If you are using a Gatekeeper, make sure the Polycom system can reach it. If you have restricted outbound access from your internal clients through the firewall, you also need to allow the protocols listed below out through Access Rules in TMG. For the Access Rules, reverse the directions given below: TCP Inbound becomes Outbound, and UDP Receive/Send becomes Send/Receive.
You need to create Protocols for the following ports:
1719 UDP Receive/Send (only if you are using a Gatekeeper with an external provider)
1720 TCP Inbound
3230-3243 TCP Inbound
3230-3341 UDP Receive/Send
You need to create Non-Web Server Protocol Publishing rules, one for each of the above Protocols:
Polycom 1719:
- External to Polycom IP address
- Requests appear to come from the original client
Polycom 1720:
- External to Polycom IP address
- Requests appear to come from the Forefront TMG computer
Polycom 3230-3243 TCP:
- External to Polycom IP address
- Requests appear to come from the original client
Polycom 3230-3341 UDP:
- External to Polycom IP address
- Requests appear to come from the original client
As you can see in the picture above, the connection was denied by the Default rule because the TCP protocol definition had been created with the wrong direction.
Note: if you set the wrong direction on a UDP protocol, for example 'Send/Receive' instead of 'Receive/Send', the protocol will not appear in the wizard when you create the non-web server publishing rule. The same applies to a TCP protocol set to Outbound. For UDP, 'Send/Receive' is the equivalent of TCP Outbound, and 'Receive/Send' is the equivalent of TCP Inbound.
If you look in your firewall log and see the H.323 protocol being triggered, you have probably not set up your rules correctly. Look at the rule that triggered it and the port: the rule field will be blank. This is because TMG identifies the traffic as H.323 and applies its built-in system protocol definition instead of yours; TMG is not a passive firewall where you simply open and close ports.
I believe that the H.323 protocol is probably very powerful in protecting your environment, but blogs, and even Microsoft, actually recommend disabling the H.323 filter in TMG: http://support.microsoft.com/kb/556039/en-us
To stop TMG from applying its built-in H.323 protocol definition (as opposed to the H.323 filter), create your own user-defined protocol for the port and use it in the non-web server publishing rule; TMG will then match your protocol instead of the system one.
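Both symptoms described above, a connection to a Polycom port denied by the Default rule and the built-in H.323 protocol showing up with an empty rule field, can be picked out of the firewall log automatically. The following Python script is an added example, not part of the original post or of TMG itself. It parses a simplified, tab-separated subset of TMG's W3C firewall log; the field names it expects (date, time, source, destination, transport, protocol, action, rule, source port, destination port) and every sample line in it are constructed for illustration, and the port ranges are the ones the post publishes.

```python
"""Check TMG-style firewall log lines for the two Polycom/H.323 symptoms
described in the post.

Added example, not from the original post or from Microsoft. The log layout
is an assumed, simplified, tab-separated subset of the W3C firewall log that
Forefront TMG writes; field names and all sample lines are constructed.
"""

# Ports the post publishes for the Polycom system. A connection to one of
# these being denied by the Default rule means no protocol definition
# matched, typically because the definition was created with the wrong
# direction (TCP Outbound or UDP Send/Receive instead of Inbound/Receive/Send).
POLYCOM_PORTS = {
    "TCP": [(1720, 1720), (3230, 3243)],
    "UDP": [(1719, 1719), (3230, 3341)],
}

# Constructed sample log (assumed layout). Line 2 is the wrong-direction
# symptom; line 3 is the built-in H.323 protocol applied with a blank rule.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Forefront TMG",
    "#Fields:\tdate\ttime\tsource\tdestination\ttransport\tprotocol\taction"
    "\trule\tsource port\tdestination port",
    "2012-03-01\t10:00:01\t203.0.113.10\t192.0.2.5\tTCP\tPolycom 1720"
    "\tInitiated Connection\tPolycom 1720\t40000\t1720",
    "2012-03-01\t10:00:02\t203.0.113.10\t192.0.2.5\tTCP"
    "\tUnidentified IP Traffic (TCP:3231)\tDenied Connection\tDefault rule"
    "\t40001\t3231",
    "2012-03-01\t10:00:03\t203.0.113.10\t192.0.2.5\tTCP\tH.323 Protocol"
    "\tInitiated Connection\t\t40002\t1720",
    "2012-03-01\t10:00:04\t203.0.113.11\t192.0.2.5\tTCP\tHTTP"
    "\tDenied Connection\tDefault rule\t40003\t80",
])


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].strip("\t ").split("\t")
            continue
        if not raw or raw.startswith("#"):
            continue  # other W3C directives and blank lines
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split("\t")  # keeps empty fields such as a blank rule
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {raw!r}")
        records.append(dict(zip(fields, values)))
    return records


def is_polycom_port(transport, port):
    """True if port falls in one of the published ranges for that transport."""
    return any(lo <= port <= hi for lo, hi in POLYCOM_PORTS.get(transport.upper(), []))


def find_issues(records):
    """Return (issue_code, record) pairs for the two symptoms in the post."""
    issues = []
    for rec in records:
        port = int(rec.get("destination port") or 0)
        # Symptom 1: Default rule denying traffic to a published Polycom port.
        if rec["action"].startswith("Denied") and is_polycom_port(rec["transport"], port):
            issues.append(("denied-polycom-port", rec))
        # Symptom 2: TMG matched its built-in H.323 protocol; rule field is blank.
        if rec["protocol"].startswith("H.323") and not rec["rule"].strip():
            issues.append(("h323-filter-applied", rec))
    return issues


def check_log(text):
    """Parse a log and return its issues in one call."""
    return find_issues(parse_w3c(text))


if __name__ == "__main__":
    for code, rec in check_log(SAMPLE_LOG):
        print(f"{code}: {rec['time']} {rec['source']} -> "
              f"{rec['destination']}:{rec['destination port']}/{rec['transport']} "
              f"protocol={rec['protocol']!r} rule={rec['rule']!r}")
```

Feed `check_log` the contents of an exported log with the same header to run the two checks over real traffic. The UDP range in `POLYCOM_PORTS` follows the post (3230-3341); adjust it if your Polycom system uses a different fixed-port range.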
Please feel free to comment on this blog…
Forefront TMG includes an H.323 filter that allows H.323-compliant applications, such as Microsoft Windows NetMeeting® 3, to pass through Forefront TMG. This enables rich multimedia and real-time collaboration capabilities between enterprises using the Internet. Organizations that deploy interdepartmental firewalls can also use this technology to enhance communications between their employees over their intranets.
Additionally, the H.323 filter protects communication between internal clients and the Internet, hiding client IP addresses and restricting access as needed.
H.323 Protocol
The H.323 protocol is a set of standards enabling real-time multimedia conferencing and communications over packet-based networks that do not guarantee Quality of Service (QoS). The standards were developed to accommodate varying usages. Due to the inadequate quality of voice over the Internet, it was proposed that improvements could be made if communications were carried partly on the Internet and partly on the public switched telephone network (PSTN). The H.323 standards would also provide for communications between a standard PSTN phone and a computer-based client.
H.323 defines how compliant components (terminals, gateways, gatekeepers, and multipoint control units) engage in audio, video, and multipoint conference communications. The H.323 standards define the mandatory and optional services supplied by a gatekeeper. The H.323 protocol standard covers call control and management for both point-to-point and multipoint conferences. The standard also defines the gateway operability that allows calls to be connected between H.323 terminals as well as between LAN and PSTN devices.
By default, the H.323 filter is applied to the H.323 protocol.