Exposing an internal resource to the public seems simple on the surface, but that is not the case with video conferencing systems.

Most providers are happy to sell you video border proxy devices which are fairly costly pieces of hardware that act as a gateway to your internal HD systems, but I could not see why we should not simply massage our firewall settings to make this work without the need for one.

If any of you are reading this because you have already tried to do such a thing and have ripped out most of your hair already, I feel your pain, but for the rest of you I will give some bullet points as to the main issues. Since this is a blog, I will try to keep this short.

Our internal setup

  • 1 HD Polycom unit in a branch office
  • 2 HD Polycom units in our primary office (one permanent installation, and the other on a cart)
  • Branch and primary office audio and video transmissions are carried by an internal point-to-point T1, and each location is on a different subnet.
  • Until the external exposure, the HD systems were 100% dedicated to internal communications between offices to provide greater collaboration and to cut down on travel (and they did both very well).

The issues

  • All HD traffic is to go out through our primary location via our E10 (the branch HD traffic goes via their subnet over the T1 and out through the E10 at the primary office)
  • H.323 is packet oriented and embeds the device's own IP address (an internal one) inside its signaling, not just in the IP header, so ordinary address translation leaves the internal address visible to the far end
  • We do not have a 'gateway' device to handle external transmission / reception of the internal HD systems
  • The systems need to remain internal to our firewall and therefore must remain on our subnet
  • Direct dedicated 1-to-1 NAT is required, and our firewalls (WatchGuard) are configured for Dynamic NAT.
  • Our firewalls do not fully support H.323 (very common in most that I have reviewed)

The options

When reviewing our internal configurations, and all the failed attempts at workarounds, I came to the conclusion that I either needed to:

  1. Put the HD systems outside our LAN
  2. Bypass our firewalls entirely and put them behind their own standalone basic router
  3. Split the firewall traffic between Dynamic NAT and 1-1 NAT

Option 1 has a few reasons why it is not desirable:

  1. Security, and unauthorized access (primary reason)
  2. Each location has a unit that can be moved from room to room (we would need to have "open" ports in any room it may be used in, which is very undesirable and impractical)
  3. Communications with the branch would now go over their basic SoHo ISP external lines which means poor resolution and/or choppy video.
  4. All internal HD meetings would go over public lines, some of which have monthly data limits, so usage would get pricey.

Option 2 was a contender...

Put a switch in front of the firewall, and run a separate line for each HD device to its own isolated, basic, cheap router. Set up the HD systems to be on the LAN but advertise a public IP (Polycom units can do this). There was one crippling problem with this option for us however — the branch office:

  1. Traffic inbound for the branch from the router setup in the primary office could not route from the E10 to the router, and then through the primary office subnet to the primary office's Cisco T1 endpoint over to the branch office's T1 endpoint and a different subnet. This just does not work by design, and I could find no cheat or workaround to double route in both directions like this.

Option 3 was the victor...

The Solution

Steps to make this work through a WatchGuard firewall (though I am sure most other firewalls would follow the same arrangement):

  1. Get additional IPs from the E10 ISP (free). I acquired three new IPs from our ISP to do this, as I needed dedicated / unshared IPs for this configuration, and by this stage I really did not want to mess around with any existing IPs on my firewalls, as they would have had to be removed from the configuration, etc.
  2. Log in to the primary office firewall (we have three) and launch "WFS Policy Manager." I used this firewall as opposed to the other ones we have because it is the one the primary office T1 endpoint points to for traffic coming from the branch T1 endpoint. I also used this one because it is connected to the ISP that I wanted to use for the traffic.
  3. Do not add these IPs to the Network External interface — I mention this because normally it would be the first thing I'd do with an additional IP.
  4. Go to NAT (in my case an x700 WSM 7.5 so Setup > NAT)
    1. Click Advanced on the NAT setup screen.
    2. Go to the 1-to-1 NAT Setup tab.
    3. Check "Enable 1-to-1 NAT" if it is not already checked, and click Add.
    4. Select external interface and 1 host to NAT.
      1. Enter your new external IP into "NAT base"
      2. Enter your HD device's internal LAN IP in Real Base
      3. When done, I had three 1-to-1 NATs set up, one for each HD device, each with a unique external IP.
    5. Click "Ok" and "Ok" to get back to the main WFS Policy Manager page.
  5. Create an H.323 Proxy in for each of your external IPs.
    1. Click + and, under Proxies, select H323, then Add. This will open ports 389, 1720, and 1503.
    2. Enable from "any" to the external IPs.
    3. Note: This is not a NAT, and yes, the "to" are the external IPs.
  6. Create an H.323 Proxy out from each of your HD devices internal IPs:
    1. This is just the same as inbound but in reverse.
  7. Create another filter rule for the remaining required ports:
    1. Create a new filter for the TCP and UDP ports you will statically set on the Polycom devices. In my case I used TCP 3230~3243 and UDP 3230~3285 as they were default.
    2. I also added IP ports 24, 46, and 64 for other reasons (optional).
    3. I did not add these port filters to the H323Proxy in rule as I had issues when they were combined. Keep them like this (as two separate firewall entries).
  8. That is it for the firewall — save your configuration and reboot the firewall when convenient.
  9. Configure your Polycom unit(s):
    1. Log in to your Polycom unit — either via the remote, or via the Web interface.
      1. The Web interface is much easier to use and I will show that method.
    2. Go to the "Admin Settings" tab.
      1. Select "IP Network" under the "Network" heading on the left.
    3. Under the "Firewall" heading in the main (right) pane, configure the settings as follows:
      1. Check "Fixed Ports" and set the TCP and UDP range to the ports you used for the firewall filter.
      2. Ensure that "H.460 Firewall Traversal" is unchecked.
      3. Set "NAT Configuration" to "Manual."
      4. Enter the public IP you used in the firewall configuration that was intended for this unit into the "NAT Public (WAN) Address" field.
      5. Uncheck "NAT is H.323 Compatible" as it will not work if you do.
      6. Display the Public IP in the Global Directory.
      7. Select "Update."
    4. Go to "LAN Properties" under "Network" on the left-hand side (accept the certificate warning if given).
      1. Set your internal IP (IPv4) that you configured for this unit in the firewall.
      2. Ensure that "Default Gateway" is pointing to the firewall.
      3. Press "Update" and reboot.
  10. Test your Polycom unit (or other HD unit if not Polycom). You can find test numbers from Polycom here. Keep in mind that most of these test numbers are not working, at least in my experience, so be sure to try each one until one works.
  11. Done!
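The firewall steps and the Polycom steps above have to agree with each other (one public IP per unit, the NAT real base equal to the unit's LAN IP, a proxy-in rule per public IP, the unit's fixed ports inside the firewall filter, H.460 and "NAT is H.323 Compatible" off). The following is an added consistency check for such a plan, written for this post and not WatchGuard or Polycom tooling; the IPs are constructed placeholders, while the port numbers are the post's own.

```python
"""Consistency check for the 1-to-1 NAT / H.323 proxy / Polycom fixed-port plan.
Added example, not WatchGuard or Polycom tooling; IPs are constructed
placeholders (203.0.113.0/24 and 10.0.0.0/8), port numbers are the post's own."""
from dataclasses import dataclass

@dataclass
class PolycomUnit:
    name: str
    lan_ip: str            # "LAN Properties" IPv4 address
    nat_public_ip: str     # "NAT Public (WAN) Address"
    tcp_ports: tuple       # "Fixed Ports" TCP range (low, high)
    udp_ports: tuple       # "Fixed Ports" UDP range (low, high)
    h460_enabled: bool = False
    nat_h323_compatible: bool = False

def covers(filter_range, unit_range):
    return filter_range[0] <= unit_range[0] and unit_range[1] <= filter_range[1]

def check_plan(nat_map, proxy_in_targets, tcp_filter, udp_filter, units, external_if_ips=()):
    """Return a list of findings; an empty list means the firewall and units agree."""
    findings, seen_public = [], set()
    for u in units:
        if u.nat_public_ip not in nat_map:
            findings.append(f"{u.name}: no 1-to-1 NAT entry for {u.nat_public_ip}")
        elif nat_map[u.nat_public_ip] != u.lan_ip:
            findings.append(f"{u.name}: NAT real base {nat_map[u.nat_public_ip]} != LAN IP {u.lan_ip}")
        if u.nat_public_ip in seen_public:
            findings.append(f"{u.name}: public IP {u.nat_public_ip} already used by another unit")
        seen_public.add(u.nat_public_ip)
        if u.nat_public_ip in external_if_ips:   # step 3: keep them off the external interface
            findings.append(f"{u.name}: {u.nat_public_ip} must not be bound to the external interface")
        if u.nat_public_ip not in proxy_in_targets:
            findings.append(f"{u.name}: no H.323 proxy-in rule with 'to' = {u.nat_public_ip}")
        if not covers(tcp_filter, u.tcp_ports):
            findings.append(f"{u.name}: fixed TCP {u.tcp_ports} not covered by filter {tcp_filter}")
        if not covers(udp_filter, u.udp_ports):
            findings.append(f"{u.name}: fixed UDP {u.udp_ports} not covered by filter {udp_filter}")
        if u.h460_enabled or u.nat_h323_compatible:
            findings.append(f"{u.name}: H.460 traversal and 'NAT is H.323 Compatible' must both be unchecked")
    return findings

# Constructed plan mirroring the post: three units, one dedicated public IP each.
NAT_MAP = {"203.0.113.10": "10.0.1.50", "203.0.113.11": "10.0.1.51", "203.0.113.12": "10.0.2.50"}
UNITS = [PolycomUnit("primary-fixed", "10.0.1.50", "203.0.113.10", (3230, 3243), (3230, 3285)),
         PolycomUnit("primary-cart", "10.0.1.51", "203.0.113.11", (3230, 3243), (3230, 3285)),
         PolycomUnit("branch", "10.0.2.50", "203.0.113.12", (3230, 3243), (3230, 3285))]

def audit(units=UNITS, external_if_ips=()):
    # Proxy-in targets are exactly the NAT'd public IPs; filter ranges are the post's defaults.
    return check_plan(NAT_MAP, set(NAT_MAP), (3230, 3243), (3230, 3285), units, external_if_ips)
```

Running audit() on the constructed plan returns an empty list; a unit whose LAN IP, fixed ports or traversal settings drift from the firewall side produces one finding per mismatch.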