Re: [FW-1] H323 and Checkpoint FW
There are 2 reasons H.323 and firewalls don't get along:

1 - The traffic requires a negotiated 'connection' on an unspecified high UDP port. So a firewall might have to be configured to allow any UDP traffic above port 1024. This is not good, obviously, from a security standpoint.

2 - H.323 records the hosts' IP address in the payload of the packet. This causes big problems if NAT is involved, since the H.323 packets will contain the private IP and not the translated public IP.

Luckily, FW-1 can handle both of these problems via the process noted below. We have been using h323 with success over 4.1 SP3, but we had to do the following:

1 - Don't use the predefined h323 service; use your own (e.g. 'h323_new'):
    match: tcp,dport=1720
    Pre-match: h323_prematch_new
    Prolog: h323_prolog_new
This could also require alteration of the file FWDIR\lib\h323.def, but the service packs took care of this for us. Check the CP knowledge base for details (10043.0.749) if you aren't at SP3 yet. The h323.def file must contain the proper code for the h323_prematch_new and h323_prolog_new functions.

2 - Make sure the traffic is being allowed by a rule that specifically names the 'h323_new' (or whatever you called it) service. Rules that allow the initial connection via an 'any' condition will fail, since they can't handle the dynamically assigned high UDP port.

3 - Do not use the custom h323_new service and the predefined h323 service in the same policy.

4 - If you are using NAT, you must use static one-to-one NAT for H.323 traffic if incoming connections are required.

-----Original Message-----
From: Young, Roger [mailto:[email protected]]
Sent: Thursday, November 08, 2001 1:17 AM
To: [email protected]
Subject: Re: [FW-1] H323 and Checkpoint FW

We would also like to understand the issues. We're looking at building an internal IP-based video conferencing network, but having this traffic separate from the data network.
The ISP and the equipment vendor actually have published documentation saying that H323 traffic does not like firewalls. They go on to recommend either a separate Internet connection for video conferencing traffic or putting this traffic on the outside of the firewall. We need to pursue with them the REASONS why... Having a separate high speed network for VC traffic may be OK for a video conferencing center, but what about people with desktop cameras that want to participate on their regular data network using H323? We'll be digging deeper into this.

At 09:19 AM 11/2/01 -0500, Nooman wrote:
>I am even having problem with SP2, the firewall rejects the packet trying to
>open tcp port 3230 which we allow for our Video Cameras at different sites.
>It says rule 0 is responsible for this "reason: tried to open port x,
>port:x"
>Does anyone have any idea?
>
>Nooman Elahi Siddiqi
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]] On Behalf Of
>Christophe Barberet
>Sent: Friday, November 02, 2001 5:17 AM
>To: [email protected]
>Subject: [FW-1] H323 and Checkpoint FW
>
>
>Hi everybody,
>
>Has anyone heard of a problem with H323 service on CheckPoint FW-1 SP4?
>It doesn't work with my MCU Radvision.
>
>Christophe Barberet
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================
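The stateful behaviour behind point 2 of the top reply (a rule naming the custom h323_new service lets the protocol handler open the negotiated UDP port, while an 'any' rule accepts the TCP 1720 setup but leaves the media flow to be dropped), as an added toy model in Python. This is not FireWall-1 code; the Packet, Rule and Firewall classes, the endpoint names and the media port 50000 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

H323_SETUP_PORT = 1720  # Q.931 call setup port from the thread's service definition

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp" or "udp"
    dport: int
    media_port: Optional[int] = None  # UDP port carried in the H.323 payload (simplified)

@dataclass(frozen=True)
class Rule:
    src: str       # host name or "any"
    dst: str
    service: str   # "h323_new" (custom service with handler) or "any"
    action: str    # "accept" or "drop"

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.pending = set()  # (src, dst, udp_port) media flows the handler expects

    def _matches(self, rule, pkt):
        if rule.src not in ("any", pkt.src) or rule.dst not in ("any", pkt.dst):
            return False
        if rule.service == "any":
            return True
        # custom service: match tcp, dport=1720, as the thread defines h323_new
        return rule.service == "h323_new" and pkt.proto == "tcp" and pkt.dport == H323_SETUP_PORT

    def check(self, pkt):
        # stateful table first: a media flow registered by the handler is accepted
        if pkt.proto == "udp" and (pkt.src, pkt.dst, pkt.dport) in self.pending:
            return "accept"
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule.action == "accept" and rule.service == "h323_new" and pkt.media_port:
                    # prematch/prolog handler: record the callee -> caller media flow
                    self.pending.add((pkt.dst, pkt.src, pkt.media_port))
                return rule.action
        return "drop"  # no rule matched and no dynamic UDP port was opened

def simulate(service):
    # one accept rule for the call setup, then the media packet coming back
    fw = Firewall([Rule("endpointA", "endpointB", service, "accept")])
    setup = Packet("endpointA", "endpointB", "tcp", H323_SETUP_PORT, media_port=50000)
    media = Packet("endpointB", "endpointA", "udp", 50000)  # constructed sample flow
    return fw.check(setup), fw.check(media)
```

simulate("h323_new") accepts both packets; simulate("any") accepts the setup and drops the media, which is the failure the reply warns about.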