Movi registration through VPN connection

Darren McKinnon
Level 1

I am trying to determine what ports need to be opened on a firewall to allow a movi client to register to my VCS-Control through a VPN connection.  This is what I am thinking.  Did I miss anything?

[Attachment: Ports for VPN.jpg]

4 Replies

aostense
Level 1

Hi Darren,

Please take a look at the pictures below:

The RTP stream will normally use 2 ports (one for video and one for audio).

The RTCP stream will normally use 2 ports (one to control video and one to control audio).

The SIP signaling will use one port (to 5060 (tcp) or 5061 (tls)).

BTW: Please note if you experience any problems with Movi over VPN, it’s usually a problem with the MTU size. The default MTU for most networks is configured to 1500 bytes. If you have set a lower MTU value than 1500 bytes on the VPN tunnel, Movi can get intermittent problems as the fragments won’t be packed as efficiently as for a network with 1500 bytes set for MTU.

Movi uses a 1300-byte MTU + headers (about 1356 bytes in total). You can define your own Movi MTU size in the Windows registry, if necessary.

Let me know if you have any questions.

Hope this helps,

Arne

So my plan is to have the Movi client register to the VCS Control.  The ephemeral ports in the diagrams you show are not listed in the firewall documents I have been reading.  What port range needs to be added to the firewall rules and in what direction to make this work?

The signaling ephemeral port for Movi (from Movi to VCS) could be any port between 1024 and 65535, going to either 5060 (SIP) or 5061 (SIP Secure). The port selection will be determined by the operating system, e.g. Windows.

Normally, these ephemeral ports won’t need to be specified in your firewall (as it’s outbound traffic).
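To make Arne's description concrete, here is an added example (not from the thread or from Cisco) that classifies sample flows against the rules he describes and checks whether Movi's 1300-byte MTU plus headers fits a given VPN tunnel MTU. The VCS Control address, VPN client pool and Movi media port range are assumed placeholders; the SIP ports, the 1024-65535 ephemeral range and the 1300/1356-byte MTU figures come from the replies above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders (not from the thread): the VCS Control address, the
# VPN client pool and the Movi media port range. Substitute your own values.
VCS_C = ip_address("10.0.0.10")
VPN_POOL = ip_network("10.8.0.0/24")
MEDIA_PORTS = range(56000, 56004)        # 2 RTP + 2 RTCP ports per call (assumed range)
# Values stated in the thread:
SIP_PORTS = {5060: "tcp", 5061: "tls"}   # signaling, always client -> VCS
EPHEMERAL = range(1024, 65536)           # OS-chosen client source ports
MOVI_MTU = 1300                          # Movi's own MTU setting
MOVI_FRAME = 1356                        # roughly what leaves the NIC once headers are added


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def classify(f: Flow) -> str:
    """Name the rule that should permit this flow, or 'deny' if none does."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    # Signaling: TCP from an ephemeral port on a VPN client to the VCS-C only.
    if (f.proto == "tcp" and src in VPN_POOL and dst == VCS_C
            and f.sport in EPHEMERAL and f.dport in SIP_PORTS):
        return f"allow-sip-{SIP_PORTS[f.dport]}"
    # Media: UDP where the VPN client's side uses its Movi media range. The far
    # end (VCS-C or another endpoint) is not pinned down, only the client side.
    if f.proto == "udp":
        if src in VPN_POOL and f.sport in MEDIA_PORTS:
            return "allow-media-out"
        if dst in VPN_POOL and f.dport in MEDIA_PORTS:
            return "allow-media-in"
    return "deny"


def fragments_on_tunnel(tunnel_mtu: int) -> bool:
    """True when a Movi packet (1300-byte MTU plus headers, ~1356 bytes) does
    not fit the VPN tunnel MTU and gets fragmented, the case Arne warns about."""
    return MOVI_FRAME > tunnel_mtu


if __name__ == "__main__":
    for flow in (Flow("tcp", "10.8.0.5", 51234, "10.0.0.10", 5061),
                 Flow("udp", "10.0.0.20", 40000, "10.8.0.5", 56001),
                 Flow("tcp", "10.8.0.5", 51234, "10.0.0.11", 5061)):
        print(flow, "->", classify(flow))
    for mtu in (1500, 1400, 1300):
        print(f"tunnel MTU {mtu}: fragments={fragments_on_tunnel(mtu)}")
```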

Martin Koch
VIP Alumni

Hello Darren!

First of all, yes, it's absolutely possible to run Movi in a firewalled environment on VPN clients.

but (as Arne also remarked)

* check your MTU settings

* double load of encrypting traffic on computers with a vpn client will occur (one for the movi/jabber media encryption and then again for the vpn)

* a whole range of ports needs to be open to many internal video sites

You can picture it like this: the signalling (port 5061 / 5060) will always go towards the VCS.

Media on some calls can come from the VCS-C, but in the case of a "local call" media will come directly from the remote site to the client, and the remote site is not only Movi, it's everything like other Movi/Jabber clients, endpoints, Lync/MOC clients (if you do not use the B2BUA), MCUs, ...

Often you do not have control over the port ranges used on the remote endpoints, so you might end up having to open ports from the Movi RTP range to 1024-65535.

But this is all dependent on your setup and your security demands.

If this is a bit "chatty" for you, you could always consider deploying an extra VCS-E, also inside your organization, with or without using your VPN on top.

This would give you full and easy control over how the traffic is flowing, as the Movi/Jabber client will only talk to the VCS-E for signalling and media, and the VCS-E will talk to the rest of your network.

Martin

Please remember to rate helpful responses and identify
