Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Inbound Netmeeting with ISA Server 2004

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> Installation >> Inbound Netmeeting with ISA Server 2004 Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
Inbound Netmeeting with ISA Server 2004 - 13.Jun.2005 4:59:00 PM   
Number51

 

Posts: 35
Joined: 24.May2005
From: Canada
Status: offline 		Been reading lots of articles and such on how to achieve this. The actual, simple details are very
difficult to find. Here is what i had to do to get it working, step by step. Take note, some of the things i list here may not impact my goal, but i did it and the inbound Netmeeting works!

Pc.1, my ISA Server 2004 internet gateway/firewall, dhcp server, dns forwarder
internal ip=192.168.1.2

Pc.2, secondary server with ISA Server 2000 h.323 gatekeeper and manager ONLY, no other ISA 2000
components.
internal ip=192.168.1.10

DNS Manager on Pc.1
Added a "New Other Record" to my "Forward Lookup Zone".
- Resource record: SRV
- Service: Q931
- Protocol: _tcp
- Priority: 0
- Weight: 0
- Port Number: 1720
- Host offering this service: 192.168.1.10
- Delete this record when it becomes stable: No
- Time to live: 0 :1 :0 :0

ISA Server 2004 Manager on Pc.1

Configuration, Addins, H.323 Filter.
- Enable this filter: Yes
- Use this gatekeeper: 192.168.1.10 (pc.2)
- Use DNS gatekeeper lookup and LRQs for alias resolution: Yes
- Allow audio: No
- Allow video: No
- Allow T120 and application sharing: Yes
- Networks: External, Internal

New "Protocol"
- Name: H.225
- Protocol Type: UDP, Direction: Send Receive, Port range From: 1718, Port range To: 1719

New "Protocol"
- Name: H.323
- Protocol Type: TCP, Direction: Inbound, Port range From: 1503, Port range To: 1503
- Protocol Type: TCP, Direction: Inbound, Port range From: 1720, Port range To: 1720
- Protocol Type: TCP, Direction: Inbound, Port range From: 389, Port range To: 389
- Application Filters: H.323 Filter

New "Access Rule"
- Name: H.225
- Enabled: Yes
- Action to take: Allow
- Protocol: H.225
- From: Local Host
- To: 192.168.1.10 (Pc.2)
- Users: All Users
- Schedule: Always
- Content Types: All Content Types

New "Server Publishing Rule"
- Name: H.323
- Enabled: Yes
- Action to take: Allow
- Protocol: H.323
- From: Anywhere
- To: 192.168.1.10 (Pc.2)
- Requests appear to come from the ISA Server computer: Yes
- Networks: External (with the external interface specified)
- Schedule: Always

H.323 Gatekeeper Manager on Pc.2

Properties of local Gatekeeper:
- Network: 192.168.1.10 (the only one anyways)
- Registration Expiration time: 360
- Active Call Expiration Time: 35
- Security: Everyone

New "Destination"
- Address: 192.168.1.10
- Destination Type: Gatekeeper
- Enabled: Yes

New "Destination"
- Address: 192.168.1.2
- Destination Type: Gateway or proxy server
- Enabled: Yes

Site Server ILS Service disabled on both computers.

My internal Netmeeting clients now setup Netmeeting using a Gatekeeper @ 192.168.1.10, logging in with the

phone number, which we fill with any arbitrary number. For example, my registered phone number is 22.

Now clients outside access a simple web-page with calling links in the format:

CallTo:"22+type=phone+Gateway=xxx.xxx.xxx.xxx+secure=false+av=false+h323=false"

replacing the xxx.xxx.xxx.xxx with the external interface of the ISA Server 2004 computer.
Post #: 1
RE: Inbound Netmeeting with ISA Server 2004 - 13.Jun.2005 10:11:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi 51,

Very nice work! This works because you have using ISA 2000 along with 2004. Since 2004 doesn't have a gatekeeper, you must have 2000 to get the gatekeeprs functionality.

Thanks!
Tom

(in reply to Number51)
Post #: 2
RE: Inbound Netmeeting with ISA Server 2004 - 21.Jul.2005 12:49:00 PM   
theonlymikec

 

Posts: 5
Joined: 8.Feb.2005
From: Warren, MI
Status: offline 		I saw this in the newsletter and was wondering if you need a license for ISA2k in order to use the H.323 Gatekeeper in this scenario?

Thanks,
MIKEC

(in reply to Number51)
Post #: 3
RE: Inbound Netmeeting with ISA Server 2004 - 21.Jul.2005 2:19:00 PM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline 		Great Work! I myself was looking for a solution to the netmeeting problem. Since I didn't have time, I simply installed the ISA 2000 on a new server and enabled the gatekeeper on it. This server is on the edge and only has gatekeeper component.

I've been told that I can't publish the gatekeeper behind ISA 2004, as the gatekeeper has to be on the edge. Now, I will look into implement your setup. Thanks for posting! [Smile]

[ July 21, 2005, 02:21 PM: Message edited by: ISAwader ]

(in reply to Number51)
Post #: 4
RE: Inbound Netmeeting with ISA Server 2004 - 27.Jul.2005 8:49:00 AM   
Number51

 

Posts: 35
Joined: 24.May2005
From: Canada
Status: offline 		tshinder: Thanks for the props!

Mike: Not too sure about that, probably have to purchase the whole deal. But this scenario should work with any other Gatekeeper. There's a couple fairly cheap out there, as well as one open-source version. It's all about published communications standards, so i see no reason why it wouldn't work. Here's OpenH323 Gatekeeper which is free.

ISAwader: Let me know how it works out for you!

[ July 27, 2005, 08:50 AM: Message edited by: Number51 ]

(in reply to Number51)
Post #: 5
RE: Inbound Netmeeting with ISA Server 2004 - 23.Sep.2005 12:05:00 PM   
Guest
 I have the above setup configured and i am unable to connect to the gateway. I have ISA 2004 as the firewall/gateway and isa 2000 as the gatekeeper.
I am relatively sure the firewall is configured properly - if i start a netmeeting session on the gatekeepeer computer - it connects fine. It is almost as if the gatekeeper is not listening to the proper ports??? I looked at the ISA gatekeeper under "active calls" when connected and the call was not listed - so it is not even hitting the gatekeeper.

I also tried the GNU Gatekeeper - same result.

In both gatekeeper setups i see both the gateway and any netmeeting client(s) listed in the registration database.

On isa firewall Monitoring - if i monitor everything going to the gatekeeper - nothing is rejected.

Any ideas????

(in reply to Number51)
  Post #: 6
RE: Inbound Netmeeting with ISA Server 2004 - 23.Sep.2005 12:07:00 PM   
Guest
 repost --- (first sentence was wrong)

I have the above setup configured and i am unable to connect to the gatekeeper. I have ISA 2004 as the firewall/gateway and isa 2000 as the gatekeeper.
I am relatively sure the firewall is configured properly - if i start a netmeeting session on the gatekeepeer computer - it connects fine. It is almost as if the gatekeeper is not listening to the proper ports??? I looked at the ISA gatekeeper under "active calls" when connected and the call was not listed - so it is not even hitting the gatekeeper.

I also tried the GNU Gatekeeper - same result.

In both gatekeeper setups i see both the gateway and any netmeeting client(s) listed in the registration database.

On isa firewall Monitoring - if i monitor everything going to the gatekeeper - nothing is rejected.

Any ideas????

(in reply to Number51)
  Post #: 7
RE: Inbound Netmeeting with ISA Server 2004 - 26.Sep.2005 3:18:00 PM   
Number51

 

Posts: 35
Joined: 24.May2005
From: Canada
Status: offline 		First, check that the ISA 2004 computer (which i assume is the firewall between your LAN and the internet) is registered under "Active Terminals" on the ISA 2000 pc. The ISA 2004 pc should list as a "Gateway or Proxy" H.323 type. If this entry is not present, first have a look that the H.323 Filter on the ISA 2004 computer is active and setup to point to the ISA 2000 running the H.323 gatekeeper. Also, the event log may contain reasons why the two aren't communicating.

If the "Gateway or Proxy" entry is present in the GateKeeper, launch NetMeeting from the LAN, setup the Advanced Calling to log into the Gatekeeper. With these values in place, again check the "Active Terminals" in the H.323 Gatekeeper. Any netmeeting logged with the Gatekeeper should list and show as a Dynamic "User" type.

(in reply to Number51)
Post #: 8
RE: Inbound Netmeeting with ISA Server 2004 - 26.Sep.2005 3:51:00 PM   
Guest
 I cannot get this to work either, all I recieve is the following error:

"The other party did not accept your call"

And there is never a promt to accept an incoming call on any of the machines.

Here is my config:
Pc.1, my ISA Server 2004 internet gateway/firewall, NOT dhcp server (10.0.0.2/8), NOT dns forwarder (10.0.0.2/8)
internal ip= 10.15.0.1/8

Pc.2, secondary server with ISA Server 2000 h.323 gatekeeper and manager ONLY, no other ISA 2000
components.
internal ip=10.15.0.3/8

DNS Manager on Pc.1
Added a "New Other Record" to my "Forward Lookup Zone".
- Resource record: SRV
- Service: Q931
- Protocol: _tcp
- Priority: 0
- Weight: 0
- Port Number: 1720
- Host offering this service: 10.15.0.3
- Delete this record when it becomes stable: No
- Time to live: 0 :1 :0 :0

ISA Server 2004 Manager on Pc.1

Configuration, Addins, H.323 Filter.
- Enable this filter: Yes
- Use this gatekeeper: 10.15.0.3 (pc.2)
- Use DNS gatekeeper lookup and LRQs for alias resolution: Yes
- Allow audio: No
- Allow video: No
- Allow T120 and application sharing: Yes
- Networks: External, Internal

New "Protocol"
- Name: H.225
- Protocol Type: UDP, Direction: Send Receive, Port range From: 1718, Port range To: 1719

New "Protocol"
- Name: H.323
- Protocol Type: TCP, Direction: Inbound, Port range From: 1503, Port range To: 1503
- Protocol Type: TCP, Direction: Inbound, Port range From: 1720, Port range To: 1720
- Protocol Type: TCP, Direction: Inbound, Port range From: 389, Port range To: 389
- Application Filters: H.323 Filter

New "Access Rule"
- Name: H.225
- Enabled: Yes
- Action to take: Allow
- Protocol: H.225
- From: Local Host
- To: 10.15.0.3 (Pc.2)
- Users: All Users
- Schedule: Always
- Content Types: All Content Types

New "Server Publishing Rule"
- Name: H.323
- Enabled: Yes
- Action to take: Allow
- Protocol: H.323
- From: Anywhere
- To: 10.15.0.3 (Pc.2)
- Requests appear to come from the ISA Server computer: Yes
- Networks: External (with the external interface specified)
- Schedule: Always

H.323 Gatekeeper Manager on Pc.2

Properties of local Gatekeeper:
- Network: 10.15.0.3 (the only one anyways)
- Registration Expiration time: 360
- Active Call Expiration Time: 35
- Security: Everyone

New "Destination"
- Address: 10.15.0.3
- Destination Type: Gatekeeper
- Enabled: Yes

New "Destination"
- Address: 10.15.0.1
- Destination Type: Gateway or proxy server
- Enabled: Yes

Also where do I disable ILS at?

(in reply to Number51)
  Post #: 9
RE: Inbound Netmeeting with ISA Server 2004 - 26.Sep.2005 4:00:00 PM   
Guest
 Nevermind on the "Also where do I disable ILS at?" post, it is not even installed on either machine.

(in reply to Number51)
  Post #: 10
RE: Inbound Netmeeting with ISA Server 2004 - 26.Sep.2005 4:06:00 PM   
Number51

 

Posts: 35
Joined: 24.May2005
From: Canada
Status: offline 		<ktech>
What do you have listed under "Active Terminals" on the ISA 2000 H.323 Gatekeeper?

(in reply to Number51)
Post #: 11
RE: Inbound Netmeeting with ISA Server 2004 - 26.Sep.2005 4:24:00 PM   
Guest
 Account = Machine name of PC1 (Gateway)10.15.0.1/8
Type = Dynamic
H.323 Type = Gateway or Proxy
Q931 Address = 10.15.0.1:1720

and when I host a call:

Account =
Phone = 1
Type = Dynamic
H.323 Type = User
Q931 Address = 10.2.209.1:1720

(in reply to Number51)
  Post #: 12
RE: Inbound Netmeeting with ISA Server 2004 - 26.Sep.2005 4:32:00 PM   
Number51

 

Posts: 35
Joined: 24.May2005
From: Canada
Status: offline 		So your external client attempts to call you, and they receive "no response".

Try this, if you haven't already:

Forget the link, that's gravy.

Have the external client run netmeeting, Tools->Options, [Advanced Calling]. They should turn on "Use a gateway to call..." under the Gateway settings. The gateway address should be your external IP. Save all this info.

Now have the external call to "1" (or whatever phone number you've registered with in the Gatekeeper... the "Phone" column in the Gatekeeper active registrations).

As long as no firewall is getting in the way on the external side, you should get a ring and be allowed to answer the call and initiate the session.

(in reply to Number51)
Post #: 13
RE: Inbound Netmeeting with ISA Server 2004 - 26.Sep.2005 4:54:00 PM   
Guest
 That is correct. I have tried, as you guessed without the link, and get the same result. I can see the traffic being allowed on the external firewall too, so I know I am getting to the external interface of ISA. Here is a copy of the log with IPs removed.

Number: 548027
Date: 26Sep2005
Time: 15:00:45
Product: Checkpoint Firewall
Interface: eth0
Origin: External Firewall
Type: Log
Action: Accept
Protocol: tcp
Service: H323_any (1720)
Source: Client Machine
Destination: H.323_Net_Meeting ISA Host IP
Rule: 1
Source Port: 3116

If I monitor on ISA all I see is the following, not much help. Also Event Viewer doesnÆt show anything interesting.

Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL
192.84.24.XX ISA - TCP - - 3104 0 0 0 0x0 0x0 0x0 Firewall 9/26/2005 2:36:31 PM 192.84.24.XXX1720 H.323 Protocol Initiated Connection 192.84.24.XX External Local Host - -
0.0.0.0 ISA - TCP - - 0 0 0 0 0x80074e24 0x0 0x0 Firewall 9/26/2005 2:36:34 PM 192.84.24.XXX1720 H.323 Protocol Closed Connection 0.0.0.0 Local Host - -
192.84.24.XX ISA - TCP - - 3104 4000 453 295 0x80074e20 0x0 0x0 Firewall 9/26/2005 2:36:35 PM 192.84.24.XXX1720 H.323 Protocol Closed Connection 192.84.24.XX External Local Host - -

Could this be a signature based problem, I am filtering some signatures, but I thought that only affected HTTP?

I appreciate your help on this issue.

www.isaserver.org is th greatest site ever.

(in reply to Number51)
  Post #: 14
RE: Inbound Netmeeting with ISA Server 2004 - 26.Sep.2005 6:50:00 PM   
Number51

 

Posts: 35
Joined: 24.May2005
From: Canada
Status: offline 		First of all
quote:
www.isaserver.org is th greatest site ever.
I gotta agree with you there... never have i found a bigger resource of useful information, and a more friendly community of helpful individuals!

Now, enough fluff.... gotta say i have no answer for your problem... my setup does not use the Checkpoint firewall at any point, so i'm pretty lost to help ya... hopefully one of the gurus around here can chip in some information that will assist you.

But i can GUESS.... you've reported seeing traffic IN through the Checkpoint firewall... how about anything going OUT? Same question on the ISA 2004...

What about a software firewall on the client computer? (WinXP, sp2 perhaps?)

From what i understand of your setup, the Gateway/proxy looks good, and your client register just fine... somewhere along the line things are getting gummed up.

Anyway you can remove the Checkpoint firewall to prove/disprove this as the problem?

(in reply to Number51)
Post #: 15
RE: Inbound Netmeeting with ISA Server 2004 - 27.Sep.2005 9:21:00 AM   
Guest
 I have never been able to record any outbound traffic. No client firewalls either except for the Microsoft ISA FW Client on the workstation hosting the call and on the gatekeeper. I am at a loss, it's like the traffic is hitting ISA and dropping. Does anyone else have any ideas? I may have to resort to some netmon to see what is happening to the traffic.

(in reply to Number51)
  Post #: 16
RE: Inbound Netmeeting with ISA Server 2004 - 27.Sep.2005 9:22:00 AM   
Guest
 I have found an error in the firewall event viewer:
"Registration with the H.323 Gatekeeper at address 192.0.0.37:1719 failed. This will prevent inbound calls."

This is obviously the problem, but i have no idea what is preventing the registration.

At this point I have the GNU gatekeeper installed and I do see both the Gateway and any client listed under current connections.

My symptoms appear to be the same as ktech's

(in reply to Number51)
  Post #: 17
RE: Inbound Netmeeting with ISA Server 2004 - 27.Sep.2005 10:25:00 AM   
Guest
 I have found in my Event Viewer ôRegistration with H.323 Gatekeeper at address 10.15.0.3:1719 succeeded.ö But I still cannot connect.

I did find though if I use Monitoring\Logging on ISA and edit the filter to include Destination IP Equals Gatekeeper IP (10.15.0.3) I see no traffic while attempting to connect from outside.

(in reply to Number51)
  Post #: 18
RE: Inbound Netmeeting with ISA Server 2004 - 27.Sep.2005 5:04:00 PM   
Guest
 No longer getting registration error, but still having problem (Rebooted ISA server).

Still same problem - cannot connect from external.

(in reply to Number51)
  Post #: 19
RE: Inbound Netmeeting with ISA Server 2004 - 28.Sep.2005 8:56:00 AM   
Guest
 Got it working!
Change Requests appear to come from the ISA Server computer: Yes
to
"requests appear to come from original client"

I am thinking Number51's network configuration is different - are you using a DMZ or just a perimerter firewall?

(in reply to Number51)
  Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 General ] >> Installation >> Inbound Netmeeting with ISA Server 2004 Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts