[unisog] [unison] iChat

Oliver, Jeff jeff.oliver at uleth.ca
Fri May 11 18:36:59 GMT 2007

Thanks Kevin (and others),

I have in fact seen this article, and spent some considerable time on
the phone with Apple (who helpfully told me that it is my firewall)
trying to figure out the issues. BTW, the text chat works fine, only the
AV is broken.

There seem to be multiple issues involved, including the security
policy that we have adopted. We do not allow unsolicited traffic
inbound to the desktops.

From what I have been able to determine, here is the flow of traffic for
an iChat video session:

1. inside m/c "logs in" to server in internet-land
2. outside m/c "logs in" to server in internet-land
3. inside machine sends "VidChat for buddy" request to server
4. server forwards request to buddy on outside machine, which rings.
5. buddy answers, and by doing so, outside machine initiates the SIP
   call to inside machine.
6. F/W blocks as the call was not initiated on the inside.

Note that outside to outside works (obviously), but so does inside to

As well, Apple's implementation of SIP (which iChat uses) does not
comply with the RFCs, and thus SmartDefense is seeing the packet as a
"Malformed SIP Datagram" even though I have turned off the SD portion of
the firewall and told it not to inspect the SIP packets. I have even
gone so far as to re-define port 5060 so that there is no inspection,
and just let it through.

I think that I will now look into a socks proxy for it?


> Here is a page from Apple's site
> (http://docs.info.apple.com/article.html?artnum=106439). It does not
> specifically reference any single firewall, but it should help in
> configuring your Checkpoint. Just search the page for "iChat". So far,
> it looks like these ports:
> 5060 UDP, 5190 TCP/UDP, 5222 TCP, 5223 TCP, 5269 TCP, 5297 TCP, 5298
>
> By chance, what version of Checkpoint are you running? There should be
> a couple of default groups (AOL_Messenger, MSN_Messenger, and
> Yahoo_Messenger) that utilize some of the base ports that you need. If
> you still are having a problem, feel free to contact me off list. I
> would not mind assisting.
> Kevin D. Butler, MCP
> University of Arkansas for Medical Sciences
> IT Technical Security Department
> 4301 West Markham, Slot 637
> Little Rock, Arkansas 72205
> (501) 526-6391 Wk
> (501) 405-8240 Pgr
> (501) 772-3971 Cell
> "Only those who will risk going
>    too far can possibly find out
>            how far you can go."
>                                      - T.S. Eliot, poet
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Oliver, Jeff
> Sent: Thursday, May 10, 2007 4:01 PM
> To: unisog at lists.dshield.org
> Subject: [unisog] ichat
> Has anyone had success getting iChat through a CP firewall?
> Jeff
> 	I do know everything, just not all at once.
> 	It's a virtual memory problem.
> --
> Jeffrey L. Oliver                      Email: jeff.oliver at uleth.ca
> Network Analyst                        Web:   http://telecom.uleth.ca
> Communication Technologies Unit        H.323: jeff.oliver at uleth.ca
> The University of Lethbridge
> 4401 University Drive
> Lethbridge, Alberta                    Tel:   403.329.5162
> Canada, T1K3M4                         Fax:   403.382.7108
> --
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
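A small model of the default-deny policy Jeff describes, replayed over his step list; this is an added illustration, not code from the thread or from Check Point. The inside-initiated logins create state, while the buddy-initiated SIP call in step 5 arrives with no matching state and is dropped unless an explicit inbound hole for 5060/udp is opened, which is exactly the unsolicited inbound traffic the policy forbids. Addresses are constructed placeholders; 5190/tcp and 5060/udp come from Kevin's port list, but which step uses which port is an assumption.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (RFC 5737 documentation ranges).
INSIDE = "10.0.0.5"         # desktop behind the campus firewall
OUTSIDE = "198.51.100.7"    # the buddy's machine
SERVER = "203.0.113.10"     # iChat/AIM server "in internet-land"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


class StatefulFirewall:
    """Default-deny inbound: only inside-initiated flows, their replies,
    and explicitly listed inbound (proto, dport) holes are allowed."""

    def __init__(self, inside_prefix="10.0.0.", inbound_allow=()):
        self.inside_prefix = inside_prefix
        self.inbound_allow = set(inbound_allow)
        self.state = set()  # (inside_host, outside_host, proto); ports elided

    def is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def check(self, p):
        if self.is_inside(p.src):
            self.state.add((p.src, p.dst, p.proto))
            return "ALLOW: outbound, state created"
        if (p.dst, p.src, p.proto) in self.state:
            return "ALLOW: reply to inside-initiated flow"
        if (p.proto, p.dport) in self.inbound_allow:
            return "ALLOW: explicit inbound rule"
        return "DROP: unsolicited inbound"


# The call flow from the message; steps 2 and 4 never cross this firewall.
ICHAT_AV_FLOW = [
    ("1. inside m/c logs in to server", Packet(INSIDE, SERVER, "tcp", 5190)),
    ("3. inside sends VidChat request", Packet(INSIDE, SERVER, "tcp", 5190)),
    ("5. buddy answers; outside m/c starts SIP call", Packet(OUTSIDE, INSIDE, "udp", 5060)),
]


def replay(fw):
    """Return [(step, verdict)] for the iChat AV flow under the given policy."""
    return [(step, fw.check(pkt)) for step, pkt in ICHAT_AV_FLOW]


if __name__ == "__main__":
    for label, fw in (("strict policy", StatefulFirewall()),
                      ("5060/udp inbound hole", StatefulFirewall(inbound_allow=[("udp", 5060)]))):
        print(label)
        for step, verdict in replay(fw):
            print(f"  {step}: {verdict}")
```

Under the strict policy the SIP step is the only one dropped; opening 5060/udp lets it through at the cost of accepting unsolicited inbound datagrams to every desktop, which is the trade-off behind looking at a proxy instead.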