Video Conference through Juniper SSg20

Hi all,
I have a small problem in that we have a video conference unit going through our firewall, but as the call is being made to connect, the Sony PCS1 conference unit sees the call but can't answer. I have opened 'ANY' port traffic and using Wireshark can see it asking for 1720. However it cannot complete the connection.
Could this be to do with the 'Application' element of the firewall?

If we connect the video conference unit directly to the internet it works fine. Only using port 1720...
Emanuel asked:
Patmac951 commented:
It sounds like you have to set up port forwarding on your firewall. You need to redirect the traffic coming from the WAN (internet) on port 1720 to an internal LAN IP address; this is referred to as NAT (Network Address Translation). I am not familiar with the user interface on the Juniper unit, but I would download the manual and follow the instructions for port forwarding/NAT.
0
Emanuel (Author) commented:
Hi,
I have that, and currently, to try and solve the problem, I have forwarded all ports. But still the unit doesn't respond.
0
Patmac951 commented:
Don't forward all ports, only the port you need for the video conferencing. What is the internal LAN IP address of the computer or device you are trying to forward the traffic to?

For example, suppose you had a computer or device on your local network with an IP address of 192.168.1.10 and your WAN IP address provided by your ISP was 66.45.22.15. Then you would need to set up a specific NAT/port forwarding rule within your firewall that would filter inbound traffic coming from the WAN and redirect it to your local network address. In this example, with the IP addresses I supplied, you would need to set up port forwarding for all inbound traffic coming to your WAN address 66.45.22.15 on port 1720 and forward that traffic to your internal LAN IP address 192.168.1.10.

The firewall has to know what IP address on your local network you want to route that traffic to. Give me a few minutes; I am going to download the manual for your firewall and I will give you the exact steps to set this up on the Juniper.
0
Patmac951 commented:
Check out this link; it will show you how to set up a VIP (Virtual IP address) for port forwarding in your firewall.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4740

Let me know if you have any questions.
0
Emanuel (Author) commented:
That's very kind.

Originally I did have specific ports set, but the unit wouldn't answer the call, even when the calls were coming in on port 1720.

The ports I had open:
Service = VC
TCP src port: 0-65355, dst port: 2253-2255
UDP src port: 0-65355, dst port: 49152-49239
TCP src port: 0-65355, dst port: 1718-1720

My internet address is 193.74.12.248

My internal address is 192.168.16.230

My policy is currently:
Source Any, Destination ConferenceUnit (193.74.12.248), Service (VC). It has destination translation ticked, translating to the above internal address.

Regards,
0
Emanuel (Author) commented:
I have an address set up as the IP address 193.74.12.248; it is called ConferenceUnit.
Do I still need the Virtual IP address? If yes, why?
0
Patmac951 commented:
Yes, you still need the Virtual IP address configured in order to route traffic from 193.74.12.248 to an internal IP address. Do you know what the local IP address is of the computer or device you want to use to view your video conference? Is the device you wish to use to receive video conference calls a computer or some other device?

If it is a computer, and assuming it is running a Windows operating system, you can go to a command prompt on that computer by clicking the Start menu button, selecting Run, then typing CMD and hitting Enter. At the command prompt c:> type IPCONFIG /ALL and you get the IP address of the computer. Also, if the device is a computer, you should set the computer to have a static IP address and not a DHCP-assigned one, because this will ensure the IP address never changes during a reboot; if the IP address of the local device changes, the firewall rule you set up will not work.
0
Patmac951 commented:
Also, to avoid confusion, before you set up the VIP I would delete the 'VC' policy you described above from the firewall config. One of the steps in the link I provided is creating a new service for the VIP.
0
Sanga Collins (Systems Admin) commented:
Did you configure 'source based NAT' on the outgoing traffic policy? This usually helps me when I have VoIP or video conferencing equipment behind a Juniper firewall.

Also, I turn off the SIP ALG options.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
The issue with the way you have defined your ingress policy is that traffic will be allowed, but not forwarded.
As said before, you need to create a VIP. You can use the service as defined (VC) for the VIP definition, but you need an additional setting which can only be set via the CLI (telnet or ssh):
   set vip multi-port
   reset safe-config yes no-prompt
The last command will start rebooting the device, which is required for the setting to be applied.

After having done the above, you only need to set the "VIP(«interface»)" (or similarly named) as the destination address in your policy.
0
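To tie the advice in this thread together, here is an example ScreenOS CLI configuration (added here for illustration, not posted by any participant) that builds the VC service from the port list Emanuel gave, publishes it as a multi-port VIP, and restricts the ingress policy to that one service instead of 'ANY'. It assumes ethernet0/0 is the untrust interface of the SSG20 and that the source-port range was meant to be the full 0-65535.

```text
# Enable multi-port VIPs; this takes effect only after the reboot below.
set vip multi-port
reset safe-config yes no-prompt

# --- after the device is back up ---

# Custom service covering every port the Sony PCS1 uses (from the thread).
# Source port 0-65535 is assumed; the thread's "0-65355" looks like a typo.
set service "VC" protocol tcp src-port 0-65535 dst-port 1718-1720
set service "VC" + tcp src-port 0-65535 dst-port 2253-2255
set service "VC" + udp src-port 0-65535 dst-port 49152-49239

# VIP on the untrust interface: public 193.74.12.248 -> internal 192.168.16.230.
# Interface name ethernet0/0 is an assumption; check it with "get interface".
set interface ethernet0/0 vip 193.74.12.248 1720 "VC" 192.168.16.230

# Ingress policy: only the VC service, only to the VIP, nothing else inbound.
set policy from untrust to trust any "VIP(ethernet0/0)" "VC" permit

# Only if the H.323 ALG is confirmed to be breaking call setup (khdour's note):
# with the ALG off, the static VC port range above is all the firewall opens.
unset alg h323 enable
```

Verify the mapping with "get interface ethernet0/0 vip" and keep the policy scoped to "VC"; the earlier "forwarded all ports" test exposes the unit far more than the call itself needs.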
khdour commented:
Before setting the VIP or MIP, you must first at least get one way working, that is from your network to outside, so I think it is an ALG issue. Try first to un-check the H323 option and the SIP one (I can't remember which), but un-check them both and try, and this will work :)
0
Emanuel (Author) commented:
Many thanks for those that answered.
0