
Network setup and firewall considerations

Technical planner: TP-01


© 2010 Sonic Foundry, Inc. All rights reserved. No part of this document may be copied and/or
redistributed without the consent of Sonic Foundry, Inc. Additional copies may be obtained by
contacting Sonic Foundry. Sonic Foundry, the Sonic Foundry logo, Mediasite, and the Mediasite
logo are registered trademarks of Sonic Foundry, Inc. All other trademarks are the property of
their respective owners.

Sonic Foundry, Inc.
222 W. Washington Avenue
Madison WI 53703
877-783-7987 toll free from the US and Canada
608-443-1600

Sonic Foundry. Since 1991.

For more information, please contact mediasite@sonicfoundry.com

Revision: 5.3, January 2010

Sonic Foundry, Inc. Page 2 of 12


Table of contents
Overview ....................................................................................................................................................... 4
DNS setup .............................................................................................................................................. 4
Example ........................................................................................................................................... 5
Firewall setup................................................................................................................................................ 5
Media Server Control Service ..................................................................................................................... 8
Common server deployment scenarios ..................................................................................................... 9
Common Recorder deployment scenarios .............................................................................................. 10
Live broadcast is not required ........................................................................................................... 10
Assumptions ................................................................................................................................. 10
Operation ...................................................................................................................................... 11
Live broadcast is required and a secure communication channel is available ........................... 11
Assumptions ................................................................................................................................. 11
Operation ...................................................................................................................................... 11
Live broadcast is required and a secure communication channel is not available .................... 12
Assumptions ................................................................................................................................. 12
Operation ...................................................................................................................................... 12



Overview
The default Mediasite installation can have up to six discrete network components, including
web, streaming media, database, and directory servers, a Mediasite Recorder, and the end-user
machines used for presentation playback.
While it is possible to combine all servers on one machine, thus simplifying network and
firewall setup, doing so will cause performance issues.
You must configure firewalls between these individual network components to allow traffic to
flow so that Mediasite may function properly. In addition, DNS entries that provide name
resolution to the Mediasite Server and media server must exist. Network address translation
(NAT) is fully supported in Mediasite if the required entries are created on the public and private
DNS servers providing split DNS resolution.
This document discusses the most common issues when installing and running Mediasite in an
existing network and describes how to configure the primary network components when using
the Mediasite system for live broadcasting, publishing recorded presentations, and viewing live
and on-demand presentations. The intended audience for this document is the network
administrator responsible for deploying Mediasite in networks with firewalls and NAT.

Roles involved in a Mediasite deployment (from the figure on this page):

Mediasite Administrator
• Works with directory administrator to add external directories
• Adds relevant roles to Mediasite from external directories
• Manages users and groups in Mediasite directory
• Adds roles for users in Mediasite directory
• Sets up system policies
• Sets up access control for root folder
• Sets up access control for operations
• Sets up access control for Management Portal access
• Manages access to system resources, streaming profiles, server groups, viewers, and recorders
• Manages access to presentations, folders, presentation templates, schedules, and presenters
• Works with IT Administrators to set up content servers for media streaming and slides, and to set up
Mediasite data location for viewer and catalog graphics
• Specifies content servers for media streaming and slides using System Manager

Power Users
• Manage access to presentations, folders, presentation templates, schedules, and presenters they own
• Manage access to presentations, folders, presentation templates, schedules, and presenters that they
have write-access to

IT Administrator
• Works with Mediasite Administrator to set up streaming servers
• Works with Mediasite Administrator to set up permissions on network shares where slides, media and
Mediasite data is stored
• Sets up Server topology for Mediasite (e.g. High Availability)
• Sets up the database for Mediasite
• Sets up File Servers, FTP Server and Web Server for Mediasite

Directory Administrator
• Works with Mediasite Administrator to configure external directories

Network Administrator
• Works with Mediasite Administrator to configure firewall and network switches
• Works with Mediasite Administrator to set up Mediasite on the DMZ (De-militarized Zone)

DNS setup
The Domain Name Service (DNS) entries for the servers used by Mediasite must be properly
configured for Mediasite to operate successfully. The fully qualified domain name (FQDN) of the
web and media servers should be used when configuring the Mediasite Server software. These
FQDNs are used in the Mediasite application to specify the location of slide images and video
playlists to viewers.
When using Mediasite in a network that implements NAT to map internal private IP addresses to
publicly accessible addresses, the DNS names of the servers used by Mediasite should resolve to
the appropriate public or private IP address.

Example

Figure 1: Network with a firewall between the servers and the public internet
The Mediasite Server is assigned the private IP address 10.10.10.50, the media server is assigned
10.10.10.51, and the database server is assigned 10.10.10.52. A firewall between the servers and
the public Internet maps 10.10.10.50 and 10.10.10.51 to the public addresses 128.1.1.60 and
128.1.1.61, respectively. The DNS names chosen for the servers are mediasiteweb.example.com
and mediasitevideo.example.com. The Mediasite Server communicates with the database server
on the internal network so the database server does not need a public address.
The external viewer should resolve the names mediasiteweb.example.com to 128.1.1.60 and
mediasitevideo.example.com to 128.1.1.61. However, a viewer on the internal network should
resolve the names to 10.10.0.50 and 10.10.0.51, respectively.
The DNS administrator of the domain in question should be contacted to properly register the
DNS entries on the internal and external DNS servers for the Mediasite Server and the media
server.
In most networks using NAT, this setup will require a DNS server on the internal network. If an
internal DNS server does not exist, connection attempts from internal viewers to the public IP
addresses of the Mediasite Server and the media server should be tested. Often, this type of
traffic is not permitted due to anti-spoofing rules on firewalls.
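The split-DNS requirement above is easy to get subtly wrong (a private address published externally, or a public address handed to internal viewers). The following Python check is an added example, not part of this planner; it uses the Figure 1 addresses and names, and the database server's name is an assumption, since the planner does not name it.

```python
import ipaddress

# Constructed values taken from the Figure 1 example above; the database
# server's name is an assumption (the planner does not name it).
NAT_MAP = {"10.10.10.50": "128.1.1.60", "10.10.10.51": "128.1.1.61"}
PRIVATE_ADDR = {
    "mediasiteweb.example.com": "10.10.10.50",
    "mediasitevideo.example.com": "10.10.10.51",
    "mediasitedb.example.com": "10.10.10.52",   # no NAT mapping: internal only
}

def expected_answer(name, view):
    """Address a resolver in `view` ('internal' or 'external') should return
    for `name`, or None when the name must not resolve in that view."""
    private = PRIVATE_ADDR[name]
    if view == "internal":
        return private
    return NAT_MAP.get(private)   # external clients only reach mapped hosts

def check_split_dns(observed):
    """observed maps (view, name) to the answer gathered from that view's
    resolver (None when the name did not resolve). Returns a list of problems;
    an empty list means the split-DNS setup matches the NAT mapping."""
    problems = []
    for name in PRIVATE_ADDR:
        for view in ("internal", "external"):
            want = expected_answer(name, view)
            got = observed.get((view, name))
            if got == want:
                continue
            if got is None:
                problems.append(f"{view}: {name} does not resolve, expected {want}")
            elif view == "external" and ipaddress.ip_address(got).is_private:
                problems.append(f"{view}: {name} leaks private address {got}; "
                                "external viewers cannot reach it")
            elif view == "internal" and got == NAT_MAP.get(PRIVATE_ADDR[name]):
                problems.append(f"{view}: {name} resolves to public {got}; internal "
                                "viewers would hairpin through the firewall, which "
                                "anti-spoofing rules often block")
            else:
                problems.append(f"{view}: {name} resolves to {got}, expected {want}")
    return problems

# Constructed answers as an internal and an external resolver might return them.
SAMPLE_OBSERVED = {
    ("internal", "mediasiteweb.example.com"): "10.10.10.50",
    ("internal", "mediasitevideo.example.com"): "128.1.1.61",   # wrong: public in internal view
    ("internal", "mediasitedb.example.com"): "10.10.10.52",
    ("external", "mediasiteweb.example.com"): "128.1.1.60",
    ("external", "mediasitevideo.example.com"): "128.1.1.61",
    ("external", "mediasitedb.example.com"): "10.10.10.52",     # wrong: private address published
}

if __name__ == "__main__":
    for line in check_split_dns(SAMPLE_OBSERVED):
        print(line)
```

In practice the `observed` dictionary is filled from lookups run once against the internal resolver and once against the external one.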

Firewall setup
Several ports must be opened on the firewalls that control traffic between the components of a
Mediasite system. The following table outlines the ports that are used by Mediasite and the
purpose of each. Depending on the intended use of Mediasite in a specific network, some entries
may not be necessary or may be modified to further restrict the source and destination. It is
possible to change all the port numbers to non-standard ports by modifying settings in the
Mediasite applications, IIS servers, and Windows Media Server.

Source | Destination | Application protocol | Protocol and port | Purpose
Mediasite Server | Database Server | - | TCP 3306 or 1433 (In/Out) | Database connection for MySQL server (3306) or SQL Server (1433)
Mediasite Server | Directory Server | LDAP or LDAP over SSL | TCP 389 or 636 (In/Out) | LDAP (389) or LDAP over SSL (636) for access to Active Directory or an LDAP directory
Mediasite Server | Active Directory (Global Catalog) | GC or GC over SSL | TCP 3268 or 3269 (In/Out) | Global Catalog LDAP (3268) or Global Catalog LDAP over SSL (3269) for access to an Active Directory set up as a Global Catalog
Recorder | Mediasite Server | HTTPS | TCP 443 (In/Out) | Web service connections to broadcast live/publish on-demand presentations
Recorder | Media and Mediasite Server | FTP or SFTP | TCP 21 or 22 | Passive FTP (21) or SFTP (22) to upload slide images and on-demand media files
Mediasite Server | Media Server | HTTP | TCP 8092 (In/Out) | Web service connection for creating publishing points with pull distribution
Recorder | Media Server | HTTP | TCP 80 (Out) | Media streaming when performing a live broadcast with push distribution
Media Server | Recorder | HTTP | TCP 8080 (In) | Media streaming when performing a live broadcast with pull distribution
Media Server | Mediasite Server | HTTPS | TCP 443 (In/Out) | Web service connections to update media logs and verify playback ticket
Players | Mediasite Server | HTTP | TCP 80 (In/Out) | Watching presentation playback, browsing a catalog and managing presentations and the Mediasite System
Players | Media Server | MMS | TCP 1755 (In/Out) | Deliver media stream using MMS over TCP and accept incoming client connections
Players | Media Server | MMS | UDP 1755 (In/Out) | Receive packet loss information and synchronization information using MMS over UDP
Players | Media Server | MMS | UDP 1024-5000 (Out) | Deliver media stream using MMS over UDP
Players | Media Server | HTTP | TCP 80 (In/Out) | Deliver media stream using HTTP over TCP and accept incoming client connections
Players | Media Server | RTSP | TCP 554 (In/Out) | Deliver media stream using RTSP over TCP and accept incoming RTSP connections
Players | Media Server | RTSP | UDP 5004 (Out) | Deliver media stream using RTSP over UDP
Players | Media Server | RTSP | UDP 5005 (In/Out) | Receive packet loss information and synchronization information using RTSP over UDP
System Manager | Database Server | - | TCP 3306 or 1433 (In/Out) | Database connection for MySQL server (3306) or SQL Server (1433)
System Manager | Mediasite Server | HTTPS | TCP 443 (In/Out) | Web service connections to log in and obtain database connection settings
System Manager | Media and Mediasite Server | FTP or SFTP | TCP 21 or 22 | Passive FTP (21) or SFTP (22) to upload slide images and on-demand media files, presentation import and export
System Manager | Directory Server | LDAP or LDAP over SSL | TCP 389 or 636 (In/Out) | LDAP (389) or LDAP over SSL (636) for access to Active Directory or an LDAP directory
System Manager | Active Directory (Global Catalog) | GC or GC over SSL | TCP 3268 or 3269 (In/Out) | Global Catalog LDAP (3268) or Global Catalog LDAP over SSL (3269) for access to an Active Directory set up as a Global Catalog
Management Portal | Recorder | HTTP | TCP 8093 (In/Out) | Web service connection for Recorder control service
Management Portal | Recorder | HTTP | TCP 8090 (In/Out) | Web interface connection for Recorder
Podcast | Mediasite Server | HTTPS | TCP 443 (In/Out) | Web service connection to access on-demand presentations
Podcast | Media Server | FTP or SFTP | TCP 21 or 22 | Passive FTP (21) or SFTP (22) to get on-demand media files for processing
Podcast | Mediasite Server | FTP or SFTP | TCP 21 or 22 | Passive FTP (21) or SFTP (22) to post mp3 files
Publish to go | Mediasite Server | HTTPS | TCP 443 (In/Out) | Web service connection to access on-demand presentations to be published as portable presentations
Publish to go | Mediasite Server | FTP or SFTP | TCP 21 or 22 | Passive FTP (21) or SFTP (22) to get standalone player packages and slides as well as post updated publish to go packages
Publish to go | Media Server | FTP or SFTP | TCP 21 or 22 | Passive FTP (21) or SFTP (22) to get on-demand media files
Editor | Mediasite Server | HTTPS | TCP 443 (In/Out) | Web service connection to access on-demand presentations for editing
Editor | Mediasite Server | FTP or SFTP | TCP 21 or 22 | Passive FTP (21) or SFTP (22) to get and update slides
Editor | Media Server | FTP or SFTP | TCP 21 or 22 | Passive FTP (21) or SFTP (22) to get and update media files
Login Form | Mediasite Server | HTTPS | TCP 443 (In/Out) | Log into Mediasite Server using login credentials

Table 1: Ports used by Mediasite
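Only the Table 1 rows that cross a firewall boundary, and that match how the deployment streams, need rules. The following Python is an added example, not part of this planner or the Mediasite product: it encodes a subset of Table 1 and derives the rules for one boundary of a constructed zone layout. The zone names, the component placement and the pull/push flag are this example's assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port purpose needs")
# Subset of Table 1 (constructed encoding of the rows above); `needs` is the
# distribution mode a row only applies to, or None when it always applies.
FLOWS = [
    Flow("Mediasite Server", "Database Server", "TCP", "1433", "SQL Server connection", None),
    Flow("Mediasite Server", "Directory Server", "TCP", "636", "LDAP over SSL", None),
    Flow("Recorder", "Mediasite Server", "TCP", "443", "Web services: broadcast live / publish", None),
    Flow("Recorder", "Mediasite Server", "TCP", "22", "SFTP slide and media upload", None),
    Flow("Recorder", "Media Server", "TCP", "22", "SFTP media upload", None),
    Flow("Mediasite Server", "Media Server", "TCP", "8092", "Create publishing point (pull)", "pull"),
    Flow("Recorder", "Media Server", "TCP", "80", "Push live stream to media server", "push"),
    Flow("Media Server", "Recorder", "TCP", "8080", "Pull live stream from Recorder", "pull"),
    Flow("Media Server", "Mediasite Server", "TCP", "443", "Media logs / playback ticket check", None),
    Flow("Players", "Mediasite Server", "TCP", "80", "Playback, catalog, management", None),
    Flow("Players", "Media Server", "TCP", "1755", "MMS over TCP", None),
    Flow("Players", "Media Server", "TCP", "554", "RTSP over TCP", None),
]

def boundary_rules(zones, distribution, src_zone, dst_zone):
    """Return the Table 1 rows that must be opened on the firewall from
    src_zone towards dst_zone for the given distribution mode ('pull'/'push').
    Rows whose endpoints sit in other zones, or that belong to the other
    distribution mode, are left out so the rule set stays minimal."""
    return [
        f for f in FLOWS
        if zones[f.src] == src_zone and zones[f.dst] == dst_zone
        and f.needs in (None, distribution)
    ]

def rule_lines(rules):
    """Render rules as 'src -> dst proto/port  purpose' for a change request."""
    return [f"{r.src} -> {r.dst} {r.proto}/{r.port}  {r.purpose}" for r in rules]

# Constructed zone layout: Mediasite and media servers in the DMZ, database and
# directory servers inside, the Mobile Recorder at a venue reached over the
# Internet, and viewers on the Internet.
ZONES = {
    "Mediasite Server": "dmz", "Media Server": "dmz",
    "Database Server": "internal", "Directory Server": "internal",
    "Recorder": "internet", "Players": "internet",
}

if __name__ == "__main__":
    for mode in ("pull", "push"):
        print(f"--- {mode} distribution, internet -> dmz")
        print("\n".join(rule_lines(boundary_rules(ZONES, mode, "internet", "dmz"))))
        print(f"--- {mode} distribution, dmz -> internet")
        print("\n".join(rule_lines(boundary_rules(ZONES, mode, "dmz", "internet"))))
```

With push distribution nothing needs to be opened from the DMZ back out to the Recorder, which is the practical reason the planner recommends it when the Recorder has no public address.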

Media Server Control Service


To stream a live broadcast, the media server must be able to receive a live video stream from the
Recorder and redistribute the stream. When a live presentation is started in “Pull distribution”
mode, the Recorder requests the Mediasite Server to create a publishing point. The web service
installed as part of the Mediasite Server forwards this request to the Media Server Control Service
running on the media server. By default, this is accomplished through a web service connection
from the Recorder to the Mediasite Server on TCP port 80 and a web service connection from the
Mediasite Server to the media server on TCP port 8090. The publishing point on the media server
establishes a connection with the Recorder on port 8080 to obtain the live stream.
This two-way communication requires that both the Recorder and the media server can reach
each other. If these components connect over the Internet, then each component must have a
public IP address. The web service on the Mediasite Server automatically detects the public IP
address of a Recorder that is behind a NAT device when the Recorder registers with the
Mediasite Server.
However, if needed, the IP address used to connect to the Recorder can be set manually. The
address must be set manually when the Mediasite Server and Recorder are on the same network
using NAT while the media server is on a different network. Otherwise, the media server will fail
to connect to the stream because the Mediasite Server will register the Recorder’s private IP
address. The IP address used to register a live publishing point is set from the Recorder
application’s toolbar under Tools > Options > Broadcast.
Windows 2003 Server and Windows 2008 Server support “Pull distribution” as described above
as well as “Push distribution” to get the encoder stream to the media server. When “Push
distribution” is used, it is not necessary for the Recorder to have a public IP address or to use the
Media Server Control Service because a connection is made directly from the Recorder to the
media server.

Common server deployment scenarios


A Mediasite Server installation comprises the following software components that can be
installed on one or more physical machines:
• Web Server
• FTP Server
• Media Server
• Database Server
• Directory Service
• Mediasite Server Software

You must add firewall rules to allow communication between components, depending on where
each physical machine is placed in the network and the ports on which the software components
are configured to listen.
The standard setup has the Mediasite Server, database server, and media server running on
separate physical servers. The Mediasite directory shipped with the Mediasite Server resides on
the same physical server as the Mediasite Server. However, an organization-wide directory
service such as Active Directory or an LDAP-based directory is set up to run on a separate physical
server. The appropriate firewall rules must be added to allow communication between the
external audience and the servers as specified in “Firewall setup” on page 5.

Figure 2: The standard setup of the Mediasite system in a network

Common Recorder deployment scenarios


The Mediasite system has a distinct server side and a distinct recorder side. The Mediasite
Recorder is used to record rich media presentations. The Recorder comes in two form factors – a
Mobile Unit and a Rack Mount Unit. The Rack Mount Unit is well-suited for a room-based
system and is placed in a fixed location. This location is often within the same local area network
as the servers used by Mediasite. Conversely, the Mobile Unit is the best choice for a
transportable system that can be taken to different locations to record rich media presentations.
There are a limited number of risks when using the mobile Mediasite Recorder on a public or
untrusted network. While all database communication with the Mediasite Server is encrypted by
the underlying web service, FTP transfers are inherently sent in plain text. This introduces the
possibility of a third party intercepting the FTP traffic between the Recorder and the servers and
obtaining the username and password used for transferring slides and video files.
There are several methods that can be used to record presentations depending on the type of
broadcast and the level of security required:
1. Live Broadcast is not required.
2. Live Broadcast is required and a Secure Communication Channel is available.
3. Live Broadcast is required and a Secure Communication Channel is not available.

Live broadcast is not required


This is the most secure solution. In this scenario, a presentation does not need to be aired live
while it is being recorded. The presentation will be published on the Mediasite Server for on-
demand playback at a later time.

Assumptions
• No network connection is needed at the venue of the recording.
• The presentation is not aired live.


Operation
1. Record a presentation with the Mobile Unit at the venue.
2. Once finished, connect the Mobile Unit back to the local area network where the Mediasite
Server is installed.
3. Create a presentation on the Mediasite Server to use for this recording.
4. Open the Recorded Presentation Manager on the Mobile Unit.
5. Select the recorded presentation and select File > Publish To Server.
6. Select the presentation created in step 3 and upload the locally recorded presentation to the
Mediasite Server.

Live broadcast is required and a secure communication channel is available


This scenario is very similar to a Mediasite presentation being recorded and aired live within a
local area network (LAN). However, a VPN tunnel must be established between the Mobile
Recorder and the servers used by Mediasite. In this setup, all communication between the
Recorder and the servers is encrypted using a third party VPN solution.

Figure 3: Mobile Recorder communicating with servers through a firewall via a VPN tunnel

Assumptions
• A network connection with high speed Internet access is available at the venue of the
recording.
• The presentation is aired live as it is being recorded.
• The Mobile Unit has a public IP address and TCP port 8080 is accessible from the media
server if using pull distribution.
• The Mobile Unit authenticates itself with the network where the Mediasite Server resides.
This authentication is possible through a secure channel running over an Internet connection.
A good example is a VPN connection set up between the Mobile Unit and the network where
the Mediasite Server resides.

Operation
1. Prepare a new presentation on the Mediasite Server.
2. If the Recorder is behind a NAT device, manually set the broadcast IP address to the assigned
public IP address, if needed, from the Recorder application’s toolbar under Tools > Options >
Broadcast.


3. Select “Open Scheduled Presentation” for the new presentation on the Mobile Unit.
4. Begin recording the presentation.
5. Stream the presentation to the media server for airing live.
6. Publish the presentation after the live broadcast if the presentation will be accessed for on-
demand viewing. Whether a presentation is automatically uploaded (auto-published) for on-
demand viewing or not can be configured when the presentation is prepared.

Live broadcast is required and a secure communication channel is not available


This scenario requires the use of the public Internet for the Recorder to communicate with the
servers used by Mediasite when a VPN tunnel is not available. In this setup, database
communication between the Recorder and the servers is encrypted using web service security,
but FTP traffic is transmitted in plain text.

Assumptions
• A network connection with high speed Internet access is available at the venue of the
recording.
• The servers used by Mediasite are accessible from the public Internet.
• The presentation is aired live as it is being recorded.
• The Mobile Unit has a public IP address and TCP port 8080 is accessible from the media
server if using pull distribution.

Operation
1. Prepare a new presentation on the Mediasite Server.
2. If the Recorder is behind a NAT device, manually set the broadcast IP address to the assigned
public IP address, if needed, from the Recorder application’s toolbar under Tools > Options >
Broadcast.
3. Select “Open Scheduled Presentation” for the new presentation on the Mobile Unit.
4. Begin recording the presentation.
5. Stream the presentation to the media server for airing live.
6. Publish the presentation after the live broadcast if the presentation will be accessed for on-
demand viewing. Whether a presentation is automatically uploaded (auto-published) for on-
demand viewing or not can be configured when the presentation is prepared.
