MCSE ISA Server 2000 document, Part 9 (doc)


Document information

Chapter 7 H.323 GATEKEEPER, page 213 (10 mcse CH07 6/5/01 12:03 PM)

- Second, if translation services are needed to place outgoing calls. Translation services provide the capability to reference H.323 services that may not have a registered DNS address, for example, a personal email address, a Plain Old Telephone System (POTS) device phone number, and so on. Think of this powerful capability as a sort of name resolution for the rest of us. Here's how it works:

1. You use NetMeeting 3.0 to place a call to me at roberta@peachweaver.com. Neither one of us has a valid, Internet-routable IP address, nor will our internal addresses be exposed on the Internet.
2. NetMeeting connects with your in-house H.323 Gatekeeper.
3. The Gatekeeper knows that peachweaver.com is not an internal address and so forwards the request to ISA Server.
4. ISA Server looks up the address for peachweaver.com and sends the query over the Internet to peachweaver.com.
5. The ISA Server at peachweaver.com receives the request for roberta@peachweaver.com and contacts its internal H.323 Gatekeeper.
6. The H.323 Gatekeeper translates the alias into a network address.
7. The ISA Server at peachweaver.com sends notice to your ISA Server and creates the connection.
8. The ISA Server holds the link open.

Restrictions can be set within the ISA Server Gatekeeper to prevent or allow video, audio, T120 data (the real-time multipoint data connections and conferencing standard), and application sharing, and to limit the hours this service is available. These restrictions are set on the Property pages for the H.323 Gatekeeper.

Registration Admission and Status

H.323 communications are origination end-point to destination end-point (usually client). These end-points should be registered with the Gatekeeper using the H.323 Registration, Admission and
Status (H.323 RAS) protocol. Although you can add static registrations (always active and cannot receive inbound calls) using the H.323 Gatekeeper, you should only do this for those endpoints that cannot use the H.323 RAS protocol.

Part II CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES (page 214)

H.323 RAS alias addressing supported by the H.323 Gatekeeper is of three types from two versions of the protocol (see Table 7.1). Aliases consist of a type and a name.

TABLE 7.1 H.323 RAS ALIAS ADDRESSING

Type        Format                                                       H.323 RAS Version
E-Mail-ID   Internet-type email addressing                               Two
H.323-ID    DNS strings, email addresses, account names, computer names  One
E164        Phone number addressing; characters 0-9                      One

An example of some of these types of addresses can be seen by right-clicking the active terminal in the ISA Management Console and displaying its Properties page (see Figure 7.1).

The Registration Process

Endpoints can be an H.323 client, such as a Proxy server (ISA Server) or a client running NetMeeting, or an H.323 gateway. Registration includes:

- Endpoint Q931 (IP address plus port) addresses
- H.323 RAS addresses for the endpoint
- List of aliases

Client registration to the database is often done by simply entering the Gatekeeper IP address in the client application. For example, in Microsoft NetMeeting, the Tools, Options, Advanced Calling dialog box has a place to enter registration information (see Figure 7.2). The H.323 protocol then contacts the H.323 Gatekeeper and registers the client automatically.

FIGURE 7.1 Example of H.323 RAS alias address types.

Rule Processing—What Happens When a Request Is Received?

You must define Gatekeeper rules in the ISA Server Gatekeeper service management snap-in. To do so, you first define destinations, and then phone, email, and IP address rules.
Each type of request, either inbound call or outbound call, follows its own processing algorithm.

Inbound Calls

When an inbound call is received, the following processing takes place:

1. The type of alias is identified (email, H.323, or E164).
2. The alias is compared to its rule database.
3. Rules matching the pattern are added to an ordered rule list.
4. Rules are then sorted by metric from lowest to highest.
5. The rules are processed until the request either is resolved or fails.
6. A confirmation or rejection is sent to the requesting client.

Outbound Calls

Outbound calls are calls that are received by the H.323 Gatekeeper from internal clients. They might be resolvable to other internal client addresses or to other domains. When outbound calls are made to the local domain, the following processing takes place:

1. A registered client places an outbound call.
2. An admission request is sent to the H.323 Gatekeeper and includes the destination alias.
3. If the Gatekeeper finds an address for the destination alias, an admission confirmation is sent to the client that includes the destination address.
4. If the Gatekeeper does not find an address for the destination alias, it continues to process its rules to attempt a resolution.
5. If no resolution is found, the request fails.

FIGURE 7.2 Registering the NetMeeting client.
FIGURE 7.3 H.323 Gatekeeper active terminal.

If the request is for another domain, the H.323 Gatekeeper searches its list of rules and returns a weighted list. The list is processed until it finds either a specific rule for that domain or, if none exists, a rule to manage all other domains (the domain identification information is empty). (Domain-specific rules may simply contain the fully qualified domain name for an alias.)
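To make the processing order above concrete, here is an added Python simulation of the algorithm as the chapter describes it; it is not ISA Server code and not from the book. It classifies the alias per Table 7.1, checks the local registration database first (the outbound case), collects the rules whose pattern matches, sorts them by metric lowest first, and takes the first rule that resolves. The rule shape, the metrics, the registration entries and the destinations are constructed for illustration, and the "all other domains" rule (empty domain) is modelled as the highest-metric catch-all.

```python
"""Simulation of the Gatekeeper rule-processing order described in Chapter 7.
Added example: the Rule shape, metrics and sample data are constructed and are
not the product's own data structures."""
import re
from dataclasses import dataclass
from typing import Optional


def alias_type(alias: str) -> str:
    """Classify an alias as Table 7.1 does: E164 (digits 0-9 only),
    E-Mail-ID (Internet-type email address), otherwise H.323-ID."""
    if re.fullmatch(r"[0-9]+", alias):
        return "E164"
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", alias):
        return "E-Mail-ID"
    return "H.323-ID"


@dataclass
class Rule:
    """One routing rule (constructed shape). destination=None models a rule
    that matches but cannot resolve the alias, so processing continues."""
    alias_types: tuple          # alias types the rule applies to
    pattern: str                # regex matched against the whole alias
    metric: int                 # lower metric is processed first
    destination: Optional[str]  # where a matching call is routed


# Constructed registration database: alias -> Q931 address (IP:port)
REGISTRATIONS = {
    "alice@example.com": "10.0.0.5:1720",
    "1234": "10.0.0.9:1720",
}

# Constructed rules: a domain-specific rule, a short-name rule like the
# chapter's "MStopics" note, an E.164 prefix rule, and the catch-all for
# all other domains (modelled here as the highest metric).
RULES = [
    Rule(("E-Mail-ID", "H.323-ID"), r".*@peachweaver\.com$", 10, "isa.peachweaver.com"),
    Rule(("H.323-ID",), r"^MStopics$", 5,
         "ils.public.techtopics.Microsoft.mythoughts.peachweaver.com"),
    Rule(("E164",), r"^9[0-9]+$", 20, "pstn-gateway.example.com"),
    Rule(("E-Mail-ID", "H.323-ID"), r".*", 100, None),
]


def resolve(alias: str, rules=RULES, registrations=REGISTRATIONS) -> Optional[str]:
    """Registration database first, then matching rules sorted by metric
    (lowest first) until one resolves. None means the request fails."""
    if alias in registrations:
        return registrations[alias]
    kind = alias_type(alias)
    matching = [r for r in rules
                if kind in r.alias_types and re.fullmatch(r.pattern, alias)]
    for rule in sorted(matching, key=lambda r: r.metric):
        if rule.destination is not None:
            return rule.destination
    return None


if __name__ == "__main__":
    for a in ("alice@example.com", "roberta@peachweaver.com", "MStopics",
              "95551234", "bob@nowhere.example"):
        print(f"{a:26s} {alias_type(a):10s} -> {resolve(a)}")
```

Running the block prints each constructed alias with its type and the destination the rules select; the last alias matches only the catch-all and therefore fails, which is the "rejection" the chapter's step 6 describes.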
The ISA Server will use DNS to find the IP address of the domain.

H.323 Gatekeeper Limitations and Other Considerations

While the features and services provided by the H.323 Gatekeeper service are awesome, you should also be aware of some of its limitations and issues:

- No security features are provided by the H.323 protocol. However, features included in the ISA Server H.323 Gatekeeper service can be used to reduce the risk incurred by allowing the use of this protocol through a firewall. Allowing audio, video, and data conferencing through a firewall requires the opening of multiple ports. The H.323 application filter manages dynamic opening and closing of these ports, which is preferable to static packet filters. However, ports are still opened. Gatekeeper rules are routing rules, not security rules. However, you can configure the H.323 filter to limit the types of H.323 communications, such as data, and this may primarily be used to limit bandwidth requirements. It will also reduce vulnerability by reducing the range of ports that are open. Ports used in H.323 communications are listed in Table 7.2.
- Clients internal to an H.323 Gatekeeper cannot register with an H.323 Gatekeeper on the Internet. (No signaling, or the transfer of RAS-style H.323 registration, is supported across an ISA server.)
- Uniqueness of aliases in general is not enforced; however, Q931 addresses must be unique.
- An H.323 Gatekeeper running on an internal network cannot exchange location messages with one running on the Internet. (No signaling is supported across ISA server.)

NOTE: Use Rules as Tools. Create rules for foreign domains to make their use easier for internal clients. For example, the fully qualified domain name of an ILS server can be quite long, such as ils.public.techtopics.Microsoft.mythoughts.peachweaver.com. Quite a mouthful, or should I say handful, to be typed.
Instead, create a rule for the domain (MStopics or some other useful acronym) that will then resolve to the FQDN. Users need only to type in "MStopics" to reach the ILS server.

- Clients may register using one alias from multiple locations because the Gatekeeper uses the most recently active terminal for an alias.

TABLE 7.2 H.323 PORTS

Port                     Use
1720 (TCP)               H.323 call setup
1731 (TCP)               Audio call control
Dynamic (TCP)            H.323 call control
Dynamic (RTP over UDP)   H.334 streaming
389 (TCP)                Internet Locator Server
522 (TCP)                User Location Service
1503 (TCP)               T.120

HOW TO ADD AN H.323 GATEKEEPER TO ISA

Not every ISA Server will want to serve as an H.323 Gatekeeper. The H.323 Gatekeeper can be added during installation or at a later time. To add an H.323 Gatekeeper to ISA, follow these steps:

1. Enable and configure H.323 protocol access.
2. Configure DNS.
3. Add H.323 Gatekeeper to ISA Server.
4. Enable fast kernel mode.

Enabling and Configuring H.323 Protocol Access

Before you can use the H.323 Gatekeeper service, you must enable and configure H.323 protocol access. The first step in doing this is to enable H.323. You will also want to fine-tune this access by creating protocol rules.

Enabling H.323 Protocol Access

An application filter for H.323 is provided with ISA Server. This is separate from the H.323 Gatekeeper service and is used to filter the H.323 protocol. H.323 protocol access is disabled by default on an ISA Server that is installed without the H.323 Gatekeeper service. (When the H.323 Gatekeeper service is installed, protocol access is enabled.
) Because the Gatekeeper service may not be installed on every ISA Server, but you may want to pass H.323 traffic through other ISA Servers in your enterprise, you will want to enable H.323 protocol access on these ISA Servers. If the Gatekeeper service was not installed, use Step by Step 7.1 to enable the filter. In addition, you will want to select appropriate call access control.

STEP BY STEP 7.1 Enable the H.323 Protocol Rule

1. In the ISA Management Console, under Internet Security and Acceleration Server/Servers and Arrays/name/Extensions/Application Filters, right-click H.323 filter and click Properties.
2. On the General tab (see Figure 7.4), click Enable This Filter.
3. On the Call control tab (see Figure 7.5), make the selections to configure the type of overall control you desire. Granular control over access is accomplished by using protocol rules. Table 7.3 lists the overall options and explains them. Click OK.

FIGURE 7.4 Enable this filter.
FIGURE 7.5 Configuring call control.

TABLE 7.3 CONFIGURING H.323 CALL CONTROL

Option                                                  Explanation
Use this Gatekeeper                                     Specify a Gatekeeper to use. Enter the FQDN of the ISA Server that hosts the service.
Call direction                                          Indicate direction of call allowed.
Allow incoming calls                                    People from other organizations will be allowed to call your people.
Allow outgoing calls                                    People in your organization will be allowed to call other people over the Internet.
Use DNS Gatekeeper lookup and LRQs for alias resolution Look up aliases using the Gatekeeper.
Media Control                                           Control the type of media allowed.
Allow audio                                             Allow audio.
Allow video                                             Allow video.
Allow T120 and application sharing                      Allow this protocol.

Establishing Protocol Rules

To fine-tune the access to the H.323 services, write protocol rules. Step by Step 7.2 describes the process.
STEP BY STEP 7.2 Creating H.323 Protocol Rules

1. If necessary, create policy elements, such as a schedule, before creating the rule.
2. In the ISA Management console, right-click Protocol Rules and select New Rule.
3. Enter a name for the rule and click Next.
4. Select the Allow or Deny check box and click Next.
5. On the New Protocol Rule Wizard/Protocols page, in the Apply This Rule To drop-down box, select Selected Protocols. Then use the Protocols drop-down box to select the H.323 protocol, and click Next (see Figure 7.6).

FIGURE 7.6 Select the H.323 protocol.

6. On the New Protocol Rule Wizard/Schedule page, use the drop-down box to select the schedule that represents the hours and days you will allow or deny protocol access (see Figure 7.7) and click Next.
7. On the New Protocol Rule Wizard/Client type page, select whether to grant or deny access to clients by IP address, user name, or group, then click Next.
8. Review the configuration and click Finish.

Configuring DNS

In order for H.323 proxies outside your organization to locate the ISA Server which hosts the H.323 Gatekeeper service, you must configure a DNS service location resource record. Instructions follow (see Step by Step 7.3) for creating this record on a Windows 2000 DNS Server. To create these records in other DNS systems, follow the instructions for creating resource records in those systems.

STEP BY STEP 7.3 Creating a DNS Service Location Resource Record

1. From Start, Programs, Administrative Tools, select DNS.
2. In the DNS console, select dnsserver/Forward Lookup Zones/the zone the ISA server is in.
3. Right-click the zone and choose Other New Records.
4. In the Resource Record Type dialog box, click on a resource record type, and then select Service Location.
5. Click the Create Record button (see Figure 7.8).
6. In the New Resource Record/Service drop-down box, select or type Q931.

FIGURE 7.7 Select the schedule for allowed access.
FIGURE 7.8 Configuring the resource record.

7. In the Protocol box, select _tcp.
8. In Port Number, type 1720.
9. In Host Offering This Service, type the external FQDN of the ISA Server computer that hosts the H.323 service (see Figure 7.9).
10. Click OK. Click Done. The resource record is added to the _tcp folder of the forward lookup zone (see Figure 7.10). Click Done and close the DNS Console.

Adding the H.323 Gatekeepers

When the Gatekeeper service is installed, a local Gatekeeper is added to the ISA Server. If you want to manage Gatekeepers from this server, you can add them by right-clicking the H.323 Gatekeeper folder, selecting Add Gatekeeper, and choosing the target machine by entering the FQDN of the other system.

FIGURE 7.9 Configuring the resource record.
FIGURE 7.10 Resource record location.

Enabling Fast Kernel Mode and Data Pumping

Several protocols require secondary connections. H.323 is one of them. Because ISA Server maintains and processes this information as part of NAT, there is some delay while the access rights of the secondary connection are processed. However, in most cases, this extra permission check is really unnecessary, as the secondary connection is never initialized until the primary connection has been accomplished. If the primary connection is approved, there is no need to perform secondary authorization for the secondary connection. You can allow ISA Server to skip this step and therefore improve throughput by enabling IP routing.
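The service location record that Step by Step 7.3 creates through the DNS console is, in standard zone-file terms, an SRV record named _q931._tcp.<zone> pointing at port 1720 on the ISA Server's external FQDN. The following added Python example (not from the book, and not Windows DNS tooling) writes that record in RFC 1035/2782 text form and checks an existing zone for the mistakes that stop outside H.323 proxies from finding the Gatekeeper: a missing record, the wrong port, or an IP address where a host name is required as the SRV target. The zone contents and host names are constructed.

```python
"""Build and sanity-check the _q931._tcp SRV record from Step by Step 7.3.
Added example; the zone-file lines below are constructed sample data."""
import re

SERVICE, PROTO, PORT = "q931", "tcp", 1720   # values given in Step by Step 7.3


def srv_record_line(zone: str, host_fqdn: str, priority: int = 0, weight: int = 0) -> str:
    """Zone-file equivalent of the console record:
    _q931._tcp.<zone>.  IN SRV <priority> <weight> 1720 <external FQDN>."""
    return (f"_{SERVICE}._{PROTO}.{zone}. IN SRV {priority} {weight} {PORT} "
            f"{host_fqdn.rstrip('.')}.")


# owner [ttl] IN SRV priority weight port target
_SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def check_q931_srv(zone: str, zone_lines) -> list:
    """Return a list of problems with the zone's Q931 SRV record
    (an empty list means the record looks right for an H.323 Gatekeeper)."""
    owner = f"_{SERVICE}._{PROTO}.{zone}.".lower()
    problems = []
    found = False
    for line in zone_lines:
        m = _SRV_RE.match(line.strip())
        if not m or m.group("owner").lower() != owner:
            continue
        found = True
        if int(m.group("port")) != PORT:
            problems.append(f"port is {m.group('port')}, expected {PORT} (H.323 call setup)")
        target = m.group("target")
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+\.?", target):
            # RFC 2782: the target is a host name that owns an A record, never an IP literal
            problems.append("SRV target must be a host name with an A record, not an IP address")
        else:
            if "." not in target.rstrip("."):
                problems.append("SRV target should be the external FQDN of the ISA Server")
            if not target.endswith("."):
                problems.append("SRV target is relative; the zone origin will be appended")
    if not found:
        problems.append(f"no SRV record for {owner} found")
    return problems


# Constructed sample zones: one correct, one with the two common mistakes.
GOOD_ZONE = [
    "example.com. IN SOA ns1.example.com. hostmaster.example.com. 1 3600 900 604800 86400",
    "isa.example.com. IN A 203.0.113.10",
    srv_record_line("example.com", "isa.example.com"),
]
BAD_ZONE = [
    "isa.example.com. IN A 203.0.113.10",
    "_q931._tcp.example.com. IN SRV 0 0 1731 203.0.113.10",   # wrong port, IP as target
]

if __name__ == "__main__":
    print(srv_record_line("example.com", "isa.example.com"))
    print("good zone:", check_q931_srv("example.com", GOOD_ZONE) or "OK")
    print("bad zone: ", check_q931_srv("example.com", BAD_ZONE))
```

The port check matters because 1731 (audio call control, Table 7.2) is easy to confuse with 1720 (call setup), and the target check matters because the console's Host Offering This Service field expects a name, not an address; a remote proxy resolving the SRV record will then look up that name's A record.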
This process is known as fast kernel mode or data pumping. Because data on secondary connections is maintained for NAT clients in kernel mode, performance gains can be significant. While caution would seem to indicate that one should not allow IP routing on a firewall, IP routing in ISA Server is not allowed unless packet filtering is enabled. By first enabling packet filtering, no packets that are not allowed via a packet-filtering rule will be routed. An application filter for the protocol must be installed on the server. To enable fast kernel mode, open the Properties page of the IP Packet Filter folder and on the General tab check the boxes for Enable Packet Filtering and Enable IP Routing.

Gatekeeper Administration

In addition to establishing the Gatekeeper and identifying call control, an administrator can restrict its usage by creating Gatekeeper rules (see the section, "Configure Gatekeeper Rules" later in this chapter), and by setting parameters in the Gatekeeper Property pages, as defined in Table 7.4.

Posted: 24/12/2013, 19:15
