Configuring FireWall-1 and VoIP with H.323
Analog (conventional) telephones and digital (soft) telephones can be used in conjunction with an H.323-based VoIP solution. Conventional phones do not have IP addresses but can be connected to an H.323 gateway, which converts the analog signal to digital so that the phone can participate in VoIP. Digital phones can be either a physical telephone that has an IP address or a computer with the appropriate software that enables it to act as a telephone. Both of these configurations are referred to as "soft phones." The IP addresses of the gateway (if necessary) and the soft phones should be on their own subnet along with the H.323 gatekeeper computer.
The gatekeeper H.323 component is the focal point for all calls within a VoIP network. It provides important services such as addressing, authorization, and authentication for the gateway and the IP phones behind it. The gatekeeper can also provide bandwidth management, accounting, billing, charging, and call-routing services.
The first step in configuring the firewall to inspect VoIP traffic is to define host node and/or network objects that represent the IP phones, the gateway computer (optional) and the gatekeeper computer. The gatekeeper and the gateway should be created as host objects. Each IP phone can be a host node object as well or you could create a network object that represents the IP address range of your VoIP network. The only portion of the H.323 architecture in which you do not have to create objects is the analog phones. Since they don't have IP addresses, they are represented by the gateway object. If you do not have analog phones then you have no need to create a gateway object.
Creating the Gateway
If you have analog phones in your VoIP network you must create a VoIP Domain H.323 Gateway object as outlined in the following steps:
1. Go to Manage > Network Objects and choose New > VoIP Domains > VoIP Domain H.323 Gateway.
2. In the General tab, define the gateway's Name, Comment, and Color. Choose the network object that represents the IP addresses of your VoIP subnet in the Related Endpoints Domain pull-down menu. Keep in mind that if different H.323 protocols are carried on different interfaces, then a separate host node object has to be created to represent each interface. These host node objects should then be grouped together and defined in the VoIP Installed At field. If there is a single interface carrying the protocols that make up H.323, then only one host node object (which represents the H.323 gateway) should be defined in the VoIP Installed At field.
3. In the Routing Mode tab, you'll see two options: Call Setup and Call Setup And Call Control. Call Setup (Q.931) handles the setup and termination of the calls, whereas Call Setup And Call Control does that as well as negotiating the parameters necessary for multimedia. At least one of the choices must be checked, depending on the VoIP product that you are using.
Most people are not familiar with the H.323 protocol but have experienced using it if they've ever used Microsoft's NetMeeting product.
Creating the Gatekeeper
The gatekeeper object must be created to securely pass H.323 traffic through your firewall. To create a gatekeeper object, follow these steps:
1. Go to Manage > Network Objects and, in the Network Objects window, choose New > VoIP Domains > VoIP Domain H.323 Gatekeeper.
2. In the General tab, shown in Figure 21-1 below, define the gatekeeper's Name, Comment, and Color. The network object or address range object that represents your soft phones subnet and/or the object that represents your gateway (if you're using analog phones) should be defined in the Related Endpoints Domain field. If you are using a combination of analog and digital phones, then combine the gateway and the network range in a Simple Group and define it here. The host node object that represents your H.323 gatekeeper machine should be defined in the VoIP Installed At field.
[Figure 21-1: General tab of the VoIP Domain H.323 Gatekeeper object]
3. Under the Routing Mode tab of the gatekeeper properties, you can choose from three allowed routing modes. This option identifies which connections will be rerouted from your VoIP gatekeeper to the VoIP gatekeeper on the other end. At least one of the following choices must be checked, depending on the VoIP equipment that is being utilized:
Direct: The H.225 and Q.931 protocols, which allow gatekeeper-to-gatekeeper communication and call setup and breakdown respectively, are rerouted if this check box is selected.
Call Setup (Q.931): H.245, which is the control protocol used by H.323 for multimedia communication, will be rerouted from gatekeeper to gatekeeper along with the Q.931 protocols.
Call Setup (Q.931) and Call Control (H.245): Connections that deal with video, audio, and the control connections associated with video and audio will be rerouted gatekeeper to gatekeeper.
VoIP is a large set of protocols that are not easily understood. A good resource to learn more about VoIP is http://www.voip-calculator.com/.
Configuring Global Properties
In the VoIP page of the Global Properties window, shown in Figure 21-2 below, you can change the VoIP parameters from their default settings. If the Log VoIP Connection option is checked, every VoIP (SIP and H.323) connection will be logged, including the telephone number information. Under the H.323 section, Allow to Re-direct Connections is an H.323 function that allows call forwarding and call waiting to occur. Disallow Blank Source Phone Numbers is what we commonly know as blocking CallerID. Enable Dynamic T.120 enables the T.120 protocol, which most recognize as the whiteboarding feature of NetMeeting.
[Figure 21-2: VoIP page of the Global Properties window]
Configuring the Rule Base
Now that you have created your network objects and configured your VoIP global parameters, it's time to configure the rule base to filter H.323 traffic.
The concept in creating the rule is to allow traffic to pass from gatekeeper to gatekeeper or from gateway to gateway using the H.323 service. You have more than one H.323 service to choose from: H.323_any provides all the required services for VoIP, and H.323_ras includes only the RAS part of the H.323 protocol. If you wish to use more than just H.323_ras, then you will have to define additional services for this rule or create additional rules to allow the other protocols (e.g. T.120 or H.450) necessary for the call to be completed.
For our purposes in this book, Figure 21-3 below displays a good example of an H.323 VoIP rule. The gatekeepers of Detroit and Madrid are listed in both the Source and Destination columns of the rule. The Service is H.323_any, and the Action is Accept.
[Figure 21-3: Example H.323 VoIP rule (Detroit and Madrid gatekeepers, Service H.323_any, Action Accept)]
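To make concrete why the choice between H.323_ras and H.323_any matters, and why the firewall has to understand H.323 rather than just open ports, the following is an added Python model of the Detroit/Madrid rule described above. It is example code written for this section, not Check Point code, and it simplifies the protocol: the only static services modelled are the well-known ports UDP 1719 (RAS) and TCP 1720 (Q.931 call setup), the decoded Q.931 message is represented by a plain dict, and the object names "gk-detroit", "gk-madrid", and "pc-sales" are constructed labels. The point it demonstrates is that the H.245 control channel lives on a port negotiated inside Q.931, so it can only be accepted by inspecting the setup exchange, and that the pinhole must be opened only toward the host that announced it.

```python
from dataclasses import dataclass

# Well-known H.323 ports (this model treats these two as the only static services).
H225_RAS_UDP = 1719   # RAS: registration, admission and status with the gatekeeper
Q931_TCP = 1720       # H.225 call setup / teardown
DEFAULT_ACTION = "Drop"  # anything no rule matches is dropped


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    source: frozenset
    destination: frozenset
    service: str   # "H.323_any" or "H.323_ras"
    action: str    # "Accept" or "Drop"


class H323RuleBase:
    """Toy H.323-aware rule base: static RAS/Q.931 matching plus dynamic
    H.245 channels learned from inspected Q.931 setup messages."""

    def __init__(self, rules):
        self.rules = list(rules)
        # Learned H.245 channels: (listener, peer, tcp_port) means `peer`
        # may connect to `listener` on `tcp_port`.
        self.h245_channels = set()

    def _service_matches(self, rule, pkt):
        if rule.service == "H.323_ras":
            return pkt.proto == "udp" and pkt.dport == H225_RAS_UDP
        if rule.service == "H.323_any":
            if pkt.proto == "udp" and pkt.dport == H225_RAS_UDP:
                return True
            if pkt.proto == "tcp" and pkt.dport == Q931_TCP:
                return True
            # H.245 uses a port negotiated inside Q.931, so it is accepted
            # only after the inspector has seen that negotiation.
            return pkt.proto == "tcp" and (pkt.dst, pkt.src, pkt.dport) in self.h245_channels
        return False

    def decide(self, pkt):
        """First-match rule base evaluation; unmatched traffic is dropped."""
        for rule in self.rules:
            if (pkt.src in rule.source and pkt.dst in rule.destination
                    and self._service_matches(rule, pkt)):
                return rule.action
        return DEFAULT_ACTION

    def inspect_q931(self, pkt, msg):
        """Learn the H.245 listener announced in a Q.931 message.

        `msg` is a constructed dict standing in for the decoded message
        (keys: "h245_address", "h245_port"). The channel is recorded only
        if the Q.931 packet itself was accepted and the announced listener
        is the sender of the message, so a setup cannot open a hole toward
        an unrelated third host. Returns True if a channel was learned."""
        if pkt.dport != Q931_TCP or self.decide(pkt) != "Accept":
            return False
        if msg.get("h245_address") != pkt.src:
            return False
        self.h245_channels.add((pkt.src, pkt.dst, int(msg["h245_port"])))
        return True


def figure_21_3_rule(service="H.323_any"):
    """The Detroit/Madrid gatekeeper rule from the text, with the service
    selectable so the two service definitions can be compared."""
    gatekeepers = frozenset({"gk-detroit", "gk-madrid"})
    return H323RuleBase([Rule(gatekeepers, gatekeepers, service, "Accept")])
```

Running the model with H.323_any, RAS and Q.931 between the two gatekeepers are accepted, a TCP connection to a high port is dropped until a Q.931 message from that side announces it, and the same port is accepted afterwards only in the direction that was negotiated. With the rule changed to H.323_ras, the Q.931 setup on TCP 1720 is dropped, which is the situation the text describes as requiring additional services or rules.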
You now have an understanding of how to configure the firewall for H.323-based VoIP systems. Now look at the next section, where you will learn how to configure SIP-based VoIP systems.