On Mon, Jul 20, 2009 at 3:33 PM, Jan Willamowius<jan@xxxxxxxxxxxxxx> wrote:
> Robert Kulagowski wrote:
>> Internal client, HDX4002 (10.244.22.21) -> firewall 1 ->
>> (192.168.5.23)gnugk(204.79.137.23) -> firewall 2 -> Internet.
>
> H.460.18 support in GnuGk takes care of getting calls through firewall
> 1 (in both directions). But firewall 2 still blocks the inbound part of
> your calls to the internet.
>
> You could for example open port ranges on the firewall for Q.931, H.245
> and RTP in firewall 2 and put GnuGk in its traditional proxy mode.

Thanks for the quick response. Since the firewall policy is "deny all, permit by exception", I need to look for the port lists that GnuGK would need opened on firewall 2.

I'm assuming that these settings in [RoutedMode] are the ones to look at?

# Q931PortRange=20000-20999
Default: N/A (let the OS allocate ports)

Specify the range of TCP port number for Q.931 signaling channels. Note the range size may limit the number of concurrent calls. Make sure this range is wide enough to take into account TIME_WAIT TCP socket timeout before a socket can be reused after closed. TIME_WAIT may vary from 15 seconds to a few minutes, depending on an OS. So if for example your range is 2000-2001 and you made two calls, the next two calls can be made after TIME_WAIT timeout elapses and the sockets can be reused. The same applies to H245PortRange and T120PortRange. TIME_WAIT can be usually tuned down on most OSes.

# H245PortRange=30000-30999
Default: N/A (let the OS allocate ports)

Specify the range of TCP port number for H.245 control channels. Note the range size may limit the number of concurrent calls. See remarks about TIME_WAIT socket state timeout in the Q931PortRange description.

and then this in [Proxy]

RTPPortRange=50000-59999
Default: 1024-65535

Specify the range of UDP port number for RTP/RTCP channels. Since RTP streams require two sockets, the range has to contain an even number of ports.
Note that the range size may limit the number of possible concurrent calls.

> The other option would be to place a 2nd gatekeeper without a firewall
> on the internet side of firewall 2 and proxy all calls through two
> gatekeepers.

Yeesh! This is hard enough without adding another layer! So because of this dual-firewall situation, the H460 is only helping on the firewall 1 portion, and not the firewall 2?
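Added example, not part of the original message and not GnuGk code: a Python sketch that reads the three port-range settings quoted above and derives the entries a "deny all, permit by exception" policy on firewall 2 would need, enforcing the even-port rule for RTP. The function names, the 60-second TIME_WAIT default and the one-socket-per-call sizing (taken from the manual's 2000-2001 illustration) are assumptions.

```python
import configparser

# Constructed sample using the values quoted in the message above.
SAMPLE_INI = """
[RoutedMode]
Q931PortRange=20000-20999
H245PortRange=30000-30999
[Proxy]
RTPPortRange=50000-59999
"""

# (section, key, transport) as described in the quoted manual text.
RANGES = [
    ("RoutedMode", "Q931PortRange", "tcp"),
    ("RoutedMode", "H245PortRange", "tcp"),
    ("Proxy", "RTPPortRange", "udp"),
]

def parse_range(value):
    """Parse 'lo-hi' into a validated (lo, hi) tuple."""
    lo, hi = (int(part) for part in value.split("-", 1))
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"invalid port range: {value}")
    return lo, hi

def firewall_plan(ini_text, time_wait_s=60):
    """Return one allow-list entry per range, with sizing hints."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    plan = []
    for section, key, proto in RANGES:
        if not cfg.has_option(section, key):
            # Unset means OS-allocated ports (or 1024-65535 for RTP),
            # which cannot be expressed as a narrow firewall exception.
            raise ValueError(f"[{section}] {key} must be set explicitly")
        lo, hi = parse_range(cfg.get(section, key))
        size = hi - lo + 1
        entry = {"key": key, "proto": proto, "ports": (lo, hi), "size": size}
        if proto == "udp":
            if size % 2:
                raise ValueError(f"{key} must contain an even number of ports")
            entry["rtp_rtcp_pairs"] = size // 2
        else:
            # Assumption: one socket per call, and every closed socket
            # is unusable for time_wait_s seconds (worst case).
            entry["new_sockets_per_sec"] = size / time_wait_s
        plan.append(entry)
    return plan

if __name__ == "__main__":
    for e in firewall_plan(SAMPLE_INI):
        print(f"permit {e['proto']} {e['ports'][0]}-{e['ports'][1]}  # {e['key']}")
```
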