09999/2106 Practical Experiences Overcoming Firewalls and Limited Bandwidth for H.323 Video Conferencing AREN
AREN Quick Overview
Multiple Star Network
– Stars originate at the hub sites and hubs are connected by a North-South backbone
DS3/Partial OC-3 backbone
DS1 (T1) or Multiple T1 to clients
Multiple Internet access points (DS3+)
So What's the Problem?
H.323-based VTC systems are increasingly used for K-20 distance learning
Many education networks have limited-bandwidth connections with little funding for upgrades
Most school system networks (and many university networks) are behind firewalls and NAT
The Small Pipe Issue
In Alabama, most schools connect to their system's network (and then the Internet) through point-to-point DS1 (T1) lines – 1.5 Mbps
A single H.323 VTC connection with decent quality uses 384 kbps (+ overhead)
The conservative rule of thumb recommended by Cisco is 20% overhead: ~460 kbps
So… a single H.323 session at 384 kbps uses almost 1/3 of a T1 line (for design purposes)
And the real problem… most large schools fill the pipe with just Internet traffic
The Huntsville Example
Where did we enable QoS?
Schools were not using VLANs and most had no QoS support at the LAN level
– So no CoS (802.1p) could be used
QoS enabled using DSCP tagging and CBWFQ on routers and layer-3 switches
– Differentiated Services Code Point (DSCP)
– Class-Based Weighted Fair Queueing (CBWFQ)
Traffic is classified and tagged at routers based on source/destination IP address
Cisco Router Config Example

! Classify: any packet matching the VTC-list ACL belongs to the VTC class
class-map match-all VTC-hosts
 match access-group name VTC-list
!
! Queue: reserve half the link for the VTC class and mark it EF,
! everything else gets fair queueing
policy-map QoS-VTC
 class VTC-hosts
  bandwidth percent 50
  set ip dscp ef
 class class-default
  fair-queue
!
! Match list: already-marked packets plus traffic to/from the VTC endpoints
! (the endpoint addresses and interface addresses are blank in the original slide)
ip access-list extended VTC-list
 permit ip any any precedence critical
 permit ip any any dscp ef
 permit ip any host
 permit ip host any
!
interface FastEthernet0/0
 description School LAN
 bandwidth
 ip address
 speed 100
 full-duplex
 service-policy output QoS-VTC
!
interface Serial0/0
 description to Core Router
 bandwidth 1544
 ip address
 service-policy output QoS-VTC
!
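To reason about which packets the class-map above actually lands in the priority class, here is an added Python model of its access-list and policy-map logic. It is not from the AREN slides or from Cisco; the VTC endpoint addresses (left blank on the slide) and the sample packets are constructed. The point it makes explicit: the first two ACL entries trust whatever precedence/DSCP a packet already carries, so a LAN host that marks its own traffic EF gets the reserved 50% too. The `trust_marking=False` / `remark_default=True` variant keeps only the host entries and clears the marking on the default class, which in IOS terms is a `set ip dscp default` in class-default.

```python
# Added example: a small Python model of the slide's class-map / access-list
# logic, not taken from the AREN slides or from Cisco. Host addresses and
# packets are constructed; the slide leaves the VTC host addresses blank.

from dataclasses import dataclass

DSCP_EF = 46               # Expedited Forwarding, what "set ip dscp ef" writes
DSCP_DEFAULT = 0
PRECEDENCE_CRITICAL = 5    # IP precedence "critical" = top 3 bits of the DSCP field

# Constructed stand-ins for the blank 'permit ip any host ...' entries.
VTC_HOSTS = {"10.1.1.10", "10.1.1.11"}


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = DSCP_DEFAULT   # 6-bit DSCP value as carried in the IP header

    @property
    def precedence(self) -> int:
        return self.dscp >> 3


def matches_vtc_list(p: Packet, trust_marking: bool) -> bool:
    """Model of 'ip access-list extended VTC-list'.

    trust_marking=True honours the first two entries on the slide
    (precedence critical / dscp ef), so whatever the packet already
    carries is believed. False keeps only the host entries, so a packet
    is VTC traffic because of who sent or receives it, not how it is marked.
    """
    if trust_marking and (p.precedence == PRECEDENCE_CRITICAL or p.dscp == DSCP_EF):
        return True
    return p.src in VTC_HOSTS or p.dst in VTC_HOSTS


def classify(p: Packet, trust_marking: bool = True,
             remark_default: bool = False) -> tuple:
    """Return (class, DSCP the packet leaves with) as policy-map QoS-VTC would.

    remark_default=False mirrors the slide: class-default only gets
    fair-queue, so any marking already on the packet passes through.
    remark_default=True clears it, the way 'set ip dscp default' would.
    """
    if matches_vtc_list(p, trust_marking):
        return "VTC-hosts", DSCP_EF
    return "class-default", DSCP_DEFAULT if remark_default else p.dscp


def sessions_that_fit(link_kbps: float, reserve_percent: float,
                      call_kbps: float = 384, overhead: float = 0.20) -> int:
    """Calls the reserved share of a link carries, using the slide's
    20% overhead rule of thumb (384 kbps -> ~460 kbps per call)."""
    per_call = call_kbps * (1 + overhead)
    return int(link_kbps * reserve_percent / 100 // per_call)


if __name__ == "__main__":
    vtc = Packet("10.1.1.10", "198.51.100.7")
    # A workstation that marks its own traffic EF (constructed case).
    self_marked = Packet("10.1.50.23", "203.0.113.9", dscp=DSCP_EF)
    print("as on the slide:", classify(vtc), classify(self_marked))
    print("trust hosts only:", classify(vtc, False, True), classify(self_marked, False, True))
    print("calls in the 50% reserve of a T1:", sessions_that_fit(1544, 50))
```

`sessions_that_fit(1544, 50)` returns 1: with the slide's 20% overhead a call costs about 460 kbps, so the 50% reserve of a T1 (772 kbps) carries exactly one call, which is why a single session is described as almost a third of the line.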
QoS Through Firewalls?
Most (all?) firewalls offer no support for QoS guarantees
The official Cisco comment is that their PIX is so fast there is no congestion
The PIX firewall does not alter DSCP-tagged packets (so QoS can be done on either side of the PIX)
Problems With Firewalls (and NAT)
H.323 uses multiple TCP connections and UDP ports simultaneously for VTC
The H.323 standard assigns ports dynamically from 1024 to
During call setup, the IP address of the calling party is sent to the called party in the data field of the IP packet (so NAT can't translate it)
Solutions to the Firewall Problem
Don't NAT H.323 clients
– Well… what's the firewall doing then?
– May or may not open the H.323 client to all ports. Probably not a good idea to open everything!
NAT H.323 and rely on the client to be smart enough to work through the firewall/NAT
– A Polycom client can be told to use specific ports. The client can also be configured to know its real outside address and can use this address in handshaking
NAT H.323 and rely on the firewall to be smart enough to work everything out
– Application proxy, etc.
Use an additional device to perform the application proxy
– May be useful when deploying a standard solution across diverse networks
What do you mean, Don't NAT?
If public IP space is available, you could form small public subnets at each site in parallel with the privately addressed network
The firewall could pass these addresses on into the Internet without NATing
The client would need to predefine which TCP/UDP ports will be used so they can be opened through the firewall
– Otherwise all ports above 1024 would have to be opened (back to… why have a firewall?)
NAT with a Smart Client
PAT won't work, but NAT can work with a smart client
– I mean true one-to-one static NAT here (1 public to 1 private)
Example: Polycom clients have settings in their QoS menu that allow pre-definition of the client's outside, public address. There is a check box that says this client is behind NAT
Polycom units also allow pre-definition of the TCP/UDP ports used
– default is
No application proxy (or fixup) would be configured on the firewall. Pre-defined data ports and TCP 1720 (call setup) would be allowed to the statically NATed addresses of the clients
This method was used for Shelby County schools due to the old software version on their PIX firewall.
Polycom Setup Example
NAT with a Smart Firewall
The firewall must either serve as an H.323 application proxy or somehow snoop the H.323 setup (looking at all the handshaking)
Cisco PIX version 6.14 and up supports an H.323 fixup protocol that overcomes the NAT and port problems by snooping
Some PIX versions prior to 6.14 have an H.323 fixup protocol, but it will only work with NetMeeting, CUSeeMe, etc…
Even with snooping, the call setup port 1720 must be opened to allow calls originating from the outside
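The three slides on the NAT problem (the caller's address carried inside the setup payload, the smart client that knows its public address, and the firewall fixup that snoops the setup) can be walked through with one added toy model. This Python is not from the AREN slides, Polycom or Cisco; the message layout is a plain dictionary standing in for the real H.225/Q.931 setup, and all addresses, the data port 30000 and the static NAT mapping are constructed. `nat_header_only` is plain one-to-one static NAT, `smart_client_setup` is the client pre-filling its outside address, and `nat_with_fixup` is the firewall rewriting the embedded address and opening a pinhole for the media port it saw.

```python
# Added example, not from the AREN slides or any vendor: a toy model of why
# H.323 call setup breaks behind plain NAT and of the two fixes the slides
# describe (a client that knows its public address, and a firewall "fixup"
# that rewrites the setup payload). The message layout, addresses and ports
# are constructed; this is not the H.225/Q.931 wire format.

from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for private (non-routable) addresses."""
    return any(ip_address(addr) in net for net in RFC1918)


def make_setup(caller: str, callee: str, data_port: int) -> dict:
    """A call-setup message as the caller builds it. The IP header carries
    the source address; the H.323 payload repeats the caller's address and
    the UDP port it expects media on. A plain NAT only sees the header."""
    return {"hdr_src": caller, "hdr_dst": callee, "hdr_dport": 1720,
            "payload_addr": caller, "payload_port": data_port}


def smart_client_setup(caller_private: str, caller_public: str,
                       callee: str, data_port: int) -> dict:
    """Client that has been told its outside address (the Polycom
    'behind NAT' setting): it writes the public address into the payload."""
    msg = make_setup(caller_private, callee, data_port)
    msg["payload_addr"] = caller_public
    return msg


def nat_header_only(msg: dict, static_map: dict) -> dict:
    """One-to-one static NAT that rewrites only the IP header."""
    out = dict(msg)
    out["hdr_src"] = static_map[msg["hdr_src"]]
    return out


def nat_with_fixup(msg: dict, static_map: dict, pinholes: set) -> dict:
    """Static NAT plus an H.323 fixup: snoops the setup, rewrites the
    embedded address as well, and opens a pinhole for the media port it saw."""
    out = nat_header_only(msg, static_map)
    if out["payload_addr"] in static_map:
        out["payload_addr"] = static_map[out["payload_addr"]]
    pinholes.add((out["payload_addr"], out["payload_port"]))
    return out


def callee_media_target(msg: dict) -> tuple:
    """The called party sends media to whatever the payload says."""
    return msg["payload_addr"], msg["payload_port"]


def media_reaches_caller(msg: dict, pinholes: set, predefined: set) -> bool:
    """Does the callee's media get back? The target must be routable and the
    port must be open: either a pinhole from a fixup, or a port the admin
    pre-opened to the static NAT address because the client pre-defined it."""
    target = callee_media_target(msg)
    if is_rfc1918(target[0]):
        return False
    return target in pinholes or target in predefined


def run_scenarios() -> dict:
    """Constructed scenario: one caller behind static NAT, constructed addresses."""
    static = {"10.1.1.10": "198.51.100.10"}
    callee, port = "203.0.113.9", 30000
    results = {}

    # 1. Plain NAT: header fixed, payload still private -> media goes nowhere.
    plain = nat_header_only(make_setup("10.1.1.10", callee, port), static)
    results["plain_nat"] = media_reaches_caller(plain, set(), set())

    # 2. Smart client with the pre-defined port opened on the firewall.
    smart = nat_header_only(
        smart_client_setup("10.1.1.10", "198.51.100.10", callee, port), static)
    results["smart_client"] = media_reaches_caller(smart, set(), {("198.51.100.10", port)})
    # ...but a port the client did not pre-define is still blocked.
    results["smart_client_other_port"] = media_reaches_caller(smart, set(), {("198.51.100.10", port + 1)})

    # 3. Firewall fixup: nothing pre-opened, the snooped port becomes a pinhole.
    holes = set()
    fixed = nat_with_fixup(make_setup("10.1.1.10", callee, port), static, holes)
    results["fixup"] = media_reaches_caller(fixed, holes, set())
    results["fixup_pinholes"] = holes
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 1 fails because the callee aims its media at the private address still sitting in the payload, exactly the slide's "NAT can't translate it". Scenario 2 only works because the client's declared port was opened one-to-one to the static NAT address; with PAT the public address is shared and there is no stable inbound port to open, which is the slide's "PAT won't work". Scenario 3 needs no pre-opened media ports, but note that nothing in the model opens TCP 1720 inbound, so, as the slide says, calls from the outside still need that port opened explicitly.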
Additional Application Proxy
Most new firewall versions support some form of application proxy or snooping
– ISA (Microsoft Proxy)
– Checkpoint
– Firebox
New interesting concept (read about but not driven)
– Ridgeway Systems