TANDBERG D14049.01 User Manual

D 14049.01
07.2007
H.323 Firewall Traversal Protocols
The VCS supports two different firewall traversal protocols for 
H.323: Assent and H.460.18/H.460.19. 
Assent is TANDBERG’s proprietary protocol. 
H.460.18 and H.460.19 are ITU standards which define 
protocols for the firewall traversal of signaling and media 
respectively. These standards are based on the original 
TANDBERG Assent protocol. 
In order for a traversal server and traversal client to 
communicate, they must be using the same protocol.
The two protocols each use a slightly different range of ports.

Firewall Traversal Protocols and Ports
SIP Ports
Call signaling
SIP call signaling uses the same port as used by the initial 
connection between the client and server.
Media
Where the traversal client is a VCS or Gatekeeper, SIP media 
uses Assent to traverse the firewall. The default ports are the 
same as for H.323, i.e.:
UDP/2776: RTP media port
UDP/2777: RTCP media control port

Overview
Ports play a vital part in firewall traversal configuration.  The 
correct ports must be set on the VCS Border Controller, 
traversal client and firewall in order for connections to be 
permitted.
Ports are initially configured on the VCS Border Controller and 
then advised to the firewall administrator and the traversal 
client administrator, who must then configure their systems to 
connect to these specific ports on the server.  The only port 
configuration that is done on the client is the range of ports it 
uses for outgoing connections; the firewall administrator will 
need to know this information so that if necessary they can 
configure the firewall to allow outgoing connections from those 
ports.
Note: The default port used for the initial connections from 
MXP endpoints is the same as that used for standard 
RAS messages, i.e. UDP/1719.  While it is possible to 
change this port on the VCS server, most endpoints will not 
support connections to ports other than UDP/1719.  We 
therefore recommend that this be left as the default.
Ports for Initial Connections from Traversal Clients
Each traversal server zone specifies an H.323 port and a SIP port 
to be used for the initial connection from the client.
Each time you configure a new traversal server zone on the 
VCS, you will be allocated default port numbers for these 
connections:
H.323 ports will start at 6001 and increment by 1 for every 
new traversal server zone.
SIP ports will start at 7001 and increment by 1 for every new 
traversal server zone.
You can change these default ports if necessary but you must 
ensure that the ports are unique for each traversal server zone.
Once the H.323 and SIP ports have been set on the VCS 
Border Controller, matching ports must be configured on the 
corresponding traversal client.
Process
1. Each traversal client connects via the firewall to a unique 
   port on the VCS Border Controller.
2. The server identifies each client by the port on which it 
   receives the connection, and the authentication credentials 
   provided by the client.
3. Once established, the client constantly sends a probe to the 
   VCS Border Controller via this connection in order to keep 
   the connection alive.
4. When the VCS Border Controller receives an incoming call 
   for the client, it uses this initial connection to send an 
   incoming call request to the client.
5. The client then initiates a connection to the server. The 
   ports used for the call will differ for signaling and media, 
   and will depend on the protocol being used (i.e. SIP, Assent 
   or H.460.18/19).
H.460.18/19 Ports
For connections to the VCS Border Controller using the 
H.460.18/19 protocols, the default ports are:
Call signaling
UDP/1719: listening port for RAS messages
TCP/1720: listening port for H.225 protocol
TCP/2777: listening port for H.245 protocol
Media
UDP/2776: RTP media port
UDP/2777: RTCP media control port



Assent Ports
For connections to the VCS Border Controller using the Assent 
protocol, the default ports are: 
Call signaling
UDP/1719: listening port for RAS messages
TCP/2776: listening port for H.225 and H.245 protocols
Media
UDP/2776: RTP media port
UDP/2777: RTCP media control port
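
The following Python sketch is an added example, not part of the TANDBERG guide or the VCS software. It applies the default allocations and port lists given on this page to check that traversal server zone ports are unique and to build the port list to hand to the firewall administrator. The Zone record, function names and zone names are hypothetical, and because the page does not state a transport for the per-zone ports they are tagged "zone".

```python
from collections import defaultdict
from dataclasses import dataclass

# Default call ports toward the VCS Border Controller, as listed on this page.
CALL_PORTS = {
    "assent": {("udp", 1719), ("tcp", 2776), ("udp", 2776), ("udp", 2777)},
    "h460.18/19": {("udp", 1719), ("tcp", 1720), ("tcp", 2777),
                   ("udp", 2776), ("udp", 2777)},
}

@dataclass(frozen=True)
class Zone:                      # hypothetical record for one traversal server zone
    name: str
    h323_port: int               # initial-connection port for H.323 clients
    sip_port: int                # initial-connection port for SIP clients
    protocol: str = "assent"     # H.323 traversal protocol agreed with the client

def default_zones(names, protocol="assent"):
    """Allocate the defaults: H.323 from 6001, SIP from 7001, +1 per zone."""
    return [Zone(n, 6001 + i, 7001 + i, protocol) for i, n in enumerate(names)]

def port_conflicts(zones):
    """Return {port: [users]} for any initial-connection port used more than once.
    Pooling H.323 and SIP ports is a conservative reading of 'unique per zone'."""
    users = defaultdict(list)
    for z in zones:
        users[z.h323_port].append(f"{z.name}/h323")
        users[z.sip_port].append(f"{z.name}/sip")
    return {p: u for p, u in users.items() if len(u) > 1}

def firewall_allowlist(zones):
    """Ports the firewall must let clients reach on the Border Controller.
    The page gives no transport for zone ports, so they are tagged 'zone'."""
    rules = set()
    for z in zones:
        if z.protocol not in CALL_PORTS:
            raise ValueError(f"{z.name}: unknown protocol {z.protocol!r}")
        rules |= {("zone", z.h323_port), ("zone", z.sip_port)}
        rules |= CALL_PORTS[z.protocol]
    return sorted(rules)

if __name__ == "__main__":
    zones = default_zones(["branch-a", "branch-b"])          # constructed names
    zones.append(Zone("partner", 6001, 7003, "h460.18/19"))  # constructed clash
    print(port_conflicts(zones))
    for rule in firewall_allowlist(zones):
        print(*rule)
```

Any entry returned by port_conflicts means the server could not tell two clients apart by port, so it should be resolved before the list is passed to the firewall administrator.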


TANDBERG 
VIDEO COMMUNICATION SERVER 
ADMINISTRATOR GUIDE
Firewall Traversal