
ISA Server 2004 with a Polycom 7000e VSX

I have a customer who recently replaced a braindead port-filtering NAT "firewall" with a real firewall, namely an HP ProLiant DL320 ISA Server 2004 Appliance (purchased from Business Smarts). Because ISA Server 2004 is an intelligent firewall that actually inspects application traffic, an application protocol that tries to be too intelligent itself can cause problems.

This was the case with this customer and their Polycom 7000e VSX videoconferencing unit. The Polycom is a SIP-compliant and H.323-compliant device that allows for point-to-point or streaming videoconferencing in a compact package. It's actually quite a nice unit for what it is.

Anyway, to make a long story and a Microsoft PSS call short, it turns out that the Polycom was trying too hard to cope with being in a NAT setup, and as a result, it was "outsmarting" our attempts to get it to work.  So, for the sake of documentation for all, here is what we did to get this to work, copied from my summary message to Microsoft:

  1. Disabled the H.323 Filter globally under “Add-ins”.
  2. The Polycom 7000e VSX should be set with:
    1. NAT disabled (strange but true!)
    2. H.323 knowledge of NAT disabled
    3. Fixed ports (TCP 3230-3235, UDP 3230-3253; only the starting ports can be changed by the administrator)
    4. Public address set to manual with the appropriate address; “auto” uses the default external card on the ISA server which may not be the correct address and may change [I don’t think this setting means anything with NAT disabled, but just in case...]
    5. Public address published in the global directory [Again, I think this is ignored with NAT disabled…]
    6. The LAN IP settings should include the ISA server as the external gateway (directly or indirectly through other routers).
  3. We created three server publishing protocol definitions – ports are clear from the names, UDP is receive/send:
    1. Polycom Inbound TCP 1720
    2. Polycom Inbound TCP 3230-3235
    3. Polycom Inbound UDP 3230-3253
  4. Created publishing rules for each of the protocol definitions, publishing the internal Polycom IP, and setting the publishing rule to look like the traffic is coming from the ISA server, NOT the original client.
  5. Created a web publishing rule to aid in administration of the Polycom (port 80).  This is not necessary, but is nice when troubleshooting and testing.
  6. Created a client protocol definition, “Polycom Outbound”, TCP 3230-3235 and UDP 3230-3258 Send.  [This second one probably should just go to 3253, but I don’t want to risk breaking what’s working.]
  7. Created an outbound rule called “Videoconferencing Outbound” for the “H.323 Protocol” protocol and the “Polycom Outbound” protocol from “Internal” to “External” for “All Users”.  [This is probably unnecessary in our case as the ISA server has a wide-open outbound policy, but it matched the earlier prescription.]
  8. Testing was done using NetMeeting and a webcam with a true public IP address on the NetMeeting machine (to ensure no NAT issues at the other side).  There is a Diagnostics page in the Polycom admin pages which allows for viewing the local video and remote video, so you can remotely see the full call traffic on both sides (NetMeeting for the remote view, the admin pages for the local view).
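
The steps above open specific port ranges in both directions, so it is worth checking the definitions against what the unit actually uses. The following is an added example, not part of the original post or of ISA Server: a small least-privilege audit that reports ports a rule set is missing and ports it opens beyond the unit's fixed ranges. The function names and data layout are illustrative, and the built-in "H.323 Protocol" definition is assumed to be TCP 1720.

```python
# Added example: least-privilege audit of the protocol definitions in this post.
# The data structures and function names are illustrative, not an ISA Server API.

def expand(defs):
    """Turn [(proto, low, high), ...] into a set of (proto, port) pairs."""
    return {(proto, port) for proto, lo, hi in defs for port in range(lo, hi + 1)}

def collapse(pairs):
    """Turn a set of (proto, port) pairs back into sorted (proto, low, high) ranges."""
    ranges = []
    for proto, port in sorted(pairs):
        if ranges and ranges[-1][0] == proto and ranges[-1][2] == port - 1:
            ranges[-1] = (proto, ranges[-1][1], port)   # extend the current run
        else:
            ranges.append((proto, port, port))          # start a new run
    return ranges

def audit(required, allowed):
    """Return (missing, excess) port ranges of a rule set versus what the unit uses."""
    need, have = expand(required), expand(allowed)
    return collapse(need - have), collapse(have - need)

# Ports the unit uses, per the post: H.323 call setup on TCP 1720 plus the fixed ranges.
POLYCOM_PORTS = [("tcp", 1720, 1720), ("tcp", 3230, 3235), ("udp", 3230, 3253)]

# Step 3: the three server publishing (inbound) protocol definitions.
INBOUND = [("tcp", 1720, 1720), ("tcp", 3230, 3235), ("udp", 3230, 3253)]

# Steps 6-7: "Polycom Outbound" plus the "H.323 Protocol" definition
# (assumed here to be TCP 1720, the standard H.323 call signaling port).
OUTBOUND = [("tcp", 1720, 1720), ("tcp", 3230, 3235), ("udp", 3230, 3258)]

if __name__ == "__main__":
    for name, rules in (("inbound", INBOUND), ("outbound", OUTBOUND)):
        missing, excess = audit(POLYCOM_PORTS, rules)
        print(f"{name}: missing={missing} excess={excess}")
```

Run against the definitions in this post, the inbound set matches the unit exactly, while the outbound set opens UDP 3254-3258 beyond the unit's fixed range.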

So that is it in a nutshell.  Now you know.

Published Monday, November 20, 2006 11:35 AM by BazarewskyM
