Firewall Wizards mailing list archives
Re: Dealing with MS Netmeeting & H.323
From: "Tony Schliesser" <aschlies () citynet net>
Date: Wed, 3 Jun 1998 11:05:22 -0400
It's tricky. From my understanding, a few firewall appliances are using a proxy to "listen" to the data between client/server and client/client so it knows what ports to open up for the dynamic ports you mentioned, much like an FTP proxy would handle the data channel.

The only other box that has this type of proxy is the Watchguard Firebox. Version 3.00a is in beta and should be out soon. I have used this in a test lab and it does work well.

TS

-----Original Message-----
From: Hal <hal () mrj com>
To: 'firewall-wizards () nfr com' <firewall-wizards () nfr net>
Date: Monday, June 01, 1998 11:31 PM
Subject: Dealing with MS Netmeeting & H.323

I'm wondering if anyone has had much luck securing Microsoft's Netmeeting product? This topic has been discussed here and on other lists. People usually just throw up their hands when dealing with it. What's the best advice?

In summary, here's what I found out about it.

It's based on an H.323 architecture using T.120's transport, the IETF Realtime Protocol (RTP) / Real Time Control Protocols (RTCP) for its audio and video feeds, and includes a few additional features.

Ports (TCP):
389 - Internet Locator (LDAP)
522 - HTTP based User Locator (I think this is a MS proprietary protocol)
1503 - T.124 "media independent transport"
1720 - H323 call setup
1731 - H323 audio call setup (not sure what this is for)

Here are the zingers: dynamically assigned TCP and UDP ports in the "ephemeral" range (> 1024) carrying RTP & RTCP (allocated as dynamically assigned even/odd pairs, one pair per direction and media type). RTCP is used for feedback about the real time channel (congestion, quality, etc.). The actual port numbers for these associations are passed in an ASN.1 open local channel request on port 1720.

Issues:

(1) Router filters control a single port or port range. Dynamic port assignments require the range to be very large, defeating the filter's purpose.

(2) Network Address Translation. H.323 logical channel open fetches the local client address and passes that bound into an application (session) PDU to the destination, causing internal address leakage. (The destination tries to send to the untranslated internal address of the source instead of the translated external address.)

An H.323 proxy could solve these problems. Firewall-1 states they can handle H.323 and work with Netmeeting (Does anyone have any experience with this?). Gauntlet/NT has an H.323 proxy, but their administrator's guide, which lists several multimedia applications, does not list NetMeeting. Are there other firewalls that can handle netmeeting?

One suggestion I received was to allow just the data portion of Netmeeting by blocking the dynamically assigned ports that carry the audio and video. Difficult to satisfy a customer expecting interactive audio and video.

Regards
Hal.
Hal () mrj com
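
The two issues raised in the thread, worked through as an added example that is not part of either post and not any vendor's code. It models what a signalling-aware proxy does with the port numbers it sees on the control channel: it opens only the announced even/odd RTP/RTCP pair and rewrites the leaked inside address. The decoded `ChannelOpen` records, the addresses and the function names are constructed assumptions; no ASN.1 decoding is performed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")    # assumed inside network
EXTERNAL_ADDR = "192.0.2.10"               # assumed NAT address (documentation range)

@dataclass(frozen=True)
class ChannelOpen:
    """Constructed stand-in for an already-decoded logical channel open."""
    media: str      # "audio" or "video"
    addr: str       # address the client placed in the PDU
    rtp_port: int   # even port; RTCP uses rtp_port + 1

def process(msg):
    """Return (rewritten message, pinholes); raise ValueError to reject."""
    if not 1024 < msg.rtp_port <= 65534 or msg.rtp_port % 2:
        raise ValueError(f"rejected RTP port {msg.rtp_port}")
    if ip_address(msg.addr) not in INTERNAL_NET:
        raise ValueError(f"rejected address {msg.addr}: not an inside host")
    # Issue (2): replace the untranslated inside address before forwarding.
    rewritten = ChannelOpen(msg.media, EXTERNAL_ADDR, msg.rtp_port)
    # Issue (1): open exactly the announced RTP/RTCP pair, nothing else.
    holes = [("udp", msg.addr, msg.rtp_port), ("udp", msg.addr, msg.rtp_port + 1)]
    return rewritten, holes

def static_filter_exposure():
    """Ports per protocol that a static 'allow > 1024' filter leaves open."""
    return 65535 - 1024

SAMPLE = [ChannelOpen("audio", "10.1.2.3", 49608),       # constructed sample input
          ChannelOpen("video", "10.1.2.3", 49610),
          ChannelOpen("audio", "10.1.2.3", 80),          # privileged port
          ChannelOpen("audio", "198.51.100.7", 5004)]    # not an inside host

def run(sample=SAMPLE):
    """Process every record; return (opened pinholes, rejection reasons)."""
    opened, rejected = [], []
    for msg in sample:
        try:
            _, holes = process(msg)
            opened.extend(holes)
        except ValueError as exc:
            rejected.append(str(exc))
    return opened, rejected

if __name__ == "__main__":
    opened, rejected = run()
    print(f"static filter: {static_filter_exposure()} ports open per protocol")
    print(f"proxy: {len(opened)} pinholes {opened}")
    print(f"rejected: {rejected}")
```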