Networking

Video Conferencing Behind a Firewall?

Posted by Cliff
from the seeking-an-option-that-use-less-ports dept.
JShadow21 asks: "I work at a research lab at a hospital. We want to collaborate with colleagues across the pond via video conferencing; however, the firewall here is very restrictive. There are way too many ports that need to be opened for H.323 to work, so the IT guys won't do that. What alternatives are there? I was considering using an SSH proxy in order to use Netmeeting, or else possibly a web based solution."
  • by grub (11606) <slashdot@grub.net> on Wednesday July 20, 2005 @01:59PM (#13115896) Homepage Journal

    The Netmeeting rules in our PIX configs need only 5 TCP ports: LDAP, 522, 1503, h323 1731. If you know the IPs of the remote side you can open up a very restrictive set of holes for incoming "calls" or you can initiate the connections and not worry about opening up incoming holes altogether (if you use NAT/PAT this is easiest.)

    Remember: your IT guys aren't running the show, they're there to help you do your job (and I'm an IT weenie at a research lab where Netmeetings are not uncommon...)

    • Whoops, something I neglected to think of when writing my reply; our firewall has "fixup protocol h323" enabled so dynamic port allocation is handled just fine.
      • If he's accepting incoming connections, he'll need a static NAT back to his PC from an outside IP. Someone on one end of the connection is going to need a static NAT.

        I've gotten iChat's vid conferencing to work without opening any ports on my side, and only having ports opened on the remote end. I had to initiate the connection though.
    • by bill_mcgonigle (4333) * on Wednesday July 20, 2005 @02:29PM (#13116221) Homepage Journal
      I used to work in hospital IT. The network manager was affectionately known as Mordac the Preventor [dilbert.com].

      Or it could be that your IT guys aren't lazy, they just don't know anything so they can't characterize the risk associated with H.323 or they don't know how to setup NAT for what you need.
      • by Metzli (184903)
        It's also possible that NAT won't work and they're concerned about that. We have some Polycom video conference gear and it won't work with NATs. The box embeds the endpoint IP in the packet itself, so NATs cause the system not to function. Yay.
  • by TripMaster Monkey (862126) * on Wednesday July 20, 2005 @01:59PM (#13115897)

    I would have to recommend NetMeeting...it's easy to implement, and is already installed on your Windows machines. However, there are quite a few ports [microsoft.com] that need to be opened...to ensure smooth passage through the firewall, I recommend you take your IT guy to lunch at your local watering hole to discuss it. ^_^

    Seriously, though, the opening of these ports should prove to be a minimal security risk if done correctly. A firewall admin who won't open any ports is a firewall admin who doesn't know how to do his job (Ford Motor Company's firewall boys spring to mind here). Remember, this is a valid request you're making, and implementing that request in a safe and secure manner is their job.
    • Remember, this is a valid request you're making, and implementing that request in a safe and secure manner is their job.

      Hold your horses there, Master Monkey! Techies shouldn't take just any order from any employee.
      In any sane chain-of-trust, the employee should contact his department-manager, who should either check higher up or check with the tech manager.
      A research lab has potentially dangerous information on hand, and as such, access to any sort of data is most likely on a very restricted basis.
      I
      • You are correct. Going straight to the person who could help you the most is a grievous violation of protocol. First you file form 457s22 (making sure to initial paragraphs 3, 41, and 72, obviously). Then submit this form in triplicate to your supervisor, the current head of the TCP/IP security subcommittee and the associate vice chairman of the s22OE working group.

        After that has been processed you will receive form 4208XX which needs to be filled out within 12 hours (!!!) and refiled (in triplicate, of cour
        • But isn't the red tape method more rewarding in the end?

          I'd say that depends.. are we talking about the original poster, or the tech guy whose name is most likely to appear in a logfile stating that ports were unblocked? ;)
    • Erm, no.

      The valid request is not "open these ports for me, tech-monkey!". The valid request is "we want to teleconference with folks at these other places. Here are email addresses and phone numbers for their tech guys. Can you figure something out that isn't too expensive?"

      You'd think a /. poster might have more respect for their IT department...
      • Erm, no.

        The valid request is not "open these ports for me, tech-monkey!".

        I don't believe that I was endorsing such a position (/me peruses original post)...no, that's not at all what I said...thanks for the misrepresentation, though. It just doesn't feel like Slashdot until someone pulls the old straw-man gag.

        "Can you figure something out that isn't too expensive?"

        Um...as I said in my previous post, NetMeeting is included in Windows, making the cost pretty much zero.

        You'd think a /. poster might
    • With most TCP-based applications, it is possible to implement a sane firewall strategy, but H.323 (Netmeeting) makes it pretty much impossible to do so. The protocol has a standard port for the control connection, but it sets up any port it feels like for incoming UDP voice/video traffic. The protocol expects you to leave the server AND CLIENTS in the DMZ, with all the problems that brings; limits other hosts in a NAT network, and obvious over-exposure to security attacks. When I started working with H.3
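The two firewall problems raised in this thread (grub's "fixup protocol h323", Metzli's endpoint that embeds its private IP in the payload, and the dynamic UDP media ports complained about just above) are what an H.323 application-layer gateway exists to solve. The following is an added illustration, not code from the thread or any vendor: real H.245 is ASN.1/PER-encoded, so the OpenLogicalChannel message here is a constructed dict, and the addresses and port numbers are made up.

```python
"""Toy model of an H.323 application-layer gateway ("fixup protocol h323").

Added illustration only. Real H.245 is ASN.1/PER-encoded; here the
OpenLogicalChannel message is a constructed dict so the two firewall jobs
are visible: (1) rewrite the inside media address the endpoint embedded in
the payload (plain NAT never touches it), and (2) open a UDP pinhole only
for the port that was actually negotiated, instead of a static port range.
"""
from dataclasses import dataclass, field

H225_PORT = 1720  # standard H.225 call-signalling port (static rule)


@dataclass
class H323Alg:
    inside_ip: str                        # private address of the endpoint
    public_ip: str                        # static NAT address on the outside
    pinholes: set = field(default_factory=set)   # (peer_ip, udp_port) pairs

    def inspect(self, msg: dict) -> dict:
        """Rewrite an outbound OpenLogicalChannel and open its media pinholes."""
        if msg.get("type") != "OpenLogicalChannel":
            return msg
        out = dict(msg)
        # (1) the endpoint put its private address inside the H.245 payload
        if out["media_ip"] == self.inside_ip:
            out["media_ip"] = self.public_ip
        # (2) dynamic pinhole: RTP on the negotiated port, RTCP on port + 1
        for port in (out["media_port"], out["media_port"] + 1):
            self.pinholes.add((out["peer_ip"], port))
        return out

    def allow_udp(self, src_ip: str, dst_port: int) -> bool:
        """Inbound UDP is accepted only through a pinhole opened by a call."""
        return (src_ip, dst_port) in self.pinholes

    def release(self, peer_ip: str) -> None:
        """Call ended: close every pinhole that belonged to that peer."""
        self.pinholes = {h for h in self.pinholes if h[0] != peer_ip}


def demo():
    """Constructed call: inside 10.1.2.3 behind NAT 203.0.113.10 (RFC 5737)."""
    alg = H323Alg(inside_ip="10.1.2.3", public_ip="203.0.113.10")
    olc = {"type": "OpenLogicalChannel", "peer_ip": "198.51.100.20",
           "media_ip": "10.1.2.3", "media_port": 49152}   # constructed
    return alg.inspect(olc), alg
```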
  • by n1ywb (555767) on Wednesday July 20, 2005 @02:01PM (#13115908) Homepage Journal
    Select a machine somewhere to be a dedicated video conference server and have everybody VPN into that machine. Then all those crazy h.whatever ports should be fine.
  • you only need to allow in H323. On any recent pix, that's just one ACL entry.
    access-list incoming permit tcp any host blah eq h323
    if you want to be more secure, change the any to the IP of the device calling you. I deal with this stuff all the time, it's really no big deal. Some devices, like Tandberg, use extra ports (5555) for other purposes. You might also need LDAP for directory services. If you get an appliance based VC unit instead of a PC based one, you'll be slightly more secure.
    Additionally, if you
  • Do what I do at home! Set your videoconferencing computer's IP address to be in the DMZ (demilitarized zone)!

    Hey, it works for bit torrent....
    • Um. No. I know that's what the router manufacturers call it, but that's not a DMZ. A better router will have three (or more) ethernet interfaces - one to the outside world, one to the main protected network, and one to the DMZ (don't confuse this with the fact that you have several ethernet ports in your router - that's because it also contains a switch). The idea of the three interfaces is that machines in the DMZ do not have access to machines in the protected zone, so it doesn't matter so much if they
  • web based solution

    by sycotic (26352) on Wednesday July 20, 2005 @02:31PM (#13116239) Homepage
    we use http://www.webex.com/ [webex.com] at our work, works a treat behind a multitude of firewalls and maybe even proxies if I remember rightly.

    you should check it out :)
    • I can vouch for webex. I am behind a completely restrictive firewall. The only traffic out is http through a proxy and email through a mail server. Oh, and DNS, but IP over DNS is pretty much a joke, even though it actually does exist.

      One time I was having some problems with a vendor's computer and I called tech support. He set up a webex meeting for me to connect to and it worked beautifully. We were able to do desktop sharing in real time.
  • One possibility would be to use a separate, dedicated local network, possibly just one machine sitting by its lonesome. That machine should still be firewalled, especially outbound, and your local network shouldn't trust it at all. Ideally, you'd set it to only be able to reach the networks of whoever you're collaborating with, but if that's likely to change frequently, you may have to open it up to the world.

    If your hospital provides network services to the outside world, it's likely that your IT group
  • OpenVPN

    by Noksagt (69097) on Wednesday July 20, 2005 @03:39PM (#13116877) Homepage
    OpenVPN [openvpn.net] is Free (in both senses), fairly fast, cross-platform, but most of all easy to setup. Tunnel all traffic through a single, CONFIGURABLE port. My IT department is also often inept & their packet-shaper makes most VPN traffic crawl (as if it were P2P or something). We require fast remote control software to be run, so we put it on port 80 & watched the traffic finally fly along.
  • ... it's not videoconferencing software, but it sets up VPN groups. Every client gets its own additional IP, and the software got around every firewall/NAT I used it with. Plus the streams are encrypted and transferred via P2P.

    give it a try: http://www.hamachi.cc/ [hamachi.cc]

    and use your preferred video conferencing software with it.

    I am currently streaming my music from my office machine to my home computer. Both are behind firewalls and routers.

    btw. it's windows only.
  • I'm sorry. You said your professional development requires you to video conference. Who the #^%&#! do your IT guys think they are! Go to your hospital administrators and show (don't tell) them how your hospital's jack-booted IT nazis are keeping you from doing your job.

    I have worked in environments where the IT guys forgot they provide a network for the people to use in their jobs, not a network that they can use to build their own personal fiefdom! The best way to break this GOD complex is to hav
  • by sootman (158191)
    probably the easiest is to convince IT that the people you want to conference with are trustworthy and get them VPN access. Once they're in, you can do whatever you want.
  • Tandberg offers an easy solution with its gatekeeper... only requires a small number of ports to open; the gatekeeper tracks these. Another solution, cheaper and easier by far: ONT offers video conferencing software that only requires port 80 or 443.
  • GNU Gatekeeper can do the job for you; it can be used like a traditional gatekeeper or like a proxy also; from the FAQ:

    "1.2. Can I use the GNU Gatekeeper for NAT/masquerading H323 calls through a firewall ?
    Use the proxy function that has been introduced in version 2.0."

    from the manual:

    "When Gatekeeper Routed call signalling is used, the gatekeeper may choose whether to route the H.245 control channel and logical channels.

    Case I.

    The gatekeeper doesn't route them. The H.245 control channel and logical channe
  • If your problem is inbound TCP ports, the Tandberg Border Controller is a solution. From what I understand it is designed to sit outside the firewall. All parties "register" with the border controller by opening a TCP connection to it (i.e. an outbound connection from the point of view of the firewall admins). The border controller then does all of the call negotiation. None of the clients have to accept TCP connections. Here [tandberg.net] is a link to the border controller.

    Disclaimer: I don't work for Tandberg

  • It's my job, when someone comes to me with something like that, to look at it and, if I don't want to do it their way, to offer an alternative. Your tech guys are gonna need a kick (try confiscating their bandwidth till they do some work).
  • You might try a hosted solution like Microsoft Live Meeting, Lotus Sametime or WebEx, basically anything that is hosted on a website instead of using a direct P2P connection.

    Also assuming the other person isn't behind a firewall you could call out to them using netmeeting.
