Understanding the ISA Server H.323 Gatekeeper

You can configure the ISA Server H.323 Gatekeeper to control the following elements over the network or Internet:

  • Data conferencing

  • Video

  • Audio

H.323 is a standard that specifies how this information is formatted and transmitted over networks. The H.323 standard contains a number of protocols developed by the International Telecommunication Union (ITU) that define how multimedia equipment, computers and services should operate over a private network or the Internet.

The H.323 standard contains the Internet Engineering Task Force (IETF) standards listed here, as well as a set of other protocols:

  • Real-Time Protocol (RTP)

  • Real-Time Control Protocol (RTCP)

For networks that do not provide quality of service (QoS), H.323 enables real-time multimedia. It can also switch audio and video sessions from packet-switched networks to the following circuit-switched and cell-switched networks:

  • Integrated Services Digital Network (ISDN) networks

  • Asynchronous Transfer Mode (ATM) networks

  • Public Switched Telephone Network (PSTN)

For network-based conferencing, the H.323 standard defines the following main components:

  • Terminals; these are client endpoints that run H.323-compliant applications

  • Gateways; these enable connectivity between an H.323 network and a non-H.323 network.

  • Gatekeepers; these provide control services and call routing services.

  • Multipoint control units (MCUs); these support conferences between three or more endpoints.

The H.323 Gatekeeper provides communication for H.323 clients. These are clients that use H.323 Gatekeeper compliant applications. NetMeeting 3.0 or later is an example of such an application. The Gatekeeper receives client requests and then checks whether the requests are authorized. If they are authorized, the H.323 Gatekeeper routes the request to the proper address.

The ISA Server H.323 Gatekeeper uses the H.323 protocol filter to provide registered clients with address resolution, call routing and call authentication services. When clients are registered, the H.323 Gatekeeper can route requests so that they can partake in video, audio and data conferencing.

While H.323 is a standard for audio and video conferencing, T.120 is the ITU standard for real-time, multipoint data connections and conferencing. The H.323 standard also defines how video and audio conferencing can operate together with T.120 equipment. You can use T.120 alone, or together with the H.323 protocol. NetMeeting 3.0 or later is designed to meet the T.120 standards.

The networking component of T.120 describes standards for:

  • Sending/receiving data over a number of connections.

  • Establishing conferences, irrespective of the platform.

  • Maintaining conferences.

  • Managing multiple participants or programs.

The application component of T.120 describes standards for:

  • File transfer

  • Electronic whiteboards

  • Program sharing

A number of components operate in combination to provide ISA Server H.323 Gatekeeper functionality. They are listed here:

  • H.323 Gatekeeper service: The H.323 Gatekeeper service provides Gatekeeper services for registered H.323 clients. You have to install the H.323 Gatekeeper service on the ISA Server computer.

  • H.323 protocol filters: Used to define call-plans that route calls based on the address of the called entity. The H.323 protocol filters associate addresses with that of a computer or other networking device.

  • Registration database: Contains the H.323 clients that have registered with the Gatekeeper service. The database contains the aliases and their associated IP addresses. This information enables the H.323 Gatekeeper to translate between these sets of information. The Gatekeeper controls connections to addresses registered in the database.

For the following types of H.323 communication, clients have to be registered in the registration database:

    • To receive inbound calls through the Gatekeeper service to a well-known alias such as an email address.

    • When translation services are used to reference H.323 services which do not have a registered DNS address.

  • Registration, Admission, and Status (H.323 RAS) protocol: You should use the H.323 RAS protocol to register end-points with the H.323 Gatekeeper. You should only add static registrations for endpoints which cannot use the H.323 RAS protocol.

The type of H.323 RAS addressing supported by the H.323 Gatekeeper is listed here:

    • E164 phone number addressing

    • H.323 ID addressing

    • Email-ID type addressing

  • Registration process: An endpoint can be either of the following:

    • H.323 client, such as ISA Server

    • H.323 gateway

    • Client running NetMeeting

Registration involves:

    • Endpoint Q931 addresses: This is the IP address and port.

    • H.323 RAS addresses for the endpoint

    • List of aliases.

After entering the Gatekeeper IP address in the client application, the H.323 protocol then contacts the H.323 Gatekeeper. The client is automatically registered.

  • Gatekeeper rule processing algorithms: You have to configure Gatekeeper rules in the ISA Server Gatekeeper service management snap-in. You can configure:

    • Call routing rules

    • IP address rules

    • Phone number rules

    • Email address rules.

Inbound and outbound calls are processed differently.
The process that occurs when inbound calls are received is illustrated here:

    • The alias type is determined.

    • The alias is then compared to the rule database.

    • Any rules that match the pattern are added to an ordered rule list.

    • The rules are then sorted, based on metric, from the lowest to the highest.

    • The rules are next processed to the point that the request is resolved, or fails to be processed.

The process that occurs when outbound calls are received from internal clients is illustrated here:

    • The request is passed to the H.323 Gatekeeper.

    • The destination alias of the request is used by the H.323 Gatekeeper to determine whether an address for the destination alias exists.

    • Admission confirmation is forwarded to the client if the H.323 Gatekeeper found a destination address. The address is included in the admission confirmation.

    • The request fails if the H.323 Gatekeeper processes all rules and finds no resolution.

The ports used in H.323 communications are listed here:

  • Port 1720; used for H.323 call setup.

  • Port 1731; used for audio call control.

  • Dynamic (TCP); used for H.323 call control.

  • Dynamic (RTP over UDP); used for H.323 streaming.

  • Port 389 (TCP); used by Internet Locator Server.

  • Port 522 (TCP); used by User Location Service.

  • Port 1503 (TCP); used by T.120

Adding the H.323 Gatekeeper to ISA Server

Before installing the H.323 Gatekeeper, consider the following important factors:

  • The H.323 protocol provides no security features.

  • The ISA Server H.323 Gatekeeper service features can be used to alleviate the risks of enabling the H.323 protocol. You can use the H.323 application filter to dynamically open and close the ports used by the protocol, allowing audio, video and data conferencing to pass over the firewall.

  • The H.323 Gatekeeper residing on the internal network is unable to exchange location messages with a Gatekeeper hosted on the Internet.

  • Clients that are internal to the H.323 Gatekeeper are not able to register with an H.323 Gatekeeper on the Internet.

  • Clients can use an alias from multiple locations to register.

  • Aliases do not have to be unique.

  • Q931 addresses have to be unique.

To add the H.323 Gatekeeper to ISA Server, you have to perform the following tasks:

  • Enable the H.323 protocol rule.

  • Configure H.323 protocol access

  • Configure DNS

  • Add the Gatekeeper to ISA Server

  • Enable fast kernel mode

How to enable the H.323 protocol rule

  1. Open the ISA Management console.

  2. Navigate to and expand the Application Filters node.

  3. Select the H.323 filter.

  4. Right-click H.323 filter and then select Properties from the shortcut menu.

  5. The H.323 Filter Properties dialog box opens.

  6. Select the Enable This Filter checkbox on the General tab.

  7. Click the Call Control tab.

  8. Select the Use this Gatekeeper checkbox. Specify the FQDN of the ISA Server that hosts this service.

  9. In the Call Direction area of the Call Control tab, select the Allow incoming calls checkbox if you want to allow incoming calls.

  10. Select the Allow outgoing calls checkbox if you want to allow outgoing calls.

  11. Select the Use DNS gatekeeper lookup and LRQs for alias resolution checkbox if you want to be able to look up aliases through the Gatekeeper.

  12. In the Media Control area of the Call Control tab, select the Allow audio checkbox if you want to allow audio.

  13. Select the Allow video checkbox if you want to allow video.

  14. Select the Allow T120 and application sharing checkbox to allow it.

  15. Click OK.

How to configure H.323 protocol rules

  1. Open the ISA Management console.

  2. Create the necessary policy elements for the rule.

  3. Expand the Access Policy folder in the console tree.

  4. Right-click Protocol Rules and select New Rule from the shortcut menu.

  5. The New Protocol Rule Wizard launches.

  6. Provide a name for the new protocol rule. Click Next.

  7. When the Rule Action page opens, select either Allow or Deny. Click Next.

  8. On Protocols page, choose the Selected Protocols option from the Apply This Rule To drop-down list box.

  9. In the Protocols drop-down list box, select the H.323 protocol. Click Next.

  10. On the Schedule page define the schedule for the rule. This schedule defines when the rule will be enforced. Click Next.

  11. On the Client type page, select the client type and then click Next.

  12. Click Finish.

How to configure DNS

  1. Click Start, Administrative Tools, and then select the DNS management console.

  2. Navigate to the zone in which the ISA server resides.

  3. Right-click the zone and then select Other New Records from the shortcut menu.

  4. The Resource Record Type dialog box opens.

  5. Select the resource record type and select Service Location.

  6. Click Create Record.

  7. The New Resource Record dialog box opens.

  8. In the Service box, enter Q931.

  9. In the Protocol box, choose _tcp.

  10. Enter the port number in the Port Number box. In the Host Offering This Service box, provide the external FQDN of the ISA Server computer on which the H.323 service runs.

  11. Click OK.

How to install the H.323 Gatekeeper

  1. Open Control Panel.

  2. Double-click Add/Remove Programs.

  3. Click Microsoft Internet Security And Acceleration Server.

  4. Click Change.

  5. In ISA Server Setup, select the Add/Remove button.

  6. The Installation dialog box opens.

  7. Click Add-in services and then click Change Option.

  8. Click Install H.323 Gatekeeper Service.

  9. Click OK.

How to add the Gatekeeper to ISA Server

  1. Open the ISA Management console.

  2. Navigate to the H.323 Gatekeepers node.

  3. Right-click H.323 Gatekeepers and select Add Gatekeeper from the shortcut menu.

  4. The Add Gatekeeper dialog box opens.

  5. You can accept the default setting of This Computer being enabled.

  6. Click OK.

How to register NetMeeting with the Gatekeeper

  1. Click Start, Programs, Accessories, Communications, and then click NetMeeting.

  2. A NetMeeting page is displayed, listing the features of NetMeeting. Click Next.

  3. Enter first name information in the First Name textbox.

  4. Enter the last name in the Last Name textbox.

  5. Enter the appropriate email in the Email Address textbox. Click Next.

  6. On the following page displayed, uncheck the Log On To A Directory Server When NetMeeting Starts checkbox. Click Next.

  7. On the page requesting information on connection speed, select the Local Area Network option. Click Next.

  8. You can now specify any shortcuts that should be applied. Click Next.

  9. The Audio Tuning Wizard launches.

  10. Accept all the default settings of the Audio Tuning Wizard.

  11. Click Finish.

  12. The NetMeeting – Not In A Call console should be displayed on the desktop.

  13. Click the Tools menu and select Options.

  14. The Options dialog box opens.

  15. Click Advanced Calling.

  16. The Advanced Calling Options dialog box opens.

  17. Enable the Use A Gatekeeper To Place Calls checkbox.

  18. Enter the server in the Gatekeeper textbox.

  19. Select the Log On Using My Account Name checkbox.

  20. Enter a valid name in the Account Name textbox.

  21. Click OK in the Advanced Calling Options dialog box.

  22. Click OK in the Options dialog box.

Configuring Gatekeeper Properties

You can configure a number of settings for the Gatekeeper by using the various tabs available in its Properties dialog box.

The settings that you can configure on the Network tab are:

  • You can specify which network adapters the Gatekeeper uses.

The settings that you can configure on the Advanced tab are:

  • In the Expiration Times area of the tab, you can use the Registration expiration time box to specify the time duration that clients stay registered in the registration database.

  • In the Expiration Times area of the tab, you can use the Active call expiration time box to specify an expiration time for active calls.

  • In the Registration Database area of the tab, you will see the database file size that was specified when the Gatekeeper was installed.

  • To compact the registration database, click the Compact Database button.

Configuring Gatekeeper Call Routing Rules

The Gatekeeper call routing rules are used to define how the H.323 Gatekeeper routes a call. Call routing rules define:

  • How the request is processed.

  • To which destination the request is forwarded:

    • ISA Server

    • Gatekeeper

    • Proxy

Call routing rules must be defined for each specific Gatekeeper individually. You can specify call routing rules for:

  • IP addresses

  • Phone numbers

  • Email addresses

Default call routing rules specify that the Gatekeeper resolves destinations in the local registration database or on the local network.

Before you can create call routing rules, you first have to create the destinations that will be used in the call routing rule. To add a destination to be utilized in call routing rules, you have to use the Add Destination Wizard.

Configuring Phone Number Rules

Phone number rules are used to determine routing for requests when:

  • A request contains a specific phone number.

  • A request contains a specific prefix on the phone number.

The settings that you can specify when configuring phone number rules are listed here:

  • Enter a name for the phone number rule.

  • Enter a description for the rule.

  • Enter the prefix or phone number that you want to match.

  • Configure the matching type that determines whether the rule is implemented. This is done by specifying whether the pattern type must be a string at the start of the phone number, or whether it must be a precise match for the phone number.

  • Specify the destination that will be used by the rule.

  • Set the number of digits that are discarded from the phone number, prior to it being routed to the destination.

  • Define a prefix to add to the destination.

  • Define a metric for the rule.

  • Enable or disable the rule.

Configuring Email Address Rules

Email address rules are used to define how requests with email addresses external to the domain are routed. A default email address rule uses the Registration database for all addresses.

The settings that you can specify when configuring email address rules are listed here:

  • Enter a name for the email address rule.

  • Enter a description for the email address rule.

  • Enter the pattern you want to match – domain name suffix.

  • Configure the matching type that determines whether the rule is implemented or not. This is done by specifying whether the pattern is a suffix or whether it must be a precise match.

  • Specify the destination that will be used by the rule.

  • Define a metric for the rule.

  • Enable or disable the rule.

Configuring IP Address Rules

There are default IP address rules for each IP address range that deny address translation for the private address ranges on the network. You can create IP address rules to define how requests that have IP addresses are routed.

The settings that you can specify when configuring IP address rules are listed here:

  • Enter a name for the IP address rule.

  • Enter a description for the IP address rule.

  • Enter the pattern of the IP address you want to match. Subnet mask information must be specified as well.

  • Specify the destination that will be used by the rule.

  • Define a metric for the rule.

  • Enable or disable the rule.

The destination types that you can choose between for IP address rules are listed here:

  • None; the call will be disconnected.

  • Gateway or proxy; the call is forwarded to:

    • H.323 Gateway

    • Internet firewall

    • Proxy server

  • Gatekeeper; the call is routed to a gatekeeper located within another zone.

  • Multicast gatekeeper; the call is routed to a group of multicast gatekeepers

  • Local network; the call is sent back to the caller to handle. Here, the called entity exists in the same network as the caller.
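The inbound rule processing described earlier (match by alias type, order by metric, process until resolved) and the phone, email and IP rule settings above can be traced in a short Python sketch. This is an added example, not ISA Server code: the `Rule` fields, the destination strings, the sample registrations and addresses are all assumptions, and it assumes a matching rule with destination `none` ends processing with the call disconnected.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    kind: str             # "phone", "email" or "ip"
    pattern: str          # phone prefix/number, domain suffix, or network/mask
    destination: str      # "none" disconnects; "registration" uses the database
    metric: int
    exact: bool = False   # precise match instead of prefix/suffix match
    enabled: bool = True
    discard_digits: int = 0   # phone rules: digits dropped before routing
    add_prefix: str = ""      # phone rules: prefix added before routing

def alias_type(alias):
    """Step 1: determine the alias type."""
    try:
        ipaddress.ip_address(alias)
        return "ip"
    except ValueError:
        return "email" if "@" in alias else "phone"

def matches(rule, kind, alias):
    """Step 2: compare the alias with one rule's pattern."""
    if not rule.enabled or rule.kind != kind:
        return False
    if kind == "ip":
        return ipaddress.ip_address(alias) in ipaddress.ip_network(rule.pattern)
    if kind == "phone":
        return alias == rule.pattern if rule.exact else alias.startswith(rule.pattern)
    domain, pattern = alias.rsplit("@", 1)[-1].lower(), rule.pattern.lower()
    # Suffix matching stops at a label boundary (a choice made in this sketch).
    return domain == pattern or (not rule.exact and domain.endswith("." + pattern))

def resolve(alias, rules, registrations):
    """Steps 3-5: order matching rules by metric, process until resolved."""
    kind = alias_type(alias)
    ordered = sorted((r for r in rules if matches(r, kind, alias)),
                     key=lambda r: r.metric)
    for rule in ordered:
        if rule.destination == "none":
            return rule.name, None            # call is disconnected
        if rule.destination == "registration":
            if alias in registrations:
                return rule.name, registrations[alias]
            continue                          # unresolved: try the next rule
        target = alias
        if kind == "phone":
            target = rule.add_prefix + alias[rule.discard_digits:]
        return rule.name, f"{rule.destination}/{target}"
    return None, None                         # no resolution: the request fails

# Constructed sample data (names and addresses are placeholders).
REGISTRATIONS = {"5551234": "192.0.2.10:1720"}
RULES = [
    Rule("local-db", "phone", "", "registration", 1),
    Rule("pstn", "phone", "9", "gateway:gw.example.test", 5,
         discard_digits=1, add_prefix="+1"),
    Rule("partner", "email", "partner.example", "gatekeeper:gk.partner.example", 3),
    Rule("private-10", "ip", "10.0.0.0/8", "none", 1),
    Rule("other-ip", "ip", "0.0.0.0/0", "local", 10),
]

if __name__ == "__main__":
    for a in ("5551234", "95550100", "bob@partner.example",
              "bob@notpartner.example", "10.1.2.3", "198.51.100.7"):
        print(a, "->", resolve(a, RULES, REGISTRATIONS))
```

The `10.1.2.3` case shows why metric order matters for a deny rule: the broader `other-ip` rule also matches, but the lower-metric `private-10` rule is processed first.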

How to add a destination to use in call routing rules

  1. Open the ISA Management console.

  2. Expand the H.323 Gatekeeper node, and then expand the Call Routing folder.

  3. Right-click the destinations folder and select Add Destination from the shortcut menu.

  4. The New Destination Wizard launches.

  5. On the Destination Type page, select the destination type from the following available options:

    • Gateway or proxy server

    • Internet Locator Service (ILS)

    • Gatekeeper

    • Multicast group

    Click Next.

  6. On the Destination Name or Address page, provide either of the following:

    • IP address of the Gatekeeper

    • DNS name of the Gatekeeper

    Click Next.

  7. When the Destination Description page opens, provide a description for the destination and then click Next.

  8. Click Finish.

How to create a call routing rule

  1. Open the ISA Management console.

  2. Expand the H.323 Gatekeeper node, and then expand the Call Routing folder.

  3. If you want to create a phone number rule, right-click the Phone Number Rules folder and select Add Routing Rule from the shortcut menu. Proceed to follow the prompts of the New Routing Rule Wizard.

  4. If you want to create an email address rule, right-click the Email Address Rules folder and select Add Routing Rule from the shortcut menu. Proceed to follow the prompts of the New Routing Rule Wizard.

  5. If you want to create an IP address rule, right-click the IP Address Rules folder and select Add Routing Rule from the shortcut menu. Proceed to follow the prompts of the New Routing Rule Wizard.

How to configure phone number rules

  1. Open the ISA Management console.

  2. Expand the H.323 Gatekeeper node, and then expand the Call Routing folder.

  3. Right-click the Phone Number Rules folder and then select Add Routing Rule from the shortcut menu.

  4. The New Routing Rule Wizard launches.

  5. Provide a name for the new phone number rule.

  6. Provide a description for the new phone number rule. Click Next.

  7. On the Prefix or Phone Number page, type a prefix or phone number.

  8. Uncheck the All Phone Numbers Using This Prefix checkbox if you have entered a phone number. Click Next.

  9. On the Destination Type page, specify the destination which will be used with this phone number rule. Click Next.

  10. Provide the destination name and then click Next.

  11. When the Change a Phone Number page opens, you can discard digits from the phone number or add a prefix. Click Next.

  12. Specify the metric for the new phone number rule. Click Next.

  13. Click Finish.

How to configure email address rules

  1. Open the ISA Management console.

  2. Expand the H.323 Gatekeeper node, and then expand the Call Routing folder.

  3. Right-click the Email Address Rules folder and then select Add Routing Rule from the shortcut menu.

  4. The New Routing Rule Wizard launches.

  5. Provide a name for the new email address rule.

  6. Provide a description for the new email address rule. Click Next.

  7. On the Domain Name Suffix page, enter the domain name suffix.

  8. Select the Route All E-mail Addresses That Include This General DNS Domain Name checkbox if you want to route all calls in the DNS domain name suffix. Click Next.

  9. On the Destination Type page, specify the destination to use with the email address rule and then click Next.

  10. Specify the destination name and then click Next.

  11. Provide a metric for the new email address rule.

  12. Click Finish.

How to configure IP address rules

  1. Open the ISA Management console.

  2. Expand the H.323 Gatekeeper node, and then expand the Call Routing folder.

  3. Right-click the IP Address Rules folder and select Add Routing Rule from the shortcut menu.

  4. The New Routing Rule Wizard launches.

  5. Provide a name for the new IP address rule.

  6. Provide a description for the IP address rule. Click Next.

  7. On the IP Address Pattern page, enter the IP address and the network mask that defines the IP address range. Click Next.

  8. On the Destination Type page, specify the destination to use with the IP address rule and then click Next.

  9. Specify the destination name and then click Next.

  10. Provide a metric for the new IP address rule.

  11. Click Finish.