
12 NetPoint Firewall Traversal Server: Installation and Setup Manual
FIREWALLS
To protect their networks and data resources from external hazards such as hacking and virus propagation, some organizations install firewalls.
Firewalls check the IP address and destination port of each data packet received from external sources. The type of incoming traffic that is permitted depends on the firewall's configuration. For example, the firewall may allow traffic from an external source to pass if a node inside the firewall initiated the communication with that source. Firewalls usually block or discard unsolicited packets.
In order to serve legitimate requests for information while protecting most of their user nodes, many organizations place the relevant information on a web server inside the firewall. The firewall is then configured to permit traffic to and from the web server's IP address on port 80.
EFFECTS OF FIREWALLS AND NATS ON H.323 VIDEOCONFERENCING
Compared to other data communications protocols such as HTTP and FTP, H.323 has unique characteristics that cause difficulties in enterprise environments protected by firewalls and NATs.
H.323 embeds the sender's IP address inside the packets it transmits. The call recipient sends its audio and video back to the initiating user at the IP address embedded in the original transmissions. If this IP address is private, Internet routers typically discard the audio and video packets sent from the external endpoint, because they are addressed to a private IP address that is not routable on the Internet.
During H.323 communications, several protocol parameters, including IP port values, are determined dynamically during call setup negotiation rather than in advance. This poses a problem for security devices such as firewalls, which usually require a security scheme based on opening specific, known ports.
H.323 video and voice communication therefore requires a firewall to open a wide range of ports so that traffic can pass unhindered. The IP voice and video protocols need several open ports to receive call control messages and to establish the voice and video data channels, and these additional port numbers are determined dynamically, not in advance. Network administrators would therefore have to open all the firewall ports to let H.323 traffic pass through. This defeats the purpose of a firewall, which is to keep as many ports closed as possible.
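As an added example (not code from this manual or from the NetPoint product), the following Python model shows the two failures described above: a stateful firewall that passes only replies to flows opened from inside or explicitly allowed ports, and Internet routers that do not forward packets addressed to private RFC 1918 space. The addresses, the media port, and the use of TCP 1720 (the well-known H.225 call-signalling port) are constructed assumptions, not values taken from the page.

```python
import ipaddress
from collections import namedtuple

# Constructed values for this example: addresses, ports and the call-signalling
# port (TCP 1720, the well-known H.225 port) are assumptions, not from the manual.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")

class StatefulFirewall:
    """Toy model of the behaviour described above: an inbound packet passes only if
    it answers a flow that an inside node opened, or if it matches an allow rule."""
    def __init__(self, allow_rules=()):
        self.allow = set(allow_rules)   # (dst_ip, dst_port, proto), e.g. the web server
        self.established = set()        # 5-tuples of flows opened from inside

    def outbound(self, p: Packet) -> None:
        self.established.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))

    def inbound(self, p: Packet) -> str:
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto) in self.established:
            return "pass: reply to a flow opened from inside"
        if (p.dst_ip, p.dst_port, p.proto) in self.allow:
            return "pass: explicit allow rule"
        return "drop: unsolicited inbound packet"

def internet_can_route_to(ip: str) -> bool:
    """Internet routers discard packets addressed to RFC 1918 private space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def simulate_h323_call() -> dict:
    """Inside endpoint 192.168.1.10 calls 203.0.113.5; only port 80 to the inside
    web server is explicitly allowed, as in the text."""
    inside, outside = "192.168.1.10", "203.0.113.5"
    fw = StatefulFirewall(allow_rules=[("192.168.1.80", 80, "tcp")])
    # 1. Call signalling on TCP 1720 is opened from inside, so the reply passes.
    fw.outbound(Packet(inside, 40001, outside, 1720, "tcp"))
    signalling_reply = fw.inbound(Packet(outside, 1720, inside, 40001, "tcp"))
    # 2. Media ports are negotiated during the call: the inside endpoint advertises
    #    its private address and a port chosen at call time (49152 here). The far end's
    #    RTP to that address is dropped by Internet routers and, if it ever arrived,
    #    by the firewall, because nothing from inside opened that flow.
    media = Packet(outside, 30000, inside, 49152, "udp")
    return {"signalling_reply": signalling_reply,
            "media_routable_on_internet": internet_can_route_to(media.dst_ip),
            "media_at_firewall": fw.inbound(media)}

if __name__ == "__main__":
    for name, verdict in simulate_h323_call().items():
        print(f"{name}: {verdict}")
```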
H.460.18 and H.460.19 are ITU standards that enable H.323 devices to exchange signaling and media across the boundaries imposed by NATs and firewalls, without the need for any additional equipment.
In most organizations, firewalls are configured to severely limit the types of inbound data traffic that can reach internal users' workstations, servers, and peripheral equipment.