I recently received a request to set up video conferencing between a client’s Polycom ViewStation FX unit and a Leadtek Research BVP 8750 unit in Taiwan via the Internet. The client had previously used the Polycom units internally among its offices through VPN tunnels. As you know, interoperability between different vendors' products can be challenging.
The first step was to upgrade the Polycom units with the latest firmware. Although this client had the same FX units at all its locations, several units had different versions of the firmware because the units were purchased at different times. At the time of this writing, the latest version of firmware is FX 6.03.
Next, I configured the SonicWALL 4060 PRO firewall using the following steps. The steps are generic, so you can apply them to any firewall.
1. I created an address object on the firewall with the internal IP address of the Polycom unit. The video-conference unit needs a fixed IP address and shouldn't use DHCP to obtain an address automatically. If you let the unit connect to the Internet, you should shut off the unit when you’re not using it.
2. If your firewall doesn't have predefined protocols for H323 (the standard for video conferencing), you must create them. Listed below are the protocols I created for the FX unit.
- H323 Call Signaling—port range: 1720-1720; protocol: TCP
- H323/3230—port range: 3230-3231; protocol: TCP
- H323UDP—port range: 3230-3237; protocol: UDP
- H323/H245—port range: 11000-11999; protocol: TCP
Some firewalls let you create a logical group of services. If your firewall lets you do this, I suggest that you create a logical group of services that contains the protocols listed above. For this configuration, I created a service group called H323Polycom to simplify rule creation.
3. The Sonicwall Pro 4060 lets you set up a Network Address Translation (NAT) policy so that a given device can have a different outside address depending on whether the traffic is outbound or inbound. For this configuration, I set up an outbound NAT policy that uses an available public address assigned by the client’s ISP.
4. I redirected inbound traffic destined for the FX outside address to the internal address of the FX unit.
5. I created an inbound rule that lets the H323Polycom service group access the internal Polycom unit. I created a group of public IP addresses on which the client wants to run video conferences, so only specified IP addresses are allowed to connect to the unit.
6. I created a rule to allow the H323Polycom service group to pass through the firewall from the FX to the Internet. According to Polycom Technical Support, I also needed to change the FX firewall settings to indicate that the FX was behind a firewall. As far as I can tell, this is important if you don't have H323 Transformations enabled on the Sonicwall 4060. The Sonicwall 4060 firewall is running the 220.127.116.11 firmware. With this version of the firmware, I was able to connect to a test Polycom unit on the Internet, as well as connect to other internal Polycom units via the VPN tunnels set up on the Sonicwall 4060 with H323 Transformations enabled.
The latest version of the Sonicwall 4060 firmware is 18.104.22.168e. I tried to upgrade to this version, but it doesn't let the Polycom unit connect to other Polycom units via the VPN (connecting to other units on the Internet works fine). Sonicwall enhanced its support of H323 starting with the firmware version 2.5.x.x.
The real fun began when I tried to connect to the LeadTek 8750 video conference unit in Taiwan. With the 22.214.171.124 firmware, Taiwan could connect to us, but on our side we had no video or audio. I tested the Sonicwall 126.96.36.199e firmware and got a video signal but still no audio. Polycom Technical Support wasn't able to give me any compatibility information. However, I was able to connect the FX directly to the Internet and bypass the Sonicwall 4060, so the connectivity problem is related to the firewall or settings on the FX. After trying different settings with the firewall and the FX I was finally able to get the FX and the Leadtek units to talk to each other. Here are the changes I made:
Sonicwall 4060 Changes:
- I disabled H323 Transformations on the Sonicwall 4060. This setting is located in the Firewall, Advanced (firmware 2.2.x.x) or Firewall, VoIP (firmware 2.5.x.x) depending on the firmware loaded on your Sonicwall 4060.
- I set up the FX unit on a dedicated NAT address that isn't shared with any other device.
- I modified the outbound rule for the FX to allow all outbound traffic from the FX to the Internet.
- I modified the H323Polycom service group to allow TCP 1718-1720 and UDP 8050-8060 traffic. The LeadTek unit uses these ports.
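As an added illustration (not SonicWALL configuration and not the author's own work), the following model applies the policy from steps 1 through 6 together with the widened H323Polycom service group above: a dedicated NAT address for the FX, inbound traffic limited to approved peers on the H.323 ports, and an outbound rule that can be either the original service-group rule or the later allow-all change. The addresses, the peer network and the function names are constructed for the example.

```python
"""Model of the H.323 firewall policy described above (added example, not
SonicWALL syntax; addresses, peer list and function names are hypothetical)."""
from ipaddress import ip_address, ip_network

# Constructed addresses: FX_INSIDE is the unit's fixed LAN address (step 1),
# FX_OUTSIDE the dedicated public NAT address assigned only to the FX.
FX_INSIDE = ip_address("192.0.2.10")
FX_OUTSIDE = ip_address("203.0.113.5")

# Service group H323Polycom after the LeadTek additions: (proto, low, high).
H323_POLYCOM = {
    ("tcp", 1718, 1720),    # H323 Call Signaling, widened from 1720 to 1718-1720
    ("tcp", 3230, 3231),    # H323/3230
    ("udp", 3230, 3237),    # H323UDP
    ("tcp", 11000, 11999),  # H323/H245
    ("udp", 8050, 8060),    # ports used by the LeadTek unit
}

# Constructed stand-in for the client's group of approved public peers (step 5).
ALLOWED_PEERS = [ip_network("198.51.100.0/29")]


def in_service_group(proto, port, group=H323_POLYCOM):
    """True when proto/port falls inside one of the group's ranges."""
    return any(proto == p and lo <= port <= hi for p, lo, hi in group)


def inbound_decision(src, dst, proto, dport):
    """Steps 4-5: only approved peers, only H323Polycom ports, and the public
    FX address is redirected to the internal one. Returns (allow, new_dst)."""
    src, dst = ip_address(src), ip_address(dst)
    if dst != FX_OUTSIDE:
        return False, str(dst)          # not the FX's address; not our concern
    if not any(src in net for net in ALLOWED_PEERS):
        return False, str(dst)          # peer not on the approved list
    if not in_service_group(proto, dport):
        return False, str(dst)          # port outside the H.323 group
    return True, str(FX_INSIDE)


def outbound_decision(src, proto, dport, allow_all=False):
    """Step 6 allowed only H323Polycom outbound; the later change opened all
    outbound traffic from the FX (allow_all=True). Returns (allow, new_src)."""
    src = ip_address(src)
    if src != FX_INSIDE:
        return False, str(src)          # rule applies to the FX only
    if allow_all or in_service_group(proto, dport):
        return True, str(FX_OUTSIDE)    # translate to the dedicated NAT address
    return False, str(src)
```

The difference between `allow_all=False` and `allow_all=True` in `outbound_decision` is exactly the widening the author had to accept to reach the LeadTek unit, which is worth weighing against the restricted inbound side when reviewing the rule set.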
Polycom FX Changes:
On the FX, I opened System Info, Admin Setup, LAN/H323, LAN/Internet, Firewall/LAN Connection and made the following changes:
- Use Fixed Ports (Checked)
- TCP Ports 3230 to 3235
- UDP Port 3230 to 3253
- System is Behind a NAT (Checked)
- NAT is H323 Compatible (Clear)
- Auto Discover NAT: (Checked)
- Select Menu
If the FX doesn't pick up the correct NAT address, clear the Auto Discover NAT checkbox and manually enter the outside address of the FX, according to your firewall configuration. These changes are necessary to run a video conference with a unit on the Internet. To use the FX with other units via the VPN, use the following settings on the FX:
- Use Fixed Ports (Clear)
- System is Behind a NAT (Clear)
- NAT is H323 Compatible (Clear)
- Auto Discover NAT: (Clear)
- Select Menu
When changing these settings, I found it helpful to shut off the FX unit and, after making the modifications, restart the firewall and then the FX unit. Sometimes it appeared as though the FX and the Sonicwall retained their old connection to each other, and the changes weren't reflected until both the FX and the Sonicwall were reset. With these changes, I can connect to the LeadTek unit and other FX units via the VPN (although not simultaneously). Multivendor connectivity problems are some of the most challenging problems facing IT departments. Often, vendors blame each other for interoperability problems. If you're like me, you don't care where the problem is; you just want it fixed.
Tip: VX2 Spyware
There appear to be new VX2 spyware variants on the Internet. VX2 is one of the most difficult pieces of spyware to clean from your PC. If your computer is infected with this spyware, try the following sites for help removing this piece of software:
AdAware with the VX2 Cleaner Add In