Firewall Port Forwarding for H.323 video

H.323 uses a single fixed TCP port (1720) to start a call using the H.225 protocol (defined by H.323 spec) for call control. Once that protocol is complete, it then uses a dynamic TCP port for the H.245 protocol (also defined by the H.323 spec) for caps and channel control. Finally, it opens up 2 dynamic UDP ports for each type of media that was negotiated for the call (audio, video, far-end camera control). This first port carries the RTP protocol data (defined by the H.225 spec) and the second one carries the RTCP data (defined by the H.225 spec).

As per TCP/IP standards, ports are divided into 3 sections: 0-1023 (privileged ports), 1024-49151 (registered ports) and 49152-65535 (dynamic ports). H.323 specifies the dynamic ports in the dynamic range are open.  Polycom has added a feature to its product line that allows the ports to use a fixed ports (instead of dynamic ports) so that it can more easily traverse a firewall. Only the system behind the firewall need to turn on this feature, since the firewall will prevent the audio/video/FECC from the outside to come in unless this is enabled.

You must forward the traffic to and from the video endpoint through the firewall using the specified port numbers and protocol types for outgoing calls. To receive incoming calls, your must forward traffic using the 1720 TCP port.

The following are details on port forwarding assignments for various products:

Polycom Port Forwarding

• Recap of all firewall port configurations for H.323 Polycom video & Network Products - 2013

For Polycom products, the following ports must be opened in the firewall and assigned to the IP address of videoconferencing endpoints (e.g. a video endpoint could be at 192.168.0.109):

• Port 389 (TCP): For ILS registration
• Port 1503 (TCP): Microsoft NetMeeting T.120 data sharing
• Port 1718 (UDP): Gatekeeper discovery
• Port 1719 (UDP): Gatekeeper RAS (Must be bi-directional)
• Port 1720 (TCP) H.323 Call setup (Must be bi-directional)
• Port 1731 (TCP): Audio call control (Must be bi-directional)
• Ports 3230-3235 (TCP/UDP): Signaling and control for audio, call, video and data/FECC
• Port 3603 (TCP): ViaVideo Web interface (ViaVideo users only)

So, a typical H.323 call would use 2 TCP fixed ports (3230-3231) and 6 UDP fixed ports (3230-3235) during the call.

Polycom m100 Desktop Video Software - from Help Book V 1.0 - Specifying Call Settings Preferences: Network NATs and firewalls provide security for your network by limiting outside access to your internal network. Some access, however, is necessary for video conferencing. Therefore, to enable your Polycom Telepresence m100 to freely place and receive calls with the outside world, while still maintaining protection for your network, you must also open ports in the firewall. If your system is on a network where the transmit bandwidth is significantly lower than the receive bandwidth, use asymmetric network to ensure that there is sufficient bandwidth for outgoing calls. To open media ports in the firewall: 1. From the main window, click Menu > Preferences > Call Settings 2. Set the media port range used by the system. 3. Open the same range of ports in your firewall. You must also open these ports in your firewall:

• Port 1718 (UDP): Gatekeeper discovery

• Port 1719 (UDP): Gatekeeper RAS (must be bidirectional)

• Port 1720 (TCP): H.323 call setup (must be bidirectional)

• Port 1731 (TCP): Audio call control (must be bidirectional)

• Port 5060 (TCP and UDP): SIP

 

LifeSize Port Forwarding

Login to the Firewall/Router:

• Forward port 1720 TCP to the private IP of the LifeSize system.
• Forward 2 TCP ports 60,000 and 60,001 to the private IP of the LifeSize system. If you have other services on these ports, you can forward any other 2 TCP ports in the 60,000 - 64,999 range.
• Forward 6 UDP ports 60,000 to 60,007 to the private IP of the LifeSize system. If you have other services on these ports, you can forward any other 8 UDP ports in the 60,000 - 64,999 range.

(NOTE: 3 TCP and 8 UDP is the minimum number of ports required for a single point-to-point H.323 video call.)

Login to the LifeSize system:

• Go to System Menu --> Administrator Preferences --> Network --> NAT
• Enable Static NAT, and enter the public IP address of the firewall in the "NAT Public IP Address"
• Go to System Menu --> Administrator Preferences --> Network --> Reserved Ports.
•  Enter the TCP & UDP port range you chose in the steps above.

TANDBERG Port Forwarding

"In order to properly support a NAT configuration, the firewall will need to be configured as a one-to-one relationship between a public IP address and the private IP address for all ports in the H.323 range (which include 1718 UDP, 1719 UDP and 1720 TCP as well as other vendor-specific TCP and UDP ports needed to complete H.323 calls). For the specific range needed, consult your endpoint manufacturer."

Polycom GMS Ports:

• 21 (FTP) - Software Updates & Provisioning
• 80 (HTTP) - Pulling ViewStation/VS4000 info
• 3601 (Proprietary) (Data Traffic) - GAB data
• 3603 - TCP - Pulling ViaVideo info (since might be non-web server PC)
• 389 (LDAP and ILS)
• 1002 (ILS)

GMS listens for connections on ports 80 and 3601 (GAB) and in the future will listen on port 3604 (ViaVideo) and other potentials later.

H.323 Ports (IP based video conferencing):

• 80 - Static TCP - HTTP Interface (optional)
• 389 - Static TCP - ILS Registration (LDAP)
• 1503 - Static TCP - T.120
• 1718 - Static UDP - Gatekeeper discovery (Must be bidirectional)
• 1719 - Static UDP - Gatekeeper RAS (Must be bidirectional)
• 1720 - Static TCP - H.323 call setup (Must be bidirectional)
• 1731 - Static TCP - Audio Call Control (Must be bidirectional)
• 8080 - Static TCP - HTTP Server Push (optional)
   

• 1024-65535 Dynamic TCP H245
• 1024-65535 Dynamic UDP - RTP (Video data)
• 1024-65535 Dynamic UDP - RTP (Audio data)
• 1024-65535 Dynamic UDP RTCP (Control Information)

These ports can be set to "Fixed Ports" on Polycom systems, as opposed to dynamic.

Other Polycom ViewStation Ports:

• 21 (FTP) - Software Updates & GMS Provisioning
• 23 (Telnet) - For Diagnostics & API Control
• 3220 to 3225 - TCP Ports
• 3230 to 3247 - UDP Ports

Other ViaVideo Ports:

• 3604 (GMS Server Discovery) (Used by ViaVideo) (Broadcast)

Accord (Polycom Network Systems) Additional Ports:

• 5001 - Static TCP - MGC Manager (5003 can be chosen instead within MGC)
• 21 - Static TCP - FTP (retrieve MGC config. Files etc.)

RADVision Additional:

• 1820 - Gateway Signaling/Call Setup
• 2720 - MCU Signaling/Call Setup

d-Link DVC-1000 Ports:

The port 1720 (TCP) and the 6 ports 15328-15333 (TCP and UDP) need to be forwarded. d-Link indicates that NetMeeting and the H.323 cannot co-exist behind the same router simultaneously.

Here are pages that address specific products and the steps needed to configure the firewalls:

• Polycom ViaVideo firewalls

• d-Link i2Eye firewalls

LinkSys Port Forwarding for H.323 audio video:

Here are the specific steps for H.323 port forwarding: https://portforward.com/english/routers/port_forwarding/Linksys/WRT54GC/H323.htm

"H323 requires you to forward the following ports: 1023,1024,1502,1503,1504,1730,1731,1732,65534." These static port settings do  not seem quite right for Polycom system which need:

Port	Type	Protocol	Function
1719	Static	UDP	H.323 Gatekeeper (H.225.0 RAS)
1720	Static	TCP	H.323 Calling (H.225.0 Call Signaling)
49152 -65535	Dynamic	TCP	H.323 Control (H.245)
1718	Static	UDP	H.323 Gatekeeper Discovery (H.225.0)

Configure a Cisco ASA 5505 for H.323 Video Conferencing:

customer_service/support/firewall/How To - Configure Cisco ASA 5505.pdf

 

04/06/2024