H.323-Based VoIP

In This Section: Introduction to H.323 H.323 Specific Services Supported H.323 Deployments and NAT Important Information about Creating H.323 Security Rules

Introduction to H.323

H.323 is an International Telecommunication Union (ITU) standard that specifies the components, protocols and procedures that provide multimedia communication services, real-time audio, video, and data communications over packet networks, including IP based networks.

H.323 registration and alternate communication occurs on UDP port 1719, and H.323 call signaling occurs on TCP port 1720. H.323 is a peer-to-peer protocol.

The Security Gateway supports these H.323 architectural elements:

• IP phones

  Devices that:

  • Handle signaling (H.323 commands)
  • Connect to an H.323 Gatekeeper

  IP phones are Configured in SmartConsole, usually as a network of IP phones. It is usually not necessary to Configure Network Objects for individual IP Phones.

• Standard telephones

  Connect to an H.323 gateway. These are not IP devices. It is not necessary to Configure them in SmartConsole.

• Gatekeeper

  Manages a collection of H.323 devices, such as phones. A Gatekeeper converts phone numbers to IP addresses and can provide gateway services as well.

• Gateway

  Provides interoperability between different networks. The gateway translates between the telephony protocol and IP.

H.323 Specific Services

These preconfigured H.323 services are available:

Service	Purpose
TCP:H323	Allows a Q.931 to be opened (and if needed, dynamically opens an H.245 port), and dynamically opens ports for RTP/RTCP or T.120.
UDP:H323_ras	Allows a RAS port to be opened, and then dynamically opens a Q.931 port (an H.245 port if needed). Also dynamically opens and RTP/RTCP and T.120 ports.
UDP:H323_ras_only	Allows only RAS ports. Cannot be used to make calls. If this service is used, no Application Intelligence Checks (payload inspection or modification as NAT translation) are made. Do not use if you want to perform NAT on RAS messages. Do not use in the same rule as the H323_ras service.
TCP:H323_any	Relevant only for versions prior to R75.40VS: Similar to the H323 service, but also allows the Destination in the rule to be ANY rather than a Network Object. Only use H323_any if you do not know the VoIP topology, and are not enforcing media admission control (formerly known as Handover) using a VoIP domain. Do not use in the same rule as the H.323 service.

Note - Make sure to use the H.323 and H.323_ras services in H.323 Security Gateways rules.

Supported H.323 Deployments and NAT

For complete information on NAT configuration, see the R80.30 Security Management Administration Guide.

Supported H.323 deployments are listed the table. Hide NAT, or Static NAT can be configured for the phones in the internal network, and (where applicable) for the gatekeeper.

• NAT is not supported on IP addresses behind an external Check Point gateway interface.
• Manual NAT rules are only supported in environments where the Gatekeeper is in the DMZ.

  Supported H.323 Topology	Supports No NAT	Supports NAT for Internal Phones - Hide/Static NAT	Supports NAT for Gatekeeper - Static NAT	Description
  H.323 Endpoint to Endpoint	Yes	Static NAT only	N/A	The IP Phones communicate directly, without a Gatekeeper or an H.323 gateway. Static NAT can be configured for the phones on the internal side of the gateway.
  H.323 Gatekeeper/Gateway in External Network	Yes	Yes	N/A	The IP phones use the services of a Gatekeeper or H.323 gateway on the external side of the gateway. This topology enables the use of the services of a Gatekeeper or an H.323 gateway that is maintained by another organization.
  H.323 Gatekeeper/Gateway to Gatekeeper/Gateway	Yes	Yes	Yes	Each Gatekeeper or H.323 gateway controls a separate endpoint domain. Static NAT can be configured for the internal Gatekeeper. For the internal phones, Hide NAT or Static NAT can be configured.
  H.323 Gatekeeper/Gateway in DMZ	Yes	Yes	Yes	The same Gatekeeper or H.323 gateway controls both endpoint domains. This topology makes it possible to provide Gatekeeper or H.323 gateway services to other organizations. Static NAT or No-NAT can be configured for the Gatekeeper or H.323 gateway. Hide NAT or Static (or no NAT) can be configured for the phones on the internal side of the gateway.