CHAPTER 8
SECURE CLIENTS TO USE H.323 GATEKEEPER
H.323 Gatekeeper facilitates conference calling on your network and allows you to conduct
real-time sessions through the ISA Server firewall. You need to register H.323 clients,
such as Microsoft NetMeeting 3.0, with H.323 Gatekeeper in order to take advantage
of its service.
H.323 Protocol
The H.323 standard is a set of protocols developed by the International Telecommunication
Union (ITU)
networking environments.
It can also bridge audio and video sessions from packet-switched networks, such as
an intranet or the Internet, to circuit-switched and cell-switched networks such as
Integrated Services Digital Network (ISDN), ATM, and the PSTN (POTS).
H.323 defines four major components for a network-based conferencing system:
terminals, gateways, gatekeepers, and multipoint control units (MCUs).
A gatekeeper acts as the central point for conference calls and provides control services
and call routing to registered endpoints. The MCU supports conferences between three
or more endpoints. H.323 can also operate across poor-quality lines.
Overview of H.323 Gatekeeper
As the focal point of the H.323 network, ISA Server’s H.323 Gatekeeper works with
the H.323 protocol filter to provide registered clients with address resolution, call
authentication, and call routing. Clients registered with H.323 Gatekeeper can use its
services to participate in video, audio, and data conferences, in LANs, in WANs, across
multiple firewalls and over the Internet.
Video streaming uses multicast and broadcasts at 60 frames/second on the network.
=====================================================================
winisa8.html PAGE 2 2002/05/29
H.323 Gatekeeper Snap-in
Whenever you perform a full installation of ISA Server, the H.323 Gatekeeper node
appears in the console tree of ISA Management, but you must still add a gatekeeper
before you can begin using the service.
All users can call each other using the called party's well-known alias or phone
number. Users can use audio, video, and T.120 (multipoint) data and application
sharing.
Inter-Enterprise Conference Call Scenario
In this scenario, numerous users within the organization use applications that are compliant
with H.323 Gatekeeper, such as NetMeeting 3.0 or later, and can use audio, video, and T.120
data and application sharing. For example, User 1 can call User 4 by typing
User4@organizationB.Microsoft.com in the NetMeeting 3.0 Place A Call dialog box and then
clicking the Call button.
** See page 311 **
PSTN Call Scenario
The PSTN is a circuit-switched network optimized for real-time voice communication.
To call out to it you need a video card and a microphone, and you should expect high
fees from the local PSTN carrier.
Registering Clients with H.323 Gatekeeper
Every H.323 transaction has two endpoints, an origination endpoint and a destination
endpoint. An endpoint can be an H.323 client (for example, a terminal running NetMeeting),
a proxy server (such as an ISA Server computer running the Web Proxy service), or a
gateway.
NOTE: Statically registered clients cannot accept inbound calls.
H.323 Gatekeeper supports the following three types of H.323 RAS addressing:
Endpoint Attributes
When an endpoint is registered through H.323 RAS, the following attributes are specified:
The Q931 address for the endpoint. For H.323 calls, this address consists of a combination
of the IP address of the endpoint and the port used for H.323 call signalling (by default,
1720). For example, 192.169.0.2:1720 and 10.0.0.5:1720 both constitute Q931 addresses.
NOTE: The Q.931 protocol is a connection-control protocol for establishing connections and
framing data. Roughly comparable to TCP, Q.931 is used to manage connection
setup and teardown for H.323 calls.
The RAS address for the endpoint. This address consists of an IP address and a distinct port
number used for RAS communications. A unique RAS ID number is also assigned to each
registered terminal.
The endpoint's list of aliases.
NOTE: UDP is a connectionless transport protocol, and IP is the connectionless network-layer
protocol that carries it across the Internet; H.323 RAS messages travel over UDP.
ALIASES
An alias consists of two fields, a type and a name, where the type is E164, H323-ID,
or Email-ID.
For example, when you register a NetMeeting client with H.323 Gatekeeper (page 314), the
contents of the account name text box are registered in H.323 Gatekeeper as an H323-ID alias,
and the phone number as an E164 alias.
NOTE: H.323 Gatekeeper enforces unique Q931 addresses, but it does not enforce unique
aliases. Allowing multiple instances of an alias registration with a unique Q931 address enables
the client to register at multiple terminals. Only the most recent registration for an alias is active
for resolving alias requests.
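The registration semantics described above (a unique Q931 address per endpoint, non-unique aliases, most recent alias registration wins) can be modelled in a few dozen lines. The following is an added example, not ISA Server code: the class and function names are illustrative, and the RAS port 1719 used in the sample data is the customary one, where the text only says it differs from the Q931 port.

```python
# Added example modelling the registration rules in the text; not ISA Server code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Q931_DEFAULT_PORT = 1720  # call-signalling port named in the text


@dataclass(frozen=True)
class Alias:
    kind: str  # "E164", "H323-ID" or "Email-ID"
    name: str


@dataclass
class Endpoint:
    q931: str  # "ip:port" used for Q.931 call signalling; must be unique
    ras: str  # "ip:port" used for RAS messages (1719 is the customary port; assumption)
    ras_id: int  # unique RAS ID assigned by the gatekeeper
    aliases: List[Alias] = field(default_factory=list)


def normalize_q931(addr: str) -> str:
    """Accept '10.0.0.5' or '10.0.0.5:1720'; fill in the default port."""
    host, sep, port = addr.partition(":")
    if not sep:
        return f"{host}:{Q931_DEFAULT_PORT}"
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad Q931 port in {addr!r}")
    return f"{host}:{int(port)}"


class RegistrationDB:
    """Minimal model of the gatekeeper's registration database (illustrative name)."""

    def __init__(self) -> None:
        self._by_q931: Dict[str, Endpoint] = {}
        # alias -> Q931 addresses that registered it, oldest first
        self._alias_regs: Dict[Alias, List[str]] = {}
        self._next_ras_id = 1

    def register(self, q931: str, ras: str, aliases: List[Alias]) -> Endpoint:
        q931 = normalize_q931(q931)
        if q931 in self._by_q931:
            # Uniqueness of the Q931 address is enforced...
            raise ValueError(f"Q931 address {q931} is already registered")
        ep = Endpoint(q931, ras, self._next_ras_id, list(aliases))
        self._next_ras_id += 1
        self._by_q931[q931] = ep
        for alias in ep.aliases:
            # ...uniqueness of aliases is not: the same alias may be registered
            # again from a second terminal with a different Q931 address.
            self._alias_regs.setdefault(alias, []).append(q931)
        return ep

    def resolve(self, alias: Alias) -> Optional[str]:
        """Only the most recent registration of an alias is active."""
        regs = self._alias_regs.get(alias)
        return regs[-1] if regs else None

    def registrations(self, alias: Alias) -> List[str]:
        """Every Q931 address registered under alias, oldest first."""
        return list(self._alias_regs.get(alias, ()))


def demo() -> Tuple[Optional[str], Optional[str], bool]:
    """Constructed sample: one user registers from two terminals, then a
    third registration reuses the first Q931 address and is rejected."""
    db = RegistrationDB()
    someone = Alias("H323-ID", "someone@microsoft.com")
    db.register("10.0.0.5", "10.0.0.5:1719", [someone, Alias("E164", "5551234")])
    db.register("10.0.0.6:1720", "10.0.0.6:1719", [someone])
    try:
        db.register("10.0.0.5:1720", "10.0.0.5:1719", [])
        rejected = False
    except ValueError:
        rejected = True
    # Resolving 'someone' yields the newer terminal; an unknown alias yields None.
    return db.resolve(someone), db.resolve(Alias("E164", "5559999")), rejected


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two behaviours that matter operationally: the second terminal silently takes over resolution of the alias, and a duplicate Q931 address is refused rather than overwriting the earlier endpoint.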
Client Address Translation
Any client who wants to be reachable through a well-known alias must register with H.323
Gatekeeper. A well-known alias can be an e-mail address, such as someone@microsoft.com.
In addition, clients must register with H.323 Gatekeeper if they use translation services when
placing outbound calls, for example, if they use NetMeeting 3.0 or later to place a call to a
PSTN device.
NOTE: Outbound calls that do not require translation services may be placed without H.323
Gatekeeper.
From Within Your Company
NetMeeting 3.0 connects to your in-house H.323 Gatekeeper.
The H.323 Gatekeeper does not recognize Microsoft.com as an internal address and
forwards the call to the ISA Server computer within your company.
ISA Server looks up the address for Microsoft.com and sends the query over the
Internet to Microsoft.com.
At the Destination
The remote ISA Server receives the request for someone@microsoft.com and contacts the
internal H.323 Gatekeeper at Microsoft.com to obtain the correct in-house address.
address for ISA Server.
Server at your company and establishes the connection.
holds open the link established by H.323 Gatekeeper.
IP address, and the address will remain hidden from other endpoints by
the ISA Server. This is because the H.323 Gatekeeper performs address
translation for the internal client.
You can set restrictions within the ISA Server H.323 Filter application filter to permit or deny
video, audio, T.120 data, and application sharing. You can also set time restrictions to limit the
hours available for H.323-compliant communications.
Installing H.323 Gatekeeper
H.323 Gatekeeper is installed automatically when the Full Installation option is selected
during ISA Server installation. However, H.323 Gatekeeper can be installed at any time;
this can be done manually through Control Panel if required.
Before installing H.323 Gatekeeper, consider the following:
running
have installed the ISA Server and H.323 Gatekeeper Administration Tools.
each Q931 address must be unique.
ISA Server.
Transport Protocol (RTP) audio and video media while making calls across ISA
Server using NetMeeting 3.0 or later.
Lesson Summary:
videoconferencing for a wide range of network environments.
address must register with H.323 Gatekeeper. Clients typically register automatically
with H.323 Gatekeeper by using the H.323 Registration, Admission, and Status
(H.323 RAS) protocol. You can also use the H.323 Gatekeeper snap-in to add
a static registration to endpoints that do not support H.323 RAS registration.
H.323-ID addressing (open syntax allowing e-mail addresses, DNS strings,
account names, and machine names), and Email-ID addressing.
option is selected during ISA Server installation. However, H.323 Gatekeeper can
be installed at any time.
Lesson 2:
Routing Conference Calls with H.323 Gatekeeper
H.323 clients such as NetMeeting 3.0 register with H.323 gatekeepers by using an alias such
as a user name or e-mail address that is easier to remember than an IP address.
Call Routing Rules
H.323 call routing rules specify a destination and parameters to match part or all of a requested
alias. When a unique Q931 address is not included in a call request, H.323 Gatekeeper
tries to match each configured H.323 routing rule against the requested alias.
The default call routing rule included with H.323 Gatekeeper resolves all requested destinations
within the local registration database or on the local network.
Phone Number Rules
Phone number (E164) rules specify the parameters shown in the table on page 324. The item
names in parentheses are those given to parameters in the New Routing Rule wizard when those
parameter names differ from the corresponding column names in the details pane of ISA
Management.
H.323 Gatekeeper determines which rules match the alias in the call request. A phone
number alias can contain the digits 0-9 and the special characters # (number sign), * (asterisk)
and , (comma).
Example: suppose that a caller requests translation for the phone number 95551234#3344.
H.323 Gatekeeper matches on the digits up to the first special character, or up to the end
of the string if there is no special character. For the phone number 95551234#3344, the
alias used for rule matching is therefore 95551234.
NOTE: A prefix type is configured in a phone number rule when you leave the Route
All Phone Numbers Using This Prefix check box selected. When you clear the check
box, the pattern is configured as an exact type.
Phone Number Rule Pattern Examples – Matching
=====================================================================
Pattern            Matching Parameter Value
=====================================================================
                   Prefix
                   Prefix
95551234           Exact (must match exactly the alias number)
[empty]            Prefix (any alias will match an empty pattern)
=====================================================================
IP Address Rules
IP address rules apply only to requests for translation of IP address strings that take the form
a.b.c.d, for example 192.168.154.13.
When a specified pattern matches and the IP address rule applies to a given call, the call is routed
to the destination specified in the IP address rule. The destination types you can select for IP
address rules are the following:
None (no destination). The call is disconnected.
Gateway/proxy. The call is forwarded to the selected H.323 gateway, proxy server or
Internet firewall.
Gatekeeper. The call is forwarded to a gatekeeper residing in a different zone.
Multicast gatekeeper. The call is forwarded to a group of multicast gatekeepers.
Local networks. The called party resides in the same network as the caller. The address is
returned to the caller, which can reach it directly.
IP Address Rule Resolution Example.
Once H.323 Gatekeeper has established which routing rules match, the routing rules are
sorted for additional processing according to the following requirements:
· Rules with more bits in the subnet mask have precedence over rules with fewer bits in
the subnet mask. For example, an IP address string of 192.168.154.13 with a subnet mask
of 255.255.255.192 (26 bits) has a higher number of bits than an IP address string of
192.168.154.13 with a subnet mask of 255.255.255.0 (24 bits), so it takes precedence.
· If two rules contain the same pattern, a rule with the matching type exact has
precedence over a rule with the matching type prefix.
· If two rules contain the same pattern and the same matching type, a rule with a lower
metric number assigned to it has precedence over a rule with a higher metric number.
E-Mail Address Rules
E-mail address rules specify the parameters shown on page 327. The item names in
parentheses are those given to parameters in the New Routing Rule wizard when those
parameter names differ from the corresponding column names in the details pane of ISA
Management.
H.323 Gatekeeper attempts to match the domain portion of the e-mail alias against the rules.
NOTE: The alias accounting1 is an example of what is known as a dotless alias, which is
not a standard alias format.
If a call request contains the e-mail address someone@microsoft.com, the domain
portion is Microsoft.com.
Table 8.7 (page 329) lists sample matching patterns for the request someone@microsoft.com,
whose domain portion is Microsoft.com.
=====================================================================
Pattern            Matching Parameter Value
=====================================================================
com                Suffix
Microsoft.com      Suffix
Microsoft.com      Exact
[empty]            Suffix
=====================================================================
In the first row, com is specified as the suffix type. This matches the alias someone@microsoft.com
because the domain ends in the letters "com". In the second row, Microsoft.com is specified as the
suffix type; this pattern matches the alias someone@microsoft.com because the domain has the string
"Microsoft.com" as its suffix. The third row shows that the pattern "Microsoft.com" also matches
the alias someone@microsoft.com when specified as an exact type. This is because what is matched
in e-mail address rules is not the entire user alias but only its domain portion; this is in fact the
only pattern of type exact that will match the alias someone@microsoft.com. Finally, the fourth row
shows that a blank pattern of suffix type matches the given alias; in fact it matches every e-mail
alias. The default e-mail address rule uses a blank pattern of suffix type.
Sample Non-Matching Patterns for E-mail Address Rule
=====================================================================
Pattern            Matching Parameter Value
=====================================================================
com                Exact
[empty]            Exact
=====================================================================
If a call request alias is someone, the domain portion is an empty string, and the only rules
that match this domain portion are those shown below:
Dotless Alias Matches for an E-mail Address Rule
=====================================================================
Pattern            Matching Parameter Value
=====================================================================
[empty]            Exact
[empty]            Suffix
=====================================================================
After H.323 Gatekeeper has established which routing rules match, the routing rules are sorted
for additional processing according to the following conditions:
· Rules with patterns containing more domain elements have precedence over
rules with patterns containing fewer domain elements.
· If two rules contain the same pattern, a rule with the matching type exact
has precedence over a rule with the matching type suffix.
· If two rules contain the same pattern and the same matching type, a rule
with a lower metric number has precedence over a rule with a higher metric number.
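The phone-number matching example (digits up to the first special character), the IP address precedence rules (more mask bits first, exact over prefix, then metric) and the e-mail domain tables above all follow one pattern: select the matching rules, then sort by specificity, matching type and metric. The following added example, not ISA Server code, implements that for all three rule families; the Rule type and function names are mine. Two details are assumptions by analogy with the rules the text states: an IP rule of type exact is taken to mean the alias equals the pattern address, and phone-number rules are sorted longest pattern first.

```python
# Added example: matching and ordering of H.323 routing rules; not ISA Server code.
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    family: str  # "E164", "IP" or "EMAIL"
    pattern: str  # "" is the empty pattern that matches everything
    match: str  # "exact", "prefix" (E164, IP) or "suffix" (EMAIL)
    metric: int  # lower wins when pattern and matching type tie
    destination: str  # destination type, e.g. "Local", "Gatekeeper", "None"


E164_SPECIAL = "#*,"  # the special characters an E164 alias may contain


def e164_key(alias: str) -> str:
    """Digits up to the first special character: 95551234#3344 -> 95551234."""
    for i, ch in enumerate(alias):
        if ch in E164_SPECIAL:
            return alias[:i]
    return alias


def email_domain(alias: str) -> str:
    """Domain portion after '@'; a dotless alias such as 'accounting1' yields ''."""
    _user, _at, domain = alias.partition("@")
    return domain.lower()


def matches(rule: Rule, alias: str) -> bool:
    if rule.family == "E164":
        key = e164_key(alias)
        return key == rule.pattern if rule.match == "exact" else key.startswith(rule.pattern)
    if rule.family == "IP":
        ip = ipaddress.ip_address(alias)
        if rule.match == "exact":  # assumption: exact means the pattern address itself
            return ip == ipaddress.ip_address(rule.pattern.split("/")[0])
        # pattern is "a.b.c.d/mask"; strict=False allows host bits to be set
        return ip in ipaddress.ip_network(rule.pattern, strict=False)
    if rule.family == "EMAIL":
        dom, pat = email_domain(alias), rule.pattern.lower()
        return dom == pat if rule.match == "exact" else dom.endswith(pat)
    raise ValueError(f"unknown rule family {rule.family!r}")


def specificity(rule: Rule) -> int:
    """More specific patterns sort first: mask bits for IP, domain elements
    for e-mail, pattern length for phone numbers (the last is an assumption)."""
    if rule.family == "IP":
        return ipaddress.ip_network(rule.pattern, strict=False).prefixlen
    if rule.family == "EMAIL":
        return len(rule.pattern.split(".")) if rule.pattern else 0
    return len(rule.pattern)


def match_rules(rules: List[Rule], family: str, alias: str) -> List[Rule]:
    """Rules of the given family that match alias, in processing order."""
    hits = [r for r in rules if r.family == family and matches(r, alias)]
    # exact sorts before prefix/suffix because False < True
    hits.sort(key=lambda r: (-specificity(r), r.match != "exact", r.metric))
    return hits


if __name__ == "__main__":
    # Constructed rule set reproducing Table 8.7 plus the non-matching rows.
    email_rules = [
        Rule("EMAIL", "com", "suffix", 10, "DNS"),
        Rule("EMAIL", "Microsoft.com", "suffix", 20, "Gatekeeper"),
        Rule("EMAIL", "Microsoft.com", "exact", 30, "Local"),
        Rule("EMAIL", "", "suffix", 40, "DNS"),
        Rule("EMAIL", "com", "exact", 1, "None"),
        Rule("EMAIL", "", "exact", 2, "None"),
    ]
    for r in match_rules(email_rules, "EMAIL", "someone@microsoft.com"):
        print(r.pattern or "[empty]", r.match, r.metric)
```

The sort key is the whole point: a rule with a low metric never jumps ahead of a more specific pattern, which is why the example at the end lists the exact Microsoft.com rule (metric 30) before the com suffix rule (metric 10).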
Rule Processing and Destinations
Each rule can specify one of the nine destination types described below. If you want to make a
particular gateway/proxy, Internet Locator Service (ILS) server, gatekeeper, or multicast group
available for selection in a routing rule, you must first run the Add Destination wizard.
None
This destination stops rule processing. Even if there are other matching rules having lower
metric values following the None rule, H.323 Gatekeeper rejects the request and returns the
message “Cannot be resolved.”
Gateway/Proxy
This destination specifies a particular H.323 proxy or gateway and lists an IP, DNS, or
NetBIOS address. H.323 gateways are required if you want to route your call through
the PSTN. (ISA Server does not include an H.323 gateway.)
Internet Locator Service (ILS)
This destination specifies a Microsoft Site Server computer running Internet Locator Service
(ILS) for name resolution. It serves e-mail address namespace queries. It is an
uncommon format that is retained to support backward compatibility.
Gatekeeper
This destination specifies the IP, DNS, or NetBIOS address of another H.323 Gatekeeper.
The local H.323 Gatekeeper conducts name resolution to determine the IP address of the
destination H.323 Gatekeeper.
Multicast Gatekeeper
This destination type specifies that the destination is a multicast group. H.323 Gatekeeper
sends a location request message using the multicast protocol.
DNS
This destination type can only be used by E-Mail address queries. The H.323 Gatekeeper
resolves the domain of the alias using DNS, regardless of the user portion of the alias.
Active Directory Directory Service
Active Directory can be specified as a rule destination for e-mail address rules. When Active
Directory is configured as the destination, the Active Directory store is queried for the ipPhone
attribute of the matching user object, and the call is routed to this IP phone number.
Local Network
This destination type is valid only for IP aliases. H.323 Gatekeeper returns the address represented
by the alias. Because a resolution or translation is not required and the destination is directly
reachable, the IP address that is represented by the requested alias can be used as the query
address.
Applying Rules to Calls
Inbound Calls. When H.323 Gatekeeper receives an inbound query, it identifies the type of alias
request, whether it is an E164, H.323-ID, or Email-ID. H.323 Gatekeeper then compares this
alias to the list of configured rules, compiles the matching rules, and sorts them by placing those
rules with the lowest metric values highest on the list.
An admission request is sent to H.323 Gatekeeper for someone@microsoft.com. H.323
Gatekeeper searches the rules list, which would consist of the rules on page 333. If the registration
exists, H.323 Gatekeeper returns a confirmation along with the address to the origination client.
If no address is returned, H.323 Gatekeeper continues looking, going to the second rule,
Gatekeeper “otherzone” for resolving the request. H.323 Gatekeeper works its way down
the rule list until an address is returned or until it gets to the None rule. When the None rule is
encountered, the query fails and the “Cannot be resolved” message is sent. Once the None
rule has been reached, no other rules are processed, regardless of their weighted metric value.
Outbound Calls. When a registered client places an outbound call, an admission request is
sent to H.323 Gatekeeper. An outbound request to another domain is forwarded to the
remote ISA Server, where it is resolved.
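The inbound walk described above, for the request someone@microsoft.com, can be traced step by step. The following is an added example, not ISA Server code: the matching rules are assumed to be already sorted (see the precedence rules earlier in the lesson), the resolver functions stand in for the real lookups the text names (the local registration database and the gatekeeper "otherzone"), and the registration data is constructed. The point it demonstrates is that a None destination ends processing with "Cannot be resolved" even though a later rule would have returned an address.

```python
# Added example: rule walk for an inbound admission request; not ISA Server code.
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]  # alias -> Q931 address, or None
RuleList = List[Tuple[str, str]]  # (rule name, destination type), already sorted


def process_rules(alias: str, rules: RuleList,
                  resolvers: Dict[str, Resolver]) -> Tuple[Optional[str], List[str]]:
    """Return (address or None, trace of the rules consulted)."""
    trace: List[str] = []
    for name, dest in rules:
        if dest == "None":
            trace.append(f"{name}: None -> Cannot be resolved")
            return None, trace  # nothing after a None rule is processed
        addr = resolvers[dest](alias)
        trace.append(f"{name}: {dest} -> {addr or 'no address'}")
        if addr is not None:
            return addr, trace  # confirmation with this address goes to the caller
    return None, trace  # every rule exhausted without an address


# --- constructed sample data (not from the page) ----------------------------
LOCAL_REGISTRATIONS = {"someone@microsoft.com": "10.0.0.5:1720"}
OTHERZONE_REGISTRATIONS = {"other@microsoft.com": "10.1.0.9:1720"}

RESOLVERS: Dict[str, Resolver] = {
    "Local": LOCAL_REGISTRATIONS.get,
    "Gatekeeper otherzone": OTHERZONE_REGISTRATIONS.get,
    # Stand-in for a DNS destination that would resolve anything it is asked;
    # it sits after the None rule below and is therefore never consulted.
    "DNS": lambda alias: "203.0.113.10:1720",
}

RULES: RuleList = [
    ("rule 1", "Local"),
    ("rule 2", "Gatekeeper otherzone"),
    ("rule 3", "None"),
    ("rule 4", "DNS"),
]


def resolve(alias: str) -> Optional[str]:
    """Convenience wrapper over the sample rule list."""
    return process_rules(alias, RULES, RESOLVERS)[0]


if __name__ == "__main__":
    for who in ("someone@microsoft.com", "other@microsoft.com", "nobody@example.com"):
        addr, trace = process_rules(who, RULES, RESOLVERS)
        print(who, "->", addr)
        for line in trace:
            print("   ", line)
```

Run as a script, the third request shows three trace lines and no address: rule 4 is never reached, regardless of its metric, because rule 3 is a None rule.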
Lesson Summary:
requested alias.
request, whether it is an E164, H.323-ID, or E-Mail. H.323 Gatekeeper then
compares the alias to the list of configured rules.