https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2519#M1875 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>Is your end device Call server/PBX is NAT aware..? Is there a predict session available&nbsp; from the signaling session...?</P><P></P><P>I would suggest you to enable packet capture for ingress and egress on the PAN firewall just to see, the Layer-7 Payload and how it modified by PAN.</P><P></P><P>Please find below few related discussions:</P><P></P><P><A href="https://live.paloaltonetworks.com/message/21721">nat</A></P><P><A href="https://live.paloaltonetworks.com/message/23792">Polycom Real Presence issue</A></P><P></P><P>Thanks</P></BODY></HTML> Thu, 23 Jan 2014 01:06:30 GMT HULK 2014-01-23T01:06:30Z https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2518#M1874 <HTML><HEAD></HEAD><BODY><P>Ok. So, I'm running the 5.0.10 PAN. We are in the middle of a Polycom installation. Internal traffic within the polycom system is working fine (since no FW is in place). The problem is of course the outside users. We are using NAT for external stuff. I created a single Inbound rule (Untrust-&gt;trust) to the RPAD server. No Applications selected. Instead I specified all the port numbers as custom services and attached them to the rule.</P><P></P><P>When a user tries to connect, the call is connected and the user is registered. However, no media/content would go through. As a side note, SIP works external, but not H.323.</P><P></P><P>Any ideas?</P><P></P><P>-Frank - West Chester University</P></BODY></HTML> Thu, 23 Jan 2014 00:37:55 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2518#M1874 FrankPiscitello-WCU 2014-01-23T00:37:55Z https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2519#M1875 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>Is your end device Call server/PBX is NAT aware..? Is there a predict session available&nbsp; from the signaling session...?</P><P></P><P>I would suggest you to enable packet capture for ingress and egress on the PAN firewall just to see, the Layer-7 Payload and how it modified by PAN.</P><P></P><P>Please find below few related discussions:</P><P></P><P><A href="https://live.paloaltonetworks.com/message/21721">nat</A></P><P><A href="https://live.paloaltonetworks.com/message/23792">Polycom Real Presence issue</A></P><P></P><P>Thanks</P></BODY></HTML> Thu, 23 Jan 2014 01:06:30 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2519#M1875 HULK 2014-01-23T01:06:30Z https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2520#M1876 <HTML><HEAD></HEAD><BODY><P>So, we got it working. Application Override is where we had to go. We setup an application "Polycom" and put ALL the tcp/udp ports required to connect to the RPAD system. Then I put 4 application over-ride policies in place. 2 for Outbound from the RPAD (TCP/UDP) and 2 for Inbound (TCP/UDP) both pointing to the "Polycom" application Object I made earlier.</P><P></P><P>I then had connections made and verified through the traffic log that the inbound/outbound traffic was being IDed as "Polycom" not H323, SIP, etc... Dials were made and media was connected.</P></BODY></HTML> Thu, 23 Jan 2014 16:46:49 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2520#M1876 FrankPiscitello-WCU 2014-01-23T16:46:49Z https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2521#M1877 <HTML><HEAD></HEAD><BODY><P>Thanks for your update here. If <SPAN class="GINGER_SOFTWARE_mark">app</SPAN>-override solved the problem here, it means the PAN&nbsp; FW was changing the payload information from the layer-7 which was not acceptable for your end server. Hence, your end server/call manager/PBX is a NAT aware box.</P><P></P><P>This type of situation could handle in 2 ways:</P><P>a. Make the end system, NAT aware and create an application-override in PAN firewall for signaling and media traffic.</P><P>OR</P><P>b. Make the server as a legacy device (no NAT aware) and do the pinholing at the PAN firewall.</P><P></P><P>Hope this helps</P><P></P><P>Thanks</P></BODY></HTML> Thu, 23 Jan 2014 17:44:33 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2521#M1877 HULK 2014-01-23T17:44:33Z https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2522#M1878 <HTML><HEAD></HEAD><BODY><P>The real question is, why would PAN be modified the payload of layer-7 during the App-ID phase?</P></BODY></HTML> Fri, 24 Jan 2014 20:13:14 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-with-polycom-rpad-real-presence/m-p/2522#M1878 FrankPiscitello-WCU 2014-01-24T20:13:14Z