The Basics of Getting Real Time Video Through a Firewall
I don’t know how many times I have been preparing for a live event while anxiously awaiting discussions between my team and the IT department of the host venue about finding holes in the firewall to accommodate real time video.
It doesn’t matter – hotels, corporate offices, conference centers, universities – they all have groups and systems designed to protect internal IT systems. If you don’t seek collaboration between event AV/IT staff and the IT department in advance, you will put your video streaming capability seriously at risk. Read on to learn the basics of firewall traversal and some special technology from Haivision that can help you along the way.
Here are the basics
Let’s go into the basics and understand the dynamics of the firewall to figure out how we can work with it and save you a few frustrations and potential failures as you stream live video. The firewall guards the LAN to WAN border and prevents the outside world from accessing internal IT systems without authorization. Firewalls are one of the many lines of defense that keep company information in, and prying eyes out.
Without it, anyone could readily gain access to company networks. The basic firewall task is simple. It knows that any exchange is a bidirectional transmission of information between systems, whether basic web surfing, file transfer, calling and conferencing, or video streaming. The firewall effectively does not let any communication happen that is not initiated from within.
At a basic level, unless otherwise provisioned, all systems within the firewall must initiate communications (let’s call each one a “caller”). When a “caller” reaches out to a “listener” (a system that’s outside the firewall across the internet), a bidirectional transmission (“communication”) is allowed.
The Firewall Challenge
When streaming real time video, without the assistance of an intermediary system, standard protocols such as RTMP make getting across firewalls a bit tricky. They have rigid definitions of callers/listeners with video destinations typically behaving as “callers,” pulling the video from the source.
Of course a cloud-based streaming server trying to pull video out of an event facility may be blocked by most firewalls. To enable the video streaming, you’ll need to start negotiation with IT. The “caller” needs to be specifically included as a trusted external party (IP address) and the communication path between the specific internal IP address and the external IP address (port number) needs to be opened on the firewall.
The internal IP address must often be pre-established before programming the firewall – with another difficult task being the discovery and accommodation of IP address mapping within a facility. With all of this in mind, yes, collaborate with IT well in advance.
SRT Firewall Traversal
At Haivision, we built our SRT (Secure Reliable Transport) protocol, although it was fundamentally designed for packet loss recovery and security, to also assist in firewall traversal for the types of applications I mention above. This feature was actually championed by Haivision sales engineers, who were faced with firewall traversal on almost a daily basis.
With SRT you can set any Haivision endpoint into caller, listener, or rendezvous mode. Caller and listener modes are described above; callers behind unknown firewalls can establish bidirectional data flows without the need for an IT administrator to open a port.
Even if there is no rule to explicitly allow an SRT destination device to communicate with the outside world, its control packets will nonetheless be able to return to the SRT source device (through the created firewall “hole”) because of the “connection tracking” feature of stateful firewalls. Rendezvous mode is special in that it can create paths between two unknown firewalls or be used in the cloud (with Haivision Media Gateway) as a central transfer node for SRT traffic.
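The connection-tracking behaviour described above, modelled as an added example (not Haivision code and not an SRT implementation). It assumes a firewall with no NAT, a 30-second UDP idle timeout, and constructed addresses and ports; `StatefulFirewall` and `scenarios` are hypothetical names.

```python
# Added example: toy model of stateful-firewall connection tracking for UDP.
from dataclasses import dataclass, field

IDLE_TIMEOUT = 30.0  # assumed UDP conntrack idle timeout, in seconds

@dataclass
class StatefulFirewall:
    """Default policy: outbound allowed, inbound only for tracked flows."""
    flows: dict = field(default_factory=dict)  # (inside, outside) -> last seen

    def outbound(self, inside, outside, now):
        # An inside host initiating traffic creates (or refreshes) the "hole".
        self.flows[(inside, outside)] = now
        return True

    def inbound(self, outside, inside, now):
        # Accept only replies to a live flow that an inside host started.
        last = self.flows.get((inside, outside))
        if last is None or now - last > IDLE_TIMEOUT:
            return False
        self.flows[(inside, outside)] = now
        return True

ENCODER = ("10.0.0.5", 9000)      # SRT source inside the venue (constructed)
CLOUD = ("203.0.113.10", 9000)    # SRT destination on the internet (constructed)
REMOTE = ("198.51.100.7", 9000)   # peer behind a second firewall (constructed)

def scenarios():
    results = {}
    venue = StatefulFirewall()
    # Cloud destination acts as caller and tries to pull: no tracked flow.
    results["cloud_pull"] = venue.inbound(CLOUD, ENCODER, now=0.0)
    # Encoder acts as caller: its outbound packet opens the return path.
    venue.outbound(ENCODER, CLOUD, now=1.0)
    results["control_return"] = venue.inbound(CLOUD, ENCODER, now=1.2)
    # The hole closes once the flow has been idle past the timeout.
    results["after_idle"] = venue.inbound(CLOUD, ENCODER, now=60.0)
    # Rendezvous: both peers send, so each firewall tracks its own side.
    far = StatefulFirewall()
    venue.outbound(ENCODER, REMOTE, now=70.0)
    results["first_try"] = far.inbound(ENCODER, REMOTE, now=70.1)  # far side has not sent yet
    far.outbound(REMOTE, ENCODER, now=70.2)
    results["venue_accepts"] = venue.inbound(REMOTE, ENCODER, now=70.3)
    results["far_accepts"] = far.inbound(ENCODER, REMOTE, now=70.4)
    return results

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:15} {'ACCEPT' if allowed else 'DROP'}")
```

The `after_idle` result shows that the return path exists only while the tracked flow stays active, and `first_try` shows that in the two-firewall case a peer's packets are dropped until the other side has also sent.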
Ready to learn more about how Haivision’s SRT allows for simple firewall traversal? Contact us to get your copy of our SRT Deployment Guide where we dive into the technical details of SRT’s capabilities.