 WisLine Videoconferencing Services
 Technical information for videoconference site support staff

Firewalls and H.323

Videoconferencing is a difficult application to negotiate through Firewalls and Network Address Translation (NAT). Firewalls and NAT are used to provide security by limiting access to a Local Area Network's (LAN's) ports by filtering or blocking inbound Internet traffic.

Appliance-based codecs do not operate on Windows, the popular operating system that hackers and virus writers seem to target. Generally, all a hacker can do is access your codec's web browser and change menu settings on your codec. You can password protect this access point.

There are three easy solutions:

  1. DMZ:
    Install your codec outside the firewall, in your DMZ (works best with integrated classroom codecs, not rollabout because you would have to route the copper path for each jack the codec might use).
  2. VPN:
    Create a VPN around the firewall for your codec (works best with integrated classroom codecs, not rollabout).
  3. H.323 Firewall/Gatekeeper:
    Install an H.323 firewall solution that works in parallel with your data firewall. None of your H.323 traffic will ever flow through your data firewall again. The Polycom V2IU is just such a solution. You register your codec (use the gatekeeper registration menu) with the V2IU. It then knows where your codec is on the LAN. It can also register with our gatekeeper, to provide GDS dialing using E.164 phone number-like dialing strings.
  4. Traversing the Firewall for H.323:
    Our least favorite option, and the most work for firewall administrators, is configuring your firewall to pass H.323 connections. This can be complex and takes a lot of trial and error, depending on the model and version of your firewall. Configuring means providing for outbound and inbound calls. This is because the incoming video signal does not look, to your firewall, like traffic requested by a computer inside your firewall. If you can be seen by the far end but you can't see or hear them, that is a firewall problem. In fact, traversing can be so complicated that the rest of this page and the linked pages are devoted to this topic.
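
The one-way symptom described in item 4, as an added illustration that is not part of the original page: a simplified Python model of a stateful firewall during an outbound call, with and without H.323 inspection. TCP 1720 is the standard H.225 call-signalling port; the addresses, the other port numbers, and the assumption that the codec sends media from a different port than the one it receives on are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed sample values: RFC 5737 addresses, arbitrary media ports.
CODEC, FAR_END = "192.0.2.10", "203.0.113.20"

@dataclass
class StatefulFirewall:
    h323_inspection: bool = False               # True: firewall parses H.323 signalling
    state: set = field(default_factory=set)     # permitted return flows

    def outbound(self, proto, src, sport, dst, dport, announced_rx=None):
        """Inside -> outside: allowed, and the reverse flow is remembered."""
        self.state.add((proto, src, sport, dst, dport))
        # announced_rx models the receive port the codec names inside the
        # signalling payload. Only an H.323-aware firewall reads it and
        # opens a pinhole for media from that far end (any source port).
        if announced_rx is not None and self.h323_inspection:
            self.state.add(("udp", src, announced_rx, dst, None))
        return True

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside: allowed only if it matches remembered state."""
        return ((proto, dst, dport, src, sport) in self.state
                or (proto, dst, dport, src, None) in self.state)

def place_call(fw):
    """Outbound call from CODEC to FAR_END; report which directions work."""
    fw.outbound("tcp", CODEC, 40000, FAR_END, 1720)               # call setup
    signalling = fw.inbound("tcp", FAR_END, 1720, CODEC, 40000)   # reply matches state
    # Media negotiation: the codec announces "send my video to UDP 49170".
    fw.outbound("tcp", CODEC, 40001, FAR_END, 41000, announced_rx=49170)
    sent = fw.outbound("udp", CODEC, 49180, FAR_END, 50000)       # our video out
    received = fw.inbound("udp", FAR_END, 50010, CODEC, 49170)    # their video in
    return {"signalling": signalling, "far_end_sees_us": sent,
            "we_see_far_end": received}

if __name__ == "__main__":
    print("plain stateful firewall:", place_call(StatefulFirewall()))
    print("with H.323 inspection: ", place_call(StatefulFirewall(h323_inspection=True)))
```

In the model, the pinhole opened by inspection is limited to the far end named in the call, so media from any other outside address to the same port is still dropped.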

Traversing a Firewall

If you must use your firewall, read below and good luck! It is doable, but it can take a lot of staff time to set up and to maintain with each codec and firewall upgrade.

ALERT! Some firewalls may block Gatekeeper registration:

If your codec does have difficulty registering or you would like to register your codec or your V2IU with our Gatekeeper, click here.

Configure your Cisco Pix firewall to support H.323:

The following information is no longer updated, since the introduction of the V2IU. We stopped trying to keep up with software revision changes and what they meant to H.323. If you do not have a V2IU and must configure a PIX firewall for H.323, refer to the links below for the basics. Also read the release notes for your firewall version and for the codec model and version you are using. Polycom release notes are PDFs which, when opened, can be searched by the keyword "firewall". Polycom release notes are available at the Polycom Resource Center.

  • 6.3(4) and higher: The Cisco/Polycom co-lab has fixed some bugs that were present in lower versions of both products (firewall and codec). There has not been a whole lot of improvement yet in subsequent versions of PIX.
    • Note: if H.239 is not passing through your PIX, be sure to uncheck in the Polycom menu the box "Firewall is NAT Compatible".
  • Older versions: if at all possible, you should upgrade to the latest version of Pix. Versions 6.3(4) and above have improved H.323 capabilities, enough so to make it worth your efforts to upgrade. If you are not able to upgrade just now, then follow the steps for these versions. Note that 6.1 and 6.2 do not support codecs using NAT very well.
    • Pix 6.3(3): Door County came up with this solution in 2006. It works well with Polycom Viewstation and VSX Codecs that are running on the software version recommended in this link.
    • Pix 6.2: This version can support H.323, but does have different settings than 6.3(3). As soon as possible we recommend you upgrade to 6.3(3)+, which may also require codec software upgrades.
    • Pix 6.1: Same here; we recommend 6.3(3). But in case you can't upgrade, we have a configuration here that will work.
    • Older versions: refer to Cisco and Pix Release Notes.

Other Firewalls:

For other firewalls, see our Firewall Reference page for generic information about the ports used by H.323. With this information, you might be able to figure out how to set up your firewall. Also, refer to your firewall and codec manuals for additional information, or call their help desks.

Universal Plug and Play (UPnP):

UPnP is a firewall standard that we hope will make traversing a firewall easier. If your firewall and your codec both support UPnP, they should set themselves up automatically to allow H.323 connections to work. None of our clients have reported using this method.

 
