Open Frames Download Complete PDF Send Feedback Print This Page

Previous

Next

MGCP-Based VoIP

In This Section:

Introduction to MGCP

MGCP Supported Deployments and NAT Support

Rule Base Configuration for MGCP

Introduction to MGCP

MGCP is a protocol for controlling telephony gateways from external call control devices called Call Agents (also known as Media Gateway Controllers).

MGCP is a master-slave protocol, with the Call Agent as master and endpoints as slaves. (SIP and H.323 are peer-to-peer protocols.)

The MGCP protocol assumes call control devices, or Call Agents, synchronize with each other to send commands to the devices (Media Gateways) they control. Call Agents also connect directly to IP Phones. The Media Gateways or IP Phones are run commands sent by the Call Agents. The figure shows the MGCP elements and call control actions.

Media Gateways and MGCP IP phones usually support features such as conference calls, 3-way brokering and supervisor inspection.

MGCP Supported Deployments and NAT Support

The Security Gateway supports the MGCP deployments listed in the table. It is possible to configure NAT (Hide or Static) for the phones in the internal network.

NAT is not supported on IP addresses behind an external Security Gateway interface.

The SmartDashboard configuration depends on the topology.

Supported MGCP Topology

No NAT

NAT for Internal Phones -
Hide/Static NAT

Call Agent in external network

Yes

Yes

Call Agent in DMZ

Yes

No

Call Agent to Call Agent

Yes

No

Call Agent in external network

The IP Phones use the services of a Call Agent on the external side of the gateway. This topology enables using the services of a Call Agent that is maintained by another organization. It is possible to configure Hide NAT (or Static NAT or no NAT) for the phones on the internal side of the gateway.

 

Call Agent in the DMZ

The same Call Agent controls both endpoint domains. This topology makes it possible to provide Call Agent services to other organizations.

Call Agent to Call Agent

Each Call Agent controls a separate endpoint domain.

 

Where there is one or more Call Agents, the signaling passes through each Call Agent. Once the call has been set up, the media can pass endpoint to endpoint.

Additional Conditions for Using NAT in MGCP Networks

You can use MGCP with Network Address Translation (NAT), but:

  • Manual NAT rules are not supported. Use Automatic NAT.
  • Calls cannot be made from an external source to two endpoints on the trusted side of a gateway if one of the endpoints is NATed and the other is not.
  • Bidirectional NAT of VoIP calls is not supported.

    Important - Hide NAT can be used for all types of calls (incoming, outgoing, internal and external). For security reasons, when using Hide NAT for incoming calls, the Destination of the VoIP call in the Rule Base cannot be Any.

Hide NAT for MGCP traffic

Enabling the Hide NAT changes source port for MGCP option configures the gateway to do Hide NAT on the:

  • IP address of the MGCP endpoint phones
  • Source port of the MGCP endpoint phones.

Find the option on the:

IPS tab > Protections > By Type > Engine Settings > MGCP - General Settings Protection Details > General tab.

With this option disabled, the gateway performs Hide NAT only on the IP address of the MGCP endpoint phones. This option must be selected in environments where:

  • The gateway is configured (in SmartDashboard) to do Hide NAT on the internal IP addresses of the endpoints.
  • The MGCP server can register only one endpoint with a given IP address and port combination.

MGCP Packet before NAT

The packet capture shown here shows an MGCP packet from a phone with IP address 194.90.147.53, and source port 2427 (the default MGCP port).

Packet after Hide NAT when Option is Disabled

The packet capture shown here shows the MGCP packet after Hide NAT, with the Hide NAT changes source port for MGCP option disabled. The IP address is translated to the Hide NAT address of 194.90.147.14, but the source port 2427 is unchanged.

In this environment, all the internal phones are registered with the same Source IP (for example 194.90.147.14) and the default MGCP source port (2427).

Some MGCP servers can register a phone with only one IP address and port combination. As a result, only one of the phones behind that IP address will be registered successfully on the server.

Packet after NAT when Option is Enabled

This packet capture shows the MGCP packet after Hide NAT, with the option enabled.

  • The IP address is translated to the Hide NAT address of 194.90.147.14.
  • The source port is also translated to an allocated port of 10416.

In this environment, a different port is allocated for each internal phone. All phones are registered with a different Source IP: port combination. For example:

  • One phone with source IP 194.90.147.14 and source port 10416 (as shown in the packet capture), and
  • Another phone with source IP 194.90.147.14 and source port 10417.

As a result, all internal phone are registered successfully on the server.

Rule Base Configuration for MGCP

This section explains how to configure Security Rule Base Rules so that the gateway allows MGCP calls.

  • It is recommended to configure anti-spoofing on the Check Point gateway interfaces.
  • To allow MGCP conversations, create rules that let MGCP control signals through the gateway.

    It is not necessary to define a rule that specifies which ports to open and which endpoints can talk. The gateway derives this information from the signaling. For VoIP signaling rules, the gateway automatically opens ports for the endpoint-to-endpoint RTP/RTCP media stream.

  • When configuring a security rule, if you want calls that are in progress not to be dropped during Install Policy, make sure to select Keep connections open after Policy has been installed in the Service Properties dialog box.

    Note – even if the new policy does not allow calls like those in progress, they will not be dropped during Install Policy.

MGCP-Specific services

These predefined MGCP services are available:

Predefined MGCP-Specific Services

Service

Purpose

UDP:mgcp_CA

Used for MGCP over UDP, for connections using the well known port is the Call-Agent port (2727).

UDP:mgcp_MG

Used for MGCP over UDP, and whose well known port is the Media Gateway port (2427).

Other:MGCP_dynamic_ports

Allows a MGCP connection to be opened on a dynamic port and not on the MGCP well-known port.

MGCP Rules for a Call Agent in the External Network

An MGCP topology with a Call Agent in the external network is shown in the figure.

This procedure shows how to:

  • Allow bidirectional calls between the MGCP phones in the internal network (Net_A) and phones in an external network (Net_B)
  • Define NAT for the internal phones

VoIP rule for this scenario:

Source

Destination

Service

Action

MGCP_Call_Agent
Net_A

Net_A
MGCP_Call_Agent

mgcp_CA or mgcp_MG or mgcp_dynamic_ports

Accept

To define an MGCP rule for a call agent in the external network:

  1. Define the network objects (Nodes or Networks) for IP Phones managed by the MGCP Call Agent, and their calls subject to gateway inspection.

    For the example in the figure, these are Net_A and Net_B.

  2. Define the network object for the Call Agent (MGCP_Call_Agent).
  3. Configure the VoIP rule.

    To define Hide NAT (or Static NAT) for the phones in the internal network, edit the network object for Net_A.

    1. On the NAT tab, select Add Automatic Address Translation Rules.
    2. Select the Translation method (Hide or Static).
  4. Install the security policy.

MGCP Rules for Call Agent in DMZ

The illustration shows an MGCP-based VoIP topology where a Call Agent is installed in the DMZ.

VoIP rule for this scenario:

Source

Destination

Service

Action

Comment

Net_A

Net_B

Call_Agent

Net_A

Net_B

Call_Agent

mgcp_CA
or
mgcp-MG

Accept

Bidirectional calls.

To enable bidirectional calls between phones in internal and external networks (Net_A and Net_B):

  1. Define the Network objects (nodes or networks) for the phones that are permitted to make calls, and their calls subject to gateway inspection. In the figure, these are Net_A and Net_B.
  2. Define the Network object for the Call Agent (Call_Agent).
  3. Configure the VoIP rule.
  4. Install the security Policy.

MGCP Rules for Call Agent to Call Agent

This illustration shows a Call Agent-to-Call Agent topology with the Call Agents on opposite sides of the gateway.

VoIP rule for this scenario:

Source

Destination

Service

Action

Comment

Call_Agent_Int

Call_Agent_Ext

Call_Agent_Ext

Call_Agent_Int

mgcp_CA
or
mgcp-MG

Accept

Bidirectional calls.

To enable bidirectional calls between phones in internal and external networks:

  1. Define the Network object for the Proxy objects (Call_Agent_Int and Call_Agent_Ext).
  2. Configure the VoIP rule.
  3. Install the security Policy.
 
Top of Page ©2014 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print