I have BPOS Live Meeting users sitting behind a Forefront TMG 2010 server, and they are unable to join a Live Meeting video conference. They can connect to the Live Meeting session, but when they try to share their video, they show as connected for a few seconds and then get a Voice and Video Error Information window stating that their audio/video session was unexpectedly disconnected. The TMG server is a Windows 2008 R2 64-bit server and the domain controller is Windows Server 2003. The users are on either Windows 7 or Windows XP.
I have tried setting the Live Meeting client ports in the TMG server per http://technet.microsoft.com/en-us/library/bb870402(office.12).aspx, but I do not understand how to set ports 1024-65535 TCP/UDP in the TMG server. I do not have a lot of TMG or ISA Server experience, so details of how to set the server up to allow these Live Meeting video sessions would be very helpful. All users behind the TMG server are allowed outbound HTTP & HTTPS by a rule in the TMG server.
1) Do you see any Deny entries in live logging? You can filter by client IP or destination IP as well.
2) To create a protocol object, first click Firewall Policy in the left tree. Once it is highlighted, in the third pane on the far right click Toolbox > Protocols > New > Protocol, and complete the wizard.
1) The only deny rule is the last rule, which is the default deny-all rule, but I do not have any rule that allows live logging. Should I create a logging rule under Logs and Reports?
2) I understand how to create a new protocol, but not one for TCP/UDP 1024-65535. First, if 1024-65535 means the port range, that seems like an excessive number of ports to open up to me. Second, I do not see any way to create a combined TCP/UDP protocol, only one or the other. So I do not understand how to configure the protocol for TCP/UDP 1024-65535 as listed in the link above.
The video conferencing server definitely is a port hog, so the numbers are correct. What you need to do is open ports 1024-65535 in a UDP rule and again in a TCP rule. Two rules instead of one combined rule. Some routers allow you to combine them, some don't.
This is not entirely true; you should NOT open all ports as mentioned by ED.
Instead you need to select ports that fall within the range recommended by the manufacturer or vendor. For example, if you have a LifeSize conference system and you need to set up a rule on the TMG 2010 server, you will need to select something similar to the following as a small range of ports to allow the corresponding connections for both voice and video, as this is really what you need. The example below will allow up to an eight-way video and audio conference session (don't forget you need ports for any presentations).
56 UDP ports: 60000-60055 (you only need to open 56 UDP ports to allow an eight-way conference session)
14 TCP ports: 60000-60013 (you only need 14 TCP ports for an eight-way conference session)
Note: you also need to allow H.323 if you are using this protocol for your conferences (TCP port 1720), which also requires the H.323 application filter; UDP port 5060 for SIP call negotiation, and TCP port 5060 if TCP signaling is enabled for SIP calls. You may also need port 5061 if TLS signaling is enabled.
If you are using H.323, make sure you read up about the vulnerabilities of H.323 and how to stay protected with gateway requests, etc.
I am not an expert on TMG or conference systems by any degree, and someone with more knowledge may like to add to what I have written, or correct me where I am wrong. One thing is for sure: if you were to open the range of ports suggested by ED, you might as well not have bothered to purchase a firewall. The idea is to reduce the surfaces available for attack by "would-be hackers", and then ensure the ports that are open are well monitored and any suspicious behaviour on your firewall is noted and looked into.
Thanks and hope what I have written above is useful! Please propose as answer if you feel this answers your question.
- Edited by Flying in the Face of IT, 23 November 2011 6:07
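The two open questions in this thread are how to build a protocol definition for a TCP and a UDP port range at all, and how narrow that range should be. The script below is an added example, not code from any of the posters, that does both through the TMG COM object model (FPC.Root) from PowerShell on the TMG server itself: it creates one protocol definition carrying the restricted UDP 60000-60055 and TCP 60000-60013 ranges from the post above, and an access rule allowing it outbound from the built-in Internal network to External. A single TMG protocol definition can hold several primary connections of different types (the built-in DNS definition has both TCP 53 and UDP 53), so TCP and UDP do not need two separate elements. The protocol and rule names are placeholders; the direction and action constants are the numeric values of the ISA/TMG SDK enumerations as I know them and should be checked against the SDK on your server; the media port ranges themselves must come from your conferencing vendor's documentation, not from this script.

```powershell
# Added example (not from any post in this thread): create one TMG protocol
# definition holding both a UDP and a TCP port range, then an access rule
# allowing it outbound. Run in an elevated PowerShell session on the TMG 2010
# server (the FPC.Root COM object exists only there). Names and ranges below
# are placeholders taken from the thread; substitute your vendor's values.
param(
    [string]$ProtocolName = 'LifeSize AV media (example)',
    [string]$RuleName     = 'Allow LifeSize AV media outbound (example)',
    [int]$UdpLow = 60000, [int]$UdpHigh = 60055,   # 56 UDP ports quoted above
    [int]$TcpLow = 60000, [int]$TcpHigh = 60013    # 14 TCP ports quoted above
)

# Numeric values of the SDK enumerations (assumed; verify against the SDK):
$fpcOutbound              = 1   # FpcConnectionDirectionType: inside opens TCP to outside
$fpcSendReceive           = 3   # FpcUDPConnectionDirectionType: inside sends first, replies allowed
$fpcInclude               = 0   # FpcIncludeStatus: include the referenced element
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType: only the listed protocols

$fpc   = New-Object -ComObject 'FPC.Root'
$array = $fpc.GetContainingArray()

# Refuse to silently duplicate a protocol element that already exists.
$protos = $array.RuleElements.ProtocolDefinitions
if ($protos | Where-Object { $_.Name -eq $ProtocolName }) {
    throw "Protocol definition '$ProtocolName' already exists; remove or rename it first."
}

$proto = $protos.Add($ProtocolName)
$proto.Description = "Restricted media ports: UDP $UdpLow-$UdpHigh, TCP $TcpLow-$TcpHigh"
# Both transports go into the same definition as separate primary connections.
[void]$proto.PrimaryConnections.AddUDP($fpcSendReceive, $UdpLow, $UdpHigh)
[void]$proto.PrimaryConnections.AddTCP($fpcOutbound, $TcpLow, $TcpHigh)
$proto.Save()

# Access rule: Internal -> External, only this protocol, allow.
$rules = $array.ArrayPolicy.PolicyRules
if ($rules | Where-Object { $_.Name -eq $RuleName }) {
    throw "Access rule '$RuleName' already exists; remove or rename it first."
}
$rule = $rules.AddAccessRule($RuleName)
$rule.Action = $fpcPolicyRuleActionAllow
$rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
[void]$rule.AccessProperties.SpecifiedProtocols.Add($ProtocolName, $fpcInclude)
[void]$rule.SourceSelectionIPs.Networks.Add('Internal', $fpcInclude)
[void]$rule.AccessProperties.DestinationSelectionIPs.Networks.Add('External', $fpcInclude)
$rule.Save()

Write-Output "Created protocol '$ProtocolName' and rule '$RuleName'."
Write-Output "Check the rule's position relative to your other rules in the console, then apply any pending changes."
```

The rule is left scoped to all users, matching the existing outbound HTTP/HTTPS rule described in the question; if you want it restricted to the conferencing clients only, add a computer set or user set to the rule before saving. After the change, the quickest check is the one suggested earlier in the thread: filter live logging by a client's IP while it joins a session and confirm there are no Denied entries for the new ranges.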