Web-to-Phone Firewall Configuration
Note:
There are few available products that an organization can implement to securely
transport inbound and outbound NetMeeting calls, which transfer audio, video,
and data across a firewall. Because of this, carefully consider the relative
security risks of modifying your firewall product to enable NetMeeting features,
especially for inbound calls.
Contents
- Components of a Secured System
- NetMeeting and Firewalls
- Establishing a NetMeeting Connection with a Firewall
Components of a Secured System
A firewall is a set of security mechanisms that an organization implements, both logically and physically, to prevent unsecured access to an internal network. Firewall configurations vary from organization to organization. Most often, the firewall consists of several components, which can include a combination of the following:
- Routers
- Proxy servers
- Host computers
- Gateways
- Networks with the appropriate security software
Very rarely is a firewall a single component, although a number of newer commercial
firewalls attempt to put all of the components into a single computer. The following
illustration shows a firewall configuration.

For most organizations, an Internet connection is part of the firewall. The
firewall identifies itself to the outside network as a number of Internet Protocol
(IP) addresses, or as capable of routing to a number of IP addresses, all associated
with Domain Name Service (DNS) entries. The firewall might respond as a host,
resulting in a virtual computer, or pass on packets bound for these hosts to
assigned computers.
NetMeeting and Firewalls
You can configure firewall components in a variety of ways, depending on your organization's specific security policies and overall operations. While most firewalls are capable of allowing primary (initial) and secondary (subsequent) Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections, they might be configured to support only specific connections based on security considerations. For example, some firewalls allow only primary TCP connections, which are considered the most secure and reliable.
To enable NetMeeting 3 multipoint data conferencing (program sharing, Whiteboard, Chat, file transfer, and directory access), your firewall only needs to pass through primary TCP connections on assigned ports.
NetMeeting audio and video features require secondary TCP and UDP connections on dynamically assigned ports. Therefore, if you establish connections through firewalls that accept only primary TCP connections, you will not be able to use the audio or video features of NetMeeting.
Establishing a NetMeeting Connection with a Firewall
When you use NetMeeting to call other users over the Internet, several IP ports are required to establish the outbound connection. The following table shows the ports, their functions, and the resulting connection.
| Port | Function | Outbound Connection |
|---|---|---|
| 389 | Internet Locator Service (ILS) | TCP |
| 522 | User Location Service | TCP |
| 1503 | T.120 | TCP |
| 1720 | H.323 call setup | TCP |
| 1731 | Audio call control | TCP |
| Dynamic | H.323 call control | TCP |
| Dynamic | H.323 streaming | Real-Time Transfer Protocol (RTP) over UDP |
If you use a firewall to connect to the Internet, it must be configured so that the IP ports are not blocked.
To establish outbound NetMeeting connections through a firewall, the firewall must be configured to do the following:
- Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731.
- Pass through secondary TCP and UDP connections on dynamically assigned ports (1024-65535).
The H.323 call setup protocol dynamically negotiates a TCP port for use by the
H.323 call control protocol. Also, both the audio call control protocol and
the H.323 call setup protocol dynamically negotiate UDP ports for use by the
H.323 streaming protocol, called the Real-Time Transfer Protocol (RTP). In NetMeeting,
two UDP ports are determined on each side of the firewall for audio and video
streaming, for a total of four ports for inbound and outbound audio and video.
These dynamically negotiated ports are selected arbitrarily from all ports that
can be assigned dynamically.
NetMeeting directory services require port 389. Microsoft Internet Locator Service (ILS) servers, which support the Lightweight Directory Access Protocol (LDAP) for NetMeeting, also require port 389.
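The following is an added example, not part of the original page and not Microsoft's own tooling. It models the two outbound policies the page contrasts (a firewall that passes only primary TCP connections versus one that also passes secondary TCP and UDP connections on dynamically assigned ports), reports which NetMeeting feature groups each policy leaves usable, and renders the policy as iptables rule strings for review. The port table and the feature-to-port mapping are taken from the page; the `OutboundPolicy` model, the `FEATURES` grouping, the `eth0` interface name and the iptables rendering are this example's own assumptions, and the rules are only returned as text, never applied.

```python
"""Added example: check an outbound firewall policy against the NetMeeting 3
port table and render it as iptables rules (dry run). The policy model and
rule rendering are assumptions of this example, not the page's own tooling."""
from dataclasses import dataclass

# Port table from the page. "dynamic" rows are negotiated at call time from
# the range the page gives (1024-65535).
DYNAMIC_RANGE = (1024, 65535)
NETMEETING_PORTS = [
    (389, "Internet Locator Service (ILS)", "tcp"),
    (522, "User Location Service", "tcp"),
    (1503, "T.120", "tcp"),
    (1720, "H.323 call setup", "tcp"),
    (1731, "Audio call control", "tcp"),
    ("dynamic", "H.323 call control", "tcp"),
    ("dynamic", "H.323 streaming (RTP)", "udp"),
]

# Feature groups and the rows they depend on, as the page describes them:
# data conferencing needs only primary TCP, audio/video need the dynamic rows.
# The grouping itself is an assumption of this example.
FEATURES = {
    "directory": ["Internet Locator Service (ILS)", "User Location Service"],
    "data conferencing": ["T.120"],
    "audio/video": ["H.323 call setup", "Audio call control",
                    "H.323 call control", "H.323 streaming (RTP)"],
}


@dataclass(frozen=True)
class OutboundPolicy:
    """Assumed policy model: a fixed set of primary TCP ports plus flags for
    whether secondary TCP and UDP connections on dynamic ports are passed."""
    primary_tcp_ports: frozenset
    secondary_tcp: bool = False
    dynamic_udp: bool = False

    def allows(self, port, proto):
        if port == "dynamic":
            return self.secondary_tcp if proto == "tcp" else self.dynamic_udp
        return proto == "tcp" and port in self.primary_tcp_ports


def blocked_rows(policy):
    """Rows of the port table that this policy would block."""
    return [row for row in NETMEETING_PORTS if not policy.allows(row[0], row[2])]


def feature_status(policy):
    """Map each feature group to True (usable) or False (blocked)."""
    blocked = {fn for _, fn, _ in blocked_rows(policy)}
    return {name: not any(fn in blocked for fn in fns)
            for name, fns in FEATURES.items()}


def render_iptables(policy, iface="eth0"):
    """Render the policy as iptables rule strings (dry run only).
    The interface name is an assumption; nothing is executed."""
    lo, hi = DYNAMIC_RANGE
    rules = [
        # Stateful return traffic for whatever the OUTPUT rules permit.
        f"iptables -A INPUT -i {iface} -m conntrack "
        "--ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(policy.primary_tcp_ports):
        rules.append(f"iptables -A OUTPUT -o {iface} -p tcp --dport {port} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    if policy.secondary_tcp:
        rules.append(f"iptables -A OUTPUT -o {iface} -p tcp --dport {lo}:{hi} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    if policy.dynamic_udp:
        rules.append(f"iptables -A OUTPUT -o {iface} -p udp "
                     f"--dport {lo}:{hi} -j ACCEPT")
    # Default deny for everything else leaving this interface.
    rules.append(f"iptables -A OUTPUT -o {iface} -j DROP")
    return rules


# The two policies the page contrasts.
PRIMARY_ONLY = OutboundPolicy(frozenset({389, 522, 1503, 1720, 1731}))
FULL_NETMEETING = OutboundPolicy(frozenset({389, 522, 1503, 1720, 1731}),
                                 secondary_tcp=True, dynamic_udp=True)

if __name__ == "__main__":
    for name, pol in (("primary-only", PRIMARY_ONLY), ("full", FULL_NETMEETING)):
        print(name, feature_status(pol))
        for rule in render_iptables(pol):
            print("  " + rule)
```

Running the script shows that the primary-only policy leaves directory access and data conferencing usable while blocking audio/video, which matches the page's statement that audio and video need the dynamically negotiated secondary connections. The rendered rules make the trade-off visible: the full policy has to open the whole 1024-65535 range outbound for TCP and UDP, which is the widening the page's note asks you to weigh before enabling those features.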