09999/2106 Practical Experiences Overcoming Firewalls and Limited Bandwidth for H.323 Video...

Date post: 27-Mar-2015
Page 1: 09999/2106 Practical Experiences Overcoming Firewalls and Limited Bandwidth for H.323 Video Conferencing AREN.

09999/2106

Practical Experiences Overcoming Firewalls and Limited Bandwidth for H.323 Video Conferencing

AREN

Page 2

AREN Quick Overview

• Multiple Star Network
 – Stars originate at the hub sites, and hubs are connected by a North-South backbone

• DS3/Partial OC-3 backbone

• DS1 (T1) or Multiple T1 to clients

• Multiple Internet access points (DS3+)

Page 3

So What’s the Problem?

• H.323 based VTC systems are increasingly used for K-20 distance learning

• Many Education Networks have limited bandwidth connections with little funding for upgrades

• Most school system networks (many University Networks) are behind firewalls and NAT

Page 4

The Small Pipe Issue

• In Alabama, most schools connect to their system’s network (and then the Internet) through point to point DS1 (T1s) – 1.5Mbps

• A single H.323 VTC connection with decent quality uses 384kbps (+overhead)

• Conservative Rule of Thumb recommended by Cisco is 20% overhead ~460kbps

• So… a single H.323 session at 384kbps uses almost 1/3 of a T1 line (for design purposes)

• And the real problem… most large schools already fill the pipe with Internet traffic alone

Page 5

The Huntsville Example

[Network diagram: Huntsville BOE Office (Layer3Switch, PIX) connected over a T1 to the AREN NOC (100 Mbps Full, MCU); legend: = QoS Aware]

Page 6

Where did we enable QoS?

• Schools were not using VLANs and most had no QoS support at the LAN level
 – So no CoS (802.1p) could be used

• QoS enabled using DSCP tagging and CBWFQ on routers and layer 3 switches
 – Differentiated Services Code Point (DSCP)
 – Class-Based Weighted Fair Queueing (CBWFQ)

• Traffic is classified and tagged at routers based on source/destination IP address

Page 7

Cisco Router Config Example

class-map match-all VTC-hosts
 match access-group name VTC-list
!
policy-map QoS-VTC
 class VTC-hosts
  bandwidth percent 50
  set ip dscp ef
 class class-default
  fair-queue
!
ip access-list extended VTC-list
 ! The first two entries trust markings already on the packet: any host
 ! that sends with precedence critical or DSCP EF lands in VTC-hosts.
 permit ip any any precedence critical
 permit ip any any dscp ef
 ! The VTC endpoint itself is matched by address in both directions.
 permit ip any host 192.168.2.20
 permit ip host 192.168.2.20 any
!
interface FastEthernet0/0
 description School LAN
 bandwidth 100000
 ip address 192.168.2.1 255.255.255.0
 speed 100
 full-duplex
 service-policy output QoS-VTC
!
interface Serial0/0
 description to Core Router
 bandwidth 1544
 ip address 172.20.2.2 255.255.255.252
 service-policy output QoS-VTC
!
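An added example, not code from the AREN slides or from Cisco: a small Python evaluator that applies the VTC-list entries above with IOS first-match semantics and the implicit deny at the end, so you can check which traffic the class-map VTC-hosts admits and what the policy-map does with it. It goes one step past the slide by also evaluating a host-only variant of the list; all addresses other than 192.168.2.20 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address

DSCP_EF = 46         # Expedited Forwarding = 0b101110
PREC_CRITICAL = 5    # IP precedence "critical"; precedence is the top 3 bits of DSCP


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = 0    # DSCP as received on the wire (0 = best effort)


# The slide's access list, one tuple per "permit ip ..." entry:
# (src_match, dst_match, precedence, dscp); "any" matches every address.
VTC_LIST = [
    ("any", "any", PREC_CRITICAL, None),     # permit ip any any precedence critical
    ("any", "any", None, DSCP_EF),           # permit ip any any dscp ef
    ("any", "192.168.2.20", None, None),     # permit ip any host 192.168.2.20
    ("192.168.2.20", "any", None, None),     # permit ip host 192.168.2.20 any
]

# Hypothetical variant that drops the two marking-trusting entries, so only the
# VTC endpoint's own address decides class membership.
HOST_ONLY = VTC_LIST[2:]


def _addr_match(spec, addr):
    return spec == "any" or ip_address(spec) == ip_address(addr)


def acl_permits(pkt, acl=VTC_LIST):
    """Index of the first matching entry, or None for the implicit deny."""
    for i, (src, dst, prec, dscp) in enumerate(acl):
        if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
            continue
        if prec is not None and (pkt.dscp >> 3) != prec:
            continue
        if dscp is not None and pkt.dscp != dscp:
            continue
        return i
    return None


def classify(pkt, acl=VTC_LIST):
    """Mirror policy-map QoS-VTC: matched traffic is re-marked EF in VTC-hosts,
    everything else stays in class-default (fair-queue) with its marking untouched."""
    if acl_permits(pkt, acl) is None:
        return ("class-default", pkt.dscp)
    return ("VTC-hosts", DSCP_EF)
```

With the slide's list, a LAN host that sets EF (or any precedence-5 value) on its own packets matches entry 0 and shares the 50% reservation; with HOST_ONLY it falls through to class-default.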

Page 8

QoS Through Firewalls?

• Most (all?) firewalls offer no support for QoS guarantees

• The official Cisco comment is that their PIX is so fast there is no congestion

• The PIX firewall does not alter DSCP tagged packets (so QoS can be done on either side of the PIX)

Page 9

Problems With Firewalls (and NAT)

• H.323 uses multiple TCP connections and UDP ports simultaneously for VTC

• The H.323 standard assigns ports dynamically from 1024 to 65535

• During call setup, the IP address of the calling party is sent to the called party in the payload (data field) of the IP packet, not the header, so NAT can’t translate it

Page 10

Solutions to the Firewall Problem

• Don’t NAT H.323 clients
 – Well… what’s the firewall doing then?
 – May or may not open the H.323 client to all ports
  • Probably not a good idea to open everything!

• NAT H.323 and rely on the client to be “smart” enough to work through the firewall/NAT
 – A Polycom client can be told to use specific ports. The client can also be configured to know its real “outside address” and can use this address in handshaking

• NAT H.323 and rely on the firewall to be “smart” enough to work everything out
 – Application Proxy etc.

• Use an additional device to perform the Application Proxy
 – May be useful when deploying a standard solution across diverse networks

Page 11

What do you mean “Don’t NAT”?

• If public IP space is available, you could form small public subnets at each site in parallel with the privately addressed network

• Firewall could pass these addresses on into the Internet without NATing

• Client would need to predefine which TCP/UDP ports will be used so they can be opened through the firewall
 – Otherwise all ports above 1024 would have to be opened (back to… why have a firewall?)

Page 12

NAT with a “Smart” Client

• PAT won’t work, but NAT can work with a “smart” client
 – I mean true one-to-one static NAT here (1 public to 1 private)

• Example: Polycom clients have settings in their QoS menu that allow pre-definition of the client’s outside (public) address. There is a check box that says “this client is behind NAT”

• Polycom units also allow pre-definition of TCP/UDP ports used – default is 3230-3235

• No application proxy (or fixup) would be configured on the firewall.

• Pre-defined data ports and TCP 1720 (call setup) would be allowed to the statically NATed addresses of the clients

• This method was used for Shelby County schools due to old software version on their PIX firewall.
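An added example, not from the AREN slides or from Polycom or Cisco: a Python model of the inbound firewall policy the “smart client” approach needs, i.e. one-to-one static NAT plus explicit permits for TCP 1720 (call setup) and the Polycom default data ports 3230-3235, with no H.323 fixup or proxy doing the work. The public address 203.0.113.20 and the NAT table are constructed.

```python
from ipaddress import ip_address

CALL_SETUP_PORT = 1720
DATA_PORTS = range(3230, 3236)   # Polycom default 3230-3235, inclusive

# Constructed static (one-to-one) NAT table: public address -> private VTC client.
STATIC_NAT = {
    "203.0.113.20": "192.168.2.20",
}


def required_rules(nat=STATIC_NAT):
    """Enumerate the explicit inbound permits a firewall without H.323
    snooping needs for each statically NATed client:
    (protocol, public address, first port, last port)."""
    rules = []
    for pub in nat:
        rules.append(("tcp", pub, CALL_SETUP_PORT, CALL_SETUP_PORT))
        rules.append(("tcp", pub, DATA_PORTS.start, DATA_PORTS[-1]))
        rules.append(("udp", pub, DATA_PORTS.start, DATA_PORTS[-1]))
    return rules


def inbound_decision(proto, dst_pub, dst_port, nat=STATIC_NAT):
    """Decide whether an unsolicited inbound packet (a call from outside) is
    passed, and to which private address it is translated.

    Returns (allowed, translated_dst). Only the pinned ports are open; the
    dynamic 1024-65535 range H.323 could otherwise pick is dropped, which is
    exactly why the client has to be told which ports to use.
    """
    dst_pub = str(ip_address(dst_pub))
    for r_proto, r_pub, lo, hi in required_rules(nat):
        if proto == r_proto and dst_pub == r_pub and lo <= dst_port <= hi:
            return (True, nat[r_pub])
    return (False, None)
```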

Page 13

Polycom Setup Example

Page 14

NAT with a “Smart” Firewall

• Firewall must either serve as an H.323 Application proxy or somehow snoop the H.323 setup (looking at all the handshaking)

• Cisco PIX version 6.14 and up supports an H.323 “fixup protocol” that overcomes the NAT and port problems by snooping.

• Some PIX versions prior to 6.14 have an “H.323 fixup protocol” but it will only work with Netmeeting, CUSeeMe, etc…

• Even with snooping the call setup port 1720 must be opened to allow calls originating from the outside

Page 15

Additional Application Proxy

• Most new firewall versions support some form of Application Proxy or snooping
 – ISA Microsoft Proxy
 – Checkpoint
 – Firebox

• New interesting concept (read about but not driven)
 – Ridgeway Systems
