How speech and video communications cross firewalls and NAT?

xiaoxiao2021-03-06  18

Q: How do speech and video communications cross firewalls and NAT? A: The simplest way to solve the firewall and NAT problem is to avoid them altogether. For most organizations this is too risky: network security would not be guaranteed, and obtaining enough routable public IP addresses may be difficult and expensive. So most people who want to use IP multimedia communication inevitably face the challenge of firewalls or NAT. In fact, most institutions use firewalls and NAT at the same time, so solving only one of the two problems is not enough. Some existing solutions are described below.

1. Use a PSTN gateway

If you do not care whether the communication outside the LAN is IP-based, you can use a gateway to convert IP voice and video on the LAN into voice and video on the public circuit-switched network (PSTN). With such a gateway there is no need to worry about the firewall, because no packet has to pass through it. It also solves the NAT problem, because all calls to the terminals are routed through the gateway. Today most IP phones communicate with non-IP phones through a gateway. The gateway method is a partial solution: it requires every participating caller to have a corresponding gateway beyond the last NAT device and firewall.

2. DMZ MCU

Some organizations solve firewall and NAT traversal by placing the MCU in the so-called DMZ. The DMZ is usually located between the external Internet firewall and the internal network firewall; organizations that provide their own Internet services (such as web, FTP, e-mail and domain name services) generally place these services in the DMZ, which protects the private network well.

An MCU placed in the DMZ is fitted with two network cards: one provides access to the private network and the other provides access to the public Internet. One drawback of this solution is that every call must go through the MCU, and if there are several NAT devices on the call path, an MCU has to be placed at each NAT device.

3. H.323 proxy

An H.323 proxy can solve the NAT problem alone, or both the NAT and firewall problems, depending on how it is configured. The proxy is actually a special type of gateway, but it does not convert to another protocol: the same IP protocol is used on both sides of the proxy. The proxy makes an end-to-end call look like two separate calls, one from the private-network terminal to the proxy and the other from the proxy to the public network; the proxy relays the call, which resolves the NAT problem.

An H.323 proxy generally combines a standard gatekeeper with proxying of the RTP/RTCP media streams. The typical deployment places the H.323 proxy behind the firewall and assigns it a public IP address; the firewall is configured to allow multimedia traffic between the proxy and the outside. Where NAT is applied at several points along the network path, a proxy must be placed at each location where NAT is used.

4. Application layer gateway

An application layer gateway (ALG) is a firewall designed to recognize specific IP protocols (such as H.323 and SIP), also called an ALG firewall. It does not decide whether a packet may pass from the header information alone; it also inspects the application-layer data carried in the packet payload. The H.323 and SIP protocols carry in their payloads information such as which data ports the voice and video terminals use to receive voice and video data from other terminals. By analyzing which ports need to be opened, the firewall dynamically opens only those ports that are requested, and all other ports stay safely closed.

If NAT is applied to hide internal IP addresses, the ALG also needs a proxy; some firewall manufacturers combine a proxy with the ALG to traverse NAT.
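The two ALG tasks just described, reading the media ports out of the signalling payload and rewriting the private address when NAT is in front of the terminal, are shown below on a SIP/SDP offer. This is an added illustration, not code from any firewall vendor; the SDP body, the 10.0.0.25 and 203.0.113.7 addresses, and the RTCP-is-RTP+1 assumption are all constructed.

```python
"""Toy application-layer gateway for SIP/SDP: read the media ports negotiated
in the payload, derive the pinholes to open, and rewrite private addresses
when the ALG also fronts a NAT. Added illustration, not vendor code."""
from __future__ import annotations
import re

PRIVATE_IP = "10.0.0.25"    # constructed: internal terminal's address
PUBLIC_IP = "203.0.113.7"   # constructed: NAT's public address (RFC 5737 range)

# Constructed SDP offer as carried in a SIP INVITE body; the c= and m= lines
# tell the far end where to send audio and video.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.25\r\n"
    "s=Call\r\n"
    "c=IN IP4 10.0.0.25\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

def media_ports(sdp: str) -> list[tuple[str, int]]:
    """(media type, port) for every m= line. A header-only firewall never
    sees these; only payload inspection does."""
    return [(m.group(1), int(m.group(2)))
            for m in re.finditer(r"^m=(\w+) (\d+) ", sdp, re.M)]

def pinholes(sdp: str) -> list[tuple[str, int]]:
    """UDP ports the ALG opens for this call only: each RTP port plus the
    RTCP port, assumed here to be RTP+1 (the usual convention, not stated
    on the page). Every other port stays closed."""
    holes: list[tuple[str, int]] = []
    for _, port in media_ports(sdp):
        holes += [("udp", port), ("udp", port + 1)]
    return holes

def nat_rewrite(sdp: str, private_ip: str, public_ip: str) -> str:
    """With NAT in front of the terminal, the private address advertised in
    o= and c= must become the public one, or the far end would send media
    to an unroutable address. (A real ALG must also fix Content-Length.)"""
    pattern = r"(?<![\d.])" + re.escape(private_ip) + r"(?![\d.])"
    return re.sub(pattern, public_ip, sdp)
```

Run `pinholes(SAMPLE_SDP)` to see the four UDP ports a call-aware firewall would open for this offer, and `nat_rewrite(SAMPLE_SDP, PRIVATE_IP, PUBLIC_IP)` to see the payload the far end must receive.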

Major firewall vendors such as Cisco, Checkpoint and Gauntlet provide H.323 ALG upgrades for their firewall products, but most firewalls on the market still do not support ALG. This solution has some shortcomings. Because the packet payload has to be analyzed, the firewall's processing load increases, which affects network performance and makes the firewall a potential bottleneck. Where there are several layers of firewalls and NAT, every firewall on the call path must be upgraded to support ALG. And since the firewall is a critical component for most companies, adding an ALG to it may be difficult for some of them.

5. Virtual private network (VPN)

VPN technology is one method of providing secure communication over IP networks. It can solve the firewall traversal problem within the same VPN, and in the near future VPRN technology that guarantees both network security and QoS will be the most promising solution for multimedia communication over IP.

VPN technology uses the IPSec layer beneath the UDP and TCP layers to provide secure IP communication. But because IPSec uses its own connection identifier instead of UDP or TCP ports, and everything above the IPSec layer is encrypted, this mechanism cannot pass through NAT, especially NAPT. To solve the NAT traversal problem, it is best to choose a solution from a single manufacturer that integrates firewall, NAPT and VPN functions.

In addition, although the VPN scheme is very secure, it only lets parties within the same VPN communicate; it cannot reach end users located on the public network.

6. Tunnel penetration solution

Enterprise networks generally do not want to upgrade or change the configuration of their firewall and NAT equipment, and do not want internal and external traffic to bypass these devices. A tunnel penetration solution that lets IP voice and video pass through the firewall and NAT may therefore be the most appropriate choice; one such product currently available comes from Ridgeway in the US.

The tunnel penetration solution consists of two components, Server software and Client software. The Client is placed in the private network behind the firewall and has both gatekeeper and proxy functions. Terminals within the private network register with the Client. The Client creates a signaling and control channel to the Server, forwards all registration and call-control signaling to the Server, and forwards audio and video data to the Server, replacing the internal terminal's address and port number (and, in the other direction, the address and port number of the data sent to the internal terminal). The Server is placed in the public address space outside the firewall, either in a service provider's network or in the company's DMZ. The Server acts as a gatekeeper proxy and passes all registration and call signaling received from Clients to the central gateway.

Communication between the Server and the Client mainly uses two fixed ports, 2776 and 2777, which IANA has allocated to Ridgeway.

When the Client in the private network starts:

1. It establishes a fixed connection to port 2776 on the Server to transfer control and status information;

2. It listens for H.323 gatekeeper registration and request messages on the private network.

When a terminal starts:

1. The terminal's registration information is transmitted to the central gateway through the Client/Server connection.

2. The Server assigns each registered terminal a unique port number (on the Server's IP address).

When a terminal calls another terminal outside the firewall, all packets are routed to the Server through the Client, and the returning data comes back from the Server via the Client to the terminal. When the call is set up, the Client ensures that all required firewall channels are kept open so that audio and video data can flow through them.

With this method, IP address information is well hidden because all packets are forwarded through the Server: each terminal appears to communicate directly with the Server rather than with other terminals, which guarantees that the terminals' IP addresses are not visible outside the network. In most cases the method requires no changes to the firewall configuration. For firewalls configured to block outbound ports, administrators can create simple rules allowing outbound connections from the Client to the Server on ports 2776 and 2777. The main disadvantage of this method is that all traffic must pass through the Server, which is a potential bottleneck; the Client and Server processing adds less than 5 ms of delay. But this is unavoidable, because the Server is the only party the firewall trusts.
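The Server-side bookkeeping behind the registration steps and the address hiding described above can be modelled in a few lines. This is an added example, not Ridgeway's software: only ports 2776 and 2777 come from the page; the Server address 198.51.100.10, the terminal port pool starting at 30000, and the packet dictionaries are constructed for illustration.

```python
"""Model of the tunnel Server's per-terminal port table: one public port per
registered terminal, outbound source rewriting, inbound lookup. Added example;
the port pool and addresses are constructed."""
from dataclasses import dataclass, field

CONTROL_PORT = 2776          # fixed Client->Server control/status connection (from the page)
MEDIA_PORT = 2777            # fixed Client->Server data connection (from the page)
SERVER_IP = "198.51.100.10"  # constructed public address of the Server (RFC 5737 range)
FIRST_TERMINAL_PORT = 30000  # constructed: start of the per-terminal port pool

@dataclass
class TunnelServer:
    public_ip: str = SERVER_IP
    next_port: int = FIRST_TERMINAL_PORT
    by_port: dict = field(default_factory=dict)      # public port -> (client id, private addr)
    by_terminal: dict = field(default_factory=dict)  # (client id, private addr) -> public port

    def register(self, client_id: str, private_addr: tuple) -> tuple:
        """Registration relayed by a Client over port 2776: allocate one unique
        public port so the Server's address stands in for the terminal's."""
        key = (client_id, private_addr)
        if key not in self.by_terminal:
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_port[port] = key
            self.by_terminal[key] = port
        return (self.public_ip, self.by_terminal[key])

    def outbound(self, client_id: str, private_addr: tuple, payload: bytes) -> dict:
        """Packet from an internal terminal arriving through the Client's 2777
        tunnel: the source becomes server:port, so the private address never
        appears outside the network."""
        port = self.by_terminal[(client_id, private_addr)]
        return {"src": (self.public_ip, port), "payload": payload}

    def inbound(self, dst_port: int, payload: bytes):
        """Packet from the outside addressed to server:port: find the terminal
        and hand it to the owning Client over the tunnel. A port with no
        registration has no terminal behind it and is dropped (None)."""
        key = self.by_port.get(dst_port)
        if key is None:
            return None
        client_id, private_addr = key
        return {"tunnel": (client_id, MEDIA_PORT), "dst": private_addr, "payload": payload}
```

The outside party only ever sees the Server's address in `outbound()`, and `inbound()` shows why every call has to pass through the Server: the mapping back to a private terminal exists nowhere else.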

Please cite the original source when reprinting: https://www.9cbs.com/read-50678.html
