Does anyone have any experience of dealing with Checkpoint firewalls and disabling H.323 inspection?
We have an issue with a client where their firewall (CheckPoint 13500) is manipulating the H.245 signaling where the devices negotiate the logical media channels. Whilst this is not our responsibility to resolve, I just wondered if anyone out there has had experience of CheckPoint firewalls, and essentially turning off any H.323 inspection. I have no experience of dealing with these firewalls, but a quick Google for info left me feeling a little bewildered.
For reference, the issue occurs because their VCS Control is in a DMZ (No NAT) and the locally registered endpoints are behind the CheckPoint firewall. Whilst this might not be an ideal topology, as we remotely manage the VCS, this was decided as a compromise solution, and has proved to work well elsewhere (when H.323-aware firewalls aren't an issue).
Essentially, when two locally registered endpoints call each other, whilst the initial signaling flows through the VCS, the VCS points each device to the other when opening up the logical media channels, thereby stepping out of the media routing path. The packet being sent from the VCS to device A that tells device A where to send its media stream (i.e. to the IP address of device B) ends up being altered by the firewall. The result is that the H.245 packet received by device A points the media stream to a NAT'ed address, as the firewall assumes that device B is actually unreachable.
I suppose we could get the users to call direct dial via IP address (but they are used to using E.164) or get the VCS to actually traverse the call so route the media (perhaps getting one endpoint to register by SIP and the other by H.323), but both are just workarounds. We know what needs to be done, but these CheckPoints seem a little complex!!!