Frequent Contributor I

Apple FaceTime with Aruba Firewalls

Thought I'd share...
Anyone have any suggestions?




netservice svc-facetime-udp udp 16399 16472
netservice svc-facetime-tcp-5223 tcp 5223
netservice svc-facetime-tcp-4080 tcp 4080
!
ip access-list session "Apple Facetime"
any any svc-facetime-udp permit disable-scanning queue high tos 63 dot1p-priority 7
any any svc-facetime-tcp-5223 permit disable-scanning queue high tos 63 dot1p-priority 7
any any svc-facetime-tcp-4080 permit disable-scanning queue high tos 63 dot1p-priority 7
!
user-role authenticated
session-acl "Apple Facetime"
session-acl allowall
ipv6 session-acl v6-allowall
!
(Aruba5000) # show rights authenticated

Derived Role = 'authenticated'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 56/0
Max Sessions = 65535


access-list List
----------------
Position  Name            Location
--------  ----            --------
1         Apple Facetime
2         allowall
3         v6-allowall

Apple Facetime
--------------
Priority  Source  Destination  Service                Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------                ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          svc-facetime-udp       permit                           High   63   7                         Yes
2         any     any          svc-facetime-tcp-5223  permit                           High   63   7                         Yes
3         any     any          svc-facetime-tcp-4080  permit                           High   63   7                         Yes

allowall
--------
Priority  Source  Destination  Service                Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------                ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          any                    permit                           Low

v6-allowall
-----------
Priority  Source  Destination  Service                Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------                ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          any                    permit                           Low

Expired Policies (due to time constraints) = 0
Frequent Contributor I

TCP = Signaling?

I was thinking about turning scanning back on during TCP port usage, as I think that's only for signalling, and disabling scanning with only the UDP voice/video ports. Just not sure yet...
Guru Elite

Start with Allow All

You should start with "Allow all" and make sure that works. You can then do "show datapath session table" to see what traffic is being sent.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

allowall doesn't belong at the start

If I started with an allowall, my VoIP/video traffic would never get to my rules to boost the priority.
Guru Elite

Priority

The allowall would only be temporary to ensure that the application would work, and to observe the traffic that was passed. When you found out what traffic was being passed, then you would construct your rules with priority.

It would be great if Apple used a standards-based protocol so that Aruba could dynamically open and close ports, and prioritize with a single permit statement with the built-in Application Layer Gateway.

THIS JUST IN: If you have nobody to test facetime with, you can always call Apple and they will be happy to help you test it: 1-888-FACETIME

FYI, the protocols for which Aruba is application-aware are:

(Aruba651) (config) #netservice svc-test tcp 80 alg ?
dhcp Service is DHCP
dns Service is DNS
ftp Service is FTP
h323 Service is H323
noe Service is Alcatel NOE
rtsp Service is RTSP
sccp Service is SCCP
sip Service is SIP
sips Service is Secure SIP
svp Service is SVP
tftp Service is TFTP
vocera Service is VOCERA


Colin Joseph
Aruba Customer Engineering

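Added example (not part of the original thread, and not Aruba code): a small Python model of the ordering point debated in the two posts above, using the netservice definitions and ACL names from the posted config. It assumes session ACL rules are checked top-down in position order with the first match winning; the function names and the implicit-deny fallback are hypothetical.

```python
# Added illustration of first-match ordering for the role's session ACLs.
# Assumption: rules are evaluated top-down in ACL position order, first match wins.
# Source and destination are "any" in every posted rule, so only the service is modelled.

SERVICES = {  # netservice definitions copied from the posted config
    "svc-facetime-udp": ("udp", 16399, 16472),
    "svc-facetime-tcp-5223": ("tcp", 5223, 5223),
    "svc-facetime-tcp-4080": ("tcp", 4080, 4080),
    "any": (None, 0, 65535),  # None = any protocol
}

ACLS = {  # (service, queue) per rule, as listed by "show rights authenticated"
    "Apple Facetime": [("svc-facetime-udp", "high"),
                       ("svc-facetime-tcp-5223", "high"),
                       ("svc-facetime-tcp-4080", "high")],
    "allowall": [("any", "low")],
}

def flatten(role_acls):
    """Expand the role's ACL list into one ordered rule list."""
    return [(acl, svc, q) for acl in role_acls for svc, q in ACLS[acl]]

def covers(outer, inner):
    """True if service `outer` matches every flow that `inner` matches."""
    po, lo, ho = SERVICES[outer]
    pi, li, hi = SERVICES[inner]
    return (po is None or po == pi) and lo <= li and hi <= ho

def first_match(role_acls, proto, port):
    """Return (acl, service, queue) of the first rule matching the flow."""
    for acl, svc, queue in flatten(role_acls):
        p, lo, hi = SERVICES[svc]
        if (p is None or p == proto) and lo <= port <= hi:
            return acl, svc, queue
    return None  # implicit deny (assumed; never reached while allowall is present)

def shadowed(role_acls):
    """Rules that can never be hit because an earlier rule covers them."""
    rules = flatten(role_acls)
    return [(acl, svc) for i, (acl, svc, _) in enumerate(rules)
            if any(covers(prev, svc) for _, prev, _ in rules[:i])]

if __name__ == "__main__":
    for order in (["Apple Facetime", "allowall"], ["allowall", "Apple Facetime"]):
        print(order, first_match(order, "udp", 16400), shadowed(order))
```

With allowall left in position 1 after testing, all three FaceTime rules show up as shadowed and the media flow lands in the low queue, which is why it has to come out or move below the priority rules once the ports are known.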

Aruba Employee

Re: Apple FaceTime with Aruba Firewalls

Did you get his issue resolved?

-Mike
Aruba Employee

FaceTime Protocol Info

FYI, according to this series of articles http://www.packetstan.com/2010/07/special-look-face-time-part-3-call.html
by the legendary Joshua Wright, FaceTime does use SIP and STUN to initiate the session. As such ArubaOS should be able to recognize the session setup.

-J
Occasional Contributor II

not working here

Any updates to get Facetime working?
Guru Elite

Facetime

Does anyone have "allow all" and it is not working? What is the problem, then?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

NAT issue

Could the issue be a NAT problem? We have issues with FaceTime on the same wireless network. Both users are on the same network; the call goes through to the second user, and when they accept the FaceTime call they are disconnected with a "FaceTime failed" error. We tried allow all and are still seeing the issue.