NetMeeting 3.0 Resource Kit
| Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
This chapter describes how Microsoft® Windows® NetMeeting® 3 works with an organization's existing firewall security. You will learn about NetMeeting requirements for TCP and UDP connections, as well as the IP ports needed to establish a NetMeeting connection.
Note There are few available products that an organization can implement to securely transport inbound and outbound NetMeeting calls, which transfer audio, video, and data across a firewall. Because of this, carefully consider the relative security risks of modifying your firewall product to enable NetMeeting features, especially for inbound calls.
Components of a Secured System
A firewall is a set of security mechanisms that an organization implements, both logically and physically, to prevent unsecured access to an internal network. Firewall configurations vary from organization to organization. Most often, the firewall consists of several components, which can include a combination of the following:
Routers
Proxy servers
Host computers
Gateways
Networks with the appropriate security software
Very rarely is a firewall a single component, although a number of newer commercial firewalls attempt to put all of the components into a single computer. The following illustration shows a firewall configuration.
.gif "Cc767130.ntmc0401(en-us,TechNet.10).gif")
For most organizations, an Internet connection is part of the firewall. The firewall identifies itself to the outside network as a number of Internet Protocol (IP) addresses, or as capable of routing to a number of IP addresses, all associated with Domain Name Service (DNS) entries. The firewall might respond as a host, resulting in a virtual computer, or pass on packets bound for these hosts to assigned computers.
NetMeeting and Firewalls
You can configure firewall components in a variety of ways, depending on your organization's specific security policies and overall operations. While most firewalls are capable of allowing primary (initial) and secondary (subsequent) Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections, they might be configured to support only specific connections based on security considerations. For example, some firewalls allow only primary TCP connections, which are considered the most secure and reliable.
To enable NetMeeting 3 multipoint data conferencing — program sharing, Whiteboard, Chat, file transfer, and directory access— your firewall only needs to pass through primary TCP connections on assigned ports.
NetMeeting audio and video features require secondary TCP and UDP connections on dynamically assigned ports. Therefore, if you establish connections through firewalls that accept only primary TCP connections, you will not be able to use the audio or video features of NetMeeting.
Establishing a NetMeeting Connection with a Firewall
When you use NetMeeting to call other users over the Internet, several IP ports are required to establish the outbound connection. The following table shows the ports, their functions, and the resulting connection.
Port |
Function |
Outbound Connection |
|---|---|---|
389 |
Internet Locator Service (ILS) |
TCP |
522 |
User Location Service |
TCP |
1503 |
T.120 |
TCP |
1720 |
H.323 call setup |
TCP |
1731 |
Audio call control |
TCP |
Dynamic |
H.323 call control |
TCP |
Dynamic |
H.323 streaming |
Real-Time Transfer Protocol (RTP) over UDP |
If you use a firewall to connect to the Internet, it must be configured so that the IP ports are not blocked.
To establish outbound NetMeeting connections through a firewall, the firewall must be configured to do the following:
Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731.
Pass through secondary TCP and UDP connections on dynamically assigned ports (1024-65535).
The H.323 call setup protocol dynamically negotiates a TCP port for use by the H.323 call control protocol. Also, both the audio call control protocol and the H.323 call setup protocol dynamically negotiate UDP ports for use by the H.323 streaming protocol, called the Real-Time Transfer Protocol (RTP). In NetMeeting, two UDP ports are determined on each side of the firewall for audio and video streaming, for a total of four ports for inbound and outbound audio and video. These dynamically negotiated ports are selected arbitrarily from all ports that can be assigned dynamically.
NetMeeting directory services requires port 389. Microsoft Internet Locator Service (ILS) servers, which support the Lightweight Directory Access Protocol (LDAP) for NetMeeting, also require port 389.
Microsoft Proxy Server Example
This section provides a guideline for setting up the Microsoft Proxy Server to enable the necessary ports for NetMeeting outbound calls. For additional information about configuring the Microsoft Proxy Server, refer to the Microsoft® Proxy Server Installation and Administration Guide.
Microsoft Proxy Server and Microsoft Internet Information Server are run on Windows NT 4.0 (with Service Pack 3 or greater). The Microsoft Internet Service Manager is part of Internet Information Server.
To configure the Microsoft Proxy Server for NetMeeting
Start the Microsoft Internet Service Manager, and then click Winsock Proxy Service.
.gif "Cc767130.ntmc0402(en-us,TechNet.10).gif")
If your browser does not support inline frames, click here to view on a separate page.Click the Protocols tab, and then click Add. The Protocol Definition dialog box appears.
.gif "Cc767130.ntmc0403(en-us,TechNet.10).gif")
If your browser does not support inline frames, click here to view on a separate page.Refer to the table in "Establishing a NetMeeting Connection with a Firewall" and add each port required for NetMeeting by typing or selecting values for the following fields:
Protocol name
Port
Type
Direction
For example, if you want to add port 389, you would enter the following settings:
In
Do this
Protocol name
Type LDAP
Port
Type 389
Type
Click TCP (default)
Direction
Click Outbound
.gif "Cc767130.ntmc0406(en-us,TechNet.10).gif")
For TCP-only ports, click OK after adding information for each port and then continue to step 5. For ports that require UDP connections, continue with step 4.
For ports that require secondary UDP connections, click Add in the Port Ranges for Subsequent Connections box, and then enter the following values:
In
To this
Port or Range
Type 0-65535
Type
Click UDP (default)
Direction
Click Inbound or Outbound
.gif "Cc767130.ntmc0404(en-us,TechNet.10).gif")
Click OK to add the UDP connection information. Repeat this process to add both Inbound and Outbound dynamic port ranges.
The following screen shot illustrates the setting for port 1720, configured for both TCP and UDP connections.
.gif "Cc767130.ntmc0405(en-us,TechNet.10).gif")
After you have added all necessary connection information, click OK to add the protocol definition.
.gif){kind=link}
.gif){kind=link}
Firewall Limitations
Some firewalls cannot support an arbitrary number of virtual internal IP addresses, or cannot do so dynamically. With these firewalls, you can establish outbound NetMeeting connections from computers inside the firewall to computers outside the firewall, and you can use the audio and video features of NetMeeting. Other people, though, cannot establish inbound connections from outside the firewall to computers inside the firewall. Typically, this restriction is due to limitations in the network implementation of the firewall.
Note Some firewalls are capable of accepting only certain protocols and cannot handle TCP connections. For example, if your firewall is a Web proxy server with no generic connection handling mechanism, you will not be able to use NetMeeting through the firewall.
Security and Policy Concerns
Some organizations might have security or policy concerns that require them to limit how fully they support NetMeeting in their firewall configuration. These concerns might be based on network capacity planning or low confidence in the firewall technology being used. For example, security concerns might prohibit an organization from accepting any inbound or outbound flow of UDP data through their firewall. Because these UDP connections are required for NetMeeting audio and video features, disabling this function excludes audio and video features in NetMeeting for calls through the firewall. The organization can still use NetMeeting data conferencing features—such as program sharing, file transfer, Whiteboard, and Chat— for calls through the firewall by allowing only TCP connections on ports 522 and 1503.
For more information about firewall design, policy, and security considerations for firewall design in general, see Building Internet Firewalls, D. Brent Chapman and Elizabeth D. Zwicky, O'Reilly & Associates, Inc., 1995.