1. Introduction

This manual is also available in Portuguese and Traditional Chinese. The English version is the master document and will get updated first.

1.1 About

OpenH323 Gatekeeper - The GNU Gatekeeper is an open-source project that implements an H.323 gatekeeper. A gatekeeper provides call control services to the H.323 endpoints. It is an integral part of most usefull internet telephony installations that are based on the H.323 standard.

According to Recommendation H.323, a gatekeeper shall provide the following services:

• Address Translation
• Admissions Control
• Bandwidth Control
• Zone Management
• Call Control Signaling
• Call Authorization
• Bandwidth Management
• Call Management

The GNU Gatekeeper implements most of these functions based on the OpenH323 protocol stack.

Recommendation H.323 is an international standard published by the ITU. It is a communications standard for audio, video, and data over the Internet. See also Paul Jones' primer on H.323.

For a detailed description of what a gatekeeper does, see here.

1.2 Copyright

It is covered by the GNU General Public License (GNU GPL). In addition to that, we explicitely grant the right to link this code to the OpenH323 and OpenSSL library.

Generally speaking, the GNU GPL allows you to copy, distribute, resell or modify the softwares, but it requires that all derived works must be published under GNU GPL also. That means that you must publish full source for all extensions to the gatekeeper and for all programs you include the gatekeeper into. See the file COPYING for details.

If that's not what you want, you must interface to the gatekeeper through the status port and communicate via TCP with it. That way you only have to integrate the basic funtionality into the gatekeeper (and provide source for that) and can keep other parts of your application private.

1.3 Name

The formal name of this project is OpenH323 Gatekeeper - The GNU Gatekeeper, short GnuGk. Please don't confuse it with other gatekeeper projects.

There are several open-source gatekeeper projects based on the OpenH323 protocol stack.

• OpenGatekeeper - by Egoboo

  A full featured gatekeeper freely available under MPL. The project has been inactive for a period of time now. There is an H.323 proxy based on OpenGatekeeper, see OpenH323Proxy.

• OpenGK - by Equivalence

  Only in a very primary grades.

• OpenH323 Gatekeeper - this one.

To have different gatekeepers with very similar names is really confusing for most users. Since our "OpenH323 Gatekeeper" was the first on the scene, it is not our fault that others have chosen similar names. But to make the destinction a little more clear without confusing people even more, we have decided to give the project a subtitle "OpenH323 Gatekeeper - The GNU Gatekeeper" and start using gnugk as name for executables.

1.4 Features

The version 2.0.8 is a bugfix release, plus the following enchancements:

• RIP (Request In Progress) message is now understood by the gatekeeper.
• Parametrized FileAcct CDR output.
• Do not list H.235 Auth Procedure I support in GCF messages, as it is not fully implemented.
• Fixed interoperability problem with some Cisco IOSes, because of copying nonStandardData field from RAS requests to RAS replies.
• Fixed vulnerability to an invalid destCallSignalAddress in ARQ or Q.931 Setup messages.
• Fixed a critical bug with queueing proxied packets.
• A new ParseEmailAliases config option that allows parsing of email/DNS-like aliases for a destination address.
• Fixed LDAP support for Windows (from Franz J Ehrengruber) and Unix.
• Changed addpasswd utility invokation syntax.
• Fixed critical bug with internal handling of signalling addresses.
• Rewrite mechanism should work now also in direct signalling mode.
• New ScreenSourceAddress configuration option.
• MCUs are treated like gateways and allow to register with their prefixes.
• Improved GNU Gatekeeper Service Windows utility from Franz J Ehrengruber.
• Direct IP-IP (from an unregistered endpoint to an unregistered endpoints) calls are now possible.
• New config variable AlwaysUseCLID.
• Permanent endpoints are correctly reloaded now.
• Generic SQL engine with MySQL and PostgreSQL support. New authentication modules introduced - [SQLPasswordAuth] and [SQLAliasAuth].
• Ability to read some configuration settings from a SQL database. The new config section [SQLConfig] introduced.
• New config variable CheckSetupUnregisteredOnly for [RadAliasAuth] module.
• Performance of the socket code improved (especially when LARGE_FDSET is enabled).
• Acct-Session-Id is now 16 characters long to guarantee uniqueness.
• New direct SQL accounting module ( [SQLAcct]).
• Flexible FileAcct CDR file rotation.

The version 2.0.7 is a bugfix release, plus the following enchancements:

• RadAuth/RadAliasAuth modules can now add/remove endpoint aliases during endpoint registration (see radauth.txt for more info).
• added utilities to the contrib dir that allow the gnugk ro run as a Windows service process. Thanks to Franz J Ehrengruber!
• Windows improvements (project icon, version info, better console handler). Thanks to Franz J Ehrengruber!
• Radius Q.931 Setup authentication routines optimized.
• gateway and neighbor prefixes match can also occur with alias types (in addition to dialedDigits) partyNumber and h323_ID (containing only 0-9#*)
• Added new VirtualQueuePrefixes and VirtualQueueRegex config variables. These make possible to call virtual queue not only with the exact alias name, but also with an alias that matches configured prefixes or configured regular expression. Thanks to Max Speransky
• accounting updates for calls in progress
• improved Radius h323-xxx attributes handling (now understands attributes both with embedded name strings and without them)

The version 2.0.6 is a bugfix release, plus the following enchancements:

• FileAcct - plain CDR text accounting logger module.
• Commandline option (-u) to change the gatekeeper process owner.
• Improved virtual queues.
• Full pre-paid support - both for registered endpoints (ARQ) and for unregistered endpoints (Q.931 Setup). Call duration limit is fully supported by RADIUS authenticators at the moment.

The version 2.0.5 is a bugfix release, plus the following enchancements:

• a first TransferCall implementation
• RADIUS H.235 (username/password) and alias authentication.
• Modular accounting framework.
• RADIUS accounting module.
• Signalling channel authentication/authorization (Q.931/H.225.0 Setup). Call duration limit (pre-paid services) can be controlled using this authorization scheme. RADIUS Q.931 authentication/authorization module is provided.

The version 2.0.3 is a bugfix release, plus a little enhancement:

• Forward a call Setup to the specified endpoint directly on receiving Q.931 Facility with reason callForwarded.
• Allow specify NATed endpoints manually.
• Added a simple form of inbound call distribution. Calls to a VirtualQueue can be routed to agents by an external distribution application.

The new features added to version 2.0.2 are:

• Add Citron's NAT Technology that allows transparently penetrate NAT boxes.Support multiple endpoints and calls concurrently.
• The gatekeeper can sit behind an NAT box and registered by endpoints with public IPs.
• New extended fd_set structure, which allow the gatekeeper to support thousands of concurrent calls in routed mode.
• Support QoS by adding TOS flag to RTP/RTCP packets.
• Login status port by username and password.

Of course, the major functions in version 2.0 are also included:

• The registration table and call record table are redesigned, thread-safe, and very efficient. Support ten thousands of registrations and thousands of concurrent calls.
• A new routed mode architecture that support H.225.0/Q.931 routed and H.245 routed without forking additional threads. Thus the thread number limit will not restrict the number of concurrent calls.
• Support H.323 proxy by routing all logical channels, including RTP/RTCP media channels and T.120 data channels. Logical channels opened by H.245 tunnelling and fast-connect procedure are also supported. In proxy mode, there is no traffic between the calling and called parties directly. Thus it is very useful if you have some endpoints using private IP behind an NAT box and some endpoints using public IP outside the box.
• Support gatekeepers cluster by exchanging LRQ/LCF/LRJ (neighboring function). If the destination of a received LRQ is unknown, the GnuGk can forward it to next hop. Therefore the GnuGk can work as a directory gatekeeper.
• Support various authentication methods for selectable RAS requests, including H.235 password (MD5, SHA-1 and CAT), IP pattern and prefixes matching. MySQL and LDAP are supported as backend database for authentication.
• Support alternate gatekeepers for redundancy and load balancing. If the GnuGk is overloaded, the endpoints can be redirected to other gatekeepers.
• Can work as an endpoint (gateway or terminal) by resigtering with a parent gatekeeper. With this feature, building gatekeeper hierarchies is easily.
• Monitor and control the GnuGk via TCP status port, including registration and call statistics.
• Output CDR(call detail record) to status port for backend billing system. The CDR contains call identifier, calling and called IP, start and end time and call duration.
• Most configurations are changeable at runtime. The GnuGk rereads the configurations on receiving reload command via status port, or on receiving HUP signal (Unix platform).

1.5 Download

The newest stable and a development version are available at the download page.

The very latest source code is in the CVS at Sourceforge ( Web-GUI). Beware - that's the bleeding edge.

You can also download some executables from the download page. Only some versions are made available as executables.

1.6 Mailing Lists

There are two mailing list for the project, one for the developers and one for the users.

General user questions should be send to the users mailing list. You can find the list archive here. To join this mailing list, click here.

To report problems or submit bugs/patches, send mails to the developers mailing list. The list archive is here. Please send user questions to the users mailinglist and keep this list to development! If you want to contribute to the project, please join the mailing list.

Note: Please don't send your questions as private emails to individual developer. We are usually busy. We would not like to be your private consultant, unless you'd like to pay us. Send your problems to the appropriate public mailing list so everybody can help you.

Also please don't send the GnuGk specific problems to the OpenH323 mailing list, or vice versa. They are different projects, though closely related.

Before you sending an email, make sure you have read the related documents carefully. Describe your problems clearly and precisely. Show us the error messages or logs if there is any.

1.7 Contributors

The current project coordinator is Jan Willamowius <jan@willamowius.de>

The main features and functions of version 2.0 are contributed by Chih-Wei Huang <cwhuang@linux.org.tw> and Citron Network Inc., including thread-safe registration and call tables, new routed mode architecture, H.323 proxy, H.235 authentication and MySQL backend.

Michal Zygmuntowicz <m.zygmuntowicz@onet.pl> has done some great work on Radius support and other improvements.

A team at mediaWays is working on LDAP database-subsystem, overlapped sending and advanced routing mechanisms.

The initial version of the gatekeeper has been developed by Xiang Ping Chen, Joe Metzger and Rajat Todi.