jarry
New Contributor

Video Conferencing Setup

We have a Fortigate 80E firewall in our environment. We recently acquired a LifeSize Express 220 video conferencing unit that I need to set up. I am a newbie at configuring firewalls, so my question is the following. Should I set up the video conferencing device on the DMZ port, or hook it up to an available port on the internal network?

mjcrevier
New Contributor III

If you're using the default internal interface "lan", you can connect to any of the internal ports.

Dave_Hall
Honored Contributor

Hi Jerry.

Glancing at a general VC unit setup (was not able to locate a PDF manual for the model in question, though) from LifeSize's support site, it seems you can set up the VC unit on the DMZ, assuming you have a public IP, or on the LAN via port forwarding. (The LAN/port forwarding seems to be more complicated in making outbound calls, though.)

Your best bet may be to contact LifeSize's support and/or consult their setup guide on what is required for setting up the VC unit behind a router. I was able to find this guide, but don't know how useful it would be.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
jarry

I placed the VC unit on the DMZ and the unit still fails to register. I am not sure if I am missing a policy or if I even created the correct policies. This is what I did.

For the DMZ interface I gave it an IP of 192.168.5.1

DHCP Server range - 192.168.5.2 - 192.168.5.5

The VC unit picked up IP 192.168.5.2

Inbound rule

Incoming Interface - Centurylink (wan1)

Outgoing Interface - DMZ (dmz)

Source All - (for now to test then I want to restrict it to what is only needed)

Destination - Lifesize Express

Schedule - Always

Service - All

Internal rule

Incoming Interface - Internal (lan)

Outgoing Interface - DMZ (dmz)

Source - DMZ (dmz)

Destination - Centurylink (wan1)

Schedule Always

Service All

These are the other docs that Lifesize sent me.

https://www.lifesize.com/en/help/admin-console/get-started/configure-firewall/open-ports

https://www.lifesize.com/~/media/Documents/Product%20Documentation/Video%20Systems/Guides%20and%20Re...

Pages 39-42

Dave_Hall
Honored Contributor

Sticking the VCU on the DMZ is fine, but what you are trying to do is pretty much NAT - you will need to set up port forwards (from WAN to DMZ). In Fortinet speak, these are called VIPs. Also, you really do not want to send any/all traffic hitting the WAN port and direct it to the DMZ port.

An example of port forwards is this old Polycom list from about eight years ago, on an 80CM running old firmware - the VCU was assigned a static IP 192.168.93.40. These VIPs were then placed in a group and used in the dest address of a WAN to LAN firewall rule.

The above was only used once and we had so many problems that we just ended up installing a small switch between the ISP gateway device and fgt and giving the VCU a "public IP" and connecting it to this switch.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
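The VIP, VIP group and WAN-to-DMZ policy arrangement described in the reply above, sketched as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread: `<public-ip>`, the object names and the port numbers are constructed placeholders, and 192.168.5.2 is the DMZ address mentioned in the thread, assumed here to be reserved so it does not change.

```fortios
# Added example. Lines starting with '#' are reader annotations, not CLI input.
# Constructed values: <public-ip>, object names, TCP 1720, UDP 60000-60010.
# Take the real port list from the LifeSize documentation linked in the thread.
config firewall vip
    edit "vc-signal"
        set extintf "wan1"
        set extip <public-ip>
        set mappedip "192.168.5.2"
        set portforward enable
        set protocol tcp
        set extport 1720
        set mappedport 1720
    next
    edit "vc-media"
        set extintf "wan1"
        set extip <public-ip>
        set mappedip "192.168.5.2"
        set portforward enable
        set protocol udp
        set extport 60000-60010
        set mappedport 60000-60010
    next
end
# Group the VIPs so one policy can reference all forwarded ports.
config firewall vipgrp
    edit "vc-vips"
        set interface "wan1"
        set member "vc-signal" "vc-media"
    next
end
# Inbound policy: the destination is the VIP group, so only the forwarded
# ports reach the DMZ host instead of any/all traffic arriving on wan1.
# Replace srcaddr "all" with address objects for the known remote endpoints
# once testing is finished, and keep logging on to see what is hitting it.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vc-vips"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```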
jarry

Thank you, I will try this.

Dave_Hall
Honored Contributor

The example I have provided is for an older Polycom unit - you have to consult the Lifesize Express manual(s) to see what ports you need to open/forward if you decide to go that route. Also be mindful of port security (as indicated in that manual).

jarry wrote:

Thank you, I will try this.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
jarry

Will do,

 

Thanks again
