We help IT Professionals succeed at work.

Desktop video through 2 ISA servers

I’ve been trying to get a desktop video conferencing system working here but have encountered a bit of a brick wall and I’m hoping you may be able to help.

We use two firewalls, both MS ISA Servers, one (ISA2004)as a back-end firewall and web proxy, the other(TMG) as a front-end firewall and to publish services.  Normally, we would place a given service like our web sites on a 192.168.x.x segment and use NAT on the front-end firewall to handle the routing between an incoming request and the serving of a web page or facility.  Similarly for FTP and other services.

When it comes to this VC Desktop, we have had no problems in installing the software and making suitable firewall rules to connect outwards (UDP 5082) but our front-end firewall insists on blocking the returning signal as it is returned to the firewall external address with no indicator which would enable it to route to the correct internal address.  We are also not ‘publishing’ a server in the classic sense as this is more of a pass-though issue.  We will need users behind the back-end firewall to be able to use this service.

We should perhaps be using secondary ports but we are unclear as to how and what to configure.

Ita may well be that we have completely the wrong approach so any help v gratefully received
Watch Question

Most Valuable Expert 2011

MS ISA Servers, one (ISA2004)as a back-end firewall and web proxy, the other(TMG) as a front-end firewall and to publish services

Ok,...that's backwards.  The most capable and most "intense" firewall needs to be the closest one to the protected resources,...so the ISA should be on the Public Edge and the TMG should be on the LAN edge.

A lot of video conferencing software is quite simply a piece of crap.  They will not work across NATed or Proxyied connections,...it is a limitation of the protocol they use,...it just simply can't do it.   If the protocol encapsulates the internal user's IP# within the packet then it just will not work because the product on the device on the opposite end doesn't have a prayer in the world of knowing how to route back to or in any way reach the source IP# when it is on the External side or Untrusted side or a proxying or NATing device..

The only way around that is if the Firewall or Proxying device has an Application Layer Filter that can disassemble the packet,...change the IP# in the packet,...then reassemble the packet.   There is no way I can know what protocol that thing is using,...telling me "UDP-5082" only tells me the Transport Protocol/Port,...that does not tell me the Application Layer Protocol being used.    Now once we know that,...then,...the ISA and TMG are either going to have a Filter for that,...or they won't,...if they don't,...then you are screwed.
Most Valuable Expert 2011
Then after all that,....the whole problem could repeat itself at the location on the other end.   Both sides have to work,...or nothing works.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.