Appendix: Firewalls and NAT

Using Marratech or Marratech Manager on your network is both simple and secure. Our software is designed with firewalls and Network Address Translation (NAT) in mind. This appendix describes how to configure your firewall to allow e-meeting traffic to pass through it. You should be familiar with how IP traffic works and how to set up a network to understand this document properly.

This appendix applies to Marratech Manager from versions 3.0 to 3.5.

Hint: The Marratech Manager and Marratech are both fully compatible with IPSec VPNs (Virtual Private Networks). When using a VPN there is no need to configure or modify your firewall or network. Simply keep in mind that VPNs may require extra bandwidth and processor power.

Client access through a firewall
Allowing a client to connect to a Marratech Manager is very easy. Only two steps are needed. First, the client must be allowed to connect to the HTTP and the HTTPS ports defined in the Manager. If the Manager runs on the standard web ports (TCP 80 and TCP 443), this is usually already set up in some way.

The client can use a web proxy server, but this has to be defined manually in the client settings.

Second, the client must be allowed to send traffic to all UDP data ports defined in the Manager, and it must also receive the resulting return traffic.

As the client initiates all connections, both of these rules can be set up using a Dynamic State rule. (Dynamic State rules are also called Allow Return or Keep State.)

Manager on a DMZ with public addresses
No special configuration is needed in the Marratech E-meeting Manager to run on a DMZ with public addresses. Only the firewall needs to be configured.

If a small number of users are connecting from the outside, you can set up dynamic state rules in the same way as above, with the exception that they are inbound towards the Manager server.

However, if a large number of users will access the Manager through the firewall, using dynamic states may overload the firewall. In these cases it may be better to set up two rules for the UDP data traffic: one inbound rule that allows sending to the specified data ports, and one outbound rule that allows the Manager to send traffic to any port with the data ports as source ports. You may also set up the same kind of rule pair for the TCP traffic.
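The client-side rules and both DMZ variants described above, as an added example that is not part of the Marratech manual. It assumes a Linux netfilter firewall, a Manager at the documentation address 203.0.113.10, and the Manager's default ports; it prints iptables-restore fragments rather than applying anything.

```shell
#!/bin/sh
# Added example, not from the Marratech manual: emit iptables-restore
# fragments for the firewall cases in this appendix. Assumptions: Linux
# netfilter, Manager at 203.0.113.10 (documentation address), default
# web ports 8000/8001 and UDP data ports 52000-52999.
# Load with: sh rules.sh client | iptables-restore -n
MGR=203.0.113.10
WEB="8000,8001"
DATA="52000:52999"

# Client side: the client initiates everything, so a dynamic-state
# (conntrack) rule on OUTPUT plus ESTABLISHED on INPUT is enough.
client_rules() {
  cat <<EOF
*filter
-A OUTPUT -p tcp -d $MGR -m multiport --dports $WEB -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -d $MGR --dport $DATA -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $MGR -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Manager on a DMZ with public addresses, few users: the same
# dynamic-state rules, only inbound towards the Manager.
dmz_stateful_rules() {
  cat <<EOF
*filter
-A FORWARD -p tcp -d $MGR -m multiport --dports $WEB -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -d $MGR --dport $DATA -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s $MGR -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Many users: no state table entry per client. One stateless rule in to
# the data ports, one out from the data ports to any port; same for web.
dmz_stateless_rules() {
  cat <<EOF
*filter
-A FORWARD -p udp -d $MGR --dport $DATA -j ACCEPT
-A FORWARD -p udp -s $MGR --sport $DATA -j ACCEPT
-A FORWARD -p tcp -d $MGR -m multiport --dports $WEB -j ACCEPT
-A FORWARD -p tcp -s $MGR -m multiport --sports $WEB -j ACCEPT
COMMIT
EOF
}

case "${1:-client}" in
  client) client_rules ;; dmz) dmz_stateful_rules ;; dmz-large) dmz_stateless_rules ;;
esac
```

The stateless variant trades the closed-when-idle property of dynamic states for lower firewall load: the data ports are reachable at all times, so apply it only where the state table really is the bottleneck.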

Setting up a Manager with a Port mapping/Port forwarding firewall
If the Manager is set up on a DMZ or internal network with private addresses, some configuration of the Manager is required, as well as setting up the port mapping and access rules in the firewall.

The port mapping must be set up for the web and data ports defined in the Manager. You must use the same ports in the firewall as on the Manager configuration, both for HTTP/HTTPS web and for UDP data.

In some firewalls, you have to set up access rules separately from the port mapping, and in others the access rules are implied by adding the port mapping.

Check your firewall manual to see how your firewall operates. If you need to set up the access rules separately, use the same kind of rules as described in the sections above.

Finally, some configuration of the Manager is required, as it needs to know the external IP address that will be used. As of Manager 2.0, this is easily done.

  1. Log in to your Manager with a user that has administrative rights.
  2. Click on the Administration link.
  3. Click on the Network link.
  4. At the top of the page, select the Details link for more detailed information on the network settings.

In the Extra Address #1 field under the Session Engine header, add in the external IP address used to access the Manager from outside the Port mapping/Port forwarding firewall.

Hint: There is no longer any need to distribute an internal URL and an external URL to users located behind and outside the firewall. The Manager and the client will automatically choose the proper address required to join.
Hint: As the server actually has two addresses, using port mapping means an SSL certificate will only be valid for one of the addresses. Users connecting through the other address will receive a warning about a wrong host address.
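The port mapping set-up for a Manager on a private address, as an added example that is not part of the Marratech manual. It assumes a Linux netfilter firewall with external address 203.0.113.1 (the value that would go into Extra Address #1), a Manager at 192.168.10.20, and the default ports; it also emits the conntrack UDP timeout for the one-minute minimum this document recommends under Timeouts.

```shell
#!/bin/sh
# Added example, not from the Marratech manual: iptables-restore fragment
# for a Manager on a private DMZ address behind a port-mapping firewall.
# Assumptions: Linux netfilter, firewall external address 203.0.113.1
# (this is the value for "Extra Address #1" on the Manager's Network page),
# Manager at 192.168.10.20, default ports 8000/8001 and 52000-52999.
EXT=203.0.113.1
MGR=192.168.10.20
WEB="8000,8001"
DATA="52000:52999"

# Port mapping: outside ports are forwarded unchanged to the Manager
# (DNAT), since the firewall must use the same ports as the Manager.
# Access rules are separate here; some firewalls imply them from the map.
portmap_rules() {
  cat <<EOF
*nat
-A PREROUTING -d $EXT -p tcp -m multiport --dports $WEB -j DNAT --to-destination $MGR
-A PREROUTING -d $EXT -p udp --dport $DATA -j DNAT --to-destination $MGR
COMMIT
*filter
-A FORWARD -d $MGR -p tcp -m multiport --dports $WEB -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -d $MGR -p udp --dport $DATA -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s $MGR -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# A NAT mapping is a dynamic state: it must outlive the client's 5-second
# keepalive. This emits the sysctl for the one-minute minimum the manual
# recommends under Timeouts (the Linux conntrack default is 30 seconds).
conntrack_timeout_sysctl() {
  echo "net.netfilter.nf_conntrack_udp_timeout = 60"
}

# On a running Linux firewall, fails if the live UDP state timeout is below
# the minimum; succeeds silently on hosts without conntrack.
check_udp_timeout() {
  f=/proc/sys/net/netfilter/nf_conntrack_udp_timeout
  [ -r "$f" ] || return 0
  [ "$(cat "$f")" -ge 60 ]
}

portmap_rules
conntrack_timeout_sysctl
```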

Setting up extra nodes
A Remote Node is useful to reduce network load. See the chapter Using Nodes for information.

Direct call
The Marratech client software has an option to connect directly to another Marratech client. This has some limitations: it does not support NAT and cannot be used with dynamic state rules in the firewall. You might be able to get it to work for one machine by setting up port forwarding for the UDP ports used (50500-50511). However, running Direct Call through NAT or a firewall is not a supported scenario.

PORT USAGE

Default ports
The default web ports used by the Manager are TCP ports 8000 for HTTP and 8001 for HTTPS. If these ports are taken, the Manager will find an available port to use and modify the Manager.html shortcut accordingly.

The reason for using these ports is to avoid conflicts with other running web servers. If you want, you can change to the standard ports for HTTP and HTTPS (80 and 443 respectively).

The default data ports are UDP ports 52000 to 52999. Every active e-meeting room uses 12 ports selected randomly within this span.

For most installations this is a large span of ports. Limiting the range is a viable option, but always allow at least 20 ports for each possible active e-meeting room, as some ports could in theory be in use by other applications on the server.

Timeouts
The client will periodically send packets on the UDP data ports to keep any dynamic states in the firewall open. The default timeout is five seconds. We recommend that NAT and firewall rules use a timeout of at least one minute to enable e-meetings.

Connection scheme
This part is included to give a better understanding of how Marratech software works "under the surface" when the client connects to the Manager.

First, a client will connect with HTTP. The user will surf around and receive web pages. The web server is HTTP 1.1 compatible.

When the user clicks to enter an e-meeting room, a request will be sent to the Manager, which will set up the 12 UDP ports needed (two for each media: one for data and one for statistics) and return these to the client.

The client will in turn connect to the 12 UDP ports and authorize itself.

Data will be sent on the UDP ports in both directions when necessary.

Periodically, every five seconds, there will be keepalive messages sent on the UDP ports to keep the NAT/firewall states active.

Periodically, every 20 seconds, the client will connect to the Manager on HTTP or HTTPS and send an alive message, then shut down.

GLOSSARY

DMZ: A DMZ (Demilitarized Zone) is a special part of a network where you put servers that should be accessible both internally and from the outside. It can be implemented with either private or public IP addresses. If private addresses are used, setting up a server inside the DMZ will require port mapping in the firewall.
Dynamic state: A special kind of rule that "remembers" which packets were allowed to go through the firewall, and will allow packets returning on the same port pair. This makes for a very secure solution, as no ports will be open when no e-meeting is in progress. Also known as "Keep-state", "Allow-return" and other names depending on the firewall vendor.
Firewall: A program or piece of hardware that allows certain kinds of network traffic and disallows others, depending on the policy set up by the administrator. A firewall can be set up in many ways, ranging from blocking external traffic to internal addresses (common in small to medium enterprises) to blocking everything both ways except the traffic passing through a proxy server. A firewall usually includes NAT functionality as well.
NAT (Network Address Translation): As IP addresses became scarcer in the 1990s, Network Address Translation became more popular and is today used virtually everywhere. Using NAT means a large range of IP addresses (usually private) will be translated into a smaller range of public addresses, sometimes only one address. NAT in itself also gives simple firewall functionality, as it works in the same way as setting up a Dynamic State for all outbound traffic.
Port mapping or Port forwarding: When you use NAT with private addresses, you might still want to present some services to the outside. Port mapping means you set up a certain address and port in the firewall to be forwarded to a specific machine inside the firewall. Also known as port forwarding.
Private IP addresses: Defined in RFC 1918. A private address starts with 10.x.x.x, 192.168.x.x or 172.16.x.x through 172.31.x.x. Private addresses are not routed on the Internet and have to be translated through NAT.
Proxy server: A proxy server can be used for many kinds of traffic, though the most popular use is for web traffic. Instead of connecting to a web site directly, your web client asks the proxy server to fetch it for you. The proxy server can then perform certain tasks on the web page before sending it to you. Common tasks are virus scanning and removal, parental control and similar policy-based filtering, or it can simply cache often-accessed pages to reduce download times and network use.

Copyright © 1998-2006 Marratech AB