help with Exchange 2007. It would be great if you could look at my open questions:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26853203.html

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26851949.html
0
