03-07-2012 06:20 AM - edited 03-17-2019 02:15 PM
I am trying to determine what ports need to be opened on a firewall to allow a movi client to register to my VCS-Control through a VPN connection. This is what I am thinking. Did I miss anything?
03-07-2012 06:43 AM
Hi Darren,
Please take a look at the pictures below:
The RTP stream will normally use 2 ports (one for video and one for audio).
The RTCP stream will normally use 2 ports (one to control video and one to control audio).
The SIP signaling will use one port (to 5060 (tcp) or 5061 (tls)).
BTW: Please note if you experience any problems with Movi over VPN, it’s usually a problem with the MTU size. The default MTU for most networks is configured to 1500 bytes. If you have set a lower MTU value than 1500 bytes on the VPN tunnel, Movi can get intermittent problems as the fragments won’t be packed as efficiently as for a network with 1500 bytes set for MTU.
Movi uses an MTU of 1300 bytes plus headers (about 1356 bytes in total). You can define your own Movi MTU size in the Windows registry, if necessary.
Let me know if you have any questions.
Hope this helps,
Arne
03-07-2012 06:56 AM
So my plan is to have the Movi client register to the VCS Control. The ephemeral ports in the diagrams you show are not listed in the firewall documents I have been reading. What port range needs to be added to the firewall rules and in what direction to make this work?
03-07-2012 07:01 AM
The signalling ephemeral port for Movi (from Movi to VCS) could be any port between 1024 and 65535, going to either 5060 (SIP) or 5061 (SIP Secure). The port selection will be determined by the operating system, e.g. Windows.
Normally, these ephemeral ports won’t need to be specified in your firewall (as it’s outbound traffic).
03-07-2012 02:28 PM
Hello Darren!
First of all, yes, it's absolutely possible to run Movi in a firewalled environment on VPN clients.
But (as Arne also remarked):
* check your MTU settings
* a double load of encrypting traffic will occur on computers with a VPN client (once for the Movi/Jabber media encryption and then again for the VPN)
* a whole range of ports needs to be open to many internal video sites
You can picture it like this: the signalling (port 5061/5060) will always go towards the VCS. Media on some calls can come from the VCS-C, but in the case of a "local call" media will come directly from the remote site to the client, and the remote site is not only Movi, it's everything: other Movi/Jabber clients, endpoints, Lync/MOC clients (if you do not use the B2BUA), MCUs, ...
Often you do not have control over the port ranges used on the remote endpoints, so you might end up having to open from the Movi RTP range to 1024-65535.
But this is all dependent on your setup and your security demands.
If this is a bit "chatty" for you, you could always consider deploying an extra VCS-E, also inside your organization, with or without using your VPN on top.
This would give you full and easy control over how the traffic is flowing, as the Movi/Jabber client will only talk to the VCS-E for signalling and media, and the VCS-E will talk to the rest of your network.
Martin
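To make the flows from Arne's and Martin's replies concrete, here is an added example (not from the thread, and not Cisco code) that models the firewall policy a Movi-over-VPN deployment needs: SIP signalling from the client's ephemeral port to 5060/5061 on the VCS, media to and from the VCS-C, and media to and from internal video endpoints on "local" calls, where the remote side's port range is unknown and so is treated as 1024-65535. It also encodes the MTU figures Arne quotes (1300-byte payload, about 1356 bytes on the wire) as a fit check against a tunnel MTU. The VCS address 10.0.0.10, the VPN client subnet 10.200.0.0/16, the internal video subnet 10.50.0.0/16 and the client media range 50000-50499 are all hypothetical assumptions; replace them with your own values.

```python
"""
Firewall policy model for a Movi / Jabber Video client that registers to a
VCS Control over a VPN, following the flows described in the thread above.

Added example, not Cisco code. Assumed values (all hypothetical): the VCS
Control is 10.0.0.10, VPN clients sit in 10.200.0.0/16, internal video
endpoints sit in 10.50.0.0/16, and the client's RTP/RTCP range is
50000-50499. Check the real client configuration for the media range.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)   # source ports the OS picks, as noted in the thread

# MTU figures quoted in the thread: Movi sends 1300-byte payloads, about 1356
# bytes with headers. The 56-byte overhead is derived from those two numbers.
MOVI_PAYLOAD_MTU = 1300
MOVI_HEADER_OVERHEAD = 56


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src_net: str
    sports: tuple   # inclusive (low, high)
    dst_net: str
    dports: tuple

    def matches(self, flow):
        return (flow.proto == self.proto
                and ip_address(flow.src) in ip_network(self.src_net)
                and self.sports[0] <= flow.sport <= self.sports[1]
                and ip_address(flow.dst) in ip_network(self.dst_net)
                and self.dports[0] <= flow.dport <= self.dports[1])


def build_policy(vpn_clients="10.200.0.0/16", vcs="10.0.0.10",
                 media_range=(50000, 50499), internal_video=("10.50.0.0/16",),
                 tls_only=True):
    """Rules for the three flow types in the thread: signalling to the VCS,
    media to/from the VCS-C, and media to/from internal endpoints on
    "local" calls. Both media directions are listed explicitly; a stateful
    firewall may let you drop the reverse-direction rules."""
    sip_ports = (5061, 5061) if tls_only else (5060, 5061)
    rules = [
        Rule("sip-signalling-to-vcs", "tcp", vpn_clients, EPHEMERAL, vcs, sip_ports),
        Rule("media-to-vcs", "udp", vpn_clients, media_range, vcs, EPHEMERAL),
        Rule("media-from-vcs", "udp", vcs, EPHEMERAL, vpn_clients, media_range),
    ]
    for net in internal_video:
        rules.append(Rule(f"media-to-{net}", "udp", vpn_clients, media_range, net, EPHEMERAL))
        rules.append(Rule(f"media-from-{net}", "udp", net, EPHEMERAL, vpn_clients, media_range))
    return rules


def evaluate(rules, flow):
    """Name of the first rule permitting the flow, or None (default deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name
    return None


def to_iptables(rules, chain="FORWARD"):
    """Render the rules as iptables entries for NEW connections only;
    return traffic is expected to be handled by conntrack."""
    lines = []
    for r in rules:
        lines.append(
            f"iptables -A {chain} -p {r.proto} -s {r.src_net} "
            f"--sport {r.sports[0]}:{r.sports[1]} -d {r.dst_net} "
            f"--dport {r.dports[0]}:{r.dports[1]} "
            f"-m conntrack --ctstate NEW -j ACCEPT  # {r.name}")
    return lines


def fits_tunnel(tunnel_mtu):
    """True if a full-size Movi media packet fits the VPN tunnel MTU without
    fragmentation, using the sizes quoted in the thread."""
    return MOVI_PAYLOAD_MTU + MOVI_HEADER_OVERHEAD <= tunnel_mtu


if __name__ == "__main__":
    policy = build_policy()
    for line in to_iptables(policy):
        print(line)
    # constructed sample flows: a TLS registration and media from an internal endpoint
    print(evaluate(policy, Flow("tcp", "10.200.5.7", 51234, "10.0.0.10", 5061)))
    print(evaluate(policy, Flow("udp", "10.50.1.20", 30002, "10.200.5.7", 50010)))
    print(fits_tunnel(1400), fits_tunnel(1340))
```

The wide `--dport 1024:65535` on the media-to-internal rules is exactly the cost Martin describes: without control over remote endpoints' port ranges you cannot narrow it, which is the argument for an internal VCS-E that terminates all client media on one known address. Keep `tls_only=True` unless you have endpoints that cannot do SIP over TLS, so the firewall never admits cleartext SIP on 5060.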