Firewall Wizards mailing list archives

Re: Dealing with MS Netmeeting & H.323


From: "Tony Schliesser" <aschlies () citynet net>
Date: Wed, 3 Jun 1998 11:05:22 -0400

It's tricky. From my understanding, a few firewall appliances are using
proxies to "listen" to the data between client/server and
client/client so they know what ports to open up for the dynamic ports
you mentioned, much like an FTP proxy would handle the data channel.

The only other box that has this type of proxy is the Watchguard
Firebox.  Version 3.00a is in beta and should be out soon.  I have
used this in a test lab and it does work well.

TS
-----Original Message-----
From: Hal <hal () mrj com>
To: 'firewall-wizards () nfr com' <firewall-wizards () nfr net>
Date: Monday, June 01, 1998 11:31 PM
Subject: Dealing with MS Netmeeting & H.323


    I'm wondering if anyone has had much luck securing Microsoft's
Netmeeting product?  This topic has been
discussed here and on other lists. People usually just throw up their
hands when dealing with it.  What's the best advice?

In summary, here's what I found out about it.

It's based on an H.323 architecture using T.120's transport, the
IETF Realtime Protocol (RTP) / Real Time Control Protocol (RTCP) for
its audio and video feeds, and includes a few additional features.
Ports:  (TCP) 389 - Internet Locator (LDAP), 522 - HTTP based User
Locator (I think this is a MS proprietary protocol), 1503 - T.124
"media independent transport", 1720 - H323 call setup, 1731 - H323
audio call setup (not sure what this is for).  Here are the zingers:
Dynamically assigned TCP and UDP ports in the "ephemeral" range (>
1024) carrying RTP & RTCP (allocated as dynamically assigned even/odd
pairs, one pair per direction and media type). RTCP is used for
feedback about the real time channel (congestion, quality, etc.). The
actual port numbers for these associations are passed in an ASN.1
open logical channel request on port 1720.


Issues:  (1)  Router filters control a single port or port range.
Dynamic port assignments require the range to be very large, defeating
the filter's purpose.
(2)  Network Address Translation.  H.323 logical channel open fetches
the local client address and passes that bound into an application
(session) PDU to the destination, causing internal address leakage.
(The destination tries to send to the untranslated internal address of
the source instead of the translated external address.)

An H.323 proxy could solve these problems.  Firewall-1 states they can
handle H.323 and work with Netmeeting (does anyone have any
experience with this?).  Gauntlet/NT has an H.323 proxy, but their
administrator's guide, which lists several multimedia applications,
does not list NetMeeting.  Are there other firewalls that can handle
NetMeeting?

One suggestion I received was to allow just the data portion of
Netmeeting by blocking the dynamically assigned ports that carry the
audio and video.  Difficult to satisfy a customer expecting
interactive audio and video.


Regards, Hal.
Hal () mrj com
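An added illustration of the two issues Hal lists, not part of either message in this thread and not any firewall product's code: it labels flows by the fixed ports named above, pairs ephemeral UDP even/odd ports into RTP/RTCP pairs to show how wide a static router filter would have to be, and flags the address carried in a logical-channel-open PDU as a NAT leak when it is a private address that differs from the translated source. The flow records and the private address ranges are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Fixed TCP ports named in the post above (port -> role).
FIXED_TCP = {389: "Internet Locator (LDAP)", 522: "HTTP User Locator",
             1503: "T.124 transport", 1720: "H323 call setup", 1731: "H323 audio call setup"}
# Private ranges used for the leakage check; an assumption of this example.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_flow(proto, dport):
    """Name the role of a flow from the fixed-port table; ephemeral ports are 'dynamic'."""
    if proto == "tcp" and dport in FIXED_TCP:
        return FIXED_TCP[dport]
    return "dynamic" if dport > 1024 else "other"

def rtp_rtcp_pairs(flows):
    """Pair ephemeral UDP flows into (RTP even port, RTCP odd port) between the same hosts.
    flows: iterable of (proto, src, sport, dst, dport); returns sorted (src, dst, rtp_port)."""
    udp = {(src, dst, dport) for proto, src, _, dst, dport in flows
           if proto == "udp" and dport > 1024}
    return sorted((src, dst, p) for src, dst, p in udp
                  if p % 2 == 0 and (src, dst, p + 1) in udp)

def filter_span(pairs):
    """Port range a static router filter would have to open to pass these pairs."""
    ports = [p for _, _, p in pairs] + [p + 1 for _, _, p in pairs]
    return (min(ports), max(ports)) if ports else None

def nat_leak(announced_addr, outer_src):
    """True when the address carried inside the logical-channel-open PDU is a private
    address that differs from the translated source address the peer actually sees."""
    announced = ip_address(announced_addr)
    return announced != ip_address(outer_src) and any(announced in n for n in INTERNAL_NETS)

# Constructed sample flows: one call setup, two media pairs and a stray even port.
SAMPLE_FLOWS = [
    ("tcp", "192.168.1.10", 3001, "198.51.100.5", 1720),
    ("udp", "192.168.1.10", 49170, "198.51.100.5", 49170),  # audio RTP
    ("udp", "192.168.1.10", 49171, "198.51.100.5", 49171),  # audio RTCP
    ("udp", "192.168.1.10", 51002, "198.51.100.5", 51002),  # video RTP
    ("udp", "192.168.1.10", 51003, "198.51.100.5", 51003),  # video RTCP
    ("udp", "192.168.1.10", 52000, "198.51.100.5", 52000),  # no RTCP partner: not a pair
]

if __name__ == "__main__":
    pairs = rtp_rtcp_pairs(SAMPLE_FLOWS)
    print("media pairs:", pairs)
    print("static filter would need UDP", filter_span(pairs))
    print("address leak:", nat_leak("192.168.1.10", "203.0.113.7"))
```

On the sample flows the two media pairs alone force a static filter to open UDP 49170 through 51003, which is the point of issue (1); a proxy that reads the logical-channel-open PDU can open just the four ports instead.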
