Showing results for 
Show  only  | Search instead for 
Did you mean: 

Web Gateway: Flash Video Won't Stream (RTMP)

What is RTMP?

Real Time Messaging Protocol is a proprietary protocol developed by Macromedia, now owned by Adobe, for streaming media over the internet using a flash player and server. Note: not all flash video uses RTMP. For example, youtube and many other sites don't. However, some do and this is to help you understand why RTMP may not stream in your environment.


Why Won't Flash Videos Play In My Environment?

The answer actually has two parts:

    1. When streaming using RTMP, Flash Player does not honor browser proxy settings and will attempt to connect to the server directly. It will first attempt to connect on port 1935, which is most commonly blocked in a corporate environment. It does have the ability to downgrade to RTMPT (RTMP Tunneled) which uses RTMP data encapsulated in HTTP on port 80, but will often still attempt to connect directly to the server. In our experience, most servers don't seem to be configured to allow this fallback over ports 80 or 443. The best solution is to allow port 1935
    2. Since this is a proprietary protocol, and is not HTTP, you can not simply port forward this traffic over to the Web Gateway. The Web Gateway is an HTTP proxy and will respond with a '400 Bad Request' if the traffic if it does not receive valid HTTP.



How Can I Tell if the Video is Using RTMP?

The easiest way is to run Wireshark on the client while you attempt to stream the video and use the filter "tcp.port eq 1935". I am using a video from for my example.



If you don't see any traffic on port 1935, there's a good chance that the site is first negotiating the connection directly over port 80 and or 443. Again, this connection does not honor browser settings so it may fail if you block users from connecting directly out on these ports. Similarly, if you are in a transparent environment, such as WCCP, and forward port 80 and 443 traffic to the Web Gateway this negotiation will fail as it is not valid HTTP traffic. Notice the lack of HTTP headers in the following screenshot:



Unfortunately, there is no way to make this work with the Web Gateway as it is not HTTP.


Tunneling RTMP in a Transparent Setup

It is possible to tunnel RTMP traffic through the Web Gateway in a transparent setup. When tunneling the traffic, Web Gateway is only able to provide basic security controls (like URL Filtering). An example of this can be found in this Community discussion:



Hopefully, you have a starting point to troublshooting flash video errors now. You will typically need to open up port 1935 outbound on your firewall for your users if you wish to allow RTMP in your environment when using direct proxy or find a way to make the traffic go direct if in a transparent environment.

Labels (1)

From my experience - if ports 1935, 80 & 443 are closed for client applications, then player is usually switched to RTMP-over-HTTP, and is detected by Streaming Detector. The main sign of RTMP-over-HTTP are requests & responses with 'application/x-fcs' Content-Type header...


Hi Alex,

While that is built in to the spec, I personally have not seen an example of this occurring. Of course, support doesn't get calls when things are working. However, we do get get calls virtually every day from customers who can't stream a video because they have port 1935 blocked on the firewall.



Hi Alex and Patrick.

I have to agree with Alexott - we have 80,443, and 1935 blocked directly, but do have 1935 working over HTTP via Proxy - example of a streaming media request is below.

[20/May/2013:13:43:42 +1000]|\||200|POST HTTP/1.1|Internet Services|Minimal Risk||1|0|334|272|Shockwave Flash|application/x-fcs||

However it is my understanding that the host provider end of the RTMP product can control how the media can be access - and I suspect that some providers do not allow RTMP-over-HTTP

- Andrew from Tassie


Hi Andrew,

This is an example of RTMP over HTTP on port 1935. When native RTMP traffic goes on port 1935 it is not enacapsulated in HTTP headers as you can see in the screenshots above. Therefore, you could not just simply re-direct port 1935 to the proxy and have it work. You understanding of provider support is spot on.


Version history
Revision #:
2 of 2
Last update:
‎03-20-2018 01:25 PM
Updated by:

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community