FortiGate
Author: bvagadia (Staff)
Article Id 203808
Description

This article discusses H323 video conferencing traffic that fails to connect when it passes through a FortiGate.
Scope

The video conferencing (VC) device does not work when sitting behind the firewall, even though all the necessary TCP ports are forwarded to the unit.

The user can dial the VC, but the call just rings and never connects.

In the debug flow trace, the following messages can be observed.


id=13 trace_id=74 msg="vd-root received a packet(proto=6, x.x.x.x:aaa->x.x.x.x:aaa) from lan."
id=13 trace_id=74 msg="Find an existing session, id-x, reply direction"
id=13 trace_id=74 msg="SNAT x.x.x.x->x.x.x.x:aaa"
id=13 trace_id=74 msg="run helper-h323(dir=reply)" 

Solution

The 'run helper' sequence kicks in as soon as someone attempts to pick up the call on the VC.

Disabling the h323 session-helper could help in this scenario.


  1. From the CLI, execute '# show system session-helper'. It gives output similar to the following (redacted here to the relevant entry; the entry number may differ on other units).

    edit 2
        set name h323
        set port 1720
        set protocol 6
    next


  2. Delete the H323 helper entry found in step 1 by executing the following CLI commands.


config system session-helper
delete 2
end
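The entry number shown above is only an example; on a given unit the h323 helper can sit at a different index, and the trace output is what tells you which helper is intervening. The following Python script is an added example (not Fortinet's code or part of this article) that reads the diagnose trace lines shown above, extracts the helper name from the "run helper-..." message, parses the output of 'show system session-helper' to find the matching entry id, and prints the delete commands for that id instead of a hard-coded 'delete 2'. The session-helper output embedded in the script is constructed sample data, as is the helper name list; the trace lines are the ones from this article.

```python
import re

# Constructed sample of `show system session-helper` output (not captured from a
# real unit); the entry numbers and the set of helpers vary by FortiOS version.
SAMPLE_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 3
        set name ras
        set port 1719
        set protocol 17
    next
end
"""

# Trace lines from the article (addresses and ports are already redacted there).
SAMPLE_TRACE = [
    'id=13 trace_id=74 msg="vd-root received a packet(proto=6, x.x.x.x:aaa->x.x.x.x:aaa) from lan."',
    'id=13 trace_id=74 msg="Find an existing session, id-x, reply direction"',
    'id=13 trace_id=74 msg="SNAT x.x.x.x->x.x.x.x:aaa"',
    'id=13 trace_id=74 msg="run helper-h323(dir=reply)"',
]

ENTRY_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
SET_RE = re.compile(r"^\s*set\s+(\w+)\s+(\S+)\s*$")
TRACE_RE = re.compile(r'msg="run helper-([A-Za-z0-9_]+)\(')


def helpers_seen_in_trace(log_lines):
    """Return the set of session-helper names that the flow trace reports running."""
    names = set()
    for line in log_lines:
        m = TRACE_RE.search(line)
        if m:
            names.add(m.group(1))
    return names


def parse_session_helpers(text):
    """Parse `show system session-helper` output into a list of dicts with the
    keys id (int), name (str), port (int) and protocol (int)."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        if current is None:
            continue  # header/footer lines outside an edit block
        m = SET_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            current[key] = int(value) if key in ("port", "protocol") else value
            continue
        if line.strip() == "next":
            entries.append(current)
            current = None
    return entries


def find_helper_ids(entries, name):
    """Return every entry id whose helper name matches; a unit can carry more than
    one entry for the same helper (e.g. an extra h323 entry on another port)."""
    return [e["id"] for e in entries if e.get("name") == name]


def delete_helper_commands(entries, name):
    """Build the CLI block that removes every session-helper entry named `name`.
    Returns None when no such entry exists, so the caller emits no no-op block."""
    ids = find_helper_ids(entries, name)
    if not ids:
        return None
    lines = ["config system session-helper"]
    lines += [f"    delete {i}" for i in ids]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    helpers = parse_session_helpers(SAMPLE_OUTPUT)
    for name in sorted(helpers_seen_in_trace(SAMPLE_TRACE)):
        print(f"# helper '{name}' seen in trace, entries: {find_helper_ids(helpers, name)}")
        print(delete_helper_commands(helpers, name))
```

Run it against real output by replacing SAMPLE_OUTPUT with the text copied from the CLI and SAMPLE_TRACE with the 'diagnose debug flow' lines; review the printed block before pasting it, since deleting a helper entry is global to the unit.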


Note: In multi-VDOM setups, the session-helper table is a global setting, so deleting the entry disables the helper for all VDOMs. To disable it in a single VDOM only, the following setting can be used on the custom firewall service that matches the H323 traffic:


config vdom
    edit <vdom_name>
        config firewall service custom
            edit <service_name>
                set tcp-portrange 1719-1720
                set helper disable
            end
    end


After this change, H323 traffic using TCP port 1720 will not be inspected by the FortiGate session-helper anymore.