Firewall Wizards mailing list archives
FW: Dealing with MS Netmeeting & H.323
From: Hal <hal () mrj com>
Date: Tue, 2 Jun 1998 17:21:16 -0700
Here is some additional information on netmeeting. Port 522 (ULS) is used by version 1, but not version 2.1 (the currently available version), which uses Port 389 (ILS). Open port 1503 (T.120) to enable data conferencing features: white board, chat, file transfer and application sharing. All this is standard TCP. Audio/Video is another story.

Also, there's a nasty security problem with the shared application execution facility enabling remote users to execute unintended programs on other participants' workstations.

Thanks to (jussi.jaskonaho () digital com) for pointing out a really great paper on all this. (www.it.hq.nasa.gov/~cshenton/hq/netmeeting)

Regards
Hal
Hal () mrj com

----------
From: Hal[SMTP:hal () mrj com]
Sent: Monday, June 01, 1998 1:54 PM
To: 'firewall-wizards () nfr com'
Subject: Dealing with MS Netmeeting & H.323

I'm wondering if anyone has had much luck securing Microsoft's Netmeeting product? This topic has been discussed here and on other lists. People usually just throw up their hands when dealing with it. What's the best advice?

In summary, here's what I found out about it. It's based on an H.323 architecture using T.120's transport, the IETF Realtime Protocol (RTP)/Real Time Control Protocols (RTCP) for its audio and video feeds, and includes a few additional features.

Ports (TCP):
  389  - Internet Locator (LDAP)
  522  - HTTP based User Locator (I think this is a MS proprietary protocol)
  1503 - T.124 "media independent transport"
  1720 - H323 call setup
  1731 - H323 audio call setup (not sure what this is for)

Here are the zingers: Dynamically assigned TCP and UDP ports in the "ephemeral" range (> 1024) carrying RTP & RTCP (allocated as dynamically assigned even/odd pairs, one pair per direction and media type). RTCP is used for feedback about the real time channel (congestion, quality, etc.). The actual port numbers for these associations are passed in an ASN.1 open local channel request on port 1720.

Issues:

(1) Router filters control a single port or port range. Dynamic port assignments require the range to be very large, defeating the filter's purpose.

(2) Network Address Translation. H.323 logical channel open fetches the local client address and passes that bound into an application (session) PDU to the destination, causing internal address leakage. (The destination tries to send to the untranslated internal address of the source instead of the translated external address.)

An H.323 proxy could solve these problems. Firewall-1 states they can handle H.323 and work with Netmeeting (Does anyone have any experience with this?). Gauntlet/NT has an H.323 proxy, but their administrator's guide, which lists several multimedia applications, does not list NetMeeting. Are there other firewalls that can handle netmeeting?

One suggestion I received was to allow just the data portion of Netmeeting by blocking the dynamically assigned ports that carry the audio and video. Difficult to satisfy a customer expecting interactive audio and video.

Regards
Hal.
Hal () mrj com
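Added example, not part of the message above and not code from any firewall product: a simplified Python illustration of the two issues the message lists, showing how an H.323-aware proxy can spot the inside address carried in the application payload, replace it with the translated address, and derive the even/odd RTP/RTCP port pair to open. Assumptions: the payload is a constructed byte string (raw 4-octet address followed by a 2-octet port), not a real ASN.1 decode; the addresses 10.1.2.3 and 192.0.2.10 are made up; the NAT is assumed to translate addresses only and keep port numbers.

```python
import ipaddress
import struct

SAMPLE_INSIDE = "10.1.2.3"     # constructed inside (untranslated) client address
SAMPLE_OUTSIDE = "192.0.2.10"  # constructed translated address


def find_embedded_endpoints(payload: bytes, inside_addr: str):
    """Return (offset, port) for each raw copy of inside_addr followed by a port."""
    needle = ipaddress.IPv4Address(inside_addr).packed
    hits, start = [], 0
    while (i := payload.find(needle, start)) >= 0 and i + 6 <= len(payload):
        (port,) = struct.unpack_from("!H", payload, i + 4)
        if port > 1024:  # the message: dynamic ports sit in the range > 1024
            hits.append((i, port))
        start = i + 1
    return hits


def rewrite_for_nat(payload: bytes, inside_addr: str, outside_addr: str):
    """Swap the leaked inside address for the translated one and list pinholes."""
    out = bytearray(payload)
    translated = ipaddress.IPv4Address(outside_addr).packed
    pinholes = set()
    for offset, port in find_embedded_endpoints(payload, inside_addr):
        out[offset:offset + 4] = translated
        rtp = port & ~1                # even port of the pair carries RTP
        pinholes.add((rtp, rtp + 1))   # odd port of the pair carries RTCP
    return bytes(out), sorted(pinholes)


def build_sample(inside_addr: str) -> bytes:
    """Constructed stand-in for a channel-open message seen on port 1720."""
    addr = ipaddress.IPv4Address(inside_addr).packed
    return (b"\x03\x00OLC" + addr + struct.pack("!H", 49170) + b"\x00"
            + addr + struct.pack("!H", 49171) + b"\x00\x00")


if __name__ == "__main__":
    sample = build_sample(SAMPLE_INSIDE)
    print("leaked endpoints:", find_embedded_endpoints(sample, SAMPLE_INSIDE))
    rewritten, pinholes = rewrite_for_nat(sample, SAMPLE_INSIDE, SAMPLE_OUTSIDE)
    print("RTP/RTCP pairs to open for this call only:", pinholes)
```

Opening only the pairs named in the call setup, for the life of that call, is what lets a proxy avoid the very large static port range described in issue (1).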