PAN with Polycom RPAD (Real Presence)

Ok. So, I'm running the 5.0.10 PAN. We are in the middle of a Polycom installation. Internal traffic within the Polycom system is working fine (since no FW is in place). The problem is of course the outside users. We are using NAT for external stuff. I created a single inbound rule (Untrust->Trust) to the RPAD server. No applications selected. Instead I specified all the port numbers as custom services and attached them to the rule.

When a user tries to connect, the call is connected and the user is registered. However, no media/content would go through. As a side note, SIP works external, but not H.323.

Any ideas?

-Frank - West Chester University

Accepted Solutions

So, we got it working. Application Override is where we had to go. We set up an application "Polycom" and put ALL the TCP/UDP ports required to connect to the RPAD system. Then I put 4 application override policies in place: 2 for outbound from the RPAD (TCP/UDP) and 2 for inbound (TCP/UDP), all pointing to the "Polycom" application object I made earlier.

I then had connections made and verified through the traffic log that the inbound/outbound traffic was being IDed as "Polycom", not H323, SIP, etc. Dials were made and media was connected.
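The traffic-log check described in the accepted solution, as an added example that is not part of the original post or any Palo Alto tooling. It assumes the log was exported to a simplified CSV; the RPAD address, the port list and the column names are placeholders.

```python
import csv
import io

# Assumptions (not from the original post): the RPAD address, the port
# list and the CSV column names are placeholders for this example.
RPAD_IP = "192.0.2.10"
OVERRIDE_APP = "Polycom"
OVERRIDE_PORTS = {"tcp": "1720,5060-5061", "udp": "5060,16386-25386"}

# Constructed sample rows, not real firewall output.
SAMPLE_LOG = """src,dst,proto,dport,app
198.51.100.7,192.0.2.10,tcp,1720,Polycom
198.51.100.7,192.0.2.10,udp,16400,Polycom
198.51.100.9,192.0.2.10,tcp,5060,sip
192.0.2.10,198.51.100.7,udp,20000,Polycom
198.51.100.9,192.0.2.55,tcp,1720,Polycom
198.51.100.9,192.0.2.10,tcp,8443,ssl
"""

def parse_ports(spec):
    """Expand a spec such as '1720,5060-5061' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(log_text):
    """Sort log rows (1-based) by how the override treated them."""
    allowed = {proto: parse_ports(s) for proto, s in OVERRIDE_PORTS.items()}
    result = {"ok": [], "missed": [], "too_broad": []}
    for n, row in enumerate(csv.DictReader(io.StringIO(log_text)), start=1):
        # In scope: RPAD is one endpoint and the port is on the override list.
        in_scope = (RPAD_IP in (row["src"], row["dst"])
                    and int(row["dport"]) in allowed.get(row["proto"], set()))
        overridden = row["app"] == OVERRIDE_APP
        if in_scope and overridden:
            result["ok"].append(n)          # override applied as intended
        elif in_scope:
            result["missed"].append(n)      # App-ID still classifying it
        elif overridden:
            result["too_broad"].append(n)   # override hit unintended traffic
    return result

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Traffic matched by an override to a custom application bypasses App-ID and layer-7 threat inspection, so the `too_broad` list is the one to keep empty.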

4 REPLIES 4

L7 Applicator

Hello Sir,

Is your end device (call server/PBX) NAT aware? Is there a predict session available from the signaling session?

I would suggest you enable packet capture for ingress and egress on the PAN firewall, just to see the Layer-7 payload and how it is modified by PAN.

Please find below a few related discussions:

nat

Polycom Real Presence issue

Thanks

Thanks for your update here. If app-override solved the problem here, it means the PAN FW was changing the layer-7 payload information, which was not acceptable to your end server. Hence, your end server/call manager/PBX is a NAT-aware box.

This type of situation can be handled in 2 ways:

a. Make the end system NAT aware and create an application override on the PAN firewall for signaling and media traffic.

OR

b. Make the server a legacy device (not NAT aware) and do the pinholing at the PAN firewall.

Hope this helps

Thanks

The real question is, why would PAN be modifying the layer-7 payload during the App-ID phase?
