As the Antenna-gate controversy raged and finally subsided, the team here was busy enhancing our App-ID technology to identify Apple's new video calling feature, FaceTime. It is essentially the audio-video chat functionality of Apple's iChat for desktops, but tied to the iPhone 4. From our analysis of FaceTime's network traffic, we found that it uses SIP, the industry standard protocol for VoIP telephony, for call signaling; STUN for NAT traversal; and XMPP over SSL for authentication with Apple.
Since it relies on Wi-Fi connectivity, corporate networks will have to carry this traffic as employees begin to use it inside the enterprise. For enterprises that do not want to install and manage their own SIP network, it serves as an out-of-the-box mobile video calling solution.
However, some security admins are wary of the number of ports that must be opened in their firewalls to allow FaceTime calling. Apple's note on its support site states:
If the Wi-Fi network router that you are connected to uses a firewall or security software to restrict Internet access, contact the network administrator and reference this technical article. To use FaceTime on a restricted Wi-Fi network, port forwarding must be enabled for ports 80, 443, 3478, 4080, 5223, and 16393-16402 (UDP).
We say, you can have your cake and eat it too! App-ID technology lets admins identify and control traffic based on the specific application, not just ports and protocols. So to permit FaceTime calling, you only need to create a security policy that allows the facetime App-ID. If they are not already allowed, the firewall alerts you to the applications it depends on: sip, stun, ssl, jabber (xmpp), and ichat-av.
Instead of leaving the entire suggested UDP port range open, the built-in SIP application-level gateway (ALG) dynamically opens only the RTP/RTCP media ports negotiated in each call's SDP, for the duration of that call. When NAT is in use, it also rewrites the addresses and ports embedded in the SIP headers and SDP payload, so the media streams reach the translated endpoint instead of an unroutable private address.
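To make the ALG behaviour concrete, here is an added example (not code from the original post or from any firewall vendor) that does in Python what a SIP ALG does on the wire: it parses the SDP offer inside a SIP INVITE, works out exactly which UDP ports the RTP and RTCP streams will use, and rewrites the private address and ports the way a NAT-aware ALG must. The INVITE, the addresses 10.0.0.23 and 203.0.113.5, the ports and the Call-ID are all constructed sample values; the outside-port mapping is an assumed NAT allocation. The contrast with Apple's static list is the point: this offer needs four pinholes, not the ten-port range 16393-16402.

```python
import re

# Constructed SIP INVITE carrying an SDP offer, modelled on what a SIP/RTP
# video client sends. Every address, port and Call-ID here is a made-up
# sample value, not captured traffic. The video section deliberately puts
# RTCP on a non-default port (a=rtcp, RFC 3605) to exercise that path.
_SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.23\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.23\r\n"
    "t=0 0\r\n"
    "m=audio 16394 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 16396 RTP/AVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
    "a=rtcp:16399\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.23:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@10.0.0.23>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: constructed-call-id@10.0.0.23\r\n"
    "Contact: <sip:alice@10.0.0.23:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP_BODY)}\r\n"
    "\r\n" + _SDP_BODY
)

# Apple's suggested static UDP range for FaceTime media, for comparison.
STATIC_UDP_RANGE = set(range(16393, 16403))


def split_sip(message):
    """Split a SIP message into (list of header lines, body string)."""
    head, _, body = message.partition("\r\n\r\n")
    return head.split("\r\n"), body


def parse_sdp_media(body):
    """Return [(media, address, rtp_port, rtcp_port), ...] for each active m= line.

    A session-level c= line applies to every media section unless the
    section carries its own. RTCP defaults to RTP+1 (RFC 3550) unless an
    a=rtcp attribute overrides it. Port 0 means the stream is disabled.
    """
    session_addr, sections, current = None, [], None
    for line in body.split("\r\n"):
        if line.startswith("c="):
            addr = line.split()[2]
            if current is None:
                session_addr = addr
            else:
                current["addr"] = addr
        elif line.startswith("m="):
            fields = line[2:].split()
            current = {"media": fields[0], "rtp": int(fields[1]),
                       "rtcp": None, "addr": None}
            sections.append(current)
        elif line.startswith("a=rtcp:") and current is not None:
            current["rtcp"] = int(line[7:].split()[0])
    return [(s["media"], s["addr"] or session_addr, s["rtp"],
             s["rtcp"] if s["rtcp"] is not None else s["rtp"] + 1)
            for s in sections if s["rtp"] != 0]


def alg_pinholes(message):
    """The (address, udp_port) pinholes an ALG opens for this offer.

    Only the ports the SDP names are opened; a real ALG closes them again
    when the dialog ends, so nothing stays open between calls.
    """
    _, body = split_sip(message)
    return {(addr, port)
            for _m, addr, rtp, rtcp in parse_sdp_media(body)
            for port in (rtp, rtcp)}


def nat_rewrite(message, inside_addr, outside_addr, port_map):
    """Rewrite the embedded addresses and ports the way a NAT-aware ALG does.

    Plain NAT only translates the IP/UDP headers; the private address is
    still inside Via, Contact, o= and c=, and the media ports inside m= and
    a=rtcp. port_map maps each inside UDP port to its allocated outside port.
    """
    headers, body = split_sip(message)
    new_headers = [h.replace(inside_addr, outside_addr)
                   if h.startswith(("Via:", "Contact:")) else h for h in headers]
    new_lines = []
    for line in body.split("\r\n"):
        line = line.replace(inside_addr, outside_addr)
        if line.startswith("m="):
            fields = line.split()
            fields[1] = str(port_map.get(int(fields[1]), int(fields[1])))
            line = " ".join(fields)
        elif line.startswith("a=rtcp:"):
            port = int(line[7:].split()[0])
            line = f"a=rtcp:{port_map.get(port, port)}"
        new_lines.append(line)
    new_body = "\r\n".join(new_lines)
    # Content-Length must track the rewritten body or the peer mis-parses it.
    new_headers = [f"Content-Length: {len(new_body)}"
                   if h.lower().startswith("content-length:") else h
                   for h in new_headers]
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body


def content_length_ok(message):
    """True if the Content-Length header matches the actual body length."""
    headers, body = split_sip(message)
    declared = [int(h.split(":", 1)[1]) for h in headers
                if h.lower().startswith("content-length:")]
    return declared == [len(body)]


if __name__ == "__main__":
    holes = alg_pinholes(SAMPLE_INVITE)
    print(f"ALG opens {len(holes)} UDP ports vs {len(STATIC_UDP_RANGE)} static:",
          sorted(p for _a, p in holes))
    translated = nat_rewrite(SAMPLE_INVITE, "10.0.0.23", "203.0.113.5",
                             {16394: 30000, 16395: 30001, 16396: 30002, 16399: 30005})
    print(translated)
```

The `a=rtcp` handling matters in practice: an ALG that assumes RTCP is always RTP+1 will leave a real client's RTCP unreachable, and the first symptom is usually one-way or degraded video rather than an obvious failure. Likewise, forgetting to recompute `Content-Length` after rewriting the SDP is a classic ALG bug that makes the far end truncate or reject the offer.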
If Apple's goals of shipping tens of millions of FaceTime devices this calendar year and making FaceTime an open standard are indeed realized, we can expect to see a lot of this traffic on corporate networks in the near future.