AREN - PowerPoint PPT Presentation

Slides: 16
Provided by: CorporateC3
Transcript and Presenter's Notes

1
AREN
Practical Experiences Overcoming Firewalls and
Limited Bandwidth for H.323 Video Conferencing
2
AREN Quick Overview
  • Multiple Star Network
  • Stars originate at the hub sites and hubs are
    connected by a North-South backbone
  • DS3/Partial OC-3 backbone
  • DS1 (T1) or Multiple T1 to clients
  • Multiple Internet access points (DS3)

3
So What's the Problem?
  • H.323 based VTC systems are increasingly used for
    K-20 distance learning
  • Many Education Networks have limited bandwidth
    connections with little funding for upgrades
  • Most school system networks (many University
    Networks) are behind firewalls and NAT

4
The Small Pipe Issue
  • In Alabama, most schools connect to their
    systems network (and then the Internet) through
    point to point DS1 (T1s) 1.5Mbps
  • A single H.323 VTC connection with decent quality
    uses 384kbps (plus overhead)
  • Conservative rule of thumb recommended by Cisco
    is 20% overhead ≈ 460kbps
  • So a single H.323 session at 384kbps uses almost
    1/3 of a T1 line (for design purposes)
  • And the real problem: most large schools fill
    the pipe with Internet traffic alone

5
The Huntsville Example
6
Where did we enable QoS?
  • Schools were not using VLANs and most had no QoS
    support at the LAN level
  • So no CoS (802.1p) marking could be used
  • QoS enabled using DSCP tagging and CBWFQ on
    routers and layer3 switches
  • Differentiated Services Code Point (DSCP)
  • Class-Based Weighted Fair Queueing (CBWFQ)
  • Traffic is classified and tagged at routers based
    on source/destination IP address

7
Cisco Router Config Example
class-map match-all VTC-hosts
 match access-group name VTC-list
!
policy-map QoS-VTC
 class VTC-hosts
  bandwidth percent 50
  set ip dscp ef
 class class-default
  fair-queue
!
ip access-list extended VTC-list
 permit ip any any precedence critical
 permit ip any any dscp ef
 permit ip any host 192.168.2.20
 permit ip host 192.168.2.20 any
interface FastEthernet0/0
 description School LAN
 bandwidth 100000
 ip address 192.168.2.1 255.255.255.0
 speed 100
 full-duplex
 service-policy output QoS-VTC
!
interface Serial0/0
 description to Core Router
 bandwidth 1544
 ip address 172.20.2.2 255.255.255.252
 service-policy output QoS-VTC
!
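As an added illustration (not part of the AREN slides or the router's own code), the following Python model shows how the VTC-list ACL above classifies packets and what "set ip dscp ef" does to the TOS byte; the packets and addresses are constructed, and the TOS bit layout (DSCP in the top 6 bits, precedence in the top 3) follows RFC 2474.

```python
from dataclasses import dataclass

DSCP_EF = 46               # Expedited Forwarding, DSCP 101110
PRECEDENCE_CRITICAL = 5    # IP precedence "critical" (top 3 bits of TOS)
VTC_HOST = "192.168.2.20"  # the VTC codec named in the ACL above

@dataclass
class Packet:
    src: str
    dst: str
    tos: int = 0           # the 8-bit IPv4 TOS / DS byte

    @property
    def dscp(self) -> int:        # DSCP is the top 6 bits of the TOS byte
        return self.tos >> 2

    @property
    def precedence(self) -> int:  # IP precedence is the top 3 bits
        return self.tos >> 5

def matches_vtc_list(p: Packet) -> bool:
    """True if any ACE of 'ip access-list extended VTC-list' permits the packet."""
    return (p.precedence == PRECEDENCE_CRITICAL  # permit ip any any precedence critical
            or p.dscp == DSCP_EF                 # permit ip any any dscp ef
            or p.dst == VTC_HOST                 # permit ip any host 192.168.2.20
            or p.src == VTC_HOST)                # permit ip host 192.168.2.20 any

def apply_qos_vtc(p: Packet) -> tuple[str, Packet]:
    """class-map VTC-hosts matches the ACL; policy-map QoS-VTC gives that class
    'bandwidth percent 50' and 'set ip dscp ef'. Everything else falls into
    class-default (fair-queue) and keeps whatever marking it arrived with."""
    if matches_vtc_list(p):
        # set ip dscp ef rewrites the top 6 bits and leaves the 2 ECN bits alone
        return "VTC-hosts", Packet(p.src, p.dst, (DSCP_EF << 2) | (p.tos & 0b11))
    return "class-default", p
```

Note that the first two ACEs trust markings already on the packet, so any LAN host that sets DSCP EF or precedence 5 itself lands in the 50% class; remarking untrusted ingress traffic at the LAN edge is the usual mitigation.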
8
QoS Through Firewalls?
  • Most (all?) firewalls offer no support for QoS
    guarantees
  • The official Cisco comment is that their PIX is
    so fast there is no congestion
  • The PIX firewall does not alter DSCP tagged
    packets (so QoS can be done on either side of the
    PIX)

9
Problems With Firewalls (and NAT)
  • H.323 uses multiple tcp connections and udp ports
    simultaneously for VTC
  • The H.323 standard assigns ports dynamically from
    1024 to 65535
  • During call setup, the IP address of the calling
    party is sent to the called party in the data
    field of the IP packet (so NAT can't translate
    it)

10
Solutions to the Firewall Problem
  • Don't NAT H.323 clients
    - Well... what's the firewall doing then?
    - May or may not open the H.323 client to all
      ports
    - Probably not a good idea to open everything!
  • NAT H.323 and rely on the client to be smart
    enough to work through the firewall/NAT
    - A Polycom client can be told to use specific
      ports. The client can also be configured to know
      its real outside address and can use this
      address in handshaking
  • NAT H.323 and rely on the firewall to be smart
    enough to work everything out
    - Application Proxy etc.
  • Use an additional device to perform the
    Application Proxy
    - May be useful when deploying a standard solution
      across diverse networks

11
What do you mean, Don't NAT?
  • If public IP space is available, you could form
    small public subnets at each site in parallel
    with the privately addressed network
  • Firewall could pass these addresses on into the
    Internet without NATing
  • Client would need to predefine which TCP/UDP
    ports will be used so they can be opened through
    the firewall
  • Otherwise all ports above 1024 would have to be
    opened (back to Why have a firewall?)

12
NAT with a Smart Client
  • PAT won't work but NAT can work with a smart
    client
  • I mean true one to one static NAT here (1 public
    to 1 private)
  • Example: Polycom clients have settings in their
    QoS menu that allow pre-definition of the client's
    outside (public) address. There is a check box
    that says this client is behind NAT
  • Polycom units also allow pre-definition of
    TCP/UDP ports used
    - default is 3230-3235
  • No application proxy (or fixup) would be
    configured on the firewall.
  • Pre-defined data ports and TCP 1720 (call setup)
    would be allowed to the statically NATed
    addresses of the clients
  • This method was used for Shelby County schools
    due to old software version on their PIX firewall.

13
Polycom Setup Example
14
NAT with a Smart Firewall
  • Firewall must either serve as an H.323
    Application proxy or somehow snoop the H.323
    setup (looking at all the handshaking)
  • Cisco PIX version 6.14 and up supports an H.323
    fixup protocol that overcomes the NAT and port
    problems by snooping.
  • Some PIX versions prior to 6.14 have an H.323
    fixup protocol but it will only work with
    Netmeeting, CUSeeMe, etc
  • Even with snooping the call setup port 1720 must
    be opened to allow calls originating from the
    outside
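As an added example (not from the AREN slides and not real Polycom or PIX code), this Python model ties together slides 9, 12 and 14: why a header-only static NAT breaks H.323 call setup, how a "smart client" that knows its public address gets around it, how a snooping "fixup" firewall rewrites the embedded address instead, and the narrow inbound rule set the smart-client method needs. The setup message is a simplified stand-in for the real H.225 encoding, and the addresses and NAT mapping are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

STATIC_NAT = {"192.168.2.20": "203.0.113.20"}   # constructed 1:1 static mapping
H225_SETUP_PORT = 1720                          # H.323 call setup (TCP)
VTC_DATA_PORTS = range(3230, 3236)              # Polycom default 3230-3235
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class SetupPacket:
    src_ip: str          # IP header source address
    dst_ip: str          # IP header destination (the called party)
    dst_port: int
    payload_ip: str      # calling party's address carried in the setup body
    payload_port: int    # port the caller asks the callee to send media to

def plain_nat(p: SetupPacket) -> SetupPacket:
    """Static NAT with no H.323 fixup: only the IP header is rewritten."""
    return replace(p, src_ip=STATIC_NAT.get(p.src_ip, p.src_ip))

def fixup_nat(p: SetupPacket) -> SetupPacket:
    """Slide 14: a firewall that snoops the setup also rewrites the embedded
    address, so the callee sees a reachable public address."""
    return replace(plain_nat(p), payload_ip=STATIC_NAT.get(p.payload_ip, p.payload_ip))

def smart_client_setup(private_ip: str, public_ip: str, callee: str,
                       port: int) -> SetupPacket:
    """Slide 12: a client told it is behind NAT writes its own outside
    address into the setup, so a plain static NAT is enough."""
    return SetupPacket(private_ip, callee, H225_SETUP_PORT, public_ip, port)

def callee_can_reach_media(p: SetupPacket) -> bool:
    """A callee on the Internet cannot send media back to an RFC 1918 address."""
    addr = ipaddress.ip_address(p.payload_ip)
    return not any(addr in net for net in RFC1918)

def inbound_allowed(dst_public_ip: str, proto: str, port: int) -> bool:
    """Slide 12 rule set for a PIX without fixup: only call setup (TCP 1720)
    and the pre-defined data ports, and only to the statically NATed clients."""
    if dst_public_ip not in STATIC_NAT.values():
        return False
    return (proto == "tcp" and port == H225_SETUP_PORT) or port in VTC_DATA_PORTS
```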

15
Additional Application Proxy
  • Most new firewall versions support some form of
    Application Proxy or snooping
    - ISA Microsoft Proxy
    - Checkpoint
    - Firebox
  • New interesting concept (read about but not
    driven)
    - Ridgeway Systems