Reference11r1:Concept H.323 over TCP/TLS (H.460.17): Difference between revisions

From innovaphone wiki



Revision as of 17:09, 22 September 2014

The H.460.17 standard is an extension to the H.323 standard. It defines a mode of operation that uses a single TCP or TLS connection for both RAS and call control within H.323. This is done by tunneling the RAS messages within H.225 signaling messages. This simplifies various NAT and firewall traversal scenarios, or makes them possible in the first place. This feature is available starting with version 11. With TLS, device certificates can be used to authenticate phones at the PBX.

Configuration

Two new protocol selections are available on the phones and in gateway configuration: H.323/TCP and H.323/TLS.

On the PBX, incoming H.460.16 registrations are accepted by default. A new 'TLS only' checkmark on devices can be used to allow only H.323/TLS registrations.

In the case of TLS, the device certificate is used. If a phone registers with its hardware ID, the name in the device certificate is checked against the registration name. This way the phone can be authenticated to the PBX without configuring any credentials on the phone.
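The decision logic described above, sketched as an added example (not innovaphone code). It assumes the certificate name is the subject commonName, that the peer certificate arrives in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`, and that non-TLS registrations fall back to configured credentials; the `Decision` and `Transport` names and the sample hardware ID are hypothetical.

```python
# Added illustration; names, enum values and the fallback policy are assumptions.
from enum import Enum

class Transport(Enum):
    UDP = "H.323"
    TCP = "H.323/TCP"
    TLS = "H.323/TLS"

class Decision(Enum):
    REJECT = "reject"
    ACCEPT_BY_CERT = "accepted, authenticated by device certificate"
    NEEDS_CREDENTIALS = "accepted only with configured credentials"

def cert_common_names(peercert):
    """Collect every commonName from a getpeercert()-style dict."""
    return [value
            for rdn in peercert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]

def check_registration(transport, hardware_id, peercert=None, tls_only=False):
    """Decide how to treat a registration that presents a hardware ID."""
    # 'TLS only' checkmark: refuse anything that is not H.323/TLS.
    if tls_only and transport is not Transport.TLS:
        return Decision.REJECT
    # Without TLS there is no certificate to check (assumed fallback).
    if transport is not Transport.TLS:
        return Decision.NEEDS_CREDENTIALS
    # getpeercert() yields {} when the chain was not validated:
    # an unvalidated certificate proves nothing, so no name is extracted.
    names = cert_common_names(peercert or {})
    # Assumed hardening: an ambiguous subject (0 or >1 names) is rejected.
    if len(names) != 1:
        return Decision.REJECT
    # Exact comparison; an empty registration name never matches.
    if not hardware_id or names[0] != hardware_id:
        return Decision.REJECT
    return Decision.ACCEPT_BY_CERT

# Constructed sample certificate in getpeercert() form.
SAMPLE_CERT = {"subject": ((("commonName", "IP222-00-11-22"),),)}

if __name__ == "__main__":
    print(check_registration(Transport.TLS, "IP222-00-11-22", SAMPLE_CERT))
    print(check_registration(Transport.TLS, "IP222-00-11-23", SAMPLE_CERT))
    print(check_registration(Transport.TCP, "IP222-00-11-22", tls_only=True))
```

The name comparison is only meaningful if the TLS layer has already validated the certificate chain against a trusted issuer; a matching name in an unvalidated certificate authenticates nothing.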

Home offices without VPN

Together with ICE, this feature allows phones to be used in home offices without a VPN connection. Even the PBX may be located inside a private network, provided the NAT router has a single mapping that forwards incoming TCP connections on port 1300 (the well-known port for H.323 over TCP) to the PBX.