(Listen up! This article contains some cool information that builds on the H.323 material in the book. Be sure to print this article and put it in your book near the H.323 discussions on page 674. -Tom.)
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
And there are more. As you can see, there are a lot of different environments in which an H.323-compliant application such as NetMeeting can find itself. In this article, we will limit ourselves to the configuration options for the case where one client is directly connected to the Internet and the other is behind the ISA Server H.323 Gatekeeper.
The setup is displayed in the figure below.
To make the whole thing work, we need to take care of the following issues:
Once you’ve taken care of these tasks, you’ll be able to carry on audio and video conferences with other NetMeeting client computers that participate in the type of scenario that we cover in this article.
Configure the Supporting Networking Infrastructure
If you’ve read my other articles, you’re probably getting tired of hearing this advice. One of the most common reasons administrators have problems with their ISA Server configuration is that the network infrastructure is not in place to support what they want to do with ISA Server.
Some of the network service issues you should consider include:
Make sure you are well versed in TCP/IP and TCP/IP networking services before you begin your ISA Server adventure. The trip will be a lot more pleasant and satisfying when you understand what networking services are required to make everything work right. Check out the articles in the Learning Zone for more information about how to optimize your network infrastructure.
Configure the H.323 Application Filter
Network clients that need to participate in audio, video or data conferences can take advantage of the H.323 Application Filter. Both Gatekeeper-aware and non-Gatekeeper-aware NetMeeting clients go through the H.323 Application Filter. This Application Filter is enabled by default; however, if for some reason it becomes disabled, you will not be able to use H.323 services.
Note: Data conferencing is supported by the H.120 protocol. Data services through H.120 are tunneled through the H.323 protocol. The H.323 Application Filter is able to handle and evaluate these complex communications.
The H.323 Application Filter can be configured by performing the following steps:
Open the ISA Management console, expand your server or array, and then expand the Extensions node in the left pane.
Let’s cover the meaning of the configuration options in this dialog box.
Use this Gatekeeper
You can have the H.323 Gatekeeper service use the local Gatekeeper, or another Gatekeeper on your internal network. In the present example, and for most of the configurations you’ll be working with, configure this option with the IP Address of the Internal interface of the ISA Server. Do not configure it to use the external interface.
Allow incoming calls
If you want clients on an external network (such as the Internet) to be able to initiate inbound calls to an internal NetMeeting client, you must enable this option.
Allow outgoing calls
If you want internal network clients to be able to initiate outbound calls to external NetMeeting clients, you need to enable this option. If you don’t enable this option, internal clients will only be able to participate in meetings with external clients when the external client initiates the call.
Use DNS Gatekeeper lookup and LRQs for alias resolution
This is the mystery configuration option! If you check the Help file on this option, it will tell you:
“To enable DNS gatekeeper lookup, select the Use DNS gatekeeper lookup and LRQs for alias resolution check box.”
I have an explanation for this option, and I’ll include it in a Tip article in the future. Let’s just take it for granted that you should have this option checked. It will provide you with the greatest flexibility in name resolution for remote requests when you choose to call users using an email address.
The last three options:
Are used to allow or deny these features server-wide. You cannot allow video for one group and audio for another group. Note that each option in this group has an impact on bandwidth, with application sharing and video being the biggest bandwidth hogs.
Generally, I recommend that you leave all these options enabled, at least while you’re testing your H.323 configuration. You might want to limit what types of communication take place, in terms of media control, after you have determined that everything works.
Configure a Protocol Rule Supporting H.323 Communications
After the Application Filter is enabled and configured, you need to create a Protocol Rule allowing outbound access for the H.323 Protocol. The Protocol Rule allows for outbound access control of H.323 communications. Although you can’t control the type (audio, video or data) on a user/group basis, you can control who can use the H.323 protocol.
To create the H.323 Protocol Rule, perform the following steps:
Open the ISA Management console, expand your server or array, and then expand the Access Policy node. Right click on the Protocol Rules node, click New and then click Rule.
Note: At this point, internal NetMeeting clients can now make outbound calls to NetMeeting clients directly connected to the Internet. The Protocol Rule works together with the H.323 Protocol Filter. However, external clients will not be able to initiate inbound calls to internal NetMeeting clients, and an internal NetMeeting client will not be able to call an external NetMeeting client behind an ISA Server H.323 Gatekeeper.
Install and Configure the H.323 Gatekeeper
The H.323 Gatekeeper service is an “add-in” to the base ISA Server installation. This can be installed when you install the core ISA Server components, or you can install it afterward. Use the Add/Remove Programs applet in the Control Panel to add the H.323 Gatekeeper service if you did not install it with the rest of the ISA Server.
There isn’t too much configuration to be done for the Gatekeeper service in this scenario. However, you do need to configure the interface on which the Gatekeeper should listen.
Open the ISA Management console, expand your server or array, and then click H.323 Gatekeepers. You should see the name of your ISA Server as a subnode. If you don’t see this, right click on the H.323 Gatekeepers node and click Add Gatekeeper. Select This computer and click OK.
For our simple scenario of a NetMeeting client on the internal network, and an external NetMeeting client directly connected to the Internet, we do not need to create any routing rules.
THIS WEEK’S MYSTERY MEAT:
If you read Q289581, it seems to imply that if the internal NetMeeting client is configured to use the Gatekeeper, then you must configure IP address rules in order to connect to machines on the Internet. The strange thing about this is 1. You don’t need to do this, because it works without the IP addresses rules, and 2. There is no way to create a Destination to allow such a request, since the call is going directly to the external NetMeeting client, and there is no mechanism to create such a destination. It does make you wonder how the Gatekeeper handles requests for non-local networks. Perhaps because I’ve run tests using the Firewall Client, the LAT enters into the fray? At this time, IP address rules and how they apply to making direct calls to Internet connected clients are the mystery meat of the week.
Configure the NetMeeting Clients
The two NetMeeting clients need to be configured slightly differently. We want the internal NetMeeting client to register with the H.323 Gatekeeper and the external NetMeeting client to use the external interface of the ISA Server as its Gateway. Remember that the internal clients always register with the Gatekeeper and the external clients always use the external interface of the ISA Server as their Gateway.
Note: Depending on what Q289581 really means, you may have to ‘unregister’ from the Gatekeeper in order to make outbound calls. I found that this wasn’t an issue, but if you can’t make outbound calls, try removing the Gatekeeper configuration for the internal client.
Configuring the Internal NetMeeting Client
To configure the internal NetMeeting client to use the Gatekeeper, perform the following steps:
Place your mouse pointer over the icon in the lower right corner of the NetMeeting application interface. If you configured the Gatekeeper settings correctly, you should see a tool tip pop up that says Logged on to gatekeeper as seen in the figure below.
Configuring the External NetMeeting Client
The external NetMeeting client needs to be configured to use the external interface of the ISA Server as its Gateway. I’ve noticed a few people mention that they’ve tried to use the external interface of the ISA Server as their Gatekeeper, and that just won’t work! It might seem like it works, but it doesn’t, so don’t even try it.
To configure the external NetMeeting client to use the external interface of the ISA Server as its Gateway, perform the following steps:
Making the Call
Once the external NetMeeting client is configured to use the external interface of the ISA Server as its Gateway, it can call an internal client by using the phone number the internal client registered with the Gatekeeper. Note that with this configuration you cannot use an email address to call the internal NetMeeting client, even though the client may have registered an email address with the Gatekeeper.
To use email addresses to call another user, both machines must lie behind an H.323 Gatekeeper and each site must have a q931 record entered into the DNS. We will cover this subject in detail in a future article.
To make the call, the external NetMeeting client clicks the icon that looks like a telephone, and then enters the phone number, as seen in the figure below.
After the call is established, you might see something scary, as demonstrated from the machine of a poor bloke who called me. Note that the lighting in my office was not optimal and the call was made at night.
This scenario, where one computer is directly connected to the Internet and the other is behind the ISA Server, is commonly seen in smaller offices where partners usually don’t have their own firewalls. This is also the scenario you’ll find yourself in when you want to talk to family members and friends who have dial-up connections to the Internet.
Note that the external NetMeeting client must use a phone number to make the call. There is no mechanism available for users to query the registration database on the H.323 Gatekeeper. Therefore, you must ensure that external callers have the correct phone number for your station before they make the call.
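To see how the pieces described above fit together, the following Python model (an added example, not ISA Server code or its administration object model; H323Filter, Gatekeeper, evaluate_call and the sample values are assumptions) walks a call through the Application Filter switches, the Protocol Rule and the Gatekeeper registration table:

```python
from dataclasses import dataclass, field

# Constructed model of the three layers the article configures; added example, not ISA code.

@dataclass
class H323Filter:
    """H.323 Application Filter switches; every one of them applies server-wide."""
    allow_incoming: bool = True
    allow_outgoing: bool = True
    allow_audio: bool = True
    allow_video: bool = True
    allow_data: bool = True   # application sharing / data conferencing

@dataclass
class Gatekeeper:
    """Registration table filled when internal NetMeeting clients log on."""
    registrations: dict = field(default_factory=dict)  # (kind, alias) -> client

    def register(self, client, phone=None, email=None):
        if phone:
            self.registrations[("phone", phone)] = client
        if email:
            self.registrations[("email", email)] = client

def evaluate_call(flt, gk, protocol_rule_users, caller, callee_alias, direction, media):
    """Return (allowed, reason). direction is "inbound" (an external client dials
    the ISA external interface) or "outbound" (an internal client calls an
    Internet-connected client); media is a subset of {"audio", "video", "data"}."""
    if direction == "inbound":
        if not flt.allow_incoming:
            return False, "filter: incoming calls disabled"
        if callee_alias[0] != "phone":
            # Internet callers can only dial the registered phone number; e-mail aliases need a Gatekeeper and q931 DNS record on both sides
            return False, "external caller must dial a phone number"
        if callee_alias not in gk.registrations:
            return False, "no internal client registered under that number"
    elif direction == "outbound":
        if not flt.allow_outgoing:
            return False, "filter: outgoing calls disabled"
        if caller not in protocol_rule_users:   # Protocol Rule: who may use H.323
            return False, "protocol rule: caller not permitted to use H.323"
    else:
        return False, "unknown call direction"
    # Media switches cannot differ per user or group, so they are checked last for every call
    blocked = sorted(m for m in media if not getattr(flt, "allow_" + m))
    if blocked:
        return False, "filter: media disabled server-wide: " + ", ".join(blocked)
    return True, "ok"
```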
Video and audio quality are variable and dependent on the speed of the line, the type of camera you are using, and the video and audio configuration settings on the NetMeeting client itself. On a LAN, you can have high fidelity audio/video/data conferences, and even over a WAN if the throughput is adequate.
I’ve noticed that for medium quality audio/video, it takes about 3000-5000 Kbps inbound and outbound bandwidth to carry on the conference. I suppose this value would increase if I increased the video quality and line speed settings on the NetMeeting client. If you plan to introduce NetMeeting as part of your business plan, be sure to test the various NetMeeting client configuration settings and assess the bandwidth required on a per call basis. Then multiply the figure by the number of simultaneous calls you anticipate.
In this article we covered issues involved in configuring a simple NetMeeting and H.323 Gatekeeper solution. We went over how to configure the H.323 Application Filter and how to configure the interface on the H.323 Gatekeeper. Finally, we configured the internal and external NetMeeting clients so that an external NetMeeting client could call an internal NetMeeting client, when the internal NetMeeting client was registered with the H.323 Gatekeeper.
I would like to give special thanks to Ray Madison, who lent technical assistance while I was researching video configuration options and Internet ILS server scenarios.
I hope you found this article interesting and/or useful. If you have anything to add, or would like to comment on this article, please feel free to post to the message boards at www.isaserver.org. You can also email me at [email protected] and I’ll answer as soon as possible. Please include the title of the article in the subject line. Thanks! -Tom.