On Fri, May 4, 2012 at 12:07 PM, Florian von Kurnatowski <
[email protected]> wrote:

> Hi Jan,
>
> thanks for the quick reply. The usecase here is different; this is to
> allow an external, Internet-based Endpoint to register with a central
> gatekeeper located in a DMZ. So for the purposes of firewall configuration,
> it's an inbound connection that needs to be clearly defined.
>
> What is the minimum actual port list that you would recommend for the
> various parameters?
>

By default, with EnableH46018=1 and RTPMultiplexing=1, gnugk will use:

UDP 1719 (H.225 RAS)
TCP 1720 (H.225 CS)
UDP 3000 (RTP)
UDP 3001 (RTCP)


However, if you specify things yourself, you can change things to act more
like a Tandberg VCS:

UDP 1719 (H.225 RAS)
TCP 2776 (H.225 CS)
UDP 2776 (RTP)
UDP 2777 (RTCP)


Like this:

[Gatekeeper::Main]
UnicastRasPort=1719

[RoutedMode]
CallSignalPort=2776
EnableH46018=1

[Proxy]
Enable=1
RTPMultiplexing=1
RTPMultiplexPort=2776
RTCPMultiplexPort=2777


The one thing that cannot be changed is the 1719, unless you specify DNS
SRV records and have endpoints and gateways that honor them.

If your endpoint and other neighboring gatekeepers honor DNS SRV records,
you can change the 1719 above and below as well:

_h323rs._udp.yourserver.yourdomain.com. IN SRV 0 0 1719 yourserver.yourdomain.com.
_h323ls._udp.yourserver.yourdomain.com. IN SRV 0 0 1719 yourserver.yourdomain.com.
_h323cs._tcp.yourserver.yourdomain.com. IN SRV 0 0 2776 yourserver.yourdomain.com.


Note: You are only specifying the destination ports here.  The source ports
used by your endpoint on the source side depend on whether the endpoint
supports bi-directional multiplexing (Tandberg (Cisco) endpoints do not,
but Spranto does, for example).

Most firewalls typically only concern themselves with destination ports and
allow the establishment of new stateful streams based solely on those
destination ports. Beyond that point, they retain TCP handshaking state and
remember UDP "pinhole" state to allow return traffic.

Some firewalls, particularly Juniper, act more like ACLs, and admins
typically restrict source ports as well as destination ports on those.

When you talk with a Juniper firewall administrator, it is important that
you also specify the source port range that your endpoints may use to
originate ephemeral ports for TCP connections and UDP streams.

For example, Tandberg (Cisco) phones typically use a different source port
range when configured as "static" vs "dynamic":


*Dynamic:* The system will allocate which ports to use when opening a TCP connection.
The reason for doing this is to avoid using the same ports for subsequent
calls, as some firewalls consider this as a sign of attack. When Dynamic is
selected, the H.323 ports used are from 11000 to 20999. Once 20999 is
reached they restart again at 11000. For RTP and RTCP media data, the
system is using UDP ports in the range 2326 to 2487. Each media channel is
using two adjacent ports, ie 2330 and 2331 for RTP and RTCP respectively.
The ports are automatically selected by the system within the given range.
Firewall administrators should not try to deduce which ports are used when,
as the allocation schema within the mentioned range may change without any
further notice.

*Static:* When set to Static the ports are given within a static predefined
range [5555-6555].


Because of this, it is critical to discuss both "direction" and "source" or
"destination" with respect to ports, or confusion will arise.

-- 
- Ian Blenke <[email protected]> http://ian.blenke.com
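As an added example (not code from the original thread or from the GNU Gatekeeper project), the following Python script reads a gnugk configuration like the one quoted above, derives the inbound destination-port list a firewall administrator needs (falling back to the defaults Ian listed when a key is absent), and emits matching stateful iptables rules, source-port-restricted rules for the ACL-style firewall case, and the DNS SRV records. The interface name `eth0`, the host name, the iptables rule shapes, and the choice to apply the Tandberg "static" range to both TCP and UDP are assumptions.

```python
import configparser

# Constructed sample: the VCS-style configuration quoted in the mail.
SAMPLE_CONFIG = """
[Gatekeeper::Main]
UnicastRasPort=1719

[RoutedMode]
CallSignalPort=2776
EnableH46018=1

[Proxy]
Enable=1
RTPMultiplexing=1
RTPMultiplexPort=2776
RTCPMultiplexPort=2777
"""

# Defaults stated in the mail, used when the key is not present in the config.
DEFAULT_RAS_PORT = 1719
DEFAULT_CS_PORT = 1720
DEFAULT_RTP_MUX_PORT = 3000
DEFAULT_RTCP_MUX_PORT = 3001

# Tandberg (Cisco) endpoint source-port ranges quoted in the mail. The mail does
# not say which protocol the "static" range covers; applying it to both TCP and
# UDP is an assumption made here.
ENDPOINT_SOURCE_RANGES = {
    "dynamic": {"tcp": (11000, 20999), "udp": (2326, 2487)},
    "static": {"tcp": (5555, 6555), "udp": (5555, 6555)},
}


def parse_gnugk(config_text):
    """Parse gnugk's ini-style config without lowercasing keys such as UnicastRasPort."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(config_text)
    return cp


def inbound_ports(config_text):
    """Return (protocol, port, role) tuples an external endpoint must reach.

    Only destination ports are derived; source ports depend on the endpoint.
    Media collapses to one fixed UDP port pair only with RTP multiplexing on;
    otherwise the per-call RTP/RTCP ports are not a fixed list and are omitted.
    """
    cp = parse_gnugk(config_text)
    ras = int(cp.get("Gatekeeper::Main", "UnicastRasPort", fallback=DEFAULT_RAS_PORT))
    cs = int(cp.get("RoutedMode", "CallSignalPort", fallback=DEFAULT_CS_PORT))
    ports = [("udp", ras, "H.225 RAS"), ("tcp", cs, "H.225 CS")]
    if cp.get("Proxy", "RTPMultiplexing", fallback="0") == "1":
        rtp = int(cp.get("Proxy", "RTPMultiplexPort", fallback=DEFAULT_RTP_MUX_PORT))
        rtcp = int(cp.get("Proxy", "RTCPMultiplexPort", fallback=DEFAULT_RTCP_MUX_PORT))
        ports += [("udp", rtp, "RTP"), ("udp", rtcp, "RTCP")]
    return ports


def iptables_rules(ports, interface="eth0"):
    """Stateful rules: accept NEW flows to the destination ports only, and let
    connection tracking admit the return traffic (assumed rule shape)."""
    rules = [f"iptables -A INPUT -i {interface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for proto, port, role in ports:
        rules.append(
            f"iptables -A INPUT -i {interface} -p {proto} --dport {port} "
            f"-m conntrack --ctstate NEW -j ACCEPT  # {role}"
        )
    return rules


def acl_rules(ports, endpoint_mode="dynamic", interface="eth0"):
    """Rules that also pin the endpoint's source-port range, for firewalls that
    filter on source ports (the ACL-style case in the mail)."""
    ranges = ENDPOINT_SOURCE_RANGES[endpoint_mode]
    return [
        f"iptables -A INPUT -i {interface} -p {proto} --sport {ranges[proto][0]}:{ranges[proto][1]} "
        f"--dport {port} -j ACCEPT  # {role}, {endpoint_mode} endpoint"
        for proto, port, role in ports
    ]


def srv_records(host, ports):
    """DNS SRV records for endpoints that honor them, in the layout the mail shows."""
    by_role = {role: port for _, port, role in ports}
    ras, cs = by_role["H.225 RAS"], by_role["H.225 CS"]
    return [
        f"_h323rs._udp.{host}. IN SRV 0 0 {ras} {host}.",
        f"_h323ls._udp.{host}. IN SRV 0 0 {ras} {host}.",
        f"_h323cs._tcp.{host}. IN SRV 0 0 {cs} {host}.",
    ]


if __name__ == "__main__":
    listed = inbound_ports(SAMPLE_CONFIG)
    for proto, port, role in listed:
        print(f"{proto.upper()} {port} ({role})")
    print("\n".join(iptables_rules(listed)))
    print("\n".join(acl_rules(listed, "dynamic")))
    print("\n".join(srv_records("yourserver.yourdomain.com", listed)))
```

Running it on the sample prints the four destination ports from the mail (UDP 1719, TCP 2776, UDP 2776, UDP 2777); feeding it a config that omits those keys yields the 1719/1720/3000/3001 defaults instead. The separate `acl_rules` output is what to hand to an administrator whose firewall restricts source ports as well, which is exactly the "direction and source/destination" distinction the mail closes on.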