Collaborative Services vs. Network Address Translation

What do you need to know if you intend to provide collaborative services?

The CollabWorx collaborative framework is by far the most tolerant collaboration system when it comes to dealing with firewalls and private networks. Still, there are certain minimal requirements that a site's networking infrastructure must fulfill in order to provide collaboration services.

The biggest obstacle to providing collaboration services is the use of so-called "NATted networks". What is a NAT gateway? NAT stands for Network Address Translation. In a nutshell, NAT is a technique that allows re-use of IP addresses.

Before we go into a technical discussion of NAT, please note the following:

  1. It is a common misconception that NAT is an Internet standard. It is not. NAT is described in IETF RFC 1631. The first paragraph of this document states:

     "This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind."

  2. NAT has a number of very serious drawbacks. Among others, it severely limits modern security solutions such as VPNs. It breaks many network applications, including conferencing tools. We again quote from the original document:

     "Conclusions: NAT may be a good short term solution to the address depletion and scaling problems. This is because it requires very few changes and can be installed incrementally. NAT has several negative characteristics that make it inappropriate as a long-term solution, and may make it inappropriate even as a short-term solution. Only implementation and experimentation will determine its appropriateness.

    The negative characteristics are:

    • It increases the probability of misaddressing.
    • It breaks certain applications (or at least makes them more difficult to run).
    • It hides the identity of hosts. While this has the benefit of privacy, it is generally a negative effect.
    • Problems with SNMP, DNS, ... you name it."
  3. As we see from the above, NAT was never intended to become a widespread, industry-strength solution. Yet ISPs have started using it to increase their customer base and revenue, trading quality of service for quantity. As explained below, all ISP services based entirely on NAT are sub-standard. In particular, if your ISP service is entirely NAT based (see below for the definition), you won't be able to support any collaborative activities served from your location.

Figure: Network setup for a provider of collaborative services

The figure above illustrates the minimal requirements for your network setup. These requirements are not related to bandwidth but rather to the logical architecture of the network. The setup depicted above is almost a "canonical" blueprint for most well-designed corporate sites.

The critical elements of the setup are as follows:

  1. There is a main router connected to the ISP link. The link can be anything - a cable, a DSL, or a T1 line. Either the router itself has an appropriate interface card, or there is a link-specific modem or DSU in front of the router. The router uses public Internet addresses (see below) for all of its interfaces.

  2. There is a firewall behind the router. This is an optional element; it is also possible that the main router itself implements firewall functionality.

  3. Behind the firewall there is a semi-secure network segment known as the "Demilitarized Zone" (DMZ). This segment also uses public IP addresses. Typically, companies place just a few machines on this segment, sometimes just one - the company's public Web server.

     If you plan to provide services based on TI, the DMZ is the location for all TI services such as the meeting engine, instant messaging server, and optional audio/video re-transmitter. None of these services can run on a machine using a private IP address! However, it is possible to install these services on the hardware running the company web server.

  4. Connected to the far end of the DMZ segment is another firewall. This is optional, but recommended. Behind the internal firewall there is a NAT gateway. This is optional as well, but the shortage of IP addresses often makes it unavoidable. The second interface of the NAT gateway uses a private IP address (see below), and so do all the machines connected to the network segment behind the NAT gateway.

Private vs. public IP addresses

In principle, every machine connected to the Internet should have a unique IP address. However, due to the rather wasteful way IP addresses were assigned to organizations (at least in the early stages of the Internet), there is an acute shortage of addresses. Facing this problem, the IETF designated three blocks of addresses that can only be used on private networks. The address blocks are:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

If your machine uses an address in one of these ranges, it uses a private IP address. This means that even if you seem to have access to the Internet, your machine is not visible to any Internet router. There may be any number of machines using the same IP address in other companies. You should also understand that even if an Internet router learns about your machine in some way, it will not propagate this information to any other router, as it would with a public address.

If your private machine seems to have Internet browsing access, or you can receive e-mail, this is probably because your company has either a proxy server or a NAT gateway. With either of these solutions, you must understand and remember one important fact: if one particular Internet service works over NAT, it gives you no assurance whatsoever that any other service will work as well! This is because proxies are usually application-specific, and NAT gateways tend to disrupt many network services even when they are carefully configured. Hence, you may be able to browse the Internet but you will probably not have ICQ access, etc.

NAT gateways vs. firewalls

NAT gateways provide a certain level of security by hiding machines with private IP addresses. This is essentially "security by obscurity", a very dangerous and unprofessional approach. NAT gateways are not real firewalls and were never designed to be.

From the end-user perspective, there is an additional difference regarding the use of networked applications. Some firewalls (e.g. Checkpoint) take the benevolent attitude of "anything that is not explicitly forbidden is allowed". A NAT gateway's default attitude is "anything that is not explicitly allowed is forbidden". In other words, to enable a specific application, special port mappings have to be explicitly installed on the NAT gateway.

As a rule of thumb, you should assume that if you are behind a NAT gateway, you will only have access to a very limited selection of networked applications. Collaboration services are among those disrupted first.

Figure: An example of unacceptable Internet service

The figure above is an example of an unacceptable ISP service. In this example, the provider assigns just one public IP address to the customer. This address is used by the Internet-side interface of the company router. The router acts as a NAT gateway and (possibly) as a firewall. All company machines use private network addresses.

Such a service only supports the most rudimentary applications, such as Web browsing and, with some effort, a Web server. This is achieved by coordinated custom configuration of the router, DNS, and NAT service. Adding any collaborative services requires elaborate modifications to the router, DNS, and NAT setup.

NAT impact on CollabWorx clients

Unlike many other conferencing systems, the TI framework allows clients to be located behind a NAT gateway. However, certain limitations created by the NAT gateway may cause problems with two applications: audio/video and screen sharing. The nature of the NAT-related limitations is as follows:

  • For application modules where multiple application instances use the same port to receive information, only one such instance can be located behind the NAT gateway. The reason for this is the NAT gateway algorithm, not the TI software.

  • For screen sharing, only one participating machine can be located behind a NAT gateway. It is not possible to use screen-sharing applications between two NATted machines if each machine is behind a different NAT gateway.

Networking requirements for service receiver

Networking requirements for a customer receiving collaboration services are less stringent. The only limitation is that if the customer also uses a NAT gateway, only one workstation on the customer site will be able to receive audio and video streams if UDP-based transport is used. This restriction does not apply to reflector-based audio/video sessions.
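To make two of the mechanisms above concrete (the private-address test from the "Private vs. public IP addresses" section, and the one-receiver-per-port limit behind a NAT gateway just described), here is an added Python model. It is not CollabWorx or TI code; the gateway, host addresses and port 5004 are constructed sample values, and the gateway's port table is a deliberately simplified model of real NAT behaviour.

```python
"""Constructed model of the NAT behaviour this page describes (not CollabWorx/TI code).
Part 1 classifies addresses against the three private blocks listed above; part 2 models
a NAT gateway's inbound port-forwarding table, where a fixed receive port on the single
public address can reach only one private host (why only one A/V receiver fits behind it).
"""
import ipaddress

# The three private address blocks the page lists (RFC 1918).
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def is_private(addr: str) -> bool:
    """True if addr falls inside one of the three private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)

def can_host_services(addr: str) -> bool:
    """Meeting engine, IM server and A/V re-transmitter need a public (DMZ) address."""
    return not is_private(addr)

class NatGateway:
    """One public address shared by every private host behind it."""
    def __init__(self, public_addr: str):
        if is_private(public_addr):
            raise ValueError("outside interface must use a public address")
        self.public_addr = public_addr
        self.inbound = {}  # external dst port -> the single (private host, port) it reaches

    def map_inbound(self, private_host: str, port: int) -> bool:
        """Forward public_addr:port to private_host:port; fails once the port is taken."""
        if not is_private(private_host):
            raise ValueError("inside hosts must use private addresses")
        if port in self.inbound and self.inbound[port] != (private_host, port):
            return False  # the public port already belongs to another inside host
        self.inbound[port] = (private_host, port)
        return True

    def deliver(self, dst_port: int):
        """Where a packet sent to public_addr:dst_port ends up (None = dropped)."""
        return self.inbound.get(dst_port)

def reachable_receivers(gw: NatGateway, hosts, port: int = 5004):
    """Hosts that can all receive on one fixed UDP port behind gw (5004 is a constructed sample)."""
    return [h for h in hosts if gw.map_inbound(h, port)]
```

Running `reachable_receivers` over three inside hosts yields only the first one: the second and third fail to get the public port, which is the behaviour the page attributes to the NAT algorithm rather than to the TI software.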

Copyright © 2000 - 2008 CollabWorx, Inc. All Rights Reserved