innovaphone IP DECT
are to be set up to remote terminals via the Internet, then appropriate
configuration of the firewall must be ensured.
Firewalls normally have two jobs. They control access to devices and network
areas within your network and they implement the IP address translation in
networks that do not have their own regular network address (NAT). NAT can
also be implemented by routers.
In connection with Voice over IP, both functions require a detailed analysis of the
data stream in order to be implemented. This must be performed by the firewall
or router firmware.
If the product you are using does not have H.323 firewalling, there are two ways
of proceeding:
• Release the path in the firewall for all required data to and from the VoIP device.
Although this solution is usually not well received by network
administrators, it does not present a security problem, since the VoIP
device, as a dedicated device, does not perform any services other than
Voice over IP. No security gaps are caused in a network by opening the
path to and from the device.
The number of ports to be released can be restricted if the H.323 devices
whose data is to cross the firewall are all innovaphone devices.
The following ports must be released in both directions:
• TCP: destination port 80 (HTTP), any source port, for configuration
• TCP: destination port 1720 (H.225), any source port, for VoIP calls
• UDP: destination port >= 2050, source port 5004 and 5005 (RTP), for VoIP calls
The following ports should also be released if the RAS protocol is used:
• UDP: destination port 1718
• UDP: destination port 1719
• UDP: source port 1719
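The port list above, written as rules scoped to the address of a single VoIP device, as an added example that is not taken from the innovaphone manual. It assumes a Linux firewall using iptables on the FORWARD chain, reads "both directions" as each match applying to traffic to and from the device, and uses the constructed address 192.0.2.10; the function name `voip_rules` is hypothetical. The rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules for one VoIP device.
# Assumption: "both directions" means every match is emitted twice,
# once for traffic to the device (-d) and once for traffic from it (-s).

voip_rules() {
    dev=$1       # IPv4 address of the VoIP device
    ras=${2:-}   # pass "ras" to add the RAS ports as well

    # Accept a plain dotted quad only, so a network such as 0.0.0.0/0
    # cannot turn the device-specific release into a general one.
    echo "$dev" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "invalid device address: $dev" >&2
        return 1
    }

    for dir in d s; do
        m="-$dir $dev"
        # HTTP configuration interface of the device
        echo "iptables -A FORWARD $m -p tcp --dport 80 -j ACCEPT"
        # H.225 call signalling
        echo "iptables -A FORWARD $m -p tcp --dport 1720 -j ACCEPT"
        # RTP: source port 5004 and 5005, destination port >= 2050
        echo "iptables -A FORWARD $m -p udp --sport 5004:5005 --dport 2050:65535 -j ACCEPT"
        if [ "$ras" = ras ]; then
            # RAS protocol
            echo "iptables -A FORWARD $m -p udp --dport 1718 -j ACCEPT"
            echo "iptables -A FORWARD $m -p udp --dport 1719 -j ACCEPT"
            echo "iptables -A FORWARD $m -p udp --sport 1719 -j ACCEPT"
        fi
    done
}

# Demo with a constructed address from the documentation range.
voip_rules 192.0.2.10 ras
```

Without the second argument only the six HTTP, H.225 and RTP rules are printed.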