Great points! Do you find it just a coincidence that the only NAT'ing firewall that can easily support Netmeeting is (tada!): Micro$oft Internet Security and Acceleration (ISA) server? It's an option in the ISA install for H323 support. It is better than MS' Proxy 2 (you shoulda seen the look on my face when I was asked to open the ports for Netmeeting so a building less than a half-mile away could hold a videoconference!). I'm not an MS junkie, but I can say that the VPN in ISA is pretty smooth and easy to install. Secure? I believe so.

The bottom line is that I have enough points garnered from this list to convince the arguer that VNC is the way to go. Thanks, list!
-----------------
J.Dylan McNeill
Technology Coordinator
Oregon Community School District #220
OCUSD District Office
206 South Tenth Street
Oregon, IL 61061
815.732.4313

-----Original Message-----
From: Scott C. Best [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 13, 2001 12:25 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Help me settle a friendly argument

Heyaz. Sorry to chime in so late to this, but I thought I might add some detail. I'm the developer of the echowall firewall package for the LEAF/LRP Linux distro (lead.sf.net), and I've learned a thing or two about supporting Netmeeting thru a NAT'ing firewall/router.

Let me start off by saying it's incredibly nasty. In fact, I'm at a loss to think of an application which is worse to support behind a NAT'ing firewall than Netmeeting. As with many apps, it's not the firewall that's the problem, it's the NAT'ing part.

As you know, Network Address Translation changes, on the fly, the source-ip and source-port of an outgoing packet as it passes thru your router. This way you can have a whole LAN of (say) 192.168.x.y machines all share a single 'real world' Internet IP address. The router manages state so that the return packets get re-translated and sent back to the right LAN machine. All automatically. Pretty cool.

Trouble is...some problematic apps record the IP address of the end-user's machine not just in the packet's header, but in the packet's *datagram* as well. Oi. FTP does this a little because it was created in the 70's, long before NAT was dreamed up. IPSec does this in some modes to enhance security. Netmeeting does this a lot because it uses H.323 and, well, it was created by Microsoft which (in many, many ways) acts as if it's the tail that wags the Internet dog.

Anyhow. For Linux-based NAT'ing firewalls, there are some special modules you can add to your firewall so that they can NAT the embedded addresses in these problematic apps. They look like "ip_masq_xxxx.o", and I've seen them for ftp, quake, and for netmeeting (see netmeetingmasq.sf.net).

Or, as someone suggested, you could use a VPN to connect two sites -- VPN's typically act as secure bridges, ie a connection down at layer 2, which is "under" all this layer-3 IP business. Of course, VPN's require a good deal of pre-configuration, which pretty much rules out connecting to a machine on an as-needed, ad-hoc basis.

So, back to masq modules. Of course...it couldn't be just that easy. :) Netmeeting uses a lot more than just H.323, it uses a whole mishmash of protocols: similar to how VNC uses TCP-port 5900, Netmeeting uses ports 389 (LDAP), 522 (ULP), 1503, 1720 (H.323 host call), and 1731 (MS ICCP). Phew. And that's just for control of *outgoing* calls: incoming calls and audio require a range of several thousand "dynamically assigned UDP ports". Yucko. More info at: http://support.microsoft.com/support/kb/ARTICLES/Q158/6/23.asp

In comparison...VNC uses a single TCP port, 5900, by default. You need exactly two rules in your NAT'ing firewall to make it work: one to allow the incoming connection to the external side of your firewall, and one to forward the packet into your LAN to the target machine. Many of the best (imo) developed apps are done in exactly this manner. Makes my life supporting a firewall script that much easier. :)

Hope this helps!

cheers,
Scott

> Date: Wed, 12 Dec 2001 08:32:51 -0500
> From: David Brodbeck <[EMAIL PROTECTED]>
> Subject: RE: Help me settle a friendly argument
>
> Unfortunately these ports are chosen more or less at random, which makes
> Netmeeting impossible to use through a firewall or NAT router unless you use
> some kind of VPN. VNC is relatively easy to punch through.
>
> - -----Original Message-----
> From: AceMiles, Inc. [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 11, 2001 10:29 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Help me settle a friendly argument
>
> One for sound, one for video, one for chat/whiteboard, and one for Desktop
> Share.
> <snip>

---------------------------------------------------------------------
To unsubscribe, mail [EMAIL PROTECTED] with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
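Scott's two points above (plain NAT rewrites the packet header but not an address the application embeds in the datagram, so H.323-style apps need a masq/ALG helper, while VNC only needs a single forwarded port) as an added toy model; this is not code from the list, echowall or netmeetingmasq, and the router address 203.0.113.1, LAN host 192.168.1.10, peer 198.51.100.7 and port numbers are constructed for illustration:

```python
import re
from collections import namedtuple

PUBLIC_IP = "203.0.113.1"  # constructed public address of the NAT router
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port payload", defaults=[""])


def is_private(ip: str) -> bool:  # RFC 1918: 10/8, 172.16/12, 192.168/16
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


class Nat:
    def __init__(self) -> None:
        self.next_port = 40000
        self.table = {}    # public port -> (lan ip, lan port): the router's state
        self.reverse = {}  # (lan ip, lan port) -> public port

    def _map(self, lan_ip: str, lan_port: int) -> int:  # allocate or reuse a public port
        key = (lan_ip, lan_port)
        if key not in self.reverse:
            self.reverse[key], self.table[self.next_port] = self.next_port, key
            self.next_port += 1
        return self.reverse[key]

    def forward(self, public_port: int, lan_ip: str, lan_port: int) -> None:
        """Static port-forward: the 'forward into the LAN' rule VNC needs."""
        self.table[public_port] = (lan_ip, lan_port)
        self.reverse[(lan_ip, lan_port)] = public_port

    def outbound(self, pkt: Packet, alg: bool = False) -> Packet:
        """Plain NAT rewrites the header only; an ALG also fixes embedded addresses."""
        pub_port = self._map(pkt.src_ip, pkt.src_port)
        payload = pkt.payload
        if alg:
            def fix(m):  # rewrite an embedded LAN ip:port and create state for it
                ip, port = m.group(1), int(m.group(2))
                return f"{PUBLIC_IP}:{self._map(ip, port)}" if is_private(ip) else m.group(0)
            payload = ADDR_RE.sub(fix, payload)
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, payload)

    def inbound(self, pkt: Packet):
        """Re-translate from state; anything without a state entry is dropped (None)."""
        if pkt.dst_ip != PUBLIC_IP or pkt.dst_port not in self.table:
            return None
        lan_ip, lan_port = self.table[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.payload)


def leaks_private_address(payload: str) -> bool:
    """Detection helper: does a payload still advertise an RFC 1918 address?"""
    return any(is_private(m.group(1)) for m in ADDR_RE.finditer(payload))
```

Without `alg=True` the peer is told to connect to 192.168.1.10:49152, an address it cannot reach, which is exactly the "dynamically assigned port" failure the thread describes; with the helper the advertised endpoint becomes the router's public address and a fresh state entry, so the return media packet is re-translated to the LAN host.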
