• Second, if translation services are needed to place outgoing calls. Translation services provide the capability to reference H.323 services that may not have a registered DNS address: for example, a personal email address, a Plain Old Telephone System (POTS) device phone number, and so on.

Think of this powerful capability as a sort of name resolution for the rest of us. Here's how it works:
1. You use NetMeeting 3.0 to place a call to me at roberta@peachweaver.com. Neither one of us has a valid, Internet-routable IP address, nor will our internal addresses be exposed on the Internet.
2. NetMeeting connects with your in-house H.323 Gatekeeper.
3. The Gatekeeper knows that peachweaver.com is not an internal address and so forwards the request to ISA Server.
4. ISA Server looks up the address for peachweaver.com and sends the query over the Internet to peachweaver.com.
5. The ISA Server at peachweaver.com receives the request for roberta@peachweaver.com and contacts its internal H.323 Gatekeeper.
6. The H.323 Gatekeeper translates the alias into a network address.
7. The ISA Server at peachweaver.com sends notice to your ISA Server and creates the connection.
8. The ISA Server holds the link open.
Restrictions can be set within the ISA Server Gatekeeper to prevent or allow video, audio, T.120 data (the real-time multipoint data connections and conferencing standard), and application sharing, and to limit the hours this service is available. These restrictions are set on the Property pages for the H.323 Gatekeeper.

Registration, Admission and Status

H.323 communications are origination endpoint to destination endpoint (usually client). These endpoints should be registered with the Gatekeeper using the H.323 Registration, Admission and Status (H.323 RAS) protocol. Although you can add static registrations (always active and cannot receive inbound calls) using the H.323 Gatekeeper, you should only do this for those endpoints that cannot use the H.323 RAS protocol.

H.323 RAS alias addressing supported by the H.323 Gatekeeper is of three types from two versions of the protocol (see Table 7.1). Aliases consist of a type and a name.
TABLE 7.1  H.323 RAS ALIAS ADDRESSING

Type        Format                                                        H.323 RAS Version
E-Mail-ID   Internet-type email addressing                                Two
H.323-ID    DNS strings, email addresses, account names, computer names   One
E164        Phone number addressing; characters 0–9 only                  One
An example of some of these types of addresses can be seen by right-clicking the active terminal in the ISA Management Console and displaying its Properties page (see Figure 7.1).

FIGURE 7.1  Example of H.323 RAS alias address types.

The Registration Process

Endpoints can be an H.323 client, such as a proxy server (ISA Server) or a client running NetMeeting, or an H.323 gateway. Registration includes:

• Endpoint Q.931 (IP address plus port) addresses
• H.323 RAS addresses for the endpoint
• List of aliases

Client registration to the database is often done by simply entering the Gatekeeper IP address in the client application. For example, in Microsoft NetMeeting, the Tools, Options, Advanced Calling dialog box has a place to enter registration information (see Figure 7.2). The H.323 protocol then contacts the H.323 Gatekeeper and registers the client automatically.
Rule Processing—What Happens When a Request Is Received?

You must define Gatekeeper rules in the ISA Server Gatekeeper service management snap-in. To do so, you first define destinations, and then phone, email, and IP address rules. Each type of request, either inbound call or outbound call, follows its own processing algorithm.

Inbound Calls

When an inbound call is received, the following processing takes place:
1. The type of alias is identified (email, H.323, or E164).
2. The alias is compared to its rule database.
3. Rules matching the pattern are added to an ordered rule list.
4. Rules are then sorted by metric from lowest to highest.
5. The rules are processed until the request either is resolved or fails.
6. A confirmation or rejection is sent to the requesting client.
Outbound Calls

Outbound calls are calls that are received by the H.323 Gatekeeper from internal clients. They might be resolvable to other internal client addresses or to other domains.

When outbound calls are made to the local domain, the following processing takes place:

1. A registered client places an outbound call.
2. An admission request is sent to the H.323 Gatekeeper and includes the destination alias.
3. If the Gatekeeper finds an address for the destination alias, an admission confirmation is sent to the client that includes the destination address.
4. If the Gatekeeper does not find an address for the destination alias, it continues to process its rules to attempt a resolution.
5. If no resolution is found, the request fails.
If the request is for another domain, the H.323 Gatekeeper searches its list of rules and returns a weighted list. The list is processed until it finds either a specific rule for that domain or, if none exists, a rule to manage all other domains (one whose domain identification information is empty). Domain-specific rules may simply contain the fully qualified domain name for an alias. The ISA Server will use DNS to find the IP address of the domain.

H.323 Gatekeeper Limitations and Other Considerations

While the features and services provided by the H.323 Gatekeeper service are awesome, you should also be aware of some of its limitations and issues:

• No security features are provided by the H.323 protocol. However, features included in the ISA Server H.323 Gatekeeper service can be used to reduce the risk incurred by allowing the use of this protocol through a firewall. Allowing audio, video, and data conferencing through a firewall requires the opening of multiple ports. The H.323 application filter manages dynamic opening and closing of these ports, which is preferable to static packet filters. However, ports are still opened. Gatekeeper rules are routing rules, not security rules. However, you can configure the H.323 filter to limit the types of H.323 communications, such as data; this may primarily be used to limit bandwidth requirements, but it will also reduce vulnerability by reducing the range of ports that are open. Ports used in H.323 communications are listed in Table 7.2.
• Clients internal to an H.323 Gatekeeper cannot register with an H.323 Gatekeeper on the Internet. (No signaling, or the transfer of RAS-style H.323 registration, is supported across an ISA Server.)
• Uniqueness of aliases in general is not enforced; however, Q.931 addresses must be unique.
• An H.323 Gatekeeper running on an internal network cannot exchange location messages with one running on the Internet. (No signaling is supported across ISA Server.)
• Clients may register using one alias from multiple locations because the Gatekeeper uses the most recently active terminal for an alias.

NOTE  Use Rules as Tools

Create rules for foreign domains to make their use easier for internal clients. For example, the fully qualified domain name of an ILS server can be quite long, such as ils.public.techtopics.Microsoft.mythoughts.peachweaver.com. Quite a mouthful, or should I say handful, to be typed. Instead, create a rule for the domain (MStopics, or some other useful acronym) that will then resolve to the FQDN. Users need only type in "MStopics" to reach the ILS server.
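The following is an added example, not code from this book or from ISA Server itself. It models three things described above in one runnable piece: the alias classification of Table 7.1, a registration database in which Q.931 addresses are unique but aliases are not (the most recently registered terminal wins a shared alias), and the rule-processing order of the Rule Processing section: match, sort by metric, process until resolved or failed, falling through to the rule for all other domains and a DNS lookup of the foreign domain, as in the roberta@peachweaver.com call sequence. The registration entries, rules and DNS answers are constructed for illustration; the use of an SRV record named _q931._tcp.<name> to locate the next hop follows the DNS record the Configuring DNS section has you create, and the tie-break between a domain-specific rule and the catch-all rule on equal metrics is an assumption.

```python
"""Added example: a model of the ISA Server H.323 Gatekeeper's alias
classification, registration database and rule processing."""
import re


# --- (1) alias classification, Table 7.1 ------------------------------------
def alias_type(alias: str) -> str:
    """E164 aliases contain only the characters 0-9; anything of the form
    name@domain is an E-Mail-ID; other strings (DNS names, account names,
    computer names) are treated as H.323-IDs."""
    if re.fullmatch(r"[0-9]+", alias):
        return "E164"
    if re.fullmatch(r"[^@\s]+@[^@\s]+", alias):
        return "E-Mail-ID"
    return "H.323-ID"


# --- (2) registration database ----------------------------------------------
class RegistrationDatabase:
    def __init__(self):
        self.endpoints = {}   # Q.931 address "ip:port" -> list of aliases
        self._owner = {}      # alias -> Q.931 address of most recent registrant

    def register(self, q931_addr: str, aliases):
        # A Q.931 address identifies exactly one endpoint: re-registering it
        # refreshes that endpoint and drops the aliases it held before.
        for old in self.endpoints.pop(q931_addr, []):
            if self._owner.get(old) == q931_addr:
                del self._owner[old]
        self.endpoints[q931_addr] = list(aliases)
        for alias in aliases:
            # Aliases are not unique: the terminal that registered most
            # recently takes over an alias already held by another terminal.
            self._owner[alias] = q931_addr

    def lookup(self, alias: str):
        return self._owner.get(alias)


# --- (3) rule processing ----------------------------------------------------
class Rule:
    """destination is "REGISTRATION_DB" (resolve locally), "DNS" (look up the
    alias's own domain, as the text says ISA Server does for foreign domains)
    or the name of a gateway/proxy destination defined on the server.
    An empty domain makes this the rule for all other domains."""
    def __init__(self, name, domain, destination, metric):
        self.name, self.domain = name, domain.lower()
        self.destination, self.metric = destination, metric


def ordered_rules(rules, domain):
    """Steps 2-4: collect matching rules and sort by metric, lowest first.
    On equal metrics a domain-specific rule precedes the catch-all (assumed)."""
    matching = [r for r in rules if r.domain in ("", domain)]
    return sorted(matching, key=lambda r: (r.metric, r.domain == ""))


def resolve(alias, rules, regdb, dns):
    """Returns (status, detail): CONFIRM with a Q.931 address, FORWARD with
    the host:port of the next hop, or REJECT with the reason."""
    kind = alias_type(alias)                                   # step 1
    if kind == "E164":
        return ("REJECT", "E164 aliases are routed by phone number rules")
    if kind == "H.323-ID":                                     # no domain part
        addr = regdb.lookup(alias)
        return ("CONFIRM", addr) if addr else ("REJECT", "unregistered H.323-ID")
    domain = alias.split("@", 1)[1].lower()
    for rule in ordered_rules(rules, domain):                 # step 5
        if rule.destination == "REGISTRATION_DB":
            addr = regdb.lookup(alias)
            if addr:
                return ("CONFIRM", addr)
            continue                                           # try the next rule
        target = domain if rule.destination == "DNS" else rule.destination
        # Assumed: the next hop is located through the SRV record
        # _q931._tcp.<name> (port 1720) described in the DNS section.
        srv = dns.get(f"_q931._tcp.{target}")
        if srv:
            return ("FORWARD", f"{srv[0]}:{srv[1]}")
    return ("REJECT", "no rule resolved the alias")           # step 6


# Constructed sample data, not taken from any real deployment.
REGDB = RegistrationDatabase()
REGDB.register("10.0.0.5:1720", ["alice@example.com", "ALICE-PC"])
REGDB.register("10.0.0.9:1720", ["alice@example.com"])   # same alias, newer terminal
RULES = [
    Rule("local users", "example.com", "REGISTRATION_DB", 1),
    Rule("business partner", "partner.example", "gk.partner.example", 1),
    Rule("all other domains", "", "DNS", 10),
]
DNS = {  # constructed SRV answers as (target host, port)
    "_q931._tcp.peachweaver.com": ("isa.peachweaver.com", 1720),
    "_q931._tcp.gk.partner.example": ("gk.partner.example", 1720),
}

if __name__ == "__main__":
    for a in ("alice@example.com", "roberta@peachweaver.com",
              "bob@partner.example", "nobody@example.com", "ALICE-PC"):
        print(a, "->", resolve(a, RULES, REGDB, DNS))
```

Note what nobody@example.com shows: the domain-specific rule matches but finds no registration, so processing continues to the catch-all rule, whose DNS lookup of example.com also fails, and only then is a rejection returned. That is the "continues to process its rules" behaviour of step 4 for outbound calls.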
TABLE 7.2  PORTS USED IN H.323 COMMUNICATIONS

Port (Protocol)   Use
389 (TCP)         Internet Locator Server
522 (TCP)         User Location Service
1503 (TCP)        T.120
Not every ISA Server will want to serve as an H.323 Gatekeeper. The H.323 Gatekeeper can be added during installation or at a later time. To add an H.323 Gatekeeper to ISA, follow these steps:

1. Enable and configure H.323 protocol access.
2. Configure DNS.
3. Add the H.323 Gatekeeper to ISA Server.
4. Enable fast kernel mode.
Enabling and Configuring H.323 Protocol Access

Before you can use the H.323 Gatekeeper service, you must enable and configure H.323 protocol access. The first step in doing this is to enable H.323. You will also want to fine-tune this access by creating protocol rules.

Enabling H.323 Protocol Access

An application filter for H.323 is provided with ISA Server. This is separate from the H.323 Gatekeeper service and is used to filter the H.323 protocol. H.323 protocol access is disabled by default on an ISA Server that is installed without the H.323 Gatekeeper service. (When the H.323 Gatekeeper service is installed, protocol access is enabled.) Because the Gatekeeper service may not be installed on every ISA Server, but you may want to pass H.323 traffic through other ISA Servers in your enterprise, you will want to enable H.323 protocol access on those ISA Servers. If the Gatekeeper service was not installed, use Step by Step 7.1 to enable the filter. In addition, you will want to select appropriate call access control.
STEP BY STEP 7.1  Enable the H.323 Protocol Filter

1. In the ISA Management Console, navigate to Internet Security and Acceleration Server/Servers and Arrays/name/Extensions/Application Filters, right-click H.323 filter, and click Properties.
2. On the General tab (see Figure 7.4), click Enable This Filter.
3. On the Call control tab (see Figure 7.5), make the selections to configure the type of overall control you desire. Granular control over access is accomplished by using protocol rules. Table 7.3 lists the overall options and explains them. Click OK.
TABLE 7.3  CONFIGURING H.323 CALL CONTROL

Option                                   Explanation
Use this Gatekeeper                      Specify a Gatekeeper to use. Enter the FQDN of the ISA Server that hosts the service.
Call direction                           Indicate the direction of call allowed.
  Allow incoming calls                   People from other organizations will be allowed to call your people.
  Allow outgoing calls                   People in your organization will be allowed to call other people over the Internet.
Use DNS Gatekeeper lookup and LRQs       Look up aliases using the Gatekeeper.
  for alias resolution
Media Control                            Control the type of media allowed.
  Allow audio                            Allow audio.
  Allow video                            Allow video.
  Allow T120 and application sharing     Allow this protocol.
Establishing Protocol Rules

To fine-tune the access to the H.323 services, write protocol rules. Step by Step 7.2 describes the process.
STEP BY STEP 7.2  Creating H.323 Protocol Rules

1. If necessary, create policy elements, such as a schedule, before creating the rule.
2. In the ISA Management Console, right-click Protocol Rules and select New Rule.
3. Enter a name for the rule and click Next.
4. Select Allow or Deny and click Next.
5. On the New Protocol Rule Wizard/Protocols page, in the Apply This Rule To drop-down box, select Selected Protocols. Then use the Protocols drop-down box to select the H.323 protocol, and click Next (see Figure 7.6).
6. On the New Protocol Rule Wizard/Schedule page, use the drop-down box to select the schedule that represents the hours and days you will allow or deny protocol access (see Figure 7.7) and click Next.
7. On the New Protocol Rule Wizard/Client Type page, select whether to grant or deny access to clients by IP address, user name, or group, then click Next.
8. Review the configuration and click Finish.

FIGURE 7.6  Select the H.323 protocol.
Configuring DNS

In order for H.323 proxies outside your organization to locate the ISA Server that hosts the H.323 Gatekeeper service, you must configure a DNS service location (SRV) resource record. Instructions follow (see Step by Step 7.3) for creating this record on a Windows 2000 DNS Server. To create this record in other DNS systems, follow the instructions for creating resource records in those systems.
STEP BY STEP 7.3  Creating a DNS Service Location Resource Record

1. From Start, Programs, Administrative Tools, select DNS.
2. In the DNS console, select dnsserver/Forward Lookup Zones/the zone the ISA Server is in.
3. Right-click the zone and choose Other New Records.
4. In the Resource Record Type dialog box, select Service Location.
5. Click the Create Record button (see Figure 7.8).
6. In the New Resource Record/Service drop-down box, select or type Q931.
7. In the Protocol box, select _tcp.
8. In Port Number, type 1720.
9. In Host Offering This Service, type the external FQDN of the ISA Server computer that hosts the H.323 service (see Figure 7.9).
10. Click OK, then click Done. The resource record is added to the _tcp folder of the forward lookup zone (see Figure 7.10). Close the DNS console.
Adding the H.323 Gatekeepers

When the Gatekeeper service is installed, a local Gatekeeper is added to the ISA Server. If you want to manage other Gatekeepers from this server, you can add them by right-clicking the H.323 Gatekeeper folder, selecting Add Gatekeeper, and choosing the target machine by entering the FQDN of the other system.
Enabling Fast Kernel Mode and Data Pumping

Several protocols require secondary connections; H.323 is one of them. Because ISA Server maintains and processes this information as part of NAT, there is some delay while the access rights of the secondary connection are processed. However, in most cases this extra permission check is unnecessary, as the secondary connection is never initiated until the primary connection has been accomplished. If the primary connection is approved, there is no need to perform a separate authorization for the secondary connection. You can allow ISA Server to skip this step, and therefore improve throughput, by enabling IP routing. This process is known as fast kernel mode or data pumping. Because data on secondary connections is maintained for NAT clients in kernel mode, performance gains can be significant. The trade-off is exactly that skipped step: the secondary connections are then protected by the approval of the primary connection and by the packet filters, not by a check of their own.

While caution would seem to indicate that one should not allow IP routing on a firewall, IP routing in ISA Server is not allowed unless packet filtering is enabled. With packet filtering enabled first, no packets that are not allowed by a packet-filtering rule will be routed. An application filter for the protocol must be installed on the server.

To enable fast kernel mode, open the Properties page of the IP Packet Filters folder and, on the General tab, check the boxes for Enable Packet Filtering and Enable IP Routing.
Gatekeeper Administration

In addition to establishing the Gatekeeper and identifying call control, an administrator can restrict its usage by creating Gatekeeper rules (see the section "Configure Gatekeeper Rules" later in this chapter), and by setting parameters in the Gatekeeper Property pages, as defined in Table 7.4.

TABLE 7.4  SETTING GATEKEEPER PROPERTIES

Property Page   Item                                            Explanation                                                      Figure
Network         Network Adapters                                Select the network adapters that the Gatekeeper service uses.    7.11
Advanced        Expiration Times/Registration expiration time   Set time limit on the registration: how long will registered     7.12
                                                                clients remain in the database?
Advanced        Expiration Times/Active Call expiration time    Set time limit on active calls.
Advanced        Registration Database/Database file size        Configured at Gatekeeper creation.
Advanced        Registration Database/Compact Database          Compact the database.

FIGURE 7.11  Selecting network adapters.

FIGURE 7.12  Advanced features.
STEP BY STEP 7.4  The Add Destination Wizard

1. Right-click the H.323 Gatekeeper/name/Call Routing/Destinations folder and select Add Destination.
2. On the New Destination Wizard/Destination Type page, select one of the options displayed (see Figure 7.13) and click Next.
3. On the New Destination Wizard/Destination Name or Address page, enter the IP address or DNS name for the Gatekeeper to use for this destination (see Figure 7.14) and click Next.
4. On the New Destination Wizard/Destination Description page, type a description and click Next.
5. Review the configuration and click Finish.
Configuring Phone Number Rules

Phone number rules provide a way to determine how all requests that include a specific prefix on the phone number, or that include a specific phone number, are routed. For example, all requests with the prefix 9 (a common prefix to obtain an outside line) might be routed to an ISA Server on a perimeter network. Further routing rules on this ISA Server might route specific requests to an ISA Server Gatekeeper service at another location. When the ISA Server Gatekeeper service at that location receives the call, it might route it by using its local registration database. Use Step by Step 7.5 to create phone number rules.
STEP BY STEP 7.5  Creating a Phone Number Rule

1. Right-click the Phone Number Rules folder and select Add Routing Rule. Click Next.
2. Enter a name and description for the rule and click Next.
3. Enter a prefix or phone number. This routes all calls within the prefix or for this phone number to a destination. If you enter a single phone number, clear the Route All Phone Numbers Using This Prefix check box (see Figure 7.15). Click Next.
4. On the New Routing Rule Wizard/Destination Type page, select the destination type to be used by this rule. Inapplicable destination types will be grayed out (see Figure 7.16). Click Next.
5. Select the destination name and click Next. Destinations configured on this server appear in the Gateways and Proxy Servers box.
6. On the New Routing Rule Wizard/Change a Phone Number page, add a prefix or configure the rule to shorten the number of digits. These operations will be applied to the number dialed before it is routed to the destination (see Figure 7.17). Click Next.
7. Enter a metric and click Next. Metrics are used to help ISA Server determine the order in which routing rules are applied. For more information see the section "Rule Processing" earlier in this chapter.
8. Click Finish.
Configuring Email Address Rules

The default email address rule is set to refer all addresses to the registration database. If you add the DNS domain name to be routed, all aliases for this domain will be resolved using the local registration database. You create additional rules to define where requests with email addresses outside this domain are to be routed (see Step by Step 7.6). For example, you might route all requests with email addresses that include the domain of a business partner to a specific ILS server on your business partner's network.
STEP BY STEP 7.6  Creating an Email Address Rule

1. Right-click the Email Address Rules folder and select Add Routing Rule. Click Next.
2. Enter a name and description for the rule and click Next.
3. Enter a domain name suffix. To route all calls within that DNS domain name suffix, check the box Route All Email Addresses That Include This General DNS Domain Name (see Figure 7.18). Click Next.
4. On the New Routing Rule Wizard/Destination Type page, select the destination type to be used by this rule. Inapplicable destination types will be grayed out (see Figure 7.19). Click Next.
5. Select the destination name and click Next. Destinations configured on this server appear in the Gateways and Proxy Servers box.
6. Enter a metric and click Next. Metrics are used to help ISA Server determine the order in which routing rules are applied. For more information see the section "Rule Processing" earlier in this chapter.
7. Click Finish.
Configure IP Address Rules

Three default IP address rules exist, one for each private addressing range. These rules deny address translation for the private address ranges on the local network (see Figure 7.20). You will define new IP address rules (using Step by Step 7.7) to specify how requests with IP addressing are routed.
STEP BY STEP 7.7  Creating a New IP Address Rule

1. Right-click the IP Address Rules folder and select Add Routing Rule. Click Next.
2. Enter a name and description for the rule and click Next.
3. Enter an IP address and network mask to indicate a range of IP addresses (see Figure 7.21). Click Next.
4. On the New Routing Rule Wizard/Destination Type page, select the destination type to be used by this rule. Inapplicable destination types are grayed out (see Figure 7.22). Click Next.
5. Select the destination name and click Next. Destinations configured on this server appear in the Gateways and Proxy Servers box.
6. Enter a metric and click Next. Metrics are used to help ISA Server determine the order in which routing rules are applied. For more information see the section "Rule Processing" earlier in this chapter.
7. Click Finish.
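The following is an added example, not code from this book or from ISA Server itself. It works through the two rule types just configured: phone number rules (Step by Step 7.5) with prefix or exact-number matching and the "Change a Phone Number" rewrite, and IP address rules (Step by Step 7.7) matched by address and network mask, including the three default rules that deny translation for the private ranges. In both cases the matching rules are taken lowest metric first, as in the Rule Processing section. The destinations, metrics and address ranges are constructed; the metric of 0 given to the default private-range rules, and the order in which digits are stripped before a prefix is added, are assumptions.

```python
"""Added example: ISA Server-style phone number and IP address routing rules."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PhoneRule:
    name: str
    number: str              # E164 alias: digits 0-9 only
    use_as_prefix: bool      # "Route All Phone Numbers Using This Prefix"
    destination: str
    metric: int
    strip_digits: int = 0    # Change a Phone Number: drop this many leading digits
    add_prefix: str = ""     # ... and then prepend these digits (order assumed)

    def matches(self, dialed: str) -> bool:
        if self.use_as_prefix:
            return dialed.startswith(self.number)
        return dialed == self.number

    def rewrite(self, dialed: str) -> str:
        return self.add_prefix + dialed[self.strip_digits:]


def route_phone(dialed: str, rules):
    """Returns (destination, number as sent to the destination), or None
    when no rule matches and the request fails."""
    if not all(c in "0123456789" for c in dialed):
        raise ValueError("E164 aliases may contain only the characters 0-9")
    matching = sorted((r for r in rules if r.matches(dialed)), key=lambda r: r.metric)
    for rule in matching:                 # lowest metric first
        return rule.destination, rule.rewrite(dialed)
    return None


@dataclass
class IPRule:
    name: str
    network: ipaddress.IPv4Network   # IP address plus network mask
    action: str                      # "deny" (no translation) or "route"
    destination: Optional[str]
    metric: int


def private_range_rules():
    """The three default IP address rules: no address translation for the
    private ranges on the local network. Metric 0 (assumed) puts them
    ahead of any rule an administrator adds for an overlapping range."""
    return [IPRule(f"private {net}", ipaddress.ip_network(net), "deny", None, 0)
            for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def route_ip(address: str, rules):
    """Returns (action, destination) of the best matching rule, or None."""
    ip = ipaddress.ip_address(address)
    matching = sorted((r for r in rules if ip in r.network), key=lambda r: r.metric)
    for rule in matching:
        return rule.action, rule.destination
    return None


# Constructed sample rules, not taken from any real deployment.
PHONE_RULES = [
    PhoneRule("outside line", "9", True, "isa-perimeter.example.com", 10, strip_digits=1),
    PhoneRule("campus extensions", "4", True, "gk.campus.example.com", 5),
    PhoneRule("help desk", "4000", False, "gw.hq.example.com", 1, add_prefix="1555"),
]
IP_RULES = private_range_rules() + [
    IPRule("partner conferencing", ipaddress.ip_network("203.0.113.0/24"),
           "route", "gk.partner.example", 10),
]

if __name__ == "__main__":
    for n in ("95551234", "4000", "40017", "5551234"):
        print(n, "->", route_phone(n, PHONE_RULES))
    for a in ("10.1.2.3", "203.0.113.7", "198.51.100.1"):
        print(a, "->", route_ip(a, IP_RULES))
```

The help desk number 4000 is matched by both the campus prefix rule and the exact-number rule; the exact rule wins only because its metric is lower, which is the behaviour the wizard's metric step is there to control. A dialed 10.x address never reaches the partner rule because the default private-range rule matches first and denies translation.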
FIGURE 7.20  Default IP address destinations.

FIGURE 7.21  Enter IP address.

So, how will you benefit from using the H.323 Gatekeeper service? There are at least three distinct deployment scenarios, and more scenarios can be developed by combining these:

• Intra-enterprise. Internal users register their NetMeeting (or other H.323-compliant) software with the H.323 Gatekeeper service by using an email address (or phone number). They can call each other using this alias and participate in audio, video, and data sharing on the internal network. H.323 communications outside the network may be blocked.