Executive Editor

School solves videoconferencing puzzle

Feb 03, 2003 | 4 mins

School solves the problem of passing video traffic through firewalls

Five years ago, the Imperial County Office of Education in El Centro, Calif., had a vision to put videoconferencing into every classroom in its 56 schools, but it wasn’t until last year that it solved a key problem: getting the video traffic to go through firewalls easily.

Now, with the installation of gear from Ridgeway Systems, traffic can pass through the firewalls that protect the independent networks at each of the 17 school districts within the county. This might prove to be the last major obstacle to video deployment, says Alan Phillips, the district’s videoconferencing specialist.

“We were close to being dead with IP video,” he says, because of unforeseen problems getting firewalls properly configured to allow incoming video calls. And, given the high cost of ISDN as an alternative, IP was the only economically feasible answer.

One problem wasn’t technical; it had to do with jurisdiction. Phillips was in charge of a countywide teleconferencing project to be run over an evolving Gigabit Ethernet fiber ring that the schools lease from the local water district. Each school district is connected to the ring, and each district’s network is run autonomously. So Phillips had no authority to choose a standard firewall between each district and the common WAN or to order that the various installed firewalls be set to accept incoming video calls.

Initiating a videoconference requires the calling machine to connect with the receiving machine. But if firewalls are in between, they can cause problems in two ways. First, the firewall protecting the machine being called will block the initial incoming message as unsolicited traffic. Second, both firewalls might be translating private LAN IP addresses into public IP addresses, which can create discrepancies between packets’ internal and header addresses, causing them to be dropped. IP voice creates similar problems.

Even in trials with Polycom ViewStation FX videoconferencing units in which Phillips controlled the firewalls, configuring the firewalls was tricky. Although he set his Cisco PIX firewalls to allow the video traffic in and out, performance glitches arose. Sometimes, just audio would get through, but no video. He tried installing an Accord videoconferencing bridge to traverse the firewall, but that required a more complicated dialing plan that end users could not adapt to, he says. It required them to figure out what network the receiving machine resided on and to use the appropriate prefixes.

Another way around the problem was dedicating a physical port on each district’s WAN switch to videoconferencing, but that would have been too much work and burned the port for other uses, Phillips says.

When he heard about Ridgeway, he set up a demonstration of its IPFreedom software between a PC in his office that was equipped with Polycom’s ViaVideo gear and a PC at Ridgeway’s office. He downloaded a Ridgeway client to his PC and says that in minutes he set up a videoconference with the Ridgeway representative.

Ridgeway gear consists of client software called IPFreedom Client, which runs on PCs or servers behind firewalls, and IPFreedom Server, which oversees all the clients in a user’s network. The clients establish persistent TCP sessions with a central Ridgeway IPFreedom Server. The videoconferencing gear at each site is pointed at the local device running the Ridgeway software, and the clients and server in tandem act as a proxy to get traffic through the firewalls.

Because they have an established TCP session, their call notifications can get through the firewalls without being blocked. Once a call is in progress, the equipment uses just two firewall ports to shuttle traffic through. The software has the intelligence to translate IP addresses.
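The firewall behaviour described above, modelled as an added Python example (not from the article and not Ridgeway's code): a toy stateful NAT firewall drops an unsolicited inbound call, forwards a notification that arrives on a session the inside client opened first, and leaves a private address in the payload after rewriting only the header. All addresses, ports and names are constructed for illustration.

```python
from dataclasses import dataclass, field

RELAY, RELAY_PORT = "192.0.2.50", 443      # constructed relay address and port
CALL_PORT = 1720                           # assumed call-signalling port (H.323 uses 1720)

@dataclass(frozen=True)
class Packet:
    src: str                 # source IP in the packet header
    dst: str                 # destination IP in the packet header
    port: int                # port on the outside host that identifies the session
    embedded_addr: str = ""  # address the application wrote inside the payload

@dataclass
class StatefulNatFirewall:
    public_ip: str
    sessions: dict = field(default_factory=dict)  # (outside_ip, port) -> inside_ip

    def outbound(self, pkt):
        """Inside host sends out: remember the session, rewrite only the header source."""
        self.sessions[(pkt.dst, pkt.port)] = pkt.src
        return Packet(self.public_ip, pkt.dst, pkt.port, pkt.embedded_addr)

    def inbound(self, pkt):
        """Outside host sends in: forward only on a session opened from inside."""
        inside = self.sessions.get((pkt.src, pkt.port))
        if inside is None:
            return None      # unsolicited traffic is dropped
        return Packet(pkt.src, inside, pkt.port, pkt.embedded_addr)

def direct_call():
    """A remote endpoint dials in directly; no session exists, so the setup is dropped."""
    fw = StatefulNatFirewall("203.0.113.10")
    return fw.inbound(Packet("198.51.100.7", fw.public_ip, CALL_PORT))

def relayed_call():
    """The inside client holds a persistent session to a relay; the notification rides it in."""
    fw = StatefulNatFirewall("203.0.113.10")
    fw.outbound(Packet("10.1.1.20", RELAY, RELAY_PORT))
    return fw.inbound(Packet(RELAY, fw.public_ip, RELAY_PORT))

def nat_mismatch():
    """NAT rewrites the header source but not the address carried in the payload."""
    fw = StatefulNatFirewall("203.0.113.10")
    out = fw.outbound(Packet("10.1.1.20", "198.51.100.7", CALL_PORT, "10.1.1.20"))
    return out.src, out.embedded_addr

if __name__ == "__main__":
    print(direct_call(), relayed_call(), nat_mismatch())
```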

About 100 ViaVideo units are distributed among the Imperial County schools, and the schools have bought Ridgeway server software for about $65,000. The clients are free and are installed on servers inside district firewalls. Server capacity is priced by the number of endpoints it supports – $150 for an IP voice-only endpoint and $300 for a video endpoint, the company says.