Configure the System for Use with a Firewall or NAT

A firewall protects an organization's IP network by controlling data traffic from outside the network. Unless the firewall is designed to work with H.323 video conferencing equipment, you must configure the system and the firewall to allow video conferencing traffic to pass in and out of the network.

Network Address Translation (NAT) network environments use private internal IP addresses for devices within the network, while using one external IP address to allow devices on the LAN to communicate with other devices outside the LAN. If your system is connected to a LAN that uses a NAT, you will need to enter the NAT Public (WAN) Address so that your system can communicate outside the LAN.

Procedure

  1. Go to Admin Settings > Network > IP Network > Firewall.
  2. Configure these settings.
    Table 1. Firewall Settings (Setting / Description)

    Fixed Ports
        Lets you specify whether to define the TCP and UDP ports.

        • If the firewall is not H.323 compatible, enable this setting. The RealPresence ITP system assigns a range of ports starting with the TCP and UDP ports you specify. The system defaults to a range beginning with port 3230 for both TCP and UDP.

          Note: You must open the corresponding ports in the firewall. You must also open the firewall's TCP port 1720 to allow H.323 traffic.

        • If the firewall is H.323 compatible or the system is not behind a firewall, disable this setting.

        For IP you need 2 TCP and 8 UDP ports per connection. For SIP you need TCP port 5060 and 8 UDP ports per connection.

        Note: Because RealPresence ITP supports ICE, the range of fixed UDP ports is 112. The system cycles through the available ports from call to call. After the system restarts, the first call begins with the first port number, either 49152 or 3230. Subsequent calls start with the last port used; for example, the first call uses ports 3230 to 3236, the second call uses ports 3236 to 3242, the third call uses ports 3242 through 3248, and so on.

    TCP Ports / UDP Ports
        Specifies the beginning value for the range of TCP and UDP ports used by the system. The system automatically sets the range of ports based on the beginning value you set.

        Note: You must also open the firewall's TCP port 1720 to allow H.323 traffic.

    Enable H.460 Firewall Traversal
        Enables the system to use H.460-based firewall traversal for IP calls.

    NAT
        Specifies whether the system should determine the NAT Public WAN Address automatically.

        • If the system is not behind a NAT or is connected to the IP network through a Virtual Private Network (VPN), select Off.

        • If the system is behind a NAT that allows HTTP traffic, select Auto.

        • If the system is behind a NAT that does not allow HTTP traffic, select Manual.

    NAT Public (WAN) Address
        Displays the address that callers from outside the LAN use to call your system. If you chose to configure the NAT manually, enter the NAT Public Address here.

        This field is editable only when NAT Configuration is set to Manual.

    NAT is H.323 Compatible
        Specifies that the system is behind a NAT that is capable of translating H.323 traffic.

        This field is visible only when NAT Configuration is set to Auto or Manual.

    Address Displayed in Global Directory
        Lets you choose whether to display this system's public or private address in the global directory.

        This field is visible only when NAT Configuration is set to Auto or Manual.

    Enable SIP Keep-Alive Messages
        Specifies whether to regularly transmit keep-alive messages on the SIP signaling channel and on all RTP sessions that are part of SIP calls. Keep-alive messages keep connections open through NAT/Firewall devices that are often used at the edges of both home and enterprise networks.

        When a RealPresence ITP system is deployed or registered in an Avaya SIP environment, Polycom recommends that you disable this setting to allow calls to connect fully.
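The Fixed Ports rules above (2 TCP and 8 UDP ports per connection, TCP 1720 for H.323, TCP 5060 for SIP, and a 112-port UDP block that the system cycles through) determine which firewall openings a deployment needs. The following script is an added example, not Polycom's code: it derives that allow-list from a starting port and checks a candidate rule set against it. The port-cycling model in udp_ports_for_call is a simplification assumed from the note above, not the vendor's actual allocation logic.

```python
H323_SIGNALING_TCP = 1720   # page: TCP 1720 must be open for H.323
SIP_SIGNALING_TCP = 5060    # page: SIP needs TCP 5060
TCP_PER_CALL = 2            # page: 2 TCP ports per IP (H.323) connection
UDP_PER_CALL = 8            # page: 8 UDP ports per connection
FIXED_UDP_RANGE = 112       # page: with ICE the fixed UDP range is 112 ports


def plan_ports(tcp_start=3230, udp_start=3230, max_calls=1, h323=True, sip=True):
    """Ports the firewall must allow for a system using Fixed Ports.

    TCP media ports grow with concurrent calls; the UDP block is always the
    full 112 ports because the system cycles through it from call to call.
    """
    tcp = set(range(tcp_start, tcp_start + TCP_PER_CALL * max_calls))
    udp = set(range(udp_start, udp_start + FIXED_UDP_RANGE))
    if h323:
        tcp.add(H323_SIGNALING_TCP)
    if sip:
        tcp.add(SIP_SIGNALING_TCP)
    return {"tcp": tcp, "udp": udp}


def udp_ports_for_call(call_index, udp_start=3230):
    """Simplified model (assumed, not vendor logic) of the cycling note:
    call 0 starts at udp_start, each later call starts on the last port the
    previous call used, wrapping around inside the 112-port block."""
    offset = (call_index * (UDP_PER_CALL - 1)) % FIXED_UDP_RANGE
    return [udp_start + (offset + i) % FIXED_UDP_RANGE for i in range(UDP_PER_CALL)]


def missing_rules(allowed_tcp, allowed_udp, plan):
    """Ports required by the plan that a candidate rule set does not open."""
    return {"tcp": sorted(plan["tcp"] - set(allowed_tcp)),
            "udp": sorted(plan["udp"] - set(allowed_udp))}


if __name__ == "__main__":
    plan = plan_ports(max_calls=3)
    # Constructed rule set: only TCP 1720 plus the ports of a single call were
    # opened, which works for the first call and then breaks as ports cycle.
    narrow_tcp = [1720, 3230, 3231]
    narrow_udp = list(range(3230, 3238))
    gaps = missing_rules(narrow_tcp, narrow_udp, plan)
    print("missing TCP:", gaps["tcp"], "| missing UDP ports:", len(gaps["udp"]))
    for n in range(3):
        ports = udp_ports_for_call(n)
        ok = all(p in narrow_udp for p in ports)
        print(f"call {n}: UDP {ports[0]}-{ports[-1]} allowed by narrow rule? {ok}")
```

Running it shows the narrow rule set passes the first call but not the second, which is why the whole UDP block, not just one call's worth of ports, has to be opened.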

In environments set up behind a firewall, firewall administrators can choose to limit access to TCP connections only. Although TCP is an accurate and reliable method of data delivery that incorporates error-checking, it is not a fast method. For this reason, real-time media streams often use UDP, which offers speed but not necessarily accuracy. Within an environment behind a firewall, where the firewall administrator has restricted media access to TCP ports, calls can be completed using a TCP connection instead of UDP.

CAUTION: Systems deployed outside a firewall are potentially vulnerable to unauthorized access. Visit the Polycom Security section of the Knowledge Base at support.polycom.com for timely security information. You can also register to receive periodic email updates and advisories.