PrepAway - Latest Free Exam Questions & Answers

Which of the following objects is NOT required to configure VPN-1/FireWall-1 for H.323 in this scenario?

Ann would like to deploy H.323 with a gatekeeper and gateway on her internal network. This
network is behind a VPN-1/FireWall-1 Enforcement Module. Which of the following objects is NOT
required to configure VPN-1/FireWall-1 for H.323 in this scenario?

A. Address Range representing internal IP-addressed phones

B. Gatekeeper Node Object

C. Address range of external IP-addressed phones

D. Voice over IP (VoIP) Gateway Node Object

E. Voice over IP (VoIP) Domain Object

Explanation:

Configuring FireWall-1 and VoIP with H.323

Analog (conventional) telephones and digital (soft) telephones can be used in
conjunction with an H.323-based VoIP solution. Conventional phones do not
have IP addresses but can be connected to an H.323 gateway, which converts
the analog signal to digital so that they can participate in VoIP. Digital phones
can be either a physical telephone that has an IP address or a computer with
the appropriate software that enables it to act as a telephone. Both of these
configurations are referred to as “soft phones.”

The IP addresses of the gateway (if necessary) and the soft phones should
be on their own subnet along with the H.323 gatekeeper computer.

The gatekeeper H.323 component is the focal point for all calls within a
VoIP network. It provides important services such as addressing, authorization,
and authentication for the gateway and the IP phones behind it. The
gatekeeper can also provide bandwidth management, accounting, billing,
charging, and call-routing services.

The first step in configuring the firewall to inspect VoIP traffic is to define
host node and/or network objects that represent the IP phones, the gateway
computer (optional), and the gatekeeper computer. The gatekeeper and the
gateway should be created as host objects. Each IP phone can be a host node
object as well, or you could create a network object that represents the IP
address range of your VoIP network. The only portion of the H.323 architecture
for which you do not have to create objects is the analog phones. Since they
don’t have IP addresses, they are represented by the gateway object. If you do
not have analog phones, then you have no need to create a gateway object.

Creating the Gateway

If you have analog phones in your VoIP network, you must create a VoIP
Domain H.323 Gateway object as outlined in the following steps:

1. Go to Manage > Network Objects and choose New > VoIP Domains >
VoIP Domain H.323 Gateway.
2. In the General tab, define the gateway’s Name, Comment, and Color.
Choose the network object that represents the IP addresses of your
VoIP subnet in the Related Endpoints Domain pull-down menu. Keep
in mind that if different H.323 protocols are carried on different interfaces,
then a separate host node object has to be created to represent
each interface. These host node objects should then be grouped
together and defined in the VoIP Installed At field. If there is a single
interface carrying the protocols that make up H.323, then only one
host node object (which represents the H.323 gateway) should be
defined in the VoIP Installed At field.

3. In the Routing Mode tab, you’ll see two options: Call Setup (Q.931) and
Call Setup And Call Control. Call Setup (Q.931) handles the setup and
termination of the calls, whereas Call Setup And Call Control does that
as well as negotiating the parameters necessary for multimedia. At
least one of the choices must be checked, depending on the VoIP product
that you are using.

Most people are not familiar with the H.323 protocol but have experienced
it if they’ve ever used Microsoft’s NetMeeting product.
Creating the Gatekeeper

The gatekeeper object must be created to securely pass H.323 traffic through
your firewall. To create a gatekeeper object, follow these steps:

1. Go to Manage > Network Objects to open the Network Objects window,
then choose New > VoIP Domains > VoIP Domain H.323 Gatekeeper.
2. In the General tab, shown in the figure below, define the gatekeeper’s Name,
Comment, and Color. The network object or address range object that
represents your soft phone subnet and/or the object that represents
your gateway (if you’re using analog phones) should be defined in the
Related Endpoints Domain field. If you are using a combination of
analog and digital phones, then combine the gateway and the network
range in a Simple Group and define it here. The host node object that
represents your H.323 gatekeeper machine should be defined in the
VoIP Installed At field.

3. Under the Routing Mode tab of the gatekeeper properties, you can
choose from three allowed routing modes. This option identifies
which connections will be rerouted from your VoIP gatekeeper to the
VoIP gatekeeper on the other end. At least one of the following choices
must be checked, depending on the VoIP equipment that is being used:

Direct: The H.225 and Q.931 protocols, which allow gatekeeper-to-gatekeeper
communication and call setup and breakdown respectively,
are rerouted if this check box is selected.

Call Setup (Q.931): H.245, which is the control protocol used by H.323
for multimedia communication, will be rerouted from gatekeeper to gatekeeper
along with the Q.931 protocols.

Call Setup (Q.931) and Call Control (H.245): Connections that deal
with video, audio, and the control connections associated with video and
audio will be rerouted gatekeeper to gatekeeper.

VoIP is a large set of protocols that are not easily understood. A good resource
to learn more about VoIP is http://www.voip-calculator.com/.

Configuring Global Properties
In the VoIP page of the Global Properties window, shown in the figure below, you
can change the VoIP parameters from their default settings. If the Log VoIP
Connection option is checked, every VoIP (SIP and H.323) connection will
be logged, including the telephone number information. Under the H.323
section, Allow to Re-direct Connections is an H.323 function that allows call
forwarding and call waiting to occur. Disallow Blank Source Phone Numbers
is what we commonly know as blocking CallerID. Enable Dynamic T.120
enables the T.120 protocol, which most recognize as the whiteboarding feature
of NetMeeting.

Configuring the Rule Base
Now that you have created your network objects and configured your VoIP
global parameters, it’s time to configure the rule base to filter H.323 traffic.
The concept in creating the rule is to allow traffic to pass from gatekeeper to
gatekeeper or from gateway to gateway using the H.323 service. You have
more than one H.323 service to choose from: H.323_any provides all the
required services for VoIP, and H.323_ras includes only the RAS part of the
H.323 protocol. If you wish to use more than just H.323_ras, then you will
have to define additional services for this rule or create additional rules to
allow the other protocols (e.g. T.120 or H.450) necessary for the call to be
completed.

For our purposes in this book, the figure below displays a good example of an
H.323 VoIP rule. The gatekeepers of Detroit and Madrid are listed in both
the Source and Destination columns of the rule. The Service is H.323_any,
and the Action is Accept.

You now have an understanding of how to configure the firewall for
H.323-based VoIP systems. Now look at the next section, where you will
learn how to configure SIP-based VoIP systems.
