
Re: [FW-1] H323 and Checkpoint FW


  • To: [email protected]
  • Subject: Re: [FW-1] H323 and Checkpoint FW
  • From: "Young, Roger" <[email protected]>
  • Date: Thu, 8 Nov 2001 23:05:59 -0500
  • In-reply-to: <7E7BCDD96660D211BA480000F8E78A6501D24FDD@pmare_exchange.pm are>
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Jeffrey,

Thanks for this.... obviously you've been down this road. We have some
folks that would like to test this from desktop setups.

Roger

At 10:11 AM 11/8/01 -0500, you wrote:
There are 2 reasons H.323 and firewalls don't get along:

1 - The traffic requires a negotiated 'connection' on an unspecified high
UDP port. So a firewall might have to be configured to allow any UDP traffic
above port 1024. This is not good, obviously, from a security standpoint

2 - H.323 records the hosts' IP address in the payload of the packet. This
causes big problems if NAT is involved, since the H.323 packets will contain
the private IP and not the translated public IP.

Luckily, FW-1 can handle both of these problems via the process noted
below:

We have been using h323 with success over 4.1 sp3, but we had to do the
following:

1 - Don't use the predefined h323 service, use your own, (e.g. 'h323_new'):

match: tcp,dport=1720
Pre-match: h323_prematch_new
Prolog: h323_prolog_new

This could also require alteration of the file FWDIR\lib\h323.def, but the
service packs took care of this for us. Check the CP knowledge base for
details (10043.0.749) if you aren't at SP3 yet. The h323.def
file must contain the proper code for the h323_prematch_new and
h323_prolog_new functions.


2 - make sure the traffic is being allowed by a rule that specifically names
the 'h323_new' (or whatever you called it) service. Rules that allow the
initial connection via an 'any' condition will fail, since they can't handle
the dynamically assigned high UDP port.

3 - Do not use the custom h323_new service and the predefined h323 service
in the same policy.

4 - If you are using NAT, you must use static one to one NAT for H.323
traffic if incoming connections are required.



-----Original Message-----
From: Young, Roger [mailto:[email protected]]
Sent: Thursday, November 08, 2001 1:17 AM
To: [email protected]
Subject: Re: [FW-1] H323 and Checkpoint FW


We would also like to understand the issues. We're looking at building an internal IP-based video conferencing network, but having this traffic separate from the data network. The ISP and the equipment vendor actually have published documentation saying that H323 traffic does not like firewalls. They go on to recommend either a separate Internet connection for video conferencing traffic or putting this traffic on the outside of the firewall. We need to pursue with them the REASONS why... Having a separate high speed network for VC traffic may be OK for a video conferencing center, but what about people with desktop cameras that want to participate on their regular data network using H323? We'll be digging deeper into this.

At 09:19 AM 11/2/01 -0500, Nooman wrote:
>I am even having problems with SP2, the firewall rejects the packet trying to
>open tcp port 3230 which we allow for our Video Cameras at different sites.
>It says rule 0 is responsible for this "reason: tried to open port x,
>port:x"
>Does anyone have any idea?
>
>Nooman Elahi Siddiqi
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]]On Behalf Of
>Christophe Barberet
>Sent: Friday, November 02, 2001 5:17 AM
>To: [email protected]
>Subject: [FW-1] H323 and Checkpoint FW
>
>
>Hi everybody,
>
>Has anyone heard of a problem with H323 service on CheckPoint FW-1 SP4?
>It doesn't work with my MCU Radvision.
>
>Christophe Barberet
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================
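
A toy model of the two points Jeffrey makes above (the dynamically negotiated UDP media port and the private IP embedded in the payload), and of why a rule matching on 'any' passes the call setup without opening the media port. This is an added example, not code from the thread or from Check Point; the `media=IP:port` text line and the rule/service names are constructed stand-ins for the ASN.1-encoded transport address in a real H.245 message.

```python
from dataclasses import dataclass, field
import re

H323_SETUP_PORT = 1720  # TCP call-signalling port (H.225/Q.931)
# Constructed stand-in for the embedded transport address in H.245.
MEDIA_RE = re.compile(r"media=(\d+\.\d+\.\d+\.\d+):(\d+)")


@dataclass
class Rule:
    name: str
    service: str  # "any", "tcp/1720" (plain port) or "h323_new" (H.323-aware)


@dataclass
class Firewall:
    rules: list
    nat: dict = field(default_factory=dict)     # private IP -> public IP
    pinholes: set = field(default_factory=set)  # (dst_ip, udp_port) allowed

    def first_match(self, proto, dport):
        """Return the first rule that would accept this connection, if any."""
        for r in self.rules:
            if r.service in ("any", f"{proto}/{dport}"):
                return r
            if r.service == "h323_new" and (proto, dport) == ("tcp", 1720):
                return r
        return None

    def setup(self, payload):
        """Process the TCP 1720 call setup; return the forwarded payload or None."""
        rule = self.first_match("tcp", H323_SETUP_PORT)
        if rule is None:
            return None  # dropped: no rule allows the setup
        m = MEDIA_RE.search(payload)
        if rule.service != "h323_new" or m is None:
            # An 'any' or plain-port rule passes the setup but never inspects
            # it, so no pinhole is opened for the negotiated UDP media port.
            return payload
        priv_ip, port = m.group(1), int(m.group(2))
        pub_ip = self.nat.get(priv_ip, priv_ip)
        # Open only the negotiated port instead of every UDP port above 1024.
        self.pinholes.add((pub_ip, port))
        # Under NAT, rewrite the embedded private address to the public one.
        return MEDIA_RE.sub(f"media={pub_ip}:{port}", payload)

    def udp_allowed(self, dst_ip, dport):
        """Would an inbound UDP media packet to dst_ip:dport be accepted?"""
        return (dst_ip, dport) in self.pinholes
```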
