General Product Information

NetMeeting Home

CHAPTER 4 Firewall Configuration
This chapter describes how Microsoft® NetMeeting™ works with an organization's existing firewall security. You will learn about NetMeeting requirements for transport control protocol (TCP) and user datagram protocol (UDP) connections and the Internet protocol (IP) ports needed to establish a NetMeeting connection.

IMPORTANT: Because of current limitations in most firewall technology, few products are available that allow you to securely transport inbound and outbound NetMeeting calls that contain audio, video, and data across a firewall. You should consider carefully the relative security risks of enabling different parts of a NetMeeting call in your firewall product. Especially, you should consider very carefully the security risks involved when modifying your firewall configuration to enable any component of an inbound NetMeeting call.

Components of a Secured System
NetMeeting and Firewalls
Establishing a NetMeeting Connection with a Firewall
Firewall Limitations
Security and Policy Concerns

Components of a Secured System
A firewall is a set of security mechanisms that an organization implements, both logically and physically, to prevent unsecured access to an internal network. Firewall configurations vary from organization to organization. Most often, the firewall consists of several components, which can include a combination of routers, proxy servers, host computers, gateways, and networks with the appropriate security software. Very rarely is a firewall a single component, although a number of newer commercial firewalls attempt to put all of the components in a single box. The following diagram shows a firewall configuration.

For most organizations, an Internet connection is part of the firewall. The firewall identifies itself to the outside network as a number of IP addresses, or as capable of routing to a number of IP addresses, all associated with domain name service (DNS) entries. The firewall might respond as all of these hosts (a virtual machine) or pass on packets bound for these hosts to assigned computers.

NetMeeting and Firewalls
You can configure firewall components in a variety of ways, depending on your organization's specific security policies and overall operations. While most firewalls are capable of allowing primary (initial) and secondary (subsequent) TCP and UDP connections, they might be configured to support only specific connections based on security considerations. For example, some firewalls allow only primary TCP connections, which are considered the most secure and reliable.

To enable NetMeeting multipoint data conferencing (application sharing, whiteboard, chat, file transfer, and directory lookups), your firewall only needs to pass through primary TCP connections on assigned ports. For NetMeeting to make calls with audio and video conferencing, your firewall must be able to pass through secondary TCP and UDP connections on dynamically assigned ports. Some firewalls can pass through primary TCP connections on assigned ports, but cannot pass through secondary TCP or UDP connections on dynamically assigned ports.

Note: NetMeeting audio and video features require secondary TCP and UDP connections. Therefore, when you establish connections through firewalls that accept only primary TCP connections, you will not be able to use the audio or video features of NetMeeting.

Back to the topBack to the top

Establishing a NetMeeting Connection with a Firewall
When you use NetMeeting to call other users over the Internet, several IP ports are required to establish the outbound connection. If you use a firewall to connect to the Internet, it must be configured so that the following IP ports are not blocked.

This port Is used for
389 Internet Locator Server (TCP)
522 User Location Service (TCP)
1503 T.120 (TCP)
1720 H.323 call setup (TCP)
1731 Audio call control (TCP)
Dynamic H.323 call control (TCP)
Dynamic H.323 streaming (RTP over UDP)

To establish outbound NetMeeting connections through a firewall, the firewall must be configured to do the following:

  • Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731.
  • Pass through secondary TCP and UDP connections on dynamically assigned ports (1024-65535).
The H.323 call setup protocol (over port 1720) dynamically negotiates a TCP port for use by the H.323 call control protocol. Also, both the audio call control protocol (over port 1731) and the H.323 call setup protocol (over port 1720) dynamically negotiate UDP ports for use by the H.323 streaming protocol, called the real time protocol (RTP). In NetMeeting, two UDP ports are determined on each side of the firewall for audio and video streaming, for a total of four ports for inbound and outbound audio and video. These dynamically negotiated ports are selected arbitrarily from all ports that can be assigned dynamically.

NetMeeting directory services require either port 389 or port 522, depending on the type of server you are using. Internet Locator Servers (ILSs), which support the lightweight directory access protocol (LDAP) for NetMeeting, require port 389. The User Location Service (ULS), developed for NetMeeting 1.0, require port 522.

Microsoft Proxy Server Example
The following steps describe how to set up the Microsoft Proxy Server to enable the necessary ports for NetMeeting outbound calls. Use this example as a guideline for configuring your proxy server for NetMeeting. For additional information about configuring the Microsoft Proxy Server, refer to the Microsoft Proxy Server Installation and Administration Guide.

To configure the Microsoft Proxy Server for NetMeeting

  1. Start the Microsoft Internet Service Manager, and then click Winsock Proxy Service.

  2. Click the Protocols tab, and then click Add.

  3. Add each port required for NetMeeting (listed under "Establishing a NetMeeting Connection with a Firewall" in this chapter) by typing or selecting values for the following fields:
    • Protocol Name
    • Port
    • Type
    • Direction
    For example, if you want to add port 389, you would enter the following settings:
    • Protocol Name NetMeeting 2.1
    • Port 389
    • Type TCP (default)
    • Direction Outbound
    For TCP-only ports, click OK after adding information for each port. For ports that require UDP connections, continue with step 4.

  4. For ports that require secondary UDP connections, click Add in the Port Ranges for Subsequent Connections box.

  5. Enter the following values:
    • Port or Range 0-65535
    • Type UDP (default)
    • Direction Inbound or Outbound

Click OK to add the UDP connection information. Repeat this process to add both Inbound and Outbound dynamic port ranges. Then, click OK to add the protocol definition. The following example shows port 1720 configured for both TCP and UDP connections.

Back to the topBack to the top

Firewall Limitations
Some firewalls cannot support an arbitrary number of virtual internal IP addresses, or cannot do so dynamically. With these firewalls, you can establish outbound NetMeeting connections from computers inside the firewall to computers outside the firewall, and you can use the audio and video features of NetMeeting. Other people, though, cannot establish inbound connections from outside the firewall to computers inside the firewall. Typically, this restriction is due to limitations in the network implementation of the firewall.

Note: Some firewalls are capable of accepting only certain protocols and cannot handle TCP connections. For example, if your firewall is a Web proxy server with no generic connection handling mechanism, you will not be able to use NetMeeting through the firewall.

Security and Policy Concerns
Some organizations might have security or policy concerns that require them to limit how fully they support NetMeeting in their firewall configuration. These concerns might be based on network capacity planning or low confidence in the firewall technology being used. For example, security concerns might prohibit an organization from accepting any inbound or outbound flow of UDP data through their firewall. Because these UDP connections are required for NetMeeting audio and video features, disabling this function will exclude audio and video features in NetMeeting for calls through the firewall. The organization can still use NetMeeting data conferencing features--such as application sharing, whiteboard, and chat--for calls through the firewall by allowing only TCP connections on ports 522 and 1503.

A useful reference for firewall design, including policy and security considerations, is Building Internet Firewalls (D. Brent Chapman and Elizabeth D. Zwicky, O'Reilly & Associates, Inc., 1995).

Back to the topBack to the top

© 1998 Microsoft Corporation. All rights reserved. Terms of Use.
Last Updated: Thursday, April 30, 1998
Photos: PhotoDisc