You can use the Barracuda CloudGen Firewall as a gatekeeper for an H.323 network. The media stream of the calls that are established by the firewall gatekeeper are redirected to a local address of the Barracuda CloudGen Firewall and forwarded to the receiver of the stream. In this case, special handling for network address translation or firewall traversal is not required. The H.323 endpoints that are in direct contact with the gatekeeper can be registered with H.225 RAS or provisioned in the firewall configuration. Several gatekeepers can be clustered together to handle calls for endpoints with the same prefix, which are distributed over several locations. This is called a neighbor configuration. You can use the following gatekeepers in neighbor configurations:
- GNU gatekeeper
- Cisco gatekeeper
- Clarent gatekeeper
- Glonet gatekeeper
Step 1. Configure the H.323 Neighbor Gatekeeper
H.323 is configured on the Firewall Forwarding Settings page.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Settings.
- In the left navigation pane, expand Configuration and click VoIP/H.323.
- Click Lock.
Edit the H.323 settings.
Setting | Description |
---|
Enable H.323 Gatekeeper | Enables or disables the firewall gatekeeper. To enable the gatekeeper, select yes. To enable communication between the H.323 equipment and the Barracuda CloudGen Firewall gatekeeper, create local firewall rules that allow incoming and outgoing UDP and TCP IP ports from networks with H.323 nodes that directly communicate with the Barracuda CloudGen Firewall gatekeeper. For more information on creating firewall rules, see: Access Rules. |
Gatekeeper Name | The H.323 alias name of the firewall gatekeeper. |
Gatekeeper Listen IP | Specifies which IP addresses the gatekeeper uses. An explicit IP address can also be entered by selecting the Other check box. |
Broadcast RAS | Enables the sending of H.225 broadcast gatekeeper discovery packets. This is useful for phones that automatically detect the gatekeeper. |
Gatekeeper Password | The password that neighbor gatekeepers must provide in order to enable neighbor cluster calls. The password can consist of small and capital characters, numbers, and non alpha-numeric symbols, except the hash sign (#). |
H.323 Neighbors
| List of H.323. neighbors. When you add an H.323 neighbor, you can specify the following settings: |
Gatekeeper Name | The H.323 alias of the neighbor gatekeeper. |
Gatekeeper Type | The vendor of the neighbor gatekeeper (GnuGK, CiscoGK, ClarentGK, or GlonetGK). |
Gatekeeper Hostname | The hostname of the IP address of the neighbor gatekeeper. |
Gatekeeper Port | The H.225 port number of the neighbor gatekeeper. |
Gatekeeper Password | The password that is used to log into the neighbor gatekeeper for neighbor clustering support. |
Neighbor Timeout (sec.) | The timeout of Location Request (LRQ) messages for browsing the neighbor cluster. |
H.323 Endpoints | List of endpoints that are permanently registered at the gatekeeper. This is useful for interfaces that do not support H.225 RAS. When you add an endpoint, you can specify the following settings: |
H.323 Alias | The H.323 alias of the permanent endpoint. |
Gateway Hostname/IP | The hostname or IP address of the endpoint. Endpoints with dynamic IP addresses must use H.225 registration to connect to the firewall gatekeeper. |
Prefix | All calls with this number or prefix are routed to this endpoint. |
Call Redirect | List of prefixes that are used for call redirects. When you add a call redirect, you can specify the following settings: |
Original Prefix | All calls with this prefix are rerouted. |
New Prefix | The prefix that replaces the original prefix. |
RAS Authentication | RAS authentication method. You can select one of the following options: |
None | Allows all H.225 RRQ (Registration Requests). |
Radius | Registers the username at a radius server. |
Radius+CAT | Uses the Cisco Access Token in the RRQ message for registration at a radius server. |
Radius Server | The IP address or hostname of the radius server. An optional port number may be specified after a colon (:). [: |
- Click Send Changes and Activate.
Step 2. Create Firewall Rules to Allow H.323 Traffic
To enable communication between the H.323 equipment and the Barracuda CloudGen Firewall gatekeeper, create local firewall rules that allow incoming and outgoing H.323 connections from networks with H.323 nodes that directly communicate with the Barracuda CloudGen Firewall gatekeeper. For more information on creating firewall rules, see: Access Rules.