Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Tunneling NM traffic throught GK2GK Link

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 General] >> H.323 Gatekeeper >> Tunneling NM traffic throught GK2GK Link Page: [1]
Login
Message << Older Topic   Newer Topic >>
Tunneling NM traffic throught GK2GK Link - 21.Jan.2003 8:20:00 PM   
tiry

 

Posts: 5
Joined: 21.Jan.2003
Status: offline 		Hi,

Here is my problem:
I have netmeeting clients on 2 differents LAN and a FireWall that prevent clients to communicate directly.
NM1 (on LAN1)----- FireWall ----- NM2 (on LAN2)

I can not change the firewalls rules to allows NetMeeting Traffic for all clients in both LANs.

So, the idea is to use GateKeepers (GKs) :
NM1 ---- GK1 ==== FireWall ==== GK2 ---- NM2
FireWalls is configured to allow all traffic between the GKs (fixed @IP).
=> I would like all traffic between endpoints to be routed via ISA GKs.

I set up 2 test configurations :
- one with 2 GnuGateKeeper : works OK in routed mode
- one with 2 ISA GK : don't work

With ISA GK, I configured a routing rule based on mail like address. The calls are OK without the firewalls, but fails if firewall is on.
=> Trafic is not tunneled throught the GK2GK connection

Is there a way to force ISA to handle all the traffic (H.245 + T.120 + AV) and not let the EndPoints (NM) communicate directly ?

Thx for your help

Tiry
Post #: 1
RE: Tunneling NM traffic throught GK2GK Link - 22.Jan.2003 12:03:00 PM   
tiry

 

Posts: 5
Joined: 21.Jan.2003
Status: offline 		Hi again [Smile]

I found a working configuration:

On LAN 1 :
- NetMeeting Client1 is Registred with ISA GK1
- GK1 has a routing destination to GK2 as a gateway
- GK1 has a routing rule that forward call to LAN2 to GK2 as a gateway

On LAN 2 :
- NetMeeting Client2 is Registred with ISA GK2
- GK2 has a routing destination to GK1 as a gateway
- GK2 has a routing rule that forward call to LAN2 to GK1 as a gateway

=> When client from LAN1 call somebody@LAN2 :
- client from LAN1 automaticaly connect to GK2
- communication between endpoint occurs throught GK2

=> This is not exactly what I wanted to do : for this configuration to work I have to configure firewall to allow ALL client from LAN1 to connect to GK2

In addtion, it seems that when NM connect to GK2 as a Gateway, it try to open other ports than 1503(T.120) and 1720(Setup H323) : it try to open 2 dynamics TCP Port even if audio and video are disable (callto + av=false). And in fact port 1503 is not used, even when sharing an application ...

Is there a better way to enable NM communication between my to LANs throught the FireWall ?

Thx

[ January 22, 2003, 12:39 PM: Message edited by: tiry ]

(in reply to tiry)
Post #: 2
RE: Tunneling NM traffic throught GK2GK Link - 26.Jan.2003 1:37:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Tiry,

Have you tried having all host registry with the same gatekeeper? Since the network is joined by a VPN gateway, that should work.

Thanks!
Tom

(in reply to tiry)
Post #: 3
RE: Tunneling NM traffic throught GK2GK Link - 27.Jan.2003 12:33:00 PM   
tiry

 

Posts: 5
Joined: 21.Jan.2003
Status: offline 		Hi, and thx for your reply ...

In fact, I don't want to use the same GK for all lans, for 2 reasons :
- there are really a lot of users (3000+) in each LANs (10 LANs)
- registering all the users with the same GK will not solve the problem of all the network traffic going throught the GK

May be I did not completly understand your answer [Frown]

Tiry

(in reply to tiry)
Post #: 4
RE: Tunneling NM traffic throught GK2GK Link - 27.Jan.2003 3:32:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Tiry,

I see the problem, although 3000 registrations isn't that many, although if a lot of them are going over a VPN, it would be a problem. You can create call routing rules and forward calls to specific phone numbers to the other gateway. That would mean creating a phone numbering scheme that would support this kind of routing.

Thanks!
Tom

(in reply to tiry)
Post #: 5
RE: Tunneling NM traffic throught GK2GK Link - 27.Jan.2003 4:36:00 PM   
tiry

 

Posts: 5
Joined: 21.Jan.2003
Status: offline 		Hi!

Once again, I am afraid I dont understand fully your answer. Sorry, I am quite knew to H.323 ...

There is no VPN, just a firewall that prevent computers on different LAN to cummunicate directly.
So my purpous is to force all traffic between 2 NetMeeting client to go throught a GK-to-GK link, because I can only modify the firewall rule to allow all traffic between the 2 @Ip of the GKs.

This option is available in GnuGK and is called Routed/Proxy mode.

I just can't find a way to tell ISA GK that ALL Ip traffic has to go throught him. In my test config ISA GK route the call, but after that the end point bypass his GateKeeper to directly communicate with the GK of the other LAN (wich is used as a Gateway)...

To be very simple : I would like a NM client in LAN 1 to be able to make a call to a NM client on LAN 2 without having to connect directly to any computer on LAN 2 (neither a endpoint, nor a GateWay / GateKeeper).
The only communication permited between LANs is GK-to-GK.

Tiry

(in reply to tiry)
Post #: 6
RE: Tunneling NM traffic throught GK2GK Link - 28.Jan.2003 2:46:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Tiry,

You should be able to configure the gatekeepers to use q931 records to resolve user names. Or, you can configure your phonebooks, you can create routing rules based on phone number. The problem with q931 record is DNS dependent, and if all the clients are in the same domain, then that won't help. The best thing to do is create a phonebook and configure call routing rules based on something simple, such as the first few digits in the phone number.

HTH,
Tom

(in reply to tiry)
Post #: 7
RE: Tunneling NM traffic throught GK2GK Link - 28.Jan.2003 6:55:00 PM   
tiry

 

Posts: 5
Joined: 21.Jan.2003
Status: offline 		Hi,

I tried using phone numbers instead of mail adresses. The result is the same :
- the routing is done correctly, but
- the client on LAN 1 does the fellowing :
1 - connect to his GK (GK1) that FW request to GK2
2 - try to connect to GK2 directly (prohibited!)
=> if connection is allowed : it works
=> if connection is not allowed : it fails

To be perfectly honest, I must say that in my test configuration :
- NM1 and GK1 are on the same domaine
- NM2 and GK2 are both logged on local account
- FireWall is simulated using a software FireWall on each netMeeting client

Tiry

[ January 28, 2003, 06:58 PM: Message edited by: tiry ]

(in reply to tiry)
Post #: 8
RE: Tunneling NM traffic throught GK2GK Link - 28.Jan.2003 11:47:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Tiry,

simulating a firewall by using a software firewall on each NetMeeting client isn't a very realistic scenario. You should bring an ISA server in the picture. The H.323 Gatekeeper and the H.323 Application filter should be used together to have the wanted functionality.

You might check out my article http://www.isaserver.org/articles/Using_NetMeeting_and_the_H323_Gatekeeper_as_a_HelpDesk_tool.html to better understand how the H.323 protocol actual works.

HTH,
Stefaan

(in reply to tiry)
Post #: 9

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 General] >> H.323 Gatekeeper >> Tunneling NM traffic throught GK2GK Link Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts