Here is my problem: I have NetMeeting clients on 2 different LANs and a firewall that prevents the clients from communicating directly.

NM1 (on LAN1) ----- FireWall ----- NM2 (on LAN2)

I cannot change the firewall rules to allow NetMeeting traffic for all clients in both LANs.
So, the idea is to use gatekeepers (GKs):

NM1 ---- GK1 ==== FireWall ==== GK2 ---- NM2

The firewall is configured to allow all traffic between the GKs (fixed IP addresses).
=> I would like all traffic between endpoints to be routed via the ISA GKs.
I set up 2 test configurations:
- one with 2 GnuGateKeepers: works OK in routed mode
- one with 2 ISA GKs: doesn't work
With ISA GK, I configured a routing rule based on a mail-like address. The calls are OK without the firewalls, but fail if the firewall is on.
=> Traffic is not tunneled through the GK2GK connection
Is there a way to force ISA to handle all the traffic (H.245 + T.120 + AV) and not let the endpoints (NM) communicate directly?
On LAN 1:
- NetMeeting Client1 is registered with ISA GK1
- GK1 has a routing destination to GK2 as a gateway
- GK1 has a routing rule that forwards calls to LAN2 to GK2 as a gateway
On LAN 2:
- NetMeeting Client2 is registered with ISA GK2
- GK2 has a routing destination to GK1 as a gateway
- GK2 has a routing rule that forwards calls to LAN2 to GK1 as a gateway
=> When a client from LAN1 calls somebody@LAN2:
- the client from LAN1 automatically connects to GK2
- communication between the endpoints occurs through GK2
=> This is not exactly what I wanted to do: for this configuration to work I have to configure the firewall to allow ALL clients from LAN1 to connect to GK2.
In addition, it seems that when NM connects to GK2 as a gateway, it tries to open ports other than 1503 (T.120) and 1720 (H.323 setup): it tries to open 2 dynamic TCP ports even if audio and video are disabled (callto + av=false). And in fact port 1503 is not used, even when sharing an application ...
Is there a better way to enable NM communication between my two LANs through the firewall?
In fact, I don't want to use the same GK for all LANs, for 2 reasons:
- there are really a lot of users (3000+) in each LAN (10 LANs)
- registering all the users with the same GK will not solve the problem of all the network traffic going through the GK
I see the problem, although 3000 registrations isn't that many, although if a lot of them are going over a VPN, it would be a problem. You can create call routing rules and forward calls to specific phone numbers to the other gateway. That would mean creating a phone numbering scheme that would support this kind of routing.
Once again, I am afraid I don't fully understand your answer. Sorry, I am quite new to H.323 ...
There is no VPN, just a firewall that prevents computers on different LANs from communicating directly. So my purpose is to force all traffic between 2 NetMeeting clients to go through a GK-to-GK link, because I can only modify the firewall rules to allow all traffic between the 2 IP addresses of the GKs.
This option is available in GnuGK and is called Routed/Proxy mode.
I just can't find a way to tell ISA GK that ALL IP traffic has to go through it. In my test config ISA GK routes the call, but after that the endpoint bypasses its gatekeeper to communicate directly with the GK of the other LAN (which is used as a gateway)...
To be very simple: I would like a NM client in LAN 1 to be able to make a call to a NM client on LAN 2 without having to connect directly to any computer on LAN 2 (neither an endpoint, nor a gateway / gatekeeper). The only communication permitted between LANs is GK-to-GK.
You should be able to configure the gatekeepers to use q931 records to resolve user names. Or, you can configure your phonebooks; you can create routing rules based on phone number. The problem with q931 records is that they are DNS dependent, and if all the clients are in the same domain, then that won't help. The best thing to do is create a phonebook and configure call routing rules based on something simple, such as the first few digits in the phone number.
I tried using phone numbers instead of mail addresses. The result is the same:
- the routing is done correctly, but
- the client on LAN 1 does the following:
  1 - connects to its GK (GK1), which forwards the request to GK2
  2 - tries to connect to GK2 directly (prohibited!)
  => if the connection is allowed: it works
  => if the connection is not allowed: it fails
To be perfectly honest, I must say that in my test configuration:
- NM1 and GK1 are on the same domain
- NM2 and GK2 are both logged on with local accounts
- the firewall is simulated using a software firewall on each NetMeeting client
Simulating a firewall by using a software firewall on each NetMeeting client isn't a very realistic scenario. You should bring an ISA server in the picture. The H.323 Gatekeeper and the H.323 Application filter should be used together to have the wanted functionality.