For Firewall Administrators

Application-level Firewalls

Your firewall must be RealPlayer-aware. If it is not, RealNetworks has a free RTSP proxy service which includes source code and specifications for building your own proxy. It's simple and easy to set up. To get your copy, send an e-mail request.

Most major firewall vendors support RealPlayer. If your firewall vendor is not listed as supporting RealPlayer, ask your firewall representative to contact us about joining our firewall developers program.

Network-level Firewalls

Network-level firewalls, such as packet filters, use access control lists to let traffic destined for some ports pass from the Internet to the organization's internal network and to block packets for other ports. For any version of RealAudio Player or RealPlayer to play correctly, the router only needs to pass packets to the inner network that are bound for the following ports:

  • TCP port 7070 for connecting to pre-G2 RealServers
  • TCP port 554 and 7070 for connecting to G2 RealServers

  • UDP ports 6970 - 7170 (inclusive) for incoming traffic only

The TCP port is used by RealPlayer to initiate a conversation with an external RealServer, to authenticate RealPlayer to the server, and to pass control messages during playback (such as pausing or stopping the stream). RealSystem G2 uses two TCP protocols for conversations between Players and Servers.

For an even safer firewall, configure the router's access control list to allow TCP connections on port 7070 and/or port 554 to be initiated from the inside network exclusively. Incoming traffic, on the other hand, should only be allowed if it is part of an ongoing connection. This is assured by requiring every incoming TCP packet to have the ACK bit set in its TCP header. The syntax for matching on the ACK bit varies with the kind of router you own. For Cisco routers, the flag "ESTABLISHED" can be put at the end of the line in an access rule to specify that an incoming packet must be part of an ongoing conversation.

The range of UDP ports, on the other hand, carries the incoming stream. These ports begin to carry traffic only after RealPlayer and RealServer have performed the authentication routine, and should be enabled only for incoming traffic.
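The rules described above can be checked against sample traffic with a small stateless model. This is an added example, not RealNetworks code or router syntax; the Packet type, the function names and the sample packets are constructed for illustration, and matching inbound TCP on source port 554 or 7070 is an assumption about how the rule would be written.

```python
# Stateless model of the packet-filter policy described above (added example).
from dataclasses import dataclass

REAL_TCP_PORTS = {554, 7070}          # RealServer control ports named on this page
REAL_UDP_RANGE = range(6970, 7171)    # 6970-7170 inclusive, inbound stream only

SYN, ACK = 0x02, 0x10                 # TCP header flag bits

@dataclass(frozen=True)
class Packet:
    inbound: bool      # True: Internet -> inside network
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0     # TCP flags; ignored for UDP

def permit(pkt: Packet) -> bool:
    """Return True if the ACL passes the packet; anything unmatched is denied."""
    if pkt.proto == "tcp":
        if not pkt.inbound:
            # Inside hosts may open and continue sessions to the control ports.
            return pkt.dport in REAL_TCP_PORTS
        # Assumption: inbound TCP must come from a control port. It must also
        # carry ACK, which a connection-opening SYN never does.
        return pkt.sport in REAL_TCP_PORTS and bool(pkt.flags & ACK)
    if pkt.proto == "udp":
        # The media stream arrives on 6970-7170; no outbound UDP rule is needed.
        return pkt.inbound and pkt.dport in REAL_UDP_RANGE
    return False

# Constructed sample traffic: (description, packet)
SAMPLES = [
    ("player opens RTSP session", Packet(False, "tcp", 40000, 554, SYN)),
    ("server SYN+ACK reply", Packet(True, "tcp", 554, 40000, SYN | ACK)),
    ("outside host opens a connection", Packet(True, "tcp", 7070, 40000, SYN)),
    ("inbound stream datagram", Packet(True, "udp", 30000, 6970)),
    ("inbound datagram past the range", Packet(True, "udp", 30000, 7171)),
    ("outbound UDP on a stream port", Packet(False, "udp", 6970, 30000)),
]

def evaluate(samples=SAMPLES):
    return {name: permit(pkt) for name, pkt in samples}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{'PERMIT' if ok else 'DENY  '}  {name}")
```

Because the ACK test looks at one header bit rather than tracking sessions, a stateful filter is the stricter choice where the device supports it.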

You may also want to use a proxy server in conjunction with a network-level firewall.

When RealPlayer versions G2, 7, or 8 are in use:

Do one of the following:

  • Open ports 6970 - 7170 in your firewall for UDP.
  • Open ports 7070 - 7071 and 554 in your firewall for TCP and instruct RealPlayers to use TCP for all content. Playback quality will not be as good with this option.
  • Configure your firewall to receive UDP through only one port and instruct Players to use UDP with the port you chose.
  • Tell users to configure RealPlayer to request that RealServer send all media in HTTP format. This creates more overhead on your network than any of the other options.

When RealPlayer versions 4.0 or 5.0 are in use:

Do one of the following:

  • Open ports 6970 - 7170 in your firewall for UDP.
  • Open ports 7070 - 7071 in your firewall for TCP and instruct RealPlayers to use TCP for all content. Playback quality will not be as good with this option.
  • Configure your firewall to receive UDP through only one port and instruct Players to use UDP with the port you chose.
  • Tell users to configure RealPlayer to request that RealServer send all media in HTTP format. This creates more overhead on your network than any of the other options.

When RealAudio Player version 3.0 is in use:

Do one of the following:


 