rixride

Because I get a lot of emails with people not being able to connect to netmeeting connections, here is the info on how to connect through a firewall.

This chapter describes how Microsoft® Windows® NetMeeting® 3 works with an organization's existing firewall security. You will learn about NetMeeting requirements for TCP and UDP connections, as well as the IP ports needed to establish a NetMeeting connection.

ote:
There are few available products that an organization can implement to securely transport inbound and outbound NetMeeting calls, which transfer audio, video, and data across a firewall. Because of this, carefully consider the relative security risks of modifying your firewall product to enable NetMeeting features, especially for inbound calls.
Contents

Components of a Secured System
NetMeeting and Firewalls
Establishing a NetMeeting Connection with a Firewall
Microsoft Proxy Server Example
Firewall Limitations
Security and Policy Concerns

Components of a Secured System

A firewall is a set of security mechanisms that an organization implements, both logically and physically, to prevent unsecured access to an internal network. Firewall configurations vary from organization to organization. Most often, the firewall consists of several components, which can include a combination of the following:

* Routers
* Proxy servers
* Host computers
* Gateways
* Networks with the appropriate security software

Very rarely is a firewall a single component, although a number of newer commercial firewalls attempt to put all of the components into a single computer. The following illustration shows a firewall configuration.
Click here to see a diagram.

For most organizations, an Internet connection is part of the firewall. The firewall identifies itself to the outside network as a number of Internet Protocol (IP) addresses, or as capable of routing to a number of IP addresses, all associated with Domain Name Service (DNS) entries. The firewall might respond as a host, resulting in a virtual computer, or pass on packets bound for these hosts to assigned computers.
NetMeeting and Firewalls

You can configure firewall components in a variety of ways, depending on your organization's specific security policies and overall operations. While most firewalls are capable of allowing primary (initial) and secondary (subsequent) Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections, they might be configured to support only specific connections based on security considerations. For example, some firewalls allow only primary TCP connections, which are considered the most secure and reliable.

To enable NetMeeting 3 multipoint data conferencing—program sharing, Whiteboard, Chat, file transfer, and directory access—your firewall only needs to pass through primary TCP connections on assigned ports.

NetMeeting audio and video features require secondary TCP and UDP connections on dynamically assigned ports. Therefore, if you establish connections through firewalls that accept only primary TCP connections, you will not be able to use the audio or video features of NetMeeting.
Establishing a NetMeeting Connection with a Firewall

When you use NetMeeting to call other users over the Internet, several IP ports are required to establish the outbound connection. The following table shows the ports, their functions, and the resulting connection.
Port Function Outbound Connection
389 Internet Locator Service (ILS) TCP
522 User Location Service TCP
1503 T.120 TCP
1720 H.323 call setup TCP
1731 Audio call control TCP
Dynamic H.323 call control TCP
Dynamic H.323 streaming Real-Time Transfer Protocol (RTP) over UDP

If you use a firewall to connect to the Internet, it must be configured so that the IP ports are not blocked.

To establish outbound NetMeeting connections through a firewall, the firewall must be configured to do the following:

* Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731.
* Pass through secondary TCP and UDP connections on dynamically assigned ports (1024-65535).

The H.323 call setup protocol dynamically negotiates a TCP port for use by the H.323 call control protocol. Also, both the audio call control protocol and the H.323 call setup protocol dynamically negotiate UDP ports for use by the H.323 streaming protocol, called the Real-Time Transfer Protocol (RTP). In NetMeeting, two UDP ports are determined on each side of the firewall for audio and video streaming, for a total of four ports for inbound and outbound audio and video. These dynamically negotiated ports are selected arbitrarily from all ports that can be assigned dynamically.

NetMeeting directory services require port 389. Microsoft Internet Locator Service (ILS) servers, which support the Lightweight Directory Access Protocol (LDAP) for NetMeeting, also require port 389.
Microsoft Proxy Server Example

This section provides a guideline for setting up the Microsoft Proxy Server to enable the necessary ports for NetMeeting outbound calls. For additional information about configuring the Microsoft Proxy Server, refer to the Microsoft® Proxy Server Installation and Administration Guide.

Microsoft Proxy Server and Microsoft Internet Information Services are run on Windows NT 4.0 (with Service Pack 3 or greater). The Microsoft Internet Service Manager is part of Internet Information Services.

To configure the Microsoft Proxy Server for NetMeeting

1. Start the Microsoft Internet Service Manager, and then click Winsock Proxy Service.

Click here to see a screenshot.
2. Click the Protocols tab, and then click Add. The Protocol Definition dialog box appears.

Click here to see a screenshot.
3. Refer to the table in "Establishing a NetMeeting Connection with a Firewall" and add each port required for NetMeeting by typing or selecting values for the following fields:
* Protocol name
* Port
* Type
* Direction

For example, if you want to add port 389, you would enter the following settings:
In Do this
Protocol name Type LDAP
Port Type 389
Type Click TCP (default)
Direction Click Outbound

Click here to see a screenshot.

For TCP-only ports, click OK after adding information for each port and then continue to step 5. For ports that require UDP connections, continue with step 4.
4. For ports that require secondary UDP connections, click Add in the Port Ranges for Subsequent Connections box, and then enter the following values:
In To this
Port or Range Type 0-65535
Type Click UDP (default)
Direction Click Inbound or Outbound

Click here to see a screenshot.

Click OK to add the UDP connection information. Repeat this process to add both Inbound and Outbound dynamic port ranges.

The following screen shot illustrates the setting for port 1720, configured for both TCP and UDP connections.

Click here to see a diagram.
5. After you have added all necessary connection information, click OK to add the protocol definition.

Firewall Limitations

Some firewalls cannot support an arbitrary number of virtual internal IP addresses, or cannot do so dynamically. With these firewalls, you can establish outbound NetMeeting connections from computers inside the firewall to computers outside the firewall, and you can use the audio and video features of NetMeeting. Other people, though, cannot establish inbound connections from outside the firewall to computers inside the firewall. Typically, this restriction is due to limitations in the network implementation of the firewall.

Note:
Some firewalls are capable of accepting only certain protocols and cannot handle TCP connections. For example, if your firewall is a Web proxy server with no generic connection handling mechanism, you will not be able to use NetMeeting through the firewall.
Security and Policy Concerns

Some organizations might have security or policy concerns that require them to limit how fully they support NetMeeting in their firewall configuration. These concerns might be based on network capacity planning or low confidence in the firewall technology being used. For example, security concerns might prohibit an organization from accepting any inbound or outbound flow of UDP data through their firewall. Because these UDP connections are required for NetMeeting audio and video features, disabling this function excludes audio and video features in NetMeeting for calls through the firewall. The organization can still use NetMeeting data conferencing features—such as program sharing, file transfer, Whiteboard, and Chat—for calls through the firewall by allowing only TCP connections on ports 522 and 1503.

For more information about firewall design, policy, and security considerations for firewall design in general, see Building Internet Firewalls, D. Brent Chapman and Elizabeth D. Zwicky, O'Reilly & Associates, Inc., 1995.

__________________
-=Welcome to PBXInfo=-
-Become a PBXInfo Supporter
-Get more PM Space, Profile Picture, a Signature
-Add yourself to Pbxinfo's Frappr
-Find Nortel Software