Does anyone have any experience of dealing with Checkpoint firewalls and disabling H.323 inspection?

Unanswered Question
Dec 4th, 2013

Hi All,


We have an issue with a client where their firewall (CheckPoint 13500) is manipulating the H.245 signaling where the devices negotiate the logical media channels. Whilst this is not our responsibility to resolve, I just wondered if anyone out there has had experience of CheckPoint firewalls, and essentially turning off any H.323 inspection. I have no experience of dealing with these firewalls, but a quick Google for info left me feeling a little bewildered.


Cheers,


Chris

Chris Swinney Thu, 12/05/2013 - 00:07

For reference, the issue occurs because their VCS Control is in a DMZ (no NAT) and the locally registered endpoints are behind the CheckPoint firewall. Whilst this might not be an ideal topology, as we remotely manage the VCS, this was decided as a compromise solution, and has proved to work well elsewhere (when H.323-aware firewalls aren't an issue).


Essentially, when two locally registered endpoints call each other, whilst the initial signaling flows through the VCS, the VCS points each device to the other when opening up the logical media channels, thereby stepping out of the media routing path. The packet being sent from the VCS to device A that tells device A where to send its media stream (i.e. to the IP address of device B) ends up being altered by the firewall. The result is that the H.245 packet received by device A points the media stream to a NAT'ed address, as the firewall assumes that device B is actually unreachable.


I suppose we could get the users to call direct via IP address (but they are used to using E.164), or get the VCS to actually traverse the call and so route the media (perhaps getting one endpoint to register by SIP and the other by H.323), but both are just workarounds. We know what needs to be done, but these CheckPoints seem a little complex!!!


Cheers


Chris
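The rewrite Chris describes above can be confirmed before touching the Check Point configuration by capturing the same H.245 message on both sides of the firewall (on the VCS's DMZ segment and on device A's segment) and comparing the media address it carries. The script below is an added example and is not part of the original thread or of Cisco's or Check Point's tooling. It assumes H.245 is carried over TCP with TPKT framing (RFC 1006) and that, in aligned PER, the H.245 `UnicastAddress.iPAddress` field is encoded as a fixed 4-octet OCTET STRING followed by a 16-bit `tsapIdentifier`, so an IPv4 address and port appear as six raw consecutive bytes in the payload. Rather than fully decoding H.245, it searches the PDU for the two candidate addresses (device B's real address and the suspected NAT address). All addresses, ports and payload bytes are constructed sample data, and the `build_sample_frame` helper produces filler around the transport address, not a real `OpenLogicalChannelAck`.

```python
"""Detect a firewall rewriting the media address inside an H.245 message.

Added example, not from the original thread. Assumptions (labelled):
 - TPKT framing (03 00 <len16>) in front of each H.245 PDU.
 - Aligned PER places the IPv4 media address as 4 raw octets followed by a
   2-byte port, so a byte search for a known address locates the field.
 - All addresses, ports and payload bytes below are constructed.
"""
import ipaddress
import struct

# Constructed sample addresses (not from the original thread).
DEVICE_B_IP = "10.20.30.40"   # endpoint B's real address behind the Check Point
NAT_IP = "203.0.113.7"        # address the firewall substituted (constructed, TEST-NET-3)
MEDIA_PORT = 49152            # RTP port that B advertised for the logical channel


def build_sample_frame(ip: str, port: int) -> bytes:
    """Build a constructed TPKT frame whose body carries ip:port as raw octets.

    The body is filler around the 6-byte transport address; it is NOT a real
    PER-encoded OpenLogicalChannelAck, only enough to exercise the search the
    way a real capture would.
    """
    body = (b"\x22\x80\x01\x00"                     # filler (constructed)
            + ipaddress.IPv4Address(ip).packed      # iPAddress.network (4 octets)
            + struct.pack("!H", port)               # tsapIdentifier (16 bits)
            + b"\x00\x00")                          # filler (constructed)
    return b"\x03\x00" + struct.pack("!H", 4 + len(body)) + body


# The same H.245 message as seen on the VCS side and on device A's side.
VCS_SIDE = build_sample_frame(DEVICE_B_IP, MEDIA_PORT)
ENDPOINT_SIDE = build_sample_frame(NAT_IP, MEDIA_PORT)


def strip_tpkt(frame: bytes) -> bytes:
    """Validate the 4-byte TPKT header and return the H.245 PDU that follows."""
    if len(frame) < 4 or frame[0] != 0x03 or frame[1] != 0x00:
        raise ValueError("not a TPKT frame")
    length = struct.unpack("!H", frame[2:4])[0]
    if length != len(frame):
        raise ValueError(f"TPKT length {length} != frame length {len(frame)}")
    return frame[4:]


def find_transport_addresses(pdu: bytes, candidates) -> list:
    """Return (ip, port, offset) for every candidate IPv4 address found as raw octets.

    Restricting the search to known candidates keeps accidental 4-byte matches in
    unrelated payload from being reported as transport addresses.
    """
    hits = []
    for ip in candidates:
        needle = ipaddress.IPv4Address(ip).packed
        start = 0
        while (idx := pdu.find(needle, start)) != -1:
            if idx + 6 <= len(pdu):
                port = struct.unpack("!H", pdu[idx + 4:idx + 6])[0]
                hits.append((ip, port, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[2])


def detect_rewrite(vcs_side: bytes, endpoint_side: bytes,
                   expected_ip: str, nat_ip: str) -> dict:
    """Compare the media address carried in two captures of one H.245 message.

    'rewritten' is True only when both captures carry an address and they differ,
    which is the symptom described in the thread: the VCS sent device B's real
    address and device A received a NAT'ed one.
    """
    before = find_transport_addresses(strip_tpkt(vcs_side), [expected_ip, nat_ip])
    after = find_transport_addresses(strip_tpkt(endpoint_side), [expected_ip, nat_ip])
    before_addr = (before[0][0], before[0][1]) if before else None
    after_addr = (after[0][0], after[0][1]) if after else None
    return {
        "vcs_side": before_addr,
        "endpoint_side": after_addr,
        "rewritten": (before_addr is not None and after_addr is not None
                      and before_addr != after_addr),
    }


if __name__ == "__main__":
    result = detect_rewrite(VCS_SIDE, ENDPOINT_SIDE, DEVICE_B_IP, NAT_IP)
    print("VCS side carries     :", result["vcs_side"])
    print("Endpoint side carries:", result["endpoint_side"])
    print("Rewritten by firewall:", result["rewritten"])
```

In practice the two inputs would be the H.245 TCP payloads pulled from a tcpdump capture on the VCS interface and from a capture on device A's side of the firewall; Wireshark will decode the `OpenLogicalChannelAck` fully if the byte-search heuristic is not enough. Seeing device B's real address on the VCS side and a different address on the endpoint side is direct evidence that the firewall's H.323 inspection, not the VCS, is changing the media path.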
