TANDBERG Gatekeeper User Guide Software version N5.1 D13381.
1. Product Information
1.1. Trademarks and Copyright
Copyright 1993-2006 TANDBERG ASA. All rights reserved. This document contains information that is proprietary to TANDBERG ASA. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronically, mechanically, by photocopying, or otherwise, without the prior written permission of TANDBERG ASA.
1.3.2. European Environmental Directives
As a manufacturer of electrical and electronic equipment TANDBERG is responsible for compliance with the requirements in the European Directives 2002/96/EC (WEEE) and 2002/95/EC (RoHS). The primary aim of the WEEE Directive and RoHS Directive is to reduce the impact of disposal of electrical and electronic equipment at end-of-life.
1.4. Operator Safety Summary
For your protection please read these safety instructions completely before you connect the equipment to the power source. Carefully observe all warnings, precautions and instructions both on the apparatus and in these operating instructions. Keep this manual for future reference.
1.4.1.
1.4.7. Power connection and Hazardous voltage
The product may have hazardous voltage inside. Never attempt to open this product, or any peripherals connected to the product, where this action requires a tool. This product should always be powered from an earthed power outlet. Never connect attached power supply cord to other products.
2. Introduction
This User Manual is provided to help you make the best use of your TANDBERG Gatekeeper.
2.1. Main Features
The main features of the TANDBERG Gatekeeper are:
- IPv4 and IPv6 support.
- Supports up to 2500 registered endpoints.
- Supports up to 100 neighboring zones.
- Flexible zone configuration with prefix and suffix support.
- URI and ENUM dialing with DNS enabling global connectivity.
Figure 1: Front panel of Gatekeeper
On the back of the Gatekeeper (see Figure 2) there are:
- a power connector
- a power switch
- a serial port (Data 2) for connecting to a PC.
3. 3.1. 3.2. Installation Precautions
- Never install communication equipment during a lightning storm.
- Never install jacks for communication cables in wet locations unless the jack is specifically designed for wet locations.
- Never touch uninstalled communication wires or terminals unless the communication line has been disconnected at the network interface.
- Use caution when installing or modifying communication lines.
3.3. Unpacking
The TANDBERG Gatekeeper is delivered in a special shipping box which should contain the following components:
- Gatekeeper unit
- Installation sheet
- User manual and other documentation on CD
- Rack-ears and screws
- Kit with 4 rubber feet
- Cables:
  o Power cables
  o One Ethernet cable
  o One null-modem RS-232 cable
3.4. Mounting
The Gatekeeper comes with brackets for mounting in standard 19" racks.
4. Getting started
4.1. Initial Configuration
The TANDBERG Gatekeeper requires some configuration before it can be used. This must be done using a PC connected to the serial port (Data 1) or by connecting to the system's default IP address: 192.168.0.100. The IP address, subnet mask and gateway must be configured before use. The Gatekeeper has to be configured with a static IP address. Consult your network administrator for information on which addresses to use.
9. Review other system settings. You may want to set the following:
   a. The name of the Gatekeeper. This is used by the TANDBERG Management Suite (TMS) to identify the Gatekeeper. See the xConfiguration SystemUnit command (section 16.2.18) for more information on setting the name.
   b. Automatic discovery. If you have multiple Gatekeepers in the same network you may want to disable automatic discovery on some of them.
You will be presented with the Overview screen:
Note: HTTP and HTTPS must be enabled in order to use the web interface. This is done using the following commands:
    xConfiguration HTTP Mode:
    xconfiguration HTTPS Mode:
Note: If web access is required, you are recommended to enable HTTPS and disable HTTP for improved security.
4.2.2. Command line interface
The command line interface is available over SSH, Telnet and through the serial port.
Note: SSH and/or Telnet access must be enabled in order to use the command line interface. This is done using the following commands:
    xConfiguration SSH Mode:
    xconfiguration Telnet Mode:
Note: For secure operation you should use SSH in preference to Telnet.
4.2.3. Session timeout
By default, administration sessions remain active until you logout.
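The notes above on HTTP/HTTPS, SSH/Telnet and session timeout can be checked together against a saved list of settings. The following script is an added example, not TANDBERG code: it assumes the settings are available as text lines of the form "xConfiguration <setting>: <value>", and the two dumps in it are constructed samples.

```python
import re

# Matches one setting line, e.g. "xConfiguration Telnet Mode: On".
# The guide writes the root command as both xConfiguration and xconfiguration.
SETTING_RE = re.compile(
    r"xconfiguration\s+(?P<path>[^:]+?)\s*:\s*(?P<value>.*)$", re.IGNORECASE
)

# Defaults this guide states (sections 16.2.1, 16.2.5, 16.2.14).
# Settings whose default is not stated on the page are deliberately left out.
STATED_DEFAULTS = {
    "http mode": "On",
    "https mode": "On",
    "session timeout": "0",
    "authentication mode": "Off",
}

# Constructed sample: a unit left close to its defaults (assumed line format).
SAMPLE_DUMP = """\
xConfiguration HTTP Mode: On
xConfiguration HTTPS Mode: On
xConfiguration SSH Mode: On
xConfiguration Telnet Mode: On
xConfiguration Session TimeOut: 0
xConfiguration Authentication Mode: Off
"""

# Constructed sample: the same unit after applying the guide's recommendations.
# The timeout value 30 is an arbitrary non-zero illustration.
HARDENED_DUMP = """\
xConfiguration HTTP Mode: Off
xConfiguration HTTPS Mode: On
xConfiguration SSH Mode: On
xConfiguration Telnet Mode: Off
xConfiguration Session TimeOut: 30
xConfiguration Authentication Mode: On
"""


def parse_settings(text):
    """Return {lower-cased setting path: value} for every setting line."""
    settings = {}
    for line in text.splitlines():
        match = SETTING_RE.search(line)
        if match:
            path = " ".join(match.group("path").split()).lower()
            settings[path] = match.group("value").strip().strip('"')
    return settings


def audit(text):
    """Return a list of (setting, message) findings for the management plane."""
    settings = parse_settings(text)

    def value(key):
        # Fall back to the default the guide states, or None if it states none.
        return settings.get(key, STATED_DEFAULTS.get(key))

    def is_on(key):
        current = value(key)
        return None if current is None else current.lower() == "on"

    findings = []
    if is_on("http mode"):
        findings.append(("http mode",
                         "HTTP is enabled; use HTTPS only for web access"))
    telnet = is_on("telnet mode")
    if telnet is None:
        findings.append(("telnet mode",
                         "not present in the dump; check it on the unit"))
    elif telnet:
        findings.append(("telnet mode",
                         "Telnet is enabled; use SSH in preference"))
    timeout = value("session timeout")
    if not timeout.isdigit() or int(timeout) == 0:
        findings.append(("session timeout",
                         "administration sessions never time out"))
    if not is_on("authentication mode"):
        findings.append(("authentication mode",
                         "H.235 authentication is off; registrations are "
                         "not authenticated"))
    return findings


if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("hardened", HARDENED_DUMP)):
        print(name)
        for setting, message in audit(dump):
            print(f"  {setting}: {message}")
```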
4.4. IP Configuration
The Gatekeeper may be configured to use IPv4, IPv6 or both protocols. If using both protocols, the Gatekeeper will act as a gateway if necessary, allowing calls to be made between an IPv4-only endpoint and an IPv6-only endpoint. This behavior will use a traversal license for each call gatewayed between IPv4 and IPv6.
When registering, the endpoint registers with one or more of the following:
- One or more H.323 IDs
- One or more E.164 aliases.
Users of other registered endpoints can then call the endpoint by using either the H.323 ID, a URI, an E.164 alias, or one of the services. It is recommended that you do not use aliases that reveal sensitive information. Due to the nature of H.323, call setup information is exchanged in an unencrypted form.
Hierarchical dial plan
One Gatekeeper is nominated as the directory gatekeeper for the deployment. All Border Controllers and public Gatekeepers are neighbored with it and vice versa. There is no need to neighbor the Border Controllers and public Gatekeepers with each other. Adding a new Border Controller or public Gatekeeper now only requires changing configuration on that system and the Directory Gatekeeper.
4.7. Alternates
Alternate Gatekeeper support is provided to increase the reliability of your deployment. If one Gatekeeper becomes unavailable, perhaps due to a network or power outage, another will be used as an Alternate. Alternates share responsibility for their endpoint community: an individual endpoint may be registered with any one of the Alternates.
4.8. Call Processing Overview
Figure 6 illustrates the process the Gatekeeper performs when receiving call requests.
When an endpoint wants to call another endpoint it presents the address it wants to call to the Gatekeeper using a protocol known as RAS. The Gatekeeper applies any transforms (see section 5), tries to resolve the address, and if successful supplies the calling endpoint with information about the called endpoint. The destination address can take several forms: IP address, H.323 ID, E.164 alias or a full H.323 URI. When an H.323 ID or E.
5. Transforming Destination Aliases
5.1. Alias Transforms
The Alias Transforms function takes any aliases present in ARQ and LRQ messages and runs a set of transformations on them. The resulting aliases will then be used in the normal Gatekeeper logic, exactly as if those aliases were unchanged. Alias transforms will be applied prior to possible CPL modification and Zone transforms. The Alias transforms will not have any effect on aliases presented in GRQ or RRQ messages.
5.2. Zone Transforms
It is possible to direct an incoming location request to a different alias by replacing either the prefix or the suffix of the alias with a new string. Zone transform rules are created either:
- using the xconfiguration zones set of commands, or
- using the web interface when adding or editing a zone via Gatekeeper Configuration > Zones.
You must first select from the Match 1, Match 2, etc.
6. Unregistered Endpoints
Although most calls are made between endpoints registered with a Gatekeeper or Border Controller, it is sometimes necessary to place a call to or from an unregistered endpoint.
6.1. Calling from an Unregistered Endpoint
An unregistered endpoint can call an endpoint registered with the Gatekeeper.
When the Gatekeeper is used with a Border Controller for firewall traversal, you will typically set CallsToUnknownIPAddresses to Indirect on the Gatekeeper and Direct on the Border Controller. This will allow calls originating inside the firewall to use the Gatekeeper and Border Controller to successfully traverse the firewall. This is described in more detail in Dialing Public IP Addresses (section 11.3).
7. Bandwidth Control
7.1. About Bandwidth Control
The TANDBERG Gatekeeper allows you to control endpoints' use of bandwidth on your network. Figure 9 shows a typical network deployment: a broadband LAN, where high bandwidth calls are acceptable; a pipe to the internet with restricted bandwidth; and two satellite offices, each with their own restricted pipes.
Figure 10: Configuring a SubZone
7.2.1. Subzone links
Subzones may be configured with links joining them to each other and to other zones. These links are used to calculate how a call is routed over the network and so which zones and subzones are involved. If multiple routes are possible, your Gatekeeper will select the one with the fewest links.
Figure 11: Configuring a pipe
Pipes may be shared between one or more links. This is used to model the situation where a site communicates with several other sites over the same broadband connection to the Internet. Each link may have up to two pipes associated with it. This is useful for modeling two sites, each with their own broadband connection to the Internet backbone.
Figure 12: Configuring downspeeding options
7.4. Bandwidth Control and Firewall Traversal
When a Border Controller and Gatekeeper are being used to traverse a firewall, an additional zone and subzone come into use, as follows:
- The traversal zone is used to represent the zone containing the Gatekeeper with which this Gatekeeper is paired. This zone is automatically added for you.
- The traversal subzone represents the Gatekeeper itself.
7.5. Bandwidth Control Examples
7.5.1. Example without a firewall
One possible configuration for the deployment in Figure 9 is shown in Figure 13. Each of the offices is represented as a separate subzone, with bandwidth configured according to local policy. The enterprise's leased line connection to the Internet, and the DSL connections to the remote offices, are modeled as separate pipes.
Figure 15: Border Controller example configuration
Figure 15 shows how the Border Controller could be configured for the deployment in Figure 14. The introduction of the firewalls means that there is no longer any direct connectivity between the Branch and Home offices. All traffic must be routed through the Border Controller. This is shown by the absence of a link between the Home and Branch subzones. The Traversal Zone in Figure 15 represents the Enterprise Gatekeeper.
8. Registration Control
The TANDBERG Gatekeeper can control which endpoints are allowed to register with it. Two separate mechanisms are provided: a simple Registration Restriction Policy, and an authentication process based on user names and passwords.
Figure 17: Configuring registration restrictions
8.1.3. Managing entries in the Allow and Deny lists
When adding entries to the Allow and Deny lists, you can either specify an exact alias or use pattern matching to specify a group of aliases.
8.2. Authentication
The TANDBERG Gatekeeper can use a user name and password based challenge-response scheme to permit registrations. For details of how to configure your endpoint with the appropriate information, please consult your endpoint manual. The Gatekeeper supports the ITU H.235 specification [1] for authenticating the identity of network devices with which the Gatekeeper communicates.
Configuring LDAP base DN
The Gatekeeper needs to be configured with the area of the directory which will be searched for the communication device information. This should be specified as the Distinguished Name (DN) in the directory under which the H.350 objects reside.
8.2.4. Securing the LDAP connection with TLS
The traffic between the Gatekeeper and the LDAP server can be encrypted using Transport Layer Security (TLS). To use TLS, the LDAP server must have a valid certificate installed so that the Gatekeeper can verify the server's identity. For more information on setting up certificates using common LDAP servers, see Appendix B. LDAP uses port 636 as its default communications port.
9. URI Dialing
9.1. About URI Dialing
If an alias is not located in the Gatekeeper's list of registrations, it may attempt to find an authoritative Gatekeeper through the DNS system. URI dialing makes it easier for endpoints registered with different Gatekeepers or Border Controllers to call each other. Without URI dialing, you need to neighbor all the systems to each other. This does not scale well as the number of systems grows.
In addition, the DNS records should be updated with the address of the Border Controller as the authoritative Gatekeeper for the enterprise (see Appendix A). This ensures that calls placed using URI dialing enter and leave the enterprise through the Border Controller, allowing successful traversal of the firewall.
Figure 18: Configuring IP interface
9.3.
9.4. DNS Records
URI dialing relies on the presence of records in the DNS information for the zone. For preference, service (SRV) records should be used. These specify the location of a server for a particular protocol and domain. Their format is defined by an Internet standard (RFC 2782 [3]) as
    _Service._Proto.Name TTL Class SRV Priority Weight Port Target
The Gatekeeper supports two types of SRV record as defined by H.323 Annex O.
10. ENUM Dialing
10.1. About ENUM Dialing
ENUM provides another DNS-based dialing scheme. Users dial an E.164 number - a telephone number which is converted into an H.323 URI by the DNS system. The rules for URI dialing are then followed to place the call. This allows you to retain the flexibility of URI dialing whilst having the simplicity of calling using just a number. Before the DNS lookup can be performed, the E.164 number must be transformed into a host name.
Figure 19: Setting the ENUM Zone
10.3. Configuring DNS NAPTR Records
ENUM relies on the presence of NAPTR records, as defined by RFC 2915 [7]. This is used to obtain an H.323 URI from the E.164 number. The record format that the Gatekeeper supports is:
    ;; order flag preference service regex replacement
    IN NAPTR 10 100 "u" "E2U+h323" "!^(.*)$!h323:\1@example.com!" .
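The path from a dialed E.164 number to an H.323 URI through the NAPTR record above, as an added example that is not TANDBERG code. The host-name step follows the standard ENUM convention (digits reversed, dot-separated, ENUM zone appended), which is an assumption here because the guide's own description is cut off; the zone e164.arpa, the telephone number and the record lists are constructed, and the regex is applied to the bare digits.

```python
import re

# Constructed NAPTR answers for one ENUM host name, as
# (order, preference, flags, service, regexp) tuples. The second entry is the
# record shown in section 10.3; the first is a non-H.323 service to be skipped.
SAMPLE_NAPTR = [
    (5, 10, "u", "E2U+sip", "!^(.*)$!sip:\\1@example.com!"),
    (10, 100, "u", "E2U+h323", "!^(.*)$!h323:\\1@example.com!"),
]

# Constructed record whose rewrite does not yield an h323: URI.
MISMATCHED_NAPTR = [
    (1, 1, "u", "E2U+h323", "!^(.*)$!mailto:\\1@example.net!"),
]

# DNS answers are untrusted input: only accept a plain h323:user@host result.
H323_URI_RE = re.compile(
    r"^h323:[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$"
)


def e164_digits(number):
    """Strip formatting from a dialed number and check the E.164 length limit."""
    digits = re.sub(r"\D", "", number)
    if not 1 <= len(digits) <= 15:
        raise ValueError("not a valid E.164 number: %r" % number)
    return digits


def e164_to_enum_host(number, zone="e164.arpa"):
    """Build the host name queried for NAPTR records (zone is an assumption)."""
    digits = e164_digits(number)
    return ".".join(reversed(digits)) + "." + zone.strip(".")


def apply_naptr_regexp(field, subject):
    """Apply a NAPTR regexp field (delimiter, pattern, replacement, flags).

    Handles the simple form used in this guide; an escaped delimiter inside
    the pattern or replacement is not supported.
    """
    parts = field.split(field[0]) if field else []
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("malformed NAPTR regexp field: %r" % field)
    _, pattern, replacement, flags = parts
    match = re.search(pattern, subject, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        return None
    # Expand \1..\9 back-references from the matched groups.
    return re.sub(r"\\([1-9])",
                  lambda ref: match.group(int(ref.group(1))) or "",
                  replacement)


def enum_to_h323_uri(number, records):
    """Pick the best usable E2U+h323 record and return the rewritten URI."""
    digits = e164_digits(number)
    usable = sorted(
        r for r in records
        if r[3].lower() == "e2u+h323" and r[2].lower() == "u"
    )  # lowest order first, then lowest preference
    for _order, _preference, _flags, _service, regexp in usable:
        uri = apply_naptr_regexp(regexp, digits)
        if uri is not None and H323_URI_RE.match(uri):
            return uri
    return None


if __name__ == "__main__":
    dialed = "+44 1632 960123"  # constructed number
    print(e164_to_enum_host(dialed))
    print(enum_to_h323_uri(dialed, SAMPLE_NAPTR))
    print(enum_to_h323_uri(dialed, MISMATCHED_NAPTR))
```

The URI returned is then resolved by the rules for URI dialing (section 9); a rewrite that does not produce an h323: URI is discarded rather than routed.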
11. Example Traversal Deployments
11.1. Simple Enterprise Deployment
Figure 20: Simple enterprise deployment
Figure 20 shows a typical enterprise deployment. Endpoints 1001, 1002 and a Gatekeeper are deployed on a private network, separated from the public network by a firewall and NAT. Endpoint 1003 is on a separate private network, perhaps a home worker on a DSL connection. A Border Controller is deployed on the public network to allow traversal across the firewalls.
11.1.2. Enabling incoming URI calls
In order to be able to receive calls placed to example.com using URI dialing, configure the following:
Set example.com as the domain name you are using on both the Gatekeeper and Border Controller. This can be done via either:
    xConfiguration Gatekeeper LocalDomain DomainName:
or Gatekeeper or Border Controller Configuration -> Gatekeeper and in the Local Domain section in the Domain name field, enter the domain name.
11.2.
11.3. Dialing Public IP Addresses
Figure 22: Dialing a public IP address
Figure 22 shows a private endpoint (1001) calling an endpoint on a public IP address. In this case the public endpoint is not registered to a Gatekeeper and can only be reached using its IP address.
11.5. URI Dialing from within the Enterprise
In this example, we want to set up our system so that users from within our enterprise can use URI dialing to call a user in another enterprise. To enable this:
1. Disable Allow DNS resolution on the TANDBERG Gatekeeper. You want to use the Border Controller to resolve any H.323 URI received.
2. Enable Allow DNS Resolution on the TANDBERG Border Controller. You want to use the Border Controller to resolve any H.
12. Third Party Call Control
12.1. About Third Party Call Control
The Gatekeeper provides a third party call control API which enables you to place calls, disconnect calls, or initiate a blind transfer of an existing call. The API is provided through the command line interface; it is not available via the web interface.
12.2.
12.3.2. Enabling call transfer
To enable call transfer, either:
- issue the command:
    xConfiguration Services CallTransfer Mode:
- or go to Gatekeeper Configuration -> Services and in the Call Transfer section, tick the Allow call transfer box (see Figure 23).
Figure 23: Enabling call transfer
12.4.
13. Call Policy
13.1. About Call Policy
Your TANDBERG Gatekeeper allows you to set up policy to control which calls are allowed and even redirect selected calls to different destinations. You specify this policy by uploading a script written in the Call Processing Language (CPL).
13.2. Making Decisions Based on Addresses
13.2.1. address-switch
The address-switch node allows the script to run different actions based on the source or destination aliases of the call. The address-switch specifies which fields to match and then a list of address nodes contains the possible matches and their associated actions.
address
The address construct is used within an address-switch to specify addresses to match. It supports the use of Regular Expressions (see Appendix C for further information).
Note: All address comparisons ignore upper/lower case differences so address is="Fred" will match fred, freD etc.
is=string  Selected field and subfield exactly match the given string.
contains=string  Selected field and subfield contain the given string.
13.3.2. proxy
On executing a proxy node the Gatekeeper will attempt to forward the call to the locations specified in the current location set. If multiple entries are in the location set then they are treated as different aliases for the same destination and are all placed in the destination alias field. If the current location set is empty the call will be forwarded to its original destination.
13.5.2. Call screening based on domain
In this example, user fred will not accept calls from anyone at annoying.com, or from any unauthenticated users. All other users will allow any calls.
14. Logging
14.1. About Logging
The Gatekeeper provides logging for troubleshooting and auditing purposes.
14.2. Viewing the event log
To view the event log, either issue the command:
    eventlog [n/all]
where
    n    The number of lines (from end of event log) to display.
    all  Displays the whole event log.
or go to System Status -> Event Log.
14.3. Controlling what is Logged
14.3.1.
14.4. Event Log Format
The event log is displayed in an extension of the UNIX syslog format:
    date time host_name facility_name : message_details
where
    date             the local date on which the message was logged
    time             the local time at which the message was logged
    host_name        the name of the system generating the log message
    facility_name    the name of the program generating the log message
    message_details
14.5. Logged Events
Events logged at level 1
Event: Description
Eventlog Cleared: An operator cleared the event log.
Admin Session Start: An administrator has logged onto the system.
Admin Session Finish: An administrator has logged off the system.
System Configuration Changed: An item of configuration on the system has changed. The Detail event parameter contains the name of the changed configuration item and its new value.
Event: Description
External Server Communication Failure: Communication with an external server failed unexpectedly. The event detail data should differentiate between 'no response' and 'request rejected'. Servers concerned are:
- DNS
- Neighbor Gatekeeper
- LDAP servers
- NTP servers
System Start: The operating system has started.
System Shutdown: The operating system was shutdown.
Application Start: The Gatekeeper has started.
Event data fields
Each Event has associated data fields. Fields are listed below in the order in which they appear in the log message.
Field: Protocol
Description: Specifies which protocol was used for the communication.
Field: Src-ip
Description: Specifies the source IP address (the IP address of the device attempting to establish communications). The source IP is recorded in the dotted decimal format: (number).(number).(number).(number) or the IPv6 colon separated format.
Applicable Events: Call Attempted, Call Bandwidth Changed, Call Connected, Call Disconnected
Field: Time
Description: A full UTC timestamp in YYYY/MM/DD-HH:MM:SS format. Using this format permits simple ASCII text sorting/ordering to naturally sort by time. This is included due to the limitations of standard syslog timestamps.
Applicable Events: All events
Field: Level
Description: The level of the event as defined in 14.3.1.
Applicable Events: All events
* Included if event parameter relevant or available for message concerned.
In addition to the events described above, a syslog.
15. Software Upgrading
15.1. About Software Upgrading
Software upgrade can be done in one of two ways:
- Using a web browser (HTTP/HTTPS).
- Using secure copy (SCP).
Note: To upgrade the Gatekeeper, a valid Release key and software file is required. Contact your TANDBERG representative for more information.
3. Browse to the file containing the software and select Install. You will see a page indicating that upload is in progress: When the upload is completed you will see the following:
4. Select Restart. You will see a confirmation window: The system will then perform a second reboot to restore system parameters. After 3-4 minutes, the Gatekeeper is ready for use.
15.3.
To upgrade using SCP or PSCP:
1. Make sure the system is turned on and available on IP.
2. Upload the release key file using SCP/PSCP to the /tmp folder on the system e.g.
    scp release-key root@10.0.0.1:/tmp/release-key
   or
    pscp release-key root@10.0.0.1:/tmp/release-key
3. Enter password when prompted.
4. Copy the software image using SCP/PSCP. The target name must be /tmp/tandberg-image.tar.gz, e.g.
    scp s42000n51.tar.gz root@10.0.0.1:/tmp/tandberg-image.tar.
16. Command Reference
This chapter lists the basic usage of each command. The commands also support more advanced usage, which is outside the scope of this document.
16.1. Status
The status root command, xstatus, returns status information from the Gatekeeper.
16.1.1. Listing all status information
To list all status information, type:
    xstatus
Status is reported hierarchically beneath the status root.
16.1.5. ExternalManager
xstatus ExternalManager
Returns information about the external manager. The External Manager is the remote system, such as the TANDBERG Management Suite (TMS) used to manage the endpoints and network infrastructure.
    Address   Returns the IP address of the external manager.
    Protocol  Returns the Protocol used to communicate with the external manager.
    URL       Returns the URL used to communicate with the external manager.
16.1.6.
16.1.9. Links
xstatus Links
Reports call and bandwidth information for all links on the system.
xstatus Links Link
Reports call and bandwidth information for the specified link.
    Name       Returns the name assigned to this link
    Calls      Returns a list of call indices for calls currently active on this link.
    Bandwidth  Returns the total and per-call bandwidth limits on this link, together with bandwidth currently in use.
16.1.10.
16.1.13. ResourceUsage
xstatus ResourceUsage
Returns information about the usage of system resources.
    Registrations        Number of currently active registrations.
    MaxRegistrations     Maximum number of concurrent registrations since system start.
    TraversalCalls       Number of currently active traversal calls.
    MaxTraversalCalls    Maximum number of traversal calls since system start.
    TotalTraversalCalls  Total number of traversal calls since system start.
16.1.16. Zones
xstatus Zones
Returns call and bandwidth information for all zones on the system. Also shows status of the zone as a whole and the status of each gatekeeper in the zone.
16.2. Configuration
The configuration root command, xconfiguration, is used to configure the system's settings.
xconfiguration Authentication Mode:
Specifies whether or not to use H.235 authentication of calls and registrations. The default is Off: no authentication is required.
16.2.2. Ethernet
xconfiguration Ethernet Speed:
Sets the speed of the Ethernet link. Use Auto to automatically configure the speed. The default is Auto. You must restart the system for changes to take effect.
xconfiguration Gatekeeper CallsToUnknownIPAddresses:
Specifies whether or not the Gatekeeper will attempt to call systems which are not registered with it or one of its neighbor gatekeepers. Options are:
    Direct  Allows an endpoint to make a call to an unknown IP address without the Gatekeeper querying any neighbors. The call setup would occur just as it would if the far end were registered directly to the local system.
xconfiguration Gatekeeper Registration AllowList [1..1000] Pattern:
Specifies a pattern in the list of allowed registrations. If one of an endpoint's aliases matches one of the patterns in the Allow List, the registration will be allowed.
xconfiguration Gatekeeper Registration ConflictMode:
Determines how the Gatekeeper will behave if an endpoint attempts to register aliases currently registered from another IP address. The default is Reject.
16.2.5. HTTP/HTTPS
Commands under the HTTP and HTTPS nodes control web access to the Gatekeeper.
xConfiguration HTTP Mode:
Enables/disables HTTP support. The default is On. You must restart the system for changes to take effect.
xconfiguration HTTPS Mode:
Enables/disables HTTPS support. The default is On. You must restart the system for changes to take effect.
xconfiguration IP DNS Domain Name:
Specifies the name to be appended to the domain name before a query to the DNS server is executed, when attempting to resolve a domain name which is not fully qualified.
Note: This parameter is only used when attempting to resolve server addresses such as LDAP servers, NTP servers etc. It plays no part in URI dialing (see xconfiguration gatekeeper localdomain).
16.2.7.
16.2.10. NTP
xconfiguration NTP Address:
Sets the IP address of the NTP server to be used when synchronizing system time. Accurate timestamps play an important part in authentication, helping to guard against replay attacks.
16.2.11. Option Key
xConfiguration Option [1..64] Key:
Specifies the option key of your software option.
16.2.14. Session
xconfiguration Session TimeOut: <0..65534>
Controls how long an administration session (HTTPS, Telnet or SSH) may be inactive before the session is timed out. A value of 0 turns session time outs off. The default is 0. You must restart the system for changes to take effect.
16.2.15. SNMP
xconfiguration SNMP CommunityName:
SNMP Community names are used to authenticate SNMP requests.
xconfiguration SubZones TraversalSubZone Bandwidth PerCall Limit: <1..100000000>
Per-call bandwidth available on the traversal subzone.
xconfiguration SubZones TraversalSubZone Bandwidth PerCall Mode:
Whether or not the traversal subzone is enforcing per-call bandwidth restrictions. None corresponds to no bandwidth available.
xconfiguration SubZones TraversalSubZone Bandwidth Total Limit: <1..
16.2.18. SystemUnit
xconfiguration SystemUnit Name: The name of the unit. Choose a name that uniquely identifies the system.
xconfiguration SystemUnit Password: Specify the password of the unit. The password is used to log in with Telnet, HTTP(S), SSH, SCP, and on the serial port.
Note: To set an empty password, type: xconfiguration SystemUnit Password: ""
16.2.19. Telnet
xconfiguration Telnet Mode: Enables/disables Telnet support.
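An added example, not from the guide or from TANDBERG: a short Python audit that reads settings written in the guide's xconfiguration syntax and flags the administrative-access weaknesses described in these sections (HTTP Mode On, Telnet Mode On, a Session TimeOut of 0, an empty SystemUnit Password). The listing is constructed sample input, and falling back to the guide's stated defaults for settings that are absent is an assumption of the example.

```python
import re

# Constructed listing in the guide's "xconfiguration <path>: <value>" syntax.
# It is sample input for this example, not captured Gatekeeper output.
SAMPLE = """\
xConfiguration HTTP Mode: On
xConfiguration HTTPS Mode: On
xConfiguration Telnet Mode: On
xConfiguration Session TimeOut: 0
xConfiguration SystemUnit Password: ""
"""

# Defaults the guide states; settings absent from the listing fall back to these
# (assumption of this example). Telnet Mode and the password have no stated default.
GUIDE_DEFAULTS = {"http mode": "On", "https mode": "On", "session timeout": "0"}

LINE = re.compile(r"^\s*xconfiguration\s+([^:]+):\s*(.*?)\s*$", re.IGNORECASE)

def parse(text):
    """Return {lower-cased setting path: value}, starting from GUIDE_DEFAULTS."""
    settings = dict(GUIDE_DEFAULTS)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            path = " ".join(m.group(1).lower().split())
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # "" is how the guide writes an empty value
            settings[path] = value
    return settings

def audit(text):
    """Return sorted (path, reason) findings for weak administrative-access settings."""
    s = parse(text)
    findings = []
    if s["http mode"].lower() == "on":
        findings.append(("http mode", "web administration allowed over cleartext HTTP"))
    if s.get("telnet mode", "").lower() == "on":
        findings.append(("telnet mode", "password and session sent in cleartext"))
    if s["session timeout"] == "0":
        findings.append(("session timeout", "idle HTTPS/Telnet/SSH sessions never expire"))
    if s.get("systemunit password") == "":
        findings.append(("systemunit password", "empty password on every access method"))
    return sorted(findings)

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```

HTTP Mode, HTTPS Mode and Session TimeOut changes only take effect after a restart, so rerun the audit against the running configuration once the system has been restarted.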
xconfiguration Zones TraversalZone Match [1..5] Mode: The zone match mode determines when an LRQ will be sent to gatekeepers in the zone. If the mode is set to AlwaysMatch the zone will always be queried. If the mode is set to PatternMatch, the zone will only be queried if the alias queried for matches the corresponding pattern. If the mode is set to Disabled the zone will never be queried.
xconfiguration Zones TraversalZone Match [1..
xconfiguration Zones Zone [1..100] Match [1..5] Pattern String: The pattern to be used when deciding whether or not to query a zone. This is only used if the zone's match mode is set to AlwaysMatch.
xconfiguration Zones Zone [1..100] Match [1..5] Pattern Type: Prefix/Suffix determines whether the pattern string being checked should appear at the beginning or end of an alias.
16.3. Command
The command root command, xcommand, is used to execute commands on the Gatekeeper.
To list all xcommands type: xcommand ?
To get usage information for a specific command, type: xcommand ?
16.3.1. AllowListAdd
xCommand AllowListAdd
Adds an entry to the allow list, used by the registration restriction policy.
16.3.7. CredentialDelete
xCommand CredentialDelete
Deletes the indexed credential.
16.3.8. DefaultLinksAdd
xCommand DefaultLinksAdd
Restores the factory default links for bandwidth control.
16.3.9. DefaultValuesSet
xCommand DefaultValuesSet Level
Resets system parameters to default values. Level 1 will reset most parameters. There are currently no level 2 parameters, so setting that level has the same effect as setting level 1.
16.3.12. Dial
xCommand Dial Bandwidth:
Places call halves out to the specified source and destination, joining them together. callsrc and calldst can be specified using either an alias or IP address. Bandwidth is in kbps.
16.3.13. DisconnectCall
xCommand DisconnectCall
Disconnects the specified call. You can specify the call using either its call index or its serial number, which can be identified using xstatus call.
16.3.14.
16.3.15. FeedbackDeregister
xCommand FeedbackDeregister
Deregisters the specified Feedback Expression. All registered Feedback Expressions may be removed by issuing the command: xCommand FeedbackDeregister 0
16.3.16. FindRegistration
xCommand FindRegistration
Returns information about the registration associated with the specified alias. The alias must be registered on the Gatekeeper on which the command is issued. See also xCommand Locate.
16.3.17.
16.3.23. PipeDelete
xCommand PipeDelete
Deletes the pipe with the specified index.
16.3.24. RemoveRegistration
xCommand RemoveRegistration
Removes the specified registration.
16.3.25. SubZoneAdd
xCommand SubZoneAdd
Adds and configures a new subzone. Parameters include:
name: User assigned label for the subzone.
address: IP address for the sub-zone.
16.3.28. TransformDelete
xCommand TransformDelete
Deletes the transform with the specified index.
Note: a list of all current transforms can be obtained using the command: xconfiguration gatekeeper transform.
16.3.29. ZoneAdd
xCommand ZoneAdd
Adds a new zone with the specified name and IP address. The zone is pre-configured with a link to the default subzone and a pattern match mode of AlwaysMatch.
16.3.30.
16.4. History
The history root command, xhistory, is used to display historical data on the Gatekeeper.
To list all xhistory commands type: xhistory ?
To list all history data, type: xhistory
To show a specific set of history data, type: xhistory
16.4.1. calls
xhistory calls
Displays history data for up to the last 255 calls handled by the Gatekeeper. Call entries are added to the Call History on call completion.
16.5. Feedback
The feedback root command, xfeedback, is used to control notifications of events and status changes on the Gatekeeper.
A Feedback Expression describes an interesting event or change in status. When a Feedback Expression is registered, a notification will be displayed on the console for each occurrence of the event described by that Expression. Notifications will continue to be displayed for a given event until the Expression is deregistered.
16.5.3. Register event
xfeedback Register Event
Registers for all available Events.
xfeedback Register Event/
Registers for feedback on the occurrence of the specified Event.
Note: Registering for the ResourceUsage event will return the entire ResourceUsage structure every time one of the ResourceUsage fields changes.
16.6. Other Commands
16.6.1. about
about
Returns information about the software version installed on the system.
16.6.2. clear
clear
Clears the event log or history of all calls and registrations.
16.6.3. eventlog
eventlog
Displays the event log. The event log contains information about past events which may be useful for diagnostic purposes.
n: The number of lines (from end of event log) to display.
all: Displays the whole event log.
16.6.
17. Appendix A: Configuring DNS Servers
In the examples below, we set up an SRV record to handle H.323 URIs of the form user@example.com. These are handled by the system with the fully qualified domain name of gatekeeper1.example.com, which is listening on port 1719, the default registration port.
It is assumed that an A record already exists for gatekeeper1.example.com. If not, you will need to add one.
17.1.
18. Appendix B: Configuring LDAP Servers
18.1. Microsoft Active Directory
18.1.1. Prerequisites
These comprehensive step-by-step instructions assume that Active Directory is installed. For details on installing Active Directory please consult your Windows documentation.
The following instructions are for Windows Server 2003 Enterprise Edition. If you are not using this version of Windows, your instructions may vary.
18.1.2. Adding H.350 objects
1.
18.1.3. Securing with TLS
To enable Active Directory to use TLS, you must request and install a certificate on the Active Directory server. The certificate must meet the following requirements:
Be located in the Local Computer's Personal certificate store. This can be seen using the Certificates MMC snap-in.
Have the private details on how to obtain a key associated for use with it stored locally.
18.2.
18.2.3. Adding H.350 objects
1. Create the organizational hierarchy
Create an ldif file with the following contents:
    # This example creates a single organizational unit to contain
    # the H.350 objects
    dn: ou=h350,dc=my-domain,dc=com
    objectClass: organizationalUnit
    ou: h350
Add the ldif file to the server using the command:
    slapadd -l
This organizational unit will form the BaseDN to which the Gatekeeper will issue searches.
18.2.4. Securing with TLS
The connection to the LDAP server can be encrypted by enabling Transport Layer Security (TLS) on the connection. To do this you must create an X.509 certificate for the LDAP server to allow the Gatekeeper to verify the server's identity. Once the certificate has been created you will need to install the following three files associated with the certificate onto the LDAP server:
The certificate for the LDAP server.
19. Appendix C: Regular Expression Reference
Regular expressions can be used in conjunction with a number of Gatekeeper features such as alias transformations, zone transformations, CPL policy and ENUM. The Gatekeeper uses POSIX format regular expression syntax.
For an example of regex usage, see Call screening based on alias (section 13.5.4).
20. Appendix D: Technical data
20.1. Technical Specifications
20.1.1. System Capacity
2500 registered traversal endpoints
100 traversal calls at 384 kbps
500 non-traversal calls
100 zones
Option keys may restrict the system to a lower capacity than specified above.
20.1.2. 20.1.3. 20.1.4.
20.1.9. Hardware MTBF
Hardware MTBF: 80,479 hours
20.1.10. Power Supply
250 Watt 90-264V full range @47-63 Hz
20.1.11. Certification
LVD 73/23/EC
EMC 89/366/ECC
20.2. Approvals
This product has been approved by various international approval agencies, among others CSA and Nemko. According to their Follow-Up Inspection Scheme, these agencies also perform production inspections on a regular basis, for all production of TANDBERG's equipment.
22. Glossary
Alias: The name an endpoint uses when registering with the Gatekeeper. Other endpoints can then use this name to call it.
ARQ, Admission Request: An endpoint RAS request to make or answer a call.
DNS Zone: A subdivision of the DNS namespace. example.com is a DNS zone.
E.164: An ITU standard for structured telephone numbers. Each telephone number consists of a country code, area code and subscriber number.