Important: The contents of this page are only relevant for StarLeaf customers from the United Kingdom’s National Health Service (“NHS”), who have previously discussed the usage of the StarLeaf Point of Presence on the Health and Social Care Network (“the HSCN”) with a StarLeaf Sales Representative.

Introduction

StarLeaf operates a Point of Presence (“PoP”) on the HSCN in the United Kingdom. Any NHS customer of StarLeaf has the option to be hosted on this PoP.

The PoP has two network interfaces referred to as “Border Controllers” for the purposes of this guide:

  • One Border Controller routes through the public internet
  • One Border Controller routes through the HSCN

NHS customers can choose to route through the public internet Border Controller only, or through both Border Controllers.

They cannot route through the HSCN Border Controller alone, because that would prevent connections from home and mobile users and would remove redundancy.

The diagram below shows how this can work in a typical configuration scenario.

DNS rules required for routing traffic through the StarLeaf HSCN Border Controller

| Domain name | DNS record type | IP address |
|---|---|---|
| config.starleaf.com | A | 212.196.252.230 |
| dns-hscn-live.starleaf.com | A | 212.196.252.229 |

Network routing

StarLeaf endpoint and H.323 (if applicable) video traffic needs to route from the relevant endpoints to the subnet of the StarLeaf PoP on the HSCN.

| Rule type | Traffic type | Destination IP subnet | Destination network |
|---|---|---|---|
| Static route | All | 212.196.252.224/29 | N3 / HSCN |

Firewall configuration for StarLeaf Endpoints (with example)

For StarLeaf endpoints to be able to access the StarLeaf platform, certain ports must be reachable for outbound connections through your firewall to the public internet and to the HSCN. It is not necessary to open any ports for inbound connections.

The port requirements are the same whether you are installing the StarLeaf app or a hardware endpoint. Most firewalls operating at a normal level of security already meet them.

| Source Host | Source Port | Destination Host | Destination Port | Description |
|---|---|---|---|---|
| StarLeaf app and meeting room StarLeaf endpoints | >1024 | config.starleaf.com / 89.202.39.64/26, 80.231.134.0/26, 72.28.120.32/27, 72.28.118.192/27 | TCP 443 | StarLeaf authentication and automatic service discovery |
| StarLeaf app and meeting room StarLeaf endpoints | >1024 | <example>.call.sl (routed publicly: 46.235.173.64/27; routed via HSCN: 212.196.252.224/29) | TCP 443 | StarLeaf tunnel for registration, provisioning, call signaling, and media |
| StarLeaf app and meeting room StarLeaf endpoints | >1024 | <example>.call.sl (routed publicly: 46.235.173.64/27; routed via HSCN: 212.196.252.224/29) | UDP 24704 | StarLeaf tunnel for registration, provisioning, call signaling, and media |


Firewall configuration for registered H.323 endpoints (with example)

If the endpoint is on a private IP network (behind NAT), it must use the H.460 protocol to traverse its firewall and connect to StarLeaf. Some endpoints use H.460 automatically, while others only do so when configured to. H.460 allows multiple H.323 endpoints to connect to StarLeaf from behind a single NAT gateway and provides an excellent firewall traversal solution for audio, video, and content channels.

There are some other network conditions that have to be met for the H.460 protocol to work properly. Here are the key points to check:

  • The firewall needs to allow outbound connections from all your H.323 endpoints to the DNS host name of your StarLeaf gatekeeper. The StarLeaf Portal provides you with this hostname when you configure the endpoint on the Portal. Some older endpoints require this to be entered as a dotted decimal IP address, and will not accept a DNS hostname. In this case, ping <your organization name>.call.sl to find out the IP address that it resolves to. This IP address can occasionally change for StarLeaf operational reasons, so you should advise StarLeaf Support if you have to enter the IP address so that we can let you know if we ever have to change it
  • In any H.323 endpoint or firewall configuration where you need to specify your StarLeaf gatekeeper, use its DNS name if possible, and not its IP address. This is because the DNS name never changes but, as described above, the IP address to which it resolves can change from time to time for StarLeaf operational reasons. Some devices only allow you to enter the IP address. In this case, inform StarLeaf Support so that we can advise you whenever it changes
  • The StarLeaf gatekeeper ports to which your H.323 endpoints connect are listed in the table below. If in doubt, simply allow outbound connections to all TCP and UDP ports on your StarLeaf gatekeeper
| Source Host | Source Port | Destination Host | Destination Port | Description |
|---|---|---|---|---|
| H.323 room systems (Polycom Series endpoints, Cisco Series endpoints) | >1024 | <example>.call.sl (routed publicly: 46.235.173.64/27; routed via HSCN: 212.196.252.224/29) | UDP 1719 | H.225 RAS (Registration, Admission, and Status) |
| H.323 room systems (Polycom Series endpoints, Cisco Series endpoints) | >1024 | <example>.call.sl (routed publicly: 46.235.173.64/27; routed via HSCN: 212.196.252.224/29) | TCP 1720 | H.225 call signaling |
| H.323 room systems (Polycom Series endpoints, Cisco Series endpoints) | >1024 | <example>.call.sl (routed publicly: 46.235.173.64/27; routed via HSCN: 212.196.252.224/29) | TCP 1721 | H.225 call signaling |
| H.323 room systems (Polycom Series endpoints, Cisco Series endpoints) | >1024 | <example>.call.sl (routed publicly: 46.235.173.64/27; routed via HSCN: 212.196.252.224/29) | UDP 1722 | H.225 RAS (Registration, Admission, and Status) |
| H.323 room systems (Polycom Series endpoints, Cisco Series endpoints) | >1024 | <example>.call.sl (routed publicly: 46.235.173.64/27; routed via HSCN: 212.196.252.224/29) | TCP 10,000 – 10,199 | H.245 call signaling |
| H.323 room systems (Polycom Series endpoints, Cisco Series endpoints) | >1024 | <example>.call.sl (routed publicly: 46.235.173.64/27; routed via HSCN: 212.196.252.224/29) | UDP 16384 – 24576 | RTP media |
  • H.323 endpoints should have any NAT settings (where you enter the public IP address of your gateway onto the endpoint itself) disabled. The purpose of these settings is to assist firewall traversal, but they can interfere with proper operation of the H.460 protocol
  • Firewalls should have any H.323-aware mode (ALG/Application-layer gateway for H.323) disabled. For more information on ALGs and how to disable them, refer to Disabling ALGs
  • The StarLeaf directory service ports to which your H.323 endpoints connect are listed in the table below. If in doubt, simply allow outbound connections to all TCP and UDP ports at directory.starleaf.com. You will only need to open one of TCP 389 or TCP 636; this is endpoint specific. For Poly endpoints, the server port is 389; for Lifesize endpoints it is 636

directory.starleaf.com is a public address and is not hosted on the HSCN.

| Source host | Source port | Destination host | Destination port | Description |
|---|---|---|---|---|
| Internal H.323 endpoint | Ephemeral | directory.starleaf.com | TCP 80 | HTTP directory sync |
| Internal H.323 endpoint | Ephemeral | directory.starleaf.com | TCP 443 | HTTPS directory sync |
| Internal H.323 endpoint | Ephemeral | directory.starleaf.com | TCP 389 | LDAP directory sync |
| Internal H.323 endpoint | Ephemeral | directory.starleaf.com | TCP 636 | LDAP directory sync |
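The DNS, routing and firewall tables above can be turned into a small egress-policy model that a network team can run offline when reviewing a configuration. The following Python is an added example written for this page, not StarLeaf tooling or anything from the original article: it encodes the documented destination ranges and port rules for StarLeaf endpoints, registered H.323 endpoints and the directory service, reports which Border Controller a resolved address will traverse (HSCN, via the static route, or public), flags resolver answers that do not match the required HSCN DNS records, and classifies sample flows. The resolver answers and flows at the bottom are constructed, and 203.0.113.10 is a placeholder address standing in for directory.starleaf.com, whose IP the page does not give.

```python
"""Egress-rule model built from the tables on this page (constructed example, not StarLeaf tooling)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Union

# Destination ranges copied from the page's tables.
HSCN_POP = ip_network("212.196.252.224/29")       # static-route target; the HSCN Border Controller
PUBLIC_CALL_SL = ip_network("46.235.173.64/27")   # <example>.call.sl when routed publicly
CONFIG_RANGES = tuple(ip_network(n) for n in (
    "89.202.39.64/26", "80.231.134.0/26", "72.28.120.32/27", "72.28.118.192/27"))
CALL_SL = (PUBLIC_CALL_SL, HSCN_POP)

# DNS answers the page requires when traffic is to use the HSCN Border Controller.
EXPECTED_DNS = {
    "config.starleaf.com": ip_address("212.196.252.230"),
    "dns-hscn-live.starleaf.com": ip_address("212.196.252.229"),
}


@dataclass(frozen=True)
class Rule:
    dest: Union[tuple, str]   # destination networks, or a hostname where the page gives no IP
    proto: str                # "tcp" or "udp"
    ports: range              # allowed destination ports
    description: str


def ports(lo: int, hi: Optional[int] = None) -> range:
    """Inclusive port-range helper: ports(443) or ports(10000, 10199)."""
    return range(lo, (lo if hi is None else hi) + 1)


RULES = [
    # StarLeaf app and meeting-room endpoints
    Rule(CONFIG_RANGES, "tcp", ports(443), "StarLeaf authentication and automatic service discovery"),
    Rule(CALL_SL, "tcp", ports(443), "StarLeaf tunnel (registration, provisioning, signaling, media)"),
    Rule(CALL_SL, "udp", ports(24704), "StarLeaf tunnel (registration, provisioning, signaling, media)"),
    # Registered H.323 endpoints
    Rule(CALL_SL, "udp", ports(1719), "H.225 RAS"),
    Rule(CALL_SL, "tcp", ports(1720, 1721), "H.225 call signaling"),
    Rule(CALL_SL, "udp", ports(1722), "H.225 RAS"),
    Rule(CALL_SL, "tcp", ports(10000, 10199), "H.245 call signaling"),
    Rule(CALL_SL, "udp", ports(16384, 24576), "RTP media"),
    # Directory service: the page gives only a public hostname, so it is matched by name
    Rule("directory.starleaf.com", "tcp", ports(80), "HTTP directory sync"),
    Rule("directory.starleaf.com", "tcp", ports(443), "HTTPS directory sync"),
    Rule("directory.starleaf.com", "tcp", ports(389), "LDAP directory sync"),
    Rule("directory.starleaf.com", "tcp", ports(636), "LDAP directory sync"),
]


def path_for(ip: str) -> str:
    """Which Border Controller carries traffic to a resolved StarLeaf address."""
    addr = ip_address(ip)
    if addr in HSCN_POP:
        return "hscn"      # covered by the static route to 212.196.252.224/29
    if addr in PUBLIC_CALL_SL or any(addr in n for n in CONFIG_RANGES):
        return "public"
    return "unknown"       # not a StarLeaf range listed on this page


def check_dns(answers: dict) -> list:
    """Compare resolver answers with the HSCN records; a public answer means the DNS rule is not in effect."""
    problems = []
    for name, expected in EXPECTED_DNS.items():
        got = answers.get(name)
        if got is None or ip_address(got) != expected:
            problems.append(f"{name}: expected {expected}, got {got}")
    return problems


def match_rule(dst_ip: str, proto: str, port: int, host: Optional[str] = None) -> Optional[Rule]:
    """Return the first rule permitting this outbound flow, or None if it should be dropped."""
    addr = ip_address(dst_ip)
    for rule in RULES:
        if rule.proto != proto.lower() or port not in rule.ports:
            continue
        if isinstance(rule.dest, str):
            if host == rule.dest:
                return rule
        elif any(addr in n for n in rule.dest):
            return rule
    return None


def audit(flows: list) -> list:
    """Classify (dst_ip, proto, port, host) flows as allow/block with the path and matching rule."""
    report = []
    for dst_ip, proto, port, host in flows:
        rule = match_rule(dst_ip, proto, port, host)
        verdict = "allow" if rule else "block"
        report.append((dst_ip, proto, port, path_for(dst_ip), verdict, rule.description if rule else None))
    return report


if __name__ == "__main__":
    # Constructed resolver output: config.starleaf.com still points at a public address.
    print(check_dns({"config.starleaf.com": "89.202.39.70",
                     "dns-hscn-live.starleaf.com": "212.196.252.229"}))
    # Constructed flows, as a firewall might log them.
    for row in audit([
        ("212.196.252.226", "udp", 24704, None),                 # tunnel media via HSCN
        ("212.196.252.226", "tcp", 10100, None),                 # H.245 via HSCN
        ("46.235.173.70", "tcp", 10200, None),                   # just above the H.245 range: blocked
        ("203.0.113.10", "tcp", 389, "directory.starleaf.com"),  # placeholder IP; LDAP matched by name
    ]):
        print(row)
```

Because the page lists TCP 389 and TCP 636 as alternatives (Poly versus Lifesize), the model allows both; restrict it to the one your endpoints actually use. A flow reported as "public" to a <example>.call.sl address on a site that is meant to use the HSCN Border Controller usually points back at the DNS rules or the static route rather than at the firewall.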

StarLeaf support

StarLeaf is only able to provide support and guidance for the StarLeaf elements of this service: StarLeaf hardware, software apps, meetings, and H.323 endpoint registration.

StarLeaf is not able to support or provide guidance for the scenarios listed in the table below. External help, such as the contacts suggested, must be sought for these.

| Issue type | Possible scenario | Suggested contact |
|---|---|---|
| Local network issues | Packet loss or unstable connection seen to either of the StarLeaf Border Controllers | Local network provider or NHS Digital |
| User unable to use third-party H.323 endpoint | User does not know how to use a third-party H.323 system, e.g. Cisco, Tandberg or Polycom, to connect to a call or meeting | StarLeaf reseller; original provider of the H.323 endpoint; manufacturer of the H.323 endpoint |
| Administrator unable to log in to H.323 endpoint | Administrator wishes to register the H.323 endpoint to StarLeaf | StarLeaf reseller; original provider of the H.323 endpoint; manufacturer of the H.323 endpoint |
| Administrator unfamiliar with how to change settings on an H.323 endpoint | Administrator wishes to register the H.323 endpoint to StarLeaf and change other settings such as NAT rules or H.460 firewall traversal settings | Local IT/network team; StarLeaf reseller; original provider of the H.323 endpoint; manufacturer of the H.323 endpoint |
| Cannot connect to third-party conferencing provider | User is provided with dial-in details for a third-party conferencing provider that supports H.323 and SIP dial-in via the public internet | Meeting organizer; support team of the third-party conferencing provider |