Home
Topics
Network Security
Network Security Monitoring and Analysis
Using H.323 with NAT

Using H.323 with NAT

What issues/considerations/workarounds exist when trying to implement H.323 gatekeepers and/or gateways when Network Address Translation is used and calls must be made between endpoints/gateways/gatekeepers in different NAT'd subnets? My understanding is that the IP addresses in the "phone books" inside the gatekeepers/gateways are at a higher layer in the protocols and therefore will not be properly NAT'd. What is being done to address this and what is the workaround at this time?

Requires Free Membership to View

Login

By submitting you agree to receive email communications from
TechTarget and its partners. Privacy Policy Terms of Use.

Your understanding about NAT related difficulties is partially correct: the issue really arises from the fact that H.323 is an umbrella that supports numerous protocols and transports. If a transport, such as HTTP or RTSP, embeds IP addresses in the payload portion of IP traffic (rather than just in the header), when those packets get segmented or fragmented, that data becomes difficult to track and use.

Your best solution is to contact your gatekeeper or gateway vendor and ask them about the most secure set of protocols to use for H.323 sessions between NAT'd subnets. Unfortunately, such solutions are very much vendor-specific; since I don't want to write a book on the subject I can only give you an injunction to research the matter with your vendor or vendors.

Other possible solutions include:

setting up VPN links and punching specific ports through your firewalls
working with robust NAT implementations that permit some addresses to be handled (obviously, public addresses are essential) without translation
using a dual-homed gateway or gatekeeper and passing traffic through the public (untranslated) address side of the box
situating a video-teleconferencing box in your DMZ or on the public side of your Internet interfaces and tunnelling traffic between that box and the private site of your network
selecting alternate H.323 compatible transports that don't embed address data in streaming video payloads

Alas, except for the last suggestion, all of these approaches do involve potential security risks, so select any of these with extreme caution and make sure you monitor related ports and services for potential signs of abuse or attack.

One last note: if you're using Port Address Translation (PAT) rather than NAT in any of your applications, you're basically out of luck in this area. Proposed solutions and workarounds for that technology are neither well- understood nor widely implemented because of terrible security risks involved (like opening up large ranges of UDP and TCP ports). Reasonable workarounds or solutions for PAT are beyond me, at any rate.

--Ed--

More News and Tutorials

Articles

Related glossary terms

Terms for Whatis.com - the technology online dictionary

This was first published in November 2001

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

All fields are required. Comments will appear at the bottom of the article.

Back to top

More from Related TechTarget Sites

Enterprise WAN
Unified Communications
Mobile Computing
Data Center
Networking Channel

Enterprise WAN
- WAN optimization, management and security: Putting the pieces together
  
  By searching for solutions that put WAN optimization, management and security together, enterprise IT can reduce company bottom lines and complexity.
- Five ways applications benefit from enterprise WAN optimization
  
  These are five ways enterprise WAN optimization technology helps overcome productivity and application issues organizations face in today's workforce.
- Optimizing WAN performance: Industry trends driving demand
  
  As the enterprise workplace is becoming more virtual and mobile, optimizing WAN performance to fit end user demands is more vital than ever.
Unified Communications
- All You Can Meet video bridge prices meet more users' needs
  
  Blue Jeans Network, which provides hosted video bridges, is delivering All You Can Meet video conference pricing plans to enterprises.
- What is a call park phone feature and how does it work?
  
  UC expert, Matt Brunk, explains a call park phone feature, how it works and how it compares to a visual call park feature in this expert response.
- What's driving video interest and funding growth of video platforms?
  
  There are four drivers that are spurring video interest and funding the procurement of video platforms, says Nemertes Research's Irwin Lazar.
Mobile Computing
- Bringing BYOD to your enterprise
  
  Bring your own device (BYOD) can be a boon for both employees and enterprises, but clear policies and management tools are needed.
- Meeting technical requirements for mobile health care deployments
  
  IT departments deploying mobile health care solutions must ensure that using mobile devices in health care settings doesn't violate federal laws or compromise security.
- Making the call: Distributed antenna systems and in-building wireless
  
  Distributed antenna systems and in-building wireless solutions are two options to improve wireless cellular coverage within an enterprise facility.
Data Center
- Data center technologies evolve to meet tomorrow's computing demands
  
  VMware's upcoming public cloud and AMD's 64-bit ARM servers are technologies for the data center that exemplify the changes in the IT industry.
- New data center cooling strategies to improve efficiency, lower costs
  
  Stagnant strategies for data center cooling will keep energy bills climbing ever higher, but a more modern approach can bring them back down to earth.
- Converged systems usher in data center transformation
  
  The rise of converged systems has brought a new level of manageability to the data center, but these integrated offerings have a few drawbacks.
Networking Channel
- Aruba Networks Partner Program Checklist
  
  Value-added resellers and service providers interested in reselling Aruba networking hardware and software can learn the benefits of becoming an Aruba Networks partner with this standardized checklist. Compare Aruba's reseller partner program with other vendors' offering similar products.
- NetScout Systems Partner Program Checklist
  
  Learn the benefits of becoming a NetScout Systems reseller partner with our Partner Program Checklist.
- Visage Mobile Partner Program Checklist
  
  Learn the benefits of becoming a Visage Mobile reseller partner with our Partner Program Checklist.

All Rights Reserved,Copyright 2000 - 2013, TechTarget