Chris Swinney

Does anyone have any experience of dealing with Checkpoint firewalls and disabling H.323 inspection?

Hi All,

We have an issue with a client where their firewall (CheckPoint 13500) is manipulating the H.245 signaling where the devices negotiate the logical media channels. Whilst this is not our responsibility to resolve, I just wondered if anyone out there has had experience of CheckPoint firewalls, and essentially turning off any H.323 inspection. I have no experience of dealing with these firewalls, but a quick Google for info left me feeling a little bewildered.



Chris Swinney

For reference, the issue occurs because their VCS Control is in a DMZ (no NAT) and the locally registered endpoints are behind the CheckPoint firewall. Whilst this might not be an ideal topology, as we remotely manage the VCS, this was decided on as a compromise solution, and has proved to work well elsewhere (when H.323-aware firewalls aren't an issue).

Essentially, when two locally registered endpoints call each other, whilst the initial signaling flows through the VCS, the VCS points each device to the other when opening up the logical media channels, thereby stepping out of the media routing path. The packet being sent from the VCS to device A that tells device A where to send its media stream (i.e. to the IP address of device B) ends up being altered by the firewall. The result is that the H.245 packet received by device A points the media stream to a NAT'ed address, as the firewall assumes that device B is actually unreachable.

I suppose we could get the users to call direct dial via IP address (but they are used to using E.164) or get the VCS to actually traverse the call and so route the media (perhaps getting one endpoint to register by SIP and the other by H.323), but both are just workarounds. We know what needs to be done, but these CheckPoints seem a little complex!!!



Hi Chris,

I am not a Checkpoint specialist myself, so I was having a lot of trouble figuring out how to pass traffic uninspected, and this helped me before, as well as the Checkpoint support forums (look for "voip"):
