Microsoft ISA Server H.323 Gateway and Gatekeeper

Overview of IP Telephony, H.323, and ISA Server H.323 Support

Presentation Agenda

• IP Telephony Overview

• The ITU H.323 Specification

• Microsoft ISA Server H.323 Gateway

• Microsoft ISA Server H.323 Gatekeeper

• Microsoft ISA Server Scenarios

IP Telephony OverviewDefinition

• IP Telephony refers to the hardware and software technologies that provide the ability to place telephone calls over IP based networks.

IP Telephony OverviewTraditional Voice Networks – PSTN

• The Public Switched Telephone Network– The collection of networking equipment that belongs to

the carriers involved in providing telephone service. 

• The PSTN is a Circuit Switched Network– A virtual circuit is created in the PSTN “Cloud” for

each telephone call. The circuit is allocated (64k bps) and maintained for the duration of the call, regardless of the amount of traffic flowing over the circuit.

IP Telephony OverviewPSTN - Basic Network Topology

IP Telephony OverviewTraditional IP Networks – The Internet

• Packet Switched Networks– Separate packets from the same communication

may take different paths through the cloud.– More efficient use of network resources – No inherent QoS or Security, without special a

special implementation to address these issues.

• Signaling and Media use the same network

IP Telephony OverviewStandards Bodies

• International Telecommunications Union (ITU)– ITU-T division’s H SERIES specs define the

Transmission of non-telephone signals.

– Specifications must be licensed from the ITU

• Internet Engineering Task Force (IETF)– RFC and Internet-Draft specifications are well-known

to most IT professionals

– Available in the public domain : http://www.ietf.org

IP Telephony OverviewThe 3 competing signaling protocols

• H.323 (ITU)– Umbrella specification defining the protocols and codecs

to be used by H.323 compliant devices.

• SIP (IETF)– Session Initiation Protocol. New, up and coming

standard. Similar to H323 mechanically, but text-based and simpler. More closely related to HTTP “on the wire.”

• S/MGCP (IETF)– Signaling Gateway Control Protocol / Media Gateway

Control Protocol.

IP Telephony OverviewMedia Protocols

• RTP/RTCP (IETF)– Real-Time Protocol/ Real-Time Control

Protocol.– This is used almost universally for media

transport. Both H.323 and SIP specify RTP as the media transport protocol of choice

IP Telephony OverviewBasic VoIP network diagram

The ITU H.323 Specification

• H.323 Specification

Title: Visual telephone systems and equipment for local area networks which provide a non‑guaranteed quality of service

The ITU H.323 SpecificationImportant Terms

• H.323 Entity: Any H.323 component, including

– Terminals

– Gateways

– Gatekeepers

– MCs, MPs, and MCUs.

• Endpoint: A Terminal, Gateway, or MCU.

• Call: Point-to-point multimedia communication between two H.323 endpoints

• Multipoint Conference: A conference between three or more terminals

The ITU H.323 SpecificationH.323 Protocol Stack

The ITU H.323 SpecificationBasic Call Model

A typical H.323 Call consists of 5 phases:1. Call Setup (Phase A)2. Initial communication between endpoints and

terminal capability exchange (Phase B)3. Establishment of of Audio / Visual

communication between endpoints (Phase C)4. Request and negotiation of Call Services (Phase

D)5. Call Termination (Phase E)

The ITU H.323 SpecificationBasic Call in Action

ISA Server H.323 GatewayIntroduction

• The ISA Server H.323 Gateway is an application layer H.323 Proxy.

• Traditional circuit-layer proxies (Winsock Proxy, ISA Firewall Service) and transparent proxies (NAT, SecureNAT) do not properly handle H.323 traffic because of the Protocol’s complexity.

ISA Server H.323 GatewayProxy History

• Proxy Server 2.0 – Winsock Proxy could handle only one outbound H.323

call at a time.– No inbound H.323 calls were possible (No Server Proxy)

• Windows 2000 NAT– H.323 / LDAP Protocol Editor allows outbound H.323

Calls (LDAP is needed for ILS lookup)

• ISA H.323 Gateway – supports outbound H.323 calls and inbound calls with

Gatekeeper assistance

ISA Server H.323 GatewayH.323 Gateway Implementation

• The ISA H.323 Proxy is implemented as an ISA Application Filter.– Application Filters can be externally developed using the

ISA SDK. – Application filters plug-in to the ISA Firewall Service – Application filters can perform

• protocol editing, e.g., H.323 filter• Content inspection, e.g., SMTP filter• Virus scanning, e.g., 3rd Party filter• Other activities enabled by access to the application data stream

• Both SecureNAT Clients and Firewall (WSP) Clients can use the H.323 Gateway

ISA Server H.323 GatewayH.323 Gateway Implementation (cont.)

ISA Server H.323 GatekeeperIntroduction

• ISA Gatekeeper Functionality– Register Users (directory)

• The GK defines an H.323 zone and is referenced when attempting to locate a user or terminal. The GK provides alias to IP address resolution.

– Route Calls• Terminals specify a GK if one exists for their zone.

The GK will route calls to the appropriate destinations based on routing rules created by an administrator.

ISA Server H.323 GatekeeperScenario Example

ISA Server H.323 GatekeeperServer Properties

ISA Server H.323 GatekeeperServer Properties (cont.)

ISA Server H.323 GatekeeperRegistering Users

ISA Server H.323 GatekeeperCall Routing - Destinations

ISA Server H.323 GatekeeperCall Routing Rules

• Rules are used to determine how a GK should help the caller route the call.

• 3 Types of Call Routing Rules – Phone Number Rules – Email Address Rules – IP Address Rules

• By matching the ID type to a destination, – Phone# calls can be routed to a PSTN Gateway– External IP Addresses, Email addresses, or Names can

be routed to external endpoints or GK’s.

ISA Server H.323 GatekeeperRouting Rule Precedence

• GK finds matching rules for each destination type.

• Matching rules are then sorted by – Quality of match (more matching elements)– If Quality of match is equal, “exact” rule types

have precedence over “prefix” (ph#) or “suffix” (domain/IP) rule types.

– If Quality and Type match, rule precedence number is used.

ISA Server H.323 GatekeeperRouting Rule Precedence (cont)

• Now that rules have been sorted based on matching, there may be equal rules with different destinations. Each destination should be tried in the case that a previous response is negative.

e.g., If ILS lookup fails, we should try Active Directory for a match as well (assuming there are rules for each of these destinations)

ISA Server H.323 GatekeeperRouting Rule Precedence (cont)

• Destinations are contacted in the following order:– None. This is a “deny rule” and causes processing to

cease.– Local Registration Database– Gateway/Proxy– Internet Locator Service (ILS)– Gatekeeper– Multicast Gatekeeper– DNS– Active Directory– Local Network

ISA Server H.323 GatekeeperRouting Rule Precedence (cont)

Which Rules get applied?

What order are the applied rules processed?

Resources and References

• Books– IP Telephony. (Bill Douskalis)

• Much of the VoIP and H.323 information in this presentation came from this book

– IP Telephony: Packet-Based Multimedia Communications Systems (Hersent, Gurle, Petit)

• Web Sites– Databeam. This site has a good primer on H.323 and

T.120• http://www.databeam.com/standards/index.html

– Intel. This page describes the problems and pitfalls of getting H.323 through Firewalls

• http://support.intel.com/support/videophone/trial21/h323_wpr.htm

Resources and References(cont.)

• Specs– ITU-T:

• H.323

• T.120

– IETF: • RTP (RFC 1889) ftp://ftp.isi.edu/in-notes/rfc1889.txt