H.323-Based VoIP

Introduction to H.323

H.323 is an International Telecommunication Union (ITU) standard that specifies the components, protocols and procedures that provide multimedia communication services, real-time audio, video, and data communications over packet networks, including IP based networks.

H.323 registration and alternate communication occurs on UDP port 1719, and H.323 call signaling occurs on TCP port 1720. H.323 is a peer-to-peer protocol.

The Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. supports these H.323 architectural elements:

• IP phones

  Devices that:

  • Handle signaling (H.323 commands)

  • Connect to an H.323 Gatekeeper

  IP phones are Configured in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., usually as a network of IP phones. It is usually not necessary to Configure Network Objects for individual IP Phones.

• Standard telephones

  Connect to an H.323 gateway. These are not IP devices. It is not necessary to Configure them in SmartConsole.

• Gatekeeper

  Manages a collection of H.323 devices, such as phones. A Gatekeeper converts phone numbers to IP addresses and can provide Security Gateway services as well.

• Gateway

  Provides interoperability between different networks. The Gateway translates between the telephony protocol and IP.

H.323 Specific Services

These preconfigured H.323 services are available:

Service	Purpose
TCP:H323	Allows a Q.931 to be opened (and if needed, dynamically opens an H.245 port), and dynamically opens ports for RTP/RTCP or T.120.
UDP:H323_ras	Allows a RAS port to be opened, and then dynamically opens a Q.931 port (an H.245 port if needed). Also dynamically opens and RTP/RTCP and T.120 ports.
UDP:H323_ras_only	Allows only RAS ports. Cannot be used to make calls. If this service is used, no Application Intelligence Checks (payload inspection or modification as NAT translation) are made. Do not use if you want to perform NAT on RAS messages. Do not use in the same rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. as the H323_ras service.
TCP:H323_any	Applies only to Security Gateways R75.40 and lower: Similar to the H323 service, but also allows the Destination in the rule to be ANY rather than a Network Object Logical object that represents different parts of corporate topology - computers, IP addresses, traffic protocols, and so on. Administrators use these objects in Security Policies.. Only use H323_any if you do not know the VoIP topology, and are not enforcing media admission control (formerly known as Handover) using a VoIP domain. Do not use in the same rule as the H.323 service.

Note - Make sure to use the H.323 and H.323_ras services in H.323 Security Gateways rules.

Supported H.323 Deployments and NAT

For complete information on NAT configuration, see the R81 Security Management Administration Guide.

Supported H.323 deployments are listed the table. Hide NAT, or Static NAT can be configured for the phones in the internal network, and (where applicable) for the gatekeeper.

• NAT is not supported on IP addresses behind an external Check Point Security Gateway interface.

• Manual NAT rules are only supported in environments where the Gatekeeper is in the DMZ.

  Supported H.323 Topology	Supports No NAT	Supports NAT for Internal Phones - Hide/Static NAT	Supports NAT for Gatekeeper - Static NAT	Description
  H.323 Endpoint to Endpoint (see Sample H.323 Rules for an Endpoint-to-Endpoint Topology)	Yes	Static NAT only	N/A	The IP Phones communicate directly, without a Gatekeeper or an H.323 gateway. Static NAT can be configured for the phones on the internal side of the Security Gateway.
  H.323 Gatekeeper/Gateway in External Network (see Sample H.323 Rules for a Gatekeeper (or H.323 Gateway) in an External Network)	Yes	Yes	N/A	The IP phones use the services of a Gatekeeper or H.323 gateway on the external side of the Security Gateway. This topology enables the use of the services of a Gatekeeper or an H.323 gateway that is maintained by another organization.
  H.323 Gatekeeper/Gateway to Gatekeeper/Gateway (see Sample H.323 Rules for a Gatekeeper-to-Gatekeeper (or H.323 Gateway) Topology)	Yes	Yes	Yes	Each Gatekeeper or H.323 gateway controls a separate endpoint domain. Static NAT can be configured for the internal Gatekeeper. For the internal phones, Hide NAT or Static NAT can be configured.
  H.323 Gatekeeper/Gateway in DMZ (see Defining H.323 Rules for a Gatekeeper in DMZ Topology)	Yes	Yes	Yes	The same Gatekeeper or H.323 gateway controls both endpoint domains. This topology makes it possible to provide Gatekeeper or H.323 gateway services to other organizations. Static NAT or No-NAT can be configured for the Gatekeeper or H.323 gateway. Hide NAT or Static (or no NAT) can be configured for the phones on the internal side of the Security Gateway.