Server Considerations for NetMeeting


When configuring your network for NetMeeting, you should consider how to handle standardization requirements:

  • Particularly in the corporate environment, communication between local and remote locations is a necessity. To support these user communities, products must interoperate in a standard fashion across platforms and networks.

  • Products of varying levels of functionality must be able to communicate; standards enable compatibility of applications that have a variety of functions and features.

  • As more vendors develop standards-based products, customers benefit from competitive pricing, improved quality, and product upgrades.

The following sections describe the specific types of products and services, including clients, servers, and gateways, that interoperate with NetMeeting. Interoperability testing is described for two International Telecommunication Union (ITU) standards that NetMeeting currently supports: T.120 for data conferencing and H.323 for audio and video conferencing. This section also discusses the elements that make T.120 and H.323 standards-based products interoperate.

Interoperability Scenarios and NetMeeting

For corporate and home users, many interoperability scenarios are possible between NetMeeting and compatible, standards-based clients, servers, bridges, and gateways:

  • Within an organization, NetMeeting users can connect with each other over the corporate intranet. A T.120 or H.323 conferencing server can provide inbound and outbound connectivity with compatible clients for data, audio, or video conferencing.

  • An H.323 gateway can be used to bridge internal and external networks over a corporate firewall, supporting connections for audio and video conferencing.

  • NetMeeting users can initiate multipoint connections with third-party T.120 clients. T.120 servers can provide administration services for this data conferencing scenario.

  • NetMeeting users can initiate point-to-point connections with H.323 clients. T.120 data conferencing can be supported in conjunction with H.323 audio and video conferencing. H.323 servers can provide administration services for this data conferencing scenario.

  • Through an H.32x gateway, NetMeeting users can connect to H.320 and H.324 systems. Also, an H.320 server can be used for connectivity with multiple H.320 systems.

  • An H.323 gateway also enables NetMeeting users to connect to people over public switched telephone network (PSTN) lines.

Internet Locator Server

Internet Locator Server (ILS) offers a standards-based, dynamic directory solution to the user location problem on the Internet. ILS supports LDAP conferencing servers and directory servers. These server types are described in the following sections.

ILS provides organizations with a directory server for NetMeeting users. Like User Location Service (ULS), which was developed for NetMeeting 1.0, ILS provides a memory-resident database for storing dynamic directory information. This database enables users to find dynamic information, such as an IP address, for people currently logged on to an Internet service or site. The ILS database maintains the entries, which clients update periodically. This process ensures that clients can always access the most current information about each user's Internet location.

The following features distinguish ILS:

  • Support for industry-standard protocols - ILS provides both an LDAP interface for NetMeeting support and a proprietary user location protocol (ULP) interface for legacy support of NetMeeting 1.0. Through these built-in protocols, ILS provides directory server support for NetMeeting. These interfaces allow NetMeeting to access the server for dynamic directory information and facilitate point-to-point Internet communication sessions. Other clients can access ILS through the LDAP interface. For more information, see the Microsoft NetMeeting Software Development Kit. All client applications must migrate to LDAP to access dynamic directory information.

  • Performance monitoring - ILS supports Windows NT Server administration features - including performance monitoring (Perfmon counters), Simple Network Management Protocol (SNMP) monitoring, and event logs - to measure activity and system performance. Operators can make use of administration features, such as transaction logs that collect usage statistics, track messages and transactions, and allow administrators to examine usage patterns. These tools enable administrators to proactively monitor server performance and identify potential problems.

  • Stable, robust server capabilities - As a standards-based Internet directory server, ILS was designed to provide stable, robust directory services. ILS uses thread pooling and connection management to enable more efficient handling of system resources. ILS users experience better performance, because ILS uses binary data packets to optimize performance. Also, the server uses a spanning tree architecture to support many concurrent users in a single server configuration.

  • Customization through Active Server Pages - Using Active Server Pages (.asp files), administrators can combine HTML and scripting components to customize their ILS interface. They can create scripts to display a specific group of NetMeeting users currently online, enable user searches, and initiate real-time communication sessions with other users.

  • Easy setup and administration - ILS provides a graphical setup program so that administrators can install server components quickly and easily. Then, administrators can set options for user logon, security, and server access through the Microsoft Internet Service Manager.

  • Microsoft product support - Microsoft provides worldwide product support through the Microsoft Support Network. ILS users can choose from standard or priority support.

For information about setting up and implementing ILS, see the Microsoft Internet Locator Server Operations Guide or its companion, the Microsoft Internet Locator Service Operations Reference.

LDAP Conferencing Servers

ILS supports the IETF Lightweight Directory Access Protocol (LDAP) version 2 standard for NetMeeting directory services. LDAP servers support the same LDAP protocol, but each server extends LDAP for a particular purpose. For example, ILS applies LDAP for use with dynamic records.

LDAP version 3 designers have proposed dynamic directory services as part of the LDAP protocol. When version 3 is finalized and implemented within NetMeeting, developers can access standards information from the IETF Web site for developing compatible servers. Currently, vendors can develop interoperable servers for NetMeeting by obtaining information about the LDAP extension from Microsoft.

In addition, many people use ULS for locating and connecting to other NetMeeting users. Third-party vendors have developed many interoperable ULSs, such as uls.four11.com, which users can log on to from NetMeeting.

Directory Servers

ILS, an optional component of IIS, supports directory servers that enable NetMeeting users to locate each other on the Internet or corporate intranets. These servers create a directory of NetMeeting users. From this directory, users can select participants for real-time conferencing and collaboration. ILS provides all of the ULS functionality, as well as introducing advanced server technology not previously available. Users can benefit from enhanced features and functions, better performance, and higher scalability to support more NetMeeting users.

Firewall Configuration for NetMeeting

Microsoft NetMeeting can be configured to work with most organizations' existing firewall security. However, because of limitations in most firewall technology, few products are available that allow you to securely transport inbound and outbound NetMeeting calls containing audio, video, and data across a firewall. You might want to consider carefully the relative security risks of enabling different parts of a NetMeeting call in your firewall product. You must especially consider the security risks involved when modifying your firewall configuration to enable any component of an inbound NetMeeting call.

NetMeeting and Firewalls

A firewall is a set of security mechanisms that an organization implements, both logically and physically, to prevent unsecured access to an internal network. Firewall configurations vary from organization to organization. Most often, the firewall consists of several components, which can include a combination of routers, proxy servers, host computers, gateways, and networks with the appropriate security software. Very rarely is a firewall a single component, although a number of newer commercial firewalls attempt to put all of the components in a single package.

For most organizations, an Internet connection is part of the firewall. The firewall identifies itself to the outside network as a number of IP addresses - or as capable of routing to a number of IP addresses - all associated with DNS server entries. The firewall might respond as all of these hosts (a virtual computer) or pass on packets bound for these hosts to assigned computers.

You can configure firewall components in a variety of ways, depending on your organization's specific security policies and overall operations. Although most firewalls are capable of allowing primary (initial) and secondary (subsequent) TCP and User Datagram Protocol (UDP) connections, they might be configured to support only specific connections based on security considerations. For example, some firewalls allow only primary TCP connections, which are considered the most secure and reliable.

To enable NetMeeting multipoint data conferencing (application sharing, whiteboard, file transfer, and directory lookups), your firewall only needs to pass through primary TCP connections on assigned ports. For NetMeeting to make calls that use audio and video conferencing, your firewall must be able to pass through secondary TCP and UDP connections on dynamically assigned ports. Some firewalls can pass through primary TCP connections on assigned ports, but cannot pass through secondary TCP or UDP connections on dynamically assigned ports.

Note NetMeeting audio and video features require secondary TCP and UDP connections. Therefore, when you establish connections through firewalls that accept only primary TCP connections, you are not able to use the audio or video features of NetMeeting.

Establishing a NetMeeting Connection with a Firewall

When you use NetMeeting to call other users over the Internet, several IP ports are required in order to establish the outbound connection. If you use a firewall to connect to the Internet, it must be configured so that the following IP ports are not blocked.

This port    Is used for
389          Internet Locator Server (TCP)
522          User Location Service (TCP)
1503         T.120 (TCP)
1720         H.323 call setup (TCP)
1731         Audio call control (TCP)
Dynamic      H.323 call control (TCP)
Dynamic      H.323 streaming (Real Time Protocol over User Datagram Protocol)

To establish outbound NetMeeting connections through a firewall, the firewall must be configured to do the following:

  • Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731

  • Pass through secondary TCP and UDP connections on dynamically assigned ports (1024-65535)

The H.323 call setup protocol (over port 1720) dynamically negotiates a TCP port for use by the H.323 call control protocol. Also, both the audio call control protocol (over port 1731) and the H.323 call setup protocol (over port 1720) dynamically negotiate UDP ports for use by the H.323 streaming protocol, which is the Real Time Protocol (RTP). In NetMeeting, two UDP ports are determined on each side of the firewall for audio and video streaming, for a total of four ports for inbound and outbound audio and video. These dynamically negotiated ports are selected arbitrarily from all ports that can be assigned dynamically.

NetMeeting directory services require either port 389 or port 522, depending on the type of server you are using. ILS, which supports LDAP for NetMeeting, requires port 389. ULS, developed for NetMeeting 1.0, requires port 522.
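The following Python model is an added illustration, not code from Microsoft or the NetMeeting documentation. It encodes the port table and the two firewall configurations described above (one that passes only primary TCP on the assigned ports, and one that also passes secondary TCP and UDP on the dynamic range 1024-65535, outbound only) and walks the flows of a single outbound call to show which NetMeeting features survive each policy. The Flow class, the policy function names, and the sample negotiated port numbers are assumptions made for this example.

```python
"""Model of the firewall behaviour NetMeeting depends on (added example, not Microsoft's code)."""
from dataclasses import dataclass

# Fixed ports from the TechNet table: primary TCP connections the firewall must pass.
NETMEETING_PRIMARY_TCP = {
    389: "Internet Locator Server (LDAP)",
    522: "User Location Service",
    1503: "T.120 data conferencing",
    1720: "H.323 call setup",
    1731: "Audio call control",
}

# Secondary connections negotiated over 1720/1731 may land anywhere in this range.
DYNAMIC_RANGE = range(1024, 65536)


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    dst_port: int
    direction: str    # "outbound" (inside -> outside) or "inbound"
    primary: bool     # True for the initial connection, False for a negotiated follow-up


def primary_tcp_only(flow: Flow) -> bool:
    """Firewall that passes only primary TCP connections on the assigned ports."""
    return (flow.direction == "outbound"
            and flow.proto == "tcp"
            and flow.primary
            and flow.dst_port in NETMEETING_PRIMARY_TCP)


def full_netmeeting(flow: Flow) -> bool:
    """Firewall that also passes secondary TCP/UDP on the dynamic range, outbound only."""
    if flow.direction != "outbound":
        return False                     # no inbound NetMeeting calls in this model
    if primary_tcp_only(flow):
        return True
    return (not flow.primary
            and flow.proto in ("tcp", "udp")
            and flow.dst_port in DYNAMIC_RANGE)


def call_components(policy, negotiated_tcp=3001, negotiated_udp=(49152, 49153)):
    """Walk the flows of one outbound call and report which features the policy allows.

    negotiated_tcp is the H.323 call-control port chosen during setup on 1720;
    negotiated_udp holds the two RTP ports NetMeeting picks on each side for
    audio and video. Both values here are constructed sample numbers.
    """
    directory = (policy(Flow("tcp", 389, "outbound", True))
                 or policy(Flow("tcp", 522, "outbound", True)))
    data = policy(Flow("tcp", 1503, "outbound", True))
    setup = (policy(Flow("tcp", 1720, "outbound", True))
             and policy(Flow("tcp", 1731, "outbound", True)))
    control = policy(Flow("tcp", negotiated_tcp, "outbound", False))
    media = all(policy(Flow("udp", p, "outbound", False)) for p in negotiated_udp)
    return {
        "directory_lookup": directory,
        "data_conferencing": data,
        "audio_video": setup and control and media,
    }


if __name__ == "__main__":
    for name, policy in (("primary TCP only", primary_tcp_only),
                         ("primary + dynamic secondary", full_netmeeting)):
        print(name, call_components(policy))
```

Running the module prints that the primary-TCP-only policy still permits directory lookup and T.120 data conferencing but not audio and video, which matches the Note above: the call setup on 1720 succeeds, but the negotiated call-control TCP port and the RTP UDP ports are refused. The wider policy opens the entire dynamic range outbound, which is the trade-off the text asks you to weigh before changing a firewall for NetMeeting.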

Firewall Limitations for NetMeeting

Some firewalls cannot support an arbitrary number of virtual internal IP addresses, or cannot do so dynamically. With these firewalls, you can establish outbound NetMeeting connections from computers inside the firewall to computers outside the firewall, and you can use the audio and video features of NetMeeting. Other people, though, cannot establish inbound connections from outside the firewall to computers inside the firewall. Typically, this restriction is due to limitations in the network implementation of the firewall.

Note Some firewalls are capable of accepting only certain protocols and cannot handle TCP connections. For example, if your firewall is a Web proxy server with no generic connection-handling mechanism, you will not be able to use NetMeeting through the firewall.
