To all who requested PIX config for NetMeeting:

I received a number of emails about my rather terse post that I had it
working.  Sorry to keep you waiting.  I had been working on something else
that was haunting me for a solution.  I hope this is what you were looking
for.

Note that I have not tested inbound originated audio capability since I do
not have audio requirements.  I don't think "outside" originated audio will
work, however inside originated sessions should.  Otherwise it works for me.
Outside originated clients can initiate and establish sessions to the inside
hosts and vice versa.  Note these are fictitious IPs in this config.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol h323 1720
static (inside,outside) 204.71.200.75 10.1.1.75 netmask 255.255.255.255 0 0
conduit permit tcp 204.71.200.75 255.255.255.255 eq 389 any
conduit permit tcp 204.71.200.75 255.255.255.255 eq 522 any
conduit permit tcp 204.71.200.75 255.255.255.255 eq 1503 any
conduit permit tcp 204.71.200.75 255.255.255.255 eq 1731 any
conduit permit tcp 204.71.200.75 255.255.255.255 eq h323 any

You may have other security requirements.  This will let any host start a
NetMeeting session to external IP 204.71.200.75 that is pointing to a host
on the inside with IP 10.1.1.75.

The following is from Microsoft's Knowledge Base (Article Q158623):

NetMeeting uses the following Internet Protocol (IP) ports:
   Port      Purpose
   -------------------------------------
   389       Internet Locator Server [Transmission Control Protocol (TCP)]
   522       User Location Server (TCP)
   1503      T.120 (TCP)
   1720      H.323 call setup (TCP)
   1731      Audio call control (TCP)
   Dynamic   H.323 call control (TCP)
   Dynamic   H.323 streaming [Realtime Transport Protocol (RTP) over User Datagram Protocol (UDP)]

To establish outbound NetMeeting connections through a firewall, the
firewall must be configured to do the following:
  a. Pass through primary TCP connections on ports 522, 389, 1503, 1720 and
1731.

  b. Pass through secondary UDP connections on dynamically assigned ports
(1024-65535).

  NOTE: Some firewalls are capable of passing through TCP connections on
specific ports, but are not capable of passing through secondary UDP
connections on dynamically assigned ports. When you establish NetMeeting
connections through these firewalls, you are unable to use the audio
features of NetMeeting.

  In addition, some firewalls are capable of passing through TCP connections
on specific ports and secondary UDP connections on dynamically assigned
ports, but are not capable of virtualizing an arbitrary number of internal
IP addresses, or are not capable of doing so dynamically. With these
firewalls, you are able to establish NetMeeting connections from computers
inside the firewall to computers outside the firewall and you are able to
use the audio features of NetMeeting, but you are unable to establish
connections from computers outside the firewall to computers inside the
firewall.

  The H.323 call setup protocol (over port 1720) dynamically negotiates a
TCP port for use by the H.323 call control protocol. Also, both the audio
call control protocol (over port 1731) and the H.323 call setup protocol
(over port 1720) dynamically negotiate User Datagram Protocol (UDP) ports
for use by the H.323 streaming protocol, called the real time protocol
(RTP). In NetMeeting, two ports are determined on each side of the firewall
for audio and video streaming. These dynamically negotiated ports are
selected arbitrarily from all ports that can be assigned dynamically.

  NetMeeting directory services require either port 389 or port 522,
depending on the type of server you are using. Internet Locator Servers
(ILSs), which support the lightweight directory access protocol (LDAP) for
NetMeeting 2.0 or later, require port 389. User Location Servers (ULSs),
developed for NetMeeting 1.0, require port 522.

John Burgess
fastex.net
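The check a practitioner would want before trusting a config like the one above is whether every primary TCP port from the KB table actually has a conduit to the static, and whether the H.323 fixup is on 1720 so the PIX can open the dynamically negotiated H.245 (TCP) and RTP (UDP) ports the KB describes. The following linter is an added example for this post, not code from the poster or from Cisco; it only understands the `static`, `conduit ... eq` and `fixup protocol h323` forms that appear in the post (an assumption; other PIX syntax such as `host` or port ranges is not handled beyond the `host` keyword), and the config text embedded below is constructed from the posted lines with the same fictitious addresses.

```python
"""Lint a PIX config fragment against the NetMeeting ports in KB Q158623.

Added example, not part of the original post or of Cisco's tooling.
Assumes the conduit/static/fixup syntax used in the post; the configs
below are constructed from it with the post's fictitious addresses.
"""
import re

# Primary TCP ports NetMeeting needs through the firewall (KB Q158623).
NETMEETING_TCP_PORTS = {
    389: "ILS directory (LDAP)",
    522: "ULS directory (NetMeeting 1.0)",
    1503: "T.120 data conferencing",
    1720: "H.323 call setup (H.225)",
    1731: "Audio call control",
}

# PIX accepts a few service keywords in place of numbers; only those
# relevant here are mapped (assumption: the post uses "h323" for 1720).
SERVICE_NAMES = {"h323": 1720, "ldap": 389}

CONDUIT_RE = re.compile(
    r"^conduit\s+permit\s+(?P<proto>tcp|udp|ip)\s+"
    r"(?:host\s+(?P<host>\S+)|(?P<ip>\S+)\s+(?P<mask>\S+))"
    r"(?:\s+eq\s+(?P<port>\S+))?\s+(?P<src>.+)$"
)
STATIC_RE = re.compile(
    r"^static\s+\((?P<in>\w+),(?P<out>\w+)\)\s+(?P<global>\S+)\s+(?P<local>\S+)"
)
FIXUP_RE = re.compile(r"^fixup\s+protocol\s+h323\s+(?P<port>\d+)")


def port_number(token):
    """Resolve a numeric port or a PIX service keyword to an int."""
    return int(token) if token.isdigit() else SERVICE_NAMES[token]


def parse_pix(config_text):
    """Return statics {global: local}, a set of (global_ip, proto, port)
    conduits (port None means 'all ports'), and the H.323 fixup port."""
    statics, conduits, h323_fixup = {}, set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[m["global"]] = m["local"]
        elif m := CONDUIT_RE.match(line):
            ip = m["host"] or m["ip"]
            port = port_number(m["port"]) if m["port"] else None
            conduits.add((ip, m["proto"], port))
        elif m := FIXUP_RE.match(line):
            h323_fixup = int(m["port"])
    return statics, conduits, h323_fixup


def check_netmeeting(config_text, global_ip):
    """Report what inbound NetMeeting to global_ip still lacks."""
    statics, conduits, h323_fixup = parse_pix(config_text)
    permitted = {p for ip, proto, p in conduits
                 if ip == global_ip and proto in ("tcp", "ip")}
    # A conduit without "eq" permits every port, which covers the table
    # but is far wider than NetMeeting needs; flag it separately.
    wide_open = any(p is None for ip, _, p in conduits if ip == global_ip)
    missing = sorted(p for p in NETMEETING_TCP_PORTS
                     if p not in permitted and not wide_open)
    return {
        "static_present": global_ip in statics,
        "missing_tcp_ports": missing,
        # The dynamic H.245 (TCP) and RTP (UDP) ports are only opened if the
        # PIX inspects H.225 call setup on 1720; no fixup, no audio/video.
        "h323_fixup_ok": h323_fixup == 1720,
        "any_port_conduit": wide_open,
    }


# Constructed from the config in the post (fictitious addresses).
POSTED_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol h323 1720
static (inside,outside) 204.71.200.75 10.1.1.75 netmask 255.255.255.255 0 0
conduit permit tcp 204.71.200.75 255.255.255.255 eq 389 any
conduit permit tcp 204.71.200.75 255.255.255.255 eq 522 any
conduit permit tcp 204.71.200.75 255.255.255.255 eq 1503 any
conduit permit tcp 204.71.200.75 255.255.255.255 eq 1731 any
conduit permit tcp 204.71.200.75 255.255.255.255 eq h323 any
"""

# Constructed counter-example: H.323 fixup removed and the T.120 conduit gone.
BROKEN_CONFIG = "\n".join(
    line for line in POSTED_CONFIG.splitlines()
    if not line.startswith("fixup") and "eq 1503" not in line
)

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, check_netmeeting(cfg, "204.71.200.75"))
```

Run it as-is and the posted config reports no missing ports with the fixup in place, while the broken variant reports port 1503 missing and the fixup absent, which is exactly the case the KB note describes where TCP sessions connect but audio never starts.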

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]