
Protecting a co-edge H.323 Proxy

When implementing a Cisco IOS MCM with proxy functionality in a co-edge model (i.e. in parallel with an existing firewall, so the firewall does not have to inspect the H.323 traffic), what would be a suitable ACL to apply to the external-facing interface, to ensure that only H.323 entered the network? Would it be necessary to permit traffic from other gatekeepers? Can the ACL be restricted to certain ports, or does the dynamic nature of H.323 make this problematic?

Cisco Employee

Re: Protecting a co-edge H.323 Proxy

Not sure what application or functional use you require, but for IP/VC I would suggest:

configuring the proxy on the inside of your firewall, enabling H.323 fixup on the firewall (assuming PIX) and then creating an ACL on the firewall opening port 1719 to the IP address of the Proxy.

In some University environments that required internet users to access conferences inside the University firewall we have used a guest gatekeeper model. Install a guest gatekeeper outside the firewall that Internet users will use to access conferences and then use the proxy model described above to get the video traffic through the firewall.
