and firewall considerations
Network Administrator
• Works with Mediasite Administrator to configure firewall and network switches
• Works with Mediasite Administrator to set up Mediasite on the DMZ (De-militarized Zone)
Directory Administrator
• Works with Mediasite Administrator to configure external directories
DNS setup
The Domain Name Service (DNS) entries for the servers used by Mediasite must be properly
configured for Mediasite to operate successfully. The fully qualified domain name (FQDN) of the
web and media servers should be used when configuring the Mediasite Server software. These
FQDNs are used in the Mediasite application to specify the location of slide images and video
playlists to viewers.
When using Mediasite in a network that implements NAT to map internal private IP addresses to
publicly accessible addresses, the DNS names of the servers used by Mediasite should resolve to
the appropriate public or private IP address.
Example
Figure 1: Network with a firewall between the servers and the public internet
The Mediasite Server is assigned the private IP address 10.10.10.50, the media server is assigned
10.10.10.51, and the database server is assigned 10.10.10.52. A firewall between the servers and
the public Internet maps 10.10.10.50 and 10.10.10.51 to the public addresses 128.1.1.60 and
128.1.1.61, respectively. The DNS names chosen for the servers are mediasiteweb.example.com
and mediasitevideo.example.com. The Mediasite Server communicates with the database server
on the internal network so the database server does not need a public address.
An external viewer should resolve the name mediasiteweb.example.com to 128.1.1.60 and
mediasitevideo.example.com to 128.1.1.61. However, a viewer on the internal network should
resolve the names to 10.10.10.50 and 10.10.10.51, respectively.
The DNS administrator of the domain in question should be contacted to properly register the
DNS entries on the internal and external DNS servers for the Mediasite Server and the media
server.
In most networks using NAT, this setup will require a DNS server on the internal network. If an
internal DNS server does not exist, connection attempts from internal viewers to the public IP
addresses of the Mediasite Server and the media server should be tested. Often, this type of
traffic is not permitted due to anti-spoofing rules on firewalls.
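The split-horizon arrangement described above is easy to get subtly wrong: a private address copied into the public zone, or a record for the database server (which has no NAT mapping) published externally. The following script is an added example, not part of the Mediasite guide; it checks a proposed internal and external zone against the NAT table from the Figure 1 example. The zone dictionaries, the hypothetical name mediasitedb.example.com for the database server and the function name check_views are assumptions made for this script, and the two mistakes in EXTERNAL_ZONE are constructed so the checker has something to report.

```python
"""Check a split-horizon DNS plan against a NAT table (added example, not from the guide)."""
import ipaddress

# NAT table from the guide's Figure 1 example: private address -> public address.
# The database server has no entry because it only talks to the Mediasite Server
# on the internal network and needs no public address.
NAT_TABLE = {
    "10.10.10.50": "128.1.1.60",   # Mediasite Server
    "10.10.10.51": "128.1.1.61",   # media server
}

# Hosts and their private addresses. The database server's name is hypothetical.
HOSTS = {
    "mediasiteweb.example.com": "10.10.10.50",
    "mediasitevideo.example.com": "10.10.10.51",
    "mediasitedb.example.com": "10.10.10.52",
}

# Proposed zone data for the two views (constructed). Internal viewers must get the
# private addresses directly; hairpinning through the firewall to the public address
# is often blocked by anti-spoofing rules, as the guide notes.
INTERNAL_ZONE = {
    "mediasiteweb.example.com": "10.10.10.50",
    "mediasitevideo.example.com": "10.10.10.51",
    "mediasitedb.example.com": "10.10.10.52",
}
# The external view carries two deliberate mistakes for the checker to find.
EXTERNAL_ZONE = {
    "mediasiteweb.example.com": "128.1.1.60",
    "mediasitevideo.example.com": "10.10.10.51",   # private address leaked into the public view
    "mediasitedb.example.com": "10.10.10.52",      # host with no NAT mapping should not be published
}


def check_views(hosts, internal_zone, external_zone, nat_table):
    """Return a list of (name, view, problem) findings; an empty list means the plan is consistent."""
    findings = []
    for name, private_ip in hosts.items():
        # Internal view: every host resolves to its private address.
        internal = internal_zone.get(name)
        if internal is None:
            findings.append((name, "internal", "missing record"))
        elif internal != private_ip:
            findings.append((name, "internal", f"resolves to {internal}, expected {private_ip}"))

        # External view: only NAT-mapped hosts appear, and only with their public address.
        external = external_zone.get(name)
        public_ip = nat_table.get(private_ip)
        if public_ip is None:
            if external is not None:
                findings.append((name, "external", "host has no NAT mapping and must not be published"))
            continue
        if external is None:
            findings.append((name, "external", "missing record"))
        elif ipaddress.ip_address(external).is_private:
            findings.append((name, "external", f"private address {external} exposed in public view"))
        elif external != public_ip:
            findings.append((name, "external", f"resolves to {external}, expected {public_ip}"))
    return findings


if __name__ == "__main__":
    for name, view, problem in check_views(HOSTS, INTERNAL_ZONE, EXTERNAL_ZONE, NAT_TABLE):
        print(f"{view:8} {name}: {problem}")
```

Run it against the real zone files by replacing the two dictionaries with records exported from the internal and external DNS servers; the check is purely local and needs no network access.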
Firewall setup
Several ports must be opened on the firewalls that control traffic between the components of a
Mediasite system. The following table outlines the ports that are used by Mediasite and the
purpose of each. Depending on the intended use of Mediasite in a specific network, some entries
may not be necessary or may be modified to further restrict the source and destination. It is
possible to change all the port numbers to non-standard ports by modifying settings in the
Mediasite applications, IIS servers, and Windows Media Server.
Mediasite Server to Directory Server: LDAP or LDAP over SSL, TCP 389 or 636 (In/Out). LDAP (389) or LDAP over SSL (636) for access to Active Directory or an LDAP directory.
Media Server to Recorder: HTTP, TCP 8080 (In). Media streaming when performing a live broadcast with pull distribution.
System Manager to Directory Server: LDAP or LDAP over SSL, TCP 389 or 636 (In/Out). LDAP (389) or LDAP over SSL (636) for access to Active Directory or an LDAP directory.
Login Form to Mediasite Server: HTTPS, TCP 443 (In/Out). Log into Mediasite Server using login credentials.
mode, the Recorder requests the Mediasite Server to create a publishing point. The web service
installed as part of the Mediasite Server forwards this request to the Media Server Control Service
running on the media server. By default, this is accomplished through a web service connection
from the Recorder to the Mediasite Server on TCP port 80 and a web service connection from the
Mediasite Server to the media server on TCP port 8090. The publishing point on the media server
establishes a connection with the Recorder on port 8080 to obtain the live stream.
This two-way communication requires that both the Recorder and the media server can reach
each other. If these components connect over the Internet, then each component must have a
public IP address. The web service on the Mediasite Server automatically detects the public IP
address of a Recorder that is behind a NAT device when the Recorder registers with the
Mediasite Server.
However, if needed, the IP address used to connect to the Recorder can be set manually. The
address must be set manually when the Mediasite Server and Recorder are on the same network
using NAT while the media server is on a different network. Otherwise, the media server will fail
to connect to the stream because the Mediasite Server will register the Recorder’s private IP
address. The IP address used to register a live publishing point is set from the Recorder
application’s toolbar under Tools > Options > Broadcast.
Windows 2003 Server and Windows 2008 Server support “Pull distribution” as described above
as well as “Push distribution” to get the encoder stream to the media server. When “Push
distribution” is used, it is not necessary for the Recorder to have a public IP address or to use the
Media Server Control Service because a connection is made directly from the Recorder to the
media server.
You must add firewall rules to allow communication between components depending on where
each physical machine is placed in the network and the ports on which the software components
are configured to listen.
The standard setup has the Mediasite Server, database server, and the media server running on
separate physical servers. The Mediasite directory shipped with the Mediasite Server resides on
the same physical server as the Mediasite Server. However, an organization-wide directory
service like Active Directory or an LDAP-based directory is set up to run on a separate physical
server. The appropriate firewall rules must be added to allow communication between the
external audience and the servers as specified in “Firewall setup” on page 5.
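The pull-distribution flow and the rule about component placement above can be turned into a small planning tool: list the default connections, mark where each component sits, and keep only the rules that actually cross a firewall, so the allow list stays minimal. The script below is an added example, not part of the Mediasite guide. The port numbers (80, 8090, 8080, 443, 636) are the defaults quoted in the guide; the zone labels, the rule format, the sample addresses and the function names required_rules, destinations_missing_public_ip and recorder_needs_manual_ip are assumptions made for this script. It also encodes the two caveats from the text: a component reached across the Internet needs a public address, and the Recorder's broadcast address must be set manually when the Recorder and Mediasite Server share a NATed network while the media server does not.

```python
"""Derive least-privilege firewall rules for Mediasite pull distribution (added example, not from the guide)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # initiating component
    dst: str        # receiving component
    port: int       # TCP port the destination listens on
    purpose: str


# Default connections for a live broadcast with pull distribution, as described in the guide.
PULL_DISTRIBUTION_FLOWS = [
    ("Recorder", "Mediasite Server", 80, "web service request to create a publishing point"),
    ("Mediasite Server", "Media Server", 8090, "forward request to the Media Server Control Service"),
    ("Media Server", "Recorder", 8080, "publishing point pulls the live stream"),
    ("Viewer", "Mediasite Server", 443, "HTTPS login"),
    ("Mediasite Server", "Directory Server", 636, "LDAP over SSL"),
]


def required_rules(flows, placement):
    """Keep only flows whose endpoints sit in different zones; same-zone traffic crosses no firewall.
    placement maps component name -> zone label (assumed labels such as 'venue', 'campus', 'internet')."""
    return [Rule(src, dst, port, purpose)
            for src, dst, port, purpose in flows
            if placement[src] != placement[dst]]


def destinations_missing_public_ip(rules, public_ips):
    """Assuming different zones connect over the public Internet, every rule's destination
    needs a public address. Return the sorted names of destinations that lack one."""
    return sorted({rule.dst for rule in rules if rule.dst not in public_ips})


def recorder_needs_manual_ip(recorder_ip, mediasite_ip, media_server_ip, site_network):
    """True when Recorder and Mediasite Server share the NATed site network but the media server
    does not: the server would register the Recorder's private address, which the media server
    cannot reach, so the broadcast IP must be set by hand (Tools > Options > Broadcast)."""
    site = ipaddress.ip_network(site_network)
    return (ipaddress.ip_address(recorder_ip) in site
            and ipaddress.ip_address(mediasite_ip) in site
            and ipaddress.ip_address(media_server_ip) not in site)


if __name__ == "__main__":
    # Constructed placement: a Recorder at a remote venue, servers on campus, viewers on the Internet.
    placement = {"Recorder": "venue", "Mediasite Server": "campus", "Media Server": "campus",
                 "Viewer": "internet", "Directory Server": "campus"}
    rules = required_rules(PULL_DISTRIBUTION_FLOWS, placement)
    for rule in rules:
        print(f"allow {rule.src} -> {rule.dst} TCP/{rule.port}  # {rule.purpose}")
    print("needs a public address:", destinations_missing_public_ip(rules, {"Mediasite Server"}))
    # Constructed addresses: 10.10.10.0/24 is the NATed site, 203.0.113.8 a media server elsewhere.
    print("manual broadcast IP required:",
          recorder_needs_manual_ip("10.10.10.20", "10.10.10.50", "203.0.113.8", "10.10.10.0/24"))
```

With the sample placement, the three cross-zone rules are Recorder to Mediasite Server on 80, Media Server to Recorder on 8080 and Viewer to Mediasite Server on 443; the 8090 and 636 connections stay inside the campus zone and need no firewall rule. The missing-public-address check singles out the Recorder, which matches the guide's requirement that a remote Recorder using pull distribution has a public address with TCP 8080 reachable from the media server.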
Assumptions
No network connection is needed at the venue of the recording.
The presentation is not aired live.
Operation
1. Record a presentation with the Mobile Unit at the venue.
2. Once finished, connect the Mobile Unit back to the local area network where the Mediasite
Server is installed.
3. Create a presentation on the Mediasite Server to use for this recording.
4. Open the Recorded Presentation Manager on the Mobile Unit.
5. Select the recorded presentation and select File > Publish To Server.
6. Select the presentation created in step 3 and upload the locally recorded presentation to the
Mediasite Server.
Figure 3: Mobile Recorder communicating with servers through a firewall via a VPN tunnel
Assumptions
A network connection with high speed Internet access is available at the venue of the
recording.
The presentation is aired live as it is being recorded.
The Mobile Unit has a public IP address and the TCP port 8080 is accessible from the media
server if using pull distribution.
The Mobile Unit authenticates itself with the network where the Mediasite Server resides.
This authentication is possible through a secure channel running over an Internet connection.
A good example is a VPN connection setup between the Mobile Unit and the network where
the Mediasite Server resides.
Operation
1. Prepare a new presentation on the Mediasite Server.
2. If the Recorder is behind a NAT device, manually set the broadcast IP address to the assigned
public IP address, if needed, from the Recorder application’s toolbar under Tools > Options >
Broadcast.
3. Select “Open Scheduled Presentation” for the new presentation on the Mobile Unit.
4. Begin recording the presentation.
5. Stream the presentation to the media server for airing live.
6. Publish the presentation after the live broadcast if the presentation will be accessed for
on-demand viewing. Whether a presentation is automatically uploaded (auto-published) for
on-demand viewing or not can be configured when the presentation is prepared.
Assumptions
A network connection with high speed Internet access is available at the venue of the
recording.
The servers used by Mediasite are accessible from the public Internet.
The presentation is aired live as it is being recorded.
The Mobile Unit has a public IP address and the TCP port 8080 is accessible from the media
server if using pull distribution.
Operation
1. Prepare a new presentation on the Mediasite Server.
2. If the Recorder is behind a NAT device, manually set the broadcast IP address to the assigned
public IP address, if needed, from the Recorder application’s toolbar under Tools > Options >
Broadcast.
3. Select “Open Scheduled Presentation” for the new presentation on the Mobile Unit.
4. Begin recording the presentation.
5. Stream the presentation to the media server for airing live.
6. Publish the presentation after the live broadcast if the presentation will be accessed for
on-demand viewing. Whether a presentation is automatically uploaded (auto-published) for
on-demand viewing or not can be configured when the presentation is prepared.