Home > Neat Geek Stuff, Video Conferencing > Shooting Myself in the Foot With GNUGK and Polycom PVX

Shooting Myself in the Foot With GNUGK and Polycom PVX

We have started using a lot of video conferencing, using big room Polycom VSX 7000 systems on our boardrooms. Initialy we had three systems, and we had insufficient bandwidth on our internal WAN/VPN, so we got dedicated internet connections for the video conferencing sysetms and hung them right out on the internet. This worked fine for a few systems, and we could use simple cheapo firewall routers to provide a bit of security. Now we have five systems, and more on the way. We’ve also moved most (but not all) of our offices to a new private WAN infrastructure, and the Polycom systems have moved inside the firewalls into the internal WAN. The rest of the offices still will have dedicated internet connections for their Polycom systems. We also want to be able to connect desktop video conferencing software and third party organizations into our video conferencing network too.

Anyone familiar with VOIP and video conferencing can immediately see the problem: Video conferencing using the H.323 protocol is inherently not firewall friendly. It uses bi-directional call setup, wth some port connections initiated from both ends of the call, and numerous dynamically negotiated port numbers to stream the media content. Its a bear to get stuff like that working through a firewall, and since we use a private address space I would have to configure static NAT for each internal Polycom, using up several of my precious real external IP addresses.

There is a GNU project called GNU Gatekeeper (GNUGK) that can help wth this kind of a setup. Basically, a gatekeeper in H.323 parlance, is a service that VOIP endpoints can register with, so that calls can use the gatekeeper to get transferred onto different types of communications networks. Gatekeepers can allow VOIP calls to use ISDN lines, bridge VOIP to traditional PBX sysetms, or transfer VOIP onto PSTN lines, among other things. They can also maintain a list of short user-defined aliases for VOIP endpoints, so that you can make a call to a simple name, like Edmonton Boardroom instead of to an IP address. The GNUGK can do all of these things, plus it can act as an H.323 proxy with NAT. An H.323 proxy with NAT routes all VOIP calls in your network, and if it is connected at the border between a private IP address space and the public internet, it can translate the internal private address scheme to an external address that is accessible to VOIP enpoints outside. This is exactly what I needed. Polycom makes a hardware gadget that can do that, but it costs about $43,000 US or over $50,000 CDN, so I figured it was worth at least a bit of time put into testing the GNUGK to see if it would work for us.

I built a VMware virtual machine with SUSE Linux Enterprise Server 9 and installed GNUGK on it. I had a little bit of dependency struggles with it, but got it working. I stuck it on the border of our network, and had all my internal Polycom VSX 7000 units register with it. That worked great. Then, I enabled NAT on it, and allowed external video conferencing systems to connect to the gatekeeper from outside. I was using a trial version of Polycom PVX, which is a software videophone. It registered with the gatekeeper as soon as I enabled it to use the gatekeeper. However, it couldn’t complete a call, always complaining that the call had been routed through an intermediate network that didn’t service the far endpoint. I figured it must be a firewalling issue.

I fiddled with SuSEFirewall2 settings for a while without success, until I got frustrated and decided to switch to a simpler NAT and Firewll combination that I understood better. I dumped my SUSE Linux gatekeeper VM and installed FreeBSD 6.1 on it. Then I installed GNUGK from ports (/usr/ports/net/gatekeeper). I copied in my gnugk.ini file from the SUSE machine, started the gatekeeper, and voila!, I had the same problem as before: “bla bla intermediate network bla bla not service the far endpoint.”

I scratched my head a bit, and just for fun, I fired up Netmeeting instead of Polycom PVX. I registered it to the gatekeeper, dialed the Burnaby office, and BLAM!, I was staring at the darkened empty boardroom in Burnaby. What the hell! I went back into Polycom PVX and messed with the settings until I couldn’t think of anything else to try, and I couldn’t figure out how to get it to talk to the big Polycom VSX 7000 through the gatekeeper. I guess we’ll be using Netmeeting, which is included in XP anyways, rather than buying Polycom PVX for around $80 per seat.

My next trick will be getting two big Polycom VSX 7000 systems talking across the firewall using the GNUGK.

About these ads
  1. Kelly McLaurin
    2007-05-02 at 10:43

    Hello,
    I have a user who wants to video conference from anywhere (airport, hotspots), etc. Would gnugk help with this situation where I don’t have control over port forwarding on the firewall he is connecting through?
    Thanks for any help!

  2. Shiju
    2008-04-28 at 06:14

    Hi ,

    Would like to hear from you…where you able to register VSX 7000 to gnugk…? with ISDN and IP ?

    Thanks
    Shiju V.Joseph

  3. Vappy
    2008-08-12 at 07:41

    That error is indicative of a configuration issue in the PVX software. To put it bluntly and in the parlance of The Good Ol’ UK Of ..errr.. K…

    You basically knobbed up the software install.

    Try this:

    In your PVX Client (You want 8.0.4 – the current version as of this date) Click the Tools option and then Network then Connection. You have three options:

    * Directly connected behing a NAT…
    * Behind a NAT/ Firewall
    * Connected over VPN

    Try each on in turn but HERE’S the gotcha…

    It doesn’t bloody work…

    (or not every time, anyway) !! The trick is to close the PVX program, Ctrl+Alt+Esc into Task Manager… You’ll probably see vvsys.exe and ViaVideoNG.exe still running. Kill them with “End Process Tree” and restart PVX for the updated setting to actually kick in. It took me about 5 minutes of mucking about (and I have hardware NAT Firewalled router) but I found for me anyway it works perfectly on “Option One”.

    I’m connecting to a VSX3000 in the DMZ (albeit by direct IP) and it works flawlessly – perhaps experiment with that? It might the gatekeeper getting it’s knickers in a twist!

    So anyway I hope this helps or at least points you in the right direction. Ironically, I’ve never been able to make a NetMeeting connection to the damn thing, but I think that’s a problem with our other router filtering traffic.

    All the best and good luck,

    Vappy

  4. tony gallucci
    2008-09-11 at 16:30

    I don’t know linux, and couldn’t compile if I had to..That being said, should I attempt to install GNUGK on a box running Ubuntu? I need to get an older Radvision L2W working through my router/NAT.

  5. Jaken Theman
    2009-03-14 at 18:00

    The best option available for a free H.460 gateway is the Stalker Communigate Pro mail server. It has much better proxy services than gnugk. It’s not open source, but it is easy to configure multiple H323 sessions using H460. Great way around corporate firewall problems. Much better than hard-coding the router.

    It’s not well documented, so support and troubleshooting info is only available from the CGPro mailing list. Considering that Polycom and Tandberg charge a ton for the V2iu or VCS solutions, it’s a great deal. Configuration is straightforward and the logs tell you pretty much everything you need to know. We maxed out at over 100 simultaneous sessions. It packed the data-center bandwidth, but the server wasn’t even breathing hard. Good stuff.

  6. RANAKRISHNA.DESAI
    2010-08-28 at 02:46

    Date and timinges are changing friquently in 2to 3days anPOLYCOM VSX 7000SYSTEM?

  7. Steve
    2011-09-08 at 16:04

    Does anyone have any recommendations for a free Polycom Global Directory Server (GDS) which will run on Linux and is compatible with Polycom PVX?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: