System information

Security considerations
H.323 is a relatively secure protocol and does not require many security considerations
beyond those that are common to any network communicating with the Internet. Since
H.323 uses the RTP protocol for media communications, it does not natively support
encrypted media paths. The use of a VPN or other encrypted tunnel between endpoints
is the most common way of securely encapsulating communications. Of course, this
has the disadvantage of requiring the establishment of these secure tunnels between
endpoints, which may not always be convenient (or even possible). As VoIP becomes
used more often to communicate with financial institutions such as banks, we’re likely
to require extensions to the most commonly used VoIP protocols to natively support
strong encryption methods.
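The point above, that H.323 media rides on plain RTP and is readable to anyone on the path unless a VPN or similar tunnel wraps it, is easy to see by decoding the packets. The following Python is an added example, not code from the book or from Asterisk: it parses RFC 3550 RTP headers and reports what a passive observer learns from a stream. The packet bytes and the SSRC are constructed here; the payload-type names are the static RFC 3551 assignments.

```python
"""Added example: decode RTP (RFC 3550) packets to show that H.323 media is cleartext.

H.323 carries media over plain RTP, so anyone who can observe the path between
the endpoints (or a packet capture taken there) sees the codec in the header
and the audio samples right after it. Every packet below is constructed here."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List

# Static payload types from the RFC 3551 audio/video profile.
PAYLOAD_TYPE_NAMES = {0: "PCMU", 3: "GSM", 8: "PCMA", 9: "G722", 18: "G729"}


@dataclass
class RtpPacket:
    version: int
    padding: bool
    extension: bool
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    csrcs: List[int] = field(default_factory=list)
    payload: bytes = b""

    @property
    def codec(self) -> str:
        return PAYLOAD_TYPE_NAMES.get(self.payload_type, f"dynamic/{self.payload_type}")


def build_rtp(payload_type: int, sequence: int, timestamp: int, ssrc: int,
              payload: bytes, marker: bool = False, pad_to: int = 0) -> bytes:
    """Build a v2 RTP packet with no CSRCs or extension; pad_to > 0 appends
    RFC 3550 padding (last byte = pad length) up to that total size."""
    b0 = 0x80                      # V=2, P=0, X=0, CC=0
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    body = payload
    if pad_to > len(payload) + 12:
        pad_len = pad_to - len(payload) - 12
        b0 |= 0x20                 # set the padding bit
        body = payload + bytes(pad_len - 1) + bytes([pad_len])
    return struct.pack("!BBHII", b0, b1, sequence, timestamp, ssrc) + body


def parse_rtp(data: bytes) -> RtpPacket:
    """Parse the fixed header, CSRC list, optional header extension and padding,
    rejecting truncated or malformed packets instead of misreading them."""
    if len(data) < 12:
        raise ValueError("RTP fixed header is 12 bytes")
    b0, b1, sequence, timestamp, ssrc = struct.unpack("!BBHII", data[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    padding, extension, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, payload_type = bool(b1 & 0x80), b1 & 0x7F
    offset = 12 + 4 * cc
    if len(data) < offset:
        raise ValueError("truncated CSRC list")
    csrcs = list(struct.unpack(f"!{cc}I", data[12:offset])) if cc else []
    if extension:
        if len(data) < offset + 4:
            raise ValueError("truncated header extension")
        _profile, ext_words = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4 + 4 * ext_words
        if len(data) < offset:
            raise ValueError("truncated header extension")
    end = len(data)
    if padding:
        pad_len = data[-1]
        if pad_len == 0 or pad_len > end - offset:
            raise ValueError("invalid padding length")
        end -= pad_len
    return RtpPacket(version, padding, extension, marker, payload_type,
                     sequence, timestamp, ssrc, csrcs, data[offset:end])


def summarize_stream(packets: List[bytes]) -> Dict[int, dict]:
    """What a passive observer learns from a captured stream: per SSRC, the
    codec in use and how many bytes of unencrypted media went past."""
    summary: Dict[int, dict] = {}
    for raw in packets:
        pkt = parse_rtp(raw)
        entry = summary.setdefault(pkt.ssrc, {"codec": pkt.codec, "packets": 0, "media_bytes": 0})
        entry["packets"] += 1
        entry["media_bytes"] += len(pkt.payload)
    return summary


# Constructed sample: two G.711 u-law frames of 20 ms (160 samples at 8 kHz).
SAMPLE_AUDIO = bytes([0xFF, 0xFE, 0x7F, 0x80] * 40)   # made-up u-law bytes
SAMPLE_STREAM = [
    build_rtp(0, 1, 0, 0xDEADBEEF, SAMPLE_AUDIO, marker=True),
    build_rtp(0, 2, 160, 0xDEADBEEF, SAMPLE_AUDIO),
]

if __name__ == "__main__":
    for ssrc, info in summarize_stream(SAMPLE_STREAM).items():
        print(f"SSRC {ssrc:08x}: {info['codec']}, {info['packets']} packets, "
              f"{info['media_bytes']} bytes of media readable in the clear")
```

Run against a real capture, the same summary tells a defender exactly which calls were exposed on an untunneled segment; with the media inside a VPN the observer sees only the tunnel's packets and none of these fields.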
H.323 and NAT
The H.323 standard uses the Internet Engineering Task Force (IETF) RTP protocol to
transport media between endpoints. Because of this, H.323 has the same issues as SIP
when dealing with network topologies involving NAT. The easiest method is to simply
forward the appropriate ports through your NAT device to the internal client.
To receive calls, you will always need to forward TCP port 1720 to the client. In addition, you will need to forward the UDP ports for the RTP media and RTCP control streams (see the manual for your device for the port range it requires). Older clients, such as Microsoft NetMeeting, will also require TCP ports forwarded for H.245 tunneling (again, see your client’s manual for the port number range).
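To make that port list concrete, here is an added Python example (not from the book, from Asterisk, or from any firewall project) that emits the minimal iptables DNAT and FORWARD rules for one client and refuses a configuration that opens more than the client needs. The WAN interface name, the private addresses and the port ranges are assumed values for illustration only; the RTP/RTCP range and, for older clients, the H.245 range must come from the client's manual.

```python
"""Added example: emit the minimal NAT forwarding rules for one H.323 client and
reject rule sets that would expose more than the client needs.

The interface name, private address and port ranges are assumptions for
illustration; the real RTP/RTCP (and, for older clients, H.245) ranges come
from the client's manual. Rules are returned as iptables command strings and
are not applied by this script."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

H225_PORT = 1720        # TCP call signalling; always forwarded to receive calls
MAX_RANGE_WIDTH = 1000  # refuse to forward a wider range than this in one rule

PortRange = Tuple[int, int]


@dataclass
class H323Forwarding:
    wan_if: str                               # assumed interface name, e.g. "eth0"
    client_ip: str                            # private address of the H.323 client
    rtp_range: PortRange                      # UDP range for RTP media and RTCP control
    h245_range: Optional[PortRange] = None    # TCP range, only for clients needing H.245 ports


def validate_range(name: str, rng: PortRange, rtp_pairs: bool = False) -> None:
    lo, hi = rng
    if not 1024 <= lo <= hi <= 65535:
        raise ValueError(f"{name}: {lo}-{hi} must lie within 1024-65535")
    if hi - lo + 1 > MAX_RANGE_WIDTH:
        raise ValueError(f"{name}: {lo}-{hi} is wider than {MAX_RANGE_WIDTH} ports")
    # RFC 3550 convention: RTP on an even port, RTCP on the next odd one, so a
    # media range should start even and end odd to hold whole pairs.
    if rtp_pairs and (lo % 2 or hi % 2 == 0):
        raise ValueError(f"{name}: {lo}-{hi} does not cover whole RTP/RTCP pairs")


def port_specs(cfg: H323Forwarding) -> List[Tuple[str, PortRange]]:
    """Protocol/range pairs the client needs, validated before any rule is built."""
    validate_range("rtp", cfg.rtp_range, rtp_pairs=True)
    specs = [("tcp", (H225_PORT, H225_PORT)), ("udp", cfg.rtp_range)]
    if cfg.h245_range is not None:
        validate_range("h245", cfg.h245_range)
        specs.append(("tcp", cfg.h245_range))
    return specs


def exposed_port_count(cfg: H323Forwarding) -> int:
    """How many inbound ports the rule set opens; worth checking before applying."""
    return sum(hi - lo + 1 for _, (lo, hi) in port_specs(cfg))


def iptables_rules(cfg: H323Forwarding) -> List[str]:
    """DNAT each needed port to the client and allow only that traffic to be forwarded."""
    rules = []
    for proto, (lo, hi) in port_specs(cfg):
        dport = str(lo) if lo == hi else f"{lo}:{hi}"
        rules.append(f"iptables -t nat -A PREROUTING -i {cfg.wan_if} -p {proto} "
                     f"--dport {dport} -j DNAT --to-destination {cfg.client_ip}")
        rules.append(f"iptables -A FORWARD -i {cfg.wan_if} -p {proto} -d {cfg.client_ip} "
                     f"--dport {dport} -j ACCEPT")
    return rules


# Constructed configurations: a current client, and an older one that also
# needs a TCP range for H.245 (ranges are illustrative, not a vendor's values).
MODERN_CLIENT = H323Forwarding("eth0", "192.168.1.10", (16384, 16483))
OLDER_CLIENT = H323Forwarding("eth0", "192.168.1.11", (16384, 16483), (1730, 1739))

if __name__ == "__main__":
    for cfg in (MODERN_CLIENT, OLDER_CLIENT):
        print(f"# {cfg.client_ip}: {exposed_port_count(cfg)} inbound ports")
        print("\n".join(iptables_rules(cfg)))
```

The width cap and the even/odd check are there because the usual failure is not a missing port but a range copied too generously from a manual, which leaves hundreds of unrelated UDP ports reachable from the Internet; the FORWARD rule is restricted to the same ports so the NAT device does not become a general path into the private subnet.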
If you have a number of clients behind the NAT device, you will need to use a gatekeeper running in proxy mode. The gatekeeper will require an interface on both the private IP subnet and the public Internet. Your H.323 clients on the private IP subnet will then register to the gatekeeper, which will proxy calls on the clients’ behalf. Note that any external clients that wish to call you will also be required to register with the proxy server.
At this time, Asterisk can’t act as an H.323 gatekeeper. You’ll have to use a separate
application, such as the open source OpenH323 Gatekeeper (http://www.gnugk.org),
for this purpose.
MGCP
The Media Gateway Control Protocol (MGCP) also comes to us from the IETF. While
MGCP deployment is more widespread than one might think, it is quickly losing
ground to protocols such as SIP and IAX. Still, Asterisk loves protocols, so naturally it
has rudimentary support for it.
624 | Appendix B: Protocols for VoIP