[unisog] h.323 Gatekeeper/proxy vs. direct dial to units

Kim Cary Kim.Cary at pepperdine.edu
Wed May 30 15:18:38 GMT 2007

Hi UNISOG colleagues,

We're ramping up our h.323 video conferencing usage here. Our current  
setup is an h.323 gatekeeper/proxy. An external client enters our  
gatekeeper IP into their software or video conference station, then  
dials a specified h.323 number. Bing! All their traffic goes through  
the gatekeeper/proxy and then to our inside endpoint.

I certainly prefer to have a single IP to watch for this kind of  
traffic and not to have to poke inbound holes in the firewall all  
over user space to allow inbound calls (which I view as not only poor  
security but a potential for a service disaster).

Gatekeeper/proxy is also very handy in that the majority of our VC  
stations currently are mobile. The station changes subnets and gets a  
new IP address, then registers with the gatekeeper and its h.323  
number remains constant, so it's reachable wherever it goes. I'm  
guessing we'll get profs with webcams wanting to conference with  
students shortly (you have any of that type of use?) and it seems  
like a gatekeeper/proxy is the best choice there, too.

We have a couple missing pieces at this point: published instructions  
and a directory of public conference station h.323 numbers, but our  
director of academic client services is working on that.

That said, there's some debate here about whether requiring an inbound  
caller to enter a gatekeeper address is too much of a barrier to  

How do your institutions balance the risk/service equation for video  
conference? How much is requiring a gatekeeper for inbound callers a  
barrier to service?

Thanks for your views!


Dr. Kim Cary, CISSP
Information Security Officer
M-F 7-4 ~ 310 506 6655 ~ PCC 218
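
The "single IP to watch" point in the message above, as an added example that is not part of the original post: a check over flow records that reports inbound H.323 signalling reaching any inside address other than the gatekeeper. The addresses, the log format and the function name are assumptions made for illustration; the ports are the standard H.225 call signalling (1720/tcp) and RAS (1719/udp) ports.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed values (documentation address ranges, not from the post).
GATEKEEPER = ipaddress.ip_address("192.0.2.10")
INSIDE = ipaddress.ip_network("192.0.2.0/24")
# Standard H.323 signalling ports: H.225 call signalling and RAS.
H323_SIGNALLING = {("tcp", 1720), ("udp", 1719)}

# Constructed flow records in an assumed "proto src:port -> dst:port" format.
SAMPLE_LOG = """\
tcp 203.0.113.5:40112 -> 192.0.2.10:1720
tcp 203.0.113.5:40113 -> 192.0.2.77:1720
udp 198.51.100.9:1719 -> 192.0.2.10:1719
udp 192.0.2.77:1719 -> 192.0.2.10:1719
tcp 198.51.100.9:51000 -> 192.0.2.80:443
udp 203.0.113.8:1719 -> 192.0.2.91:1719
tcp 198.51.100.9:51001 -> 192.0.2.77:1720
garbage line
"""

LINE = re.compile(r"^(tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")

def direct_dial_targets(log_text):
    """Map each inside address (other than the gatekeeper) that received
    H.323 signalling from outside to the sorted external callers seen."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a flow record
        proto, src, _, dst, dport = m.groups()
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed address
        if (proto, int(dport)) not in H323_SIGNALLING:
            continue  # unrelated traffic
        if s in INSIDE or d not in INSIDE or d == GATEKEEPER:
            continue  # inside registrations and gatekeeper calls are expected
        hits[str(d)].add(str(s))
    return {dst: sorted(srcs) for dst, srcs in hits.items()}

if __name__ == "__main__":
    for dst, srcs in direct_dial_targets(SAMPLE_LOG).items():
        print(f"{dst} reached directly by {', '.join(srcs)}")
```

With the gatekeeper/proxy as the only permitted inbound destination, any entry in the result points to a firewall hole or a station being dialed directly.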
