
How much do you know about the network firewall traversal of multimedia communication?

2025-01-17 Update. From: SLTechnology News&Howtos (shulou) > Network Security

Shulou (Shulou.com) 06/01 Report

Why revisit network firewall traversal today? Because traversal problems keep coming up in daily project and operations work: for example, mobile terminals on the external network accessing a Huawei office telephone system to join video conferences and make calls, or external-network terminals accessing a Huawei high-definition video conference system to join conferences. None of these scenarios work without one thing: traversal between the public network and the private network. This article briefly reviews and summarizes the background, principles and solutions of network firewall traversal. The mind map is as follows.

Review of firewall knowledge: what is a firewall?

A firewall is a protective barrier, built from software and hardware devices, deployed at the boundary between intranet and extranet, or between a private network and a public network. It combines computer hardware and software to establish a security gateway between the Internet and the intranet, protecting the intranet from unauthorized users. A firewall is mainly composed of four parts: service access rules, verification tools, packet filtering and an application gateway.

What is network firewall traversal?

As the name implies, it means passing through the firewall in a legitimate way (not circumventing it). For the sake of network security, large enterprises deploy many firewalls, NAT devices (network address translation: when an internal terminal accesses the external network, its address must be translated), security inspection devices and similar equipment at every boundary between the internal and external networks. Some applications are special: these devices cannot satisfy their communication requirements, so the applications become unusable. In that case a device is needed behind the firewall that takes on these special functions and helps traffic from the external network pass smoothly through the firewall and communicate with equipment on the internal network.

Why is firewall traversal needed?

The meaning of firewall traversal has been covered above; this section explains, from the perspective of multimedia communication, why it is necessary.

Usually a NAT/firewall device translates only the addresses and port numbers in the IP and UDP/TCP headers (the so-called network layer) and does not touch the media connection information (application layer) carried in the message body. As a result, a NAT/firewall does not support effective transmission of IP communication protocols such as SIP/H.323/H.248/MGCP (today's multimedia communication protocols are mainly SIP and H.323).

For example, after the terminal user registers across the external network, the private-network address is recorded on the call control device. When a private-network terminal calls a public-network terminal, the private-network terminal can obtain the public-network terminal's IP address from the gateway it registered with. However, under the constraints of the H.323 protocol, the receiving and sending ports for the video and audio RTP streams are different, as shown in the figure below. The RTP stream that the private-network terminal sends to the public-network terminal (at its public IP) is received normally, but when the public-network terminal sends its RTP stream back to the private-network terminal (to the public address mapped by its NAT), the IP address carried inside is not translated as it passes through the NAT device, so the stream cannot get through the NAT device. The result is one-way media: only one direction gets through.

When a public-network terminal calls a private-network terminal, the called address is directly the public-network address mapped for the private-network terminal; since the NAT device does not support H.323 protocol translation, the call cannot be established.

How to get through the firewall?

Static NAT: for each terminal in the private network, configure a static NAT entry on the firewall/NAT device, that is, a one-to-one mapping between the private-network address and a public-network address.

NAT devices that support the H.323 protocol: firewall devices that dynamically support H.323 NAT can understand the contents of the H.323 protocol and directly translate the H.323 IP streams, so that terminals on the enterprise's internal LAN are effectively placed on the public network and can communicate with external terminals without obstruction.

H.323 proxy for public/private network traversal: a PC is used as a proxy device at the firewall exit. In this approach an H.323 proxy must be placed behind each firewall, and the proxy must be assigned a public IP address.
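As an added example (not code from the article or from any product it names), the following Python simulation shows the problem described in the previous section and the protocol-aware NAT solution just listed: a header-only NAT leaves the private address inside the signaling body, so the far end sends RTP to an unroutable address, while an application-layer rewrite (the ALG/SBC behaviour described above for H.323-aware NAT, shown here with SIP/SDP because its messages are plain text) fixes those fields. The INVITE, addresses and port numbers are all constructed for illustration, and the final function is the check a troubleshooter would run over a captured INVITE.

```python
import ipaddress
import re

# Constructed sample: a SIP INVITE sent by a private-network terminal. The outer
# IP/UDP header carries the source tuple; Via, Contact and SDP c=/m= are payload.
INVITE = (
    "INVITE sip:bob@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bKabc\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
PRIVATE_SRC = ("192.168.1.20", 5060)   # constructed outer source tuple
NAT_PUBLIC_IP = "198.51.100.5"         # constructed NAT public address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def plain_nat(src, payload):
    """Header-only NAT: translates the outer IP/UDP tuple, leaves the payload as is."""
    return (NAT_PUBLIC_IP, 40000), payload

def sip_alg(src, payload):
    """Protocol-aware NAT (ALG/SBC): also rewrites the application-layer addresses
    and pin-holes a public port for the RTP stream advertised in the m= line."""
    pub = (NAT_PUBLIC_IP, 40000)
    payload = payload.replace(f"{src[0]}:{src[1]}", f"{pub[0]}:{pub[1]}")   # Via, Contact
    payload = payload.replace(f"IN IP4 {src[0]}", f"IN IP4 {pub[0]}")        # o=, c=
    payload = re.sub(r"^m=audio \d+", "m=audio 40002", payload, flags=re.M)  # mapped RTP port
    return pub, payload

def media_destination(payload):
    """Address and port the far end will send RTP to, as advertised in the SDP."""
    ip = re.search(r"^c=IN IP4 (\S+)", payload, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", payload, re.M).group(1))
    return ip, port

def one_way_media_risk(outer_src_ip, payload):
    """Troubleshooting check on a captured INVITE: the packet arrived from a public
    source, yet the SDP still advertises a private address, so return RTP will be
    sent into an unroutable network (the one-way media symptom)."""
    sdp_ip, _ = media_destination(payload)
    return not is_private(outer_src_ip) and is_private(sdp_ip)
```

Running `sip_alg(PRIVATE_SRC, INVITE)` leaves no private address in the message, while `plain_nat` returns the INVITE unchanged and `one_way_media_risk` flags it.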

Industry solutions and products

What I know so far is the fast SBC series (SX1000, SX300) and Huawei SE2000 and SwitchCenter (SC).

For video conferencing we use Huawei SC, networked as follows:

Networking instructions:

1. The SC is placed in the DMZ area of the firewall, and NAT is configured to map it to the public network.

2. The terminal registers with the SC through the SC's private-network address or public-network address.

3. A local private network must be defined; it is used to set the call address for the SC.

4. The terminal registers with the SC using the H.323 or SIP protocol, and the SC is responsible for the entire call control (signaling processing and media stream forwarding).

Thoughts and summary

Through this review we have gained a basic understanding of one multimedia communication scenario: external-network access to video conferencing. Multimedia communication depends on nothing more than two things: the signaling flow, which completes terminal registration and connection setup and maintenance, and the media stream (or code stream) transmission. Signaling transmission problems lead to registration failures and calls that cannot be initiated; media stream anomalies lead to missing audio or video. In daily troubleshooting, we first need an understanding of the communication protocol, and then analyze the specific implementation process through packet capture. Next we will discuss the multimedia communication protocols H.323 and SIP and their communication mechanisms!
