• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

More adventures with H323 - Gatekeepr

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> General >> More adventures with H323 - Gatekeepr Page: [1]
Login
Message << Older Topic   Newer Topic >>
More adventures with H323 - Gatekeepr - 4.Feb.2002 3:24:00 PM   
Jim507

 

Posts: 11
Joined: 27.Sep.2001
From: Malvern, Pa USA
Status: offline
I'm try to resolve a problem with an ISA server that we have up and running as a firewall/proxy server. Its running in a stand alone mode in a WinNT eviroment (very soon to be Completely win2k AD). The problem is that internally you can connect to the Gatekeeper and call any one in house with no issues. But when you try to call outside the corporate LAN you can make the connection but it is immediately dropped. Same thing with incoming calls. I read through Tom's adventure and made sure that I have allow all requests for that protocol. I did find one section in Tom's book about IP filtering not working well with Multimedia streams. So I disabled the rules for filtering IP fragments and Ip options. And it is still not working. I can how ever make successfull calls using the Firewall client to outside sources but I obviusly can't make any incoming using.

Any suggestions?

Jim

Post #: 1
RE: More adventures with H323 - Gatekeepr - 5.Feb.2002 2:20:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jim,

Make sure the external network client is either behind another H.323 Gatekeeper, or directly connected to the Internet. It will NOT work if they are behind a NAT server.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/


Get It Here!


(in reply to Jim507)
Post #: 2
RE: More adventures with H323 - Gatekeepr - 11.Feb.2002 6:36:00 PM   
Jim507

 

Posts: 11
Joined: 27.Sep.2001
From: Malvern, Pa USA
Status: offline
Tom,

I had already thought of that and have had no success. I removed my NAT'd firewall and direct connected to the internet, the only other fire wall that is involved in this process is an ASTARO linux firewall. But its only doing packet filtering to the external interface of ISA. And that is currently set to Allow any. (Man I hope ISA is as good a firewall as they say [Wink] . The last thing I tried is a local security policy that allows the EVERYONE group to access the machine from the network. Still no success.

Any other thoughts you might have would be appreciated.

Thanks,

Jim

(in reply to Jim507)
Post #: 3
RE: More adventures with H323 - Gatekeepr - 12.Feb.2002 1:59:00 PM   
Jim507

 

Posts: 11
Joined: 27.Sep.2001
From: Malvern, Pa USA
Status: offline
Tom,

One thing that I noticed in your adventures, You said you had the firewall client installed in the machines you where using. Are you using the firewall client to make outbound Netmeeting calls?

Thanks,

Jim

(in reply to Jim507)
Post #: 4
RE: More adventures with H323 - Gatekeepr - 13.Feb.2002 3:06:00 PM   
Jim507

 

Posts: 11
Joined: 27.Sep.2001
From: Malvern, Pa USA
Status: offline
Update from the Field.

I've managed to get it to work by opening up all my protocol rules and site and content rules. Esentially giving every one in the company full control to the internet, not something I would recommened at all ! [Smile] Now I just have to figure which site and content rule or protocol rule, besides the obvious H.323 to every one, is causing it to drop out.

Jim

(in reply to Jim507)
Post #: 5
RE: More adventures with H323 - Gatekeepr - 14.Feb.2002 3:24:00 PM   
Jim507

 

Posts: 11
Joined: 27.Sep.2001
From: Malvern, Pa USA
Status: offline
Another Update.

I think I found the problem. It appears that the H.323 Application filter is not Properly authenticating to the Domain. As Tom mentioned in his Adventures he opened the H.323 protocol to any request. Well I've had to disable a rule in my Site and Content rules that only allowed a set group of users to have access to the Internet. With allowing all requests from every one to go out it works fine. Protocol Rules are still in place and my Forbidden sites are also still enabled but it wants every one to have the ability to access the internet.

Back to the trenches to fix the problem.

Jim

(in reply to Jim507)
Post #: 6
RE: More adventures with H323 - Gatekeepr - 4.Mar.2002 2:21:00 PM   
Jim507

 

Posts: 11
Joined: 27.Sep.2001
From: Malvern, Pa USA
Status: offline
Well,

I've gotten it to work. But I had to create a relay with another ISA server that wasn't limiting outbound access to a group in the Site and content rules.

Hopefully MS will find a way to make the H323 Filter work with authentication. In the mean time it is working.

Jim

(in reply to Jim507)
Post #: 7
RE: More adventures with H323 - Gatekeepr - 7.Mar.2002 7:57:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jim,

Thanks for all the updates! I usually don't have enough time for follow-up's but I will sometimes check a thread that have 5+ posts in it [Smile]

Yes, I've also found out that unless you give everyone access to the H.323 Protocol.

So, in your configuration, you have to allow an "all access" Site and Content Rule as well?

Thanks!

Tom

(in reply to Jim507)
Post #: 8
RE: More adventures with H323 - Gatekeepr - 7.Mar.2002 7:11:00 PM   
Jim507

 

Posts: 11
Joined: 27.Sep.2001
From: Malvern, Pa USA
Status: offline
Hi Tom,

Unfortunitly that seems to be the case. I had already allowed every one access to the H.323 Protocol but it wouldn't work. So I started testing the configs and found that the only way I could get the inbound and outbound to stop dropping out 3 seconds after the connection, was to allow all requests to access all sites except the ones that I specificly blocked.

So my work around was to create a relay with another ISA server until either I or the tech from Microsoft can figure out what is causing the authentication problem.

Thanks,

Jim

(in reply to Jim507)
Post #: 9

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> General >> More adventures with H323 - Gatekeepr Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts