Getting QuickTime Streaming Content Through Firewalls

Most firewalls block UDP/RTSP traffic, as shown in Figure 25.

Figure 25
UDP/RTSP Traffic Is Blocked by Most Firewalls

HTTP-tunneled requests, on the other hand, pass through most firewalls as shown in Figure 26.

Figure 26
HTTP-Tunneled Traffic Passes Through Most Firewalls

Figure 26 illustrates why HTTP tunneling is widely used for QuickTime streaming on the Web. The HTTP packets pass through most firewalls, and the RTSP data embedded in the packets lets the QuickTime players communicate with the streaming servers.
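To see what "RTSP data embedded in the packets" looks like from the firewall or proxy side, the following added example (not part of the original documentation or the appliance's code) classifies raw HTTP requests as tunnel halves or ordinary web traffic. It assumes the QuickTime RTSP-over-HTTP convention of a GET and a POST that share an `x-sessioncookie` header and use the `application/x-rtsp-tunnelled` media type, which this page does not spell out. The host, path, and cookie values are constructed.

```python
import base64

TUNNEL = "application/x-rtsp-tunnelled"  # media type used on both halves of the tunnel
COOKIE = "tD9hKgAAfB8ABCftAAAAAw"        # constructed session cookie
RTSP = "DESCRIBE rtsp://media.example.com/sample.mov RTSP/1.0\r\nCSeq: 1\r\n\r\n"
# Constructed sample requests (not captured traffic); host, path and cookie are made up.
SAMPLES = [
    f"GET /sample.mov HTTP/1.0\r\nx-sessioncookie: {COOKIE}\r\nAccept: {TUNNEL}\r\n\r\n",
    f"POST /sample.mov HTTP/1.0\r\nx-sessioncookie: {COOKIE}\r\nContent-Type: {TUNNEL}\r\n\r\n"
    + base64.b64encode(RTSP.encode()).decode(),
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
]

def parse_request(raw):
    """Split a raw HTTP request into method, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body

def classify(raw):
    """Label one request: GET half, POST half (with decoded RTSP line), or plain HTTP."""
    method, headers, body = parse_request(raw)
    cookie = headers.get("x-sessioncookie")
    if method == "GET" and cookie and headers.get("accept") == TUNNEL:
        return {"kind": "tunnel-get", "session": cookie}
    if method == "POST" and cookie and headers.get("content-type") == TUNNEL:
        try:  # the POST body carries base64-encoded RTSP requests
            rtsp = base64.b64decode(body, validate=True).decode("ascii").split("\r\n")[0]
        except (ValueError, UnicodeDecodeError):
            rtsp = None  # malformed body: still a tunnel attempt, just undecodable
        return {"kind": "tunnel-post", "session": cookie, "rtsp": rtsp}
    return {"kind": "plain-http"}

def paired_sessions(requests):
    """Return session cookies seen on both a GET and a POST, i.e. complete tunnels."""
    seen = {}
    for result in map(classify, requests):
        if "session" in result:
            seen.setdefault(result["session"], set()).add(result["kind"])
    return sorted(s for s, kinds in seen.items() if len(kinds) == 2)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The decoded RTSP request line shows which stream a player is asking for even though the firewall only sees port-80 HTTP, which is the visibility a proxy log review would rely on.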


The Appliance and HTTP Tunneling

Excelerator can be configured to either process and actively fill HTTP tunneled requests or to simply pass them through to the origin streaming servers. Table 5 summarizes the differences and trade-offs of having HTTP tunnel support enabled and disabled.


Table 5. QuickTime HTTP Tunnel Options

 

| | QT HTTP Tunnel Support Enabled | QT HTTP Tunnel Support Not Enabled (HTTP pass through) |
|---|---|---|
| How player requests are handled | The appliance acts as a proxy for the player. | The appliance simply forwards player requests. |
| Which protocols are used | UDP/RTSP | HTTP |
| What a firewall does | The firewall blocks communication with the server. | Most firewalls let packets through. |
| Is the stream cached? | Yes | No |


Passing Streaming Content Through the Appliance Without Caching It

If you don't want to cache QuickTime HTTP tunneled streams, appliance setup is very simple. You only need to ensure that the QuickTime HTTP Tunnel Enable option is not checked on the Streaming tab.

After that, any HTTP tunneled requests that come through a forward and/or transparent streaming proxy service defined on the appliance will be passed through to the origin streaming server and the returned streaming data will not be cached.

Because HTTP-tunneled traffic generally passes through firewalls, the location of the appliance in relation to the players is not a critical issue.

On the other hand, if you want to cache QuickTime HTTP tunneled streams, you have several options for overcoming firewall limitations.


Setting Up Your Appliance to Work with Firewalls

This section outlines three simplified configuration scenarios for getting QuickTime streaming content through firewalls. The first scenario works only for HTTP tunneled player requests. The other two scenarios work for both HTTP tunneled requests and RTSP requests.


Placing the Appliance Outside the Firewall

If you place the appliance outside the firewall, the QuickTime players can use HTTP tunneled requests to go through the firewall to the appliance. The appliance can then use UDP/RTSP to communicate with the origin streaming server, as shown in Figure 27.

Figure 27

In this scenario, all appliance IP addresses, the default gateway, and the DNS server would be on subnets outside the firewall.

NOTE:  This approach does not apply to players configured to use the UDP/RTSP transport option.


Going Through an RTSP Proxy on the Firewall or Network Address Translator (NAT)

If you place the appliance inside a firewall or behind a network address translator, you will need a way to get the UDP/RTSP packets through the firewall or translator to the origin streaming server.

Some firewalls and translators have an RTSP proxy feature that is designed for this purpose.

If your firewall or translator has an RTSP proxy feature, you can configure the IP address and port number of the RTSP proxy service on the firewall or translator as an upstream proxy to the appliance. (For more information, see Configuring an Upstream Proxy for the Appliance.)

The appliance can then use the UDP and RTSP protocols to communicate with the origin streaming server through the firewall or translator, as shown in Figure 28.

Figure 28

In this scenario, the appliance IP addresses, the default gateway, the DNS server, and the RTSP proxy service on the firewall or network address translator would all be on subnets inside the firewall.


Using the Appliance as a Component in the Firewall

If neither of the previous two options is possible for your network, you can configure the appliance as a firewall component by doing the following:

Figure 29 illustrates this scenario.

Figure 29

In this scenario, the appliance IP addresses would be both inside and outside the firewall, depending on the network cards to which they were assigned. The default gateway and the DNS server would be on subnets outside the firewall.