Port forwarding for inbound Polycom calls

Posted on 2011-09-25
Last Modified: 2012-05-12
What ports need to be forwarded to enable incoming Polycom calls?  I have a Polycom VSX7000e device receiving the calls.  I've found numerous white sheets and spoken to Polycom tech support.  (Their level of apathy is discouraging.)  The following ports look to be the most reasonable.  Has someone actually configured a firewall for incoming Polycom calls?  Do these values look correct?

http://support.polycom.com/global/documents/support/user/products/video/pvx_internet_intranet_calling.pdf
1. 1720 H.323 call setup TCP
2. 5060 SIP call setup TCP and UDP
3. 3230-3237 Signaling and control for audio, call, video, and data/FECC, TCP and UDP
4. 1503 (optional) T.120 data collaboration TCP


Question by:jdana
Expert Comment

by:user_n
ID: 36595426
Yes, they look reasonable. For SIP the default port is usually 5060. But all this usually depends on the configuration of the devices on both sides of the firewall. http://en.wikipedia.org/wiki/RTP_Control_Protocol

For SIP, you can see the real ports that are used in Wireshark and SDP.
http://en.wikipedia.org/wiki/Session_Description_Protocol
http://www.cisco.com/en/US/docs/voice_ip_comm/sip/proxies/2.2/administration/guide/eflows.html
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml

Author Comment

by:jdana
ID: 36596284
RockMod,

Much better.  Thanks

Accepted Solution

by: ArneLovius earned 1000 total points
ID: 36923786
If you are using NAT, then for using H323 you also need to be using a H323 aware NAT device. This is because the endpoint addresses are also in the "payload" part of the packet as well as the packet header.

As a for instance, a PIX running 6.3.5 will not work.

Looking at the rule set on a production ASA5510 with a VSX7000e that is just used in H323 mode, it is configured with a static NAT on the public address to the private address and then an ACL that allows inbound traffic to 1503, 1719, 1720 and 1731. Outbound traffic is not filtered.

If you do not have a H323 aware NAT "firewall" then you would need to either add an additional firewall, replace the existing firewall or run the VSX7000e on an external IP address. The "DMZ" function on most "residential" devices is usually only a full NAT and without the H323 aware ALG (Application Level Gateway) it will not work.

Any firewall that runs as a "filtering bridge" should be able to be configured.


0
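The accepted answer's point about addresses carried in the payload, modelled as an added example that is not part of the original thread. The addresses, the subnet and the message layout (4 raw address bytes plus a 2-byte port inside a made-up "SETUP" message) are constructed assumptions, not a real H.225 encoding.

```python
import ipaddress
import struct

# Constructed addresses: codec's private address, its static-NAT public address.
INSIDE = ipaddress.IPv4Address("192.168.1.10")
PUBLIC = ipaddress.IPv4Address("203.0.113.10")
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")

def build_setup(src, port=1720):
    """Constructed stand-in for a call-setup message: the sender's own
    address (4 raw bytes) and port (2 bytes) are repeated in the payload."""
    payload = b"SETUP" + src.packed + struct.pack("!H", port) + b"VSX"
    return {"src": src, "payload": payload}

def nat_header_only(pkt, inside, public):
    """Plain NAT: translate the header source, leave the payload untouched."""
    src = public if pkt["src"] == inside else pkt["src"]
    return {"src": src, "payload": pkt["payload"]}

def nat_with_alg(pkt, inside, public):
    """H.323-aware NAT (modelled): also rewrite the embedded address."""
    out = nat_header_only(pkt, inside, public)
    out["payload"] = out["payload"].replace(inside.packed, public.packed)
    return out

def inside_addrs_in_payload(pkt, inside_net):
    """Triage check for a packet seen outside the firewall: return
    (offset, address) for every 4-byte window that falls in inside_net."""
    data = pkt["payload"]
    hits = []
    for i in range(len(data) - 3):
        addr = ipaddress.IPv4Address(data[i:i + 4])
        if addr in inside_net:
            hits.append((i, addr))
    return hits

if __name__ == "__main__":
    original = build_setup(INSIDE)
    for name, nat in (("header-only NAT", nat_header_only),
                      ("H.323-aware NAT", nat_with_alg)):
        seen = nat(original, INSIDE, PUBLIC)
        print(name, "src", seen["src"],
              "leaks", inside_addrs_in_payload(seen, INSIDE_NET))
```

With header-only NAT the far end still reads 192.168.1.10 from the payload and has no route to it, which is why the call fails even when the listed ports are open.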
 

Author Closing Comment

by:jdana
ID: 37011160
Wow!  Thanks!