Video Conferencing Behind a Firewall?
JShadow21 asks: "I work at a research lab at a hospital. We want to collaborate with colleagues across the pond via video conferencing; however, the firewall here is very restrictive. There are way too many ports that need to be opened for H.323 to work, so the IT guys won't do that. What alternatives are there? I was considering using an SSH proxy in order to use NetMeeting, or else possibly a web-based solution."
The NetMeeting rules in our PIX configs need only 5 TCP ports: LDAP, 522, 1503, h323, 1731. If you know the IPs of the remote side you can open up a very restrictive set of holes for incoming "calls", or you can initiate the connections and not worry about opening up incoming holes at all (if you use NAT/PAT this is easiest).
Remember: your IT guys aren't running the show, they're there to help you do your job (and I'm an IT weenie at a research lab where Netmeetings are not uncommon...)
Trolling is a art,
I would have to recommend NetMeeting... it's easy to implement, and is already installed on your Windows machines. However, there are quite a few ports that need to be opened... to ensure smooth passage through the firewall, I recommend you take your IT guy to lunch at your local watering hole to discuss it. ^_^
Seriously, though, the opening of these ports should prove to be a minimal security risk if done correctly. A firewall admin who won't open any ports is a firewall admin who doesn't know how to do his job (Ford Motor Company's firewall boys spring to mind here). Remember, this is a valid request you're making, and implementing that request in a safe and secure manner is their job.
____
~ |rip/\/\aster /\/\onkey
Select a machine somewhere to be a dedicated video conference server and have everybody VPN into that machine. Then all those crazy h.whatever ports should be fine.
-73, de n1ywb
www.n1ywb.com
You only need to allow in H323. On any recent PIX, that's just one ACL entry:
access-list incoming permit tcp any host blah eq h323
If you want to be more secure, change the "any" to "host <IP of the device calling you>". I deal with this stuff all the time; it's really no big deal. Some devices, like Tandberg, use extra ports (5555) for other purposes. You might also need LDAP for directory services. If you get an appliance-based VC unit instead of a PC-based one, you'll be slightly more secure.
Additionally, if you want to be more secure, Polycom makes units that use AES encryption for the actual video/audio stream.
Do what I do at home! Set your videoconferencing computer's IP address to be in the DMZ (demilitarized zone)!
Hey, it works for bit torrent....
moox. for a new generation.
We use http://www.webex.com/ at our work; it works a treat behind a multitude of firewalls and maybe even proxies, if I remember rightly.
:)
You should check it out.
-- If I were a fish, I'd be wet
One possibility would be to use a separate, dedicated local network, possibly just one machine sitting by its lonesome. That machine should still be firewalled, especially outbound, and your local network shouldn't trust it at all. Ideally, you'd set it to only be able to reach the networks of whoever you're collaborating with, but if that's likely to change frequently, you may have to open it up to the world.
If your hospital provides network services to the outside world, it's likely that your IT group will already have implemented the separate-network idea... it's generally called a 'DMZ'. If they already have one, it should be easy to run a wire to a certain, specific machine, ideally one in a conference room. And they'll want to lock down the port so it will only talk to that machine, so that visitors or staff don't try to use the DMZ net by mistake. (Some outfits treat the DMZ as already compromised, so if you connect to it by mistake, your machine is declared untrusted, wiped, and reloaded. Not a lot of fun for anyone involved. Most places aren't that anal, though perhaps they should be.)
Setting up a machine in an existing DMZ will involve some work on the part of the IT crew. If they're creating a DMZ from scratch, it could potentially be quite a bit of work. If they're jammed, they may not have any brainpower free to help you with it.
If they can't help you, but you have some budget and live in a big city, you could potentially hook up via a laptop and one of the high-speed cell data networks. In many areas of the country, this is fast enough to be perfectly functional, and you shouldn't need much help getting it running.
However, if you do this without IT's blessing, you should NEVER AGAIN connect that machine to their network... with that data card in it, that machine can potentially be a back door straight into their systems. If you have any VPN software on that machine with credentials to connect to your network, remove it. Before you plug in the cell card, turn it completely into a standalone system, and make sure that all the passwords are different than any others used on any of your other networks, including your home machines. You are assuming that it WILL be compromised, and you're doing your level best to make sure that there's no data on the machine you care about, nor any sensitive passwords that could give an attacker a wedge into your corporate network.
Remember, even if you pull the card out, the machine could already be compromised, so connecting it to the internal network could let it 'phone home' to a hacker and give him full access to your systems. So it should never again be connected to the work network in any way, shape, or form. You should always think of it as already compromised.... dangerous and radioactive. This may or may not be actually TRUE, but it's not a bad habit to be in, especially when you're not an expert.
Disable the Ethernet port so you remember that you don't trust that machine. If you need to move data, burn a CD and sneakernet it. Turn the machine off when you're not using it.
If you don't have the technical chops to lock it down well, wipe and reload it on a fairly regular basis. Use new passwords every time.
I don't recommend you do this for a whole bunch of reasons (not the least of which is the potential of getting fired), but if you can't get IT to help you, setting up a cell card like this should be pretty safe. Just make SURE that it knows NOTHING about your internal net before hooking it up.
Even if IT is otherwise busy, they might be able to give you a 'clean' machine that you can do whatever you want with.
There are several smart proxy firewalls on the market that understand H.323, and will only allow secondary connections as specifically negotiated within the primary connection, thus essentially eliminating the "too many ports" objection. There are probably others, but I know that at least Secure Computing's Sidewinder G2, some of Cyberguard's product lines, and the Symantec Enterprise Firewall offer H.323 proxies.
Since I work for one of these companies I'm posting AC.
OpenVPN is Free (in both senses), fairly fast, cross-platform, but most of all easy to set up. Tunnel all traffic through a single, CONFIGURABLE port. My IT department is also often inept, and their packet shaper makes most VPN traffic crawl (as if it were P2P or something). We require fast remote control software to be run, so we put it on port 80 and watched the traffic finally fly along.
... it's not videoconferencing software, but it sets up VPN groups. Every client gets its own additional IP, and the software got around every firewall/NAT I used it with. Plus the streams are encrypted and transferred via P2P.
Give it a try: http://www.hamachi.cc/
and use your preferred video conferencing software with it.
I am currently streaming my music from my office machine to my home computer, both behind firewalls and routers.
BTW, it's Windows only.
I'm sorry. You said your professional development requires you to video conference. Who the #^%&#! do your IT guys think they are! Go to your hospital administrators and show (don't tell) them how your hospital's jack-booted IT Nazis are keeping you from doing your job.
I have worked in environments where the IT guys forgot they provide a network for the people to use in their jobs, not a network that they can use to build their own personal fiefdom! The best way to break this GOD complex is to have the IT guys' boss get his ass chewed by the higher-ups.
The IT guys can solve your video conferencing problem in one of many ways. Their job is to figure out how to make it happen, not to tell you it's not going to happen.
The next time one of these IT weenies gets hurt on the job tell them you can't administer medical treatment because you have to maintain a firewall between them and you.
Probably the easiest is to convince IT that the people you want to conference with are trustworthy and get them VPN access. Once they're in, you can do whatever you want.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Works fine for me... they route all the traffic through the Yahoo! servers if you cannot establish a direct connection, and it's free!
There is a Linux client AFAIK, a friend of mine runs it on his CS server.
There was also a thread on somethingawful yesterday about this Hamachi thing; according to a lot of people it kicks some major ass.
http://forums.somethingawful.com/showthread.php?threadid=1619003
Depending on your usage and the firewall, you may be able to get by with using an h.323 proxy server.
This will allow outgoing h.323 connections, but not incoming ones. If you're only connecting to external h.323 servers/nodes and not hosting things inside your firewall, this would work transparently.
On an implementation here, we added an h.323 proxy server to our firewall and set up a video conferencing server outside the firewall.
The conferencing server could be controlled via a web interface to start a conference; then remote and local clients alike would connect to this server for their conference without having to pass any incoming connections through the firewall.
We found that unless you get some sort of QOS routing by your ISP, the audio latency made the conferencing more annoying than helpful. This led to people going back to conference calls for the audio portion, and then realizing that it wasn't worth the effort to set up a corresponding video conference just to get a picture of the talking head to match the phone conference.
We've now transitioned to a combination of phone conferencing and Webex. Webex just shares the "stuff" (presentations, files, notes, ...etc.) we care about and not the images of bored people.
Tandberg offers an easy solution with its gatekeeper... it only requires a small number of ports to be opened, and the gatekeeper tracks these. Another solution, cheaper and easier by far: ONT offers video conferencing software that only requires port 80 or 443.
GNU Gatekeeper can do the job for you; it can be used like a traditional gatekeeper or like a proxy as well. From the FAQ:
"1.2. Can I use the GNU Gatekeeper for NAT/masquerading H323 calls through a firewall ?
Use the proxy function that has been introduced in version 2.0."
From the manual:
"When Gatekeeper Routed call signalling is used, the gatekeeper may choose whether to route the H.245 control channel and logical channels.
Case I.
The gatekeeper doesn't route them. The H.245 control channel and logical channels are established directly between the endpoints.
Case II.
The H.245 control channel is routed between the endpoints through the gatekeeper, while the logical channels are established directly between the endpoints.
Case III.
The gatekeeper routes the H.245 control channel, as well as all logical channels, including RTP/RTCP for audio and video, and T.120 channel for data. In this case, no traffic is passed directly between the endpoints. This is usually called an H.323 Proxy, which can be regarded as an H.323-H.323 gateway. "
http://www.gnugk.org/
Stay away from Tandberg. I cannot speak about their entire product line, but some of their h323 devices are extremely buggy. I know this first hand because I worked on a firewall ALG module for H.323, and Tandberg devices caused us all sorts of grief. To give an idea: they had no problem negotiating one port and then starting to stream over the +2 one. Freaky stuff; can't imagine them being interoperable with anything but themselves.
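The "smart proxy" firewalls mentioned earlier in the thread, the GNU Gatekeeper's Case III proxy mode, and the firewall ALG in the comment above all rest on the same idea: permit the one static H.225 call-signalling port, and open the dynamic RTP/RTCP ports only because the control channel negotiated them. The following Python model is an added example, not code from any poster or from any of the products named; it replaces real H.225/H.245 parsing with an explicit open_media() call, and every IP address, port number and name in it (H323Alg, run_demo, 192.0.2.5, 203.0.113.10, port 49152) is a constructed sample value. It also shows why an endpoint that negotiates one port and then streams on port +2 simply has its media dropped by such a firewall.

```python
# Added example (not from the thread): a toy model of an H.323-aware
# firewall / ALG.  A real ALG parses H.225 on TCP 1720 and the H.245
# OpenLogicalChannel messages inside it; here that parse is replaced by
# open_media().  All IPs, ports and names are constructed for the demo.
from dataclasses import dataclass, field
from typing import Optional, Set, List, Tuple

H225_PORT = 1720  # the one static H.323 call-signalling port (TCP)


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class H323Alg:
    """One static rule for call signalling, plus pinholes that exist only
    because the control channel negotiated them (the ALG / proxy idea)."""
    inside_units: Set[str]                       # our conferencing endpoints
    trusted_callers: Optional[Set[str]] = None   # None behaves like "any" in an ACL
    pinholes: Set[Tuple[str, str, str, int]] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def allow(self, pkt: Packet) -> bool:
        # Static rule: inbound TCP 1720 to a known unit, optionally caller-restricted.
        if pkt.proto == "tcp" and pkt.dport == H225_PORT and pkt.dst in self.inside_units:
            if self.trusted_callers is None or pkt.src in self.trusted_callers:
                return True
            self.log.append(f"DENY signalling from untrusted caller {pkt.src}")
            return False
        # Everything else passes only if an H.245 negotiation opened it.
        if (pkt.proto, pkt.src, pkt.dst, pkt.dport) in self.pinholes:
            return True
        self.log.append(
            f"DENY {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} (not negotiated)")
        return False

    def open_media(self, remote: str, inside: str, rtp_port: int) -> None:
        """ALG hook: an OpenLogicalChannel for RTP on rtp_port implies RTCP on
        rtp_port + 1 and nothing else; a stream on rtp_port + 2 stays blocked."""
        for port in (rtp_port, rtp_port + 1):
            self.pinholes.add(("udp", remote, inside, port))

    def close_call(self, remote: str, inside: str) -> None:
        """On call teardown every pinhole for that endpoint pair disappears."""
        self.pinholes = {p for p in self.pinholes if (p[1], p[2]) != (remote, inside)}


def run_demo() -> dict:
    """Walk one inbound call through the policy and record each decision."""
    fw = H323Alg(inside_units={"192.0.2.5"}, trusted_callers={"203.0.113.10"})
    caller, unit = "203.0.113.10", "192.0.2.5"
    results = {}
    results["ring_trusted"] = fw.allow(Packet("tcp", caller, 40001, unit, H225_PORT))
    results["ring_stranger"] = fw.allow(Packet("tcp", "198.51.100.7", 40002, unit, H225_PORT))
    results["media_before_negotiation"] = fw.allow(Packet("udp", caller, 5004, unit, 49152))
    fw.open_media(caller, unit, 49152)          # H.245 negotiated RTP on 49152
    results["rtp"] = fw.allow(Packet("udp", caller, 5004, unit, 49152))
    results["rtcp"] = fw.allow(Packet("udp", caller, 5005, unit, 49153))
    results["rtp_plus_two"] = fw.allow(Packet("udp", caller, 5006, unit, 49154))
    results["pinholes_open"] = len(fw.pinholes)
    fw.close_call(caller, unit)
    results["rtp_after_hangup"] = fw.allow(Packet("udp", caller, 5004, unit, 49152))
    results["denials_logged"] = len(fw.log)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:28} {value}")
```

The point of the model is the size of the static policy: one TCP rule, optionally pinned to the remote site's IP, and no standing UDP range at all; the media pinholes exist only for the life of a call the firewall has watched being set up, which is what removes the "too many ports" objection.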
Disclaimer: I don't work for Tandberg and I have never used this product. I looked into it when researching a project. It is not cheap. Take my comments with a grain of salt and do your own research.
Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP
It's my job, when someone comes to me with something like that, to look at it and, if I don't want to do it their way, to offer an alternative. Your tech guys are gonna need a kick (try confiscating their bandwidth till they do some work).
They fitted George Orwell's coffin with rollers so he could turn over more easily years ago.
This so-called DMZ offered by home routers is a terrible breach of security!!!
You might try a hosted solution like Microsoft Live Meeting, Lotus Sametime or WebEx; basically anything that is hosted on a website instead of using a direct P2P connection.
Also, assuming the other person isn't behind a firewall, you could call out to them using NetMeeting.