IP Ports and Protocols used for NAT/Firewall Traversal by H.323/SIP Devices
The purpose of this paper is to simply list the IP Ports and Protocols used by various vendors H.323 and SIP devices during Video Conferences. This is essential information if there are endpoints that are protected behind a Firewall. It lists the IP Port and the Protocol used for various H.323 or SIP functions along with the H.323 and/or SIP devices that may use this specific IP Port.
For a more in-depth discussion about security technologies used by H.323 and SIP devices, such as Virtual Private Networks (VPN), H.235 Encryption, H.460 NAT/Firewall Traversal and SIP Registrars, please see these papers listed below.
It is assumed that the reader has a general knowledge of video conferencing systems and the standards involved. However, the following technical papers are available to provide more information on these topics:
- How to choose a Video Conferencing system?
- Video Conferencing Standards and Terminology.
- H.323 Gatekeepers and Endpoints.
- H.323 (E.164) Numbers and Dial Plan used by Gatekeepers etc.
- H.460 NAT/Firewall Traversal and SIP Registrars.
- H.239 Data Sharing with Video Conferencing.
- Cloud or On-Premise Video Conferencing system?
- H.221 Framing used in ISDN Conferences.
Firewall and Proxy Server:
A firewall is a set of security mechanisms that an organisation implements to prevent unsecured access from the outside world to its internal network. An organisation with its own internal network (intranet) whose users also requires access to the Internet, usually installs a firewall to prevent unauthorised Internet users from accessing its internal network. Firewalls usually work by blocking access of certain network protocols to specific ports. The firewall can also control what Internet resources the organisations users may access. The firewall is generally installed at a specific location in much a manner that no incoming requests can by-pass it and gain access to the internal network.
A Proxy Server acts as an intermediary server that makes network requests on behalf of internal users, so that organisations can ensure security, control and caching services. Proxy Servers are now equipping themselves with security features such as Network Address Translation (NAT). The NAT or Proxy Server works on the concept that there is an outside world (Internet) and an inside world (intranet) and it separates and protects the intranet from the Internet.
Firewalls now usually include a NAT capability. Certainly, most ADSL Routers have a built-in Firewall and NAT functionality that can be setup to work with H.323 and SIP video conferencing systems.
Network Address Translation (NAT):
NAT helps protect the intranet from exposure to unwanted traffic by providing one single external address to remote users. NAT uses a system of local and external addresses to hide an intranet user from other networks. NAT translates the local intranet user's address to an external address, which is then used to identify the local user to remote users. Therefore, remote users use this external address to call the local user, without knowing its actual local address. The latest releases of most vendors software including Polycom and Lifesize all support NAT and allow you to specify the external IP address of the selected endpoint.
Unfortunately, because the H.323 standard defines that it must use a fixed IP Port (1720 TCP) to initiate a call, this effectively means that in a basic NAT setup, you must have a one-to-one mapping of an external public IP address to the internal IP address of an endpoint. You cannot simply NAT one public IP address to the internal IP addresses of several endpoints.
Security and Unwanted Spam Calls:
The big issues now facing implementing H.323 video conferencing are security and avoiding spam calls.
The unforeseen consequence of using a basic NAT setup is that whilst the endpoints internal IP address might be hidden from the outside world, it does not stop anyone from making unwanted spam calls to the public IP address, which are then routed to the endpoint. The endpoint will still 'ring', even if the call is not answered.
The solution is to use a H.323 Gatekeeper such as the Edgewater Networks EdgeProtect 4550 which eliminates using NAT and only routes inbound calls to defined endpoints. Using a H.323 Gatekeeper has other advances. For more information, please see the paper on H.323 Gatekeepers and Endpoints.
IP Ports and Protocols used by various vendors H.323 and SIP Devices:
IP Ports and Protocols used by H.323 & SIP Devices Port Type Description H.323
Lifesize Cloud Client Skype for Business Client SIP
80 Static TCP HTTP Web Interface x x x x 389 Static TCP LDAP x 443 Static TCP HTTPS & Port Tunnelling x x x 443 Static TCP Edgewater/Polycom VBP
x x 443 Static TCP Provisioning, ICON Health Check x 443 Static TCP Streaming & Playback x 443 Static TCP Desktop/Mobile Chat x 443 Static TCP HTTPS Reverse Proxy x 443 Static TCP HTTPS STUN (ICE) Traffic x 443 Static TCP Access Edge SIP/TLS Signaling x 443 Static TCP A/V Edge RTP/SRTP Media x 1718 Static UDP Gatekeeper Discovery x x 1719 Static UDP Gatekeeper RAS x x 1720 Static TCP H.323 Call Setup x x x 2253 - 2263 TCP Sony endpoints x x 2326 - 2485 UDP Cisco/Tandberg endpoints x x 3230 - 3250 TCP & UDP RealPresence Desktop x x 3230 - 3235 TCP Polycom HDX series x x 3230 - 3280 UDP Polycom HDX series x x 3230 - 3241 TCP RealPresence Group x x 3230 - 3291 UDP RealPresence Group x x 5001 TCP & UDP Polycom PPCIP client x x 5060 TCP & UDP SIP endpoints x x x 5061 TCP SIP TLS x x x x 5222 TCP HTTPS Cloud Desktop Chat x 5555 - 5574 TCP Cisco/Tandberg endpoints x x 6000 - 6006 TCP & UDP Librestream endpoints x 10000-16000 TCP H.245 Control Channel x x 10000-28000 UDP RTP/SRTP Media x x x 14085-15084 TCP Edgewater/VBP H.225/245 x x 16386-20385 UDP Edgewater/VBP RTP Media x x 35061 TCP Cloud App Signalling x 30000-50000 TCP & UDP Client A/V Media x x 49152-49239 UDP Sony endpoints x x 50000-59999 TCP & UDP Edge Server A/V Media x x 58024-58120 UDP InGate SIP media x x 60000-64999 TCP & UDP Lifesize endpoints x x 1024 - 65535 Dynamic TCP H.245 (Call Parameters) x x x 1024 - 65535 Dynamic UDP RTP (Video Stream Data) x x x 1024 - 65535 Dynamic UDP RTP (Audio Stream Data) x x x 1024 - 65535 Dynamic UDP RTCP (Control Information) x x x
General H.323 and SIP Firewall issues and Protocols:
The table above shows that H.323 and SIP require the use of specific static ports as well as a number of dynamic ports within the range 1024-65535. For the H.323 and SIP to cross a firewall, the specific static ports and all ports within the dynamic range must be opened for all traffic. This clearly causes a security issue that could render a firewall ineffective.
There are several standards based transport protocols used within H.323 and SIP Conferencing. Generally, each configures the data into packets, with each packet having a 'header' that identifies its contents. The protocol used is usually determined by the need to have reliable or unreliable communications. Transmission Control Protocol (TCP) is a reliable protocol designed for transmitting alphanumeric data; it can stop and correct itself when data is lost. This protocol is used to guarantee sequenced, error-free transmission, but its very nature can cause delays and reduced throughput. This can be annoying, especially with audio. User Datagram Protocol (UDP) within the IP stack, is by contrast, an unreliable protocol in which data is lost in preference to maintaining the flow. Real-Time Protocol (RTP) was developed to handle streaming audio and video and uses IP Multicast. RTP is a derivative of UDP in which a time-stamp and sequence number is added to the packet header. This extra information allows the receiving client to re-order out of sequence packets, discard duplicates and synchronise audio and video after an initial buffering period. Real-Time Control Protocol (RTCP) is used to control RTP.
H.323 and SIP are not the same and should not be confused. They might share similar codecs such as H.264 video and G.722.1C audio; be supported on the same video conferencing endpoints and use the same IP ports for media, but they are fundamentally different protocols that use different network and calling procedures (H.323 uses TCP on port 1720 whereas SIP uses UDP or TCP on port 5060 or TCP for TLS on port 5061) that require different Firewall Traversal solutions.