Unreliable Content Sharing on an unregistered H.323 endpoint behind a Palo Alto Networks Firewall

Unreliable content sharing has been observed in some enterprise network environments on purpose-built video endpoint systems that use the H.323 signalling protocol and are not registered to any gatekeeper.

This behaviour may include an inability to receive or initiate a content share soon after the video call is connected, either to a VMR or in a point-to-point call.

Symptoms: content is never received on the affected endpoint, even after this endpoint starts and stops its own content stream (a feature known as firewall pinhole, specifically NAT hole punching).

Solution: change the Palo Alto firewall rules and the endpoint configuration.

  1. On the Palo Alto Firewall: add a rule allowing H.323, H.225, and H.245 traffic, and UDP ports 10000-65535 (outbound direction, for established connections).
  2. On the Video Endpoints: disable the media static ports.
