<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>RE: [AG-TECH] Firewall and unicast questions</TITLE>
</HEAD>
<BODY>
<DIV id=idOWAReplyText74777 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>For those of us who are not living in a
network dreamland, a feasible solution is to focus on the trusted IPs of
the unicast bridges instead of the UDP port range. This is what we did here at
OU and it works great for us. While for a small entity it may fly to open UDP
ports 30K - 60K (if their ISP does not get a heart attack when you ask), a
larger entity (University) may rather want to allow incoming packets
through by allowing the distinct IPs of the unicast bridges in the
firewall. This is a much better solution. If you use regular PIX firewalls and
want to use e.g. the NCSA rooms, the next statement should be added to your
firewall protocols:</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2><FONT face=Arial color=navy size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial">object-group network
video_allowed_inbound<BR>network-object host 141.142.222.31<BR>network-object
host 141.142.6.17</SPAN></FONT></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><FONT face=Arial color=#000000 size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2><FONT face=Arial color=#000000 size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"><FONT
color=#000000>These IPs are for venuesbridge and roebridge. For new bridges you
will have to ask your IT to add them individually.
</FONT></SPAN></FONT></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><FONT face=Arial color=#000000 size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2><FONT face=Arial color=#000000 size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"><FONT color=#000000>I
hope this will help. </FONT></SPAN></FONT></FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2><FONT face=Arial color=#000000 size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"><FONT
color=#000000></FONT></SPAN></FONT></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2><FONT face=Arial color=#000000 size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"></SPAN></FONT></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2><FONT face=Arial color=#000000 size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: navy; FONT-FAMILY: Arial"><FONT
color=#000000>Zsolt</FONT></SPAN></FONT></FONT><FONT face=Arial
size=2></DIV></FONT>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV></DIV>
<DIV id=idSignature1708 dir=ltr>
<DIV><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#000000 size=2>_ _ _</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#000000 size=2>Zsolt Nagykaldi, PhD</FONT></DIV>
<DIV><FONT face=Arial size=2>Research Associate, Clinical IT
Specialist</FONT></DIV>
<DIV><FONT face=Arial size=2>University Of Oklahoma Health Sciences
Center</FONT></DIV>
<DIV><FONT face=Arial size=2>Department Of Family And Preventive
Medicine</FONT></DIV>
<DIV><FONT face=Arial size=2>Oklahoma Center For Family Medicine
Research</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>900 NE 10th Street</FONT></DIV>
<DIV><FONT face=Arial size=2>Oklahoma City, OK 73104</FONT></DIV>
<DIV><FONT face=Arial size=2>Phone: (405) 271-8000 Ext.:1-32212</FONT></DIV>
<DIV><FONT face=Arial size=2>Fax: (405)
271-1682</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> owner-ag-tech@mcs.anl.gov on behalf of
Andrew A Rowley<BR><B>Sent:</B> Fri 4/7/2006 3:00 AM<BR><B>To:</B> Masullo,
Chris F; ag-tech@mcs.anl.gov<BR><B>Subject:</B> RE: [AG-TECH] Firewall and
unicast questions<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>Hi,<BR><BR>I know of various places that are running AG from
behind a firewall using both multicast and unicast. <BR><BR>Using unicast
means that you add strain to the bridge for the venue. However, I have not
seen any bridges fail under strain so far (others may have seen this). The
other problem with unicast and firewalls is the port numbers. The bridges
will be assigned random port numbers within a fixed range, so the only way to
guarantee that you will be able to use the bridge is to open up the entire
range. This range will depend on the venue server. Of course with
dynamic multicast venues, you would have the same problem, however, with static
venues, you could at least open the fixed port numbers in use. AG
Connector can also help with the port number problem, since it only uses a
single fixed port.<BR><BR>The only other problem I have seen with firewalls, is
when the firewall cannot cope with the amount of traffic passing with large AG
meetings. It is worth finding out what bandwidth the firewall can cope
with if you regularly join large meetings.<BR><BR>Andrew
:)<BR><BR>============================================<BR>Access Grid Support
Centre,<BR>RSS Group,<BR>Manchester Computing,<BR>Kilburn
Building,<BR>University of Manchester,<BR>Oxford Road,<BR>Manchester,<BR>M13
9PL,<BR>UK<BR>Tel: +44(0)161-275 0685<BR>Email:
Andrew.Rowley@manchester.ac.uk<BR><BR>> -----Original Message-----<BR>>
From: owner-ag-tech@mcs.anl.gov [<A
href="mailto:owner-ag-tech@mcs.anl.gov">mailto:owner-ag-tech@mcs.anl.gov</A>]
On<BR>> Behalf Of Masullo, Chris F<BR>> Sent: 06 April 2006 17:04<BR>>
To: ag-tech@mcs.anl.gov<BR>> Subject: [AG-TECH] Firewall and unicast
questions<BR>><BR>> Hello All,<BR>><BR>> We currently have our AG
nodes outside our firewall, however cyber<BR>> security<BR>> has told us
that we need to move the systems inside our firewall. The<BR>>
last<BR>> time I brought up this issue a number of years ago I was told
that<BR>> multicast<BR>> would not get past our firewall. I have some
questions regarding this<BR>> issue.<BR>><BR>> Has anyone successfully
placed an AG VTC system behind a Cisco Firewall?<BR>> Are there any issues
using unicast mode for and AG node behind a<BR>> firewall?<BR>> If not
then why not run unicast?<BR>><BR>> I have looked through the mailer
however I do not see any answers to<BR>> these<BR>>
Questions.<BR>><BR>> Thanks in advance<BR>><BR>><BR>><BR>>
Chris
Masullo
Information Technology Division<BR>> Brookhaven National
Laboratory Network Engineering & Operations<BR>> 61
Brookhaven
Ave.
Phone: (631) 344-2326<BR>> Upton, NY
11973
Fax: (631)
344-7688<BR>><BR><BR></FONT></P></DIV>
</BODY>
</HTML>