Shooting Myself in the Foot With GNUGK and Polycom PVX
We have started using a lot of video conferencing, using big room Polycom VSX 7000 systems on our boardrooms. Initialy we had three systems, and we had insufficient bandwidth on our internal WAN/VPN, so we got dedicated internet connections for the video conferencing sysetms and hung them right out on the internet. This worked fine for a few systems, and we could use simple cheapo firewall routers to provide a bit of security. Now we have five systems, and more on the way. We’ve also moved most (but not all) of our offices to a new private WAN infrastructure, and the Polycom systems have moved inside the firewalls into the internal WAN. The rest of the offices still will have dedicated internet connections for their Polycom systems. We also want to be able to connect desktop video conferencing software and third party organizations into our video conferencing network too.
Anyone familiar with VOIP and video conferencing can immediately see the problem: Video conferencing using the H.323 protocol is inherently not firewall friendly. It uses bi-directional call setup, wth some port connections initiated from both ends of the call, and numerous dynamically negotiated port numbers to stream the media content. Its a bear to get stuff like that working through a firewall, and since we use a private address space I would have to configure static NAT for each internal Polycom, using up several of my precious real external IP addresses.
There is a GNU project called GNU Gatekeeper (GNUGK) that can help wth this kind of a setup. Basically, a gatekeeper in H.323 parlance, is a service that VOIP endpoints can register with, so that calls can use the gatekeeper to get transferred onto different types of communications networks. Gatekeepers can allow VOIP calls to use ISDN lines, bridge VOIP to traditional PBX sysetms, or transfer VOIP onto PSTN lines, among other things. They can also maintain a list of short user-defined aliases for VOIP endpoints, so that you can make a call to a simple name, like Edmonton Boardroom instead of to an IP address. The GNUGK can do all of these things, plus it can act as an H.323 proxy with NAT. An H.323 proxy with NAT routes all VOIP calls in your network, and if it is connected at the border between a private IP address space and the public internet, it can translate the internal private address scheme to an external address that is accessible to VOIP enpoints outside. This is exactly what I needed. Polycom makes a hardware gadget that can do that, but it costs about $43,000 US or over $50,000 CDN, so I figured it was worth at least a bit of time put into testing the GNUGK to see if it would work for us.
I built a VMware virtual machine with SUSE Linux Enterprise Server 9 and installed GNUGK on it. I had a little bit of dependency struggles with it, but got it working. I stuck it on the border of our network, and had all my internal Polycom VSX 7000 units register with it. That worked great. Then, I enabled NAT on it, and allowed external video conferencing systems to connect to the gatekeeper from outside. I was using a trial version of Polycom PVX, which is a software videophone. It registered with the gatekeeper as soon as I enabled it to use the gatekeeper. However, it couldn’t complete a call, always complaining that the call had been routed through an intermediate network that didn’t service the far endpoint. I figured it must be a firewalling issue.
I fiddled with SuSEFirewall2 settings for a while without success, until I got frustrated and decided to switch to a simpler NAT and Firewll combination that I understood better. I dumped my SUSE Linux gatekeeper VM and installed FreeBSD 6.1 on it. Then I installed GNUGK from ports (/usr/ports/net/gatekeeper). I copied in my gnugk.ini file from the SUSE machine, started the gatekeeper, and voila!, I had the same problem as before: “bla bla intermediate network bla bla not service the far endpoint.”
I scratched my head a bit, and just for fun, I fired up Netmeeting instead of Polycom PVX. I registered it to the gatekeeper, dialed the Burnaby office, and BLAM!, I was staring at the darkened empty boardroom in Burnaby. What the hell! I went back into Polycom PVX and messed with the settings until I couldn’t think of anything else to try, and I couldn’t figure out how to get it to talk to the big Polycom VSX 7000 through the gatekeeper. I guess we’ll be using Netmeeting, which is included in XP anyways, rather than buying Polycom PVX for around $80 per seat.
My next trick will be getting two big Polycom VSX 7000 systems talking across the firewall using the GNUGK.