Important Information about Creating MGCP Security Rules

You can configure the Security Rule Base so that the gateway allows MGCP calls.

Best practice - Configure anti-spoofing on the Check Point gateway interfaces.

Note – The old policy rules remain in effect for calls that are already in progress, so those calls are not dropped.

MGCP Rules for a Call Agent in the External Network

An MGCP topology with a Call Agent in the external network is shown in the image. You can configure Hide or Static NAT for the phones in the internal network.

In this image, the IP phones use a Call Agent on the external side of the gateway. This topology enables the use of a Call Agent that is maintained by another organization. It is possible to configure Hide NAT, Static NAT or no-NAT for the phones on the internal side of the gateway.

This procedure shows how to:

VoIP rule for this scenario:

| Source | Destination | Services & Applications | Action |
|---|---|---|---|
| MGCP_Call_Agent, Net_A | Net_A, MGCP_Call_Agent | mgcp_CA or mgcp_MG or mgcp_dynamic_ports | Accept |

  1. Configure the Network Objects (nodes or networks) for the IP phones that are managed by the MGCP Call Agent and whose calls are subject to gateway inspection.

    For the example in the image, these are Net_A and Net_B.

  2. Configure the Network Object for the Call Agent (MGCP_Call_Agent).
  3. Configure the VoIP rule.
  4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the Network Object. See Setting up your network for Network Address Translation.
  5. Install Policy.
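
The five steps above, expressed as the ordered Check Point Management API calls that would create the same objects and rule. This is an added example, not part of the original guide: it only builds and validates the payloads offline, defines Net_A as the rule table does, and the layer name, policy package, gateway name and all IP addresses are assumptions.

```python
import ipaddress

MGCP_SERVICES = ["mgcp_CA", "mgcp_MG", "mgcp_dynamic_ports"]  # service names from the rule above

def nat_settings(method, translated_ip=None):
    """Automatic NAT for the phone network: 'hide', 'static' or None (no NAT)."""
    if method is None:
        return None
    if method == "hide":
        return {"auto-rule": True, "method": "hide", "hide-behind": "gateway"}
    if method == "static":
        if translated_ip is None:
            raise ValueError("Static NAT needs a translated address")
        ipaddress.ip_address(translated_ip)  # raises ValueError if malformed
        return {"auto-rule": True, "method": "static", "ip-address": translated_ip}
    raise ValueError(f"unknown NAT method: {method!r}")

def build_calls(phone_cidr, call_agent_ip, nat_method="hide", translated_ip=None,
                layer="Network", package="Standard", gateway="gw1"):
    """Return the ordered (command, payload) list for steps 1-5.
    layer, package and gateway are assumed names, not taken from the guide."""
    net = ipaddress.ip_network(phone_cidr)   # rejects a CIDR with host bits set
    ipaddress.ip_address(call_agent_ip)
    network = {"name": "Net_A", "subnet": str(net.network_address),
               "mask-length": net.prefixlen}
    nat = nat_settings(nat_method, translated_ip)
    if nat:
        network["nat-settings"] = nat        # step 4: NAT is set on the Network Object
    peers = ["MGCP_Call_Agent", "Net_A"]
    rule = {"layer": layer, "position": "top", "name": "MGCP external Call Agent",
            "source": peers, "destination": peers,  # same objects on both sides
            "service": MGCP_SERVICES, "action": "Accept"}
    return [
        ("add-network", network),                                                # step 1
        ("add-host", {"name": "MGCP_Call_Agent", "ip-address": call_agent_ip}),  # step 2
        ("add-access-rule", rule),                                               # step 3
        ("publish", {}),
        ("install-policy", {"policy-package": package, "access": True,
                            "targets": [gateway]}),                              # step 5
    ]

if __name__ == "__main__":
    import json
    # Constructed sample addresses (RFC 1918 / RFC 5737), not from the guide.
    for command, payload in build_calls("10.1.1.0/24", "203.0.113.10"):
        print(command, json.dumps(payload))
```

Passing `nat_method=None` gives the no-NAT variant, and `nat_method="static"` without a translated address is rejected before any payload is produced.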

Sample MGCP Rules for a Call Agent in DMZ

In this image, the same Call Agent controls both endpoint domains. This topology makes it possible to provide Call Agent services to other organizations.

VoIP rule for this scenario:

| Source | Destination | Services & Applications | Action | Comments |
|---|---|---|---|---|
| Net_A, Net_B, Call_Agent | Net_A, Net_B, Call_Agent | mgcp_CA or mgcp_MG | Accept | Bidirectional calls |

To enable bidirectional calls between phones in internal and external networks (Net_A and Net_B):

  1. Configure the Network Objects (nodes or networks) for the phones that are permitted to make calls and whose calls are subject to gateway inspection. In the image, these are Net_A and Net_B.
  2. Configure the Network Object for the Call Agent (Call_Agent).
  3. Configure the VoIP rule.
  4. Configure Hide NAT or Static NAT for the phones in the internal network. Do this by editing the Network Object for the internal network (Net_A). See Setting up your network for Network Address Translation.
  5. Install Policy.

Sample MGCP Rules for a Call Agent to Call Agent

In this image, each Call Agent controls a separate endpoint domain. When there are one or more Call Agents, the signaling passes through each Call Agent. When the call has been set up, the media passes endpoint to endpoint. Here, a Call Agent-to-Call Agent topology shows Call Agents on opposite sides of the gateway.

VoIP rule for this scenario:

| Source | Destination | Services & Applications | Action | Comments |
|---|---|---|---|---|
| Call_Agent_Int, Call_Agent_Ext | Call_Agent_Ext, Call_Agent_Int | mgcp_CA or mgcp_MG | Accept | Bidirectional calls |

To enable bidirectional calls between phones in internal and external networks:

  1. Configure the Network Object for the Proxy objects (Call_Agent_Int and Call_Agent_Ext).
  2. Configure the VoIP rule.
  3. To configure Hide NAT or Static NAT for the phones in the internal network, edit the Network Object for Net_A.
    • Select the Network Object and double-click.
    • The Network window opens.
    • In the NAT tab, select Add Automatic Address Translation Rules, and then the Translation method, Hide or Static.
    • Install the security policy.