IP Ports and Protocols used for NAT/Firewall Traversal by H.323/SIP Devices


Overview:

The purpose of this paper is simply to list the IP Ports and Protocols used by various vendors' H.323 and SIP devices during video conferences. This is essential information where endpoints are protected behind a Firewall. It lists the IP Port and the Protocol used for each H.323 or SIP function, along with the H.323 and/or SIP devices that may use that specific IP Port.

For a more in-depth discussion about security technologies used by H.323 and SIP devices, such as Virtual Private Networks (VPN), H.235 Encryption, H.460 NAT/Firewall Traversal and SIP Registrars, please see these papers listed below.

It is assumed that the reader has a general knowledge of video conferencing systems and the standards involved. However, the following technical papers are available to provide more information on these topics:

Firewall and Proxy Server:

A firewall is a set of security mechanisms that an organisation implements to prevent unsecured access from the outside world to its internal network. An organisation with its own internal network (intranet) whose users also require access to the Internet usually installs a firewall to prevent unauthorised Internet users from accessing its internal network. Firewalls usually work by blocking access of certain network protocols to specific ports. The firewall can also control which Internet resources the organisation's users may access. The firewall is generally installed at a specific location in such a manner that no incoming request can bypass it and gain access to the internal network.

A Proxy Server acts as an intermediary server that makes network requests on behalf of internal users, so that organisations can ensure security, control and caching services. Proxy Servers now commonly include security features such as Network Address Translation (NAT). The NAT or Proxy Server works on the concept that there is an outside world (Internet) and an inside world (intranet), and it separates and protects the intranet from the Internet.

Firewalls now usually include a NAT capability. Certainly, most ADSL Routers have built-in Firewall and NAT functionality that can be set up to work with H.323 and SIP video conferencing systems.

Network Address Translation (NAT):

NAT helps protect the intranet from exposure to unwanted traffic by providing one single external address to remote users. NAT uses a system of local and external addresses to hide an intranet user from other networks. NAT translates the local intranet user's address to an external address, which is then used to identify the local user to remote users. Therefore, remote users use this external address to call the local user, without knowing its actual local address. The latest releases of most vendors' software, including Polycom and Lifesize, all support NAT and allow you to specify the external IP address of the selected endpoint.

Unfortunately, because the H.323 standard defines that a fixed IP Port (1720 TCP) must be used to initiate a call, a basic NAT setup effectively requires a one-to-one mapping of an external public IP address to the internal IP address of each endpoint. You cannot simply NAT one public IP address to the internal IP addresses of several endpoints, because every inbound call arrives on the same port 1720 and the NAT has no way to tell which endpoint it is for.

Security and Unwanted Spam Calls:

The big issues now facing anyone implementing H.323 video conferencing are security and avoiding spam calls.

The unforeseen consequence of using a basic NAT setup is that whilst the endpoint's internal IP address might be hidden from the outside world, this does not stop anyone from making unwanted spam calls to the public IP address, which are then routed straight to the endpoint. The endpoint will still 'ring', even if the call is not answered.

The solution is to use an H.323 Gatekeeper such as the Edgewater Networks EdgeProtect 4550, which eliminates the need for NAT and only routes inbound calls to defined endpoints. Using an H.323 Gatekeeper has other advantages. For more information, please see the paper on H.323 Gatekeepers and Endpoints.

IP Ports and Protocols used by various vendors' H.323 and SIP Devices:

IP Ports and Protocols used by H.323 & SIP Devices
(H323 Cli = H.323 Client, H323 GK = H.323 Gatekeeper, LS Cloud = Lifesize Cloud Client, SfB Cli = Skype for Business Client, SIP Cli = SIP Client, SIP Reg = SIP Registrar; x = the device uses this port)

Port        | Type        | Description                         | H323 Cli | H323 GK | LS Cloud | SfB Cli | SIP Cli | SIP Reg
------------+-------------+-------------------------------------+----------+---------+----------+---------+---------+--------
80          | Static TCP  | HTTP Web Interface                  |    x     |         |    x     |    x    |    x    |
389         | Static TCP  | LDAP                                |    x     |         |          |         |         |
443         | Static TCP  | HTTPS & Port Tunnelling             |    x     |         |          |         |    x    |    x
443         | Static TCP  | Edgewater/Polycom VBP Access Server |    x     |         |          |         |    x    |
443         | Static TCP  | Provisioning, ICON Health Check     |          |         |    x     |         |         |
443         | Static TCP  | Streaming & Playback                |          |         |    x     |         |         |
443         | Static TCP  | Desktop/Mobile Chat                 |          |         |    x     |         |         |
443         | Static TCP  | HTTPS Reverse Proxy                 |          |         |          |    x    |         |
443         | Static TCP  | HTTPS STUN (ICE) Traffic            |          |         |          |    x    |         |
443         | Static TCP  | Access Edge SIP/TLS Signaling       |          |         |          |    x    |         |
443         | Static TCP  | A/V Edge RTP/SRTP Media             |          |         |          |    x    |         |
1718        | Static UDP  | Gatekeeper Discovery                |    x     |    x    |          |         |         |
1719        | Static UDP  | Gatekeeper RAS                      |    x     |    x    |          |         |         |
1720        | Static TCP  | H.323 Call Setup                    |    x     |    x    |    x     |         |         |
2253-2263   | TCP         | Sony endpoints                      |    x     |         |          |         |    x    |
2326-2485   | UDP         | Cisco/Tandberg endpoints            |    x     |         |          |         |    x    |
3230-3250   | TCP & UDP   | RealPresence Desktop                |    x     |         |          |         |    x    |
3230-3235   | TCP         | Polycom HDX series                  |    x     |         |          |         |    x    |
3230-3280   | UDP         | Polycom HDX series                  |    x     |         |          |         |    x    |
3230-3241   | TCP         | RealPresence Group                  |    x     |         |          |         |    x    |
3230-3291   | UDP         | RealPresence Group                  |    x     |         |          |         |    x    |
5001        | TCP & UDP   | Polycom PPCIP client                |    x     |         |          |         |    x    |
5060        | TCP & UDP   | SIP endpoints                       |          |         |    x     |         |    x    |    x
5061        | TCP         | SIP TLS                             |          |         |    x     |    x    |    x    |    x
5222        | TCP         | HTTPS Cloud Desktop Chat            |          |         |    x     |         |         |
5555-5574   | TCP         | Cisco/Tandberg endpoints            |    x     |         |          |         |    x    |
6000-6006   | TCP & UDP   | Librestream endpoints               |          |         |          |         |    x    |
10000-16000 | TCP         | H.245 Control Channel               |    x     |         |    x     |         |         |
10000-28000 | UDP         | RTP/SRTP Media                      |    x     |         |    x     |         |    x    |
14085-15084 | TCP         | Edgewater/VBP H.225/245             |    x     |         |          |         |    x    |
16386-20385 | UDP         | Edgewater/VBP RTP Media             |    x     |         |          |         |    x    |
35061       | TCP         | Cloud App Signalling                |          |         |    x     |         |         |
30000-50000 | TCP & UDP   | Client A/V Media                    |          |         |    x     |    x    |         |
49152-49239 | UDP         | Sony endpoints                      |    x     |         |          |         |    x    |
50000-59999 | TCP & UDP   | Edge Server A/V Media               |          |         |    x     |    x    |         |
58024-58120 | UDP         | InGate SIP media                    |          |         |          |         |    x    |    x
60000-64999 | TCP & UDP   | Lifesize endpoints                  |    x     |         |          |         |    x    |
1024-65535  | Dynamic TCP | H.245 (Call Parameters)             |    x     |         |          |    x    |    x    |
1024-65535  | Dynamic UDP | RTP (Video Stream Data)             |    x     |         |          |    x    |    x    |
1024-65535  | Dynamic UDP | RTP (Audio Stream Data)             |    x     |         |          |    x    |    x    |
1024-65535  | Dynamic UDP | RTCP (Control Information)          |    x     |         |          |    x    |    x    |

General H.323 and SIP Firewall issues and Protocols:

The table above shows that H.323 and SIP require the use of specific static ports as well as a number of dynamic ports within the range 1024-65535. For H.323 and SIP to cross a firewall, the specific static ports and all ports within the dynamic range must be opened for all traffic. This clearly causes a security issue that can render a firewall ineffective, since almost the entire port range is then reachable from outside.
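As an added example (not part of the original paper), the following Python derives the inbound allow-list a firewall would need for one device role from a constructed subset of the table above, and measures how much of the 1-65535 port space the dynamic rows open. The role names, the table subset and the rendered iptables rule format are assumptions made for this example.

```python
# Added example (constructed, not from the paper): derive a firewall allow-list per device role.
from collections import defaultdict

# ((lo, hi), protocols, description, roles) -- constructed subset of the page's port table
PORT_TABLE = [
    ((1718, 1718), ("UDP",), "Gatekeeper Discovery", {"h323_client", "h323_gk"}),
    ((1719, 1719), ("UDP",), "Gatekeeper RAS", {"h323_client", "h323_gk"}),
    ((1720, 1720), ("TCP",), "H.323 Call Setup", {"h323_client", "h323_gk", "lifesize"}),
    ((3230, 3235), ("TCP",), "Polycom HDX series", {"h323_client", "sip_client"}),
    ((3230, 3280), ("UDP",), "Polycom HDX series", {"h323_client", "sip_client"}),
    ((5060, 5060), ("TCP", "UDP"), "SIP endpoints", {"lifesize", "sip_client", "sip_registrar"}),
    ((5061, 5061), ("TCP",), "SIP TLS", {"lifesize", "sfb", "sip_client", "sip_registrar"}),
    ((1024, 65535), ("TCP",), "H.245 (Call Parameters)", {"h323_client", "sfb", "sip_client"}),
    ((1024, 65535), ("UDP",), "RTP/RTCP media", {"h323_client", "sfb", "sip_client"}),
]
DYNAMIC = (1024, 65535)  # the "Dynamic TCP/UDP" rows of the table

def merge(ranges):
    """Collapse overlapping or adjacent (lo, hi) ranges into a sorted minimal list."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def required_ports(role, include_dynamic=True):
    """Ports that must be reachable for `role`, as {proto: [(lo, hi), ...]}; static rows only if include_dynamic is False."""
    by_proto = defaultdict(list)
    for rng, protos, _desc, roles in PORT_TABLE:
        if role in roles and (include_dynamic or rng != DYNAMIC):
            for proto in protos:
                by_proto[proto].append(rng)
    return {proto: merge(rngs) for proto, rngs in by_proto.items()}

def exposure(role, include_dynamic=True):
    """Fraction of the 1-65535 port space opened per protocol; close to 1.0 means the firewall is effectively transparent."""
    return {proto: sum(hi - lo + 1 for lo, hi in rngs) / 65535
            for proto, rngs in required_ports(role, include_dynamic).items()}

def iptables_rules(role, include_dynamic=True):
    """Render one inbound iptables ACCEPT rule per merged range (assumed rule format)."""
    rules = []
    for proto, rngs in required_ports(role, include_dynamic).items():
        for lo, hi in rngs:
            dport = str(lo) if lo == hi else f"{lo}:{hi}"
            rules.append(f"iptables -A INPUT -p {proto.lower()} --dport {dport} -m conntrack --ctstate NEW -j ACCEPT")
    return rules
```

For an H.323 client the static rows alone open 7 TCP ports, but once the dynamic rows are included the merged TCP and UDP allow-lists both collapse to 1024-65535, which is the "firewall rendered ineffective" case the paragraph describes.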

There are several standards-based transport protocols used within H.323 and SIP Conferencing. Generally, each arranges the data into packets, with each packet having a 'header' that identifies its contents. The protocol used is usually determined by the need for reliable or unreliable communications. Transmission Control Protocol (TCP) is a reliable protocol designed for transmitting alphanumeric data; it can stop and correct itself when data is lost. This protocol is used to guarantee sequenced, error-free transmission, but its very nature can cause delays and reduced throughput. This can be annoying, especially with audio. User Datagram Protocol (UDP), by contrast, is an unreliable protocol within the IP stack in which data is lost in preference to interrupting the flow. Real-Time Protocol (RTP) was developed to handle streaming audio and video and uses IP Multicast. RTP is a derivative of UDP in which a time-stamp and sequence number are added to the packet header. This extra information allows the receiving client to re-order out-of-sequence packets, discard duplicates and synchronise audio and video after an initial buffering period. Real-Time Control Protocol (RTCP) is used to control RTP.

H.323 and SIP are not the same and should not be confused. They might share similar codecs such as H.264 video and G.722.1C audio, be supported on the same video conferencing endpoints and use the same IP ports for media, but they are fundamentally different protocols that use different network and calling procedures (H.323 uses TCP on port 1720, whereas SIP uses UDP or TCP on port 5060, or TCP for TLS on port 5061) and therefore require different Firewall Traversal solutions.

H.323 endpoints use H.460 NAT/Firewall Traversal whilst SIP endpoints use a SIP Registrar to cross firewalls.