Khara M
posted this on May 25, 2011 09:57
IMPORTANT NOTE: It should not be necessary to open specific ports for Fuze although doing so may improve performance. Fuze has intelligent firewall traversal in the application that should detect blocked traffic and reroute over port 80/443. If you are seeing situations where our traffic is still getting blocked, please report the specifics to our support team.
Bigger corporations and government institutions may have restrictive firewalls that will inspect and block Fuze video or VoIP traffic. If firewall traversal fails or you want better performance, your company IT department can use this information to enable our traffic through their firewall.
Fuze Box operates the majority of Fuze Meeting core services for Flash-based web clients on a dedicated block of address space that we acquired directly from ARIN: 206.81.176.0/20 (that is, all address space in the range from 206.81.176.0 through 206.81.191.255). As we add capacity, new sites and servers to continue scaling up our infrastructure, we intend to do that work within this block. For proper Fuze Meeting operation, customers should allow their meeting participants' workstations to access our servers in this network block on the following ports: 80, 443, 843, 3478 (VoIP) and 5060 (VoIP). In addition, Fuze Meeting Video Conferencing will attempt to use UDP on ports 50,000-60,000; if that traffic is blocked, it will be routed over port 443. Following are a few notes about these specific ports:
In addition to the core services that we operate on our ARIN block, Fuze Box can also instantiate some of our services in the Amazon AWS cloud to support quick scale-up of certain resources that support Fuze Meeting as demand requires. Currently this means that client workstations should be allowed to connect to ports 80, 443 and 50,000-60,000 on *.amazonaws.com servers.
In this type of environment, where NAT is typically used, the intervening firewall must maintain UDP associations to support audio streams as well as server-initiated SIP transactions. Stateful, SIP-aware firewalls should work fine, and even most simpler NAT firewalls will work with this feature as long as outbound UDP is permitted along with its return traffic and the firewall does not time out those associations too aggressively (a timeout of less than a minute is too aggressive).
Optionally, if clients plan to use Skype to connect to the audio portion of a meeting, then access to Skype's services must also be allowed. Also, if there are pre-meeting checklist failures, verify whether the user has a personal firewall (Windows firewall, Barracuda, etc.) on their machine and whether they are using anti-virus software on that machine.
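An added example, not part of the original article or Fuze's own tooling: a short Python check that labels denied flows from a firewall log against the address block and ports listed above, so an administrator can see which blocks affect documented Fuze traffic and which do not. The log lines are constructed, the transport for ports 3478 and 5060 is assumed to be TCP or UDP because the article does not state it, and *.amazonaws.com hosts are left out because they cannot be matched by a fixed address range.

```python
import ipaddress
import re

# From the article: the ARIN block and the ports clients need to reach in it.
FUZE_BLOCK = ipaddress.ip_network("206.81.176.0/20")
TCP_PORTS = {80, 443, 843}
VOIP_PORTS = {3478, 5060}        # assumption: transport not stated, accept TCP and UDP
VIDEO_UDP = range(50000, 60001)  # UDP 50,000-60,000 inclusive

FIELD = re.compile(r"(\w+)=(\S+)")


def block_bounds():
    """First and last address of the /20, as strings."""
    return str(FUZE_BLOCK[0]), str(FUZE_BLOCK[-1])


def classify(proto, dst, dport):
    """Label one flow against the article's list."""
    if ipaddress.ip_address(dst) not in FUZE_BLOCK:
        return "outside-block"
    proto = proto.upper()
    if dport in VOIP_PORTS and proto in ("TCP", "UDP"):
        return "documented-voip"
    if proto == "TCP" and dport in TCP_PORTS:
        return "documented-web"
    if proto == "UDP" and dport in VIDEO_UDP:
        return "documented-video"
    return "undocumented-port"  # inside the block, but not a port the article lists


def triage(log_lines):
    """Return (dst, proto, dport, label) for every flow record in the deny log."""
    out = []
    for line in log_lines:
        f = dict(FIELD.findall(line))
        if not all(k in f for k in ("DST", "PROTO", "DPT")):
            continue  # not a flow record (e.g. no destination port)
        port = int(f["DPT"])
        out.append((f["DST"], f["PROTO"], port, classify(f["PROTO"], f["DST"], port)))
    return out


# Constructed sample deny-log lines (iptables LOG style fields), not real traffic.
SAMPLE = [
    "FW-DENY SRC=10.0.4.17 DST=206.81.180.12 PROTO=UDP SPT=53122 DPT=50321",
    "FW-DENY SRC=10.0.4.17 DST=206.81.191.255 PROTO=TCP SPT=53123 DPT=843",
    "FW-DENY SRC=10.0.4.17 DST=206.81.192.1 PROTO=TCP SPT=53124 DPT=443",
    "FW-DENY SRC=10.0.4.17 DST=206.81.176.9 PROTO=TCP SPT=53125 DPT=8080",
    "FW-DENY SRC=10.0.4.17 DST=206.81.177.3 PROTO=UDP SPT=53126 DPT=5060",
]
```

Calling `triage(SAMPLE)` labels each denied flow; entries marked `outside-block` or `undocumented-port` are not covered by the article's list and need no rule on Fuze's account.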
Comments
Quick question:
Is the range from 206.81.176.0 to 206.81.176.20? or 206.81.176.0 to 206.81.191.255?
Thanks!
Hi Xavier!
The range is from 206.81.176.0 through 206.81.191.255.
All The Best,
Khara
Hi Khara,
The article said the connections should use port 80, 443 and 50,000-50,500 for *.amazonaws.com servers. Does the IP range include *.amazonaws.com? If no, how can I know it?
Thanks!
Gloria
Greetings Gloria,
No, this is not included. Only IP range from 206.81.176.0 through 206.81.191.255.
Kind regards,
Jesse
Just want to make a general comment and recommendation.
Every time something goes wonky with Fuze (eg. "Videoconference Error", "Fuze taking too long to load", etc), even if the problem is happening on a straightforward home internet connection with no complicated firewall barriers, Fuze Support tends to always recommend the source of problem is either:
1) Check your internet connection, or
2) Check your firewall, linking to this page
This might be fine if there was some diagnostic rigour to these suggestions, i.e. logs are checked, diagnostic test results are requested, questions are asked, etc, but Fuze Support seems to have a tendency to just throw it out there immediately, whatever the situation.
This practice in my experience will lead to a lot of misdiagnoses, wasting of time and makes improving our ability as hosts to fix problems ourselves impossible. Hope this makes sense.
Thanks.
Hi Lionel,
We have found that many home internet connections have become fairly complex.
https://www.fuzemeeting.com/files/ookla/PROD/Detector.html
Thanks Thu.
>We have found that many home internet connections have become fairly comple
I appreciate that. Nevertheless, human support jumping to those two suggestions with no other information gathered does seem to be a bit of a waste of having human support in the first place. Surely the advantage of having human support (vs just a flow chart) is the ability to test things so that suggestions have a higher chance of being the case in any individual case.
For example, when I do report a problem, I have never, never been asked to try the pre-meeting diagnostics. But now that you have mentioned it, can you tell me if it is definitive, i.e. if the test does not show any firewall problems, then we can be sure to look somewhere else?
You should have attendees run the pre-meeting diagnostics pre-emptively, prior to experiencing the problem. Yes, the test is definitive. If you see cases where the tests pass but Fuze still fails, we'll see if we can enhance the tool.
That's handy to know Thu, I will do this in future. Thank you!
Thu, me again... another quick question.
Can you tell me if the diagnostic test will also tell you if you are using the version of Mac Leopard that gives the flash installation error described here?
http://support.fuzemeeting.com/entries/20490423-why-am-i-prompted-to-install-adobe-flash-when-i-launch-fuze-as-an-application
Thu, I am getting some conflicting information about what you said here:
"You should have attendees run the pre-meeting diagnostics pre-emptively, prior to experiencing the problem. Yes, the test is definitive. If you see cases where the tests pass but Fuze still fails, we'll see if we can enhance the tool."
Jose at support mentioned over the phone that the advanced diagnostic test doesn't actually test for videoconferencing firewall ports, so it is "definitive" but only for everything apart from videoconferencing, which is quite important for at least my usage of Fuze (that's why I am with you and not GoToMeeting). Can you confirm that is right?
Per our Dev Team, the advanced diagnostic test does check for video firewall ports. However, it does not check all 10K ports as this will consume too much time and the user would wait for too long for the check to be completed.
Thanks for that update Thu.
So the upshot here is the possibility of false negatives, rather than false positives for videoconferencing, i.e. it may be the case that the test for firewall ports for videoconferencing fail, but that it will still actually work because the unchecked ports are fine - am I understanding right?
In cases where everything passes on the advanced diagnostic test though, then enough ports should be open for videoconferencing to work as far as firewalls/security etc are concerned.
And that means if everything passes on the advanced diagnostics test, and a "Videoconference Error" occurs from within the Fuze application when trying to join videoconferencing, we should look for a problem APART from firewalls.
Please confirm my logic is right or if I am missing something.
PS. I really really appreciate your help on this, it helps make my life soooo much easier, but the different information from different people in Fuze is a little confusing.
Use simple statements, please. I've been invited as a guest on a Fuze meeting. I do not see the need for you to inform me about dedicated blocks of address space or how home Internet connections have become complex unless you provide a procedure to resolve these issues.
When I connect to Fuze via Firefox, the result is a white screen followed by a window stating "Fuze application is taking too long to load."
My desktop computer has the latest Adobe Flash Player. The computer uses the Windows 64-bit system. The webcam is a high-end Logitech unit. The Java Platform is allowed. All segments of the Fuze troubleshooting feature have passed. Give me a procedure and I'll follow it.
Hi John, I created a support ticket for you regarding this topic. One of our technical support team members will reach out to you soon to help resolve the issues you are experiencing. For future reference, technical inquiries are best handled by opening a support ticket directly, here: http://support.fuzemeeting.com/tickets/new
Thank you for your patience, and we appreciate your feedback.
And here is the simple version of the above:
**********************************************************
Allow connections to 206.81.176.0/20
Allow connections to ANY IP: Port 50000-60000 UDP
Allow connections to ANY IP: Port 443 TCP
**********************************************************
I hope this helps
Best regards,
Zhivko Valov