January 2000


Tom Keating

Leaping Over H.323 Hurdles

BY Tom Keating


We've all heard the hype surrounding the H.323 protocol and how it will make VoIP gateways interoperate, and make Internet telephony software such as NetMeeting compatible with NetSpeak's WebPhone software or VocalTec's Internet Phone. This notoriety might make you think that H.323 is heralding the "second coming" of Alexander Graham Bell, come back to do away with the outdated circuit-switched telephone systems in favor of packet switched "IP-centric" phone systems. In fact, I had a dream the other night in which I heard Mr. Bell shouting, "Be gone analog! I decree that IP communication is the only way to true salvation." (I think I've been in this industry too long!)

H.323 has come a long way, but don't be fooled, it still has a long way to go. I'll address some of H.323's limitations, the current state of H.323, as well as the future of H.323 and Internet telephony in general. But first, let's brush up on H.323 with a bit of a backgrounder.

H.323 CRASH COURSE
Let me begin by describing gatekeepers, MCUs, and gateways, which provide some additional functionality to the H.323 environment.

Gatekeeper
The gatekeeper acts as a monitor of all H.323 calls within its zone on the LAN. It provides two important call control functions: the first is address translation from LAN aliases for terminals and gateways to IP addresses, and the second is bandwidth management. An H.323 client that wants to place a call can do so with the assistance of the gatekeeper. The gatekeeper provides the address resolution to the destination client. During this address resolution phase, the gatekeeper may also decide whether or not to complete the call based upon available bandwidth or permissions.

MCU
The Multipoint Control Unit (MCU) provides the ability to have multi-party, multimedia conferences. It coordinates all of the media capabilities of the participants.

Gateway
Gateways provide interoperability with other standards-based media devices. For instance, gateways are defined for H.320 (ISDN-based video conferencing devices), H.324 (telephony-based video conferencing terminals), and POTS (Plain Old Telephone System) devices.

DON’T BELIEVE THE HYPE!
Now that you’ve read up on H.323, let me just say this: don’t believe it when someone claims their product is H.323 compliant. Today, H.323 has had mixed success. Several VoIP gateways claim to be “H.323 compliant,” but in reality, there are several shades of gray when it comes to H.323 compatibility. Just because two competing VoIP gateway vendors claim H.323 compatibility does not mean that their gateways will interoperate with each other. Fortunately, the competing gateway manufacturers understand the importance of adhering to an open standard and have been working together to make their products 100 percent compatible with each other.

In fact, at Internet Telephony™ Expo this past October, several Internet telephony companies worked on the show floor for hours, in a special section called ConvergeNET, trying to get their products to communicate with each other. Several companies succeeded in getting their products to interoperate for the very first time. (See www.tmcnet.com/tmcnet/newsit/it1000540.htm and www.tmcnet.com/tmcnet/newsit/it1000581.htm)

STATE OF THE (H.323) UNION
But all is not roses and peaches. There are some hurdles to jump before H.323 can gain a foothold in the business world. Before I address these hurdles, let’s look at the state of H.323 and Internet telephony in general. Today, the technology exists for companies to install Internet telephony gateways in all their branch offices, and save a ton of money on long distance calls. In fact, several large companies have done so. Of course, the current driving factor in buying these products is saving money.

In the future, however, Internet telephony will be about more than just saving money. Enhanced services, video conferencing, application sharing, and better customer service will be key forces driving Internet telephony. A few companies that are leading the way toward IP-enabled telephony systems include Cisco, 3Com, and Lucent — all names you should recognize.

But there are some names you might not be familiar with, like Dialpad.com, Lands’ End, and Callrewards.com. Both DialPad.com and CallRewards.com offer free long distance calls from your multimedia PC to any phone in the country. Without getting too technical, these two companies use VoIP gateways along with their own proprietary software that you download in order to communicate with anyone in the continental United States. Both use banner advertisements to make money.

As for Lands’ End, a company that I have mentioned in a past CC: column, I bring them up again because their Web site offers not only Web call back, but I also recently learned that they have Web call through (VoIP) installed. This means that a visitor to their Web site can click a button and talk to a call center agent across the Internet without having to disconnect their Internet dial-up connection. In addition, although it’s not free, I should also point out that Delta Three has recently launched a PC-to-phone service at very competitive rates.

H.323 HURDLES
One of the first well-known problems was the long connection time for an H.323 call. In the first version of H.323, a call was placed from one endpoint to another, but streams were not immediately available. This resulted in a long delay between the time a call was answered and the point at which the participants could hear each other. With the release of H.323 Version 2 and the introduction of Fast Call Setup, this problem has been eliminated.

As Chief Technology Officer of TMC, one of my responsibilities is ensuring the security of our data networks. As such, two critical points that I need to make sure are tightly controlled include the router and any firewalls put onto our network. What’s so difficult about getting H.323 through firewalls? The simplest answer is that H.323 is complex, uses dynamic ports, and includes multiple UDP streams. Some of the ports required include 1718 (gatekeeper discovery), 1719 (gatekeeper RAS), 1720 (call setup), and several dynamic ports.

Opening several ports for just one VoIP application makes a network manager cringe, since it possibly opens another security hole. Since hackers often take advantage of certain network ports to break into computer systems, many network managers would be hesitant to open several network ports on both the router and the firewall to allow H.323 traffic to pass through. H.323’s requirement that several ports be opened is something that I feel needs to be addressed in any future modification of this specification.

Other hurdles to H.323 deployment include forklift upgrades to the infrastructure, including access routers, firewalls, and gatekeeper/proxy. In addition, an H.320-H.323 gateway at every LAN/WAN interface is required. Bilateral “communications agreements” between gatekeepers must be agreed to and implemented before VoIP communication will work.

TESTING, 1… 2… 3…
Just for fun, I tested H.323 in TMC Labs on a testing network using Microsoft Proxy as our pseudo firewall connected to the Internet. I set up one PC behind the firewall (we’ll call it PC-FIRE), and the other PC was connected directly to the Internet with no firewall in front of it (called PC-NOFIRE).

I was able to make outbound calls using an H.323 client (NetMeeting 3.01) from PC-FIRE (behind the Microsoft Proxy) to PC-NOFIRE, just by typing the IP address for PC-NOFIRE. It connected and I was able to transmit voice across the Internet.

The next test involved making an outbound call to the machine behind the firewall, from PC-NOFIRE to PC-FIRE. Oh, that this could be so simple! We can only wish this were true. The IP address for PC-NOFIRE was an invalid Internet address (192.0.3.1) used on our corporate LAN. Of course the IP address is valid on our LAN, just not on the Internet. To be able to make a call to PC-FIRE, I thought perhaps if I logged onto a ULS server, it just might work, assuming Microsoft Proxy knew how to proxy NetMeeting requests.

I logged PC-FIRE onto one of Microsoft’s ULS servers, and then from PC-NOFIRE, I double-clicked on PC-FIRE’s name. It wasn’t able to make the connection. Of course, I wasn’t anticipating this working anyway. Since Microsoft Proxy is publishing its IP address to the ULS Server (to protect PC-FIRE) instead of PC-FIRE’s IP address, when I double-clicked on PC-FIRE’s name, I was actually sort of initiating a NetMeeting call to the Microsoft Proxy machine. While not exactly accurate, to keep this discussion from digressing into the nitty-gritty of networking, this description will suffice.

In any event, when Microsoft Proxy receives the NetMeeting call, it needs to proxy it (or forward it) to PC-FIRE, just like it proxies Web page requests. Unfortunately, the current version of Microsoft Proxy does not do this. Or if it does, I don’t see an easy way of configuring Microsoft Proxy to get it to work. I’m told the next version of Microsoft Proxy, which is currently in beta, will better handle H.323 traffic.

The fact that you cannot make an H.323 call to someone in a corporate setting due to a firewall is something that I believe is impeding the Internet telephony industry. If the future truly is an IP world, then in this future world I certainly should be able to make an IP phone call to any other IP phone device. I should be able to make an IP phone call without worrying whether or not my uncle put a firewall in front of his newfangled AT&T 2010 IP phone or if he forgot to open the necessary H.323 ports. This is a liability that certainly will need to be addressed before we will be able to make IP phone calls from an IP device to any other IP device in the world.

I should point out that the router and firewall manufacturers are aware of this issue and have started to come out with H.323-compatible products. For instance, I’m aware that Checkpoint, the most popular firewall vendor, has an H.323-compliant firewall product.

One vendor has come up with a solution for this problem though. RidgeWay Systems & Software has a product called VX-Centrex that acts as a central proxy server. Some of the advantages of using this product include:

  • Only response to location requests is the IP address of the VX server.
  • Fully terminates H.323 call setup and media to apply inverse NAT and client authentication.
  • Existing firewall system can simply be reconfigured to securely handle H.323 traffic (no forklift upgrade to H.323 compliant firewall).
  • Only packets to/from central server IP address.
  • Only packets on one pair of well-known ports, 2776 and 2777 (versus using H.323 alone, which requires opening several ports).
  • Enables regular NAT or PAT routers to handle H.323 traffic without modification.
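
The difference in exposure between opening H.323's ports directly and funnelling traffic through one central proxy can be made concrete. The following is an added example, not from the original column or from any vendor: it audits two constructed firewall rule sets, one for native H.323 and one for a central proxy on ports 2776 and 2777. The dynamic range 1024-65535, the proxy address 203.0.113.10, the transports allowed on 2776/2777, and the WIDE threshold are assumptions.

```python
from dataclasses import dataclass

# Ports named in the article; the transports are the standard H.323 assignments.
H323_PORTS = {("udp", 1718): "gatekeeper discovery",
              ("udp", 1719): "gatekeeper RAS",
              ("tcp", 1720): "call setup"}
WIDE = 100  # assumption: a rule spanning more than 100 ports counts as "wide"

@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    lo: int      # first port in the allowed range
    hi: int      # last port in the allowed range
    peer: str    # remote address allowed to use the rule, or "any"

def audit(rules):
    """Summarise what a list of firewall allow rules exposes."""
    open_ports = set()
    for r in rules:
        open_ports.update((r.proto, p) for p in range(r.lo, r.hi + 1))
    return {
        "ports": len(open_ports),  # distinct proto/port pairs, overlaps counted once
        "any_peer": any(r.peer == "any" for r in rules),
        "wide": [r for r in rules if r.hi - r.lo + 1 > WIDE],
        "h323": sorted(name for key, name in H323_PORTS.items() if key in open_ports),
    }

# Constructed rule set: H.323 through a firewall with no H.323 awareness.
# The 1024-65535 ranges stand in for the "several dynamic ports" (assumption).
NATIVE = [
    Rule("udp", 1718, 1719, "any"),
    Rule("tcp", 1720, 1720, "any"),
    Rule("tcp", 1024, 65535, "any"),   # dynamically negotiated control channel
    Rule("udp", 1024, 65535, "any"),   # dynamically negotiated media streams
]
# Constructed rule set: central proxy on ports 2776/2777 only. The address is a
# documentation placeholder and both transports are allowed (assumptions).
PROXY = [
    Rule("tcp", 2776, 2777, "203.0.113.10"),
    Rule("udp", 2776, 2777, "203.0.113.10"),
]

if __name__ == "__main__":
    for label, rules in (("native H.323", NATIVE), ("central proxy", PROXY)):
        result = audit(rules)
        print(f"{label}: {result['ports']} ports, any peer: {result['any_peer']}, "
              f"wide rules: {len(result['wide'])}, H.323 ports: {result['h323']}")
```

Because the well-known ports 1718 to 1720 fall inside the dynamic ranges, the native rule set's exposure is determined entirely by the two wide rules.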

CONCLUSION
Today we are at a crossroads between two worlds: the circuit-switched world and the soon-to-be-IP-everywhere world. More and more companies are migrating towards packet-based telephony systems, but for the near future we will certainly see a combination of circuit-switched and packet networks. Eventually, most experts predict that the circuit-switched networks will become obsolete, supplanted by the IP juggernaut. I couldn’t agree more. There are still a few bumps in the road for H.323 and Internet telephony in general, but it’s going to be an exciting road to travel!

