- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Messenger audio & video (how)
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 05-03-2004 06:10 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Messenger audio & video (how)
Hello All !
First of all i' m new here (and in firewall management) so i hope i didn' t missed another topic where my problem was solved.
I have a 50a installed on a 5 machines network. The company uses messenger for download small files from external and for video conferences.
I have set a policy to allow file transfer (virtual IP port 6891) throught messenger. But this is ok for one machine only.
A/ How do i set several messenger transfer files host as the external messenger will use the same port ?
For video and audio, i have read that msn is using UPnP and that it should be able to open several port...
The actual Real-time Transport Protocol (RTP) streams are sent using dynamically allocated UDP ports in the range of 5004–65535. Without a way to open these UDP ports on any firewall in the path dynamically, the streams fail to reach their destination.[link=]http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/worki01.mspx#XSLTsection125121120120[/link] Well i don' t realy get it all and i' d be happy to find teh proper solution to authorize Video and Audio throught messenger. B/ How do i authorize video and audio connection with msn ?
7 REPLIES 7
Not applicable
Created on 05-07-2004 03:31 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok well it may take a bit of tinkering but do this. create a new service.
title it NetWrk-msn tcp/udp
tcp 1 - 65535 6891 - 6900 (this is for file transfers if you want to allow more the 10 at a time increase the high number)
udp 1 - 65535 6891 - 6900
tcp 1 - 65535 3389 - 3389
tcp 1 - 65535 5060 - 5060
tcp 1 - 65535 1503 - 1503
Now i could be wrong with the TCP and udp but microsoft was not intirely clear with this or i just (glazed) through it too fast. Make sure that you create a deny policy to be the last in the chain for INT-EXT with deny and logging this way you will know if you need to change the ports to udp. just watch the logs. Its always a good thing to do anyway.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello and thanks FreEx for your time,
Well our service " NetWrk-msn_tcp/udp" is ok.
Let see our policy.
External_All | Internal_All | Always | NetWrk-msn_tcp/udp | ACCEPT | (NAT on)
There is no need for port forwarding (virtual IP) or whatever to guide the packet to the final machine ?
If no great !
Cause i though i have to define a " virtual IP" , port forwarding and then assign a port (6891 for exemple) to a SINGLE machine.
Or i miss an important point somewhere :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
port 3389 is used for Windows Terminal Server.
Ok well it may take a bit of tinkering but do this. create a new service. title it NetWrk-msn tcp/udp tcp 1 - 65535 6891 - 6900 (this is for file transfers if you want to allow more the 10 at a time increase the high number) udp 1 - 65535 6891 - 6900 tcp 1 - 65535 3389 - 3389 tcp 1 - 65535 5060 - 5060 tcp 1 - 65535 1503 - 1503 Now i could be wrong with the TCP and udp but microsoft was not intirely clear with this or i just (glazed) through it too fast. Make sure that you create a deny policy to be the last in the chain for INT-EXT with deny and logging this way you will know if you need to change the ports to udp. just watch the logs. Its always a good thing to do anyway.
Not applicable
Created on 05-13-2004 02:23 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah robbo it is for ternimal service but i belive in the article msn also uses for the remote asistance. I was just listing everying that msn had and how to use it.
Yonni port forwarding is designed more if you have 40 machines in a 192 subnet and only 1 real ip address. the easiest way i can describe it is to think of the firewall as a gate keeper. the incomming packet is routed to the firewall looking for 94.68.21.58 on port 8789 as an http packet.
Now what the gatekeeper here dose is takes that info from the packet and sends it to computer 192.168.54.21:8789 but he will do this only if you have an incomming policy configured for this. Trust me if you ahve the ext to int policy configured routing to the VIP address for the interenal server there should be problem. Only time i have problems with with hardware devices.
Not applicable
Created on 06-11-2004 03:45 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a Frotinet 50a with a basic external 192.168.0.x and internal 192.168.1.x config.
I have tried using the settings as detailed above, but no joy.
I have even tried using both TCP/UDP 1-65535 1-65535 still no joy.
I have added it as both internal-external, ext-int and both simulaneously still no joy.
I know that the service works, as I have had both PCs on the external network and things are fine.
I have not added any IP Pools nor Virtual IP Mapping.
can someone help as I am pulling my hair out.
I did have a 2 site VPN that was working on 50as a while back, but they stopped working earlier this year
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you need a special setup as with H323. When you have a VPN between the two machines that are trying to do video or voice it should be OK as the SIP messages go to MSN' s server to set up the call but the data streams will first try connecting directly, machine to machine. As long as there' s no additional NAT between the two machines it should work. If you don' t have direct communication between the two endpoints i.e. something is doing NAT between them, the Messenger client sends requests to the gateway device using uPnP to open up all the required ports. If like most half decent firewalls it ignores this request then the data connections will most likely fail. I think that some messaging services can get round the problem by proxying the stream via a server that' s accessible by both systems but I don' t think that works for MSN. I have heard that MSN is clever enough to work out if only one machine is NAT' ed and set that machine to open up the channels using normal stateful inspection rules.
Bottom line, if both clients are behind NAT routers/firewall that don' t understand or obey uPnP requests then you' ve either got to restrict it to one machine and kill your security by opening loads of ports or live without it.
More extravagent solutions involve setting up your own messenger server using expensive MS software.
The only light at the end of the tunnel may be a feature I' ve noticed in a 2.8 beta. There is a command line setting for ' config system session-helper' which suggests that you can create your own helper rules where normal stateful inspection and or NAT bugger up applications.
A typical application that goes wrong through NAT is PPTP and some implemetations of IPSec vpns. This is because the application opens up several sessions and not all of them are initiated using the same tcp/udp port combo or from behind the NAT in question.
Consider PPTP: User behind NAT device with a PPTP client trys to VPN into his/her office. The laptop initiates a tcp connection using dest port of 1723. The vpn server than replies with a GRE tunnel - protocol 47. The NAT device is not expecting this apparently random GRE tunnel so it blocks it because it does not know that the initial tcp port 1723 connection is related as it doesn' t understand PPTP.
Same applied to MSN. Video and voice conversations are setup using SIP I believe but this does not carry the actual data. The data streams try to get set up but because the NAT device doesn' t expect it the traffic is blocked. Hopefully, using this session-helper function we should be able to teach the FGs to understand more applications and allow the appropriate data channels to be set up once it sees the SIP traffic, in this case.
Bit of luck they might have one pre-programmed!!!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There' s hope!
on 2.8 machine CLI:
(session-hel.)# show
config system session-helper
edit 1
set name " pptp"
set port 1723
set protocol 6
next
edit 2
set name " h323"
set port 1720
set protocol 6
next
edit 3
set name " ras"
set port 1719
set protocol 17
next
edit 4
set name " tns"
set port 1521
set protocol 6
next
edit 5
set name " ident"
set port 21
set protocol 6
next
edit 6
set name " ident"
set port 23
set protocol 6
next
edit 7
set name " ident"
set port 25
set protocol 6
next
edit 8
set name " tftp"
set port 69
set protocol 17
next
edit 9
set name " rtsp"
set port 554
set protocol 6
next
edit 10
set name " rtsp"
set port 7070
set protocol 6
next
edit 11
set name " ftp"
set port 21
set protocol 6
next
edit 12
set name " mms"
set port 1863
set protocol 6
next
end
I still can' t see how these inform the FG of what to do but this is a list of common applications that can have problems with a basic NAT implementation. The interesting bit in this case is the last one called " mms" that uses port 1863 and protocol 6 which translates into SIP and TCP - messenger call signalling.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Enterprises Class Fortinet Switch's. 285 Views
- YouTube keeps loading and the video... 814 Views
- Forticam-MB40 RTSP URI String 398 Views
- Milan Highend AV support, AVB IEEE... 452 Views
- Inspection of ISDB used by Forticlient... 527 Views
Labels
-
FortiGate
7,162 -
FortiClient
1,414 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
373 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1062 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.