Dear Professor Phil,
We’ve encountered a problem when getting video conferencing calls established through our firewall. A consultant solved the problem but I don’t understand how his changes eliminated the difficulty. The calls used H.323 and he indicated that he made the firewall H.323 aware. What does that mean?
Kyra, Tampa Fl
Some protocols create a particular problem to conventional firewall operation because they list the IP address in some part of the packet other than the IP header. Of course, the IP header must carry the source and destination IP addresses in order that the packet can be properly routed. But in part of the H.323 protocol, the IP address of the endpoint making the call may also be listed twice. First, it’s in the IP header, in order that the packet can be routed properly. Then, it’s written again in the H.323 part of the packet, which will appear after the TCP header. Here it is used to define the address/port combination to which the voice packets will be delivered. H.323 uses multiple ports for this purpose.
Under normal operation, the firewall might be doing network address translation in order to protect the identity of corporate devices. In this process, an address such as 10.3.4.5 could be changed to a registered address that would be routed on the Internet. However, unless the router is configured at the factory or by an engineer managing the firewall, the second address may not be changed. Consequently, a packet may arrive at a gateway or H.323 server with a mismatch between the IP header address and the H.323 address. An unpredictable behavior, like discarding the packet, could be the consequence.
To address this issue most modern firewalls allow for a rule that looks for a second appearance of the IP address and makes sure that any secondary appearance of the address matches the one in the IP header. Your consultant likely added such a rule to the firewall.
Phil Hippensteel, PhD, is a professor of information systems at Penn State Harrisburg.