Diese Präsentation wurde erfolgreich gemeldet.
Die SlideShare-Präsentation wird heruntergeladen. ×
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Wird geladen in …3
×

Hier ansehen

1 von 9 Anzeige

Weitere Verwandte Inhalte

Ähnlich wie H323 support.docx (20)

Anzeige

H323 support.docx

  1. 1. H323 support in PAN-OS Tech Note PAN-OS 4.1
  2. 2. [2] Revision 1.0 ©2011, Palo Alto Networks, Inc. Contents OVERVIEW................................................................................ 3 H.323 OVERVIEW.......................................................................... 3 H323 SUPPORT IN PAN-OS.................................................................. 3 SUPPORTED SCENARIOS-DIRECT CALLS........................................................ 4 CASE 1: VWIRE AND LAYER2 MODE ............................................................................. 4 CASE 2: LAYER3 MODE........................................................................................ 4 CASE 3: LAYER3 MODE WITH NAT .............................................................. 5 CASE 4: LAYER3 MODE WITH BI-DIRECTIONAL STATIC NAT ............................................ 5 CASE 5: H323 TERMINALS ACROSS IPSEC TUNNEL ............................................................... 5 SUPPORTED SCENARIOS-CALLS WITH GATEKEEPER............................................... 6 GATEKEEPER ROUTED CALLS..................................................................................... 6 DIRECT CALLS................................................................................................ 6 OUTGOING CALLS: LAYER3 MODE WITH NAT........................................................ 7 INCOMING CALLS: LAYER3 MODE WITH NAT........................................................ 7 REVISION HISTORY........................................................................ 9
  3. 3. [3] Revision 1.0 ©2011, Palo Alto Networks, Inc. Overview This document details H323 and SIP support in PAN-OS. It also discusses the tested and supported topologies with PAN-OS firewalls and H323 and SIP capable devices H.323 overview H.323 is a recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols to provide audio-visual communication sessions on any packet network. The H.323 standard addresses call signaling and control, multimedia transport and control, and bandwidth control for point-to-point and multi-point conference H.323 is an umbrella standard composed of protocols and frameworks such as:  H.225  H.245 for call control and capability negotiation  H.235 security framework  RTP, the Real Time Protocol defined by IETF, used to transmit audio/video streams  Q.931, used for call signaling  H.450.x for supplementary services such as call transfer, forwarding, call offering, call intrusion and more H.323 protocol requires the use of specific static ports as well as a number of dynamic ports within the range 1024-65535. For the H.323 protocol to cross a firewall, the specific static ports and all ports within the dynamic range must be opened for all traffic causing a security issue that could render a firewall ineffective A typical H323 network includes all or some of these entities  H323 terminals- Endpoints that enable real time voice or video communication  MCU/MP/MC- It is a device that is used for multiparty conferencing. It consists of two function blocks, a Multipoint Controller (MC) and Multipoint Processor (MP) where the latter is responsible for mixing the audio/video channels for the conference  Gateways- Enable communication between legacy switched circuit networks to IP networks  Gatekeepers- H323 gatekeepers are optional component in a H323 network. They provide services like address translation , H.323 IDs such as blah@domain.com and E.164 numbers -standard telephone numbers, to endpoint IP addresses) and network access control for H.323 terminals, gateways, and MCUs, bandwidth management, accounting, and dial plans. H323 support in PAN-OS PAN-OS offers support for the following applications H.245, and H.225. In order allow H323 between terminals, the security policy must include all of these applications. The media sessions, RTP and RTCP are predicted and dynamic pinholes are created in the firewall to allow these sessions
  4. 4. [4] Revision 1.0 ©2011, Palo Alto Networks, Inc. Supported scenarios-Direct calls In these scenarios, the H323 terminals can initiate and respond to calls directly between each other without the H323 gatekeeper. The following scenarios for direct calls are tested and supported in PAN-OS version 4.1. Case 1: Vwire and Layer2 mode In this scenario, both the terminal can initiate calls to each other. Case 2: Layer3 mode In this scenario, both the terminal can initiate calls to each other. The security policy for the above two scenarios is shown below. The internal terminal and the external terminals are not registered with a gatekeeper; the internal terminal calls the external terminal by calling its IP address directly.
  5. 5. [5] Revision 1.0 ©2011, Palo Alto Networks, Inc. Case 3: Layer3 mode with NAT A source NAT policy exists for translating all traffic from trust zone to untrust zone. In such a case, the terminal in trust zone can only initiate calls to the terminals in the untrust zone. Case 4: Layer3 mode with bi-directional static NAT A static NAT rule with bi-directional option will enabled the terminal in trust zone to initiate outbound calls, and the terminals on the untrust zone to initiate calls to the terminal 10.1.1.10 to its public IP address 20.1.1.10 Case 5: H323 terminals across IPSec tunnel The terminals on either side of the tunnel can initiate and respond to calls directly without the need of NAT going through the IPSec tunnel. If the IPSec tunnel i.e the tunnel interface is configured in its own zone, VPN zone, the security policies must be configured between the VPN and trust zones respectively
  6. 6. [6] Revision 1.0 ©2011, Palo Alto Networks, Inc. Supported scenarios-Calls with Gatekeeper Before we discuss the gatekeeper supported scenarios, we will cover basic difference in Gatekeeper routed calls and Direct call model. With a gatekeeper in the network, all terminals must register with the gatekeeper. Gatekeeper routed calls In gatekeeper routed calls, the gatekeeper acts as proxy for all signaling messages. In this example when the terminal with number 666 tries to call another terminal at 420, it sends out Admission Request Message (ARQ) to the gatekeeper to find the IP address for the number 420. The gatekeeper responds to this request with Admission Confirm message with the gatekeepers IP address. Gatekeeper then proxy’s all signaling messages. Direct calls In this example when the terminal with number 666 tries to call another terminal at 420, it sends out Admission Request Message (ARQ) to the gatekeeper to find the IP address for the number 420. The gatekeeper responds to this request with Admission Confirm message with the recipient terminals IP address.
  7. 7. [7] Revision 1.0 ©2011, Palo Alto Networks, Inc. Note:  PAN-OS does not support Gatekeeper routed calls  Multi Gatekeeper topologies are not supported Note: There must be a NAT rule in place to translate the source address outbound connections from terminal 666 with IP 10.1.1.10 Note: The private IP address of terminal 666, must be mapped to Public IP address either using static NAT or destination NAT The difference between gatekeeper-signaled and direct-signaled calls is the role of the gatekeeper in the H.225 session. If a gatekeeper involved, then the call is a gatekeeper-signaled call. Outgoing calls: Layer3 mode with NAT In this deployment bi-directional static NAT is used to map the gatekeeper address 10.1.1.100 to 20.1.1.100. All terminals in the trust zone registers with gatekeeper using address 10.1.1.100, and the clients in the untrust zone reach the gatekeeper using the address 20.1.1.100 1. Terminal 666 initiates a call to terminal 420, it sends ARQ message to the gatekeeper 2. Gatekeeper responds with the IP address of 66.220.12.100 3. Terminal 666 and 420 established connection directly Incoming calls: Layer3 mode with NAT 1. Terminal 420 initiates a call to terminal 666, it sends ARQ message to the gatekeeper 2. Gatekeeper responds with the public IP address of terminal 666. 3. Terminal 666 and 420 established connection directly
  8. 8. [8] Revision 1.0 ©2011, Palo Alto Networks, Inc. Calls across IPSec tunnel With a site-to-site IPSec VPN, the all the hosts on either side of the tunnel are reachable using the private IP address. The host registers with the gatekeeper with their real IP addresses. No NAT is required in this scenario. If the IPSec tunnel i.e the tunnel interface is configured in its own zone, VPN zone, the security policies must be configured between the VPN and trust zones respectively
  9. 9. Revision History Date Revision Comment 10/31/2011 1 First published draft www.paloaltonetworks.co m

×