H.323-Based VoIP
Introduction to H.323
H.323 is an International Telecommunication Union (ITU) standard that specifies the components, protocols and procedures for multimedia communication services (real-time audio, video and data) over packet networks, including IP networks.
H.323 registration, admission and status (RAS) signaling between an endpoint and a Gatekeeper uses UDP port 1719, and H.323 call signaling (Q.931, carried in H.225.0) uses TCP port 1720. The call-control channel (H.245) and the media streams (RTP/RTCP) use ports that are negotiated inside that signaling, which is why a firewall must inspect the signaling to open them. H.323 is a peer-to-peer protocol.
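What the Security Gateway sees on TCP port 1720 is a stream of Q.931 messages, each framed by a 4-byte TPKT header (RFC 1006). The parser below is an added example written for this page, not Check Point code: it strips the TPKT framing, decodes the Q.931 header and walks the information elements, rejecting any frame whose length fields do not fit the buffer (the first thing an inspection engine must get right before it can locate the H.245 address and media ports inside the message). The sample SETUP frame is constructed for the example; its User-user body is an opaque placeholder, not a real PER-encoded H.225.0 structure.

```python
"""Parse H.323 call-signalling frames: Q.931 messages carried over TPKT on TCP/1720.

Added example (not Check Point code). SAMPLE_SETUP is constructed for this
example; the User-user body is a placeholder, not real H.225.0 content.
"""
import struct

TPKT_VERSION = 3
Q931_PROTOCOL_DISCRIMINATOR = 0x08

# Q.931 message types (ITU-T Q.931 Table 4-2), with bit 8 masked off
Q931_MESSAGE_TYPES = {
    0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x03: "PROGRESS",
    0x05: "SETUP", 0x07: "CONNECT", 0x0F: "CONNECT ACKNOWLEDGE",
    0x45: "DISCONNECT", 0x4D: "RELEASE", 0x5A: "RELEASE COMPLETE",
    0x62: "FACILITY", 0x6E: "NOTIFY", 0x75: "STATUS ENQUIRY",
    0x7B: "INFORMATION", 0x7D: "STATUS",
}

IE_BEARER_CAPABILITY = 0x04
IE_DISPLAY = 0x28
IE_CALLING_PARTY_NUMBER = 0x6C
IE_CALLED_PARTY_NUMBER = 0x70
IE_USER_USER = 0x7E   # carries the H.225.0 UUIE; H.225.0 gives it a 2-octet length


class Q931Error(ValueError):
    """Raised for frames an inspection engine should drop rather than pass."""


def parse_tpkt(buf):
    """Strip one RFC 1006 TPKT header. Returns (payload, remaining_bytes)."""
    if len(buf) < 4:
        raise Q931Error("short TPKT header")
    version, _reserved, length = struct.unpack("!BBH", buf[:4])
    if version != TPKT_VERSION:
        raise Q931Error(f"bad TPKT version {version}")
    if length < 4 or length > len(buf):
        raise Q931Error(f"TPKT length {length} does not fit in {len(buf)} bytes")
    return buf[4:length], buf[length:]


def parse_q931(payload):
    """Decode one Q.931 message into its call reference, message type and IEs."""
    if len(payload) < 3:
        raise Q931Error("short Q.931 header")
    if payload[0] != Q931_PROTOCOL_DISCRIMINATOR:
        raise Q931Error(f"protocol discriminator 0x{payload[0]:02x} is not Q.931")
    cr_len = payload[1] & 0x0F          # H.225.0 uses a 2-octet call reference
    pos = 2
    if len(payload) < pos + cr_len + 1:
        raise Q931Error("truncated call reference")
    call_ref = payload[pos:pos + cr_len]
    pos += cr_len
    msg_type = payload[pos] & 0x7F
    pos += 1

    ies = []
    while pos < len(payload):
        ie_id = payload[pos]
        if ie_id & 0x80:                # single-octet IE (shift, sending complete, ...)
            ies.append((ie_id, b""))
            pos += 1
            continue
        # Variable-length IE: identifier, length, contents. The length must be
        # checked against the frame, or the sender controls how far we read.
        len_octets = 2 if ie_id == IE_USER_USER else 1
        if pos + 1 + len_octets > len(payload):
            raise Q931Error(f"IE 0x{ie_id:02x} has no length field")
        ie_len = int.from_bytes(payload[pos + 1:pos + 1 + len_octets], "big")
        start = pos + 1 + len_octets
        if start + ie_len > len(payload):
            raise Q931Error(f"IE 0x{ie_id:02x} length {ie_len} overruns the message")
        ies.append((ie_id, payload[start:start + ie_len]))
        pos = start + ie_len

    return {
        "call_reference": call_ref,
        "message_type": Q931_MESSAGE_TYPES.get(msg_type, f"UNKNOWN(0x{msg_type:02x})"),
        "ies": ies,
    }


def parse_frame(buf):
    """Parse the first TPKT-framed Q.931 message in buf; return (message, rest)."""
    payload, rest = parse_tpkt(buf)
    return parse_q931(payload), rest


def find_ie(message, ie_id):
    """Return the contents of the first IE with this identifier, or None."""
    for found_id, contents in message["ies"]:
        if found_id == ie_id:
            return contents
    return None


def number_digits(ie_contents):
    """Called/Calling party number IE: one type/plan octet, then IA5 digits."""
    return ie_contents[1:].decode("ascii") if ie_contents else ""


def is_malformed(buf):
    """True if the parser rejects the frame (what a gateway would drop)."""
    try:
        parse_frame(buf)
        return False
    except Q931Error:
        return True


# Constructed SETUP, call reference 0x002A: Bearer capability, Display "alice",
# Called party number "1001" and a 4-byte placeholder User-user body.
SAMPLE_SETUP = bytes.fromhex(
    "03000023"              # TPKT: version 3, total length 35
    "0802002a05"            # Q.931: discriminator, CR length 2, CR 0x002A, SETUP
    "04038893a5"            # Bearer capability
    "2805616c696365"        # Display "alice"
    "70058031303031"        # Called party number, type/plan 0x80, digits "1001"
    "7e000405aabbcc"        # User-user, 2-octet length 4, placeholder body
)

if __name__ == "__main__":
    msg, _ = parse_frame(SAMPLE_SETUP)
    print(msg["message_type"], msg["call_reference"].hex(),
          number_digits(find_ie(msg, IE_CALLED_PARTY_NUMBER)))
```

The one H.323-specific detail worth remembering is the User-user IE: H.225.0 gives it a two-octet length, so a parser that treats it like every other Q.931 IE will mis-walk the rest of the message and either drop legitimate calls or, worse, fail to find the media ports it is supposed to pin-hole.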
The Security Gateway supports these H.323 architectural elements:

- IP phones: devices that handle signaling (H.323 commands) and connect to an H.323 Gatekeeper. IP phones are configured in SmartConsole, usually as a network of IP phones. It is usually not necessary to configure Network Objects for individual IP phones.
- Standard telephones: connect to an H.323 gateway. These are not IP devices, so it is not necessary to configure them in SmartConsole.
- Gatekeeper: manages a collection of H.323 devices, such as phones. A Gatekeeper converts phone numbers to IP addresses and can also provide Security Gateway services.
- Gateway: provides interoperability between different networks. The Gateway translates between the telephony protocol and IP.
H.323 Specific Services
These preconfigured H.323 services are available:

Service | Purpose
---|---
 | Allows a Q.931 connection to be opened (and, if needed, dynamically opens an H.245 port), and dynamically opens ports for RTP/RTCP or T.120.
 | Allows a RAS port to be opened, and then dynamically opens a Q.931 port (and an H.245 port if needed). Also dynamically opens RTP/RTCP and T.120 ports.
 | Allows only RAS ports. Cannot be used to make calls. If this service is used, no Application Intelligence checks (payload inspection or modification, such as NAT translation) are made. Do not use it if you want to perform NAT on RAS messages. Do not use it in the same rule as the
 | Applies only to Security Gateways R75.40 and lower: similar to the H323 service, but also allows the Destination in the rule to be ANY rather than a Network Object. Do not use it in the same rule as the

Note - Make sure to use the
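The difference between the three kinds of service above is stateful: the rule statically permits only the first leg (Q.931, or RAS), and every later port is opened because inspection of an earlier, already-permitted message announced it. The model below is an added example written for this page, not Check Point code, and the three service labels are names assumed for the three table rows (Q.931-based, RAS-based, RAS-only), not the product's own object names. It shows which flows a rule with each service lets through at each stage of a constructed call, and that an H.245 or media request on a call that never passed the previous stage opens nothing.

```python
"""Stateful model of the dynamic port opening the H.323 services perform.

Added example, not Check Point code. The three service labels are assumed
names for the three rows of the services table (Q.931, RAS, RAS-only);
the call in simulate_call() is constructed.
"""
from dataclasses import dataclass

RAS_PORT = 1719    # UDP: RAS between endpoint and Gatekeeper
Q931_PORT = 1720   # TCP: H.225.0 call signalling

SVC_Q931 = "q931-service"          # row 1: Q.931 allowed by the rule; H.245 and media dynamic
SVC_RAS = "ras-service"            # row 2: RAS allowed by the rule; Q.931, H.245 and media dynamic
SVC_RAS_ONLY = "ras-only-service"  # row 3: RAS allowed by the rule; no inspection, nothing dynamic


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


class H323Service:
    """Decides which flows a rule carrying the given service lets through."""

    def __init__(self, service):
        self.service = service
        self.pinholes = {}   # (proto, dst_ip, dport) -> call_ref that opened it
        self.stage = {}      # call_ref -> "q931" or "h245"

    def allows(self, flow):
        if self.service == SVC_Q931 and flow.proto == "tcp" and flow.dport == Q931_PORT:
            return True
        if self.service in (SVC_RAS, SVC_RAS_ONLY) and flow.proto == "udp" and flow.dport == RAS_PORT:
            return True
        return (flow.proto, flow.dst, flow.dport) in self.pinholes

    def _open(self, call_ref, proto, ip, port):
        self.pinholes[(proto, ip, port)] = call_ref

    def on_ras_admission_confirm(self, call_ref, callee_ip):
        """Gatekeeper ACF seen on the RAS channel: the caller may now signal the callee."""
        if self.service != SVC_RAS:
            # RAS-only performs no inspection; the Q.931 service never sees RAS at all
            return False
        self._open(call_ref, "tcp", callee_ip, Q931_PORT)
        self.stage[call_ref] = "q931"
        return True

    def on_q931_connect(self, call_ref, h245_ip, h245_port):
        """CONNECT carried the callee's H.245 address: open that TCP port."""
        if self.service == SVC_Q931:
            self.stage.setdefault(call_ref, "q931")   # Q.931 was allowed by the rule itself
        if self.stage.get(call_ref) != "q931":
            return False   # no admitted Q.931 session for this call, so refuse
        self._open(call_ref, "tcp", h245_ip, h245_port)
        self.stage[call_ref] = "h245"
        return True

    def on_h245_open_logical_channel(self, call_ref, media_ip, rtp_port, rtcp_port):
        """OpenLogicalChannel on the H.245 channel: open the RTP and RTCP ports."""
        if self.stage.get(call_ref) != "h245":
            return False   # an H.245 message outside an opened channel must not open media
        self._open(call_ref, "udp", media_ip, rtp_port)
        self._open(call_ref, "udp", media_ip, rtcp_port)
        return True

    def on_release_complete(self, call_ref):
        """Tear down every pinhole the call opened."""
        self.pinholes = {k: v for k, v in self.pinholes.items() if v != call_ref}
        self.stage.pop(call_ref, None)


def simulate_call(service):
    """Run one constructed call through a rule using `service`; report what is allowed when."""
    svc = H323Service(service)
    caller, gatekeeper, callee = "10.0.0.5", "10.0.0.1", "203.0.113.9"   # constructed addresses
    result = {}
    result["ras_to_gatekeeper"] = svc.allows(Flow("udp", caller, gatekeeper, RAS_PORT))
    result["q931_before_acf"] = svc.allows(Flow("tcp", caller, callee, Q931_PORT))
    svc.on_ras_admission_confirm("c1", callee)
    result["q931_after_acf"] = svc.allows(Flow("tcp", caller, callee, Q931_PORT))
    # An OpenLogicalChannel before any H.245 channel exists must be ignored
    result["olc_before_h245"] = svc.on_h245_open_logical_channel("c1", callee, 5004, 5005)
    svc.on_q931_connect("c1", callee, 41000)
    result["h245"] = svc.allows(Flow("tcp", caller, callee, 41000))
    svc.on_h245_open_logical_channel("c1", callee, 5004, 5005)
    result["rtp"] = svc.allows(Flow("udp", caller, callee, 5004))
    svc.on_release_complete("c1")
    result["rtp_after_release"] = svc.allows(Flow("udp", caller, callee, 5004))
    return result


if __name__ == "__main__":
    for name in (SVC_Q931, SVC_RAS, SVC_RAS_ONLY):
        print(name, simulate_call(name))
```

Running it with the RAS-only label shows why that row "cannot be used to make calls": RAS itself passes, but nothing the Gatekeeper admits is ever turned into a Q.931, H.245 or RTP pinhole. Running it with the Q.931 label shows the mirror image: RAS to the Gatekeeper is not allowed, so that service only fits topologies where no Gatekeeper is crossed.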
Supported H.323 Deployments and NAT
For complete information on NAT configuration, see the R80.40 Security Management Administration Guide.
Supported H.323 deployments are listed in the table below. Hide NAT or Static NAT can be configured for the phones in the internal network and, where applicable, for the Gatekeeper.

- NAT is not supported on IP addresses behind an external Check Point Security Gateway interface.
- Manual NAT rules are only supported in environments where the Gatekeeper is in the DMZ.
Supported H.323 Topology | Supports No NAT | Supports NAT for Internal Phones (Hide/Static NAT) | Supports NAT for Gatekeeper (Static NAT) | Description
---|---|---|---|---
H.323 Endpoint to Endpoint (see Sample H.323 Rules for an Endpoint-to-Endpoint Topology) | Yes | Static NAT only | N/A | The IP phones communicate directly, without a Gatekeeper or an H.323 gateway. Static NAT can be configured for the phones on the internal side of the Security Gateway.
H.323 Gatekeeper/Gateway in External Network (see Sample H.323 Rules for a Gatekeeper (or H.323 Gateway) in an External Network) | Yes | Yes | N/A | The IP phones use the services of a Gatekeeper or H.323 gateway on the external side of the Security Gateway. This topology enables the use of a Gatekeeper or H.323 gateway that is maintained by another organization.
H.323 Gatekeeper/Gateway to Gatekeeper/Gateway (see Sample H.323 Rules for a Gatekeeper-to-Gatekeeper (or H.323 Gateway) Topology) | Yes | Yes | Yes | Each Gatekeeper or H.323 gateway controls a separate endpoint domain. Static NAT can be configured for the internal Gatekeeper. For the internal phones, Hide NAT or Static NAT can be configured.
H.323 Gatekeeper/Gateway in DMZ | Yes | Yes | Yes | The same Gatekeeper or H.323 gateway controls both endpoint domains. This topology makes it possible to provide Gatekeeper or H.323 gateway services to other organizations. Static NAT or No NAT can be configured for the Gatekeeper or H.323 gateway. Hide NAT, Static NAT or No NAT can be configured for the phones on the internal side of the Security Gateway.