Thank you Jan, I appreciate it. Was curious on the cached registrations, but is not a big deal. I saw the reload command in the status port, but didn't know about sending a HUP. That should help.
On NAT, you don't think it's fun dealing with that mess? :)
I tried some additional forwarding of the H245 and Q931 narrow port ranges, but nothing was consistent. I think that part is moot anyway since the Fortigate was automatically opening them on-demand. (tcp/1720,1503 and udp/1719 are the only ones statically forwarded)
I'll keep testing and see how that goes.
On Tue, May 19, 2015 at 2:02 PM Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote:
GnuGk does not cache registrations. Endpoints are only available after
they have actively registered and thats intended.
You can make endpoints available independently from their registration.
GnuGk calls that feature 'permanent endpoints'.
But this is really is a non-issue, because you can make virtually all
configuration changes without restarting GnuGk - you simply reload the
configuration (either via the status port, thats what the GUI does when
you click 'Apply' or by sending the Unix process a HUP signal).
Running Gnugk inside a VM is fine. Just make sure it has enough CPU
power so the VM doesn't introduce additional latency when it proxies your
RTP media streams.
Running any H.323 device behind a NAT is very tricky. Look at the
configuration for your V2IU: It has direct connectivity to the internet
(it _is_ the firewall). You can do exactly that with GnuGk, too and it
will work fine.
If you want to use a dedicated firewall, put GnuGk _outside_ the
firewall, no need to open any ports and let the H.460 NAT traversal
protocols handle all the tunneling issues.
GnuGk also supports running behind firewalls and NAT using port
forwarding etc., but its hard to get right. These setups tend to work
a little right from the start and fail in strange not until you get it
right. I configure such configurations when I get paid, but not for
Jan Willamowius, Founder of the GNU Gatekeeper Project
EMail : jan@xxxxxxxxxxxxxx
Relaxed Communications GmbH
Geschäftsführer: Jan Willamowius
HRB 125261 (Amtsgericht Hamburg)
Robert Edeker wrote:
> First off it's been great to find a project like this, am hoping this will
> assist us in enhancing our video connectivity.
> While I realize that placing the GK behind a firewall is not ideal that's
> what I'm looking to do at this time to reduce other infrastructure changes
> and allow us to use our fiber connection. Below is where I'm at which is
> basically working well except for calls from Polycom CMA Desktop devices.
> Our other goal is to possibly replace an old V2IU or have GNUGK as a
> neighbor gatekeeper for redundancy. (neighbor dialing from gnugk to v2iu is
> working great, but not the other way around)
> Before the network part, some unrelated questions:
> 1) Does gnugk save/cache registrations? Say I restart the server and
> someone calls before the endpoint re-registers. (TTL is 300, but still)
> 2) Any concerns using this on a VM? testing with 3.5.0 on a ubuntu VM.
> Plan to upgrade to 3.8.0 soon. We only have about 15 endpoints and most of
> the calls are to external entities. Maybe 3-4 concurrent calls are
> average, but this is becoming an issue with the V2IU bandwidth especially
> as we use video more.
> // Network
> T1/Cable Internet ---- V2IU WAN (embedded gatekeeper) --- LAN ---- Polycom
> HDX endpoints
> We've outgrown the T1, cable isn't reliable all the time and we're bumping
> up on a 3Mbps throttle that the V2IU is enforcing.
> Fiber Internet ---- Fortigate Firewall ---- VIP (Destination NAT) --- LAN
> V2IU or GNUGK ---- Polycom HDX
> Outbound from HDX's or GNUGK NAT's with the public VIP we're using.
> I've setup the VIP policies on the Fortigate with h323 and ras session
> helpers to dynamically open the pinhole ports needed.
> This works with both the V2IU and GNUGK when calling in from most devices.
> (Other HDX's, Lifesize, etc..) When calling from CMA I keep getting Q931
> errors on both. I suppose this points to something on the firewall, though
> it seems I'll have more options with gnugk. Am not sure what to try next.
> Sample call output is below. I've been through various iterations of
> settings without any success. At the moment it's basically just
> GKRouted=1. h245Routed, proxy mode and all kinds of port settings have
> been tried as well.
> ProxyChannel.cxx(1723) Q931s Received: Setup CRV=10425 from
> singleton.cxx(24) Create instance: PreliminaryCallTable(9)
> RasTbl.cxx(4640) CallTable::Insert(CALL) Call No. 1, total sessions
> : 1
> gkacct.cxx(964) GKACCT Successfully logged event 1 for call no. 1
> ProxyChannel.cxx(4606) Q931s Call 1 is NAT type 0
> ProxyChannel.cxx(1519) Call 1: h245Routed=0 proxy=0
> ProxyChannel.cxx(7389) Q931d Could not open/connect Q.931 socket at
> GNUGK.LAN.IP:0 - error 9/110: Connection timed out
> ProxyChannel.cxx(6997) Q931 EXTERNAL.FIBER.IP:1720 DIDN'T ACCEPT THE
> RasTbl.cxx(5114) CDR ignore not connected call
> gkacct.cxx(964) GKACCT Successfully logged event 2 for call no. 1
> yasocket.cxx(821) Q931d Delete socket EXTERNAL.FIBER.IP:1720
> yasocket.cxx(821) Q931s Delete socket EXTERNAL.CMA-IP:14712
> RasTbl.cxx(2667) Gk Delete Call No. 1
> Thank You,
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
------------------------------------------------------------------------------ One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________________ Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users Homepage: http://www.gnugk.org/