Aethra avc8500 User Manual
they cannot attack it and cause disruptions. NAT also allows a company to use more IP addresses than they might otherwise
be allocated. Since these addresses are only used internally, there is no problem with IP address conflicts with other
organisations.
Problems with Video and Voice Communications on NAT/Firewall Protected Networks
IP-based voice and video protocols like H.323 require that terminals be capable of establishing audio-video communication
channels using IP addresses and data ports. In this situation, a problem arises: terminals must “listen” for incoming calls to
establish IP connections, but the firewall is generally configured not to pass packets that were not
expressly requested. Even if the network administrator left a port open for the terminal to receive notification of a call (port
1720, designated as a “well-known TCP port”) the video and voice communication protocols for IP necessitate the opening of
other ports in order to receive control messages and open audio and video channels.
The identities of these additional ports are determined dynamically, not in advance, meaning that the network administrator
would have to open all the firewall ports to allow video and voice communication, thus virtually disabling the firewall. Network
administrators are unlikely to do this (and wisely so), since it effectively eliminates network security policies.
NAT also creates an obstacle for voice and video communications over IP. NAT allows an organisation to assign private IP
addresses to machines on the local network, but routers that control the flow of data towards the internet can handle only
packets with routable addresses or public IP addresses.
A terminal located behind the NAT device on the LAN can initiate communication with any other terminal in the same LAN
because the IP addresses within the LAN are routable, meaning that it is possible to have subnets in a company managed by
an internal router. This allows the establishment of audio-video communications on different branches of the subnet.
Because they have private addresses, and are therefore not accessible from outside the NAT, terminals on the LAN cannot be
reached by externally originating calls. Even if they initiate calls to external terminals, a problem still arises. When the call is
initiated, the IP address of the calling terminal is contained in the payload of the packet sent. The destination terminal receives
call setup packets, examines them and starts to transmit audio and video towards the terminal from which the call was
received, and from which the IP address was obtained by examining the contents of the received packets.
If this IP address is private, the router for Internet access discards the audio and video packets sent from the terminal external
to NAT towards the internal terminal, because their destination address is non-routable. The connection between the two terminals
appears to be successful but in reality the NAT-internal terminal never receives the audio or video from the external terminal.
Solution for the NAT/Firewall Problem
The only equipment that does not create any of the problems described above is an H.323-compatible NAT/firewall device. Such
a firewall does not block TCP port 1720 and allows access to the other, dynamically determined H.323 ports.
Videoconferencing systems usually have private IP addresses that are not accessible from external routers. To allow calls to
function properly, the network administrator can define static NAT (a permanent association between a private IP address and
a public IP address reserved for H.323 videoconferences) for every terminal that must be accessible from an external
connection.
The NAT device substitutes the static public IP address, both in the header and in the payload of the setup packet sent from the internal terminal to the
external terminal. The destination terminal uses that address for addressing the reply packets, which are routed through the
NAT device to the internal terminal.
Firewall ALG
Application Level Gateways (ALGs) are firewalls programmed to recognize specific IP protocols like H.323.
Instead of looking only at the information contained in packet headers to determine whether to transmit or block packets, ALGs
analyse in detail the data contained in the payload packet. The H.323 protocol inserts important control information such as
audio and video port identification in the payload packets. The terminal expects to receive audio and video connections from
the remote calling terminal on these ports. By analysing which port the terminal expects to use, the ALG dynamically opens
only those ports, leaving the others closed to preserve network security. An example of a firewall ALG follows.
The Aethra Application Level Gateway is present in the Aethra Stargate xDSL Router and allows any videoconferencing
terminal, independent of its manufacturer, to resolve the NAT/firewall problem. The Stargate router is capable of checking every
incoming and outgoing H.323 call and dynamically opening only the ports being used for the H.323 videoconference.
The Stargate router also supports NAT functionality and is therefore capable of substituting the public NAT address for the
private IP address automatically inserted in the H.323 payload packets by the internal terminal. When the Aethra ALG
functionality is used with an Aethra videoconferencing system, the “Aethra NAT” function of the videoconferencing system
must be disabled because the network equipment is H.323 compatible.
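The two mechanisms described above, static NAT rewriting of the address carried in the H.323 payload and ALG pinholes opened only for the announced ports, modelled in Python as an added example (not Aethra code and not the Stargate firmware). The `key=ip:port` text form of the setup and open-logical-channel messages, the addresses and the static NAT table are constructed for illustration; real H.323 encodes these addresses in ASN.1 PER.

```python
import ipaddress
import re

# RFC 1918 ranges: the "private" (non-routable) addresses the text refers to.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")

# Constructed, simplified text rendering of the H.323 messages that carry
# transport addresses in their payload (assumption: real H.323 uses ASN.1
# PER, not this key=ip:port form).
SETUP_PAYLOAD = "SETUP callSignal=10.0.0.5:1720 h245Address=10.0.0.5:5001"
OLC_PAYLOAD = ("OLC mediaChannel=10.0.0.5:49152 "
               "mediaControlChannel=10.0.0.5:49153")


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class H323Alg:
    """Border NAT/ALG: rewrites private addresses inside outbound H.323
    payloads via a static NAT table and opens only the announced ports."""

    def __init__(self, static_nat):
        self.static_nat = static_nat   # private IP -> reserved public IP
        self.pinholes = set()          # (public IP, port) currently open

    def outbound(self, payload):
        """Inspect an outbound message; rewrite embedded private addresses
        and open an inbound pinhole for each port the terminal announced."""
        def fix(match):
            ip, port = match.group(1), int(match.group(2))
            if not is_private(ip):
                return match.group(0)  # already routable: leave untouched
            public = self.static_nat.get(ip)
            if public is None:
                raise ValueError(f"no static NAT entry for {ip}")
            self.pinholes.add((public, port))
            return f"{public}:{port}"
        return ADDR_RE.sub(fix, payload)

    def inbound_allowed(self, dst_ip, dst_port):
        """Default-deny: only the well-known call port or an open pinhole."""
        return dst_port == 1720 or (dst_ip, dst_port) in self.pinholes

    def call_ended(self):
        """Close every dynamic pinhole once the conference is torn down."""
        self.pinholes.clear()
```

A terminal without a static NAT entry raises an error rather than leaking its private address into the payload, which is the failure the text describes (a call that looks connected but never receives media).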