Caveats Dynamically Open Firewall for UCC Clients using STUN

By vikrams@aruba posted Jun 30, 2014 06:39 AM


Prior to 6.4, the administrator had to explicitly add ACLs to the user roles to allow Lync traffic to flow through. Starting with 6.4, firewall sessions are opened automatically in the datapath for Lync voice and video calls.

"Dynamically Open Firewall for UCC Clients using STUN" is one of the sub-features of UCC, and the following are the caveats for applying it.

· The administrator no longer needs to explicitly open a range of UDP ports for voice and video traffic.
· The feature works with both the media classification and the Lync SDN API based ALG.
· Sessions are NOT dynamically opened in the firewall for Lync desktop sharing and file transfer.
· The administrator still has to open the range of TCP ports used by desktop sharing and file transfer in the user role.
· The feature works by deep-inspecting the STUN messages sent by the Lync clients during a call.
· Prior to media transmission, Lync clients initiate a STUN connectivity check to determine whether the candidate pairs are reachable.
· Media transmission happens on the candidate pair for which the STUN connectivity check has succeeded.
· Sessions that are created by STUN are subjected to the media classification algorithm.
· The media classification algorithm classifies the sessions as RTP (voice/video) or non-RTP.
· RTP sessions are set with the appropriate TOS. Non-RTP sessions are denied by the firewall.
· For this feature to work, the administrator has to make sure that UDP port 3478 and TCP port 443 are allowed in the user role. These ports are used by STUN for candidate discovery.
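To make the sequence above concrete, here is an added, illustrative Python model of the behaviour this post describes (it is not ArubaOS code or Aruba's implementation): it parses STUN Binding Request / Binding Success Response headers, opens a UDP session only for the candidate pair whose connectivity check succeeded, and lets a simple RTP-header heuristic stand in for the media classification algorithm. The endpoints, packet samples and verdict strings are constructed for the demo, and the candidate-discovery ports (UDP 3478, TCP 443) are assumed to be permitted by the user role outside this model.

```python
import struct

STUN_MAGIC = 0x2112A442   # RFC 5389 magic cookie that identifies a STUN message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101  # Binding Success Response

def stun_message(msg_type, transaction_id, attributes=b""):
    """Build a minimal STUN message (constructed sample traffic for this demo)."""
    assert len(transaction_id) == 12
    return struct.pack("!HHI", msg_type, len(attributes), STUN_MAGIC) + transaction_id + attributes

def parse_stun(payload):
    """Return (msg_type, transaction_id) if payload is a well-formed STUN message, else None."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != STUN_MAGIC or msg_type & 0xC000 or len(payload) != 20 + length:
        return None
    return msg_type, payload[8:20]

def looks_like_rtp(payload):
    """Stand-in for the media classifier: RTP version 2 and a non-RTCP payload type."""
    if len(payload) < 12:
        return False
    return payload[0] >> 6 == 2 and not 64 <= (payload[1] & 0x7F) <= 79

class StunPinholeFirewall:
    """Opens a UDP flow only after a STUN connectivity check on that candidate pair succeeds."""
    def __init__(self):
        self.pending = {}        # transaction id -> (src, dst) of the outstanding Binding Request
        self.open_flows = set()  # candidate pairs (unordered) whose connectivity check succeeded

    def inspect(self, src, dst, payload):
        """Process one UDP datagram; src/dst are (ip, port) tuples. Returns a verdict string."""
        stun = parse_stun(payload)
        if stun is not None:
            msg_type, tid = stun
            if msg_type == BINDING_REQUEST:
                self.pending[tid] = (src, dst)
                return "stun-request"
            # A success response must come back from the peer, reversing the request's direction
            if msg_type == BINDING_SUCCESS and self.pending.get(tid) == (dst, src):
                del self.pending[tid]
                self.open_flows.add(frozenset((src, dst)))
                return "stun-success:session-opened"
            return "stun-unmatched"
        if frozenset((src, dst)) not in self.open_flows:
            return "deny:no-dynamic-session"   # no succeeded check on this candidate pair
        # Dynamically opened session: media classification decides RTP vs non-RTP
        if looks_like_rtp(payload):
            return "permit:rtp:set-tos"        # the TOS value itself comes from the configured policy
        return "deny:non-rtp"
```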