Open Frames Download Complete PDF Send Feedback Print This Page

Previous

Next

H.323-Based VoIP

In This Section:

Introduction to H.323

Supported H.323 Deployments and NAT Support

H.323 Security Rule Base Configuration

Introduction to H.323

H.323 is an ITU (International Telecommunication Union) standard that specifies the components, protocols, and procedures that provide multimedia communication services over packet networks (including IP based networks).

The Security Gateway supports these H.323 architectural elements:

  • IP phones

    Devices that:

    • Handle signaling (H.323 commands)
    • Connect to an H.323 gatekeeper

    IP Phones are defined in SmartDashboard, usually as a network of IP Phones. Usually it is not necessary to define Network objects for individual IP Phones.

  • Standard telephones that connect to an H.323 gateway

    These are not IP devices. It is not necessary to define them in SmartDashboard

  • A Gatekeeper that manages a collection of H.323 devices, such as phones

    Gatekeepers convert phone numbers to IP addresses. A Gatekeeper usually provides gateway services as well.

  • A Gateway that provides interoperability between different networks

    The gateway translates between the telephony protocol and IP.

Supported H.323 Deployments and NAT Support

Supported H.323 deployments are listed the Table. NAT (Hide or Static) can be configured for the phones in the internal network, and (where applicable) for the Gatekeeper.

  • NAT is not supported on IP addresses behind an external Check Point gateway interface
  • Manual NAT rules are only supported in environments where the gatekeeper is in the DMZ

 

No NAT

NAT for Internal Phones —
Hide/Static NAT

NAT for Gatekeeper —
Static NAT

Endpoint to Endpoint

Yes

Static NAT only

Not applicable

Gatekeeper/Gateway in External

Yes

Yes

Not applicable

Gatekeeper/Gateway to Gatekeeper/Gateway

Yes

Yes

Yes

Gatekeeper/Gateway in DMZ

Yes

Yes

Yes

Endpoint-to-Endpoint Communication

The IP Phones communicate directly, without a Gatekeeper or an H.323 Gateway. Static NAT can be configured for the phones on the internal side of the gateway.

Gatekeeper or H.323 Gateway in External Network

The IP Phones use the services of a Gatekeeper or H.323 Gateway on the external side of the gateway. This topology enables using the services of a Gatekeeper or an H.323 Gateway that is maintained by another organization. It is possible to configure Hide NAT (or Static NAT or no NAT) for the phones on the internal side of the gateway.

H.323 Gatekeeper/Gateway to Gatekeeper/Gateway

Each Gatekeeper or H.323 Gateway controls a separate endpoint domain. Static NAT can be configured for the internal Gatekeeper. For the internal phones, Hide NAT (or Static NAT) can be configured.

Gatekeeper or H.323 Gateway in the DMZ

The same Gatekeeper or H.323 Gateway controls both endpoint domains. This topology makes it possible to provide Gatekeeper or H.323 Gateway services to other organizations. Static NAT (or no NAT) can be configured for the Gatekeeper or H.323 Gateway. Hide NAT (or Static or no NAT) can be configured for the phones on the internal side of the gateway.

H.323 Security Rule Base Configuration

This section explains how to configure rules that allow H.323 calls through the gateway.

H.323 Specific Services

These predefined H.323 services are available:

Service

Purpose

TCP:H323

Allows a Q.931 to be opened (and if needed, dynamically opens an H.245 port), and dynamically opens ports for RTP/RTCP or T.120.

UDP:H323_ras

Allows RAS port to be opened, and then dynamically opens a Q.931 port (an H.245 port if needed). Also dynamically opens and RTP/RTCP and T.120 ports.

UDP:H323_ras_only

Allows only RAS. Cannot be used to make calls. If this service is used, no Application Intelligence checks (payload inspection or modification as NAT translation) are made. Do not use if you want to perform NAT on RAS messages. Do not use in the same rule as the H323_ras service.

TCP:H323_any

Relevant only for versions prior to R75.40VS:

Similar to the H323 service, but also allows the Destination in the rule to be ANY rather than a Network object. Only use H323_any if you do not know the VoIP topology, and are not enforcing media admission control (formerly known as Handover) using a VoIP domain. Do not use in the same rule as the H.323 service.

Note - In general, use the H.323 and H.323_ras services in H.323 Security Rule Base rules.

General Guidelines for H.323 Security Rule Configuration

  • It is recommended to configure anti-spoofing on the Check Point gateway interfaces.
  • To allow H.323 traffic, create rules let H.323 control signals through the gateway.

    It is not necessary to define a rule that specifies which ports to open and which endpoints can talk. The gateway derives this information from the signaling. For a given H.323 signaling rule (with RAS and/or H.323 services), the gateway automatically opens ports for the H.245 connections and RTP/RTCP media stream connections.

    Dynamic ports will only be opened if the port is not used by a different service. For example: if the Connect message identifies port 80 as the H.245 port, the port will not be opened. This prevents well-known ports from being used illegally.

  • To allow H.323 traffic in the Security Rule Base, use regular Network objects. It is not necessary to define special Network objects.
  • When using Hide NAT for H.323, include the hiding IP address in the destination of the H.323 rule. This allows the initiation of a TCP handshake from the external network to the hiding IP.
  • When configuring a security rule, if you want calls that are in progress not to be dropped during Install Policy, make sure to select Keep connections open after Policy has been installed in the Service Properties dialog box.

    Note – even if the new policy does not allow calls like those in progress, they will not be dropped during Install Policy.

H.323 Rule for an Endpoint-to-Endpoint Topology

An endpoint-to-endpoint topology is shown in the figure, with Net_A and Net_B on opposite sides of the gateway. This procedure explains:

  • How to allow bidirectional calls between the phones in the internal network (Net_A) and phones in an external network (Net_B)
  • How to define NAT for the internal phones

    No incoming calls can be made when Hide NAT is configured for the internal phones.

VoIP rule for this scenario:

Source

Destination

Service

Action

Net_A

Net_B

Net_B

Net_A

H323

Accept

To define an H.323 rule for endpoint-to-endpoint topology:

  1. Configure the VoIP rule.
  2. Define Hide NAT (or Static NAT) for the phones in the internal network.

    Do this by editing the network object for the internal network (Net_A):

    1. In the NAT tab, select Add Automatic Address Translation Rules
    2. Select the Translation method (Hide or Static)

    If you define Hide NAT, add a Node object (with the Hide NAT IP address) to the Destination of the rule(s) defined in step 1.

  3. Install the security policy.

H.323 Rules for a Gatekeeper-to-Gatekeeper Topology

A Gatekeeper-to-Gatekeeper topology is shown in the figure, with Net_A and Net_B on opposite sides of the gateway. This procedure shows you how to:

  • Allow bidirectional calls between the phones in the internal network (Net_A) and phones in an external network (Net_B)
  • Define NAT for the internal phones and the internal Gatekeeper (GK_A)

VoIP rule for this scenario:

Source

Destination

Service

Action

Comment

GK_A

GK_B

GK_B

GK_A

H323

H323_ras

Accept

Bidirectional calls.

To define an H.323 rule for gatekeeper-to-gatekeeper topology:

  1. Define the network objects (Nodes or Networks) for
    • Phones that use the Gatekeeper for registration
    • Allowed to make calls and their calls tracked by the gateway.

    In the figure, these are Net_A and Net_B.

  2. Define the Network object for the Gatekeeper objects (GK_A and GK_B)
  3. Define the VoIP rule.
  4. Define Hide NAT (or Static NAT) for phones in the internal network.

    Do this by editing the network object for the internal network (Net_A):

    1. On the NAT tab, select Add Automatic Address Translation Rules
    2. Select the Translation method (Hide or Static).
  5. To define Static NAT for the Gatekeeper or Gateway in the internal network: do step 4 again.
  6. Make the time-out of the H323_ras service equal to or greater than the Gatekeeper registration time-out.

    Configure the time-outs in the Advanced Properties window of the Service object.

  7. Install the security policy.

H.323 Rules for a Gateway-to-Gateway Topology

The illustration shows a Gateway-to-Gateway topology, with Net_A and Net_B on opposite sides of the gateway.This procedure shows you how to:

  • Allow bidirectional calls between phones in the internal network (Net_A), and phones in an external network (Net_B)
  • Define NAT for the internal phones and the internal gateway (GW_A).

VoIP rule for this scenario:

Source

Destination

Service

Action

Comment

GW_A

GW_B

GW_B

GW_A

H323

Accept

Bidirectional calls.

To define an H.323 rule for gateway-to-gateway topology:

  1. Define the network objects (Nodes or Networks) for phones that are allowed to make calls and their calls tracked by the gateway.

    For this example, these are Net_A and Net_B.

  2. Define the network object for the gateway objects (GW_A and GW_B)
  3. Define this VoIP rule.
  4. Define Hide NAT (or Static NAT) for the phones in the internal network.

    Do this by editing the network object for the internal network (Net_A):

    1. On the NAT tab, select Add Automatic Address Translation Rules
    2. Select the Translation method (Hide or Static).
  5. To define Static NAT for the Gatekeeper/Gateway in the internal network, do step 4 again for the Gatekeeper/Gateway object (GK_A).
  6. Install the security policy.

H.323 Rules for a Gatekeeper in the External Network

This figure shows a H.323 topology with a Gatekeeper in the Internet, with Net_A and Net_B on opposite sides of the gateway.This procedure explains how to:

  • Allow bidirectional calls between the phones in the internal network (Net_A) and phones in an external network (Net_B)
  • Define NAT for the internal phones

VoIP rule for this scenario:

Source

Destination

Service

Action

Comment

Net_A

Net_B

GK_B

GK_B

Net_A

H323_ras
H323

Accept

Bidirectional calls.

To define an H.323 rule for a gatekeeper in the external network:

  1. Define the network objects (Nodes or Networks) for the phones that:
    • Use the Gatekeeper for registration
    • Are allowed to make calls and their calls tracked by the gateway

    In the figure, these are Net_A and Net_B.

  2. Define the network object for the Gatekeeper (GK_B)
  3. Configure the VoIP rule.
  4. Define Hide NAT (or Static NAT) for the phones in the internal network.

    Do this by editing the network object for the internal network (Net_A):

    1. On the NAT tab, select Add Automatic Address Translation Rules
    2. Select the Translation method (Hide or Static)

      If you define Hide NAT, add a Node object (with the Hide NAT IP address) to the Destination of the rule(s) configured in step 3.

  5. Make the time-out of the H323_ras service greater or equal to the Gatekeeper registration time-out. Configure the time-outs in the Advanced Properties window of the Service object.
  6. Install the security policy.

H.323 Rules for a Gateway in the External Network

The figure shows an H.323 topology with a Gateway in the Internet, with Net_A and Net_B on opposite sides of the gateway. This procedure shows you how to:

  • Allow bidirectional calls between phones in the internal network (Net_A) and phones in an external network (Net_B)
  • Define NAT for the internal phones

VoIP rule for this scenario:

Source

Destination

Service

Action

Comment

Net_A

Net_B

GW_B

GW_B

Net_A

H323

Accept

Bidirectional calls.

To define an H.323 rule for a gateway in the external network:

  1. Define network objects (Nodes or Networks) for phones that are allowed to make calls, and their calls tracked by the gateway.

    For the example, these are Net_A and Net_B.

  2. Define the network object for the Gateway (GW_B)
  3. Define the VoIP rule.
  4. Define Hide NAT (or Static NAT) for the phones in the internal network.

    Do this by editing the object for the internal network (Net_A):

    1. On the NAT tab, select Add Automatic Address Translation Rules,
    2. Select the Translation method (Hide or Static).

      If using Hide NAT, add a Node object (with the Hide NAT IP address) to the Destination of the rule(s) defined in step 3.

  5. Install the security policy.

H.323 Rules for a Gatekeeper in DMZ Topology

The figure shows a H.323-based VoIP topology where a Gatekeeper is installed in the DMZ. This procedure explains how to:

  • Allow bidirectional calls between the phones in the internal network (Net_A) and phones in an external network (Net_B)
  • Define NAT for the internal phones and the Gatekeeper in the DMZ (GK_DMZ)

VoIP rule for this scenario:

Source

Destination

Service

Action

Comment

GK_DMZ

Net_A

Net_B

Net_A

Net_B

GK_DMZ

H323

H323_ras

Accept

Bidirectional calls.

Static NAT rules for the Gatekeeper in the DMZ:

Original

Translated

Comment

Source

Destination

Service

Source

Destination

Service

GK_DMZ

Net_B

*Any

GK_DMZ:
Static

=

=

Outgoing calls

Net_B

GK_DMZ_NATed

*Any

=

GK_DMZ:
Static

=

Incoming calls

To define an H.323 rule for a gatekeeper in the DMZ:

  1. Define the network objects (Nodes or Networks) for the phones:
    • That use the Gatekeeper for registration
    • Are allowed to make calls and their calls tracked by the gateway

    In the figure, these are Net_A and Net_B.

  2. Define the network object for the Gatekeeper (GK_DMZ).
  3. Define the VoIP rule.
  4. Define Hide NAT (or Static NAT) for the phones in the internal network.

    Do this by editing the network object for Net_A:

    1. In the NAT tab, select Add Automatic Address Translation Rules
    2. Select the Translation method (Hide or Static).

      If using Hide NAT:

      (i) Select the Hide behind IP address option.

      (ii) Enter the IP address of the Hiding address of the phones in the internal network.

      (iii) Add a Node object with the Hide NAT IP address to the Destination of the rule(s) defined in step 3.

  5. Define Static NAT for the Gatekeeper in the DMZ:
    1. Create a Node object for the Static address of the Gatekeeper (for example: GK_DMZ_NATed).
    2. Define the manual static NAT rules:
    3. Configure proxy-ARPs.

      You must associate the translated IP address with the MAC address of the gateway interface that is on the same network as the translated addresses. Use the arp command in UNIX or the local.arp file in Windows.

      The command fw ctl arp displays the ARP proxy table on gateways that run on Windows. On UNIX, use the arp -a command.

  6. Make the time-out for the H.323_ras service greater than or equal to the Gatekeeper registration time-out. Configure the time-outs in the Advanced Properties window of the Service object.
  7. Install the security policy.

H.323 Rules for a Gateway in DMZ Topology

The figure shows a H.323-based VoIP topology where a Gateway is installed in the DMZ. This procedure shows you how to:

  • Allow bidirectional calls between the phones in the internal network (Net_A) and phones in an external network (Net_B)
  • Define NAT for the internal phones and the Gateway in the DMZ (GW_DMZ)

VoIP rule for this scenario:

Source

Destination

Service

Action

Comment

GW_DMZ

Net_A

Net_B

Net_A

Net_B

GW_DMZ

H323

Accept

Bidirectional calls.

Static Nat rule for the Security Gateway in the DMZ:

Original

Translated

Comment

Source

Destination

Service

Source

Destination

Service

GW_DMZ

Net_B

*Any

GW_DMZ:
Static

=

=

Outgoing calls

Net_B

GW_DMZ_NATed

*Any

=

GW_DMZ:
Static

=

Incoming calls

To define an H.323 rule for a gateway in the DMZ:

  1. Define network objects (Nodes or Networks) for phones that are allowed to make calls and their calls tracked by the gateway.

    In the figure, these are Net_A and Net_B.

  2. Define the network object for the Gateway (GW_DMZ).
  3. Define the VoIP rule:
  4. Define Hide NAT (or Static NAT) for the phones in the internal network.

    Edit the network object for Net_A:

    1. On the NAT tab, select Add Automatic Address Translation Rules
    2. Select the Translation method (Hide or Static).

      If using Hide NAT:

      (i) Select the Hide behind IP address.

      (ii) Enter the IP address of the Hiding address of the phones in the internal network.

      (iii) Add a Node object with the Hide NAT IP address to the Destination of the rule(s) defined in step 3.

  5. Define Static NAT for the Gateway in the DMZ, add manual NAT rules:
    1. Create a Node object for the Static address of the Gateway (for example: GW_DMZ_NATed).
    2. Define these manual NAT rules:
    3. As for all manual NAT rules, configure proxy-arps.

      You must associate the translated IP address with the MAC address of the Check Point Gateway interface that is on the same network as the translated addresses. Use the arp command in UNIX or the local.arp file in Windows.

      The command fw ctl arp displays the ARP proxy table on gateways that run on Windows. On UNIX, use the arp -a command.

  6. Install the security policy.
 
Top of Page ©2014 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print