This article describes firewall configuration for calling to and from H.323 endpoints that are registered to the StarLeaf Cloud.

Firewall traversal

If the endpoint is on a private IP network (behind NAT), it must use the H.460 protocol to traverse its firewall and connect to the StarLeaf Cloud. Some endpoints use H.460 automatically, while others only do when they have been configured to do so. H.460 allows multiple H.323 endpoints to connect to the Cloud from behind a single NAT gateway and provides an excellent firewall traversal solution for audio, video, and content channels, but there are some other network conditions that have to be met for it to work properly. Here are the key points to check:

  • The firewall needs to allow outbound connections from all your H.323 endpoints to the DNS host name of your StarLeaf Cloud gatekeeper. The StarLeaf Portal provides you with this hostname when you configure the endpoint on the Portal. Some older endpoints require this to be entered as a dotted decimal IP address, and will not accept a DNS hostname. In this case, ping <your organization name>.call.sl to find out the IP address that it resolves to. This IP address can occasionally change for StarLeaf operational reasons, so you should advise StarLeaf Support if you have to enter the IP address so that we can let you know if we ever have to change it
  • In any H.323 endpoint or firewall configuration where you need to specify your StarLeaf Cloud gatekeeper, use its DNS name if possible, and not its IP address. This is because the DNS name never changes but, as described above, the IP address that it resolves to can change from time to time for StarLeaf operational reasons. Some devices only allow you to enter the IP address. In this case, inform StarLeaf Support so that we can advise you whenever it changes
  • The StarLeaf Cloud gatekeeper ports to which your H.323 endpoints connect are listed in the table below. If in doubt, simply allow outbound connections to all TCP and UDP ports on your StarLeaf Cloud gatekeeper
    Source hostSource portDestination hostDestination portDescription
    Internal H.323 endpointEphemeral<example>.call.slUDP 1719H.225 registration
    TCP 1720H.225 call signaling
    TCP 1721H.225 call signaling
    UDP 1722H.225 registration
    TCP 10000-10199H.245 call signaling
    UDP 16384-24576RTP media
  • H.323 endpoints should have any NAT settings (where you enter the public IP address of your gateway onto the endpoint itself) disabled. The purpose of these settings is to assist firewall traversal, but they can interfere with proper operation of the H.460 protocol
  • Firewalls should have any H.323-aware mode (ALG/Application-layer gateway for H.323) disabled. For more information on ALGs and how to disable them, refer to Disabling ALGs.
  • The StarLeaf Cloud directory service ports to which your H.323 endpoints connect are listed in the table below. If in doubt, simply allow outbound connections to all TCP and UDP ports at directory.starleaf.com. You will only need to open one of TCP 389 or TCP 636; this is endpoint specific. For Polycom endpoints, the server port is 389; for Lifesize endpoints it is 636
Source host Source port Destination host Destination port Description
Internal H.323 endpoint Ephemeral directory.starleaf.com TCP 80 HTTP directory sync
TCP 443 HTTPS directory sync
TCP 389 LDAP directory sync
TCP 636 LDAPS directory sync