CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 9 of 9

Thread: PolyCom VSX 7000 Video Conferencing Units

  1. #1
    Join Date
    2005-10-03
    Posts
    1
    Rep Power
    0

    Default PolyCom VSX 7000 Video Conferencing Units

    Hi,

    I have a checkpoint HA pair running NGX R61 and I cannot get these Polycom units to work.

    Basically I have opened all the ports that the documentation states yet the firewall doesn't match them to a rule so they therefore get dropped by the the old faithful cleanup rule.

    Can anyone help me?

    Thanks in advance

  2. #2
    Join Date
    2006-08-22
    Posts
    58
    Rep Power
    14

    Default Re: PolyCom VSX 7000 Video Conferencing Units

    I also have the same problem. I use Polycom VSX 8.5 and Checkpoint NGAI R55 and I can't make call successfully.

    Polycom - Firewall - ISP

    If I put Polycom VSX in front of Checkpoint, I make call successful, and I put Polycom behind Checkpoint, it is not OK

    If you know the answer, please answer me early because I am ISP and I must provide service for customers.

    Thank you very much.

  3. #3
    Join Date
    2007-03-13
    Posts
    11
    Rep Power
    0

    Default Re: PolyCom VSX 7000 Video Conferencing Units

    I have had a call open with CheckPoint Support for over a month now and they have finally escalated this to the R&D area. They still have no idea why a call cannot be successfuly made.

    If I get an answer on how to resolve my issue from CP Support I will gladly post the results.

  4. #4
    Join Date
    2007-04-10
    Posts
    2
    Rep Power
    0

    Default Re: PolyCom VSX 7000 Video Conferencing Units

    Here's what I'd suggest, based on my experiences with VSX-8000s, an iPower, and their PVX software:

    1) Make sure the VSX is static NATted--the Polycom connections are not exactly stateful, so Hide NAT won't work for this.

    2) Make sure you have AES encryption set to Disabled or Off in the VSX's settings; if it's set to On or Auto, the connection will fail.

    3) Create a TCP service called "Polycom" (or similar) that uses a range of ports, and a UDP service that uses the same range of ports. (I left them with the "Match for 'Any'" box checked, and they seem to work.) I think Polycoms like to have ~30 ports available, and I think the VSXes default to ports 3230-3269 (TCP and UDP).

    4) Create a rule pair, allowing those two new sets of Polycom ports out from your VSX and in to your VSX. You'll probably also want to add SIP (TCP and UDP) and T.120 to these rules.

    5) Push policy.

    6) Go into the Polycom setup and tell it you're behind a NAT firewall, but not one that handles H.323 translation, and tell it to use the range of ports you created above. I always have the Polycom unit determine its NATted address, and it does a pretty good job of it.

    Hopefully, that will help. As I mentioned, that's what I use on my Polycom equipment, and it has worked for all of them.

  5. #5
    Join Date
    2006-08-22
    Posts
    58
    Rep Power
    14

    Default Re: PolyCom VSX 7000 Video Conferencing Units

    Create H.323 new. You will now have a tab called something like 'additional adjustments' - there unmark 'any' and leave protocoll type empty. Dont set it to 'none' - should be nothing selected.
    Note: it is not(!) working if you create a rule where your videoconferencing device is allowed to do everything ('any' to 'any').

    That works.

  6. #6
    Join Date
    2006-05-08
    Posts
    113
    Rep Power
    14

    Default Re: PolyCom VSX 7000 Video Conferencing Units

    I've also found a Polycom 4000 behind a firewall does not seem to work with these ports open:

    H323
    H323_ras (port 1719)
    LDAP
    T.120 (port 1503)
    MS_NETMEETING (port 1731)
    TCP-3603
    TCP3230-3235
    UDP3230-3235

    I'll try to remove the "Any" checkmark from the H323 port and maybe increase the range on up to 3269 on the TCP and UDP ports
    Last edited by mcarey; 2007-08-08 at 14:08. Reason: explain defined ports

  7. #7
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Default Re: PolyCom VSX 7000 Video Conferencing Units

    Be careful of the version of Check Point you are running. You want R60_HFA04(or 5) AND VOIP_Hotfix_2

    ---OR---

    R65

    R61 and R62 do NOT have all the VOIP fixes in them

  8. #8
    Join Date
    2006-05-08
    Posts
    113
    Rep Power
    14

    Default Re: PolyCom VSX 7000 Video Conferencing Units

    More information on my issue. I found that if my firewall is running in Routed Mode, creating a rule that allows H323_ANY and H323_RAS_ONLY, in and out from the Polycom works fine.

    However, when my firewall is in transparent mode, the call never connects. I see the H323_ANY, and then the H323_RAS_ONLY with call setup, but never get anything back from the Polycom behind the firewall.


    I've opened a case with Checkpoint on this. What did you mean by R62 not having all the VOIP fixes in them?

  9. #9
    Join Date
    2010-07-31
    Posts
    1
    Rep Power
    0

    Default Re: PolyCom VSX 7000 Video Conferencing Units

    I have polycom VSX7000e and checkpoint R65.
    I can able to call outside the world and its working very fine.
    But when someone tries to call me it only rings, call is not landing up.
    When put this device in front of firewall it works fine.
    but behind firewall it wont.
    please suggest.

Similar Threads

  1. FDE Video
    By JuniorMember in forum Full Disk Encryption (FDE) (Formerly Pointsec)
    Replies: 0
    Last Post: 2010-06-02, 10:38
  2. Connectra LDAP with two LDAP account units
    By loudermi in forum Mobile Access Blade (Formerly Connectra)
    Replies: 1
    Last Post: 2009-12-13, 19:59
  3. Polycom H323 Disconnect(s) after 2Hrs ~12min. - HELP
    By wanmonkey in forum Services (TCP, UDP, ICMP, etc.)
    Replies: 1
    Last Post: 2008-11-12, 14:21
  4. Video Conferencing H.225 containing 'internal' address
    By dtonkin in forum Services (TCP, UDP, ICMP, etc.)
    Replies: 0
    Last Post: 2007-09-27, 10:57
  5. Malformed H.225 message from video conferencing
    By aallsopp in forum Services (TCP, UDP, ICMP, etc.)
    Replies: 3
    Last Post: 2006-03-22, 13:54

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •