Solved

Port forwarding for inbound Polycom calls

Posted on 2011-09-25
5
724 Views
Last Modified: 2012-05-12
What ports need to be forwarded to enable incoming Polycom calls?  I have a Polycom VSX7000e device receiving the calls.  I've found numerous white sheets and spoken to Polycom tech support.  (Their level of apathy is discouraging.)  The following ports look to be the most reasonable.  Has someone actually configured a firewall for incoming Polycom calls?  Do these values look correct?

http://support.polycom.com/global/documents/support/user/products/video/pvx_internet_intranet_calling.pdf
1.      1720 H.323 call setup TCP
2.      5060 SIP call setup TCP and UDP
3.      3230-3237 Signaling and control for audio, call, video, and data/FECC, TCP and UDP
4.      1503 (optional) T.120 data collaboration TCP


0
Comment
Question by:jdana
  • 2
5 Comments
 
LVL 9

Expert Comment

by:user_n
ID: 36595426
Yes they lokk reasonable. For sip default port is usually 5060. But all this usually dependes from the configuration of the devices from the both site of the firewall. http://en.wikipedia.org/wiki/RTP_Control_Protocol

You can see for SIP the real ports that are used in wireshark and sdp.
 http://en.wikipedia.org/wiki/Session_Description_Protocol
http://www.cisco.com/en/US/docs/voice_ip_comm/sip/proxies/2.2/administration/guide/eflows.html
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
0
 

Author Comment

by:jdana
ID: 36596284
RockMod,

Much better.  Thanks
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 250 total points
ID: 36923786
If you are using NAT, then for using H323 you also need to be using a H323 aware NAT device. This is because the endpoint addresses are also in the "payload" part of the packet as well as the packet header.

As a for instance a PIX running 6.3.5 will not work.

Looking at the rule set on a production ASA5510 with a VSX7000e that is just used in H323 mode, it is configured with a static NAT on the public address to the private address and then an ACL that allows inbound traffic to 1503, 1719, 1720 and 1731. Outbound traffic is not filtered.

If you do not have a H323 aware NAT "firewall" then you would need to either add an additional firewall, replace the existing firewall or run the VSX7000e on an external IP address. The "DMZ" function on most "residential" devices is usually only a full NAT and without the H323 aware ALG (Application Level Gateway) it will not work.

Any firewall that runs as a "filtering bridge" should be able to be configured.


0
 

Author Closing Comment

by:jdana
ID: 37011160
Wow!  Thanks!
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
how should I extend my cat5 cable by 20 feet? 11 71
IPv6 NAT to IPv4 27 48
ERR_NAME_NOT_RESOLVED 7 19
Monitor Bandwidth throughput in Fortigate 100D 1 19
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Skype is a P2P (Peer to Peer) instant messaging and VOIP (Voice over IP) service – as well as a whole lot more.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question