solution

There are two call scenarios:

Outbound Calls

In this scenario, the call origination party is behind NAT. For outbound calls to support two-way audio, the following conditions must be met:

1 The H.323 origination endpoint (IP Phone, Soft Phone, etc.) must use the same port to send and receive RAS messages. The default port for RAS communication is 1719.

2 The H.323 origination endpoint (IP Phone, Soft Phone, etc.) must use the same port to send and receive RTP/RTCP voice data packets. If the send and receive ports are different - the connection will support one-way audio only.

Inbound Calls

In this scenario, the calls are originated from outside the NAT firewall and terminated into the endpoint which is behind the NAT firewall. Unfortunately, due to the fact that the call must be established outside the NAT firewall it will be dropped by the firewall unless one of the following methods is used:

1 NAT Traversal - this is special software that runs on the endpoint and on the gatekeeper that supports permanent socket connection between them to transfer call data. Since the socket is established and supported from the endpoint (behind NAT) to the gatekeeper (outside the NAT) this connection is constantly available and can be used to make a successful inbound call.

2Bi-directional NAT Firewall - this is a special NAT firewall that will translate outside connection into inside port number or IP address.

3DMZ NAT Firewall - some firewall allow DMZ settings that allow direct packet routing to particular IP address that represents the endpoint behind the NAT firewall.

1 2

NAT TRAVERSAL SOLUTION

N A T T R A V E R S A L S O L U T I O N

H.323 NAT Technology

problems

Usage of private IP addresses and NAT firewall to prevent connections to be established to devices behind the NAT firewall.

H.323 protocol uses three types of network connections for a VoIP call. Any problem that causes the loss or inability to establish any of these three connections will result in H.323 call failure.

Call Signal (Q.931/H.245) is a TCP network connection that can not be established from outside the NAT firewall.

Call Setup (RAS) is a UDP network connection that may have different send and receive ports.

Call Voice Data (RTP/RTCP) is a UDP network connection that may have different send and receive ports.

Gatekeeper

NAT Firewall

IP phone

port 7010 tunnels

RTP/RTCP RTP/RTCP RTP/RTCP RTP/RTCP

originationendpoint

terminationendpoint

IP phoneGatekeeper

NAT Firewall

IP phone

H.225H.245Q.931

H.225H.245Q.931

H.225H.245Q.931

H.225H.245Q.931

originationendpoint

terminationendpoint

IP phone

problem solution

2 2

S ome companies use S TUN servers to facilitate connections of endpoints behind NAT, but these servers are usually used for endpoints that do not comply with universal requirements . However, most contemporary endpoints including all C isco S IP P hones allow TTL and port setting to accommodate the NAT.

N A T T R A V E R S A L S O L U T I O N

S IP N A T T e c h n o lo g y

p r o b le m s

Usage of private IP addresses and NAT firewall to prevent connections to be established to devices behind the NAT firewall.

S IP protocol uses two types of network connections to complete a VoIP call. Any problem that causes the loss or inability to establish any of these two connections will result in S IP call failure.

C all Message is a TC P or UDP network connection that can not be established from outs ide the NAT firewall.

C all Voice Data (R TP /R TC P ) is a UDP network connection that may have different send and receive ports .

s o lu tio n

Inbound C alls

In this scenario, the calls are originated from outs ide the NAT firewall and terminated into the endpoint which is behind the NAT firewall. Due to the nature of the S IP protocol, inbound calls behind NAT are poss ible if the following conditions are met:

1 The R egistrar and the proxy S IP S erver must res ide on the same network server (have the same IP address). The fact that the endpoint sends UDP registration call messages according to its TTL (time-to-live) parameter to the S IP R egistrar, allows the NAT firewall to maintain an open port from the internal endpoint (IP P hone, S oft P hone, etc.) to the S IP R egistrar/P roxy. This open firewall port is used by the P roxy to send inbound C all Messages to the endpoint (usually on port 5060).

2 Low TTL (time-to-live) setting on the endpoint (usually 60 seconds) needs to be less than the corresponding TTL parameter for connection pers is tency on the NAT firewall.

3 The endpoint must send and received C all Messages on the same port (default 5060).

4 The endpoint must send and receive R TP voice data on the same port (other than 5060). Once the C all Message is received by the endpoints , it opens an UDP sess ion to the S IP P roxy to allow R TP voice data transfer.

s o lu tio n

Outbound C alls

In this scenario, the call origination party is behind NAT. For outbound calls to support two-way audio, the following conditions must be met:

1 The S IP origination endpoint (IP P hone, S oft P hone, etc.) must use the same port to send and receive C all Messages . The default port for C all Message communication is 5060.

2 The S IP origination endpoint (IP P hone, S oft P hone, etc.) must use the same port to send and receive R TP /R TC P voice data packets . If the send and receive ports are different then the connection will support one-way audio only.

G atekeeper

NAT F irewall

IP phone

S IP C ontrol Mes s gaes

R T P /R T C P R T P /R T C P

originationendpoint

terminationendpoint

IP phone G atekeeper

NAT F irewall

IP phone

5060S IP C ontrol Mes s gaes

R T P /R T C P R T P /R T C P

originationendpoint

terminationendpoint

IP phone

p ro b le m s o lutio n

Notice to Recipient: All information contained herein and all referenced documents (the "Documents") are provided subject to the Terms of Service Agreement (the "Terms") found on SysMaster website http://www.sysmaster.com (The "Site"), which location and content of Terms may be amended from time to time, except that for purposes of this Notice, any reference to Content on the Site shall also incorporate and include the Documents . The Recipient is any person or entity who chooses to review the Documents. This document does not create any express or implied warranty by SysMaster, and all information included in the Documents is provided for informational purposes only and SysMaster provides no assurances or guarantees as to the accuracy of such information and shall not be liable for any errors or omissions contained in the Documents, beyond that provided for under the Terms. SysMaster's sole warranty is contained in the written product warranty for each product. The end-user documentation shipped with SysMaster products constitutes the sole speci�cations referred to in the product warranty. The Recipient is solely responsible for verifying the suitability of SysMaster's products for its own use. Speci�cations are subject to change without notice.

© 2007 SysMaster. All rights reserved. SysMaster, SysMaster's product names and logos are all trademarks of SysMaster and are the sole property of Sysmaster.

SysMaster2700 Ygnacio Valley Rd, Suite 210Walnut Creek, CA 94598United States of America

Email: sales@sysmaster.comWeb site: www.sysmaster.com