Security Basics mailing list archives

RE: NetScreen XP and NetMeeting


From: "Sarbjit Singh Gill" <ssgill () gilltechnologies com>
Date: Mon, 16 Dec 2002 01:25:32 +0800


Thanks,

I did enable the H.323 service but somehow nothing seems to work. The
interesting bit is that I am running NAT at the NetScreen. When I tried to
connect to a PC (internal) from another PC on the internet, I could see at
the PC on the internet that I was trying to talk to somebody on 192.168.x.z,
which is actually the internal PC's IP.

If you have used NetMeeting before you realize that there will be a window
message on the caller's PC: "Waiting for response from <ip address>". I was
shocked to see the internal IP of the internal PC in this window. How
could NetScreen running NAT allow an internal IP (192.168.z.x) "escape" into
the net and be seen by the caller?

Cheers
Gill
-----Original Message-----
From: HOULE, FRANCIS [mailto:francis.houle () bell ca]
Sent: Friday, December 13, 2002 10:01 PM
To: ssgill () gilltechnologies com; 'Rick Darsey';
security-basics () lists securityfocus com
Subject: RE: NetScreen XP and NetMeeting


Hello,

I believe NetMeeting is using H.323.  There is support for H.323
sessions in the NetScreen.  If you configure that support you will not
have to open all those dynamic ports.  It will track the session and
allow the ports to be opened dynamically.  That way, you are a lot more
secure than opening a range of ports permanently.


--
Francis Houle
Conception Interréseautage
Bell Canada


-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: December 12, 2002 08:59
To: Rick Darsey; security-basics () lists securityfocus com
Subject: RE: NetScreen XP and NetMeeting


Greetings and thanks for the reply.


To give you folks some more details:

The NetScreen 5XP does not support a DMZ: only trusted and untrusted
interfaces.

I have an ADSL router/modem. There is no NetMeeting server. What my
client would like to do is use the built-in NetMeeting client in Windows
to "chat/talk (audio)/see (video)/remote control/share application" with
another person on the internet with similar software. I believe this
no-server scenario can hold up 20 people in a single chat session. It is
similar to when one starts NetMeeting from MSN Messenger.

Cheers

Gill

-----Original Message-----
From: Rick Darsey [mailto:rdarsey () aims1 com]
Sent: Thursday, December 12, 2002 9:49 PM
To: ssgill () gilltechnologies com
Subject: RE: NetScreen XP and NetMeeting


Gill,


What is the layout of your network? Do you have a router and a firewall,
or is the router acting as the firewall? If you have both, would it be
possible to place the NetMeeting server outside of the firewall, between
it and the router?  Depending on the type of OS, i.e. Windows 2000 Server,
etc., there are some filtering capabilities within the OS that will let
you limit the traffic to the server.

Just an idea.

Rick

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: Wednesday, December 11, 2002 5:19 PM
To: Rick Darsey
Subject: RE: NetScreen XP and NetMeeting


Greetings Rick,

The NS XP does not support a DMZ.

Gill

-----Original Message-----
From: Rick Darsey [mailto:rdarsey () aims1 com]
Sent: Thursday, December 12, 2002 6:22 AM
To: ssgill () gilltechnologies com; security-basics () lists securityfocus com
Subject: RE: NetScreen XP and NetMeeting


I would think you could set up the NetMeeting server in a DMZ zone
outside of the firewall, and then turn on keep state on the firewall to
allow users within the LAN to connect, but I am not sure about the keep
state part.

Rick Darsey

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: Wednesday, December 11, 2002 1:37 PM
To: security-basics () lists securityfocus com
Subject: NetScreen XP and NetMeeting


Greetings,

As the subject goes, I need to get NetMeeting to work via NetScreen. I
found a KB article
(http://support.microsoft.com/default.aspx?scid=kb;en-us;158623)
but it seems to show I had to open a whole range of ports. I am
skeptical about that!

e.g.
Pass through primary TCP connections on ports 522, 389, 1503, 1720 and
1731. Pass through secondary UDP connections on dynamically assigned
ports (1024-65535).

The above shows a whole range of ports that I have to open. Is there a
workaround?

Kind Regards
Gill
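The address leak Gill describes at the top of the thread is what happens when H.323 signalling crosses a device that only rewrites IP headers: H.225/H.245 carry IPv4 addresses as raw four-octet fields inside the payload, so the peer sees the inside address until an H.323 ALG patches the payload as well. The following is an added example (not code from the thread or from NetScreen) that models header-only NAT against ALG-style rewriting on a constructed, simplified payload and scans the result for embedded RFC 1918 addresses; the prefix bytes, the addresses and the packet layout are all assumptions.

```python
import ipaddress
from typing import List, Tuple

# RFC 1918 ranges: an inside address from these should never reach a peer on the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr) -> bool:
    """Accepts a dotted string or 4 raw bytes."""
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in PRIVATE_NETS)


def find_embedded_private_ipv4(payload: bytes) -> List[Tuple[int, str]]:
    """Slide a 4-byte window over an application payload and report each offset
    whose octets decode to an RFC 1918 address. H.323 encodes addresses as raw
    octets, so a leaked inside address appears this way, not as dotted text."""
    return [(off, str(ipaddress.IPv4Address(payload[off:off + 4])))
            for off in range(len(payload) - 3) if is_private(payload[off:off + 4])]


def header_only_nat(packet: dict, outside: str) -> dict:
    """Plain NAT: rewrite the IP header source only; the payload is untouched."""
    return {**packet, "src": outside}


def alg_rewrite(payload: bytes, inside: str, outside: str) -> bytes:
    """What an H.323 ALG adds on top of NAT: patch the raw address octets in the payload."""
    return payload.replace(ipaddress.IPv4Address(inside).packed,
                           ipaddress.IPv4Address(outside).packed)


# Constructed sample, not a real H.225 Setup: 4 assumed prefix bytes, then the caller's
# call-signalling address as raw octets followed by the 2-byte port 1720.
INSIDE, OUTSIDE = "192.168.1.50", "203.0.113.7"
SAMPLE_PAYLOAD = b"\x08\x02\x00\x01" + ipaddress.IPv4Address(INSIDE).packed + (1720).to_bytes(2, "big")
SAMPLE_PACKET = {"src": INSIDE, "dst": "198.51.100.9", "payload": SAMPLE_PAYLOAD}


def leaked_after_nat(alg: bool) -> List[Tuple[int, str]]:
    """Run the sample packet through NAT (optionally with the ALG) and report leaked addresses."""
    pkt = header_only_nat(SAMPLE_PACKET, OUTSIDE)
    if alg:
        pkt["payload"] = alg_rewrite(pkt["payload"], INSIDE, OUTSIDE)
    return find_embedded_private_ipv4(pkt["payload"])


if __name__ == "__main__":
    print("header-only NAT leaks:", leaked_after_nat(alg=False))  # [(4, '192.168.1.50')]
    print("with H.323 ALG leaks :", leaked_after_nat(alg=True))   # []
```

Run over payloads captured on the untrusted side, the scan is a quick check that the ALG is actually rewriting; a 4-byte window does produce false positives (any 0x0a byte starts a candidate in 10/8), so treat hits as offsets to inspect rather than proof of a leak.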
