Technical information
Chapter 3 Managing Your QuickTime Streaming Server 33
Security and Access
A certain level of security is inherent in real-time streaming, since content is delivered
only as the client needs it and no file remains on the client afterward. This does not protect
the stream in transit: RTSP and RTP traffic is not encrypted, so anyone who can connect to the
server or observe the network path can capture what is sent. You may therefore still need to
address some security issues.
The streaming server uses the IETF standard RTSP/RTP protocols. RTSP runs on top of
TCP, while RTP runs on UDP. Many firewalls are configured to restrict TCP packets by
port number, and are very restrictive on UDP.
There are three options for streaming through firewalls with the streaming server.
These options are not mutually exclusive; typically one or more are combined to provide
the most flexible setup. The three configurations outlined below are for clients behind a
firewall.
• Stream via port 80. This option enables the streaming server to encapsulate all RTSP
and RTP traffic inside TCP port 80 packets. Because this is the default port used for
HTTP-based web traffic, it gets through most firewalls. However, encapsulating the
streaming traffic lowers performance on the network and requires faster client
connections to maintain streams. It also increases load on the server.
• Open the appropriate ports on the firewall. This option allows the streaming server
to be accessed via RTSP/RTP on the default ports. It makes better use of network
resources, works with slower client connections, and puts less load on the server
than HTTP encapsulation. The ports that need to be open for unrestricted streaming include:
• TCP port 80: Used for signalling and streaming RTSP/HTTP (if enabled on server)
• TCP port 554: Used for RTSP
• UDP ports 6970–9999: Used for UDP streaming of RTP/RTCP from the server to the
client; the firewall must allow these inbound to the client (a smaller range of UDP
ports, typically 6970–6999, can usually be used)
• TCP port 7070: Optionally used for RTSP (Real Server uses this port; QTSS/Darwin
can also be configured to use this port)
• TCP ports 8000 and 8001 can be opened for Icecast MP3 streaming.
Also see the port information in the table on page 62.
• Set up a streaming proxy server. The proxy server is placed in the network DMZ, an
area of the network between the external firewall (facing the Internet) and an
internal firewall (between the DMZ and the internal network). Using firewall rules,
packets on the ports defined above are allowed from the proxy server to clients
through the internal firewall, and between the proxy server and the Internet through
the external firewall. Clients are not allowed to make direct connections to
external resources over those ports. This approach ensures that all streaming packets
bound for the internal network come through the proxy server, providing an additional
layer of network security.
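To check which of these paths actually works from a client network, the following probe (an added example, not part of this manual or of QTSS/Darwin Streaming Server) sends an RTSP OPTIONS request to the RTSP port and, for the port-80 option, the GET half of Apple's RTSP-over-HTTP tunnelling handshake (x-sessioncookie and Accept: application/x-rtsp-tunnelled headers). The stub server at the end is a constructed stand-in so the script runs offline; the host, ports, method list and reply strings it uses are assumptions, not QTSS behaviour.

```python
"""Probe the firewall paths described above: plain RTSP on TCP 554/7070, or RTSP tunnelled in HTTP on TCP 80."""
import socket
import threading
import uuid

RTSP_PORT = 554          # "TCP port 554: Used for RTSP"
RTSP_ALT_PORT = 7070     # alternate RTSP port QTSS/Darwin can be configured to use
HTTP_TUNNEL_PORT = 80    # "Stream via port 80" option: RTSP/RTP encapsulated in HTTP
MAX_HEADER_BYTES = 8192  # refuse to buffer an unbounded header block


def _read_headers(sock, limit=MAX_HEADER_BYTES):
    """Read until the blank line that ends an RTSP/HTTP header block, or the peer closes."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.decode("latin-1", "replace")


def _header(lines, name):
    """Return the value of header `name` (case-insensitive) from parsed lines, or ''."""
    for line in lines:
        key, _, value = line.partition(":")
        if key.strip().lower() == name:
            return value.strip()
    return ""


def rtsp_options(host, port, timeout=3.0):
    """Send RTSP OPTIONS over TCP. Returns (status, methods) or None if the port is unreachable
    or the listener does not speak RTSP."""
    request = ("OPTIONS rtsp://%s:%d/ RTSP/1.0\r\nCSeq: 1\r\n\r\n" % (host, port)).encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            reply = _read_headers(s)
    except OSError:
        return None
    lines = reply.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("RTSP/") or not status[1].isdigit():
        return None
    methods = [m.strip() for m in _header(lines[1:], "public").split(",") if m.strip()]
    return int(status[1]), methods


def http_tunnel_handshake(host, port, path="/", timeout=3.0):
    """Client side of the RTSP-over-HTTP tunnel GET. True if the server answers 200 with the
    tunnel content type, i.e. the port-80 option is usable through this firewall."""
    cookie = uuid.uuid4().hex   # ties the GET and the later POST channel together
    request = ("GET %s HTTP/1.0\r\n"
               "x-sessioncookie: %s\r\n"
               "Accept: application/x-rtsp-tunnelled\r\n"
               "Pragma: no-cache\r\n"
               "Cache-Control: no-cache\r\n\r\n" % (path, cookie)).encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            reply = _read_headers(s)
    except OSError:
        return False
    lines = reply.split("\r\n")
    ok = lines[0].startswith("HTTP/") and lines[0].split(" ")[1:2] == ["200"]
    return ok and _header(lines[1:], "content-type").lower() == "application/x-rtsp-tunnelled"


def probe(host, rtsp_port=RTSP_PORT, http_port=HTTP_TUNNEL_PORT):
    """Summarise which path is open from this network: {'rtsp': bool, 'http_tunnel': bool}."""
    return {"rtsp": rtsp_options(host, rtsp_port) is not None,
            "http_tunnel": http_tunnel_handshake(host, http_port)}


# --- constructed stand-in server so the probe runs offline; this is NOT QTSS ---
STUB_RTSP_REPLY = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
                   b"Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, OPTIONS\r\n\r\n")
STUB_TUNNEL_REPLY = (b"HTTP/1.0 200 OK\r\nContent-Type: application/x-rtsp-tunnelled\r\n"
                     b"Pragma: no-cache\r\nCache-Control: no-cache\r\n\r\n")


def start_stub_server():
    """Listen on an ephemeral loopback port, answer OPTIONS and tunnel GETs; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.settimeout(2.0)
                    req = _read_headers(conn)
                    if req.startswith("OPTIONS "):
                        conn.sendall(STUB_RTSP_REPLY)
                    elif req.startswith("GET ") and "application/x-rtsp-tunnelled" in req:
                        conn.sendall(STUB_TUNNEL_REPLY)
                    else:
                        conn.sendall(b"HTTP/1.0 404 Not Found\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_loopback_port():
    """Pick a loopback port nothing listens on, to show what a blocked path looks like."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = start_stub_server()
    print("stub on", port, probe("127.0.0.1", rtsp_port=port, http_port=port))
    print("closed port", probe("127.0.0.1", rtsp_port=unused_loopback_port(), http_port=unused_loopback_port()))
```

Against a real deployment, run it from the client side of the firewall with the server's hostname and the default ports; a `None` from `rtsp_options` on 554 together with a successful tunnel handshake on 80 is the signature of a firewall that only passes web traffic. The UDP data path is not exercised here: whether RTP on 6970–9999 reaches the client can only be confirmed by a SETUP/PLAY exchange and watching for packets on the client port.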