TANDBERG N3, Gatekeeper User Manual

TANDBERG Gatekeeper User Manual
Software version N3
D13381.03
This document is not to be reproduced in whole or in part without permission in writing from:
Trademarks and copyright
Copyright 1993-2005 TANDBERG ASA. All rights reserved. This document contains information that is proprietary to TANDBERG ASA. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronically, mechanically, by photocopying, or otherwise, without the prior written permission of TANDBERG ASA. Nationally and internationally recognized trademarks and tradenames are the property of their respective holders and are hereby acknowledged.
Portions of this software are licensed under 3rd party licenses. See CD accompanying this product for details.
Disclaimer
The information in this document is furnished for informational purposes only, is subject to change without prior notice, and should not be construed as a commitment by TANDBERG ASA.
The information in this document is believed to be accurate and reliable, however TANDBERG ASA assumes no responsibility or liability for any errors or inaccuracies that may appear in this document, nor for any infringements of patents or other rights of third parties resulting from its use. No license is granted under any patents or patent rights of TANDBERG ASA.
COPYRIGHT © 2005, TANDBERG ASA
Environmental Issues
Thank you for buying a product which contributes to a reduction in pollution, and thereby helps save the environment. Our products reduce the need for travel and transport and thereby reduce pollution. Our products have either none or few consumable parts (chemicals, toner, gas, paper). Our products are low energy consuming products.
TANDBERG's Environmental Policy
TANDBERG's Research and Development is continuously improving TANDBERG's products towards less use of environmentally hazardous components and substances, as well as making the products easier to recycle.
TANDBERG's products are Communication Solutions. The idea of these solutions is to reduce the need for expensive, time-demanding and polluting transport of people. Through people's use of TANDBERG's products, the environment will benefit from less use of polluting transport.
TANDBERG's wide use of the concept of outsourcing makes the company itself a company with a low rate of emissions and effects on the environment.
TANDBERG's policy is to make sure our partners produce our products with minimal influence on the environment, and to demand and audit their compliance with applicable agreements and laws (national and international).
Environmental Considerations
Like other electronic equipment, the TANDBERG Gatekeeper contains components that may have a detrimental effect on the environment. TANDBERG works continuously towards eliminating these substances in our products.
- Printed-wiring boards made of plastic, with flame-retardants like Chloride or Bromide.
- Component soldering that contains lead.
- Smaller components containing substances with possible environmental effect.
After the product's end of life cycle, it should be returned to authorized waste handling and should be treated according to National and International Regulations for waste of electronic equipment.
Operator Safety Summary
For your protection, please read these safety instructions completely before operating the equipment and keep this manual for future reference. The information in this summary is intended for operators. Carefully observe all warnings, precautions and instructions both on the apparatus and in the operating instructions.
Warnings
Water and moisture - Do not operate the equipment under or near water - for example near a bathtub, kitchen sink, or laundry tub, in a wet basement, near a swimming pool or in areas with high humidity.
Cleaning - Unplug the apparatus from the wall outlet before cleaning or polishing. Do not use liquid cleaners or aerosol cleaners. Use a lint-free cloth lightly moistened with water for cleaning the exterior of the apparatus.
Ventilation - Do not block any of the ventilation openings of the apparatus. Install in accordance with the installation instructions. Never cover the slots and openings with a cloth or other material. Never install the apparatus near heat sources such as radiators, heat registers, stoves, or other apparatus (including amplifiers) that produce heat.
Grounding or Polarization - Do not defeat the safety purpose of the polarized or grounding-type plug. A polarized plug has two blades with one wider than the other. A grounding-type plug has two blades and a third grounding prong. The wide blade or third prong is provided for your safety. If the provided plug does not fit into your outlet, consult an electrician.
Power-Cord Protection - Route the power cord so as to avoid it being walked on or pinched by items placed upon or against it, paying particular attention to the plugs, receptacles, and the point where the cord exits from the apparatus.
Attachments - Only use attachments as recommended by the manufacturer.
Accessories - Use only with a cart, stand, tripod, bracket, or table specified by the manufacturer, or sold with the apparatus. When a cart is used, use caution when moving the cart/apparatus combination to avoid injury from tip-over.
Lightning - Unplug this apparatus during lightning storms or when unused for long periods of time.
Servicing - Do not attempt to service the apparatus yourself, as opening or removing covers may expose you to dangerous voltages or other hazards, and will void the warranty. Refer all servicing to qualified service personnel.
Damaged Equipment - Unplug the apparatus from the outlet and refer servicing to qualified personnel under the following conditions:
- When the power cord or plug is damaged or frayed
- If liquid has been spilled or objects have fallen into the apparatus
- If the apparatus has been exposed to rain or moisture
- If the apparatus has been subjected to excessive shock by being dropped, or the cabinet has been damaged
- If the apparatus fails to operate in accordance with the operating instructions.
Table Of Contents
TANDBERG Gatekeeper User Manual .......................................................................................i
Trademarks and copyright ......................................................................................................ii
Environmental Issues.............................................................................................................iii
Operator Safety Summary .....................................................................................................iv
1 Introduction......................................................................................................................... 1
1.1 TANDBERG Gatekeeper Overview ............................................................................ 2
2 Installation .......................................................................................................................... 3
2.1 Unpacking ................................................................................................................... 3
2.2 Mounting...................................................................................................................... 4
2.3 Connecting Cables......................................................................................................4
2.4 Switching on the System.............................................................................................4
2.5 Gatekeeper Initial Configuration ................................................................................. 5
3 Using the Gatekeeper ........................................................................................................ 7
3.1 System Administration ................................................................................................ 7
3.2 Registration.................................................................................................................7
3.3 Neighbor Gatekeepers................................................................................................8
3.4 Alternate Gatekeepers ................................................................................................9
3.5 Call Control................................................................................................................ 11
3.6 Bandwidth Control.....................................................................................................14
3.6.1 Bandwidth Control and Firewall Traversal......................................................... 16
3.6.2 Bandwidth Control Examples.............................................................................17
3.7 Registration Control .................................................................................................. 19
3.7.1 Registration Restriction Policy........................................................................... 19
3.7.2 Authentication .................................................................................................... 20
3.8 H.235 Authentication.................................................................................................20
3.8.1 Authentication using a local database ............................................................... 20
3.8.2 Authentication using an LDAP server................................................................ 21
3.9 URI Dialing................................................................................................................23
3.9.1 URI Dialing and firewall traversal.......................................................................24
3.9.2 Creating DNS SRV records ............................................................................... 24
3.10 Firewall traversal ................................................................................................... 24
3.10.1 Calling unregistered endpoints .......................................................................... 25
3.11 Call Policy..............................................................................................................25
3.11.1 Making Decisions Based on Addresses ............................................................ 26
3.11.2 CPL Script Actions.............................................................................................27
3.11.3 Unsupported CPL Elements .............................................................................. 28
3.11.4 CPL Examples ................................................................................................... 28
4 Software Upgrade ............................................................................................................ 30
4.1 Upgrading Using HTTP(S) ........................................................................................30
4.2 Upgrading Using SCP...............................................................................................31
5 Configuring the Gatekeeper .............................................................................................33
5.1 Status........................................................................................................................33
5.2 Configuration.............................................................................................................34
5.3 Command.................................................................................................................. 40
5.4 History.......................................................................................................................42
5.5 Feedback................................................................................................................... 42
5.6 Other commands....................................................................................................... 43
6 Appendix: Configuring DNS Servers................................................................................45
6.1 Microsoft DNS Server ............................................................................................... 45
6.2 BIND 8 & 9 ................................................................................................................45
6.3 Verifying the SRV record........................................................................................... 46
7 Appendix: Configuring LDAP Servers..............................................................................47
7.1 Microsoft Active Directory ......................................................................................... 47
7.1.1 Prerequisites......................................................................................................47
7.1.2 Adding H.350 objects.........................................................................................47
7.1.3 Securing with TLS..............................................................................................48
7.2 OpenLDAP................................................................................................................48
7.2.1 Prerequisites......................................................................................................48
7.2.2 Installing the H.350 schemas.............................................................................48
7.2.3 Adding H.350 objects.........................................................................................49
7.2.4 Securing with TLS..............................................................................................50
8 Approvals.......................................................................................................................... 51
9 Technical Specifications...................................................................................................52
10 Index.............................................................................................................................53
1 Introduction
This User Manual is provided to help you make the best use of your TANDBERG Gatekeeper. A Gatekeeper is a central part of an H.323 infrastructure. It provides address translation and controls access to the network for H.323 terminals, Gateways and MCUs. The Gatekeeper also provides other services to the terminals, Gateways and MCUs such as bandwidth management and locating Gateways.
A Gatekeeper is also a key component of TANDBERG's Expressway™ firewall traversal solution. Used in conjunction with a TANDBERG Border Controller it allows calls to be made into and out of a secured private network.
The main features of the TANDBERG Gatekeeper are:
- Automatic discovery and manual registrations of H.323 terminals, gateways and MCUs.
- Registration of H.323 ID, E.164 aliases and services.
- Secure traversal of any firewall or NAT.
- URI dialing.
- Supports up to 1000 registered devices and services.
- Supports up to 100 neighboring zones.
- Up to 200 active calls.
- Up to 100 traversal calls.
- Flexible zone configuration with and without prefixes.
- Can function as a leaf Gatekeeper or as a master Gatekeeper in a Gatekeeper hierarchy.
- Can be used to control the amount of bandwidth used both within a zone and to neighboring zones.
- Can limit total bandwidth usage and set maximum per-call bandwidth usage, with automatic down-speeding if a call exceeds the per-call maximum.
- Can be managed with TANDBERG Management Suite 9.0 or newer, or as a standalone system with RS-232, Telnet, SSH, HTTP and HTTPS.
- Embedded setup wizard on serial port for initial configuration.
Note that features may vary depending on software package.
1.1 TANDBERG Gatekeeper Overview
On the front of the Gatekeeper there are three LAN interfaces, a serial port (Data 1) and a Light Emitting Diode (Power). The LAN 1 interface is used for connecting the system to your local area network; LAN interfaces 2 and 3 are disabled. The serial port (Data 1) is for connection to a PC, and power on is indicated by the Light Emitting Diode (Power) being lit.
The back of the Gatekeeper has a power connector, a power switch, and a serial port (Data 2) for connecting to a PC.
2 Installation
Precautions:
- Never install communication equipment during a lightning storm.
- Never install jacks for communication cables in wet locations unless the jack is specifically designed for wet locations.
- Never touch uninstalled communication wires or terminals unless the communication line has been disconnected at the network interface.
- Use caution when installing or modifying communication lines.
- Avoid using communication equipment (other than a cordless type) during an electrical storm. There may be a remote risk of electrical shock from lightning.
- Do not use communication equipment to report a gas leak in the vicinity of the leak.
- The socket outlet shall be installed near to the equipment and shall be easily accessible.
- Never install cables without first switching the power OFF.
- This product complies with directives: LVD 73/23/EC and EMC 89/366/EEC.
- Power must be switched off before power supplies can be removed from or installed into the unit.
2.1 Unpacking
The TANDBERG Gatekeeper is delivered in a special shipping box which should contain the following components:
- Gatekeeper unit
- Installation sheet
- User manual and other documentation on CD
- Rack-ears and screws
- Kit with 4 rubber feet
- Cables:
  o Power cables
  o One Ethernet cable
  o One null-modem RS-232 cable
Installation site preparations
- Make sure that the Gatekeeper is accessible and that all cables can be easily connected.
- For ventilation: leave a space of at least 10cm (4 inches) behind the Gatekeeper's rear and 5cm (2 inches) on the sides.
- The room in which you install the Gatekeeper should have an ambient temperature between 0°C and 35°C (32°F and 95°F) and between 10% and 90% non-condensing relative humidity.
- Do not place heavy objects directly on top of the Gatekeeper.
- Do not place hot objects directly on top of, or directly beneath, the Gatekeeper.
- Use a grounded AC power outlet for the Gatekeeper.
2.2 Mounting
The Gatekeeper comes with brackets for mounting in standard 19" racks. Before starting the rack mounting, please make sure the TANDBERG Gatekeeper is placed securely on a hard, flat surface.
1. Disconnect the AC power cable.
2. Make sure that the mounting space is according to the `Installation site preparations' in section 2.1.
3. Attach the brackets to the chassis on both sides of the unit.
4. Insert the unit into a 19" rack, and secure it with screws.
2.3 Connecting Cables
Power cable
Connect the system power cable to an electrical distribution socket.
LAN cable
Connect a LAN cable from the LAN 1 connector on the front of the unit to your local area network.
Null-modem RS-232 cable
Connect the supplied null-modem RS-232 cable between the Gatekeeper's Data 1 connector and the COM port on a PC.
2.4 Switching on the System
To start the TANDBERG Gatekeeper, make sure that the following has been done:
- The power cable is connected.
- The LAN cable is connected.
Then switch the power switch on the back of the unit to '1'. The Power LED on the front of the chassis will light up.
2.5 Gatekeeper Initial Configuration
The TANDBERG Gatekeeper requires some configuration before it can be used. This must be done using a PC connected to the serial port (Data 1).
The main thing that needs to be configured is the IP settings of the Gatekeeper. This includes the IP address, the IP subnet mask, and the IP gateway. The Gatekeeper has to be configured with a static IP address. Consult your network administrator for information on which addresses to use.
To set the initial configuration, do the following:
1. Connect the supplied null-modem RS-232 cable from Data 1 to a PC running a terminal program.
2. Start the terminal program and configure it with baud rate 115200, 8 data bits, no parity, 1 stop bit, no flow control.
3. Power on the unit if it is not already on.
4. You should see the unit display start up information.
5. After approximately 1 minute you will get a login prompt.
6. Enter username admin and your password. The default password is TANDBERG.
7. You will be prompted if you want to run the install wizard. Type Y and press Enter.
(none) login: admin
Password:
Run install wizard [n]: Y
8. Specify the following:
a. The password you want to use for your system. This password is used to log in to the system with the admin user account.
b. The IP address of the system.
c. The IP subnet mask of the system.
d. The IP default gateway of the system.
e. The Ethernet speed.
f. The local zone prefix you want to use for the zone controlled by this system.
g. Whether you want to use SSH to administer the system.
h. Whether you want to use Telnet to administer the system.
9. You will be prompted to log in again. You should see a welcome message like this:
Welcome to
TANDBERG Gatekeeper Release N3.0
SW Release Date: 2005-06-15
OK
10. Login with username admin and your password.
11. Review other system settings. You may want to set the following:
a. The name of the Gatekeeper. This is used to identify the Gatekeeper by the TANDBERG Management Suite and by the TANDBERG Border Controller. See the xConfiguration SystemUnit command in section 5.2 for more information on setting the name.
b. Automatic discovery. If you have multiple Gatekeepers in the same network you may want to disable automatic discovery on some of them. See the xConfiguration Gatekeeper AutoDiscovery command in section 5.2 for more information.
12. Reboot the Gatekeeper by typing the command xCommand boot to make your new settings take effect.
13. Disconnect the serial cable.
NOTE
To secure the Gatekeeper you should disable HTTP, HTTPS, SSH and Telnet, relying on the serial interface for management. If you need IP connectivity, it is recommended that you use SSH or HTTPS.
NOTE If you do not have an IP gateway, configure it with an unused IP address that is valid in your subnet as your IP gateway.
3 Using the Gatekeeper
The Gatekeeper is used by H.323 terminals, Gateways and MCUs. These devices register with the Gatekeeper and the Gatekeeper then provides address translation and controls access to the network.
3.1 System Administration
To configure and monitor the TANDBERG Gatekeeper you can either use the web interface or a command line interface. The command line interface is available over SSH and Telnet, or through the serial port. The interface is the same using all three access methods.
To enter commands you should start a session and login with username admin and your password.
The interface groups information in different commands:
xstatus - Provides a read-only interface to determine the current status of the system. Information such as current calls and registrations is available through this command group.
xconfiguration - A read/write interface to set system configuration data such as IP address and subnet.
xcommand - A miscellaneous group of commands for setting information or obtaining it.
xhistory - Provides historical information about calls and registrations.
xfeedback - An event interface, providing information about calls and registrations.
A command reference is given in section 5, Configuring the Gatekeeper.
3.2 Registration
Before an endpoint can use the Gatekeeper it must register with the Gatekeeper. There are two ways an endpoint can register:
- Automatically.
- Manually, by specifying the IP address of the Gatekeeper.
You can disable automatic registration on the Gatekeeper. See auto discovery in section 5.2 for more information.
When registering, the endpoint registers with one or more of the following:
- One or more H.323 IDs.
- One or more E.164 aliases.
- One or more services.
Users on other registered endpoints can then call the endpoint by using the H.323 ID, a URI, an E.164 alias, or one of the services.
Consult the endpoint documentation for information on how to configure it with a Gatekeeper. The Gatekeeper can be configured to only accept registrations from particular endpoints. See section 3.7, Registration Control for details.
NOTE Automatic discovery is a function that allows the Gatekeeper to reply to multicast Gatekeeper discovery messages from the endpoint.
NOTE If you have problems registering the endpoint, try turning on automatic discovery. Some endpoints require automatic registration to be enabled.
NOTE
When URI dialing is used to discover an endpoint, the URI used is based on either the H.323 ID or the E.164 alias that the endpoint registered with. The local domain is then added to this. See section 3.9, URI Dialing for more details.
3.3 Neighbor Gatekeepers
You may configure several Gatekeepers to work together, each taking responsibility for part of the endpoint community. You will typically want to do this for separate geographical regions or organizational entities. You may create a list of up to 100 neighbor Gatekeepers. Each of these may be assigned a prefix, similar to an area code in telephony terms. All endpoints which register with that Gatekeeper are assigned the same number prefix. They are referred to as being in the Gatekeeper's zone. When one Gatekeeper needs to query another for a particular number, it can consult its own prefix list, find the appropriate Gatekeeper and issue the query.
The figure below shows an example with two zones, zone A with local prefix 54 and zone B with local prefix 65. A also has B configured as its neighbor.
This means that a system in zone A can call a system in zone B. If terminal 1 wants to dial terminal 3 it can do so by prefixing the number of terminal 3 with the zone prefix of zone B; the number to dial will then be 65331.
The TANDBERG Gatekeeper also supports prefixless zones. If none of the prefix zones provide a match for a dialed number, all of the prefixless zones will be queried.
In the example above, if Gatekeeper A had configured Gatekeeper B as a prefixless zone, Terminal 1 could call Terminal 3 by dialing 331. Gatekeeper A will not recognize 331 as a registered alias and because of this forward the request to the Gatekeeper in zone B.
Zones also play an important role in helping you to control the amount of traffic on your network. See section 3.6, Bandwidth Control for details on this.
Remote zones can be configured through the web interface of the TANDBERG Gatekeeper by navigating to Gatekeeper Configuration > Gatekeeper. See Figure 1 for a screenshot of the configuration.
Figure 1 Screenshot of the Adding a New Zone configuration
NOTE
When using a local zone prefix do not start the E.164 aliases with the same digits as the local prefix. If you do this the Gatekeeper will strip the digits equal to the prefix from the alias thinking it is a call from another zone.
NOTE
If you want to use URI dialing (see section 3.9, URI Dialing) to neighbor Gatekeepers you should not use prefixes on your zones.
NOTE
If prefixing zones are used, all prefixes used must be unique to both the other zones as well as to any other alias or service prefixes registered to the gatekeeper.
NOTE
If prefix mode is set to Strip rather than Include the gatekeeper will not send the remote zone prefix to the far end gatekeeper in the Location Requests.
3.4 Alternate Gatekeepers
Alternate Gatekeeper support is provided to increase the reliability of your deployment. If one Gatekeeper becomes unavailable, perhaps due to a network or power outage, another will be used as an Alternate. Alternate Gatekeepers share responsibility for their endpoint community: an individual endpoint may be registered with any one of the Alternates. You should configure Alternate Gatekeepers identically for all registration and call features such as authentication, bandwidth control and policy. If you do not do this, endpoint behavior will vary unpredictably depending on which Alternate it is currently registered with. Alternate Gatekeepers should also be deployed on the same LAN as each other so that they may be configured with the same routing information such as local domain names and local domain subnet masks.
Each Gatekeeper may be configured with the IP addresses of up to five Alternates. When an endpoint registers with the Gatekeeper, it is presented with the IP addresses of all the Alternates. If the endpoint loses contact with its initial Gatekeeper, it will seek to register with one of the Alternates. This may result in your endpoint community's registrations being spread over all the Alternates.
When a Gatekeeper receives a Location Request, if it cannot respond from its own registration database, it will query all of its Alternates before responding. This allows the pool of registrations to be treated as if they were registered with a single Gatekeeper.
The Alternate Gatekeepers can be configured within the web interface of the Gatekeeper by navigating to Gatekeeper Configuration > Gatekeeper. Up to five different alternates can be configured. Please see Figure 2 for a screenshot of a sample configuration.
Figure 2 Screenshot of the Alternate Gatekeeper configuration
3.5 Call Control
When an endpoint wants to call another endpoint, it presents the address it wants to call to the Gatekeeper using a protocol known as RAS. The Gatekeeper tries to resolve this address and supplies the calling endpoint with information about the called endpoint. The destination address can take several forms: IP address, H.323 ID, E.164 alias or a full H.323 URI.
Dialing by IP address is necessary when the destination endpoint is not registered with a Gatekeeper or Border Controller. If it is registered, then one of the other addressing schemes should be used instead as they are more flexible.
When an H.323 ID or E.164 alias is used, the Gatekeeper looks for a match between the dialed address and the aliases registered by its endpoints. If no match is found, it may query other Gatekeepers and Border Controllers.
When dialing by H.323 URI, the destination address resembles an email address. The Gatekeeper first follows the procedure for matching H.323 IDs. If that fails it looks for a Gatekeeper or Border Controller responsible for the domain (the part of the URI following the @) and queries that device.
NOTES
ARQ, Admission Request. An endpoint request to make or answer a call.
LRQ, Location Request. A query between Gatekeepers or Border Controllers to determine the location of an endpoint.
RAS, Registration, Admission and Status Protocol. Used by endpoints and Gatekeepers to communicate.
Figures 1 and 2 illustrate the process the Gatekeeper performs when receiving call requests.
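The resolution order described in sections 3.3 and 3.5 (dial by IP, local alias match with local-prefix stripping, prefix zones in Strip or Include mode, then prefixless zones, and URI lookup by domain), as an added worked model that is not TANDBERG code. Neighbor LRQs are simulated by calling the neighbor object directly; the zone names, aliases, domains and IP addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added model of the zone and alias resolution described in sections 3.3 and
# 3.5; it is not TANDBERG code. Neighbor queries (LRQs) are simulated by
# calling the neighbor object directly. All names and addresses are constructed.

@dataclass
class Gatekeeper:
    name: str
    local_prefix: Optional[str] = None   # local zone prefix, e.g. "54"
    domain: Optional[str] = None         # domain this Gatekeeper answers for (URI dialing)
    prefix_mode: str = "Strip"           # "Strip" or "Include" (section 3.3 note)
    registrations: dict = field(default_factory=dict)   # alias -> endpoint IP
    neighbors: list = field(default_factory=list)       # [(prefix or None, Gatekeeper)]

    def register(self, alias: str, ip: str) -> None:
        self.registrations[alias] = ip

    def add_neighbor(self, gk: "Gatekeeper", prefix: Optional[str] = None) -> None:
        # prefix=None makes gk a prefixless zone. Prefixes must be unique (section 3.3).
        self.neighbors.append((prefix, gk))

    def local_lookup(self, alias: str) -> Optional[str]:
        # The Gatekeeper strips digits equal to its own local prefix before matching,
        # which is why local E.164 aliases must not start with those digits.
        if self.local_prefix and alias.startswith(self.local_prefix):
            alias = alias[len(self.local_prefix):]
        return self.registrations.get(alias)

    def handle_lrq(self, alias: str) -> Optional[str]:
        # Far-end side of a Location Request: answer from own registrations only.
        return self.local_lookup(alias)

    def resolve(self, dialed: str, trace: Optional[list] = None) -> Optional[str]:
        """Return the endpoint IP for a dialed address, or None. `trace`
        collects which step answered (useful when checking a configuration)."""
        log = trace if trace is not None else []
        # 1. Dialing by IP address: no translation is needed (section 3.5).
        try:
            ipaddress.ip_address(dialed)
            log.append("ip")
            return dialed
        except ValueError:
            pass
        # 2. H.323 URI: try it as an H.323 ID first, then ask the neighbor
        #    responsible for the domain after the '@' (section 3.5).
        if "@" in dialed:
            ip = self.local_lookup(dialed)
            if ip:
                log.append("local")
                return ip
            domain = dialed.rsplit("@", 1)[1]
            for _prefix, gk in self.neighbors:
                if gk.domain == domain:
                    log.append(f"lrq {gk.name} {dialed}")
                    return gk.handle_lrq(dialed)
            return None
        # 3. H.323 ID or E.164 alias: own registrations first.
        ip = self.local_lookup(dialed)
        if ip:
            log.append("local")
            return ip
        # 4. A matching zone prefix selects one neighbor; in Strip mode the prefix
        #    is removed before the LRQ is sent, in Include mode it is kept.
        for prefix, gk in self.neighbors:
            if prefix and dialed.startswith(prefix):
                query = dialed if self.prefix_mode == "Include" else dialed[len(prefix):]
                log.append(f"lrq {gk.name} {query}")
                return gk.handle_lrq(query)
        # 5. No prefix matched: query all prefixless zones.
        for prefix, gk in self.neighbors:
            if prefix is None:
                log.append(f"lrq {gk.name} {dialed}")
                ip = gk.handle_lrq(dialed)
                if ip:
                    return ip
        return None


def build_example(prefixless: bool = False):
    """Zones A (prefix 54) and B (prefix 65) from section 3.3, with terminal 1
    in A and terminal 3 in B. Constructed addresses, not from the manual."""
    gk_a = Gatekeeper("A", local_prefix="54", domain="a.example")
    gk_b = Gatekeeper("B", local_prefix="65", domain="b.example")
    gk_a.register("111", "10.0.1.11")             # terminal 1
    gk_b.register("331", "10.0.2.33")             # terminal 3
    gk_b.register("t3@b.example", "10.0.2.33")    # terminal 3 by H.323 ID / URI
    gk_a.add_neighbor(gk_b, prefix=None if prefixless else "65")
    return gk_a, gk_b
```

With the prefix zone configured, `build_example()[0].resolve("65331")` sends B the query `331`, while `build_example(prefixless=True)[0].resolve("331")` reaches B through the prefixless fallback; registering an alias in B that starts with B's own prefix (the pitfall in the section 3.3 note) makes it unreachable.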
Figure 3 Admission Request Processing