Proxy outside the firewall, Proxies and nat – Cisco H.323 VC-289 User Manual


Configuring H.323 Gatekeepers and Proxies

H.323 Proxy Features

VC-300

Cisco IOS Voice, Video, and Fax Configuration Guide

Proxy Outside the Firewall

To place the proxy and gatekeeper outside the firewall, two conditions must exist. First, the firewall must
support H.323 dynamic access control. Second, Network Address Translation (NAT) must not be in use.

If NAT is in use, each endpoint must register with the gatekeeper for the duration of the time it is online.
This will quickly overwhelm the firewall because a large number of relatively static, internal-to-external
address mappings will need to be maintained.

If the firewall does not support H.323 dynamic access control, the firewall can be configured with static
access lists that allow traffic from the proxy or gatekeeper through the firewall. This can present a
security risk if an attacker can spoof, or simulate, the IP addresses of the gatekeeper or proxy and use
them to attack the network.
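As an added illustration of the risk just described (example code written for this page, not from the Cisco guide), the Python model below contrasts a static access list keyed only on the proxy's source address with a simplified form of H.323 dynamic access control that opens a media port only for a call it has seen signalled. The proxy address 192.0.2.10, the terminal 10.0.0.7 and all port numbers except the H.225 port 1720 are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed topology (assumption, not from the Cisco guide): the proxy sits
# outside the firewall at 192.0.2.10, terminals live inside on 10.0.0.0/8.
# H.225 signalling uses port 1720; media ports are negotiated per call.
PROXY_IP = "192.0.2.10"
H225_PORT = 1720

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int

def static_acl_permits(pkt: Packet) -> bool:
    """Static access list as the guide describes it: anything sourced from the
    proxy's address is let through, since media ports are unknown in advance.
    A packet that merely claims that source address passes too."""
    return pkt.src_ip == PROXY_IP

class DynamicH323Firewall:
    """Simplified model of H.323 dynamic access control: signalling to the
    fixed H.225 port is always allowed, while a media port is open only
    between call setup and call release for the exact flow signalled."""
    def __init__(self) -> None:
        self.pinholes = set()  # (src_ip, dst_ip, dst_port) opened per call

    def observe_call_setup(self, src: str, dst: str, port: int) -> None:
        # A real firewall learns this by inspecting the H.245 channel.
        self.pinholes.add((src, dst, port))

    def observe_call_release(self, src: str, dst: str, port: int) -> None:
        self.pinholes.discard((src, dst, port))

    def permits(self, pkt: Packet) -> bool:
        if pkt.src_ip == PROXY_IP and pkt.dst_port == H225_PORT:
            return True
        return (pkt.src_ip, pkt.dst_ip, pkt.dst_port) in self.pinholes

def compare() -> dict:
    # Run both policies over constructed traffic and return the verdicts.
    fw = DynamicH323Firewall()
    forged = Packet(PROXY_IP, "10.0.0.7", 5000)   # claims the proxy's address
    media = Packet(PROXY_IP, "10.0.0.7", 16384)   # RTP flow of a real call
    out = {"forged_static": static_acl_permits(forged),
           "forged_dynamic": fw.permits(forged)}
    fw.observe_call_setup(PROXY_IP, "10.0.0.7", 16384)
    out["media_during_call"] = fw.permits(media)
    fw.observe_call_release(PROXY_IP, "10.0.0.7", 16384)
    out["media_after_call"] = fw.permits(media)
    return out
```

The static list admits the forged packet on any port, whereas the dynamic model rejects it and admits the media flow only while its call is up.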

Figure 60 illustrates a proxy outside the firewall.

Figure 60 Proxy Outside the Firewall

Proxies and NAT

When a firewall is providing NAT between an internal and an external network, proxies may allow H.323
traffic to be handled properly, even in the absence of a firewall that can translate addresses for H.323
traffic.

Table 24 and Table 25 provide guidelines for proxy deployment in networks that use NAT.

[Figure 60 (S6915): diagram showing terminals, gatekeeper, firewall, edge router, proxy and outside devices]

Table 24 Guidelines for Networks That Use NAT

For Networks Using NAT                   Firewall with H.323 NAT                     Firewall Without H.323 NAT
Firewall with dynamic access control     Gatekeeper and proxy inside the firewall    Co-edge gatekeeper and proxy
Firewall without dynamic access control  Gatekeeper and proxy inside the firewall,   Co-edge gatekeeper and proxy
                                         with static access lists on the firewall
