A Guide for Network System Administrators


Pitchsmart is a family of technologies which enable people to make presentations over the Internet. Pitchsmart Presenter helps people make real-time presentations to up to one thousand viewers. Pitchsmart Theater provides 24 x 7 access to self-running presentations stored on the Web.

For Network Administrators, Pitchsmart offers a number of advantages. For instance, compared to HTML-published Powerpoint files, Pitchsmart files are smaller and use bandwidth more gracefully. Once the presentation file is cached (it is not pushed), screen changes, animations, and interactivity are controlled through very small (<500 byte) messages reflected through a network of messaging servers.

While the vast majority of Internet users can view Pitchsmart presentations without problems, some users may not be able to properly connect to our network. This document describes the mechanism used for messaging and suggests solutions for resolving problems.

How Pitchsmart Presenter Works
Pitchsmart presentations are based on Shockwave from Macromedia. These files are delivered from standard web servers using HTTP protocol and incorporate Shockwave's "Safe Player" security model.

During a Pitchsmart Presenter session, these Shockwave files retrieve the domain name of a messaging server using an HTTP POST. Using the domain returned, the Shockwave movie then initiates a connection to messaging servers in the Distributed Netcasting network through TCP port 1626, with a fallback to TCP port 80. Once this persistent connection is established, a presenter (using a control module) can change slides, control animations, and the like.

To check if your firewall is properly configured for Pitchsmart, point your browser to: http://www.pitchsmart.com/areyouready

Firewall issues
Pitchsmart Presenter messaging operates across a connection on an arbitrary TCP port. The current default TCP port is 1626, which is published by IANA as a "registered port" for Shockwave services. (IANA classifies TCP port numbers into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. A listing of all registered port numbers is at http://www.iana.org/assignments/port-numbers.)

Currently, servers on our distributed messaging network also listen on TCP port 80. Our data indicates that listening on these ports results in successful connections for over 98% of user attempts.

If your firewall blocks TCP port 1626 or non-http formatted port 80 traffic, there are several solutions:

1) The easiest solution is to open up outbound traffic on TCP port 1626. Since ALL Pitchsmart-bound port 1626 connections are initiated from inside your network, this DOES NOT represent a security risk. We recommend that you configure your firewall to reject inbound port 1626 connection requests.

2) If you choose to open up port 1626, we can provide a list of IP addresses/domains that make up the messaging servers on our distributed network. You can then use allow/deny to filter traffic for an additional level of security.

3) If we are building a Pitchsmart presentation for your organization, we can configure it to use a TCP port that may already be open through your firewall, such as ports 25, 110, or 554.

4) Since our servers can listen for messaging traffic on any TCP port, we can reconfigure our servers to send traffic on any open port of your choosing.
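As an added example (not from this tech note), the following POSIX shell script generates iptables rules implementing solutions 1 and 2 together: new outbound connections on the messaging port are permitted only to an allowlist of messaging servers, all other outbound use of that port is dropped, and inbound connection requests to it are rejected. The addresses in PITCHSMART_SERVERS are constructed placeholders standing in for the list Pitchsmart would supply, and eth0 is assumed to be the firewall's external interface.

```shell
#!/bin/sh
# Added example: emit iptables rules for a firewall that must let Shockwave
# clients inside the network reach Pitchsmart messaging servers on TCP 1626
# (or whichever port Pitchsmart has been configured to use), while rejecting
# inbound 1626 connection attempts. Not part of the Pitchsmart tech note.

# Constructed allowlist, one address or CIDR per line. Replace these
# placeholder (RFC 5737 documentation) addresses with the list supplied
# by Pitchsmart.
PITCHSMART_SERVERS="192.0.2.10
192.0.2.11
198.51.100.0/24"

# External interface of the firewall (assumed).
EXT_IF=eth0

# Print the rules rather than applying them, so they can be reviewed first.
# Usage: pitchsmart_rules [port]   (default 1626)
pitchsmart_rules() {
    port=${1:-1626}
    # Return packets of connections already opened from inside the network.
    echo "iptables -A FORWARD -i $EXT_IF -p tcp --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New connections to the messaging port, but only toward allowlisted servers.
    for host in $PITCHSMART_SERVERS; do
        echo "iptables -A FORWARD -o $EXT_IF -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT"
    done
    # Any other outbound use of the messaging port is dropped ...
    echo "iptables -A FORWARD -o $EXT_IF -p tcp --dport $port -j DROP"
    # ... and inbound connection requests (SYN) to it are rejected, as recommended.
    echo "iptables -A FORWARD -i $EXT_IF -p tcp --dport $port --syn -j REJECT --reject-with tcp-reset"
}

# Print the rule set for the default port; pipe into sh on the firewall once reviewed.
pitchsmart_rules
```

If Pitchsmart is instead configured to use port 80 (or another port already in general use such as 25 or 110), keep the allowlist ACCEPT lines but omit the DROP line, since it would also block that port's ordinary traffic.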

NAT Issues
Pitchsmart Presenter and Pitchsmart Theater have no problems operating with well-configured NATing. As long as your network provides unique IP addresses, Pitchsmart presentations operate transparently.

Proxy Issues
Proxy servers can cause problems with Pitchsmart presentations in two ways.

First, with Internet Explorer 4 on the MacOS, Shockwave will not properly use the browser's proxy server settings and therefore will not be able to perform network operations. The solution is to use IE 5, or any other browser which supports Shockwave.

The more vexing problem is that proxy servers can interfere with communication with our distributed messaging network. Symptoms are similar to those seen when traffic is blocked by firewalls.

We have seen only rare proxy-server-caused problems, and we are continuing to monitor the issue and find resolutions. In the meantime, here are some general guidelines.

1) If the problem is port-blocking, implement one of the solutions recommended in the previous firewall discussion.

2) If your proxy server presents a single IP address to the outside world, configure your proxy server to present unique host IP addresses to traffic on port 1626. You can combine this with IP range/domain allow/deny filtering for further security. You should also note that these IP addresses need not be the actual private network addresses on your network, but can be obtained through NAT.

Document ID: PS/TN0001
Author: Tom McCrystal
Revision: 0.9 draft
Revision Date: 15 August 2001