FIREWALL RECOMMENDATIONS & GUIDELINES

Before We Start

When configuring a video conferencing system, please ensure any H.323 protocol inspection engines are disabled.  This includes, but is not limited to, H.323, H.245, H.239 and H.225 inspection.  Leaving these protocol inspection engines enabled usually causes more problems than it solves, often resulting in significant packet loss.  Please check with your firewall manufacturer on how you can disable H.323 inspection.

Also ensure that you don't have any pre-existing rules or services that may conflict with the recommendations given below. We suggest that new, bi-directional rules for the ports listed below are created and clearly indicated for future reference.*

For firewall information regarding your web browser or Easymeeting Desktop, please read our helpdesk article: Our company is behind a very strict firewall, can I still join using my web browser (WebRTC) or Easymeeting Desktop?


THE FOLLOWING OPTIONS EXIST, PLEASE PICK ONE:

Option 1

Video system outside the firewall with public IP address:

FIREWALL SETTINGS: No configuration necessary. However, we recommend that your system is not configured to permit unauthorized access.

Since the video system is outside of the firewall, no configuration is necessary.  We do not recommend this configuration for permanent installations and only recommend it for troubleshooting or demonstration purposes.  While outside the firewall, your system’s web admin interface will be exposed to the Internet and you’ll have an increased exposure to video conferencing SPAM.

Easymeeting does offer a SPAM filter with our Cloud Connect subscription. If you are interested in learning more, please contact sales@easymeeting.net.

 

Option 2

Video system located in a DMZ:

FIREWALL SETTINGS: Ensure that all TCP/UDP ports in the range 1024 – 65535 are open for outbound traffic. OPEN TCP and UDP ports specified for your system in the table below to the public IP of your system.

You will need to create a static 1-to-1 NAT policy from the public side of your firewall to the semi-private side of the DMZ.  Some firewalls require you to create an additional policy to translate the semi-private DMZ to the public side of your firewall.

Please reference the table, “H323 Firewall Ports Used for Audio/Video/Data” to get a list of ports you should enable bi-directionally on your firewall and “Endpoint Settings” below to ensure you’ve enabled Static NAT for your video system.

If your video system is not listed below, please check with your hardware manufacturer.

 

Option 3

Endpoint located on private network:

FIREWALL SETTINGS: Ensure that all TCP/UDP ports in the range 1024 – 65535 are open for outbound traffic. FORWARD TCP and UDP ports specified for your system in the table below to the public IP of your system.

This configuration has the video conferencing endpoint on your private network.  You will need to create a static 1-to-1 NAT policy from the public side of your firewall to the private side of the LAN.  Some firewalls require you to create an additional policy to translate the private LAN to the public side of your firewall.

Please reference the table, “H323 Firewall Ports Used for Audio/Video/Data” to get a list of ports you should enable bi-directionally on your firewall and “Endpoint Settings” below to ensure you’ve enabled Static NAT for your video system.

If your video system is not listed below, please check with your hardware manufacturer.

 

Option 4

Easymeeting's Cloud Connect Services:

Sometimes, companies don’t have the technical resources to configure complicated firewalls.  With Easymeeting.net’s Cloud Connect, you can seamlessly integrate your video conferencing systems into the Easymeeting Cloud and with other video conferencing devices across the globe. To receive more information about Easymeeting Cloud Connect services, please contact sales@easymeeting.net or visit www.easymeeting.net/cloudconnect.


*Please note, Easymeeting cannot be responsible for the configuration of your firewall/router. This information is intended as a guideline to help you realize all features of the Easymeeting service.


H323 FIREWALL PORTS USED FOR AUDIO/VIDEO/DATA

Refer to your system user manual for a complete list of ports in use by your specific endpoint.

System | TCP | UDP
-------|-----|----
All systems | 80 & 443 (Remote management - Optional); 1720 (H.323 call setup) | 1719 (Gatekeeper registration)
Cisco | 5555-5574 (audio/video/data) | 2326-2485 (audio/video/data)
LifeSize | 60000-64999 (audio/video/data) | 60000-64999 (audio/video/data)
Polycom (when configured with "fixed ports") | 3230-3243 (audio/video/data); 21 (for software updates) | 3230-3290 (audio/video/data)
Radvision (when configured with "fixed ports") | 3230 - 3242 (audio/video/data) | 3230 - 3287 (audio/video/data)
Sony | 2253-2255 (audio/video/data) | 49152-49239 (audio/video/data)
Tandberg | 5555 - 5574 (audio/video/data); 21 (software update) | 2326 - 2385 (audio/video/data) (2326 - 2485 for internal multipoint units)
TWS | 3230 - 3280 (audio/video/data) | 3230 - 3280 (audio/video/data)
Yealink | 50000 - 50499 (audio/video/data) | 50000 - 50499 (audio/video/data)
ZTE | 3230 - 3280 (audio/video/data) | 3230 - 3280 (audio/video/data)
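
One way to check an Option 2 or Option 3 firewall against the port table above is to compare the inbound forwards you actually have with the ranges listed for your system. The script below is an added example, not Easymeeting code: the port numbers for Cisco, LifeSize and Sony are copied from the table, while the function names, finding labels and the sample rule list are assumptions made for illustration.

```python
# Added example: audit inbound forwards against this page's port table.
# Port numbers come from the table; the sample rule list is constructed.
SIGNALLING = {"tcp": [(1720, 1720)], "udp": [(1719, 1719)]}
MEDIA = {
    "cisco": {"tcp": [(5555, 5574)], "udp": [(2326, 2485)]},
    "lifesize": {"tcp": [(60000, 64999)], "udp": [(60000, 64999)]},
    "sony": {"tcp": [(2253, 2255)], "udp": [(49152, 49239)]},
}
OPTIONAL_MGMT_TCP = (80, 443)  # "Remote management - Optional" in the table


def expected(system, proto):
    """Port ranges the table lists for this system and protocol."""
    return SIGNALLING[proto] + MEDIA[system][proto]


def subtract(span, allowed):
    """Return the parts of span (lo, hi) not covered by any allowed range."""
    left = [span]
    for a, b in allowed:
        nxt = []
        for lo, hi in left:
            if b < lo or a > hi:          # no overlap, keep as is
                nxt.append((lo, hi))
                continue
            if lo < a:                    # piece below the allowed range
                nxt.append((lo, a - 1))
            if hi > b:                    # piece above the allowed range
                nxt.append((b + 1, hi))
        left = nxt
    return left


def audit(system, forwards):
    """forwards: (proto, lo, hi) inbound rules pointing at the endpoint."""
    findings = []
    for proto, lo, hi in forwards:
        for u_lo, u_hi in subtract((lo, hi), expected(system, proto)):
            mgmt = proto == "tcp" and any(u_lo <= p <= u_hi for p in OPTIONAL_MGMT_TCP)
            findings.append((proto, u_lo, u_hi, "optional-management" if mgmt else "outside-table"))
    for proto in ("tcp", "udp"):
        for a, b in expected(system, proto):
            if not any(p == proto and lo <= a and b <= hi for p, lo, hi in forwards):
                findings.append((proto, a, b, "missing"))
    return findings


if __name__ == "__main__":
    constructed = [("tcp", 1720, 1720), ("tcp", 60000, 64999),
                   ("udp", 60000, 64999), ("tcp", 443, 443)]
    for finding in audit("lifesize", constructed):
        print(finding)
```

An "optional-management" finding means the endpoint's web admin interface is reachable from the Internet, the exposure described under Option 1; "outside-table" marks forwarded ports the table does not list for that system.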
 

ADDITIONAL VIDEO SYSTEM SETTINGS

WHEN USING OPTIONS 2 & 3, PORT FORWARDING: If your system isn’t listed, or you are unsure how to properly configure your system, please refer to your system user manual or hardware manufacturer for assistance with configuring Static NAT.

Easymeeting TWS video systems

     * Navigate to Settings -> Network -> Firewall
     * Static NAT Traversal = Enabled
     * Public IP Address = [Enter the NAT public IP address]

LifeSize Express series video systems

     * System Menu --> Administrator Preferences --> Network --> NAT
     * Enable Static NAT, and enter the public IP address of the firewall in the "NAT Public IP Address"

Polycom video systems

     * Admin Setup -> Network -> IP Network
     * Fixed Ports: On (checked)
     * NAT Configuration: AUTO or choose MANUAL to enter the address if the system can’t find NAT Public (WAN) address automatically.
     * NAT is H.323 Compatible: Off (not checked)

Radvision XT1000 series video systems

     * Settings -> Network -> Preferences -> Dynamic Ports
     * Auto Detect (TCP) = Disabled
     * Auto Detect (UDP) = Disabled
     * Settings -> Networks -> Preferences -> NAT
     * NAT Traversal = Enabled
     * NAT Discovery = Manual
     * Public IP Address = [Enter the NAT public IP address]

ZTE T700 video systems

     * Navigate to Settings -> Network -> Firewall -> H323
     * NAT Mode = Static NAT
     * NAT Address = [Enter the NAT public IP address]


Network Guidelines

These recommended network guidelines are intended to allow you to obtain the best experience when accessing the Easymeeting services. Video performance and quality of experience are directly related to network performance. Should a network link be unreliable or give intermittent performance, this can have the same impact on your video experience.

BANDWIDTH (BI-DIRECTIONAL)

  • Minimum bandwidth requirements for Standard Definition (SD) video conferencing, including PC, Mac, and Mobile: 384kbps

  • Recommended bandwidth requirements for Standard Definition (SD) video conferencing, including PC, Mac, and Mobile: 768kbps

  • Minimum bandwidth requirements for High Definition (HD) video conferencing, including PC, Mac, and Mobile: 1024kbps

  • Recommended bandwidth requirements for High Definition (HD) video conferencing, including PC, Mac, and Mobile: 1536kbps

PACKET LOSS

Packet loss should be less than 1%.  Anything higher will result in pixelated images within the video call; “video artifacts” as we like to call them. 1% is noticeable while 5% is intolerable.

NETWORK DUPLEX MODE

Set the switchport and the video conference system to full duplex. Duplex mismatch is the number one cause of packet loss and video freezing.

LATENCY (DELAY)

Intermediate routers may prioritize the video and audio packet sizes differently, creating differing transit times.  In severe cases, audio and video packets become out of sync, resulting in video motion not “lining up” with audio spoken in a video call.

  • 0 – 150 ms : recommended

  • 150 – 299 ms : acceptable

  • 300 – 400 ms : not recommended

  • 400 ms : unacceptable

JITTER

The term 'jitter' refers to the variation in timing of the picture as packets are received, buffered, and distributed to the screen as the available bandwidth changes. An increase in jitter caused by an underpowered network connection can cause “skipping” or “freezing” of a picture.  It is recommended to have jitter below 20 milliseconds.

QUALITY OF SERVICE

Quality of Service (QoS) maps or tags certain traffic with varying degrees of priority.  If you wish to implement QoS for the voice and video applications within your network, please ensure they are tagged for the highest priority configurable.  Please be aware that QoS doesn’t work over the public Internet to the Easymeeting services.

APPLICATION LAYER GATEWAY, H.323 PROXY OR OTHER “FIREWALL-HELPERS“

Most firewalls have an application filter making H.323 easier to work with and they all go by different names, depending on the vendor.  In most environments, it’s HIGHLY recommended they are disabled.