This article describes firewall configuration for calling the StarLeaf platform from H.323 endpoints that are not registered with StarLeaf. If your endpoint is registered to StarLeaf, refer to Firewall configuration for H.323 endpoints registered to StarLeaf.

Firewall traversal

To call a StarLeaf endpoint from your H.323 endpoint, the H.323 endpoint needs to be able to call outside of your network. There are several ways this can happen:

  • The endpoint is registered to a network device such as a Cisco VCS
  • The endpoint is registered to an H.323-aware firewall that has an application-layer gateway (ALG) for H.323
  • The endpoint is on a public IP address

Calling from an unregistered H.323 endpoint on a private IP address is not supported.

The ports you need to open on your firewall are shown in this table:

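| Source host | Source port | Destination host | Destination port | Description |
|---|---|---|---|---|
| Internal H.323 endpoint | Ephemeral | <example> | UDP 1719 | H.225 RAS (Registration, Admission, and Status) |
| Internal H.323 endpoint | Ephemeral | <example> | TCP 1720 | H.225 call signaling |
| Internal H.323 endpoint | Ephemeral | <example> | TCP 1721 | H.225 call signaling |
| Internal H.323 endpoint | Ephemeral | <example> | UDP 1722 | H.225 RAS (Registration, Admission, and Status) |
| Internal H.323 endpoint | Ephemeral | <example> | TCP 10000-10199 | H.245 call signaling |
| Internal H.323 endpoint | Ephemeral | <example> | UDP 16384-24576 | RTP media |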
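
The following is an added example, not StarLeaf's own tooling: it audits a set of outbound allow rules against the port table above, reporting required ports that are still blocked and allowed ports the table does not call for. The `(protocol, low, high)` rule format and `SAMPLE_RULES` are constructed for illustration, and the rules are assumed to be already scoped to the StarLeaf destination host.

```python
# Destination ports from the table above: (protocol, first, last, purpose)
REQUIRED = [
    ("udp", 1719, 1719, "H.225 RAS"),
    ("tcp", 1720, 1720, "H.225 call signaling"),
    ("tcp", 1721, 1721, "H.225 call signaling"),
    ("udp", 1722, 1722, "H.225 RAS"),
    ("tcp", 10000, 10199, "H.245 call signaling"),
    ("udp", 16384, 24576, "RTP media"),
]

def uncovered(first, last, ranges):
    """Return the sub-ranges of [first, last] not covered by any (lo, hi) in ranges."""
    gaps, cursor = [], first
    for lo, hi in sorted(ranges):
        if hi < cursor:          # range ends before the part still unchecked
            continue
        if lo > last:            # range starts past the end; later ones do too
            break
        if lo > cursor:          # hole between the checked part and this range
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= last:
        gaps.append((cursor, last))
    return gaps

def audit(rules):
    """rules: (protocol, lo, hi) allow rules. Returns (missing, excess)."""
    missing, excess = [], []
    for proto, first, last, purpose in REQUIRED:
        allowed = [(lo, hi) for p, lo, hi in rules if p == proto]
        missing += [(proto, *gap, purpose) for gap in uncovered(first, last, allowed)]
    for proto, lo, hi in rules:
        needed = [(f, l) for p, f, l, _ in REQUIRED if p == proto]
        excess += [(proto, *extra) for extra in uncovered(lo, hi, needed)]
    return missing, excess

# Constructed sample rule set (not taken from any real firewall)
SAMPLE_RULES = [
    ("udp", 1719, 1719),
    ("tcp", 1720, 1721),
    ("tcp", 10000, 10100),   # H.245 range cut short
    ("udp", 16384, 32767),   # RTP range wider than the table requires
]

if __name__ == "__main__":
    for label, rows in zip(("missing", "excess"), audit(SAMPLE_RULES)):
        print(label, rows)
```

Entries in `missing` lead to failed call setup or media; entries in `excess` are outbound openings that can be narrowed to the listed ranges.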