Name

gk-proxy, test-gk — H.323 Gatekeeper RAS proxy

Synopsis

gk-proxy [-hv] [-d dbglev] -f cfgfile

test-gk [-hv] [-d dbglev] -f cfgfile [-r] [-t test_expr]

Description

The gk-proxy provides an H.323 Registration, Admission and Status (RAS) proxying service. It allows clients in the local network to register with gatekeepers and to request that they manage H.323 connections.

The test-gk program checks the syntax and, partially, the semantics of the configuration; for test expression syntax, see test-expr(5).

The gk-proxy reads its configuration file and starts receiving datagrams on the UDP sockets (address/port pairs) specified by the listen-on configuration directive (see listen-on(5)). It also maintains a list of active sessions, each with two connections (one from the client, the other to the server). When a datagram arrives, the proxy checks its source and destination addresses and tries to assign the datagram to an existing session. If a match is found, the datagram is passed to the peer belonging to the session. If no session matches and the ACL allows it, a new session is created. Otherwise, the datagram is dropped.

The proxy usually runs as two processes (not counting the configuration resolving process - see resolving(7)): a single child process manages all the sessions, and the parent process manages the child and restarts it after a failure; see also udpserver(7). The format of the proxy configuration file is described in gk-proxy.cfg(5). The maximum number of concurrent active sessions is set by the configuration directive max-sessions.

The proxy registers all clients in a special memory-mapped file. Its name must be specified in the map-file configuration item. The contents of the file are used by the h323-proxy to decide on H.323 connection destinations.

The gk-proxy uses single-phase ACLs, which are checked at the moment of session establishment. The ACL is named session-acl.

When a non-transparent session is created (i.e., a session initiated by a datagram destined directly to one of the sockets the gk-proxy is listening on) and is allowed by policy, the proxy must be configured to communicate with a specific remote server by means of the plug-to configuration directive.

When a transparent session is created (i.e., a session initiated by a datagram destined to a real server and transparently redirected to the gk-proxy; see transparency(7) for details), the proxy communicates either with the destination server specified by the client or with the one defined by the plug-to directive. If a plug-to is applicable to a transparent session, it takes precedence over the original destination. This means that the gk-proxy will ignore the original destination and communicate with the plug-to server.
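
The dispatch and destination rules above, as a small Python model added here for illustration (it is not Kernun code). The class and field names, the per-session outgoing address and the choice to drop a non-transparent session that has no plug-to server are assumptions of the model; all addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

Addr = Tuple[str, int]  # (IP address, UDP port)

@dataclass
class Session:
    client: Addr     # source of the client's datagrams
    orig_dst: Addr   # destination the client sent to
    out: Addr        # proxy-side address used towards the server (assumed)
    server: Addr     # gatekeeper the session talks to

@dataclass
class GkProxyModel:  # hypothetical names throughout
    listen_on: Set[Addr]
    session_acl: Callable[[Addr, Addr], bool]  # stand-in for session-acl
    plug_to: Optional[Addr] = None             # stand-in for plug-to
    sessions: List[Session] = field(default_factory=list)

    def pick_server(self, dst: Addr) -> Optional[Addr]:
        if self.plug_to is not None:
            return self.plug_to  # precedence over a transparent destination
        if dst in self.listen_on:
            return None          # non-transparent session requires plug-to
        return dst               # transparent: destination chosen by client

    def handle(self, src: Addr, dst: Addr) -> Tuple[str, Optional[Addr]]:
        for s in self.sessions:  # existing session: pass to the peer
            if (src, dst) == (s.client, s.orig_dst):
                return "forward", s.server
            if (src, dst) == (s.server, s.out):
                return "forward", s.client
        if not self.session_acl(src, dst):  # checked once, at establishment
            return "drop", None
        server = self.pick_server(dst)
        if server is None:
            return "drop", None  # assumption: no usable server means drop
        out = ("192.0.2.1", 40000 + len(self.sessions))  # constructed address
        self.sessions.append(Session(src, dst, out, server))
        return "new-session", server

def demo() -> list:
    # Constructed policy and addresses: only 10.0.0.x may open sessions.
    p = GkProxyModel({("10.0.0.1", 1719)}, lambda s, d: s[0].startswith("10.0.0."),
                     plug_to=("203.0.113.5", 1719))
    client, real_gk = ("10.0.0.7", 5000), ("198.51.100.9", 1719)
    return [p.handle(client, real_gk),                           # plug-to wins
            p.handle(("203.0.113.5", 1719), p.sessions[0].out),  # server reply
            p.handle(("172.16.0.9", 5000), real_gk)]             # ACL denies
```

Because the ACL is consulted only when no session matches, a datagram that fails to match on both source and destination is treated as a new session request and is subject to policy again.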

Common Kernun Features

The proxy uses the common Kernun mechanism for name resolving (see resolving(7)).

The proxy uses the common Kernun mechanism for logging (see logging(7)). When a RAS request comes to the proxy, the SESSION-START (MMCG-810-I) and the ACL (MMCG-821-I) messages are logged. If the request is accepted, a new ID is assigned to it and the SESSION-INIT (MMCG-811-I) message is logged. When processing of the set of requests from/for the client ends, the SESSION-END (MMCG-812-I) message is logged.

The proxy uses the common Kernun mechanism for traffic shaping. For more detailed information, see traffic-shaping(7).

The proxy uses the common Kernun mechanism for policy decisions about received and sent datagrams. It is described in access-control(7) and host-matching(7). For example, it is possible for the gk-proxy to use the real client's address or any specified address as the source address for datagrams forwarded to a server.

Special Configuration Topics

The gk-proxy adds many configuration directives to the session-acl:

register

Type of client registration. For details, see h323-proxy(8).

h323-address

Address to which announced H.323 sessions are redirected. For details, see h323-proxy(8).

h323-session-timeout

Timeout for establishing the H.323 session. After receiving an ARQ or ACF packet, the gk-proxy builds a NAT rule so that the following H.323 session reaches the running h323-proxy. This rule must be deleted by its originator, the gk-proxy. However, the gk-proxy has no information about the success or failure of the H.323 session establishment. That is why there is a timeout after which the rule is deleted. If the client starts the H.323 session within the timeout, deleting the rule will not affect the session. Otherwise, the H.323 session will not succeed. If there are problems with establishing H.323 sessions in your network, increase this timeout.

timeout.session

The session will be terminated when this number of seconds has elapsed since session establishment.

timeout.in

Timeout for datagrams from the server. If this many seconds elapse without a datagram being received from the server, the session will be terminated.

timeout.out

Timeout for datagrams from the client. If this many seconds elapse without a datagram being received from the client, the session will be terminated.

timeout.both

Timeout for datagrams regardless of their direction. If no datagram belonging to a session is received for this many seconds, the session will be terminated.

Program options

-h

Print usage information.

-v

Display version information and exit.

-d dbglev

Set the debugging level to a specific number. Permitted values are 3 through 9, 3 being the least and 9 the most verbose. See logging(7) for details. This setting is relevant only until configuration reading is finished.

-f cfgfile

Read cfgfile for configuration information.

See Also

gk-proxy.cfg(5), listen-on(5), application(5), test-expr(5), MMCG-810(6), MMCG-811(6), MMCG-812(6), MMCG-821(6), access-control(7), configuration(7), host-matching(7), logging(7), netio(7), resolving(7), time-matching(7), traffic-shaping(7), transparency(7), udpserver(7), h323-proxy(8)

Authors

This man page is a part of Kernun Firewall.
Copyright © 2000–2023 Trusted Network Solutions, a. s.
All rights reserved.