Video Conference through Juniper SSg20

Emanuel used Ask the Experts™
Hi all,
I have a small problem in that we have a video conference unit going through our firewall, but as the call is being made to connect, the Sony PCS1 conference unit sees the call but can't answer. I have opened 'ANY' port traffic and, using Wireshark, can see it asking for 1720. However, it cannot complete the connection.
Could this be to do with the 'Application' element of the firewall?

If we connect the video conference unit directly to the internet it works fine.  Only using port 1720...
It sounds like you have to set up port forwarding on your firewall. You need to redirect the traffic coming from the WAN (internet) on port 1720 to an internal LAN IP address; this is referred to as NAT (Network Address Translation). I am not familiar with the user interface on the Juniper unit, but I would download the manual and follow the instructions for port forwarding/NAT.


I have that, and currently, to try and solve the problem, I have forwarded all ports. But still the unit doesn't respond.
Don't forward all ports, only the port you need for the video conferencing. What is the internal LAN IP address of the computer or device you are trying to forward the traffic to?

For example, if you had a computer or device on your local network with an IP address of and your WAN IP address provided by your ISP was , then you would need to set up a specific NAT/port forwarding rule within your firewall that would filter inbound traffic coming from the WAN and redirect it to your local network address. In this example, with the IP addresses I supplied, you would need to set up port forwarding for all inbound traffic coming from your WAN on port 1720 and forward that traffic to your internal LAN IP address.

The firewall has to know what IP address on your local network you want to route that traffic to. Give me a few minutes; I am going to download the manual for your firewall and I will give you the exact steps to set this up on the Juniper.

Check out this link; it will show you how to set up a VIP (Virtual IP address) for port forwarding in your firewall.

Let me know if you have any questions.


That's very kind.

Originally I did have specific ports set, but the unit wouldn't answer the call, even when the calls were coming in on port 1720.

The ports I had open:
Service = VC
TCP src port: 0-65535, dst port: 2253-2255
UDP src port: 0-65535, dst port: 49152-49239
TCP src port: 0-65535, dst port: 1718-1720

My internet address is

My internal address is

My policy is currently:
Source: Any, Destination: ConferenceUnit ( ), Service: VC. It has destination translation ticked and is translating to the above internal address.



I have an address set up as the IP address; it is called ConferenceUnit.
Do I still need the Virtual IP address? If yes, why?
Yes, you still need the Virtual IP address configured in order to route traffic from to an internal IP address. Do you know what the local IP address is of the computer or device you want to use to view your video conference? Is the device you wish to use to receive video conference calls a computer or some other device?

If it is a computer, assuming it is running a Windows operating system, you can go to a command prompt by clicking the Start menu button, selecting Run, typing CMD and hitting Enter. At the command prompt (c:\>) type IPCONFIG /ALL and you get the IP address of the computer. Also, if the device is a computer you should set it to a static IP address and not DHCP-assigned, because this ensures the IP address never changes during a reboot; if the IP address of the local device changes, the firewall rule you set up will not work.
Also, to avoid confusion, before you set up the VIP I would delete the 'VC' policy you described above from the firewall config. One of the steps in the link I provided is creating a new service for the VIP.

Did you configure 'source based NAT' on the outgoing traffic policy? This usually helps me when I have VoIP or video conferencing equipment behind a Juniper firewall.

Also, I turn off the SIP ALG options.
"Batchelor", Developer and EE Topic Advisor
Top Expert 2015
The issue with the way you have defined your ingress policy is that traffic will be allowed, but not forwarded.
As said before, you need to create a VIP. You can use the service as defined (VC) for the VIP definition, but you need an additional setting which can only be set via the CLI (telnet or ssh):
   set vip multi-port
   reset save-config yes no-prompt
The last command will start rebooting the device, which is required for the setting to be applied.

After having done above, you only need to set the "VIP(«interface»)" (or named similar) as destination address in your policy.
Before setting the VIP or MIP you must first at least get one way working, that is from your network to outside. So I think it is an ALG issue: try first to un-check the H323 option or the SIP one (I can't remember which), but un-check them both and try, and this will work :)
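The VIP, policies and ALG settings recommended in the answers above, written out as an added ScreenOS CLI example; this is not configuration from the original thread or from Juniper's documentation. It assumes the SSG20 defaults of ethernet0/0 in the Untrust zone and bgroup0 in the Trust zone, a hypothetical PCS1 address of 192.168.1.50, a placeholder far-end address of 203.0.113.10, and the VC port set the asker posted. The lines starting with ## are commentary, not commands.

```text
## Added example, not from the original thread. Assumptions: untrust interface =
## ethernet0/0, PCS1 at 192.168.1.50 (hypothetical), far end at 203.0.113.10 (placeholder).

## 1. Service object: the same port set the asker listed (H.225 call setup / RAS
##    on TCP 1718-1720, the Sony control ports, and the RTP/RTCP range).
set service "VC" protocol tcp src-port 0-65535 dst-port 1718-1720
set service "VC" + tcp src-port 0-65535 dst-port 2253-2255
set service "VC" + udp src-port 0-65535 dst-port 49152-49239

## 2. Address object for the unit (used by the outbound policy).
set address trust "ConferenceUnit" 192.168.1.50 255.255.255.255

## 3. Let one VIP carry a multi-port service. Needs a reboot to take effect.
set vip multi-port
reset save-config yes no-prompt

## --- after the reboot ---
## 4. VIP on the untrust interface IP: every port in "VC" is translated to the PCS1.
set interface ethernet0/0 vip interface-ip 1720 "VC" 192.168.1.50

## 5. Inbound policy. The destination must be the VIP object, not the plain
##    "ConferenceUnit" address object; with the plain object the call is permitted
##    but never translated, which is the symptom in the question.
##    Source "any" would expose 1720 to the whole internet, so if calls only come
##    from a known site, pin the source to that address (placeholder below).
set address untrust "FarEndVC" 203.0.113.10 255.255.255.255
set policy from untrust to trust "FarEndVC" "VIP(ethernet0/0)" "VC" permit log

## 6. Outbound policy with source NAT, so the unit's own outgoing calls leave
##    from the interface IP (the "go one way first" test from the last answer).
set policy from trust to untrust "ConferenceUnit" any any nat src permit log

## 7. Disable the H.323 and SIP ALGs. They rewrite embedded addresses and open
##    dynamic pinholes; with a fixed VIP/port set they tend to break the call.
unset alg h323 enable
unset alg sip enable
save

## Checks after the change
get vip
get alg
get policy from untrust to trust
```

If the far end is not fixed, replace "FarEndVC" with any in the inbound policy, but keep the service limited to "VC": forwarding all ports to the unit, as the asker tried, puts every listening service on the PCS1 on the internet and still does not fix the missing translation.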


Many thanks for those that answered.
