H323 support in PAN-OS
Tech Note
PAN-OS 4.1
Revision 1.0
©2011, Palo Alto Networks, Inc.
Contents
Overview
H.323 overview
H323 support in PAN-OS
Supported scenarios-Direct calls
  Case 1: Vwire and Layer2 mode
  Case 2: Layer3 mode
  Case 3: Layer3 mode with NAT
  Case 4: Layer3 mode with bi-directional static NAT
  Case 5: H323 terminals across IPSec tunnel
Supported scenarios-Calls with Gatekeeper
  Gatekeeper routed calls
  Direct calls
  Outgoing calls: Layer3 mode with NAT
  Incoming calls: Layer3 mode with NAT
Revision History
Overview
This document details H323 and SIP support in PAN-OS. It also discusses the tested and supported topologies with PAN-OS
firewalls and H323 and SIP capable devices.
H.323 overview
H.323 is a recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols to
provide audio-visual communication sessions on any packet network. The H.323 standard addresses call signaling and
control, multimedia transport and control, and bandwidth control for point-to-point and multi-point conferences.
H.323 is an umbrella standard composed of protocols and frameworks such as:
- H.225
- H.245, for call control and capability negotiation
- H.235, the security framework
- RTP, the Real Time Protocol defined by the IETF, used to transmit audio/video streams
- Q.931, used for call signaling
- H.450.x, for supplementary services such as call transfer, forwarding, call offering, call intrusion and more
The H.323 protocol requires the use of specific static ports as well as a number of dynamic ports within the range
1024-65535. For H.323 to cross a port-based firewall, the static ports and all ports within the dynamic range must be
opened for all traffic, which creates a security issue that could render the firewall ineffective.
A typical H323 network includes all or some of these entities:
- H323 terminals: endpoints that enable real-time voice or video communication
- MCU/MP/MC: a device used for multiparty conferencing. It consists of two functional blocks, a Multipoint
Controller (MC) and a Multipoint Processor (MP), where the latter is responsible for mixing the audio/video
channels for the conference
- Gateways: enable communication between legacy circuit-switched networks and IP networks
- Gatekeepers: H323 gatekeepers are an optional component in an H323 network. They provide services such as
address translation (resolving H.323 IDs such as blah@domain.com and E.164 numbers, i.e. standard telephone
numbers, to endpoint IP addresses), network access control for H.323 terminals, gateways, and MCUs, bandwidth
management, accounting, and dial plans.
H323 support in PAN-OS
PAN-OS offers support for the following applications: H.245 and H.225. In order to allow H323 between terminals, the
security policy must include all of these applications. The media sessions, RTP and RTCP, are predicted from the
signaling, and dynamic pinholes are created in the firewall to allow these sessions.
Supported scenarios-Direct calls
In these scenarios, the H323 terminals can initiate and respond to calls directly between each other without the H323
gatekeeper. The following scenarios for direct calls are tested and supported in PAN-OS version 4.1.
Case 1: Vwire and Layer2 mode
In this scenario, both terminals can initiate calls to each other.
Case 2: Layer3 mode
In this scenario, both terminals can initiate calls to each other.
The security policy for the above two scenarios is shown below. The internal terminal and the external terminal are not
registered with a gatekeeper; the internal terminal calls the external terminal by dialing its IP address directly.
Case 3: Layer3 mode with NAT
A source NAT policy exists for translating all traffic from the trust zone to the untrust zone. In such a case, the terminal
in the trust zone can only initiate calls to the terminals in the untrust zone; it cannot receive calls from them.
Case 4: Layer3 mode with bi-directional static NAT
A static NAT rule with the bi-directional option enables the terminal in the trust zone to initiate outbound calls, and the
terminals in the untrust zone to initiate calls to the terminal 10.1.1.10 via its public IP address 20.1.1.10.
Case 5: H323 terminals across IPSec tunnel
The terminals on either side of the tunnel can initiate and respond to calls directly, without any need for NAT, since the
traffic goes through the IPSec tunnel. If the tunnel interface is configured in its own zone (a VPN zone), the security
policies must be configured between the VPN and trust zones.
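As an added illustration (a constructed model, not PAN-OS code or configuration from this note), the following Python walks one direct call through the stages described under "H323 support in PAN-OS" and in Cases 3 and 4 above: the H.225 and H.245 signaling permitted by policy, the RTP/RTCP pinholes predicted from H.245, and the difference between a source NAT rule (outbound calls only) and a bi-directional static NAT rule (inbound calls reach 10.1.1.10 via 20.1.1.10). The port numbers 11720, 49152 and 50000 and the assumption that RTCP uses the RTP port plus one are constructed for the example.

```python
"""Model of an H.323-aware firewall with NAT (constructed example, not PAN-OS code).

Stages modelled: H.225 Setup on the static port 1720, the H.245 address carried in
H.225 Connect, and the RTP/RTCP ports announced in H.245 OpenLogicalChannelAck.
Pinholes are opened only for ports learned from signaling, and addresses embedded
in the signaling are rewritten when the terminal sits behind NAT. Addresses follow
the tech note: 10.1.1.10 (terminal 666), 20.1.1.10 (its public address) and
66.220.12.100 (terminal 420 on the untrust side). Port numbers are constructed.
"""
from dataclasses import dataclass, field

H225_PORT = 1720                    # static TCP port for H.225 call signaling
DYNAMIC_RANGE = range(1024, 65536)  # what a port-based firewall would have to open


@dataclass
class Nat:
    private_ip: str
    public_ip: str
    bidirectional: bool  # False: source NAT only (Case 3); True: static bi-directional (Case 4)


@dataclass
class H323Firewall:
    nat: Nat
    # (proto, sender_ip, receiver_ip, receiver_port) pinholes learned from signaling
    pinholes: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def translate(self, ip):
        """Rewrite the private address (in IP headers and in embedded payload) to its public one."""
        return self.nat.public_ip if ip == self.nat.private_ip else ip

    def setup(self, src, dst):
        """H.225 Setup to TCP 1720. An inbound Setup to the public address is only
        deliverable when the NAT rule is bi-directional (Case 4)."""
        if dst == self.nat.public_ip and not self.nat.bidirectional:
            self.log.append(f"DROP h.225 {src}->{dst}:{H225_PORT} (no inbound NAT mapping)")
            return False
        self.log.append(f"ALLOW h.225 {self.translate(src)}->{dst}:{H225_PORT}")
        return True

    def connect(self, src, dst, h245_ip, h245_port):
        """H.225 Connect from the called party announces its H.245 address; the caller
        will open a TCP connection to it, so one pinhole is created for that port."""
        pub = self.translate(h245_ip)
        if pub != h245_ip:
            self.log.append(f"REWRITE embedded H.245 address {h245_ip} -> {pub}")
        self.pinholes.add(("tcp", self.translate(dst), pub, h245_port))
        return pub, h245_port

    def open_logical_channel_ack(self, src, dst, rtp_ip, rtp_port):
        """H.245 OpenLogicalChannelAck announces where the sender wants to receive
        RTP; RTCP is assumed to use the next port. Both get a UDP pinhole."""
        pub = self.translate(rtp_ip)
        if pub != rtp_ip:
            self.log.append(f"REWRITE embedded RTP address {rtp_ip} -> {pub}")
        for port in (rtp_port, rtp_port + 1):
            self.pinholes.add(("udp", self.translate(dst), pub, port))
        return pub, rtp_port


def outbound_call(fw):
    """Terminal 666 (trust) calls terminal 420 (untrust) directly by IP address."""
    if not fw.setup("10.1.1.10", "66.220.12.100"):
        return False
    # called party announces its H.245 port, then each side announces its RTP port
    fw.connect("66.220.12.100", "10.1.1.10", "66.220.12.100", 11720)
    fw.open_logical_channel_ack("10.1.1.10", "66.220.12.100", "10.1.1.10", 49152)
    fw.open_logical_channel_ack("66.220.12.100", "10.1.1.10", "66.220.12.100", 50000)
    return True


def inbound_call(fw):
    """Terminal 420 calls the public address of terminal 666."""
    return fw.setup("66.220.12.100", "20.1.1.10")


if __name__ == "__main__":
    for bidir in (False, True):
        fw = H323Firewall(Nat("10.1.1.10", "20.1.1.10", bidirectional=bidir))
        outbound_call(fw)
        inbound_call(fw)
        print(f"bi-directional NAT={bidir}: {len(fw.pinholes)} pinholes learned from "
              f"signaling vs {len(DYNAMIC_RANGE)} ports for a blanket port-range rule")
        print("\n".join(fw.log))
```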
Supported scenarios-Calls with Gatekeeper
Before we discuss the supported gatekeeper scenarios, we will cover the basic difference between the gatekeeper routed and
direct call models. With a gatekeeper in the network, all terminals must register with the gatekeeper.
Gatekeeper routed calls
In gatekeeper routed calls, the gatekeeper acts as a proxy for all signaling messages. In this example, when the terminal with
number 666 tries to call another terminal at 420, it sends an Admission Request (ARQ) message to the gatekeeper to find
the IP address for the number 420. The gatekeeper responds to this request with an Admission Confirm message containing
the gatekeeper's own IP address; the gatekeeper then proxies all signaling messages.
Direct calls
In this example, when the terminal with number 666 tries to call another terminal at 420, it sends an Admission Request
(ARQ) message to the gatekeeper to find the IP address for the number 420. The gatekeeper responds to this request with an
Admission Confirm message containing the recipient terminal's IP address, and the terminals then signal directly.
Note:
- PAN-OS does not support gatekeeper routed calls
- Multi-gatekeeper topologies are not supported
Note: There must be a NAT rule in place to translate the source address of outbound connections from terminal 666 with IP
10.1.1.10.
Note: The private IP address of terminal 666 must be mapped to a public IP address using either static NAT or destination
NAT.
The difference between gatekeeper-signaled and direct-signaled calls is the role of the gatekeeper in the H.225 session. If a
gatekeeper is involved in the H.225 session, the call is a gatekeeper-signaled call.
Outgoing calls: Layer3 mode with NAT
In this deployment, bi-directional static NAT is used to map the gatekeeper address 10.1.1.100 to 20.1.1.100. All terminals
in the trust zone register with the gatekeeper using address 10.1.1.100, and the clients in the untrust zone reach the
gatekeeper using the address 20.1.1.100.
1. Terminal 666 initiates a call to terminal 420 by sending an ARQ message to the gatekeeper
2. The gatekeeper responds with the IP address 66.220.12.100
3. Terminals 666 and 420 establish a connection directly
Incoming calls: Layer3 mode with NAT
1. Terminal 420 initiates a call to terminal 666 by sending an ARQ message to the gatekeeper
2. The gatekeeper responds with the public IP address of terminal 666
3. Terminals 666 and 420 establish a connection directly
Calls across IPSec tunnel
With a site-to-site IPSec VPN, all the hosts on either side of the tunnel are reachable using their private IP addresses. The
hosts register with the gatekeeper using their real IP addresses. No NAT is required in this scenario.
If the tunnel interface is configured in its own zone (a VPN zone), the security policies must be configured between the
VPN and trust zones.
Revision History
Date        Revision  Comment
10/31/2011  1         First published draft
www.paloaltonetworks.com