Firewall configuration for H.323 endpoints registered to the StarLeaf Cloud
Last updated September 22, 2017
This article describes firewall configuration for calling to and from H.323 endpoints that are registered to the StarLeaf Cloud.
If the endpoint is on a private IP network (behind NAT), it must use the H.460 protocol to traverse its firewall and connect to the StarLeaf Cloud. Some endpoints use H.460 automatically, while others only do when they have been configured to do so. H.460 allows multiple H.323 endpoints to connect to the Cloud from behind a single NAT gateway and provides an excellent firewall traversal solution for audio, video, and content channels, but there are some other network conditions that have to be met for it to work properly. Here are the key points to check:
- The firewall needs to allow outbound connections from all your H.323 endpoints to the DNS host name of your StarLeaf Cloud gatekeeper. The StarLeaf Portal provides you with this hostname when you configure the endpoint on the Portal. Some older endpoints require this to be entered as a dotted decimal IP address and will not accept a DNS hostname. In this case, ping <your organization name>.call.sl to find out the IP address that it resolves to. This IP address can occasionally change for StarLeaf operational reasons, so if you have to enter the IP address, advise StarLeaf Support so that we can let you know if we ever have to change it.
- In any H.323 endpoint or firewall configuration where you need to specify your StarLeaf Cloud gatekeeper, use its DNS name if possible, and not its IP address. This is because the DNS name never changes but, as described above, the IP address that it resolves to can change from time to time for StarLeaf operational reasons. Some devices only allow you to enter the IP address. In this case, inform StarLeaf Support so that we can advise you whenever it changes.
- The StarLeaf Cloud gatekeeper ports to which your H.323 endpoints connect are listed in the table below. If in doubt, simply allow outbound connections to all TCP and UDP ports on your StarLeaf Cloud gatekeeper.
| Source host | Source port | Destination host | Destination port | Description |
|---|---|---|---|---|
| Internal H.323 endpoint | Ephemeral | <example>.call.sl | UDP 1719 | H.225 RAS (Registration, Admission, and Status) |
| Internal H.323 endpoint | Ephemeral | <example>.call.sl | TCP 1720 | H.225 call signaling |
| Internal H.323 endpoint | Ephemeral | <example>.call.sl | TCP 1721 | H.225 call signaling |
| Internal H.323 endpoint | Ephemeral | <example>.call.sl | UDP 1722 | H.225 RAS (Registration, Admission, and Status) |
| Internal H.323 endpoint | Ephemeral | <example>.call.sl | TCP 10000-10199 | H.245 call signaling |
| Internal H.323 endpoint | Ephemeral | <example>.call.sl | UDP 16384-24576 | RTP media |
- H.323 endpoints should have any NAT settings (where you enter the public IP address of your gateway onto the endpoint itself) disabled. The purpose of these settings is to assist firewall traversal, but they can interfere with proper operation of the H.460 protocol.
- Firewalls should have any H.323-aware mode (ALG/Application-layer gateway for H.323) disabled. For more information on ALGs and how to disable them, refer to Disabling ALGs.
- The StarLeaf Cloud directory service ports to which your H.323 endpoints connect are listed in the table below. If in doubt, simply allow outbound connections to all TCP and UDP ports at directory.starleaf.com. You will only need to open one of TCP 389 or TCP 636; this is endpoint specific. For Polycom endpoints, the server port is 389; for Lifesize endpoints it is 636.

| Source host | Source port | Destination host | Destination port | Description |
|---|---|---|---|---|
| Internal H.323 endpoint | Ephemeral | directory.starleaf.com | TCP 80 | HTTP directory sync |
| Internal H.323 endpoint | Ephemeral | directory.starleaf.com | TCP 443 | HTTPS directory sync |
| Internal H.323 endpoint | Ephemeral | directory.starleaf.com | TCP 389 | LDAP directory sync |
| Internal H.323 endpoint | Ephemeral | directory.starleaf.com | TCP 636 | LDAPS directory sync |
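As an added example (not StarLeaf's code), the following script encodes the two port tables above as data and checks an outbound firewall policy for gaps, including partial coverage of the H.245 and RTP port ranges and the vendor-specific LDAP port. The `Rule` class, the policy format and the gatekeeper hostname `example.call.sl` are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """An outbound allow rule: destination host, protocol and inclusive port range (assumed format)."""
    dest_host: str
    proto: str        # "tcp" or "udp"
    first_port: int
    last_port: int

# LDAP directory-sync port depends on the endpoint vendor, as stated in the article.
LDAP_PORT = {"polycom": 389, "lifesize": 636}

def required_flows(gatekeeper_host, vendor):
    """Outbound flows an H.323 endpoint needs, taken from the article's two tables."""
    gk, d, ldap = gatekeeper_host, "directory.starleaf.com", LDAP_PORT[vendor.lower()]
    return [
        (Rule(gk, "udp", 1719, 1719), "H.225 RAS"),
        (Rule(gk, "tcp", 1720, 1721), "H.225 call signaling"),
        (Rule(gk, "udp", 1722, 1722), "H.225 RAS"),
        (Rule(gk, "tcp", 10000, 10199), "H.245 call signaling"),
        (Rule(gk, "udp", 16384, 24576), "RTP media"),
        (Rule(d, "tcp", 80, 80), "HTTP directory sync"),
        (Rule(d, "tcp", 443, 443), "HTTPS directory sync"),
        (Rule(d, "tcp", ldap, ldap), "LDAP directory sync"),
    ]

def uncovered_ports(flow, policy):
    """Sub-ranges of `flow` that no rule in `policy` allows; an empty list means fully covered."""
    spans = sorted((r.first_port, r.last_port) for r in policy
                   if r.dest_host == flow.dest_host and r.proto == flow.proto)
    gaps, cursor = [], flow.first_port
    for lo, hi in spans:
        if hi < cursor or cursor > flow.last_port:
            continue                      # rule is below the unchecked part, or flow already covered
        if lo > cursor:
            gaps.append((cursor, min(lo - 1, flow.last_port)))
        cursor = max(cursor, hi + 1)      # rules may overlap or abut; advance past this one
    if cursor <= flow.last_port:
        gaps.append((cursor, flow.last_port))
    return gaps

def policy_gaps(gatekeeper_host, vendor, policy):
    """Return [(description, proto, [(first, last), ...])] for every required flow the policy blocks."""
    return [(desc, f.proto, g) for f, desc in required_flows(gatekeeper_host, vendor)
            if (g := uncovered_ports(f, policy))]
```

A policy that allows all TCP and UDP ports to both hosts (the article's "if in doubt" option) produces no gaps; a policy that opens only part of TCP 10000-10199, or the wrong LDAP port for the vendor, is reported row by row.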