Wednesday, December 15, 2010
【Weak Current College】 How do voice and video traffic get through firewalls and NAT? --- Powered by 【China Power House Network】
Q: How do voice and video communications get through firewalls and NAT?

A: Actually, one of the simplest ways to solve the firewall and NAT problem is to avoid using them, but for most organizations this approach is too risky: network security would not be guaranteed, and obtaining enough routable IP addresses can be difficult and expensive. Most providers who want to offer IP multimedia communications will inevitably face the challenge of a firewall or NAT. In fact, most organizations use both a firewall and NAT, so solving only one of the two problems is not enough. The existing solutions are as follows.

1. PSTN gateway. If you do not particularly care whether the communication stays IP-based beyond the LAN, you can use a gateway to convert IP voice and video on the LAN into circuit-switched voice and video on the public PSTN. Using a gateway sidesteps the problem of getting through the network firewall, because no IP packets cross the firewall. It also solves the NAT problem: all calls from LAN terminals are routed out through the gateway, and calls entering the LAN are routed in through it. Today most IP phones communicate with non-IP phones through a gateway. The gateway is only a partial solution, however, since every participant in the call who sits behind a NAT or firewall needs a suitable gateway.

2. DMZ MCU. Some organizations solve firewall and NAT traversal by placing the MCU in the so-called DMZ. The DMZ typically sits between the Internet and the firewall of the internal network; organizations that want to offer their own Internet services (such as web, ftp, email and domain name services) generally place those services in the DMZ, which is a good way to protect their private network. The MCU placed in the DMZ is fitted with two network cards: one provides access to the private network, the other provides the portal to the public Internet. The biggest drawback of this solution is that even point-to-point calls must go through the MCU, and if the call path crosses several NAT devices, an MCU is needed at each NAT location.

3. H.323 proxy. An H.323 proxy can be used to address the NAT problem alone or NAT and firewall problems together, depending on how the proxy is configured. A proxy is really a special kind of gateway that does not convert between IP protocols: the same protocol is used on both sides of the proxy. The proxy makes a terminal-to-terminal call look like two separate calls, one from the terminal on the private network to the proxy and the other from the proxy to the terminal on the public Internet, and by relaying the call the proxy fixes the NAT problem. An H.323 proxy generally combines standard gatekeeper functions with RTP/RTCP media stream proxying. A typical deployment places the H.323 proxy behind the firewall; the proxy must be assigned a public IP address, and the firewall is configured to allow multimedia communication between the proxy and the outside. When NAT is applied at many points along the network path, a SOCKS proxy is needed at each NAT point.

4. Application layer gateway. An application layer gateway (ALG) is a firewall designed to recognize specific IP protocols such as H.323 and SIP, also called an ALG firewall. Instead of looking only at the header information to decide whether a packet may pass, it analyzes the packet payload more deeply, that is, the application-layer data. H.323 and SIP carry important control information in the payload, such as which data ports the voice and video terminal will use to receive the far terminal's voice and video data. By analyzing which ports need to be opened, the firewall dynamically opens only the ports actually in use, while all other ports stay safely closed. If NAT is applied to mask internal IP addresses, the ALG needs a proxy, which the firewall manufacturer provides so that the ALG works across NAT. Major firewall vendors such as Cisco, Checkpoint and Gauntlet offer an H.323 ALG upgrade for their products, but most firewalls on the market do not support an ALG. This solution also has some disadvantages: because the packet payload has to be analyzed, the firewall's processing load increases, which affects network performance and makes the firewall a potential bottleneck; if there are several layers of firewalls and NATs, every firewall on the call path must be upgraded to support the ALG; and on most corporate networks the firewall is a critical component, so adding an ALG may be difficult for many companies.

5. Virtual private network (VPN). VPN technology is currently one of the methods of providing secure communication over IP networks; within the same VPN the firewall traversal problem is solved, and in the near future VPRN technology, which guarantees both network security and QoS, is likely to be the most promising solution for multimedia communication over IP networks. In VPN technology, an IPSec layer below UDP and TCP provides security for IP communication, but an IPSec-based VPN uses its own connection identifier instead of UDP or TCP ports and encrypts the layers above IPSec, so its mechanism does not fit NAT, and NAPT in particular cannot be used. To get through NAT, it is best to choose a product from one vendor that integrates firewall, VPN and NAPT functions. In addition, although the VPN solution is very secure, it only allows devices within the same VPN to communicate with each other, not communication with end users on the public network.

6. Tunneling. For typical enterprise networks that do not want to upgrade or reconfigure their firewall and NAT devices, and do not want the interactive traffic between inside and outside to bypass these devices, a tunneling scheme that lets IP voice and video through firewalls and NAT may be the most appropriate; a United States company, Ridgeway, currently offers such a solution. The tunneling solution consists of two components, Server software and Client software. The Client sits on the private network inside the firewall and has both gatekeeper and proxy functions; terminals on the private network register with the Client. It establishes a signaling and control channel to the Server outside the firewall, through which it forwards all registration and call-control signaling to the Server; it also forwards audio and video data to the Server, and for packets that internal terminals send to external destinations it replaces the terminal's address and port number with its own. The Server is placed in public address space outside the firewall, either on a service provider's network or in a corporate DMZ; it acts as a gatekeeper proxy and forwards all registration and call signaling received from the Client to the central Server on the network. The Server and Client exchange data mainly through two fixed ports, 2776 and 2777, which IANA assigned to Ridgeway Systems. When the Client on the private network starts: 1. it establishes a fixed connection to Server port 2776 to transfer control and status information; 2. it listens on the private network for H.323 gatekeeper registration and request messages. When a terminal starts: 1. the terminal sends its registration information through the Client/Server connection to the central gateway; 2. the Server assigns each registered terminal a unique port number (on the Server's IP address).

When a terminal calls another terminal outside the firewall, all packets are routed through the Client to the Server, and data returned from the Server is routed back through the Client to the terminal. Once a call is established, the Client keeps all the channels needed for audio and video open through the firewall, and the audio and video data is transmitted through those open channels. This method masks IP address information well, because all packets are routed via the Server; each terminal appears to communicate directly with the Server rather than with the other terminal, which ensures that terminal IP addresses cannot be learned from outside the network. In most cases this method requires no change to the firewall configuration. Where the firewall settings restrict outbound ports, the administrator can create a simple rule allowing outgoing connections from the Client to the Server on the two fixed ports 2776 and 2777. The biggest disadvantage is that all traffic through the firewall has to pass through the Server, which creates a potential bottleneck; the Client and Server processing adds less than 5 ms of delay. However, this is necessary, because the Server is the only device the firewall trusts.
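As an added example that is not part of the original post, the following Python sketch shows what the application layer gateway of item 4 actually does with a SIP INVITE: it parses the SDP body for the RTP/RTCP ports the calling terminal will receive media on, so the firewall can open exactly those pinholes and nothing else, and it rewrites the SDP address when NAT masks the internal address. The INVITE, the addresses and the `Pinhole` type are constructed for the example; a complete ALG would also rewrite the Via and Contact headers and close the pinholes again when the call ends.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Pinhole:
    proto: str   # transport the firewall must open
    addr: str    # address the terminal receives media on
    port: int
    kind: str    # e.g. "audio-rtp", "audio-rtcp"


def split_sip(message: str):
    """Split a SIP message into (headers, body); the body follows the first blank line."""
    head, _, body = message.partition("\r\n\r\n")
    return head, body


def parse_sdp_media(sdp: str) -> List[dict]:
    """Return one dict per m= line with the receive address and port, taking the
    address from the session-level c= line unless the media section has its own."""
    session_addr = None
    current = None
    entries: List[dict] = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[2]                     # c=<nettype> <addrtype> <address>
            if current is None:
                session_addr = addr
            else:
                current["addr"] = addr
        elif line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]   # m=<media> <port> <proto> ...
            current = {"kind": kind, "port": int(port), "proto": proto, "addr": None}
            entries.append(current)
    for entry in entries:
        if entry["addr"] is None:
            entry["addr"] = session_addr
    return entries


def pinholes_for_invite(invite: str) -> List[Pinhole]:
    """The ports an ALG opens for this INVITE: each media RTP port plus, by RTP
    convention, the RTCP port one above it. A port of 0 means the stream is
    disabled, so nothing is opened for it."""
    _, sdp = split_sip(invite)
    holes: List[Pinhole] = []
    for entry in parse_sdp_media(sdp):
        if entry["port"] == 0:
            continue
        holes.append(Pinhole("udp", entry["addr"], entry["port"], f"{entry['kind']}-rtp"))
        holes.append(Pinhole("udp", entry["addr"], entry["port"] + 1, f"{entry['kind']}-rtcp"))
    return holes


def nat_rewrite_sdp(invite: str, private_ip: str, public_ip: str) -> str:
    """What the ALG must do when NAT hides the internal address: rewrite the IP in
    the SDP o= and c= lines to the public address and fix Content-Length to match."""
    head, sdp = split_sip(invite)
    new_sdp = sdp.replace(f"IN IP4 {private_ip}", f"IN IP4 {public_ip}")
    head = re.sub(r"(?im)^Content-Length:\s*\d+",
                  f"Content-Length: {len(new_sdp.encode())}", head)
    return head + "\r\n\r\n" + new_sdp


# Constructed sample INVITE from a terminal at private address 192.168.1.20.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@203.0.113.9 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060\r\n"
    "From: <sip:alice@192.168.1.20>\r\n"
    "To: <sip:bob@203.0.113.9>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)

if __name__ == "__main__":
    for hole in pinholes_for_invite(SAMPLE_INVITE):
        print(hole)
    print(nat_rewrite_sdp(SAMPLE_INVITE, "192.168.1.20", "203.0.113.1"))
```

Run as a script, it lists the four UDP pinholes (audio RTP/RTCP on 49170/49171, video on 51372/51373) and prints the INVITE as it would leave the NAT. The point the post makes about cost is visible here too: the firewall has to reassemble and parse every signaling message rather than just match headers, which is why vendors treat an ALG as an upgrade rather than a default.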
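The port-per-terminal scheme of item 6, as an added simulation that is not Ridgeway's code: the Server hands each registered terminal a unique port on its own public address, relays outbound packets with that address and port as the source, and demultiplexes inbound packets by destination port back to the terminal through the Client. It shows why the outside world only ever sees the Server, and why two internal terminals using the same private port do not collide. The terminal names, private and public addresses and the port pool are constructed values; only the fixed control port 2776 comes from the post.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CONTROL_PORT = 2776  # fixed Client-to-Server control/status port named in the post


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class TunnelServer:
    """Server side: public address, one unique port per registered terminal."""

    def __init__(self, public_ip: str, first_port: int = 30000, last_port: int = 30099):
        self.public_ip = public_ip
        self._free = list(range(first_port, last_port + 1))  # constructed port pool
        self.port_of: Dict[str, int] = {}        # terminal id -> assigned port
        self.terminal_at: Dict[int, str] = {}    # assigned port -> terminal id

    def register(self, terminal_id: str) -> int:
        """Registration forwarded by the Client: hand out (or re-use) a unique port."""
        if terminal_id in self.port_of:
            return self.port_of[terminal_id]
        if not self._free:
            raise RuntimeError("port pool exhausted")
        port = self._free.pop(0)
        self.port_of[terminal_id] = port
        self.terminal_at[port] = terminal_id
        return port

    def unregister(self, terminal_id: str) -> None:
        """Release the port so it can be reassigned."""
        port = self.port_of.pop(terminal_id)
        del self.terminal_at[port]
        self._free.append(port)

    def relay_out(self, terminal_id: str, pkt: Packet) -> Packet:
        """Outbound media: the source becomes the Server's address and the terminal's
        assigned port, so the far end never sees the private address."""
        port = self.port_of[terminal_id]
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def relay_in(self, pkt: Packet) -> Optional[str]:
        """Inbound packet: the destination port identifies the terminal; anything
        addressed to an unassigned port is dropped (returns None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        return self.terminal_at.get(pkt.dst_port)


class TunnelClient:
    """Client side: inside the firewall, knows the private terminals, and reaches the
    Server through the single outbound control connection plus the relayed media."""

    def __init__(self, server: TunnelServer, terminals: Dict[str, Tuple[str, int]]):
        self.server = server
        self.terminals = terminals                        # terminal id -> (private ip, port)
        self.control = (server.public_ip, CONTROL_PORT)   # the one outbound connection

    def register_all(self) -> Dict[str, int]:
        return {tid: self.server.register(tid) for tid in self.terminals}

    def send(self, terminal_id: str, dst_ip: str, dst_port: int, payload: bytes) -> Packet:
        """A terminal's packet leaves through the Client and is re-sourced by the Server."""
        ip, port = self.terminals[terminal_id]
        private = Packet(ip, port, dst_ip, dst_port, payload)
        return self.server.relay_out(terminal_id, private)

    def receive(self, pkt: Packet) -> Optional[Packet]:
        """A packet returned by the Server is re-addressed to the terminal's private address."""
        tid = self.server.relay_in(pkt)
        if tid is None:
            return None
        ip, port = self.terminals[tid]
        return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.payload)


def demo():
    """Two terminals that both use private port 49170 get distinct Server ports."""
    server = TunnelServer("203.0.113.5")
    client = TunnelClient(server, {"term-a": ("192.168.1.20", 49170),
                                   "term-b": ("192.168.1.21", 49170)})
    ports = client.register_all()
    out = client.send("term-a", "198.51.100.7", 5004, b"rtp")
    back = client.receive(Packet("198.51.100.7", 5004, server.public_ip,
                                 ports["term-a"], b"rtp-reply"))
    return ports, out, back


if __name__ == "__main__":
    print(demo())
```

The bottleneck the post warns about is also visible in this structure: every relayed packet passes through `relay_out` or `relay_in` on the Server, and the `terminal_at` lookup is the only thing that keeps inbound traffic for different terminals apart, which is why the firewall trusts the Server alone and the Client only needs outbound access to the fixed ports.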