Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

Boards | Newsletter | Patches | Shinder Section | Software

Site Search

Certification
Configuration - Alt. Products &
Platforms
Configuration - General
Configuration - Security
General Guides and Articles
Installation & Planning
Miscellaneous
Non-ISAserver.org Tutorials
Publishing

Authors

Thomas Shinder
Ricky M. Magalhaes
Will Schmied
Jim Harrison
Stefaan Pouseele
Liran Zamir

Books

Links

Message Boards

Newsletter Signup

Software

Access Control
Anti Virus
Authentication
Caching
Content Security
Free Tools
High Avail. & Load Bal.
Intrusion Detection
Misc. ISA server software
Monitoring & Admin

Basic NetMeeting

and ISA Server

H.323 Gatekeeper Configuration.

Date: Jul 25, 2001

Section:

Tutorials :: Configuration - General

Author:

Thomas Shinder

Printable Version

Rating: 4/5 - 24 Votes

A popular but

somewhat confusing

topic is the

configuration and use

of the H.323

Gatekeeper service.

The H.323

Gatekeeper can be

used to allow H.323

compliant applications

to participate in

audio, video and data

conferences. Data is

shared by taking

advantage of the

T.120 protocol, which

is supported by the

H.323 Protocol Filter.

The Gatekeeper

Service and the

Protocol Filter work

together to support

date, audio and video

communications.

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (1 of 15)10.05.2004 11:05:43

Rate this article

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

Networking utilities
Reporting
Security Services
System hardening

Featured Product

Featured Book

Poll

Do you control user

web browsing through

ISA Server addon

software?

Yes

Recommended Sites

(Listen up! This article contains some

cool information builds on the H.323

material in the book. Be sure to print

this article and put it in your book

near the H.323 discussions on page

674. -Tom.)

A popular but somewhat confusing

topic is the configuration and use of

the H.323 Gatekeeper service. The

H.323 Gatekeeper can be used to

allow H.323 compliant applications to

participate in audio, video and data

conferences. Data is shared by taking

advantage of the T.120 protocol,

which is supported by the H.323

Protocol Filter. The Gatekeeper

Service and the Protocol Filter work

together to support date, audio and

video communications.

The H.323 Gatekeeper and H.323

Protocol Filter are extraordinarily

complex, and the complexity is made

even more so because of the number

of different scenarios the Gatekeeper

supports. These scenarios include,

but are not limited to:

Configuring ISA Server 2000 :

Building Firewalls for

Windows 2000

By Deb and Tom Shinder

Amazon.com

●

Direct PC to PC Communication when both machines are directly

connected to the Internet

●

PC to PC communication when one of the machines is directly

connected to the Internet and the other machine is behind an ISA

Server

●

PC to PC communications when both machines are located behind

ISA Servers

●

PC to PC communications when both machines are on the internal

network

●

PC to PC communications using an ILS Server when one machine

is on the internal network and one on an external network

●

PC to PC communications when both machines are on the same

internal name and connected to an ILS Server

And there are more. As you can see, there are a lot of different

environments in which a H.323 compliant application such as NetMeeting

can find itself in. In this article, we will limit ourselves to exploring

configuration options for when one client is directly connected to the

Internet and the other is behind the ISA Server H.323 Gatekeeper.

The setup is displayed in the figure below.

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (2 of 15)10.05.2004 11:05:43

Vote!

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

To make the whole thing work, we need to take care of the following

issues:

●

Configure the supporting network infrastructure to support our

ISA Server installation

●

Configure the H.323 Application Filter

●

Configure the Protocol Rule to support H.323 Communications

●

Install and Configure H.323 Gatekeeper

●

Configure the NetMeeting clients

Once you've taken care of these tasks, you'll be able to carry on audio

and video conferences with other NetMeeting client computers that

participate in the type of scenario that we cover in this article.

Configure the Supporting Networking Infrastructure

If you've read my other articles, you're probably are getting tired of

hearing this advice. One of the most common reasons why

administrators have problems with their ISA Server configuration is that

the network infrastructure is not in place to support what they want to do

with ISA Server.

Some of network service issues you should consider include:

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (3 of 15)10.05.2004 11:05:43

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

●

The DNS infrastructure and how internal and external names are

resolves for your clients

●

The types of ISA Server clients in use and what network services

are required by these clients

●

The NetBIOS name resolution infrastructure; this may or may not

be required depending on the types of client operating systems

you have on your internal network and what network features you

need to support

●

The NIC configuration parameters on the ISA Server itself

Make sure you are well versed in TCP/IP and TCP/IP networking services

before you begin your ISA Server adventure. The trip will be a lot more

pleasant and satisfying when you understand what networking services

are required to make everything work right. Check out the articles in the

Learning Zone for more information about how to optimize your

network infrastructure.

Configure the H.323 Application Filter

Network Clients needing to participate in audio, video or data

conferences can take advantage of the H.323 Applications Filter. Both

Gatekeeper aware and non-Gatekeeper NetMeeting aware clients access

the H.323 Application Filter. This Application Filter is enabled by default;

however, if for some reason it becomes disabled, you will not be able to

H.323 services.

Note:Data conferencing is supported by the H.120 protocol. Data

services through H.120 are tunneled through the H.323 protocol. The

H.323 Application Filter is able to handle and evaluate these complex

communications.

The H.323 Application Filter can be configured by performing the

following steps:

Open the ISA Management console, expand your server or array, and

then expand the Extensions node in the left pane.

1. Double click the H.323 Filter in the right pane and then click the

Call Control tab. You will see what appears in the figure below.

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (4 of 15)10.05.2004 11:05:43

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

Let's cover the meaning of the configuration options in this dialog box.

Use this Gatekeeper

You can have the H.323 Gatekeeper service use the local Gatekeeper, or

another Gatekeeper on your internal network. In the present example,

and for most of the configurations you'll be working with, configure this

option with the IP Address of the Internal interface of the ISA Server. Do

not configure it to use the external interface.

Allow incoming calls

If you want clients on an external network (such as the Internet) to be

able to initiate inbound calls to an internal NetMeeting client, you must

enable this option.

Allow outgoing calls

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (5 of 15)10.05.2004 11:05:43

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

If you want internal network clients to be able to initiate outbound calls

to external NetMeeting clients, you need to enable this option. If you

don't enable this option, internal clients will only be able to participate in

meetings with external clients when the external client initiates the call.

Use DNS Gatekeeper lookup and LRQs for alias resolution

This is the mystery configuration option! If you check the Help file on this

option, it will tell you:

"To enable DNS gatekeeper lookup, select the Use DNS gatekeeper

lookup and LRQs for alias resolution check box."

I have a explanation for this option, and I'll include it in a Tip article in

the future. Let's just take it for granted that you should have this option

checked. It will provide you the greatest flexibility in name resolution for

remote requests when you choose to call users using an email address.

The last three options:

●

Allow Audio

●

Allow Video

●

Allow T.120 and application sharing

Are used to allow or deny these features server-wide. You cannot allow

video for one group and audio for another group. Note that each option

in this group has an impact on bandwidth, with application sharing and

video being the biggest bandwidth hogs.

Generally, I recommend that you leave all these options enabled, at least

while you're testing your H.323 configuration. You might want to limit

what types of communications takes place, in terms of media control,

after you have determined that everything works.

Configure a Protocol Rule Supporting H.323 Communications

After the Application Filter is enabled and configured, you need to create

a Protocol Rule allowing outbound access for the H.323 Protocol. The

Protocol Rule allows for outbound access control of H.323

communications. Although you can't control the type (audio, video or

data) on a user/group basis, you can control who can use the H.323

protocol.

To create the H.323 Protocol Rule, perform the following steps:

Open the ISA Management console, expand your server or array, and

then expand the Access Policy node. Right click on the Protocol Rules

node, click New and then click Rule.

1. Name the Rule H.323 Outbound Access, or name it something

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (6 of 15)10.05.2004 11:05:43

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

else if you like. Click Next.

2. On the Rule Action page, select Allow and click Next.
3. On the Protocols page, click the down-arrow and select the

Selected Protocols option. Scroll through the list and select the

H.323 protocol by putting a checkmark in the checkbox. Then

click Next.

4. On the Schedule page, select the appropriate schedule, then click

Next.

5. On the Client Type page, select the appropriate client type

depending on how you want to control outbound access. In this

example we'll select Any request and click Next.

6. Review the configuration selections and click Finish.

Note:At this point, internal NetMeeting clients can now make outbound

calls to NetMeeting clients directly connected to the Internet. The

Protocol Rule works together with the H.323 Protocol Filter. However,

external clients will not be able to initiate inbound calls to internal

NetMeeting clients, and an internal NetMeeting client will not be able to

call an external NetMeeting client behind an ISA Server H.323

Gatekeeper.

Install and Configure the H.323 Gatekeeper

The H.323 Gatekeeper service is an "add-in" to the base ISA Server

installation. This can be installed when you install the core ISA Server

components, or you can install it afterward. Use the Add/Remove

Programs applet in the Control Panel to add the H.323 Gatekeeper

service if you did not install it with the rest of the ISA Server.

There isn't too much configuration to be done for the Gatekeeper service

in this scenario. However, you do need to configure which interface on

which the Gatekeeper should be listening.

Open the ISA Management console, expand your server or array, and

then click H.323 Gatekeepers. You should see the name of your ISA

Server as a subnode. If you don't see this, right click on the H.323

Gatekeepers node and click Add Gatekeeper. Select This computer

and click OK.

1. Right click on your ISA Server name and click Properties. When

the dialog box opens click on the Network tab. Place a

checkmark in the checkbox that represents the internal interface

of your ISA Server. Do not select the external interface because

you do not want or need the external interface to be a gatekeeper

for external clients. (it won't work)

2. Click OK.

For our simple scenario of a NetMeeting client on the internal network,

and an external NetMeeting client directly connected to the Internet, we

do not need to create any routing rules.

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (7 of 15)10.05.2004 11:05:43

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

THIS WEEK'S MYSTERY MEAT:

If you read Q289581, it seems to imply that if the internal NetMeeting

client is configured to use the Gatekeeper, then you must configure IP

address rules in order to connect to machines on the Internet. The

strange thing about this is 1. You don't need to do this, because it works

without the IP addresses rules, and 2. There is no way to create a

Destination to allow such a request, since the call is going directly to the

external NetMeeting client, and there is no mechanism to create such a

destination. It does make you wonder how the Gatekeeper handles

requests for non-local networks. Perhaps because I've run tests using the

Firewall Client, the LAT enters into the fray? At this time, IP address rules

and how they apply to making direct calls to Internet connected clients

are the mystery meat of the week.

Configure the NetMeeting Clients

The two NetMeeting clients need to be configured slightly differently. We

want the internal NetMeeting client to register with the H.323 Gatekeeper

and the external NetMeeting client to use the external interface of the

ISA Server as its Gateway. Remember that the internal clients always

external interface of the ISA Server as their Gateway.

Note: Depending on what Q289581 really means, you may have

'unregister' from the Gatekeeper in order to make outbound calls. I found

that this wasn't an issue, but if you can't make outbound calls, try

removing the Gatekeeper configuration for the internal client.

Configuring the Internal NetMeeting Client

To configure the internal NetMeeting client to use the Gatekeeper,

perform the following steps:

1. Open NetMeeting, click the Tools menu, and then click the

Options command.

2. You will see the General tab information as seen in the figure

below

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (8 of 15)10.05.2004 11:05:43

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

4. Place a checkmark in the checkbox for Use a gatekeeper to

place calls and then type in the computer name or IP address for

the internal interface of the ISA Server. This is the same address

that you selected when you configured the Properties of the H.323

Gatekeeper. Next, put a checkmark in the checkbox for Log on

using my phone number and type in a phone number. This can

be any number you like, or your company may have assigned you

a number. Note that you must use numerical characters only. No

dashes, letters, spaces or anything else.

5. Click OK and click OK again.

Place your mouse pointer over the icon in the lower right corner of the

NetMeeting application interface. If you configured the Gatekeeper

settings correctly, you should see a tool tip pop up that says Logged on

to gatekeeper as seen in the figure below.

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (10 of 15)10.05.2004 11:05:43

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

Configuring the External NetMeeting Client

The external NetMeeting client needs to be configured to use the external

interface of the ISA Server at its Gateway. I've noticed a few people

mention that they've tried to use the external interface of the ISA Server

as their Gatekeeper, and that just won't work! It might seem like it

works, but it doesn't so don't even try it. J

To configure the external NetMeeting client to use the external interface

of the ISA Server as their Gateway, perform the following steps:

1. Open NetMeeting, click the Tools menu and click the Options

command.

2. On the General tab, click on the Advanced Calling button.
3. In the Advanced Calling Options dialog box, put a checkmark in

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (11 of 15)10.05.2004 11:05:43

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

the Use a gateway to call telephones and videoconferencing

systems checkbox. Then enter the IP address or the FQDN of the

external interface of the ISA Server.

4. Click OK and click OK again.

Making the Call

Once the external NetMeeting client is configured to use the external

interface of the ISA Server as its Gateway, it can call an internal client by

using the phone number the internal client registered with the

Gatekeeper. Note that with this configuration you cannot use an email

address to call the internal NetMeeting client, even though the client may

have registered an email address with the Gatekeeper.

To use email addresses to call another user, both machines must lie

behind an H.323 Gatekeeper and each site must have a q931 record

entered into the DNS. We will cover this subject in detail in a future

article.

To make the call, the external NetMeeting client click the icon that looks

like a telephone, and then enters the phone number, as seen in the

figure below.

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (12 of 15)10.05.2004 11:05:43

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

After the call is established, you might see something scary, as

demonstrated from the machine of a poor bloke who called me. Note that

the lighting in my office was not optimal and the call was made at night.

Comments

This scenario where one computer is directly connected to the Internet

and the other is behind the ISA Server is commonly seen in smaller

offices where partners usually don't have their own firewalls. This also

the scenario you'll find yourself in when you want to talk to family

members and friends that have dial-up connections to the Internet.

Note that the external NetMeeting client must use a phone number to

make the call. There is no mechanism available for users to query the

registration database on the H.323 Gatekeeper. Therefore, you must

insure that external callers have the correct phone number for your

station before they make the call.

Video and audio quality are variable and dependent on the speed of the

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (13 of 15)10.05.2004 11:05:43

Basic NetMeeting and ISA Server H.323 Gatekeeper Configuration.

line, the type of camera you are using, and the video and audio

configuration settings on the NetMeeting client itself. On a LAN, you can

have high fidelity audio/video/data conferences, and even over a WAN if

the throughput is adequate.

I've noticed that for medium quality audio/video, it takes about 3000-

5000 Kbps inbound and outbound bandwidth to carry on the conference.

I suppose this value would increase if I increase the video quality and

line speed settings on the NetMeeting client. If you plan to introduce

NetMeeting as part of your business plan, be sure to test the various

NetMeeting client configuration settings and assess the bandwidth

required on a per call basis. Then multiply the figure by the number of

simultaneous calls you anticipate.

Summary

In this article we covered issues involved in configuring a simple

NetMeeting and H.323 Gatekeeper solution. We went over how to

configure the H.323 Application Filter and how to configure the interface

on the H.323 Gatekeeper. Finally, we configured the internal and external

NetMeeting clients so that an external NetMeeting client could call an

internal NetMeeting client, when the internal NetMeeting client was

registered with the H.323 Gatekeeper.

I would like to give special thanks to Ray Madison, who lent

technical assistance while I was researching video configuration

options and Internet ILS server scenarios.

I hope you found this article interesting and/or useful. If you have

anything to add, or would like to comment on this article, please feel free

to post to the message boards at

www.isaserver.org

. You can also email

me at

tshinder@isaserver.org

and I'll answer as soon as possible. Please

include the title of the article in the subject line. Thanks! -Tom.

If you would like us to email you when Tom Shinder releases another

article on ISAserver.org, subscribe to our 'Real-Time Article Update' by

clicking here

. Please note that we do NOT sell or rent the email addresses

belonging to our subscribers; we respect your privacy.

http://www.isaserver.org/tutorials/Basic_NetMeeting_and_ISA_Server_H323_Gatekeeper_Configuration.html (14 of 15)10.05.2004 11:05:43

Document Outline