[AG-TECH] Firewall and unicast questions

Thomas D. Uram turam at mcs.anl.gov
Fri Apr 7 12:35:52 CDT 2006


Hi Zsolt (and other people with port/firewall concerns):

I've expected this to be the workable solution for most institutions,
so now I have a follow-up question.  I elaborated previously in
a separate thread the addresses and ports that need to be open for media,
basically:

udp to/from multicast address range 224.2.128.0-224.2.255.254, ports 49152 to 65535

udp to/from bridge host(s), ports 49152 to 65535

I'd expect admins who understand multicast to accept opening the multicast
address range.  As for bridges, each institution can decide whether to trust
the bridge host and open the firewall for traffic from it.  IMHO, the only
remaining concern may be that the port range is so wide.  Is that an issue
for you still?  Do you have other concerns in this space?

I'd be happy to narrow the default port range for bridges, if that would help.

Tom

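Worked example added here, not code from the original post, the Access Grid project or any list member: it models the two firewall policies discussed in this thread and runs constructed sample flows through both. The multicast range and UDP port range are Tom's; the bridge addresses are the two hosts from Zsolt's PIX object-group. Which end of the connection the port check applies to is not stated in the thread, so the model assumes it applies to the local-side port; the non-bridge addresses in the sample traffic are RFC 5737 documentation addresses, constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Values quoted in the thread: multicast media range and media port range
# from Tom's message, bridge hosts from Zsolt's PIX object-group.
MCAST_LOW = ipaddress.IPv4Address("224.2.128.0")
MCAST_HIGH = ipaddress.IPv4Address("224.2.255.254")
PORT_LOW, PORT_HIGH = 49152, 65535
BRIDGE_HOSTS = {
    ipaddress.IPv4Address("141.142.222.31"),  # venuesbridge
    ipaddress.IPv4Address("141.142.6.17"),    # roebridge
}


@dataclass(frozen=True)
class Flow:
    """One inbound packet as the firewall sees it: remote -> local."""
    proto: str
    src: str      # remote host address
    dst: str      # local host or multicast group address
    sport: int
    dport: int


def in_mcast_range(addr: str) -> bool:
    return MCAST_LOW <= ipaddress.IPv4Address(addr) <= MCAST_HIGH


def in_media_ports(port: int) -> bool:
    return PORT_LOW <= port <= PORT_HIGH


def exposed_port_count() -> int:
    """Size of the UDP port range the range-based policy opens."""
    return PORT_HIGH - PORT_LOW + 1


def allowed_by_range_policy(f: Flow) -> bool:
    """Tom's rule set: UDP only, local port in the media range, and the
    packet is either addressed to a group in the multicast range or comes
    from a trusted bridge host. Assumption: the port check is applied to
    the local-side port, since the message does not say which end."""
    if f.proto != "udp" or not in_media_ports(f.dport):
        return False
    return in_mcast_range(f.dst) or ipaddress.IPv4Address(f.src) in BRIDGE_HOSTS


def allowed_by_host_policy(f: Flow) -> bool:
    """Zsolt's approach as quoted: the object-group names hosts only, so
    anything from a listed bridge address passes regardless of protocol or
    port. A real PIX deployment would reference the group from an
    access-list that can also restrict protocol and ports."""
    return ipaddress.IPv4Address(f.src) in BRIDGE_HOSTS


# Constructed sample traffic (RFC 5737 documentation addresses for the
# non-bridge hosts; bridge and group addresses are from the thread).
SAMPLE_FLOWS = [
    Flow("udp", "141.142.222.31", "192.0.2.10", 50000, 50000),  # bridge media
    Flow("udp", "198.51.100.7", "224.2.200.1", 50000, 50000),   # multicast media
    Flow("udp", "141.142.222.31", "192.0.2.10", 5000, 5000),    # bridge, low port
    Flow("tcp", "141.142.222.31", "192.0.2.10", 40000, 50000),  # bridge, tcp
    Flow("udp", "203.0.113.5", "192.0.2.10", 50000, 50000),     # unknown host
]


def evaluate(flows):
    """Return (range_policy_allowed, host_policy_allowed) per flow."""
    return [(allowed_by_range_policy(f), allowed_by_host_policy(f)) for f in flows]


if __name__ == "__main__":
    print(f"range policy opens {exposed_port_count()} UDP ports")
    for f, (a, b) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}  "
              f"range-policy={'allow' if a else 'deny'}  "
              f"host-policy={'allow' if b else 'deny'}")
```

The two policies disagree on three of the five sample flows, which is the trade-off the thread is circling: the range-based rule admits multicast media from any sender but nothing outside the media port range, while the host-only rule admits any protocol or port from a bridge and nothing from anyone else. Narrowing the bridge port range, as Tom offers, shrinks exposed_port_count() without changing which hosts are trusted.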

On 4/7/06 11:25 AM, Nagykaldi, Zsolt F. (HSC) wrote:
>  
> For those of us who are not living in a network dreamland, a 
> feasible solution is to focus on the trusted IPs of the unicast bridges 
> instead of the UDP port range. This is what we did here at OU and it 
> works great for us. While for a small entity it may fly to open UDP 
> ports 30K - 60K (if their ISP does not get a heart attack when you ask), 
> a larger entity (University) may rather want to allow incoming packets 
> through by allowing the distinct IPs of the unicast bridges in the 
> firewall. This is a much better solution. If you use regular PIX 
> firewalls and want to use e.g. the NCSA rooms, the next statement should 
> be added to your firewall protocols:
>  
> object-group network video_allowed_inbound
> network-object host 141.142.222.31
> network-object host 141.142.6.17
>  
> These IPs are for venuesbridge and roebridge. For new bridges you will 
> have to ask your IT to add them individually.
>  
> I hope this will help.
>  
>  
> Zsolt
>  
>  
> _ _ _
>  
> Zsolt Nagykaldi, PhD
> Research Associate, Clinical IT Specialist
> University Of Oklahoma Health Sciences Center
> Department Of Family And Preventive Medicine
> Oklahoma Center For Family Medicine Research
>  
> 900 NE 10th Street
> Oklahoma City, OK 73104
> Phone: (405) 271-8000 Ext.:1-32212
> Fax:     (405) 271-1682
> 
> ------------------------------------------------------------------------
> *From:* owner-ag-tech at mcs.anl.gov on behalf of Andrew A Rowley
> *Sent:* Fri 4/7/2006 3:00 AM
> *To:* Masullo, Chris F; ag-tech at mcs.anl.gov
> *Subject:* RE: [AG-TECH] Firewall and unicast questions
> 
> Hi,
> 
> I know of various places that are running AG from behind a firewall 
> using both multicast and unicast. 
> 
> Using unicast means that you add strain to the bridge for the venue.  
> However, I have not seen any bridges fail under strain so far (others 
> may have seen this).  The other problem with unicast and firewalls is 
> the port numbers.  The bridges will be assigned random port numbers 
> within a fixed range, so the only way to guarantee that you will be able 
> to use the bridge is to open up the entire range.  This range will 
> depend on the venue server.  Of course with dynamic multicast venues, 
> you would have the same problem, however, with static venues, you could 
> at least open the fixed port numbers in use.  AG Connector can also help 
> with the port number problem, since it only uses a single fixed port.
> 
> The only other problem I have seen with firewalls, is when the firewall 
> cannot cope with the amount of traffic passing with large AG meetings.  
> It is worth finding out what bandwidth the firewall can cope with if you 
> regularly join large meetings.
> 
> Andrew :)
> 
> ============================================
> Access Grid Support Centre,
> RSS Group,
> Manchester Computing,
> Kilburn Building,
> University of Manchester,
> Oxford Road,
> Manchester,
> M13 9PL,
> UK
> Tel: +44(0)161-275 0685
> Email: Andrew.Rowley at manchester.ac.uk
> 
>  > -----Original Message-----
>  > From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov] On
>  > Behalf Of Masullo, Chris F
>  > Sent: 06 April 2006 17:04
>  > To: ag-tech at mcs.anl.gov
>  > Subject: [AG-TECH] Firewall and unicast questions
>  >
>  > Hello All,
>  >
>  > We currently have our AG nodes outside our firewall, however cyber
>  > security has told us that we need to move the systems inside our firewall.
>  > The last time I brought up this issue a number of years ago I was told
>  > that multicast would not get past our firewall. I have some questions
>  > regarding this issue.
>  >
>  > Has anyone successfully placed an AG VTC system behind a Cisco Firewall?
>  > Are there any issues using unicast mode for an AG node behind a
>  > firewall?
>  > If not then why not run unicast?
>  >
>  > I have looked through the mailer however I do not see any answers to
>  > these questions.
>  >
>  > Thanks in advance
>  >
>  >
>  >
>  > Chris Masullo                     Information Technology Division
>  > Brookhaven National Laboratory    Network Engineering & Operations
>  > 61 Brookhaven Ave.                Phone:  (631) 344-2326
>  > Upton, NY 11973                   Fax:    (631) 344-7688
>  >
> 
