Eyeball Any-Firewall™ Technology

VoIP, video telephony, and the industry’s highest call completion rate

www.eyeball.com Copyright 2005

Seamless VoIP and Video Telephony

Internet-based VoIP and video telephony is poised for phenomenal growth in both consumer and enterprise markets. VoIP and video telephony services provide the following advantages over traditional PSTN systems:

• Richer communication experience using voice, video, presence, and text
• Robust feature set, including 3-way calls, call hold, call transfer, click-to-call, unified messaging, etc.
• Mobility: seamless access to a unified service from anywhere, at any time
• Potentially higher voice quality than the PSTN
• Lower cost

Communication features such as voice calls, video calls, unified messaging, video conferencing and collaboration may be accessed from broadband or Wi-Fi phones, PCs, PDAs, mobile handsets, set-top-boxes or enterprise-class dedicated video conference endpoints.

The widespread use of the Internet has spurred the growth of VoIP and video telephony services. Yet transmitting voice and video between computers on the Internet is problematic, to say the least, because most endpoints sit behind firewalls and other security devices. Firewalls block incoming packets from unknown sources, which prevents reliable, on-the-fly communication. Since not every incoming call comes from a known, pre-established calling party, a means of completing calls under the realities of the Internet must be implemented.

A critical issue for VoIP and video telephony communications is whether data packets can traverse NATs, firewalls, and proxies and connect callers using different firewall products and configurations, with zero intervention required by the calling parties. Regardless of the reason, calls blocked by firewalls translate into subscriber frustration, increased support costs, subscriber churn, and missed revenue opportunities.

Unlike expensive, labor-intensive, or merely partial technical workarounds that often fail to work with all standard firewalls or to deliver a reliable call completion rate, Eyeball Networks’ exclusive Any-Firewall™ Technology provides the industry’s highest call completion rate regardless of the firewalls traversed by the parties in a call. Any-Firewall™ Technology ensures that Internet calls can traverse firewalls, NAT (Network Address Translation), PAT (Port Address Translation), and proxy configurations without subscriber interaction or firewall reconfiguration.

Critical advantages of Any-Firewall™ Technology include:

□ Delivers the industry’s highest call completion rate
□ Voice and video calls are completed regardless of the firewall product and network connection being used
□ Interoperable with all standard firewall, NAT, PAT, and proxy products
□ Connects callers even if they are using different firewall products (as well as modems, routers, proxies, NATs and PATs)
□ Does not require any specific port or ports to remain open (a serious security exposure), nor does it require any other firewall modifications
□ Is fully compatible with IETF standards and drafts, including STUN, TURN and ICE, as well as HTTP tunneling, each of which on its own provides only a limited means of completing calls
□ Has been successfully tested against a complete range of NATs, firewalls, and proxies
□ Requires no knowledge of firewalls on the part of the user
□ Makes anywhere, any time VoIP and video telephony calling a reality

Firewalls, IP Addresses, and Voice/Video Telephony

Firewalls

Firewalls protect computers and networks from intruders and potentially harmful network traffic. Firewalls typically sit at the border between one network and another or, in the case of personal firewall products, protect an individual computer. Although there are several different types of firewalls, the most common is based on "packet filtering". This type of firewall examines network traffic at the packet level, deciding whether or not to let each packet enter or leave a network. If a packet passes the firewall's pre-defined filtering rules, it is forwarded on to its intended destination. If it doesn’t pass, the packet is simply discarded.

Firewalls play a key role in voice/video telephony because of their ability to block data packets and because they can make changes to the IP addresses and port numbers contained in those packets.

Global vs. Virtual IP Addresses

Every computer connected to the Internet is assigned an IP address so that it can be uniquely identified. IP addresses are normally “global”, meaning that the address can be reached by any other computer on the Internet. However, on local area networks, or LANs, organizations may choose to use private, or virtual, IP addresses (the RFC 1918 private ranges such as 10.0.0.0/8 and 192.168.0.0/16). Virtual IP addresses are not global: they are not routable on the Internet and can only be understood by other computers and components attached to the same LAN.

Virtual IP addresses help alleviate the growing problem of insufficient IP address space to meet demand. Virtual IP addresses matter to Internet-based communications because connection problems arise when one or more users in a session are using a virtual IP address.

NAT/PAT Firewalls

Computers on a LAN normally cannot communicate with systems on the Internet directly because they have not been assigned global IP addresses. Network Address Translation (NAT) and Port Address Translation (PAT) are techniques that enable computers using virtual IP addresses on a LAN to access the public Internet. In effect, they allow an organization to share one or a few global IP addresses among many computers that each use a virtual IP address. NAT/PAT is supported by many common enterprise and personal firewalls in use today.


NAT/PAT firewalls use both internal and external IP addresses to communicate with computers on the LAN and on the Internet. The firewall maintains a mapping from each virtual IP address and port to a global IP address and port; many internal hosts may share a single global address, distinguished by port.

Network packets have headers containing network information, including the source IP address and port number as well as the destination IP address and port number of the packet. Packets that are sent through NAT/PAT firewalls will have the source IP address and port number altered by the firewall. This process is also known as port masquerading.

Figure 1: VoIP packets passing through NAT/PAT firewalls have the source IP address altered before being routed to their destination.

Figure 1 above highlights what happens when a LAN user with a virtual IP address tries to communicate with another user on the Internet. Outgoing packets sent by the LAN user are modified by the NAT/PAT firewall so that the virtual IP address and port number are replaced with a global IP address and port number. The same process also happens in reverse, with incoming packets having their destination IP address and port number modified back to the virtual IP address and port of the LAN user. If the firewall of the LAN user were to forward outgoing packets without modifying the header, replies would be addressed to the virtual IP address, which is not routable on the Internet; they would either never arrive or be discarded, because the firewall only forwards packets addressed to the LAN user’s global IP address and port. Either way the call fails.

Network and port address translation techniques have a direct impact on whether two or more users are able to connect for voice/video calls. A communications solution that is not designed to account for the effects of NAT/PAT will not consistently connect calls.


Why VoIP Data Packets Get Blocked by Firewalls

There are numerous reasons why VoIP calls may fail to pass through a firewall. Sometimes callers are behind firewalls that explicitly block any type of connection that isn’t simply a request for a web page. Or the VoIP endpoint may use proprietary protocols that require special support from a firewall before they function correctly. Both of these situations require firewall configuration by administrators, which is not always possible or desirable when VoIP and video calls take place amongst a wide-ranging Internet population.

Figure 2: Connection failure for voice and video call resulting from a NAT/PAT firewall.

Another common reason data packets are blocked is that an endpoint is unable to determine the correct “global” IP address and port number of the other endpoint because of the use of NAT/PAT firewalls and virtual IP addresses. Figure 2 illustrates this problem using a scenario where two participants try to connect for a call with endpoints and server software that do not incorporate Any-Firewall™ Technology.

In this scenario both users are on LANs using virtual IP addresses and both are behind NAT/PAT firewalls. When users log in to the video communications server, the server takes note of each endpoint’s public IP address and the TCP port number of its login connection. If a user tries to call another user, the server informs each endpoint of the other’s IP address and port number so the endpoints know where they should try to connect. In this example, the data packets sent by user A are altered by user A’s NAT/PAT firewall: user A’s internal IP address and port number are replaced by a public IP address and port number that user B’s side has never seen. User B’s firewall rejects the packet because it arrives unsolicited, and no mapping exists for user B’s internal IP address and port number. The same happens in reverse when user B tries to send a packet to user A. The end result is that neither user can connect, because neither is able to send packets to the right destination port number given the port masquerading by the firewalls. Again the call fails.


Solving NAT/PAT Issues

Some video communications solutions and protocols address such port masquerading problems by requiring certain firewall conditions to be met before calls can be completed. A common approach is for the video software or protocol to require that specific port numbers be left “open” in the firewall. Leaving a port open means that the firewall forwards any unsolicited inbound packet on that port to the host without further inspection or control. This introduces a security hazard: an intruder who knows about the open port can send malicious traffic to the listening application through it at any time, whether or not a call is in progress. Leaving ports open therefore defeats the reason for installing a firewall in the first place.

Another problem with opening ports is that it requires manual configuration by either the end-user or a network administrator. A home-based user may simply lack the technical knowledge to correctly make this adjustment, or even may be unable to do so if their firewall product is controlled by their ISP, as is the case with certain cable and DSL service providers. For LAN users, their network administrator may also be unable, or more likely unwilling, to open the required ports the video communications software needs to function correctly. Either way, users are required to take extra steps to enable video communications and, more often than not, will give up in frustration. It was for these reasons that Eyeball Networks developed our patent-pending Any-Firewall™ Technology.

Eyeball Any-Firewall™ Technology

Any-Firewall™ Technology is exclusive to Eyeball Networks and ensures that users can connect to each other regardless of the firewall products and configurations being used. Figure 3 shows the same basic scenario as Figure 2, except that in this case the Eyeball Communications Server with Any-Firewall™ Technology is being used.

Figure 3: Successful voice/video call using Any-Firewall™ Technology.


When user A, above, tries to connect to user B the Eyeball Communications Server automatically determines the correct global IP address and port number of each user and communicates that to user A and B respectively. When user A tries to connect to user B, video data packets will be sent to the correct port number of user B and will therefore be accepted by user B’s firewall. The same process happens in reverse when user B sends video data packets to user A. The end result is that both users are able to connect to each other because each is able to send packets to the right destination port number. This produces a successful call.

Any-Firewall™ Technology in Action

Any-Firewall™ Technology works by enabling a computer (or other video telephony device) behind a firewall to send a UDP stream to another device(s), also behind a firewall, using peer-to-peer data transfer. The result is consistent service reliability – and the industry’s highest call completion rate.

Step-by-Step: Suppose computer C1 wants to send a UDP packet stream to computer C2. Any-Firewall™ Technology enables this using the following eight steps:

Figure 4: Eyeball Any-Firewall™ Technology steps.

1. Computer C1 sends a UDP packet U1 to server S1. C1 initiates the transmission from its internal IP address and UDP port (H1:h1). Firewall FW1 translates the IP address and port to F1:f1.

2. When it receives packet U1 from F1:f1, S1 can identify F1 and f1 as the external IP address and external port from which FW1 will send the UDP data stream originating with C1.

3. C2 sends a UDP packet U2 to server S1. C2 initiates the transmission from its internal IP address and UDP port (H2:h2). Firewall FW2 translates the IP address and port to F2:f2.

4. When it receives packet U2 from F2:f2, S1 can identify F2 and f2 as the external IP address and external port at which FW2 will receive the UDP data stream to be transmitted from C1 to C2.

5. S1 tells C2 that F1:f1 is the external IP address and port from which FW1 will send the UDP data stream.

6. S1 tells C1 that F2:f2 is the external IP address and port to which the UDP data stream destined for C2 should be sent.

7. C2 sends a UDP packet U3 to F1:f1, using its internal port h2. Firewall FW2 will send the packet from F2:f2. This packet will be blocked by firewall FW1, which has not yet seen any outbound traffic to F2:f2. However, as described in step (8), it prompts firewall FW2 to pass subsequent packets sent by C1 and destined for C2.

8. When C1 subsequently sends a data stream consisting of UDP packets destined for C2, firewall FW1 will send them from F1:f1 to F2:f2. Because of the packet sent in step (7), firewall FW2 recognizes F1:f1 as an address and port to which it has recently sent a packet from F2:f2. Accordingly, it permits packets sent from F1:f1 to F2:f2 to pass through the firewall, and forwards them to H2:h2, the internal IP address and port of C2.

Similar steps, in reverse, permit a UDP data stream originating with C2 to pass through firewall FW1 to C1 (C1’s packets in step (8) have already opened FW1 to traffic from F2:f2). Thus, C1 and C2 can use applications which depend on two-way transmission of UDP data streams, such as video chat, video conferencing and video instant messaging.

For multiple clients C1, …, CN, the same procedure permits many-to-one or many-to-many transmission of UDP data streams through all standard NAT/PAT firewalls. In fact, Any-Firewall™ Technology traverses firewalls by automatically identifying the firewall type and predicting the appropriate port.
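The eight steps above, and the address translation described under NAT/PAT Firewalls (Figures 1 to 3), as an added example that is not Eyeball’s code: a Python model of two NAT/PAT firewalls running the procedure. The two NAT behaviours (a “cone” NAT that reuses one public port per internal socket, and a “symmetric” NAT that allocates a fresh public port per destination, both of which drop inbound packets from any source the public port has not sent to), the sequential port allocation that makes the prediction guess work, and every address are assumptions constructed for the example; the page says only that the firewall type is identified and a port predicted, not how.

```python
"""Model of the Any-Firewall(TM) eight-step UDP hole punch (added example).

The NAT model and all addresses are constructed for this example; the page
describes the observable steps, not Eyeball's implementation.
"""
import itertools

# Constructed addresses (documentation and RFC 1918 ranges), not from the page.
S1 = ("203.0.113.10", 3478)      # public rendezvous server
H1 = ("192.168.1.20", 5004)      # C1 internal address/port (H1:h1)
H2 = ("10.0.0.7", 5004)          # C2 internal address/port (H2:h2)


class NatFirewall:
    """NAT/PAT firewall with one public IP (assumed behaviour).

    mapping = "cone": one public port per internal socket, whatever it talks to.
    mapping = "symmetric": a fresh public port per (internal socket, destination),
    allocated sequentially (assumption that makes port prediction possible).
    Filtering is address-and-port dependent in both cases: an inbound packet is
    forwarded only if this public port has already sent to the packet's source.
    """

    def __init__(self, public_ip, mapping="cone", first_port=40000):
        self.public_ip = public_ip
        self.mapping = mapping
        self._ports = itertools.count(first_port)
        self._bindings = {}    # mapping key -> public port
        self._internal = {}    # public port -> internal (ip, port)
        self._allowed = set()  # (public port, remote (ip, port)) seen on egress

    def outbound(self, src, dst):
        """Translate an outgoing packet; return the public (ip, port) it leaves from."""
        key = src if self.mapping == "cone" else (src, dst)
        if key not in self._bindings:
            port = next(self._ports)
            self._bindings[key] = port
            self._internal[port] = src
        port = self._bindings[key]
        self._allowed.add((port, dst))   # remember who we talked to: the "hole"
        return (self.public_ip, port)

    def inbound(self, src, public_port):
        """Filter an incoming packet; return the internal destination or None if dropped."""
        if (public_port, src) in self._allowed:
            return self._internal[public_port]
        return None


def any_firewall_steps(fw1, fw2, predicted_port=None):
    """Run steps 1-8 for C1 behind fw1 and C2 behind fw2; report what got through.

    predicted_port lets C1 aim step 8 at a port other than the one S1 observed,
    which is what the text calls "predicting the appropriate port".
    """
    f1 = fw1.outbound(H1, S1)                   # steps 1-2: S1 observes F1:f1
    f2 = fw2.outbound(H2, S1)                   # steps 3-4: S1 observes F2:f2
    # steps 5-6: S1 relays F1:f1 to C2 and F2:f2 to C1 over the control path.
    u3_src = fw2.outbound(H2, f1)               # step 7: C2 -> F1:f1 opens FW2
    u3_delivered = fw1.inbound(u3_src, f1[1])   # FW1 has not sent to F2:f2 yet
    target = f2 if predicted_port is None else (f2[0], predicted_port)
    data_src = fw1.outbound(H1, target)         # step 8: C1 -> F2:f2 opens FW1
    data_delivered = fw2.inbound(data_src, target[1])
    reply_src = fw2.outbound(H2, f1)            # reverse direction: C2 -> C1
    reply_delivered = fw1.inbound(reply_src, f1[1])
    return {
        "f1": f1, "f2": f2, "u3_src": u3_src,
        "u3_delivered": u3_delivered,        # None: U3 dropped, as step 7 says
        "data_delivered": data_delivered,    # H2:h2 when the punch worked
        "reply_delivered": reply_delivered,  # H1:h1 when the reverse path works
    }


if __name__ == "__main__":
    print("cone/cone      :", any_firewall_steps(NatFirewall("198.51.100.1"),
                                                 NatFirewall("198.51.100.2")))
    print("cone/symmetric :", any_firewall_steps(NatFirewall("198.51.100.1"),
                                                 NatFirewall("198.51.100.2", "symmetric")))
    print("with prediction:", any_firewall_steps(NatFirewall("198.51.100.1"),
                                                 NatFirewall("198.51.100.2", "symmetric"),
                                                 predicted_port=40001))
```

With two cone NATs the step-7 packet is dropped by FW1 and the step-8 stream is forwarded to H2:h2, exactly as the text describes. When FW2 is symmetric, its step-7 packet leaves from a new port (40001, not the 40000 that S1 saw), so C1’s stream to F2:f2 is filtered; only by guessing the next port does the punch succeed, which is why the endpoint has to classify the firewall before choosing where to send.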

Field Proven

Any-Firewall™ Technology supports users with private, virtual, or public IP addresses using any combination of Network Address Translation (NAT) and Port Address Translation (PAT) firewall products. This interoperability allows an organization to reach the maximum number of users possible for video communications. Eyeball SDK and Soft Client software with Any-Firewall™ Technology has been successfully tested ‘out-of-the-box’ with nearly all configurations of firewall products, as well as NAT devices, proxies, softswitches and routers, including all those listed in the table below.


Firewall or NAT device type                              Supported products
Windows-based/personal firewall                          ZoneLabs ZoneAlarm; SyGate Personal Firewall; McAfee Personal Firewall; BlackIce Defender; Symantec Personal Firewall
Windows software proxy servers                           MS Internet Connection Sharing (ICS); MS Internet Security & Acceleration (ISA); MS Proxy Server; SyGate Home Network; Ositis WinProxy
Cable or DSL modems/routers with firewall and/or NAT     D-Link cable/DSL routers; 3Com modems; Linksys cable/DSL routers; Melco Wireless LAN Router; Motorola SURFBoard cable modem; NEC ADSL router (WB65DSL)
Unix firewalls and proxies                               ipfwadm (Linux); Linux
Hardware firewalls and others                            Cisco PIX firewalls; CheckPoint; NetScreen firewalls; SonicWALL firewalls; Symantec VelociRaptor; Watchguard Firebox

Table 1: Firewalls and NAT devices that support Eyeball VoIP and video telephony clients.

Fallback to TCP or HTTP

To work out of the box, Any-Firewall™ Technology requires only that a firewall permit outgoing UDP and TCP traffic (and the replies to it). This condition is met by the majority of firewall configurations. For these firewalls or NAT devices, Any-Firewall™ Technology provides the highest peer-to-peer UDP call completion between callers and callees. However, some more “restrictive” firewalls do not pass UDP at all.

Enterprise firewalls are the kind most commonly configured with restrictive settings. These settings block all traffic except TCP connections to port 80 (used for ‘http’) or port 443 (used for secure ‘https’). When a user connects through such a restrictive firewall, the call cannot be completed using peer-to-peer UDP transport, so Any-Firewall™ Technology falls back to server-based transport over TCP connections between clients and server.

In some cases, firewalls or proxies allow only HTTP. In these cases, Any-Firewall™ Technology uses HTTP encapsulation, or tunneling, between clients and server: clients send voice and video data as the payload of HTTP POST messages and receive data in HTTP response messages. This also enables successful voice and video calls through Internet proxies.

Dynamic or Static Port Compatibility

Eyeball endpoints can be configured to use either dynamic or static ports for video telephony. Using dynamic port numbers helps guarantee that a port number used by an Eyeball endpoint does not conflict with other applications on the same system. No firewall configuration is required for Eyeball video clients to use dynamic port numbers. If required, Eyeball clients can also be configured to use static port numbers.

Summary

VoIP and video telephony are poised for mass adoption. Internet-based voice and video telephony delivers a level of communication, interactivity and productivity not possible with traditional voice-only communications. Connecting subscribers requires a solution that can handle the complexities of firewalls, virtual IP addresses, port masquerading and other secure configurations. Eyeball Networks’ exclusive Any-Firewall™ Technology was designed to address these issues while connecting users reliably and cost-effectively.

Standards and Codecs

A key to Eyeball’s success in providing the industry’s highest call completion rate is the intelligence at the endpoints, which discovers the type of firewall(s) in use and predicts the addresses and ports that can be used to complete a VoIP or video call.

Eyeball endpoint and server software is fully compliant with IETF standards and drafts such as SIP and SIMPLE. Eyeball Any-Firewall™ Technology uses standard protocols including STUN, TURN and ICE for exchanging connection information (such as address and port options) for completion of voice and video calls.

RFC 3261 (SIP: Session Initiation Protocol)
RFC 3665 (SIP Basic Call Flow Examples)
RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication) [used by SIP]
RFC 3428 (SIP Extension for Instant Messaging)
RFC 3263 (Locating SIP Servers)
RFC 2327 (SDP: Session Description Protocol)
RFC 2782 (DNS SRV)
RFC 2190 (RTP Payload Format for H.263 Video Streams)
RFC 3264 (Offer/Answer Model with SDP)
RFC 3550 (RTP: A Transport Protocol for Real-Time Applications)
RFC 2833 (RTP Payload for DTMF Digits, Telephony Tones and Telephony Signals)
RFC 3489 (STUN: Simple Traversal of UDP Through Network Address Translators)
RFC 3920 (Extensible Messaging and Presence Protocol (XMPP): Core)
RFC 3921 (Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence)

Voice codecs: G.711, G.729A, GSM 6.10, iLBC, Speex, Speex-wb Video codecs: H.263, H.264, MPEG-4 and EyeStream
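As an added example, not Eyeball’s code and written from the RFC 3489 wire format the page lists above: the STUN Binding Request and Binding Response that implement steps 1 to 4 of the procedure. The server encodes the public address it observed into a MAPPED-ADDRESS attribute and the client parses it back to learn its F1:f1. The address 198.51.100.1:40000 and the transaction ID are constructed. The parser checks the length field and every attribute boundary before trusting them, which is the check a practitioner wants on any parser fed unsolicited datagrams, and the CHANGE-REQUEST flags are included because they are how an RFC 3489 client performs the NAT-type tests behind the “firewall type” discovery the page mentions.

```python
"""RFC 3489 STUN Binding Request/Response encoder and parser (added example).

Covers steps 1-4 of the hole-punch procedure: the client sends a Binding
Request from H1:h1, the server replies with the F1:f1 it saw in MAPPED-ADDRESS.
Written from the RFC's wire format, not from Eyeball's software.
"""
import os
import socket
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
CHANGE_REQUEST = 0x0003            # 4-byte flags: 0x04 change IP, 0x02 change port
HEADER = struct.Struct("!HH16s")   # message type, attribute length, transaction ID


def encode_attr(attr_type, value):
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_message(msg_type, transaction_id, attrs=b""):
    return HEADER.pack(msg_type, len(attrs), transaction_id) + attrs


def build_binding_request(transaction_id=None, change_ip=False, change_port=False):
    """Client side. change_ip/change_port drive the RFC 3489 NAT-type tests."""
    tid = transaction_id or os.urandom(16)
    attrs = b""
    if change_ip or change_port:
        flags = (0x04 if change_ip else 0) | (0x02 if change_port else 0)
        attrs = encode_attr(CHANGE_REQUEST, struct.pack("!I", flags))
    return encode_message(BINDING_REQUEST, tid, attrs)


def parse_message(data):
    """Parse header and attributes, rejecting anything whose lengths disagree."""
    if len(data) < HEADER.size:
        raise ValueError("short STUN header")
    msg_type, length, tid = HEADER.unpack_from(data)
    body = data[HEADER.size:]
    if len(body) != length:
        raise ValueError("length field does not match payload")
    attrs, off = {}, 0
    while off + 4 <= length:
        a_type, a_len = struct.unpack_from("!HH", body, off)
        off += 4
        if off + a_len > length:
            raise ValueError("attribute overruns message")
        attrs[a_type] = body[off:off + a_len]
        off += a_len
    if off != length:
        raise ValueError("trailing bytes after last attribute")
    return msg_type, tid, attrs


def build_binding_response(request, source):
    """Server side: answer with the (ip, port) the request datagram came from."""
    msg_type, tid, _ = parse_message(request)
    if msg_type != BINDING_REQUEST:
        raise ValueError("not a Binding Request")
    ip, port = source
    value = struct.pack("!BBH4s", 0, 0x01, port, socket.inet_aton(ip))  # IPv4 = 0x01
    return encode_message(BINDING_RESPONSE, tid, encode_attr(MAPPED_ADDRESS, value))


def mapped_address(response, expected_tid):
    """Client side: match the transaction ID, then pull F1:f1 out of MAPPED-ADDRESS."""
    msg_type, tid, attrs = parse_message(response)
    if msg_type != BINDING_RESPONSE or tid != expected_tid:
        raise ValueError("response does not match our request")
    if MAPPED_ADDRESS not in attrs or len(attrs[MAPPED_ADDRESS]) != 8:
        raise ValueError("missing or malformed MAPPED-ADDRESS")
    _, family, port, raw_ip = struct.unpack("!BBH4s", attrs[MAPPED_ADDRESS])
    if family != 0x01:
        raise ValueError("only IPv4 MAPPED-ADDRESS handled here")
    return socket.inet_ntoa(raw_ip), port


if __name__ == "__main__":
    tid = os.urandom(16)
    req = build_binding_request(tid)
    # Constructed: the public address/port FW1 showed the server (F1:f1).
    resp = build_binding_response(req, ("198.51.100.1", 40000))
    print("client learned F1:f1 =", mapped_address(resp, tid))
```

The transaction-ID check matters in practice: a client that accepts any Binding Response would let an on-path party hand it a bogus F1:f1 and steer the media stream. RFC 3489 MAPPED-ADDRESS is sent in the clear; later STUN revisions added XOR-MAPPED-ADDRESS because some NATs rewrote addresses they recognised inside the payload.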

About Eyeball Networks

Eyeball Networks is a world leader in VoIP and video telephony software for service providers and device manufacturers.

Eyeball's patented Any-Bandwidth™ Technology and Any-Firewall™ Technology guarantee the best possible voice and video quality for every subscriber, over any Internet connection, across any firewall, and on any device.

Eyeball's endpoint and server software supports more than 6 million VoIP and video telephony subscribers and 10 billion call minutes for more than 100 service providers in North America, Europe and Asia. Our customers include many of the world's largest Internet and VoIP service providers, and device and chipset manufacturers.

Founded in 2000, Eyeball Networks is a privately-held company headquartered in Vancouver, British Columbia.

Worldwide Offices

Corporate Headquarters
Eyeball Networks Inc.
500 - 100 Park Royal
West Vancouver, B.C. V7T 1A2
Phone: 604.921.5993
Fax: 604.921.5909

Japan
Tamachi East 803
2-16, Shibaura 3-chome, Minato-ku
Tokyo
Phone: +81 (3) 5440-4533
Fax: +81 (3) 5440-4533

USA
451 37th Street
New York, NY 10016
Phone: 646.428.5383

United Kingdom
1A Orton Lane
Wombourne
Wolverhampton WV5 9AN
Phone: +44 (0) 560 043 3364
Fax: +44 (0) 870 762 6001


Contact Eyeball Networks today for a live demonstration of our soft phones and servers. See and hear how Eyeball’s patented Any-Bandwidth™ Technology and Any-Firewall™ Technology guarantees your subscribers the best possible audio and video quality anywhere, any time.

Sales: [email protected] Support: [email protected]
