Thursday, May 25, 2006

LCS, Audio/video, file transfers and firewalls

I was responding to a question on the ASP.NET forums and thought it would be a good contribution to msgoodies (almost unedited, so maybe I will update it some day to be more thorough ;-)

The question was

What happens when a LCS solution sits behind a firewall/nat?

The answer is -

It is possible to do file transfers and audio/video in a hosted or enterprise LCS environment where LCS sits behind a NAT/firewall, but it all depends on your configuration of LCS and/or Office Communicator and/or your firewall.

For a start, LCS is basically a SIP server, and SIP is of course the Session Initiation Protocol. In SIP you use what we refer to as a triangle. User A will initially communicate with User B through the LCS server and SIP, but when a user decides to start a session with e.g. audio/video or file transfers, the server will help the clients negotiate the right protocols etc., and once this is in place the clients communicate directly with each other (thereby creating the SIP triangle: User A and User B talking with each other, and both talking with the LCS server). So only SIP is passed through the server; the rest is usually done peer to peer.

So why is it not working for you? A lot of reasons might apply, which I try to explain in the following sections.

Office Communicator
Well, for one you need to check or set the relevant Group Policies. You can do this by importing the Communicator.adm file into the Administrative Templates in the Computer Configuration part of the GPO (or by setting the relevant registry keys manually). The interesting part here is the SIP Security Mode setting: High Security mode will require encrypted SIP communication but still allow P2P file transfers and audio/video, but it disables the use of UPnP, which is sometimes necessary if one of the parties involved in the communication is sitting behind e.g. a wireless ADSL router or packet-filtering firewall. The other interesting policy is obviously the policy called "Prevent File Transfer".

Server
On the server side, IMFilter.am is enabled by default on the Access Proxy, and it disables file transfers and URLs in IMs, so instead I would deploy the LCS Intelligent IM Filter, which is more configurable in terms of allowing certain file types.
Furthermore, if you implement e.g. Sybari Antivirus on the server, all file transfers are forced to go through the server (thereby needing to open the ports used for TFTP through the service provider's firewall).

Firewall
In the case of file transfers the protocol used is TFTP over TCP, and it runs over ports 6891-6900 (allowing for 10 concurrent file transfers). For application sharing, T.120 through port 1503 is used, and for audio/video a combination of RTP/RTCP is used. You can find more info in KB 903056 and in the article Windows Messenger in Windows XP (note that Office Communicator uses the underlying technologies of Windows Messenger and thereby has the same restrictions).
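Because file transfers and application sharing go peer to peer on the ports listed above, a firewall log is the place to see whether such sessions are crossing a network boundary instead of staying internal (or instead of going through the server when an antivirus product is meant to force them there). The following is an added example, not code from the original post or from any Microsoft product: it parses a few constructed firewall connection-log lines, picks out the flows on the TCP file-transfer ports 6891-6900 and the T.120 port 1503 named in this post, and flags those that cross the internal boundary. The log format, the 10.0.0.0/8 internal range and the sample lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Peer-to-peer ports named in the post (values taken from the post).
FILE_TRANSFER_PORTS = range(6891, 6901)  # TFTP-style transfers over TCP 6891-6900
APP_SHARING_PORT = 1503                  # T.120 application sharing

# Internal address range: an assumption for this example, not from the post.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample log lines (not real traffic):
# "<date> <time> <ACTION> <PROTO> <src> <dst> <sport> <dport>"
SAMPLE_LOG = """\
2006-05-25 10:01:02 ALLOW TCP 10.1.2.3 10.1.5.7 51234 6891
2006-05-25 10:01:05 ALLOW TCP 10.1.2.3 203.0.113.9 51240 6892
2006-05-25 10:02:10 ALLOW TCP 10.1.9.9 10.1.2.3 51300 1503
2006-05-25 10:03:00 ALLOW TCP 10.1.2.3 10.1.5.7 51400 5061
2006-05-25 10:04:00 DENY TCP 198.51.100.4 10.1.2.3 44000 6895
"""

LINE_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) (TCP|UDP) (\S+) (\S+) (\d+) (\d+)$")


def classify(line):
    """Describe one log line if it is a P2P file-transfer or app-sharing flow, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, dst, _sport, dport = m.groups()
    dport = int(dport)
    if proto == "TCP" and dport in FILE_TRANSFER_PORTS:
        category = "file-transfer"
    elif proto == "TCP" and dport == APP_SHARING_PORT:
        category = "app-sharing"
    else:
        return None
    src_in = ipaddress.ip_address(src) in INTERNAL
    dst_in = ipaddress.ip_address(dst) in INTERNAL
    return {"time": ts, "action": action, "category": category,
            "src": src, "dst": dst, "crosses_boundary": src_in != dst_in}


def find_p2p_flows(log_text):
    """Return every file-transfer / app-sharing flow found in the log text."""
    return [c for c in (classify(ln) for ln in log_text.splitlines()) if c]


def summarize(flows):
    """Count flows by (category, crosses_boundary) for a quick review."""
    return Counter((f["category"], f["crosses_boundary"]) for f in flows)
```

A flow that crosses the boundary on one of these ports shows a client attempting a direct session with an outside peer, which is exactly the case the post says depends on the NAT/firewall and policy configuration.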

Conclusion
The sum is that in a hosted or enterprise LCS scenario, all audio/video, file transfers and application sharing can work perfectly internally between desktops and mobile devices (Communicator Mobile) at the customer (assuming they are not firewalling between internal network segments). But when a client needs to communicate with users outside their firewall, the same restrictions apply as for companies deploying their own LCS solution. NetMeeting is an old product and just doesn't handle traversing firewalls and NATs very well (even though some workarounds can be made), and this is probably why it is deprecated in Windows Vista (see RTC Client APIs and Vista). The next version of LCS, called Live Server, and Office Communicator will supposedly handle this "in another way", but we will have to wait a couple of months until Microsoft goes public with more info on this product (launching just after Office 2007).

2 comments:

rajiv said...

Dear sir,
I want to know how to force a file transfer through the server.

Now it is done through peer to peer, right?
Please reply to me soon at rajiv_k@asianitg.com
or post here on this page.

Dennis Lundtoft Thomsen said...

Hi Rajiv,

There are two default options: either allowing file transfers or not.
There's also the option of enabling SIP High Security Mode, which will encrypt P2P file transfers using TLS, and installing the Intelligent IM Filter to control allowed file extensions - but this is still P2P.
If you want to enforce file transfers through the server, then install an antivirus product like Sybari Antigen (now called "Microsoft Antigen for Instant Messaging"); when this is installed (which is a recommendation anyway) it will force file transfers through the server.