Videoconferencing at UVa
Firewall Behavior with an H.323 Client
The firewalls that are part of Windows were tested using two Polycom PVX videoconferencing systems. The More Secure Network (MSN) VPN and an MSN port configuration were also tested. Good news for home users: even if your home DSL hardware has a firewall that interferes with a personal endpoint like Polycom PVX (and chances are it does), using UVa Anywhere lets you connect just as though you were physically on a UVa network.
The Situation Has Improved!
Firewalls have changed over the years to become more aware of network-intensive applications like videoconferencing. Experiments with older personal firewalls often showed failures in one direction or the other involving the video stream, the audio stream, call set-up and control, or collaboration.
Newer operating system versions and videoconferencing applications rarely show these problems anymore. Network settings within the videoconferencing software can even compensate for a NAT address (Network Address Translation, performed by a firewall or router). Some hardware firewalls have a feature that makes them "H.323-aware": the firewall tracks the call set-up traffic and opens the ports each call needs. H.323 is actually a suite of protocols, each with its own ports, so this spares a technician from making extensive configuration attempts (guesses, actually).
Initial use of a videoconferencing application on a recent Windows operating system may trigger a pop-up dialog box that asks whether the application should be allowed through the machine's firewall. Once access is allowed, the rule is saved in the computer's firewall configuration and the user does not need to make any further adjustments.
More Secure Network
At UVa there is provision on the local network for staff to have the port used by their desktop computer set to use the More Secure Network. Alternatively, the user can log on to an MSN VPN. The More Secure Network is protected by a hardware firewall. The MSN firewall is videoconference-aware. However, the MSN site must initiate the videoconference call. Devices outside the MSN firewall cannot initiate the contact (which is the whole point of having the firewall). The MSN site can use a gatekeeper-registered address to initiate a call, but cannot receive a call via a gatekeeper address.
A computer whose user has logged into the MSN VPN can reach the UVa gatekeeper and can both place and receive videoconference calls with devices on the "open" UVa network and with devices at non-UVa locations.
Machines that need to run videoconference software should not be placed behind a hardware firewall that is not videoconference-aware. Commercial "firewall traversal units" exist, but they are an expensive solution to a problem that is easily avoided.
The typical sign of a firewall problem is that one site can call the other but not the reverse, or that one of the audio or video streams (or both) arrives at one site but not the other. It is easy to rule out your personal firewall as the source of a problem: just disable it. If the videoconference still doesn't work, the firewall wasn't the problem. If it was, leaving it disabled for a one-hour meeting may be an acceptable option, provided it is re-enabled afterwards. The slight chance that a firewall somewhere between the two sites will cause a problem is the primary reason for making a pre-conference test call. If there is a problem, the technicians/LSP will have time to work out a solution before the actual conference.
Why can this be complicated?
Some services, such as the Web, use just one port for all network data. H.323 describes a service that uses many network ports, and both TCP and UDP ports are used. Roughly 10 TCP ports (for example TCP 1720, the well-known H.323 call set-up port) and a couple of large UDP port ranges (for the audio and video streams) are used by the protocol.
Many firewalls allow incoming data on a port only if it is the response to an outgoing request that the inside machine made from that same port (stateful inspection). If the incoming data arrives on a different port, this simple rule doesn't match. An outgoing H.323 stream may use one port while the corresponding incoming stream arrives on a different one, so the incoming stream is dropped. There are so many ports involved, and the UDP port ranges used for the media streams are so wide, that manually opening all of them on a firewall to allow general videoconferencing is tantamount to not having a firewall at all.
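The following toy model illustrates both points made above: why a stateful firewall that only admits replies on the same port drops the incoming media stream of an H.323 call unless it is "H.323-aware", and why a firewall such as the one protecting the More Secure Network admits calls the inside site places but not calls placed from outside. It is an added example, not code from the UVa page or from any firewall product. The addresses, the UDP media port numbers and the plain-text stand-in for the H.225 Setup message are constructed for the demonstration; only TCP 1720 is a real H.323 port.

```python
"""Toy model of how a stateful firewall treats an H.323 call.

Added example; not code from the UVa page or from any firewall vendor.
Addresses, UDP media ports and the text form of the Setup message are
constructed for the demo. TCP 1720 is the real H.225 call-signalling port.
"""
from dataclasses import dataclass, field
import re

INSIDE_NET = "10.0.0."      # constructed: the protected (e.g. MSN) side
INSIDE = "10.0.0.5"         # constructed endpoint behind the firewall
OUTSIDE = "192.0.2.10"      # constructed remote site (TEST-NET-1 range)
H225_PORT = 1720            # well-known H.323 call-signalling port


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


@dataclass
class StatefulFirewall:
    """Allow anything outbound; allow inbound only if it is the reverse of a
    flow an inside host already opened, or hits a pinhole the ALG opened."""
    h323_aware: bool = False
    flows: set = field(default_factory=set)     # (proto, in_ip, in_port, out_ip, out_port)
    pinholes: set = field(default_factory=set)  # (proto, in_ip, in_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.src.startswith(INSIDE_NET):
            # Outbound: remember the flow so replies on the same ports get back in.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if self.h323_aware:
                self._inspect_signalling(pkt)
            return "allow"
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"      # reply on exactly the flow the inside host opened
        if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
            return "allow"      # media port the H.323 ALG learned from signalling
        return "drop"

    def _inspect_signalling(self, pkt: Packet) -> None:
        """Toy H.323 ALG. A real one decodes the ASN.1 PER-encoded H.225/H.245
        messages; here the Setup payload is a constructed plain-text stand-in
        carrying the RTP receive port the inside endpoint advertises."""
        if pkt.proto == "tcp" and pkt.dport == H225_PORT:
            m = re.search(r"mediaPort=(\d+)", pkt.payload)
            if m:
                self.pinholes.add(("udp", pkt.src, int(m.group(1))))


def inside_initiated_call(h323_aware: bool) -> dict:
    """Inside endpoint places the call (the only direction the MSN permits)."""
    fw = StatefulFirewall(h323_aware=h323_aware)
    setup = Packet("tcp", INSIDE, 40000, OUTSIDE, H225_PORT,
                   "SETUP fastStart mediaPort=49152")      # constructed stand-in
    connect = Packet("tcp", OUTSIDE, H225_PORT, INSIDE, 40000, "CONNECT")
    # The remote's video arrives on the advertised UDP port before the inside
    # endpoint has sent any UDP itself, so no tracked flow matches it.
    rtp_in = Packet("udp", OUTSIDE, 52000, INSIDE, 49152)
    rtp_out = Packet("udp", INSIDE, 49152, OUTSIDE, 52000)
    return {
        "setup_out": fw.filter(setup),
        "connect_in": fw.filter(connect),
        "media_in": fw.filter(rtp_in),
        "media_out": fw.filter(rtp_out),
    }


def outside_initiated_call(h323_aware: bool) -> dict:
    """Remote endpoint tries to call in: no inside-opened flow exists yet."""
    fw = StatefulFirewall(h323_aware=h323_aware)
    setup = Packet("tcp", OUTSIDE, 40000, INSIDE, H225_PORT,
                   "SETUP fastStart mediaPort=52000")      # constructed stand-in
    return {"setup_in": fw.filter(setup)}


if __name__ == "__main__":
    for aware in (False, True):
        print(f"H.323-aware={aware}:", inside_initiated_call(aware),
              outside_initiated_call(aware))
```

Run without the ALG, the call sets up (TCP signalling is a normal request/reply on one port) but the remote's media stream is dropped: exactly the "call connects, one stream missing" symptom described above. With the ALG the firewall learns the media port from the outbound Setup and admits that one stream without a human opening the whole UDP range. In both modes a Setup arriving from outside is dropped, which is the MSN behaviour: the inside must place the call.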