H.323-Based VoIP

Introduction to H.323

H.323 is an International Telecommunication Union (ITU) standard that specifies the components, protocols and procedures that provide multimedia communication services, real-time audio, video, and data communications over packet networks, including IP based networks.

H.323 registration and alternate communication occurs on UDP port 1719, and H.323 call signaling occurs on TCP port 1720. H.323 is a peer-to-peer protocol.

The Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. supports these H.323 architectural elements:

H.323 Specific Services

These preconfigured H.323 services are available:

Service

Purpose

TCP:H323

Allows a Q.931 to be opened (and if needed, dynamically opens an H.245 port), and dynamically opens ports for RTP/RTCP or T.120.

UDP:H323_ras

Allows a RAS port to be opened, and then dynamically opens a Q.931 port (an H.245 port if needed).

Also dynamically opens and RTP/RTCP and T.120 ports.

UDP:H323_ras_only

Allows only RAS ports. Cannot be used to make calls. If this service is used, no Application Intelligence Checks (payload inspection or modification as NAT translation) are made.

Do not use if you want to perform NAT on RAS messages. Do not use in the same ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. as the H323_ras service.

TCP:H323_any

Applies only to Security Gateways R75.40 and lower:

Similar to the H323 service, but also allows the Destination in the rule to be ANY rather than a Network ObjectClosed Logical object that represents different parts of corporate topology - computers, IP addresses, traffic protocols, and so on. Administrators use these objects in Security Policies..

Only use H323_any if you do not know the VoIP topology, and are not enforcing media admission control (formerly known as Handover) using a VoIP domain.

Do not use in the same rule as the H.323 service.

Note - Make sure to use the H.323 and H.323_ras services in H.323 Security Gateways rules.

Supported H.323 Deployments and NAT

For complete information on NAT configuration, see the R80.40 Security Management Administration Guide.

Supported H.323 deployments are listed the table. Hide NAT, or Static NAT can be configured for the phones in the internal network, and (where applicable) for the gatekeeper.

  • NAT is not supported on IP addresses behind an external Check Point Security Gateway interface.

  • Manual NAT rules are only supported in environments where the Gatekeeper is in the DMZ.

    Supported H.323 Topology

    Supports No NAT

    Supports NAT for Internal Phones - Hide/Static NAT

    Supports
    NAT for Gatekeeper - Static NAT

    Description

    H.323 Endpoint to Endpoint

    (see Sample H.323 Rules for an Endpoint-to-Endpoint Topology)

    Yes

    Static NAT only

    N/A

    • The IP Phones communicate directly, without a Gatekeeper or an H.323 gateway. Static NAT can be configured for the phones on the internal side of the Security Gateway.

    H.323 Gatekeeper/Gateway in External Network

    (see Sample H.323 Rules for a Gatekeeper (or H.323 Gateway) in an External Network)

    Yes

    Yes

    N/A

    • The IP phones use the services of a Gatekeeper or H.323 gateway on the external side of the Security Gateway.

    • This topology enables the use of the services of a Gatekeeper or an H.323 gateway that is maintained by another organization.

    H.323 Gatekeeper/Gateway to Gatekeeper/Gateway

    (see Sample H.323 Rules for a Gatekeeper-to-Gatekeeper (or H.323 Gateway) Topology)

    Yes

    Yes

    Yes

    • Each Gatekeeper or H.323 gateway controls a separate endpoint domain.

    • Static NAT can be configured for the internal Gatekeeper. For the internal phones, Hide NAT or Static NAT can be configured.

    H.323 Gatekeeper/Gateway in DMZ

    (see Defining H.323 Rules for a Gatekeeper in DMZ Topology)

    Yes

    Yes

    Yes

    • The same Gatekeeper or H.323 gateway controls both endpoint domains. This topology makes it possible to provide Gatekeeper or H.323 gateway services to other organizations.

    • Static NAT or No-NAT can be configured for the Gatekeeper or H.323 gateway.

    • Hide NAT or Static (or no NAT) can be configured for the phones on the internal side of the Security Gateway.