MGCP Security Rules

You can configure the Security Rule Base so that the gateway allows MGCP calls.

Best practice - Configure anti-spoofing on the Check Point gateway interfaces.

Note – The old policy rules remain in effect for calls already in progress, and those calls are not dropped.

MGCP-Specific services

These predefined MGCP services are available:

Predefined MGCP-Specific Services

| Service | Purpose |
|---|---|
| UDP:mgcp_CA | Used for MGCP over UDP. The well-known port is the Call Agent port, 2727. |
| UDP:mgcp_MG | Used for MGCP over UDP. The well-known port is the Media Gateway port, 2427. |
| Other:MGCP_dynamic_ports | Allows an MGCP connection to be opened on a dynamic port and not on the MGCP well-known port. |

MGCP Rules for a Call Agent in the External Network

An MGCP topology with a Call Agent in the external network is shown in the image.

This procedure shows how to:

VoIP rule for this scenario:

| Source | Destination | Services & Applications | Action |
|---|---|---|---|
| MGCP_Call_Agent, Net_A | Net_A, MGCP_Call_Agent | mgcp_CA or mgcp_MG or mgcp_dynamic_ports | Accept |

  1. Define the network objects (nodes or networks) for the IP phones that are managed by the MGCP Call Agent and whose calls are subject to gateway inspection.

    For the example in the image, these are Net_A and Net_B.

  2. Define the network object for the Call Agent (MGCP_Call_Agent).
  3. Configure the VoIP rule.
  4. To define Hide NAT or Static NAT for the phones in the internal network, edit the network object for Net_A.
    • Select the network object and double-click.
    • The Network window opens.
    • In the NAT tab, select Add Automatic Address Translation Rules, and then the Translation method, Hide or Static.
    • Install the security policy.
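
To check what the VoIP rule above matches before installing policy, the following added example (not Check Point code) models the rule and evaluates constructed flows against it. The IP addresses, the `Rule` class and the final "Drop" verdict for unmatched traffic are assumptions. NAT, protocol inspection and MGCP_dynamic_ports are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges); the page gives none.
OBJECTS = {
    "Net_A": ipaddress.ip_network("192.0.2.0/24"),
    "MGCP_Call_Agent": ipaddress.ip_network("198.51.100.10/32"),
}
# Well-known ports from the predefined MGCP services table.
SERVICES = {"mgcp_CA": ("udp", 2727), "mgcp_MG": ("udp", 2427)}

@dataclass(frozen=True)
class Rule:  # hypothetical model of one Rule Base row
    sources: tuple
    destinations: tuple
    services: tuple
    action: str

# VoIP rule for the external Call Agent scenario. MGCP_dynamic_ports is left
# out because the page does not say which ports it opens.
VOIP_RULE = Rule(("MGCP_Call_Agent", "Net_A"), ("Net_A", "MGCP_Call_Agent"),
                 ("mgcp_CA", "mgcp_MG"), "Accept")

def _in_any(ip, names):
    addr = ipaddress.ip_address(ip)
    return any(addr in OBJECTS[n] for n in names)

def evaluate(rule, src, dst, proto, dport):
    """Return rule.action on a match, else 'Drop' (assumed cleanup rule)."""
    svc_ok = any(SERVICES[s] == (proto, dport) for s in rule.services)
    if svc_ok and _in_any(src, rule.sources) and _in_any(dst, rule.destinations):
        return rule.action
    return "Drop"

def audit(rule, flows):
    """Evaluate (label, src, dst, proto, dport) tuples; return {label: verdict}."""
    return {label: evaluate(rule, *flow) for label, *flow in flows}

# Constructed sample flows.
SAMPLE_FLOWS = [
    ("phone -> call agent, udp/2727", "192.0.2.20", "198.51.100.10", "udp", 2727),
    ("call agent -> phone, udp/2427", "198.51.100.10", "192.0.2.20", "udp", 2427),
    ("unknown host -> phone, udp/2427", "203.0.113.5", "192.0.2.20", "udp", 2427),
    ("phone -> call agent, tcp/2727", "192.0.2.20", "198.51.100.10", "tcp", 2727),
]

if __name__ == "__main__":
    for label, verdict in audit(VOIP_RULE, SAMPLE_FLOWS).items():
        print(f"{verdict:6} {label}")
```

Because both objects appear in both the Source and Destination columns, the rule matches in either direction; a source outside Net_A and MGCP_Call_Agent matches nothing here, even on an MGCP port.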

Defining MGCP Rules for a Call Agent to Call Agent

This illustration shows a Call Agent-to-Call Agent topology with the Call Agents on opposite sides of the gateway.

VoIP rule for this scenario:

| Source | Destination | Services & Applications | Action | Comments |
|---|---|---|---|---|
| Call_Agent_Int, Call_Agent_Ext | Call_Agent_Ext, Call_Agent_Int | mgcp_CA or mgcp_MG | Accept | Bidirectional calls |

To enable bidirectional calls between phones in internal and external networks:

  1. Define the network object for the Proxy objects (Call_Agent_Int and Call_Agent_Ext).
  2. Configure the VoIP rule.
  3. To define Hide NAT or Static NAT for the phones in the internal network, edit the network object for Net_A.
    • Select the network object and double-click.
    • The Network window opens.
    • In the NAT tab, select Add Automatic Address Translation Rules, and then the Translation method, Hide or Static.
    • Install the security policy.

Defining MGCP Rules for a Call Agent in DMZ

The illustration shows an MGCP-based VoIP topology where a Call Agent is installed in the DMZ.

VoIP rule for this scenario:

| Source | Destination | Services & Applications | Action | Comments |
|---|---|---|---|---|
| Net_A, Net_B, Call_Agent | Net_A, Net_B, Call_Agent | mgcp_CA or mgcp_MG | Accept | Bidirectional calls |

To enable bidirectional calls between phones in internal and external networks (Net_A and Net_B):

  1. Define the network objects (nodes or networks) for the phones that are permitted to make calls and whose calls are subject to gateway inspection. In the image, these are Net_A and Net_B.
  2. Define the network object for the Call Agent (Call_Agent).
  3. Define the VoIP rule.
  4. To define Hide NAT or Static NAT for the phones in the internal network, edit the network object for Net_A.
    • Select the network object and double-click.
    • The Network window opens.
    • In the NAT tab, select Add Automatic Address Translation Rules, and then the Translation method, Hide or Static.
    • Install the security policy.