Hi, dear!
This topic describes how to configure firewall ports for traversal between private and public networks.
Q: How to Configure Firewall Ports During Traversal Between Private and Public Networks?
A: For more information about the networking schemes of traversal between private and public networks and corresponding firewall port configurations, see the Configuration for Traversal Between Private and Public Networks at http://support.huawei.com/enterprise/en/doc/EDOC1000092357.
What's Traversal Between Private and Public Networks?
To ensure network security, enterprises usually deploy their private networks separately from the public network (Internet) and deploy a firewall at the network border to protect the enterprise private networks from external attacks and intrusions.
The firewall at the network border implements the following isolation functions:
Prevent various attack packets from passing through the network.
Allow normal communication packets to pass through the network.
During enterprise network planning, security zones of different levels are configured on the firewall. Each security zone is mapped to an actual network through an interface, enabling the firewall to differentiate and separate the networks. The firewall conducts security checks when packets are transmitted between different security zones. Enterprise firewalls are divided into three security zones: Trust zone, Demilitarized Zone (DMZ), and Untrust zone, as shown in Figure 1-1.
Figure 1-1 Division of firewall security zones

Trust zone: Networks in this zone are highly trusted. Networks in this zone usually refer to networks where internal users are located.
DMZ: Networks in this zone are moderately trusted. Networks in this zone usually refer to networks where an internal server is located. The internal server needs to provide services for external users, such as the SC and RSE6500.
Untrust zone: Networks in this zone are untrusted. Networks in this zone are insecure networks, such as the Internet.
During deployment of an enterprise videoconferencing system, it is recommended that the core server for service management and media processing be deployed on the enterprise private network and the SC and RSE6500 be deployed in the DMZ. When communication ports are enabled on the enterprise firewall, devices on the public network and private network can communicate with each other.
How does a firewall implement message exchange?
Messages transmitted between different zones must pass through a firewall. The firewall provides the Local zone, which represents the firewall itself. All messages sent by the firewall are considered messages sent from the Local zone. All messages that the firewall itself must respond to and process are considered messages received by the Local zone.
When a message moves from a lower-level security zone to a higher-level security zone, the message is transmitted in the inbound direction. When a message moves from a higher-level security zone to a lower-level security zone, the message is transmitted in the outbound direction. Messages moving in these two directions trigger different security checks.
How Do I Configure Firewall Ports?
If H.323 devices are deployed on the network:
If the H.323 devices do not support H.460 media port multiplexing, ports required for the following services will be enabled: RTP media traversal, H.323 over UDP/TCP signaling traversal, SiteCall initiated by extranet terminals, extranet access to the RSE6500 web interface, communication between the SC and SIP devices that are not registered on the extranet, communication between the SC and neighbor registration servers, and SMC2.0's management over the SC and RSE6500 (standalone SC used).
If the H.323 devices on the public network all support H.460 media port multiplexing, only the H.460 media multiplexing ports of the H.323 devices need to be configured.
If SIP devices are deployed on the network, ports required for the following services will be enabled: RTP media traversal, H.323 over UDP/TCP signaling traversal, SiteCall initiated by extranet terminals, extranet access to the RSE6500 web interface, communication between the SC and SIP devices that are not registered on the extranet, communication between the SC and neighbor registration servers, and SMC2.0's management over the SC and RSE6500 (standalone SC used).
If the SIP devices in the network need to make ICE traversal calls, you also need to configure ICE traversal call ports.
Configure all rules if both H.323 devices and SIP devices are deployed on the network.
If the USM-EUA and SC are co-deployed, configure the SMC2.0's port for managing the EUA (standalone SC used) and LDAP listening port.
For more information about the rules for enabling firewall ports, see section "Data Planning" in the Configuration for Traversal Between Private and Public Networks at http://support.huawei.com/enterprise/en/doc/EDOC1000092357.
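The zone model described above (inbound means lower-priority zone to higher-priority zone) and the per-service port rules are easy to get wrong when many rules are involved. The following added example, which is not from the original post or from any Huawei product, models a small interzone policy table and checks, for a given packet, which direction it travels and whether an explicit rule permits it. Zone priorities follow the common defaults on Huawei USG firewalls but are treated as an assumption here, and all port numbers are constructed placeholders, not the product's actual values.

```python
from dataclasses import dataclass

# Security-zone priorities: higher value = more trusted. These mirror the
# common defaults on Huawei USG firewalls but are an assumption of this example.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    ports: range    # destination ports this rule permits (end exclusive)
    purpose: str


def direction(src_zone: str, dst_zone: str) -> str:
    """Inbound = lower-priority zone to higher-priority zone; outbound = the reverse."""
    if src_zone == dst_zone:
        return "intrazone"
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"


def check(rules, src_zone: str, dst_zone: str, proto: str, dport: int):
    """Return (direction, permitted, purpose of the matching rule or None).

    Like a real interzone policy, the first matching rule wins and anything
    unmatched is denied, so the core server in Trust is never reachable from
    Untrust unless a rule explicitly says so.
    """
    d = direction(src_zone, dst_zone)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto) == (src_zone, dst_zone, proto) and dport in r.ports:
            return d, True, r.purpose
    return d, False, None


# Constructed rule set following the deployment model in the post: the SC and
# RSE6500 sit in the DMZ, the core server stays in Trust. Ports are placeholders.
RULES = [
    Rule("untrust", "dmz", "tcp", range(1720, 1721), "H.323 signaling traversal to the SC (placeholder port)"),
    Rule("untrust", "dmz", "udp", range(50000, 50100), "RTP media traversal (placeholder range)"),
    Rule("untrust", "dmz", "tcp", range(443, 444), "extranet access to the RSE6500 web interface (placeholder)"),
    Rule("dmz", "trust", "tcp", range(5060, 5061), "SC to core server signaling (placeholder port)"),
]

if __name__ == "__main__":
    for pkt in [("untrust", "dmz", "tcp", 1720), ("untrust", "trust", "tcp", 1720), ("trust", "untrust", "tcp", 80)]:
        print(pkt, "->", check(RULES, *pkt))
```

Extending RULES with the real port list from the "Data Planning" section of the linked document lets the same check run over a planned rule set before it is applied to the firewall.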

very useful