Solved

Port forwarding for inbound Polycom calls

Posted on 2011-09-25
5
726 Views
Last Modified: 2012-05-12
What ports need to be forwarded to enable incoming Polycom calls?  I have a Polycom VSX7000e device receiving the calls.  I've found numerous white sheets and spoken to Polycom tech support.  (Their level of apathy is discouraging.)  The following ports look to be the most reasonable.  Has someone actually configured a firewall for incoming Polycom calls?  Do these values look correct?

http://support.polycom.com/global/documents/support/user/products/video/pvx_internet_intranet_calling.pdf
1.      1720 H.323 call setup TCP
2.      5060 SIP call setup TCP and UDP
3.      3230-3237 Signaling and control for audio, call, video, and data/FECC, TCP and UDP
4.      1503 (optional) T.120 data collaboration TCP


0
Comment
Question by:jdana
  • 2
5 Comments
 
LVL 9

Expert Comment

by:user_n
ID: 36595426
Yes they lokk reasonable. For sip default port is usually 5060. But all this usually dependes from the configuration of the devices from the both site of the firewall. http://en.wikipedia.org/wiki/RTP_Control_Protocol

You can see for SIP the real ports that are used in wireshark and sdp.
 http://en.wikipedia.org/wiki/Session_Description_Protocol
http://www.cisco.com/en/US/docs/voice_ip_comm/sip/proxies/2.2/administration/guide/eflows.html
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
0
 

Author Comment

by:jdana
ID: 36596284
RockMod,

Much better.  Thanks
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 250 total points
ID: 36923786
If you are using NAT, then for using H323 you also need to be using a H323 aware NAT device. This is because the endpoint addresses are also in the "payload" part of the packet as well as the packet header.

As a for instance a PIX running 6.3.5 will not work.

Looking at the rule set on a production ASA5510 with a VSX7000e that is just used in H323 mode, it is configured with a static NAT on the public address to the private address and then an ACL that allows inbound traffic to 1503, 1719, 1720 and 1731. Outbound traffic is not filtered.

If you do not have a H323 aware NAT "firewall" then you would need to either add an additional firewall, replace the existing firewall or run the VSX7000e on an external IP address. The "DMZ" function on most "residential" devices is usually only a full NAT and without the H323 aware ALG (Application Level Gateway) it will not work.

Any firewall that runs as a "filtering bridge" should be able to be configured.


0
 

Author Closing Comment

by:jdana
ID: 37011160
Wow!  Thanks!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question