01-22-2014 04:37 PM
OK. So, I'm running the 5.0.10 PAN. We are in the middle of a Polycom installation. Internal traffic within the Polycom system is working fine (since no FW is in place). The problem is of course the outside users. We are using NAT for external stuff. I created a single inbound rule (Untrust->Trust) to the RPAD server. No applications selected. Instead I specified all the port numbers as custom services and attached them to the rule.
When a user tries to connect, the call is connected and the user is registered. However, no media/content would go through. As a side note, SIP works external, but not H.323.
Any ideas?
-Frank - West Chester University
01-22-2014 05:06 PM
Hello Sir,
Is your end device (call server/PBX) NAT aware? Is there a predict session available from the signaling session?
I would suggest you enable packet capture for ingress and egress on the PAN firewall, just to see the Layer-7 payload and how it is modified by PAN.
Please find below a few related discussions:
Thanks
01-23-2014 08:46 AM
So, we got it working. Application Override is where we had to go. We set up an application "Polycom" and put ALL the TCP/UDP ports required to connect to the RPAD system. Then I put 4 application override policies in place: 2 for outbound from the RPAD (TCP/UDP) and 2 for inbound (TCP/UDP), both pointing to the "Polycom" application object I made earlier.
I then had connections made and verified through the traffic log that the inbound/outbound traffic was being IDed as "Polycom" not H323, SIP, etc... Dials were made and media was connected.
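The traffic-log check described in the post above can be scripted; this is an added example, not part of the original thread or Palo Alto's tooling. It also flags sessions labelled "Polycom" that do not involve the RPAD server, since traffic matched by an application override bypasses App-ID and the rule should stay scoped to that host. The RPAD address, port list, column names and log rows are all constructed for illustration.

```python
import csv
import io

RPAD_IP = "192.0.2.10"      # constructed address standing in for the RPAD server
OVERRIDE_APP = "Polycom"    # custom application name used in the thread
# Constructed subset of ports; use the full list from the override policies.
OVERRIDE_PORTS = {("tcp", 1720), ("tcp", 5060), ("udp", 5060)}

# Constructed traffic-log export with simplified, hypothetical column names.
SAMPLE_LOG = """src,dst,proto,dport,app
198.51.100.7,192.0.2.10,tcp,1720,Polycom
198.51.100.7,192.0.2.10,udp,5060,sip
192.0.2.10,198.51.100.7,tcp,5060,Polycom
198.51.100.9,192.0.2.44,tcp,1720,Polycom
198.51.100.9,192.0.2.10,tcp,443,ssl
"""

def classify(row):
    """Return a verdict for one log row relative to the override's intended scope."""
    touches_rpad = RPAD_IP in (row["src"], row["dst"])
    on_override_port = (row["proto"], int(row["dport"])) in OVERRIDE_PORTS
    is_override_app = row["app"] == OVERRIDE_APP
    # Labelled Polycom but outside the RPAD/port scope: override matches too much.
    if is_override_app and not (touches_rpad and on_override_port):
        return "override-too-broad"
    # RPAD traffic on an override port still identified by App-ID: rule not matching.
    if touches_rpad and on_override_port and not is_override_app:
        return "override-missed"
    if is_override_app:
        return "ok"
    return "not-in-scope"

def audit(log_text):
    """Group log rows by verdict."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        findings.setdefault(classify(row), []).append(row)
    return findings

if __name__ == "__main__":
    for verdict, rows in audit(SAMPLE_LOG).items():
        for r in rows:
            print(f"{verdict:18} {r['src']} -> {r['dst']} "
                  f"{r['proto']}/{r['dport']} app={r['app']}")
```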
01-23-2014 09:44 AM
Thanks for your update here. If app-override solved the problem here, it means the PAN FW was changing the payload information at layer 7, which was not acceptable for your end server. Hence, your end server/call manager/PBX is a NAT-aware box.
This type of situation could be handled in 2 ways:
a. Make the end system NAT aware and create an application-override in the PAN firewall for signaling and media traffic.
OR
b. Make the server a legacy device (not NAT aware) and do the pinholing at the PAN firewall.
Hope this helps
Thanks
01-24-2014 12:13 PM
The real question is, why would PAN be modifying the payload of layer-7 during the App-ID phase?