Firewall Port Forwarding for H.323 video

By peter.stilgoe

H.323 uses a single fixed TCP port (1720) to start a call using the H.225 protocol (defined by the H.323 spec) for call control. Once that exchange is complete, it uses a dynamic TCP port for the H.245 protocol (also defined by the H.323 spec) for capabilities and channel control. Finally, it opens 2 dynamic UDP ports for each type of media that was negotiated for the call (audio, video, far-end camera control). The first port carries the RTP data (defined by the H.225 spec) and the second carries the RTCP data (defined by the H.225 spec).

As per TCP/IP standards, ports are divided into 3 sections: 0-1023 (privileged ports), 1024-49151 (registered ports) and 49152-65535 (dynamic ports). H.323 specifies that the ports in the dynamic range are open. Polycom has added a feature to its product line that lets a system use fixed ports (instead of dynamic ports) so that calls can more easily traverse a firewall. Only the system behind the firewall needs to turn on this feature, since the firewall will prevent the audio/video/FECC from the outside from coming in unless this is enabled.

You must forward the traffic to and from the video endpoint through the firewall using the specified port numbers and protocol types for outgoing calls. To receive incoming calls, you must forward traffic on TCP port 1720.

The following are details on port forwarding assignments for various products:

Polycom Port Forwarding

For Polycom products, the following ports must be opened in the firewall and assigned to the IP address of videoconferencing endpoints (e.g. a video endpoint could be at 192.168.0.109):
· Port 389 (TCP): For ILS registration
· Port 1503 (TCP): Microsoft NetMeeting T.120 data sharing
· Port 1718 (UDP): Gatekeeper discovery
· Port 1719 (UDP): Gatekeeper RAS (Must be bi-directional)
· Port 1720 (TCP): H.323 Call setup (Must be bi-directional)
· Port 1731 (TCP): Audio call control (Must be bi-directional)
· Ports 3230-3235 (TCP): Signaling and control for audio, call, video and data/FECC
· Ports 3230-3253 (UDP): Signaling and control for audio, call, video and data/FECC
· Port 3603 (TCP): ViaVideo Web interface (ViaVideo users only)

So, a typical H.323 ViewStation call would use 2 TCP fixed ports (3230-3231) and 6 UDP fixed ports (3230-3235).
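
The port list above, turned into forwarding rules scoped to one endpoint, as an added example that is not part of the original post. It assumes a Linux firewall using iptables and a WAN interface named eth0 (both hypothetical), uses the post's example endpoint 192.168.0.109, and leaves out ILS (389), T.120 (1503) and the ViaVideo port (3603) on the assumption that they are not in use.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules forwarding the Polycom
# ports listed above to a single endpoint. The interface name and the choice of
# iptables are assumptions; 192.168.0.109 is the page's example endpoint.
POLYCOM_PORTS="tcp:1720 tcp:1731 tcp:3230-3235 udp:1718 udp:1719 udp:3230-3253"

# Validate "proto:port" or "proto:lo-hi"; on success sets proto, lo and hi.
valid_spec() {
    proto=${1%%:*}; range=${1#*:}
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $range in *-*-*) return 1 ;; esac
    lo=${range%%-*}; hi=${range##*-}
    for n in "$lo" "$hi"; do
        # Reject empty, zero or zero-padded, and non-numeric values.
        case $n in ''|0*|*[!0-9]*) return 1 ;; esac
    done
    [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}

# Emit one DNAT rule and one matching FORWARD rule per port spec.
gen_rules() {
    wan=$1; endpoint=$2; shift 2
    for spec in "$@"; do
        valid_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
        # iptables writes a port range as lo:hi.
        if [ "$lo" -eq "$hi" ]; then dport=$lo; else dport=$lo:$hi; fi
        echo "iptables -t nat -A PREROUTING -i $wan -p $proto --dport $dport -j DNAT --to-destination $endpoint"
        echo "iptables -A FORWARD -i $wan -d $endpoint -p $proto --dport $dport -j ACCEPT"
    done
}

# Total number of forwarded ports, for comparison with a 1024-65535 rule.
count_ports() {
    total=0
    for spec in "$@"; do
        valid_spec "$spec" || return 1
        total=$((total + hi - lo + 1))
    done
    echo "$total"
}

# Word splitting of POLYCOM_PORTS is intentional: one argument per spec.
gen_rules eth0 192.168.0.109 $POLYCOM_PORTS
echo "# ports forwarded: $(count_ports $POLYCOM_PORTS)"
```

Review the printed rules before applying them; each one names a protocol, a port or range, and the single destination address, so nothing else on the internal network is reachable through them.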

Polycom GMS Ports:
· 21 (FTP) – Software Updates & Provisioning
· 80 (HTTP) – Pulling ViewStation/VS4000 info
· 3601 (Proprietary) (Data Traffic) – GAB data
· 3603 – TCP – Pulling ViaVideo info (since might be non-web server PC)
· 389 (LDAP and ILS)
· 1002 (ILS)

GMS listens for connections on ports 80 and 3601 (GAB), and in the future will listen on port 3604 (ViaVideo) and potentially others later.

H.323 Ports (IP based video conferencing):
· 80 – Static TCP – HTTP Interface (optional)
· 389 – Static TCP – ILS Registration (LDAP)
· 1503 – Static TCP – T.120
· 1718 – Static UDP – Gatekeeper discovery (Must be bidirectional)
· 1719 – Static UDP – Gatekeeper RAS (Must be bidirectional)
· 1720 – Static TCP – H.323 call setup (Must be bidirectional)
· 1731 – Static TCP – Audio Call Control (Must be bidirectional)
· 8080 – Static TCP – HTTP Server Push (optional)

· 1024-65535 – Dynamic TCP – H.245
· 1024-65535 – Dynamic UDP – RTP (Video data)
· 1024-65535 – Dynamic UDP – RTP (Audio data)
· 1024-65535 – Dynamic UDP – RTCP (Control Information)

These ports can be set to “Fixed Ports” on Polycom systems, as opposed to dynamic.

Other Polycom ViewStation Ports:
· 21 (FTP) – Software Updates & GMS Provisioning
· 23 (Telnet) – For Diagnostics & API Control
· 3220 to 3225 – TCP Ports
· 3230 to 3247 – UDP Ports

Other ViaVideo Ports:
· 3604 (GMS Server Discovery) (Used by ViaVideo) (Broadcast)

Accord (Polycom Network Systems) Additional Ports:
· 5001 – Static TCP – MGC Manager (5003 can be chosen instead within MGC)
· 21 – Static TCP – FTP (retrieve MGC config files, etc.)

RADVision Additional:
· 1820 – Gateway Signaling/Call Setup
· 2720 – MCU Signaling/Call Setup

D-Link DVC-1000 Ports:
Port 1720 (TCP) and the 6 ports 15328-15333 (TCP and UDP) need to be forwarded. D-Link indicates that NetMeeting and H.323 cannot co-exist behind the same router simultaneously.


Typical ports used for video conferencing

By peter.stilgoe

Typical ports that need to be opened on the firewall:

· 80 (TCP) – HTTP – Optional for external administration
· 389 (TCP) – LDAP – ILS registration
· 1503 (TCP) – T.120
· 1720 (TCP) – H.323 – H.323 call setup
· 1731 (TCP) – H.323 – H.323 audio call control
· 1024-65535 (UDP) – H.245, RTP, RTCP – Various audio/video controls

As the above list shows, opening the required ports can leave a number of large “holes” in the firewall. Polycom and Tandberg video conference units do give you the option to set a predetermined range instead of opening up the entire range of 1024-65535 (UDP). However, there is one caveat with this: whatever port range is chosen, it must be set to exactly the same range on both units that are connecting. This can be a challenge, especially when both devices are not managed by the same department or organization. Additionally, some devices will not work with the manual configuration of ports (especially if they are from different manufacturers). That being said, the recommended configuration is to open up the full port range (1-65535) for TCP and UDP.
