disabling H.323 completely on EX90 (want to stop unsolicited calls)

Douglas Baggett
Level 1

I have a couple of EX90s that are in a DMZ at a remote office. Other than by explicitly blocking the H.323 ports inbound at the firewall, is there a way to completely disable H.323 so that they don't get unsolicited H.323 IP calls? The system is registered via SIP with our Expressway, and I have H.323 set to direct on the EX90.

 

thanks!


Patrick Sparkman
VIP Alumni

This has been asked many times in the forums, a quick search returned these two, but there are many more.

sourceh323idcisco-incomingcalls

nuisance-h323-calls-sx20

As you pointed out, beyond blocking all incoming traffic and only allowing traffic from known sources by IP, there is really no workaround to prevent the H323 calls if the system is exposed to the public internet.

However, because you have a VCS, I highly suggest you register your endpoints to it and use it as the gateway in and out of your network, after all, that is what it's there for.  You'll still get the same incoming calls on your VCS, but in the first discussion above, there is a CPL script that can be used to block them.

Hmm... looks like I should have searched a little better. Thanks for the references.

 

 

No worries, even if you search for something, you might not get the results you want right away.  I knew what to search and look for, but there are many other discussions out there on this.

Before it was just SIP, and that was easy to prevent: just block port 5060. However, recently these incoming call attempts started coming in on H323, and well, you can't block them without breaking H323 dialing altogether. With a VCS it gets easier to work around, and you're able to block them using a CPL script.

If you have any more questions, let us know.  Don't forget to mark replies as answered to help others that have the same question.

Thanks for the response. I've posted another message that might clear up what I've got going now.

Hey Douglas,

When you say that you have an Expressway, generally these devices are used as the single point of entry for video calls. If you want to use H.323, you could always register the endpoint with the VCS-E too, and use a dial plan to route the calls.

Just a thought.

Cheers

Chris

Just to clear things up.

The Expressway is at our corporate office. The EX90 is overseas and is registered via SIP to the Expressway. (No Expressway or VCS at the remote site.)

In the past, the issue I had was configuring H.323 and SIP authentication at the same time so that (I'll have to look up what the problem was exactly... it was a while back) only authenticated devices could register with the Expressway.

I don't really care about native H.323 functionality at the overseas office. Our Expressway can do the translation if they really need to make an H.323 outbound call.

How would you do this? What I want is for that EX90 to be SIP-only to our Expressway (achieved), and I don't want incoming H.323 IP calls to the unit over there. (They get annoyed and end up turning the unit off and forgetting to turn it back on.)

 

For clarity, and due to Cisco's confusing marketing :), when I say "Expressway" what I mean is VCS-E.

 

thanks!

 

It sounds as if the IP that the EX90 is using is open to the public. If you want to prevent the incoming H323 calls, close the firewall and use the Expressway to communicate with the endpoint. If for some reason, after you close the firewall, SIP dialing just doesn't work inbound and outbound, you could selectively open up the SIP ports.

We have a similar setup here, where an endpoint is in a hospital where they block all incoming traffic, and we couldn't dial into it. So we registered it to our Expressway and we're able to connect to it without issue now, and nothing was changed on the hospital firewall.

That's the easy solution... if I had access to the firewall at the remote site. :(

The ISP over in France that we are dealing with seems to not really know what to do or understand anything complicated, so as a result I'm stuck with the EX90 being open to the Internet.

Now... if I had root on the device LIKE CISCO USED TO LET US ;) I could configure iptables to block H.323 on the device itself.

Maybe I should put that in as a feature request to our account manager: the ability to craft local firewall rules right on the device.

It's always nice to leave both H.323 and SIP functionality open and used where needed. Whilst interworking generally is OK, you may come across odd circumstances where it doesn't work quite as expected.

You could (if you wanted to) stick the EX90 behind NAT and use the traversal capabilities of the VCS to allow it to register on both SIP and H.323. This will further obscure the endpoint but still allow it to be contactable via the VCS-E (you might need to test this with your firewall/NAT and reconfigure some CODEC settings, but it's generally relatively straightforward). You can even set up authentication on H.323 as well, if required. I usually tie down Expressway registration to a specific public IP address (Sub Zone membership rules), and also use an allow list, but I have been toying with authentication for H.323 devices as well.

The dial plan is where you would define what calls go where using what protocols.

 

Have a go, and post back in a new thread if you come across any other issues.

Cheers

Chris

 

Martin Koch
VIP Alumni

From what we see here, most scan calls are SIP/UDP.

So if you face unwanted calls, please check first if it's really H323 or if it's SIP.

Besides that, the point of having a video system in a DMZ is to be able to use direct IP dialing, which is H323.

So if you do not need H323, why don't you firewall the systems and put them behind NAT?

There might be deployments where you need the direct media flow, but even that could be handled with ICE.

So make sure you know what really happens and what you need, and take action accordingly.
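Martin's advice to check whether the nuisance calls are really H.323 or SIP before touching anything is a step worth automating. The script below is an added example, not something posted in this thread or shipped by Cisco: it classifies inbound connection attempts from a firewall's packet log by destination port (TCP 1720 for H.323 Q.931 call signalling, UDP 1719 for H.323 RAS, 5060/5061 for SIP), ignores sources you trust such as your own VCS-E, and tallies the rest per protocol and per source address. The log lines are constructed in the iptables `LOG` target style (`SRC=... PROTO=... DPT=...`), the addresses are documentation ranges, and the port assignments assume default settings on the endpoint.

```python
"""Classify logged inbound call attempts as H.323 vs SIP (added example)."""
import re
from collections import Counter

# Default signalling ports (assumption: endpoint uses the standard ports).
PORT_MAP = {
    ("tcp", 1720): "H.323 (Q.931 call signalling)",
    ("udp", 1719): "H.323 (RAS)",
    ("udp", 5060): "SIP (UDP)",
    ("tcp", 5060): "SIP (TCP)",
    ("tcp", 5061): "SIP (TLS)",
}

# Matches the fields of an iptables LOG line; field order is SRC ... PROTO ... DPT.
LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

# Constructed sample log: two SIP/UDP probes and an H.323 probe from the
# public internet, one unrelated SSH probe, and one SIP/TLS connection from
# a trusted peer (stands in for the VCS-E).
SAMPLE_LOG = """\
Jan 10 02:14:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=UDP SPT=5070 DPT=5060 LEN=612
Jan 10 02:14:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=UDP SPT=5070 DPT=5060 LEN=615
Jan 10 02:15:33 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.5 PROTO=TCP SPT=41022 DPT=1720 SYN
Jan 10 02:16:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.5 PROTO=UDP SPT=1719 DPT=1719 LEN=120
Jan 10 02:17:45 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=44311 DPT=22 SYN
Jan 10 02:18:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.5 PROTO=TCP SPT=50012 DPT=5061 SYN
"""


def classify_line(line):
    """Return (source_ip, label) for a log line, or None if it is not a LOG entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    key = (m.group("proto").lower(), int(m.group("dpt")))
    return m.group("src"), PORT_MAP.get(key, "other")


def summarize(lines, trusted=frozenset()):
    """Count attempts per protocol label and, for signalling ports only, per source.

    Sources in `trusted` (e.g. your VCS-E) are expected traffic and are skipped.
    """
    by_label = Counter()
    by_src = Counter()
    for line in lines:
        result = classify_line(line)
        if result is None:
            continue
        src, label = result
        if src in trusted:
            continue
        by_label[label] += 1
        if label != "other":
            by_src[src] += 1
    return by_label, by_src


def family_counts(lines, trusted=frozenset()):
    """Coarse verdict: how many attempts were H.323, SIP, or something else."""
    by_label, _ = summarize(lines, trusted)
    families = Counter()
    for label, n in by_label.items():
        families[label.split(" ")[0]] += n  # "H.323", "SIP" or "other"
    return dict(families)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    by_label, by_src = summarize(lines, trusted={"192.0.2.200"})
    print("Per protocol:", dict(by_label))
    print("Per source  :", dict(by_src))
    print("Verdict     :", family_counts(lines, trusted={"192.0.2.200"}))
```

Run it against the real log (`journalctl -k` or `/var/log/kern.log`, depending on the distribution) after adding a `LOG` rule for the signalling ports, and the per-source counts show which addresses to put in the VCS-E allow list or deny at the perimeter. If the verdict is overwhelmingly SIP/UDP, as Martin sees, then closing port 5060 to everything except the VCS-E solves the problem without touching H.323 at all.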
