Video Conferencing Behind a Firewall?

JShadow21 asks: "I work at a research lab at a hospital. We want to collaborate with colleagues across the pond via video conferencing however the firewall here is very restrictive. There are way too many ports that needed to be opened for H.323 to work so the IT guys won't do that. What alternatives are there? I was considering using an SSH proxy in order to use Netmeeting, or else possibly a web based solution."

Dedicated VPN/video server

[n1ywb]

Select a machine somewhere to be a dedicated video conference server and have everybody VPN into that machine. Then all those crazy h.whatever ports should be fine.

OpenVPN

[Noksagt]

OpenVPN is Free (in both senses), fairly fast, cross-platform, but most of all easy to setup. Tunnel all traffic through a single, CONFIGURABLE port. My IT department is also often inept & they're packet-shaper makes most VPN traffic crawl (as if it were P2P or something). We require fast remote control software to be run, so we put it on port 80 & watched the traffic finally fly along.

Re:Keep it simple...go with NetMeeting.

[Euler]

With most TCP-based applications, it is possible to implement a sane firewall strategy, but H.323 (Netmeeting) makes it pretty much impossible to do so. The protocol has a standard port for the control connection, but it sets up any port it feels like for incoming UDP voice/video traffic. The protocol expects you to leave the server AND CLIENTS in the DMZ, with all the problems that brings; limits other hosts in a NAT network, and obvious over-exposure to security attacks. When I started working with H.323, I realized very quickly that this alone is a show stopper that will/has limited the adoption of practical video/voice conferencing.

The main issue is that NAT routers and firewalls work well with outgoing TCP connections, because it is easy to contruct the return route with that information alone. UDP and unsolicited TCP connections are nearly impossible to deal with without some protocol specific knowledge. Most video and voice solutions are stuck in the mindset that they have to use UDP for its unreliable, but timely data transmission. One successful exception are systems like Yahoo chat, which I know for a fact works like a charm behind a NAT firewall. It seems they fall back to a server-based TCP connection if UDP fails to route. Netmeeting seems to just go blissfully along in silence as long as the control connection can be established. It won't even do a sanity check to see if the data traffic is getting through at all.

Only semi-usable solution I know of is to have a extra-fancy router or firewall that does packet inspection and is specifically aware of H.323

It all works great on a LAN or possibly a VLAN or VPN though.

Re:Your IT guys are lazy

[Metzli]

It's also possible that NAT won't work and they're concerned about that. We have some Polycom video conference gear and it won't work with NATs. The box embed the endpoint IP in the packet itself, so NATs cause the system not to function. Yay.