You can use the Barracuda NG Firewall as a gatekeeper for an H.323 network. The media stream of the calls that are established by the firewall gatekeeper are redirected to a local address of the Barracuda NG Firewall and forwarded to the receiver of the stream. In this case, special handling for network address translation or firewall traversal is not required. The H.323 endpoints that are in direct contact with the gatekeeper can be registered with H.225 RAS or provisioned in the firewall configuration. Several gatekeepers can be clustered together to handle calls for endpoints with the same prefix, which are distributed over several locations. This is called a neighbor configuration. You can use the following gatekeepers in neighbor configurations:
- GNU gatekeeper
- Cisco gatekeeper
- Clarent gatekeeper
- Glonet gatekeeper
Step 1. Configure the H.323 Neighbor Gatekeeper
H.323 is configured on the Firewall Forwarding Settings page.
- Open the Firewall Forwarding Settings page (Config > Box > Virtual Servers > <your virtual server> > Assigned Services > Firewall > Firewall Forwarding Settings).
- In the left navigation pane, expand Configuration and click VoIP/H.323.
- Click Lock.
Edit the H.323 settings.
Enable H.323 Gatekeeper
Enables or disables the firewall gatekeeper. To enable the gatekeeper, select yes.
The H.323 alias name of the firewall gatekeeper.
Gatekeeper Listen IP
Specifies which IP addresses the gatekeeper uses. An explicit IP address can also be entered by selecting the Other check box.
Enables the sending of H.225 broadcast gatekeeper discovery packets. This is useful for phones that automatically detect the gatekeeper.
The password that neighbor gatekeepers must provide in order to enable neighbor cluster calls.
H.323 Neighbors List of H.323. neighbors. When you add an H.323 neighbor, you can specify the following settings:
The H.323 alias of the neighbor gatekeeper.
The vendor of the neighbor gatekeeper (GnuGK, CiscoGK, ClarentGK, or GlonetGK).
The hostname of the IP address of the neighbor gatekeeper.
The H.225 port number of the neighbor gatekeeper.
The password that is used to log into the neighbor gatekeeper for neighbor clustering support.
Neighbor Timeout (sec.)
The timeout of Location Request (LRQ) messages for browsing the neighbor cluster.
H.323 Endpoints List of endpoints that are permanently registered at the gatekeeper. This is useful for interfaces that do not support H.225 RAS. When you add an endpoint, you can specify the following settings: H.323 Alias The H.323 alias of the permanent endpoint.
The hostname or IP address of the endpoint. Endpoints with dynamic IP addresses must use H.225 registration to connect to the firewall gatekeeper.
All calls with this number or prefix are routed to this endpoint.
List of prefixes that are used for call redirects. When you add a call redirect, you can specify the following settings: Original Prefix All calls with this prefix are rerouted.
The prefix that replaces the original prefix.
RAS authentication method. You can select one of the following options: None Allows all H.225 RRQ (Registration Requests).
Registers the username at a radius server.
Uses the Cisco Access Token in the RRQ message for registration at a radius server.
The IP address or hostname of the radius server. An optional port number may be specified after a colon (:). <hostname>[:<port]
- Click Send Changes and Activate.
Step 2. Create Firewall Rules to Allow H.323 Traffic
To enable communication between the H.323 equipment and the Barracuda NG Firewall gatekeeper, create local firewall rules that allow incoming and outgoing H.323 connections from networks with H.323 nodes that directly communicate with the Barracuda NG Firewall gatekeeper. For more information on creating firewall rules, see: Firewall Access Rules.