Helping FaceTime coexist with your firewall

Here's a solid explanation of how FaceTime works. https://twitter.com/mattgemmell/status/17006724831

As for firewall isssues… those of us behind tightly controlled, corporate ones are probably out of luck.

I haven't read much on FaceTime's protocols nor do I have an iPhone 4, but based on my experience with firewalling and NAT, Facetime uses some sort of "STUN" to establish its video calling.

http://en.wikipedia.org/wiki/Session_Traversal_Utilities_for_NAT

Doesn't the iPhone support IPv6? Doesn't AT&T's 3G?

OSX on the Mac supports IPv6 beautifully -- so does the Airport Extreme Base Station.

Avoiding this sort of problem an ideal application for IPv6.

This is fine and dandy and all....

except my iPhone 4 camera refuses to work half the time. It gets stuck on the virual shutter. When that happens, you cant take pictures or videos. And if someone facetimes you, they can't see your face (yes, I'm on wifi).

Resetting the phone sometimes works, but....c'mon.

Just more of a clarification on the ports:

After monitoring the firewall logs (with UPnP turned to watch the iPhone 4 handle the traffic), this is what I have discovered regarding the port requirements:

Outbound (established by the iPhone):

TCP 53 (DNS)
TCP 80 (HTTP)
TCP 443 (HTTPS)

Inbound/Outbound (Constant 2-way communication):
TCP 4080 (P2P Communication)
TCP 5223 (SSL XMPP)
UDP 16393-16472 (Looks like a random port is used within the range - Mostly Audio and Video traffic)

So, from what I can gather, the DNS, HTTP, and HTTPS ports are used primarily for establishing communication and the remaining ports are used by what Facetime actually does... face to face virtual communication.

Wow.. this feature is total junk if it requires that many ports to be forwarded to a phone. This would mean that you couldn't support multiple FaceTime clients behind a single NAT gateway if they have to own all of those, not to mention that you couldn't actually host any of those services on your network directly. I sure hope that this is a poorly worded article that's really trying to say that you need to have OUTBOUND access via those ports rather than INBOUND access.

I am just curious why they need ports 53 (DNS), 80 (HTTP) and 443 (HTTPS) to be forwarded. What purpose would those services have in this, and why would Apple use those ports? That would almost completely cripple FaceTime on any corporate network (yes, I understand most IT depts would have those services running on separate networks, but you get what I am saying).

The only thing stopping facetime over 3g is Apple and AT&T, their network can't handle the extra bandwidth needed. And yes, they can do point to point as every device on their network has an id, just like the internet.

This is another reason why FaceTime over 3G would be very difficult ... It's pretty much impossible to make a peer-to-peer connection between two iPhones over 3G, and you don't have access to AT&T's routers to forward the ports.

They could have a "one user can be on 3G but the other must be on WiFi" implementation, because that is what we essentially do with iCam to make the peer-to-peer connections.

Apple would have to have servers in place to basically act as a proxy for all of those 3G-to-3G FaceTime calls.