Admins – Firewall Configuration for VidyoDesktop and VidyoRoom Endpoints

Vidyo works well with a range of network scenarios, but best results are obtained when the necessary ports on the organisation’s firewall are open as described below. Vidyo can be switched to work via its built-in VidyoProxy, in which case all traffic is tunnelled on HTTP Port 443, but this will impact on performance.

Here is Len Lotz, TENET’s Executive Officer: Technology and Operations, discussing the ports that need to be opened and other network considerations.

Open the ports

To work most efficiently, the VidyoDesktop and Room Systems need some ports on your firewall to be open to allow communication with the TENET Vidyo setup. Organisations should be able to cater for these requirements. The diagram below shows the essential elements of the Vidyo call flow.

To register to the VidyoPortal and place calls, the client-side connection must be open to the VidyoPortal on these TCP/UDP ports:

| Port | What for | Device information | Function |
|---|---|---|---|
| TCP Port 80 | HTTP: Outbound to Portal | xxx-vc.tenet.ac.za | Client to Portal authentication and GUI |
| TCP Port 443 | HTTPS: Outbound to Portal (optional) | <196. xxx-vc.tenet.ac.za | Optional for SSL connection to Portal |
| TCP Port 17992 | EMCP: Outbound to Portal | xxx-vc.tenet.ac.za | Client connection to VidyoManager |
| TCP Port 17990 | SCIP: Outbound to Portal | xxx-vc.tenet.ac.za | Client connection to VidyoRouter |
| UDP Ports 50,000 – 65,535 | RTP/sRTP/RTCP: Bi-Directional to/from VidyoRouter | | Audio and Video Media from participants (6 ports per participant). RTP and RTCP pair for each audio, video, and data collaboration stream |
| UDP Timeout | | | Change from Default (i.e. 0:02:00 2 minutes) to something larger (i.e. 3:00:00 – 3 hrs) to avoid call timeouts |

For the correct substitution for the xxx-vc part of the URLs above please refer to the list of VidyoPortals.

NOTES:

  1. TENET has set up the Vidyo system for South African higher education and research with ‘Tenant’ areas for each supported organisation. Each organisation has its own VidyoPortal address that can be found here. However, note that all the VidyoPortal addresses resolve to 196.24.243.133.
  2. Some firewalls have a default UDP timeout. On the Cisco PIX Firewall, for example, if the UDP timeout is not changed then the call will drop in exactly 2 minutes and the Vidyo client(s) would have to reconnect.
  3. Many newer consumer home firewalls have SPI (Stateful Packet Inspection) active by default. This may need to be disabled for performance reasons.

If your firewall cannot be opened (or in the meantime you are waiting for it to be opened)

If the firewall cannot be opened, Vidyo should work if you force the use of the VidyoProxy. In the VidyoDesktop client (or Mobile client), go to Configuration -> Network and tick “always use VidyoProxy”. Please note this option slightly decreases the quality of the connection, and using it by default risks overloading the available proxy servers. Properly opening the firewall ports should remain the priority option. Opening the ports in this way will help your users have the best Vidyo experience possible.

Use Proxy

Web Proxy

Using a Web proxy with Vidyo will usually impact on the quality of the call. To avoid performance issues due to Web Proxies inspecting media packets, it is highly recommended to create exceptions (e.g. Bluecoat) or allow DIRECT connections to the Vidyo infrastructure (see details above), bypassing the Web Proxy. In many cases this can be accomplished by simply editing the PAC script.
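
A PAC script that makes this exception could look like the following. This is an added example, not TENET's or Vidyo's own script; the proxy address proxy.example.org:8080 is a placeholder for your own web proxy, and the host pattern assumes every portal follows the xxx-vc.tenet.ac.za naming used above.

```javascript
// Added example PAC file: only TENET VidyoPortal traffic bypasses the proxy.
// Assumption: proxy.example.org:8080 is a placeholder for your web proxy.
var WEB_PROXY = "PROXY proxy.example.org:8080";

// Address that all VidyoPortal names resolve to (note 1 on this page).
var VIDYO_PORTAL_IP = "196.24.243.133";

// Portal names follow the xxx-vc.tenet.ac.za pattern from the port table.
// The pattern is anchored at both ends, so a look-alike such as
// "xxx-vc.tenet.ac.za.example.net" is still sent through the proxy.
var VIDYO_PORTAL_HOST = /^[a-z0-9][a-z0-9-]*-vc\.tenet\.ac\.za$/;

function isVidyoPortal(host) {
  // Normalise case and drop the trailing dot of a fully qualified name.
  var h = String(host).toLowerCase().replace(/\.$/, "");
  return h === VIDYO_PORTAL_IP || VIDYO_PORTAL_HOST.test(h);
}

// Entry point the browser calls for each request.
function FindProxyForURL(url, host) {
  if (isVidyoPortal(host)) {
    return "DIRECT"; // bypass the web proxy for the Vidyo infrastructure only
  }
  return WEB_PROXY;  // everything else keeps going through the proxy
}
```

The script only controls which HTTP/HTTPS requests skip the web proxy; the TCP 17990/17992 and UDP media ports in the table above still have to be allowed on the firewall itself.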
