<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21"> <TITLE>OpenH323 Gatekeeper - The GNU Gatekeeper: Routed Mode and Proxy Configuration</TITLE> <LINK HREF="manual-6.html" REL=next> <LINK HREF="manual-4.html" REL=previous> <LINK HREF="manual.html#toc5" REL=contents> </HEAD> <BODY> <A HREF="manual-6.html">Next</A> <A HREF="manual-4.html">Previous</A> <A HREF="manual.html#toc5">Contents</A> <HR> <H2><A NAME="s5">5.</A> <A HREF="manual.html#toc5">Routed Mode and Proxy Configuration</A></H2> <H2><A NAME="routed"></A> <A NAME="ss5.1">5.1</A> <A HREF="manual.html#toc5.1">Section [RoutedMode]</A> </H2> <P>Call signaling messages may be passed in two ways. The first method is Direct Endpoint Call Signaling, in which case the call signaling messages are passed directly between the endpoints. The second method is Gatekeeper Routed Call Signaling. In this method, the call signaling messages are routed through the gatekeeper between the endpoints. The choice of which methods is used is made by the gatekeeper.</P> <P>When Gatekeeper Routed call signaling is used, the gatekeeper may choose whether to route the H.245 control channel and logical channels.</P> <P> <DL> <DT><B>Case I.</B><DD><P>The gatekeeper doesn't route them. The H.245 control channel and logical channels are established directly between the endpoints.</P> <DT><B>Case II.</B><DD><P>The H.245 control channel is routed between the endpoints through the gatekeeper, while the logical channels are established directly between the endpoints.</P> <DT><B>Case III.</B><DD><P>The gatekeeper routes the H.245 control channel, as well as all logical channels, including RTP/RTCP for audio and video, and T.120 channel for data. In this case, no traffic is passed directly between the endpoints. This is usually called an H.323 Proxy, which can be regarded as an H.323-H.323 gateway.</P> </DL> </P> <P>This section defines the gatekeeper routed mode options (case I & II). The proxy feature is defined in the <A HREF="#proxy">next section</A>. All settings in this section are affected by reloading.</P> <P> <UL> <LI><CODE>GKRouted=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>Whether to enable the gatekeeper routed signaling mode.</P> </LI> <LI><CODE>H245Routed=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>Whether to route the H.245 control channel through the gatekeeper too. Only takes effect if <CODE>GKRouted=1</CODE> and H.245 tunneling is disabled for a call. Even when this option is disabled, if Proxy or ProxyForNAT takes effect, an H.245 channel is always routed through the gatekeeper for calls being proxied.</P> </LI> <LI><CODE>CallSignalPort=0</CODE><BR> Default: <CODE>1721</CODE><BR> <P>The port of call signaling for the gatekeeper. The default port is <CODE>1721</CODE>. We don't use the well-known port <CODE>1720</CODE> so you can run an H.323 endpoint in the same machine of the gatekeeper. You may set it to <CODE>0</CODE> to let the gatekeeper choose an arbitrary port.</P> </LI> <LI><CODE>CallSignalHandlerNumber=10</CODE><BR> Default: <CODE>5</CODE><BR> <P>The number of threads dedicated to handle signaling/H.245 channels (between 1-200). You may increase this number in a heavy loaded gatekeeper. Each thread can process one signaling message at time, so increasing this number will increase call throughput. Under Windows, there exists a default limit of 64 sockets used by a single signaling thread, so each signaling thread is able to handle at most 32 calls (with H.245 tunneling enabled).</P> </LI> <LI><CODE>RtpHandlerNumber=2</CODE><BR> Default: <CODE>1</CODE><BR> <P>The number of RTP proxy handling threads. Increase this value only if you experience problems with RTP delay or jitter on a heavily loaded gatekeeper. A special care has to be taken on Windows, at RTP handling threads are subject of the same limit of 64 sockets as signaling threads. Each RTP thread is able to handle at most 32 proxied calls (2 sockets per call).</P> </LI> <LI><CODE>AcceptNeighborsCalls=1</CODE><BR> Default: <CODE>1</CODE><BR> <P>With this feature enabled, the call signaling thread will accept calls without a pre-existing CallRec found in the CallTable, provided an endpoint corresponding to the destinationAddress in Setup can be found in the RegistrationTable, and the calling party is its neighbors or parent GK. The gatekeeper will also use it's own call signaling address in LCF in responding to an LRQ. That means, the call signaling will be routed to GK2 in GK-GK calls. As a result, the CDRs in GK2 can correctly show the connected time, instead of 'unconnected'.</P> </LI> <LI><CODE>AcceptUnregisteredCalls=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>With this feature enabled, the gatekeeper will accept calls from any unregistered endpoint. However, it raises security risks. Be careful to use it.</P> </LI> <LI><CODE>RemoveH245AddressOnTunneling=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>Some endpoints send h245Address in the UUIE of Q.931 even when h245Tunneling is set to TRUE. This may cause interoperability problems. If the option is TRUE, the gatekeeper will remove h245Address when h245Tunneling flag is TRUE. This enforces the remote party to stay in tunneling mode.</P> </LI> <LI><CODE>RemoveCallOnDRQ=0</CODE><BR> Default: <CODE>1</CODE><BR> <P>With this option turning off, the gatekeeper will not disconnect a call if it receives a DRQ for it. This avoids potential race conditions when a DRQ overtakes a Release Complete. This is only meaningful in routed mode because in direct mode, the only mechanism to signal end-of-call is a DRQ. When using call failover this must be set to 0.</P> </LI> <LI><CODE>DropCallsByReleaseComplete=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>According to Recommendation H.323, the gatekeeper could tear down a call by sending RAS DisengageRequest to endpoints. However, some bad endpoints just ignore this command. With this option turning on, the gatekeeper will send Q.931 Release Complete instead of RAS DRQ to both endpoints to force them drop the call.</P> </LI> <LI><CODE>SendReleaseCompleteOnDRQ=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>On hangup, the endpoint sends both Release Complete within H.225/Q.931 and DRQ within RAS. It may happen that DRQ is processed first, causing the gatekeeper to close the call signaling channel, thus preventing the Release Complete from being forwarding to the other endpoint. Though the gatekeeper closes the TCP channel to the destination, some endpoints (e.g. Cisco CallManager) don't drop the call even if the call signaling channel is closed. This results in phones that keep ringing if the caller hangs up before the callee pickups. Setting this parameter to <CODE>1</CODE> makes the gatekeeper always send Release Complete to both endpoints before closing the call when it receives DRQ from one of the parties.</P> </LI> <LI><CODE>SupportNATedEndpoints=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>Whether to allow an endpoint behind an NAT box register to the gatekeeper. If yes, the gatekeeper will translate the IP address in Q.931 and H.245 channel into the IP of NAT box.</P> <P>Since 2.0.2, the GnuGk supports NAT outbound calls (from an endpoint behind NAT to public networks) directly without any necessary modification of endpoints or NAT box. Just register the endpoint with the GnuGk and you can make call now. </P> </LI> <LI><CODE>SupportCallingNATedEndpoints=0</CODE><BR> Default: <CODE>1</CODE><BR> <P>Whether to allow an endpoint behind an NAT box that support GnuGK Nat Traversal technique to receive calls. Use this to block errant gateways that do not support GnuGK Nat Traversal technique properly from causing one way audio problems when trying to call to the gateway. Calls to the gateways return caller unreachable. To be effective SupportNATedEndpoints must be set to 1.</P> </LI> <LI><CODE>TreatUnregisteredNAT=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>Used in conjunction with AcceptUnregisteredCalls and SupportNATedEndpoints will automatically treat all unregistered calls which cannot be determined as being NAT are treated as being NAT. </P> <P>Not all Endpoints send sourceSignalAddress in the setup message which can be used to determine whether a caller is NAT. This adds support to those that don't.</P> </LI> <LI><CODE>ScreenDisplayIE=MyID</CODE><BR> Default: <CODE>N/A</CODE><BR> <P>Modify the DisplayIE of Q.931 to the specified value.</P> </LI> <LI><CODE>ScreenCallingPartyNumberIE=0965123456</CODE><BR> Default: <CODE>N/A</CODE><BR> <P>Modify the CallingPartyNumberIE of Q.931 to the specified value.</P> </LI> <LI><CODE>ScreenSourceAddress=MyID</CODE><BR> Default: <CODE>N/A</CODE><BR> <P>Modify the sourceAddress field of UUIE element from Q.931 Setup message.</P> </LI> <LI><CODE>ForwardOnFacility=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>If yes, on receiving Q.931 Facility with reason <B>callForwarded</B>, the gatekeeper will forwards call Setup directly to the forwarded endpoint, instead of passing the message back to the caller. If you have broken endpoints that can't handle Q.931 Facility with reason <B>callForwarded</B>, turn on this option. Note that this feature may not always work correctly, as it does not provide any means of capability renegotiation and media channel reopening.</P> </LI> <LI><CODE>ShowForwarderNumber=0</CODE><BR> Default: <CODE>0</CODE><BR> <P>Whether to rewrite the calling party number to the number of forwarder. It's usually used for billing purpose. Only valid if <CODE>ForwardOnFacility=1</CODE>.</P> </LI> <LI><CODE>Q931PortRange=20000-20999</CODE><BR> Default: <CODE>N/A (let the OS allocate ports)</CODE><BR> <P>Specify the range of TCP port number for Q.931 signaling channels. Note the range size may limit the number of concurrent calls. Make sure this range is wide enough to take into account TIME_WAIT TCP socket timeout before a socket can be reused after closed. TIME_WAIT may vary from 15 seconds to a few minutes, depending on an OS. So if your range is 2000-2001 and you made two calls, next two can be made after TIME_WAIT timeout elapses and the sockets can be reused. The same applies to <CODE>H245PortRange</CODE> and <CODE>T120PortRange</CODE>. TIME_WAIT can be usually tuned down on most OSes.</P> </LI> <LI><CODE>H245PortRange=30000-30999</CODE><BR> Default: <CODE>N/A (let the OS allocate ports)</CODE><BR> <P>Specify the range of TCP port number for H.245 control channels. Note the range size may limit the number of concurrent calls. See remarks about TIME_WAIT socket state timeout in the <CODE>Q931PortRange</CODE> description.</P> </LI> <LI><CODE>SetupTimeout=4000</CODE><BR> Default: <CODE>8000</CODE><BR> <P>A timeout value (in milliseconds) to wait for a first message (Setup) to be received after a signaling TCP channel has been opened.</P> </LI> <LI><CODE>SignalTimeout=10000</CODE><BR> Default: <CODE>30000</CODE><BR> <P>A timeout value (in milliseconds) to wait for a signaling channel to be opened after an ACF message is sent or to wait for an Alerting message after a signaling channel has been opened. This option can be thought as a maximum allowed PDD (Post Dial Delay) value.</P> </LI> <LI><CODE>AlertingTimeout=60000</CODE><BR> Default: <CODE>180000</CODE><BR> <P>A timeout value (in milliseconds) to wait for a Connect message after a call entered Alerting state. This option can be thought as a maximum "ringing time".</P> </LI> <LI><CODE>TcpKeepAlive=0</CODE><BR> Default: <CODE>1</CODE><BR> <P>Enable/disable keepalive feature on TCP signaling sockets. This can help to detect inactive signaling channels and prevent dead calls from hanging in the call table. For this option to work, you also need to tweak system settings to adjust keep alive timeout. See docs/keepalive.txt for more details.</P> </LI> <LI><CODE>TranslateFacility=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>Enable this option if you have interoperability problems between H.323v4 and non-H.323v4 endpoints. It converts Facility messages with reason = transportedInformation into Facility messages with an empty body, because some endpoints do not process tunneled H.245 messages inside Facility, if the body is not empty. The conversion is performed only when necessary - if both endpoints are v4 or both endpoints are pre-v4, nothing is changed.</P> </LI> <LI><CODE>SocketCleanupTimeout=1000</CODE><BR> Default: <CODE>5000</CODE><BR> <P>Define time to wait before an unused socket is closed (if it is not yet closed) and deleted (its memory is released). If you use very small port ranges, like a few ports (e.g. RTPPortRange=2000-2009), you may want to decrease this value to get sockets reusable faster.</P> </LI> <LI><CODE>ActivateFailover=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>Activate call failover: When activated, GnuGk will try to find other possible routes to a destination if the call fails on the first route. Currently only routes available via the 'internal' routing policy can be used as alternatives routes.</P> <P>For accounting of calls using failover, see the SingleFailoverCDR switch in the <A HREF="manual-12.html#calltable">[CallTable]</A> section.</P> </LI> <LI><CODE>FailoverCauses=1-15,21-127</CODE><BR> Default: <CODE>1-15,21-127</CODE><BR> <P>Define which cause codes in a ReleaseComplete will trigger call failover.</P> </LI> <LI><CODE>DisableRetryChecks=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>This will disable all checks if a failed call has already received FastStart or H.245 messages. Caution: Using this switch enables you to retry more calls, but you run the risk that some of the retried calls will fail because the caller is already in a state where he can't talkt to a new partner.</P> </LI> <LI><CODE>CalledTypeOfNumber=1</CODE><BR> Default: <CODE>N/A</CODE><BR> <P>Sets Called-Party-Number type of number to the specified value for all calls (0 - UnknownType, 1 - InternationalType, 2 - NationalType, 3 - NetworkSpecificType, 4 - SubscriberType, 6 - AbbreviatedType, 7 - ReservedType).</P> </LI> <LI><CODE>CallingTypeOfNumber=1</CODE><BR> Default: <CODE>N/A</CODE><BR> <P>Sets Calling-Party-Number type of number to the specified value for all calls (0 - UnknownType, 1 - InternationalType, 2 - NationalType, 3 - NetworkSpecificType, 4 - SubscriberType, 6 - AbbreviatedType, 7 - ReservedType).</P> </LI> </UL> </P> <H2><A NAME="proxy"></A> <A NAME="ss5.2">5.2</A> <A HREF="manual.html#toc5.2">Section [Proxy]</A> </H2> <P>The section defines the H.323 proxy features. It means the gatekeeper will route all the traffic between the calling and called endpoints, so there is no traffic between the two endpoints directly. Thus it is very useful if you have some endpoints using private IP behind an NAT box and some endpoints using public IP outside the box.</P> <P>The gatekeeper can do proxy for logical channels of RTP/RTCP (audio and video) and T.120 (data). Logical channels opened by fast-connect procedures or H.245 tunneling are also supported.</P> <P>Note to make proxy work, the gatekeeper must have <B>direct connection</B> to both networks of the caller and callee.</P> <P> <UL> <LI><CODE>Enable=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>Whether to enable the proxy function. You have to enable gatekeeper routed mode first (see the <A HREF="#routed">previous section</A>). You don't have to specify H.245 routed. It will automatically be used if required.</P> </LI> <LI><CODE>InternalNetwork=10.0.1.0/24</CODE><BR> Default: <CODE>N/A</CODE><BR> <P>Define the networks behind the proxy. Multiple internal networks are allow. The proxy route channels only of the communications between one endpoint in the internal network and one external. If you don't specify it, all calls will be proxied. If using GnuGk behind a NAT and the [Gatekeeper::Main] ExternalIP is set then there is not requirement to set this as it is auto-detected at startup. Using this setting will simply override the default detected settings. </P> <P> <DL> <DT><B>Format:</B><DD><P><CODE>InternalNetwork=network address/netmask[,network address/netmask,...]</CODE></P> <P>The netmask can be expressed in decimal dot notation or CIDR notation (prefix length), as shown in the example.</P> <DT><B>Example:</B><DD><P><CODE>InternalNetwork=10.0.0.0/255.0.0.0,192.168.0.0/24</CODE></P> </DL> </P> </LI> <LI><CODE>T120PortRange=40000-40999</CODE><BR> Default: <CODE>N/A (let the OS allocate ports)</CODE><BR> <P>Specify the range of TCP port number for T.120 data channels. Note the range size may limit the number of concurrent calls. See remarks about TIME_WAIT socket state timeout in the <CODE>Q931PortRange</CODE> description.</P> </LI> <LI><CODE>RTPPortRange=50000-59999</CODE><BR> Default: <CODE>1024-65535</CODE><BR> <P>Specify the range of UDP port number for RTP/RTCP channels. Note the range size may limit the number of concurrent calls.</P> </LI> <LI><CODE>ProxyForNAT=1</CODE><BR> Default: <CODE>1</CODE><BR> <P>If yes, the gatekeeper will proxy for calls to which one of the endpoints participated is behind an NAT box. This ensure the RTP/RTCP stream can penetrate into the NAT box without modifying it. However, the endpoint behind the NAT box must use the same port to send and receive RTP/RTCP stream. If you have bad or broken endpoints that don't satisfy the precondition, you have better to disable this feature and let the NAT box forward RTP/RTCP stream for you.</P> </LI> <LI><CODE>ProxyForSameNAT=0</CODE><BR> Default: <CODE>0</CODE><BR> <P>Whether to proxy for calls between endpoints from the same NAT box. You do not need to enable this feature in general, since usually endpoints from the same NAT box can communicate with each other.</P> </LI> <LI><CODE>DisableH235Call=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>This setting removes the cryptoTokens and clearTokens off the Setup Message. Use this when working with IP Phones that do not support large Setup messages</P> </LI> <LI><CODE>DisableH460Call=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>This setting removes the H.460 features from the Setup Message. Use this with pre-H.323v4 Endpoints and Gateways which cannot decode these messages.</P> </LI> <LI><CODE>EnableRTPMute=1</CODE><BR> Default: <CODE>0</CODE><BR> <P>This setting allows either call party in media proxy mode to mute the audio/video by sending a * as either string or tone.userinput. The sending of * mutes the audio/video and a subsequent send of * unmutes the audio/video. Only the party who muted the call can unmute. This is designed as a hold function for terminals which do not support H450.4.</P> </LI> </UL> </P> <HR> <A HREF="manual-6.html">Next</A> <A HREF="manual-4.html">Previous</A> <A HREF="manual.html#toc5">Contents</A> </BODY> </HTML>