Configure the H.460 Firewall/NAT Traversal

You can enable and configure H.460 firewall or NAT traversal on your RealPresence Group Series system.

Before you begin

Make sure your system is registered with a network device that supports the H.460.18 and H.460.19 standards (e.g., the Polycom® RealPresence® Access Director™ system or Polycom® VBP device).

Procedure

  1. Enable firewall traversal on the system.
    1. In the system web interface, go to Admin Settings > Network > IP Network > Firewall.
    2. Select Enable H.460 Firewall Traversal.
  2. Verify the firewalls that will be traversed allow your system to use outbound TCP and UDP connections.
    • Firewalls with a stricter rule set should allow the system to use at least the following outbound TCP and UDP ports: 1720 (TCP), 14085-15084 (TCP), 1719 (UDP), and 16386-25386 (UDP).
    • Firewalls should allow inbound traffic to the TCP and UDP ports used for outbound traffic.
  3. Configure the following settings and select Save.
    Setting Description
    Fixed Ports

    If enabled, you can define which TCP and UDP ports your system uses for traversal.

    Enable this if your firewall isn’t H.323 compatible. The system assigns a port range starting with the TCP and UDP ports you specify (port 3230 is where the range begins by default).

    Note: You must open the corresponding ports in your firewall. For H.323, open TCP port 1720. For SIP, open UDP port 5060, TCP 5060, or TCP 5061 depending on if you’re using UDP, TCP, or TLS, respectively, as the SIP transport protocol.

    Disable this if your firewall is H.323 compatible or the system isn’t behind a firewall.

    TCP Ports

    UDP Ports

    The starting value for the range of TCP and UDP ports used by the system. The system automatically configures the range based on the beginning value you set here.

    To allow H.323 traffic, you need two TCP and eight UDP ports per connection. You must also open TCP port 1720 on the firewall.

    To allow SIP traffic, you need TCP port 5060 and eight UDP ports per connection.

    UDP port range: Because systems support ICE, the range of fixed UDP ports is is 32, 62, and 82 for RealPresence Group Series 300/310, 500, and 700 systems, respectively. The system cycles through the available ports from call to call. After the system restarts, the first call begins with the first port number, either 49152 or 3230. Subsequent calls start with the last port used. For example, the first call uses ports 3230-3236, the second call 3236-3242, the third call 3242-3248, and so on.

    Fixed ports range and filters: You might notice that the source port of a SIP signaling message is not in the fixed ports range. When your firewall is filtering on source ports, in the system web interface, go to the SIP page and enable Force Connection Reuse. When enabled, the system uses port 5060 and 5061 for the source and destination port (these must be open on the firewall).

    NAT Configuration Specifies if the system should automatically determine the NAT public (WAN) address.
    • If the system is not behind a NAT or is connected to the network through a VPN, set to Off.
    • If the system is behind a NAT that allows HTTP traffic, set to Auto.
    • If the system is behind a NAT that does not allow HTTP traffic, set to Manual.
    NAT Public (WAN) Address The address callers from outside the LAN use to call your system. If you configured the NAT manually, enter the NAT public address here.

    You can set this only when NAT Configuration is set to Manual.

    NAT is H.323 Compatible Identifies that the system is behind a NAT that can translate H.323 traffic.

    Available only when NAT Configuration is set to Auto or Manual.

    Address Displayed in Global Directory Choose whether to display the system's public or private address in the global directory.

    Available only when NAT Configuration is set to Auto or Manual.

    Enable SIP Keep-Alive Messages Specifies whether to regularly transmit keep-alive messages on the SIP signaling channel and on RTP sessions part of SIP calls. Keep-alive messages maintain connections through firewall/NAT devices that are often used at network edges.

    If your system is in an Avaya SIP environment, Polycom recommends that you disable this setting to allow calls to fully connect.

Real-time media streams often use UDP for its speed. If your system is behind a firewall that restricts access to UDP ports, however, you can configure your system for only TCP connections.
CAUTION: Systems deployed outside a firewall are potentially vulnerable to unauthorized access. Visit the Polycom Security section of the Knowledge Base at Polycom Support for timely security information. You can also register to receive periodic updates and advisories.