More and more people are listening to audio and watching video files found at sites on the Internet. As with other services, access to these files is not without risk, and it requires the same logging and access control that you apply to other traffic through the firewall.
There are a number of protocols that allow people to listen to audio material and view video material. The Gauntlet Firewall includes multimedia proxies that securely handle requests for the following formats:
NetShow
RealPlayer (RealAudio and RealVideo)
StreamWorks
VDOLive
The Gauntlet Firewall also includes a MediaBase proxy, which is described in chapter 23 of this manual. This chapter discusses the concepts behind the multimedia proxies and explains how they work and how to configure and use them. The chapter contains the following sections:
The Gauntlet multimedia proxies are application level proxies that provide configurable access control. The proxy, which runs on the firewall, passes client requests through the firewall, using rules you supply. You can configure the multimedia proxies to allow connections based on:
source hostname
source IP address
destination hostname
destination IP address
service port number
Using these options, you can configure the firewall to allow clients on the inside network to access audio or video servers on the outside network. You can also limit the sites users can access from systems on the inside network. The multimedia proxies also log all successful and unsuccessful connection attempts and the amount of data transferred.
You cannot configure the multimedia proxies to allow access to servers on the inside network.
These access controls give you more control over the connections to and from your network than you would have without a firewall, and the logging is more extensive. Note that the rules match on hostnames and addresses rather than on user credentials: they decide which hosts may connect, not which users.
The firewall runs a separate instance of the multimedia proxy on the default port for each service: NetShow (TCP port 1755), RealAudio and RealVideo (TCP port 7070), and VDOLive (TCP port 7000). The firewall also runs the StreamWorks proxy as a daemon listening for requests on the StreamWorks XDMA port (UDP port 1558).
When the firewall receives a request on one of these ports, the proxy checks its configuration information and determines whether the initiating host has permission to use the requested service. If the host has permission, the proxy logs the transaction and passes the request to the outside host; if not, the proxy logs the refused attempt and does not pass the request. The proxy remains active until either side closes the connection.
The default service group and rules allow all inside hosts to use the multimedia proxies without authenticating. Multimedia services are included in the trusted service group, allowing users on the trusted network to view and access multimedia content from outside hosts. The default configuration does not allow outside hosts to connect to multimedia servers inside the perimeter.
You also cannot run multimedia servers on the firewall itself. Because the proxies listen on the default ports for these services, every request to one of these ports on the firewall reaches the proxy, and the server daemons those services would need cannot be started on those ports.
To access the NetShow proxy configuration:
From within the Gauntlet Firewall Manager, select Services.
Click the NetShow tab.
The NetShow window displays.
To access the proxy configuration for RealAudio and RealVideo (RealPlayer):
From within the Gauntlet Firewall Manager, select Services.
Click the RealAudio tab.
The RealPlayer window displays.
To access the StreamWorks proxy configuration:
From within the Gauntlet Firewall Manager, select Services.
Click the StreamWorks tab.
The StreamWorks window displays.
To access the VDOLive proxy configuration:
From within the Gauntlet Firewall Manager, select Services.
Click the VDOLive tab.
The VDOLive window displays.
Configuring the Gauntlet Firewall involves planning, configuring the proxies to enforce company security policy, and enabling the proxy.
When planning the Firewall for multimedia services:
Determine which of the multimedia services you wish to allow.
Determine whether access controls will be applied to specific inside hosts or subnets. If so, obtain the hostname or IP address of each allowed or restricted client and plan to create service groups and rules for them. Alternatively, you can allow unrestricted access from the inside network.
Determine whether access controls will be applied to external servers, limiting which outside sources users may reach. If so, obtain the hostname or IP address of each server and plan to create destination access rules that deny those sites. Alternatively, you can allow unrestricted access to external servers.
Determine if you need to use non-default ports on the firewall for handling requests.
Determine how many users of each proxy service are allowed to go through the firewall at the same time.
Configure the multimedia proxies to enforce company security policies.
Each multimedia proxy tab accepts optional configuration settings for that proxy. Refer to the online help for specific information about the available settings.
Even though the multimedia proxy services understand several different protocols, you do not need to enable all of them. For example, you can enable the RealPlayer proxy, and leave the NetShow and VDOLive proxies disabled.
To enable the proxy service:
In the appropriate multimedia configuration tab, click Enabled.
Add the proxy to each service group whose members should be allowed to use it.
Before exiting the Gauntlet Firewall Manager, save and apply your changes.
The firewall enables the proxy.
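The access decision described earlier in this chapter (source and destination host or address, service port, refusal of connections from outside hosts and to inside servers, logging of every attempt and of the data transferred) and the planning choices above (which services are enabled, which client hosts, which external sites are denied, non-default ports, concurrent-user limits) as one runnable model. This is an added illustration and not Gauntlet code: the class and field names, the 10.1.0.0/16 inside network, the client and server names and the sample policy are all constructed for the example.

```python
# Model of the multimedia proxy access decision described in this chapter.
# Added illustration with hypothetical names and constructed data; not Gauntlet code.
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Default proxy listening ports named in the chapter.
DEFAULT_PORTS = {"netshow": 1755, "realplayer": 7070, "vdolive": 7000, "streamworks": 1558}

Request = namedtuple("Request", "service src_host src_ip dst_host dst_ip port")

@dataclass
class ServicePolicy:
    """Per-service settings the planning checklist asks for (hypothetical shape)."""
    enabled: bool = True
    port: int = 0                    # 0 = listen on the service's default port
    allowed_sources: tuple = ()      # inside hosts/subnets permitted; empty = any inside host
    denied_destinations: tuple = ()  # outside servers users may not reach
    max_users: int = 0               # concurrent connections allowed; 0 = unlimited

def _matches(host, ip, entries):
    """True if the host matches any hostname, address or CIDR entry in the rule."""
    addr = ip_address(ip)
    for entry in entries:
        try:
            if addr in ip_network(entry, strict=False):
                return True
        except ValueError:  # not an address or CIDR, so compare as a hostname
            if entry.lower() == host.lower():
                return True
    return False

class MultimediaProxy:
    def __init__(self, policies, inside_networks):
        self.policies = policies
        self.inside = [ip_network(n) for n in inside_networks]
        self.active = defaultdict(int)  # concurrent users per service
        self.log = []                   # every attempt, permitted or refused

    def _is_inside(self, ip):
        return any(ip_address(ip) in net for net in self.inside)

    def decide(self, req):
        """Apply the rules in order and return (permit, reason)."""
        policy = self.policies.get(req.service)
        if policy is None or not policy.enabled:
            return False, "service not enabled"
        if req.port != (policy.port or DEFAULT_PORTS[req.service]):
            return False, "no proxy on port %d" % req.port
        if not self._is_inside(req.src_ip):
            return False, "outside source"      # outside hosts cannot connect inward
        if self._is_inside(req.dst_ip):
            return False, "inside destination"  # the proxies cannot reach inside servers
        if policy.allowed_sources and not _matches(req.src_host, req.src_ip, policy.allowed_sources):
            return False, "source not in service group"
        if _matches(req.dst_host, req.dst_ip, policy.denied_destinations):
            return False, "destination denied"
        if policy.max_users and self.active[req.service] >= policy.max_users:
            return False, "user limit reached"
        return True, "permit"

    def connect(self, req):
        """Log the attempt whether or not it is permitted, then admit it if it is."""
        permit, reason = self.decide(req)
        self.log.append({"event": "permit" if permit else "deny", "service": req.service,
                         "src": req.src_ip, "dst": req.dst_ip, "reason": reason})
        if permit:
            self.active[req.service] += 1
        return permit

    def disconnect(self, req, bytes_in, bytes_out):
        """Record the data volume when either side closes the session."""
        self.active[req.service] = max(0, self.active[req.service] - 1)
        self.log.append({"event": "close", "service": req.service, "src": req.src_ip,
                         "dst": req.dst_ip, "bytes_in": bytes_in, "bytes_out": bytes_out})

def denied_by_source(log):
    """Count refused attempts per client, the first thing a log reviewer looks for."""
    counts = defaultdict(int)
    for rec in log:
        if rec["event"] == "deny":
            counts[rec["src"]] += 1
    return dict(counts)

def build_example_proxy():
    """Constructed policy: inside net 10.1.0.0/16; RealPlayer limited to 10.1.5.0/24 clients
    and two concurrent users, one outside site denied; VDOLive open; NetShow disabled."""
    policies = {"realplayer": ServicePolicy(allowed_sources=("10.1.5.0/24",),
                                            denied_destinations=("audio.blocked.example",),
                                            max_users=2),
                "vdolive": ServicePolicy(), "netshow": ServicePolicy(enabled=False)}
    return MultimediaProxy(policies, ["10.1.0.0/16"])

if __name__ == "__main__":
    proxy = build_example_proxy()
    ok = Request("realplayer", "pc1.inside.example", "10.1.5.20", "ra.example.net", "198.51.100.7", 7070)
    proxy.connect(ok)
    proxy.disconnect(ok, bytes_in=1_200_000, bytes_out=4_100)
    proxy.connect(ok._replace(src_host="pc9.inside.example", src_ip="10.1.9.4"))
    print(denied_by_source(proxy.log), proxy.log, sep="\n")
```

The rule order matters: the service and port checks come first because a disabled proxy or a request to the wrong port never reaches the access rules, and the two inside/outside checks come before the per-service rules because no configuration can override them. Running the script shows one permitted session with its byte counts and one refusal from a client outside the allowed subnet, which is what the proxy's own log would let you review.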
Most users and most sites do not need to change the way they access NetShow files after installing the proxy.
If the firewall uses transparency (the default configuration), you do not need to change the way you access NetShow files. As you did before, simply access the site and listen to audio files and view video files.
If the firewall does not use transparency, you can still access NetShow files. The NetShow player does not support NetShow proxies, but it does support HTTP proxies, so without transparency you retrieve NetShow files through the firewall's HTTP proxy instead.
To configure the NetShow player:
From within the NetShow player, select File.
Select Properties.
Select the Advanced tab.
The Advanced tab displays.
Enter information about the HTTP proxy:
Click OK.
Most users and most sites do not need to change the way they access RealPlayer files after installing the proxy.
If you are using transparency on the firewall (the default configuration) and you have installed the RealPlayer proxy on the default player port (TCP port 7070), you do not need to change the way you access RealPlayer (RealAudio and RealVideo) files. As you did before, simply access the site and listen to audio files and view video files.
If you are not using transparency, you need to configure RealPlayer to know about the proxy.
From within the RealPlayer, click View.
Select Preferences.
Click Proxy.
The Proxy tab displays.
Check the Use Proxy box.
Enter information about the RealPlayer proxy.
RealPlayer Proxy | Host name or IP address of the inside interface of the firewall. |
Port | Port number on which the proxy is running. This is usually 7070. |
Click OK.
The StreamWorks proxy does not support transparency; therefore, you need to configure the StreamWorks player to know about the proxy.
To configure the StreamWorks player:
Select Network.
The StreamWorks Player Network Settings window displays.
Check Use Proxy (Application) Firewall.
Enter information about the StreamWorks proxy:
Proxy Host | Host name or IP address of the inside interface of the firewall. |
Port | Port number on which the proxy is running. This is generally 1558. |
Click OK.
Now, when you point your Web browser or StreamWorks player at a StreamWorks file, it will use the proxy.
Most users and most sites do not need to change the way they access VDOLive files after installing the proxy.
If you are using transparency on the firewall (the default configuration) and you have installed the VDOLive proxy on the default player port (TCP port 7000), you do not need to change the way you access VDOLive files. Access and use the VDOLive files as you did before.
If you are not using transparency, you need to configure the VDOLive player to know about the proxy.
To configure the VDOLive player:
From within the player, click Setup.
Click Settings.
The Setup tab displays.
Check Use Proxy Firewall.
Enter information about the VDOLive proxy:
Proxy Server Port | Port number on which the proxy is running; usually 7000. |
Proxy Server Address | Host name or IP address of the inside interface of the firewall. |
Click OK.