Hi Jan,
thanks for the quick reply. The use case here is different; this is to allow an external, Internet-based endpoint to register with a central gatekeeper located in a DMZ. So for the purposes of firewall configuration, it's an inbound connection that needs to be clearly defined.
What is the minimum actual port list that you would recommend for the various parameters?
By default, with EnableH46018=1 and RTPMultiplexing=1, gnugk will use:
UDP 1719 (H.225 RAS)
TCP 1720 (H.225 CS)
UDP 3000 (RTP)
UDP 3001 (RTCP)
However, if you specify things yourself, you can change things to act more like a Tandberg VCS:
UDP 1719 (H.225 RAS)
TCP 2776 (H.225 CS)
UDP 2776 (RTP)
UDP 2777 (RTCP)
Like this:
[Gatekeeper::Main]
UnicastRasPort=1719

[RoutedMode]
CallSignalPort=2776
EnableH46018=1

[Proxy]
Enable=1
RTPMultiplexing=1
RTPMultiplexPort=2776
RTCPMultiplexPort=2777
The key thing that cannot be changed is that 1719, unless you specify DNS SRV records, and have endpoints and gateways that honor them.
If your endpoint and other neighboring gatekeepers honor DNS SRV records, you can change the 1719 above and below as well:
_h323rs._udp.yourserver.yourdomain.com. IN SRV 0 0 1719 yourserver.yourdomain.com.
_h323ls._udp.yourserver.yourdomain.com. IN SRV 0 0 1719 yourserver.yourdomain.com.
_h323cs._tcp.yourserver.yourdomain.com. IN SRV 0 0 2776 yourserver.yourdomain.com.
Note: You are only specifying the destination ports here. The source ports used by your endpoint on the source side depend on whether the endpoint supports bi-directional multiplexing (Tandberg (Cisco) endpoints do not, but Spranto does, for example).
Most firewalls typically only concern themselves with destination ports, allowing the establishment of new stateful streams based solely on those destination ports. Beyond that point, they retain TCP handshake state and remember UDP "pinhole" state to allow return traffic.
Some firewalls, particularly Juniper, act more like ACLs, and admins typically restrict source ports as well as destination ports on those.
When you talk with a Juniper firewall administrator, it is important that you also specify the source port range that your endpoints may use to originate ephemeral ports for TCP connections and UDP streams.
For example, Tandberg (Cisco) phones typically use a different source port range when configured as "static" vs "dynamic":
Dynamic:
The system will allocate which ports to use when opening a TCP connection. The reason for doing this is to avoid using the same ports for subsequent calls, as some firewalls consider this a sign of attack. When Dynamic is selected, the H.323 ports used are from 11000 to 20999. Once 20999 is reached they restart again at 11000. For RTP and RTCP media data, the system uses UDP ports in the range 2326 to 2487. Each media channel uses two adjacent ports, i.e. 2330 and 2331 for RTP and RTCP respectively. The ports are automatically selected by the system within the given range. Firewall administrators should not try to deduce which ports are used when, as the allocation schema within the mentioned range may change without any further notice.
Because of this, it is critical to discuss both "direction" and "source" or "destination" with respect to ports, or confusion will arise.
- Ian Blenke <ian@xxxxxxxxxx> http://ian.blenke.com
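Added example (not from the original post and not GnuGk project code): a small Python script that reads the config fragment above, derives the inbound allow-list a DMZ firewall needs (destination ports only for a stateful firewall; destination plus the Tandberg "dynamic" source ranges for an ACL-style firewall), flags UDP port collisions in the config, and emits the matching SRV records. Assumptions: RTPMultiplexing is treated as off when the key is absent; the ACL output syntax is a hypothetical generic one, not any vendor's; the post gives no RAS source-port range, so RAS keeps source "any"; the non-multiplexed media case is not covered because the post does not give those ports.

```python
"""Derive a DMZ gatekeeper's inbound firewall allow-list from its GnuGk config.
Added example, not GnuGk code. Config values and port ranges come from the post."""
import configparser
from dataclasses import dataclass

# Constructed input: the config fragment from the post (VCS-like ports).
GNUGK_INI = """
[Gatekeeper::Main]
UnicastRasPort=1719
[RoutedMode]
CallSignalPort=2776
EnableH46018=1
[Proxy]
Enable=1
RTPMultiplexing=1
RTPMultiplexPort=2776
RTCPMultiplexPort=2777
"""

# GnuGk defaults when the keys are absent (EnableH46018=1, RTPMultiplexing=1), per the post.
DEFAULTS = {"ras": 1719, "cs": 1720, "rtp": 3000, "rtcp": 3001}

# Source-port ranges a Tandberg (Cisco) endpoint uses in "dynamic" mode, per the post.
# The post gives no source range for RAS, so RAS keeps "any".
TANDBERG_DYNAMIC = {"tcp": (11000, 20999), "udp": (2326, 2487)}
ANY_SRC = (1, 65535)


@dataclass(frozen=True)
class Rule:
    proto: str        # "udp" or "tcp"
    dst_port: int     # destination port on the gatekeeper (what every firewall needs)
    src_ports: tuple  # (low, high) endpoint source range; ANY_SRC for stateful firewalls
    label: str


def parse_ports(ini_text):
    """Read the port-relevant keys; fall back to the GnuGk defaults when absent."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    ports = {
        "ras": cp.getint("Gatekeeper::Main", "UnicastRasPort", fallback=DEFAULTS["ras"]),
        "cs": cp.getint("RoutedMode", "CallSignalPort", fallback=DEFAULTS["cs"]),
    }
    # Assumption: multiplexing is off when the key is missing.
    if cp.getboolean("Proxy", "RTPMultiplexing", fallback=False):
        ports["rtp"] = cp.getint("Proxy", "RTPMultiplexPort", fallback=DEFAULTS["rtp"])
        ports["rtcp"] = cp.getint("Proxy", "RTCPMultiplexPort", fallback=DEFAULTS["rtcp"])
    else:
        # Without multiplexing the media ports are not two fixed numbers and the
        # post does not give that range, so no media rule is derived here.
        ports["rtp"] = ports["rtcp"] = None
    return ports


def udp_ports_collide(ports):
    """True if two UDP listeners share a port (e.g. RTPMultiplexPort set to 1719)."""
    udp = [p for p in (ports["ras"], ports["rtp"], ports["rtcp"]) if p is not None]
    return len(udp) != len(set(udp))


def inbound_rules(ports, endpoint_mode="stateful"):
    """Inbound (Internet -> DMZ gatekeeper) allow-list.

    "stateful": destination ports only, source "any".
    "tandberg_dynamic": also pin the endpoint's dynamic-mode source ranges.
    """
    if udp_ports_collide(ports):
        raise ValueError("UDP port collision in gatekeeper config: %r" % (ports,))
    src = TANDBERG_DYNAMIC if endpoint_mode == "tandberg_dynamic" else {"tcp": ANY_SRC, "udp": ANY_SRC}
    rules = [
        Rule("udp", ports["ras"], ANY_SRC, "H.225 RAS"),  # no RAS source range in the post
        Rule("tcp", ports["cs"], src["tcp"], "H.225 CS"),
    ]
    if ports["rtp"] is not None:
        rules.append(Rule("udp", ports["rtp"], src["udp"], "RTP (multiplexed)"))
        rules.append(Rule("udp", ports["rtcp"], src["udp"], "RTCP (multiplexed)"))
    return rules


def render_acl(rules):
    """Hypothetical generic ACL syntax (not a real vendor's), one line per rule."""
    out = []
    for r in rules:
        src = "any" if r.src_ports == ANY_SRC else "%d-%d" % r.src_ports
        out.append("permit %s src-port %s dst-port %d  ; %s" % (r.proto, src, r.dst_port, r.label))
    return out


def srv_records(host, ports):
    """The three SRV records from the post, filled in from the parsed ports."""
    return [
        "_h323rs._udp.%s. IN SRV 0 0 %d %s." % (host, ports["ras"], host),
        "_h323ls._udp.%s. IN SRV 0 0 %d %s." % (host, ports["ras"], host),
        "_h323cs._tcp.%s. IN SRV 0 0 %d %s." % (host, ports["cs"], host),
    ]


if __name__ == "__main__":
    ports = parse_ports(GNUGK_INI)
    for mode in ("stateful", "tandberg_dynamic"):
        print("--", mode)
        print("\n".join(render_acl(inbound_rules(ports, mode))))
    print("\n".join(srv_records("yourserver.yourdomain.com", ports)))
```

The two modes print the same destination ports and differ only in the source column, which is the "direction" versus "source/destination" distinction the post warns about: hand the stateful output to a stateful-firewall admin and the tandberg_dynamic output to an ACL-style (Juniper) admin, and change the source ranges if your endpoints are not Tandberg units in "dynamic" mode.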
_______________________________________________________
Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/