Aethra Vega X3 User Manual page 98


Because they have private addresses, and are therefore not accessible from outside
the NAT, terminals on the LAN cannot be reached by externally originating calls. Even
if they initiate calls to external terminals, a problem still arises. When the call is
initiated, the IP address of the calling terminal is contained in the payload of the
packet sent. The destination terminal receives call setup packets, examines them and
starts to transmit audio and video towards the terminal from which the call was
received, and from which the IP address was obtained by examining the contents of
the received packets.
If this IP address is private, the Internet access router discards the audio and
video packets that the external terminal sends towards the internal terminal,
because packets addressed to a private address are not routable. The connection
between the two terminals appears to be successful, but in reality the NAT-internal
terminal never receives the audio or video from the external terminal.
Solution for the NAT/Firewall Problem
The only equipment that does not create any of the problems described above is an
H.323-compatible NAT/firewall device. Such a firewall does not block TCP port 1720
and allows access to the other, dynamically determined H.323 ports.
Videoconferencing systems usually have private IP addresses that are not accessible
from external routers. To allow calls to function properly, the network administrator
can define static NAT (a permanent association between a private IP address and a
public IP address reserved for H.323 videoconferences) for every terminal that must
be accessible from an external connection.
The NAT device substitutes the static IP address in both the header and the payload
of the setup packet sent from the internal terminal to the external terminal. The destination
terminal uses that address for addressing the reply packets, which are routed through
the NAT device to the internal terminal.
Firewall ALG
Application Level Gateways (ALGs) are firewalls programmed to recognize specific IP
protocols like H.323. Instead of looking only at the information contained in packet
headers to determine whether to transmit or block packets, ALGs analyze in detail the
data contained in the packet payload. The H.323 protocol inserts important control
information, such as audio and video port identification, in the packet payload. The
terminal expects to receive audio and video connections from the remote calling
terminal on these ports. By analyzing which port the terminal expects to use, the ALG
dynamically opens only those ports, leaving the others closed to preserve network
security. An example of a firewall ALG follows.
The Aethra Application Level Gateway is present in the Aethra Stargate xDSL Router
and allows any videoconferencing terminal, independent of its manufacturer, to resolve
the NAT/firewall problem. The Stargate router is capable of checking every incoming
and outgoing H.323 call and dynamically opening only the ports being used for the
H.323 videoconference.
The Stargate router also supports NAT functionality and is therefore capable of
substituting the public NAT address for the private IP address automatically inserted in
the H.323 payload packets by the internal terminal. When the Aethra ALG functionality
is used with an Aethra videoconferencing system, the "Aethra NAT" function of the
videoconferencing system must be disabled because the network equipment is H.323
compatible.
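
The following model is an added example, not taken from the manual or from Aethra equipment. It shows why header-only NAT leaves an unroutable private address in the call setup payload, and how an ALG that rewrites the payload and opens only the announced media ports resolves it. The Setup class is a simplified stand-in for an H.323 setup message (not the real encoding), and all addresses, ports and class names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: static NAT mapping (private -> public) and RFC 1918 ranges.
STATIC_NAT = {"192.168.1.20": "203.0.113.20"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Setup:
    """Simplified stand-in for an H.323 setup message (not the real encoding)."""
    src_ip: str         # source address in the IP header
    media_ip: str       # address the terminal wrote into the payload
    media_ports: tuple  # audio/video ports announced in the payload

def header_only_nat(msg):
    """Plain NAT: translates the header, leaves the payload address private."""
    return Setup(STATIC_NAT[msg.src_ip], msg.media_ip, msg.media_ports)

def media_reachable(msg):
    """True if the far end can route media to the address in the payload."""
    addr = ipaddress.ip_address(msg.media_ip)
    return not any(addr in net for net in RFC1918)

class Alg:
    """Hypothetical ALG: rewrites the payload and opens only the announced ports."""
    def __init__(self):
        self.pinholes = set()  # (private_ip, port) pairs accepted inbound

    def outbound(self, msg):
        public = STATIC_NAT[msg.src_ip]
        self.pinholes.update((msg.src_ip, p) for p in msg.media_ports)
        return Setup(public, public, msg.media_ports)

    def inbound(self, dst_public, port):
        """Return the private destination, or None when the packet is dropped."""
        for private, public in STATIC_NAT.items():
            if public == dst_public and (private, port) in self.pinholes:
                return private
        return None

    def call_ended(self, private_ip):
        """Close every pinhole opened for this terminal."""
        self.pinholes = {h for h in self.pinholes if h[0] != private_ip}
```

Closing the pinholes in call_ended is an assumption of this model; the manual only states that the ALG opens the ports in use.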