FaceTime Port issues - Common ports blocked?

So I got my FW admin to open the ports listed above. When I try to make a FT call to someone on our network it appears that my call goes out to apple, it then looks at the IP that the receiver is using (which is NATed to an external IP here) and then tells me that external IP as the phone to connect to so the call can connect. My FW people do not want to open the ports listed inbound. It should let me make a direct call when on the same network... Is there any technical documentation out there on this were we can see the details?

Same deal here... I am running a Firebox as a Firewall/DHCP server. I see in the live traffic monitor that the iPhones are trying to use UDP 16384/16385/16386 and they are all blocked because I only opened up 16399-16472.

Not sure what the deal is but thought I would add some input.

Are we saying here that Inbound ports need to be opened? Hmm. Outbound I can understand as it would have to create a connection somehow.

Surely NAT should handle this translation for return traffic, just like Skype?

Well if I am calling someone on my network I get natted out but then the receiver has to get notified of the call coming in from the outside. I know nothing about firewalls BTW. Is my thinking correct?

Still working with this one... I have 2 new 4G phones on the same home network. I am using the Cisco WRT120N router and set the following TCP ports

53
80 (normally open anyway for web)
443
4080
5223

and the following UDP range open as a source or destination.
16399-16472

The setting page asks for a "To IP Address" entry - should this be 250? 0? 100?

I also confirmed that UPnP is active.

Further, when I attempt to make a Face Time call when connected to my WIFI network, the phones attempt to connect then DROP the wireless signal and display they on connected to a 3G network instead of WIFI.

Thanks for any help in advance! I used to say that all Apple products 'just work'

Facetime should work out of the box with most home routers that use NAT and support uPnP. There are various technologies involved that try and get around any firewall or nat setup (see: http://blog.imtc.org/index.php/2010/06/09/the-technology-behind-apples-facetime- standards/)

The problem i had, was that we have 2 different WiFi networks in our office. A private one, which requires a certificate to use, so is not iPhone friendly, and a public one which has a very restricted firewall. Opening the ports outlined above worked when trying to make a FaceTime call between two phones on the public wireless. When i got home, i phoned a friend who was also at home, and it all worked fine without setup.

Im assuming that both inbound and outbound UDP ports need to be opened because there is direct UDP traffic sent between the devices on the external interface because there is some sort of mediation by apples servers. The outbound phone will send some packets to apples servers to indicate it wants to call the inbound phone, indicating a port that its ready to use, then apples servers find the inbound phone, tell it that a call is requested, at which point the inbound phone will have the 'external' ip address and port of the outbound phone, and will try and establish a direct connection. Since communication is going to be both ways on the external ip, the inbound and outbound port range needs to be open.

Skype only works out of the box, because it defaults to port 80 for communication (have you ever tried to run a web server when skype is running!!), which is generally open on most firewalls.

@blackout00 You will either need to allow the 'To Ip Address' to be any ip (probably * or something similar), or you will have to open up the ports for each of your phones specific IP Addresses (assuming they are not going to change).

Bump - Any updates on this?

Do these ports need to be open INBOUND or OUTBOUND?

If INBOUND, then the router will need uPnP.
If OUTBOUND, then 99% of routers will not have any problem.

Thanks for the good info. Most corporate security folks are going to shy away from opeing these ports inbound. We'd like to see some definitive information from Apple on this. From a corporate standpoint our perspective at this point is to have you do it at home, not a work. At least until there is some detailed explanation of access.

DG

I tested this from behind a corporate firewall and finally succeeded doing Facetime with Apple's "Test your FaceTime" number (888-FACETIME).

First of all, we didn't have to open up any inbound ports.

As far outbound ports, we already had 53 (DNS), 80 (HTTP), and 443 (HTTPS) open. Most corporations probably allow this already. I am not really sure why DNS port needs to be open to the outside world if your DNS is served internally. I'd suggest that you don't disturb your current outbound port 53 access on your firewall and try Facetime. If it doesn't work, you can try opening it up.

The other outbound ports we HAD to open are TCP 4080, TCP 5223, and UDP 16384-16403. I know that the UDP port range we opened is slightly different from the earlier posts. We started at 16384 because our firewall logs showed that the phone was trying to send out packets to that port and higher. We capped it at 16403 because we guessed that perhaps the iChatAV range as posted by apple at http://support.apple.com/kb/ts1629 is what applies to Facetime as well. That's just a guess. In any case, Apple should update that article for Facetime.

The way Apple's 888-FACETIME works, the request to start Facetime has to be initiated from their side (or at least that's what the guy told me on the phone). So, I couldn't test initiating the Facetime request from my side. Hopefully that will work as well.

Try going into settings, phone, show my caller id.

This was turned off on my co workers phone and it wouldn't work for several attempts, once he switched it to on it worked 1st try!!

for what its worth the specialist I just got off the phone told me these ports:

TCP
53
80
443
4080
5223

udp 16393-16472 (note this last one is different from the posters above).

I'm heading out to a starbucks(as per their advice) to confirm it works there, if so we'll have confirmation its a port issue(I'm using a Time Capsule directly connected to a modem)

OK I got facetime too work.

I first tried all the ports that were mentioned on this site and that didn't work for me. I then tried to open all the ports to my iPhone from my router (placed iPhone it in the DMZ) and that didn't work either.

I now assumed that it couldn't be the router or the network it had to be something with the phone and maybe the software for facetime. So I did what every good MS Windows user does and rebooted the iPhone, and that WORKED!!

Since my iPhone was still in the DMZ I decided to test my 2Wire router with the default settings so I switch back to what it was before I made any changes and I reboot my iPhone again and that worked!

So in summary - reboot your iPhone if all else fails. I am thinking that it could be they way your iPhone is connected to your network that a reboot can resolve.

Not saying this will work for everyone but it's something else you can try..

Ditch Bauer said:

udp 16393-16472 (note this last one is different from the posters above).

Yes, this is exactly what Apple tech support gave me. But when we looked in our firewall's logs, we found out that the phone was trying 16384 and above. So we set it to 16384 on the lower side.

Please let us know if the settings Apple gave you worked.