cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2620
Views
0
Helpful
2
Replies

Does anyone have any expereince of dealing with Checkpoint firewalls and disableing H.323 inspection?

Chris Swinney
Level 5
Level 5

Hi All,

We have an issue with a client where their firewall (CheckPoint 13500) is manipulating the H.245 signaling where the devices negotiate the logical media channels. Whilst this is not our responsibility to resolve, I just wondered if anyone out there has had experience of CheckPoint firewalls, and essentially turning off any H.323 inspection. I have no experience of dealing with these firewall, but a quick Google for info left me feeling a little bewildered .

Cheers,

Chris

2 Replies 2

Chris Swinney
Level 5
Level 5

For reference, the issue occurs because their VCS Control is in a DMZ (No NAT) and the locally registered endpoints are behind the CheckPoint firewall. Whilst this might not be an ideal topology, as we remotely manage the VCS, this was becided as a compromised solution, and has proved to work well elsewhere (when H.323 aware firewall aren't an issue.

Essentially, when two locally registered endpoints call each other, whilst the initial signaling flows through the VCS, the VCS point each device to the other when opening up the logical media channels, thereby stepping out of the media routing path. The packet being send from the VCS to device A that tells device A where to send its media stream (i.e. to the IP address of device B), ends up being altered by the firewall. The result is that the H.245 packet received by device A points the media steam to a NAT'ed address as the firewall assumes that device B is actually unreachable.

I supposed we could get the users to call direct dial via IP address (but they are used to using E.164) or get the VCS to actually traverse the call so route the media (perhaps getting one endpoint to register by SIP and the other by H.323), but both are just work around. We know what needs to be done, but these CheckPoints seem a little complex!!!

Cheers

Chris

Hi Chris,

I am not checkpoint specialist myself so I was having lot of troubles figuring out how to pass traffic uninspected and this helped me before, as well as Checkpoint support forums (look for "voip" ):

http://www.checkpoint.com/smb/help/utm1/8.1/8922.htm

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: