Restrict MOC 2007 R2 client mediaports via GPO

  • Question

  • We have a scenario where it's necessary to restrict the UDP & TCP mediaports used in MOC-MOC calls for a specific group of users; the rest of the users using the same front end server do not require any media port restrictions.


    We can restrict the ports using the port range (MaxMediaPort & MinMediaPort) GPO setting for this specific group, but what happens when a non-restricted user calls a user with restricted mediaports? Do the MOC clients negotiate the ports based on the MOC client with the more restricted port settings, or will the call just fail?

    Tuesday, May 4, 2010 1:49 PM

Answers

  • Hi,

    According to Elan Shunow's excellent blog post, you need to have the ports set on both caller and callee for the setting to take effect. In that case, I'm pretty sure they will just use the regular non-restricted port range. And if you are blocking most of those ports, the call will likely fail.

    I'd recommend setting the port range on one client to some small (50 ports) range and then run a wireshark capture on both clients to see what happens.

    Regards,

    Matt



    Matt McGillen, PointBridge - https://blogs.pointbridge.com/Blogs/mcgillen_matt/default.aspx
    • Proposed as answer by Ben-Shun Zhu Wednesday, May 5, 2010 10:14 AM
    • Marked as answer by Ben-Shun Zhu Friday, May 14, 2010 8:33 AM
    Tuesday, May 4, 2010 8:20 PM
  • I don't see a reason why you shouldn't limit all users instead of just your specific group. In my opinion you should restrict everyone based on the specific group restriction, or else they will use any port from 1024 to 65535. Hard to manage sometimes.

    Just make sure you leave enough ports open, see here:

    http://technet.microsoft.com/en-us/library/dd425164%28office.13%29.aspx

    Configuring a minimum of 40 ports will enable the client to evaluate the candidate transport addresses that it can use to stream audio, video, and data to another client, as described in the IETF Interactive Connectivity Establishment (ICE) protocol. Candidate addresses include local addresses and an address on the A/V Access Edge server. A minimum of 40 ports in the port range will also accommodate any escalations from a peer-to-peer call to a conference. (An escalation of a peer-to-peer call to a conference triggers a temporary doubling of the ports in use.)


    Hugo Picão MCSE / MCTS http://hpicao.blogspot.com/
    • Proposed as answer by Ben-Shun Zhu Thursday, May 6, 2010 7:52 AM
    • Marked as answer by Ben-Shun Zhu Friday, May 14, 2010 8:33 AM
    Wednesday, May 5, 2010 12:54 PM
  • Thanks for your response, we will most probably restrict all users to 500 ports; this should be enough for most usage scenarios.

    Decided just out of curiosity to restrict the ports on one MOC client and call another client with no restrictions. The calls worked (two-way audio); the restricted client used source ports in the restricted range (UDP/6500-6999) and the non-restricted client used any high port randomly as source port.

    MOC_A -> MOC_B communicator call with MOC_A ports restricted to 6500-6999.
    Src:192.168.0.50(MOC_A) Dst:192.168.0.78(MOC_B) UDP Source port: 6540,  Destination port: 23035
    Src:192.168.0.78(MOC_B) Dst:192.168.0.50(MOC_A) UDP Source port: 23035,  Destination port: 6540

    MOC_B -> MOC_A communicator call with MOC_A ports restricted to 6500-6999.
    Src:192.168.0.78(MOC_B) Dst:192.168.0.50(MOC_A) UDP Source port: 21832,  Destination port: 6886
    Src:192.168.0.50(MOC_A) Dst:192.168.0.78(MOC_B) UDP Source port: 6886,  Destination port: 21832


    • Marked as answer by Ben-Shun Zhu Friday, May 14, 2010 8:33 AM
    Thursday, May 6, 2010 9:54 AM
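A small check, added here and not part of the thread, that turns the capture lines quoted above into a policy-compliance test: it parses each packet line, looks up the GPO port range deployed to each client, and reports any packet where a restricted client used a media port outside its range. It also applies the 40-port minimum from the TechNet excerpt. The line format, the `POLICY` table and the client names are taken from the posts above; the regex and function names are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four capture lines quoted in the thread above
# (MOC_A restricted to 6500-6999 by GPO, MOC_B unrestricted).
CAPTURE = """
Src:192.168.0.50(MOC_A) Dst:192.168.0.78(MOC_B) UDP Source port: 6540,  Destination port: 23035
Src:192.168.0.78(MOC_B) Dst:192.168.0.50(MOC_A) UDP Source port: 23035,  Destination port: 6540
Src:192.168.0.78(MOC_B) Dst:192.168.0.50(MOC_A) UDP Source port: 21832,  Destination port: 6886
Src:192.168.0.50(MOC_A) Dst:192.168.0.78(MOC_B) UDP Source port: 6886,  Destination port: 21832
"""

# Per-client (MinMediaPort, MaxMediaPort) as pushed by GPO; None = no restriction.
POLICY: Dict[str, Optional[Tuple[int, int]]] = {"MOC_A": (6500, 6999), "MOC_B": None}

# Matches the "Src:ip(name) Dst:ip(name) PROTO Source port: n, Destination port: n" form.
LINE_RE = re.compile(
    r"Src:(?P<src_ip>[\d.]+)\((?P<src>\w+)\)\s+Dst:(?P<dst_ip>[\d.]+)\((?P<dst>\w+)\)\s+"
    r"(?P<proto>UDP|TCP)\s+Source port:\s*(?P<sport>\d+),\s*Destination port:\s*(?P<dport>\d+)"
)

def parse_capture(text: str) -> List[dict]:
    """Parse capture lines into dicts; lines that do not match are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            packets.append(d)
    return packets

def range_is_sane(rng: Tuple[int, int]) -> bool:
    """Apply the TechNet guidance quoted above: at least 40 ports in the range."""
    lo, hi = rng
    return 0 < lo <= hi <= 65535 and (hi - lo + 1) >= 40

def find_violations(packets: List[dict], policy: Dict[str, Optional[Tuple[int, int]]]) -> List[str]:
    """Report every packet where a restricted client's own port lies outside its GPO range."""
    out = []
    for p in packets:
        for host, port in ((p["src"], p["sport"]), (p["dst"], p["dport"])):
            rng = policy.get(host)
            if rng is not None and not (rng[0] <= port <= rng[1]):
                out.append(f"{host} used {p['proto']}/{port} outside {rng[0]}-{rng[1]}")
    return out

if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    print(f"{len(pkts)} packets parsed; violations: {find_violations(pkts, POLICY) or 'none'}")
```

Running it against the thread's capture reports no violations, which is the observed behaviour; re-running with MOC_B also restricted flags its random high ports, which is what you would see if the policy were applied to only one side of a call.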
