Saturday, October 8, 2016

Mobile H.323 endpoints revisited

If you are looking for a free H.323 endpoint to connect to the GNU Gatekeeper, mobile apps for smartphones and tablets seem to offer the widest variety of choice right now.


My personal favorite are the RealPresence apps from Polycom, available  for iOS and Android. They offer you to sign in with a Polycom account, but you can simply skip this and just register with any H.323 gatekeeper in the settings.


Collaborate Mobile is also a good choice and also available for iOS and Android from the respective app stores.


Yealink VC Mobile is relatively new, but seems to work find with GnuGk, too.


There used to be an Android version of BeedHD, but now its only available for iOS.

I have dropped Sony IPELA from the list, because their apps seem to hang up without any visible reason after a few seconds in the call.

Here is my older post about free mobile H.323 endpoints for reference.

Tuesday, May 31, 2016

GNU Gatekeeper 4.2

I'm happy to announce the release of GNU Gatekeeper 4.2.

Version 4.2 is mainly a bug fix release.

A bug in proxying H.239 connections through NAT has been fixes as well
as a number of possible crashes and a few other small bugs.

The main functional change is that GnuGk's old NAT traversal method is
now disabled by default. Everybody should use H.460.x. If you want keep
using the old NAT traversal method, you can re-enable it with



You can download the new version from

Please see the full change log below.


Changes from 4.1 to 4.2
  • BUGFIX(ProxyChannel.cxx) fix H.239 forwarding issue in call where  only one side uses H.460.19
  • BUGFIX( make sure LUA test fails for versions below 5.2
  • BUGFIX(gkh235.cxx) small fix with password auth
  • BUGFIX(ProxyChannel.cxx) apply codec filtering also to  receiveAndTransmit capabilities
  • BUGFIX(ProxyChannel.cxx) fix crash in RTP multiplexing
  • BUGFIX(ProxyChannel.cxx) fix crash when using H.245 tunneling translation
  • BUGFIX(gk.cxx) fix shutdown on NetBSD 7
  • BUGFIX(ProxyChannel.cxx) fix compile on NetBSD 7
  • new switch: [RoutedMode] FilterVideoFastUpdatePicture= to reduce the  number of update requests from endpoints
  • disable SSLv3 when using TLS
  • BUGFIX(ProxyChannel.cxx) fix crash in call cleanup
  • support ON and OFF event in LuaAcct
  • BUGFIX(sqlacct.*) implement ON and OFF event as documented
  • new switches [RoutedMode] EnableGnuGkNATTraversal=1 and [Endpoint]  EnableGnuGkNATTraversal=1 to keep GnuGk's old NAT traversal method enabled

Sunday, April 17, 2016

Please tell us what you think about the GNU Gatekeeper!

We are running a suvery to get feedback and ideas for the future development of the GNU Gatekeeper.

Please take a moment to answer a few short questions:

Thanks for your time!

Wednesday, February 17, 2016

GNU Gatekeeper 4.1

I'm happy to announce the availability of GNU Gatekeeper 4.1.

This is mainly a bug fix release. If you are using GnuGk as a server in
a traversal zone or if you do H.239 presentations with Avaya endpoints,
you are strongly encouraged to update. This version also fixes a memory
leak that mainly affects long running gatekeepers with a lot of RAS
traffic. Some of the bugs were long standing, so if you skipped some
previous releases, this is really a good time to update.

The main new feature in this release is expanded LUA support.
Besides LUA authentication and LUA routing, there is now a LuaAcct
module that allows you to run a script on every accounting event of your
choice. Please see the updated manual for details.

You can download the new version from

Please see the full change log below.

My support website also got a face lift.
Please check it out as well.


Changes from 4.0 to 4.1

  • BUGFIX(ProxyChannel.cxx) fix crash processing Setup
  • BUGFIX(RasSrv.cxx) update IP/port of traversal neighbor on every SCI,  not only on IP changes
  • new status port command: PrintNeighbors
  • BUGFIX(ProxyChannel.cxx) fix H.239 inside multiplePayloadStream from  Avaya XT5000 with H.460.19
  • new accounting module: LuaAcct
  • LUA: new library "gnugk" to allow access to GnuGk functionality
  • BUGFIX(configure) set all detected options in gnugkbuildopts.h on Unix
  • BUGFIX(ProxyChannel.cxx) removing H.235 capabilities might have skipped items
  • BUGFIX(lua.cxx) initialize all LUA variables for LUA routing
  • status port configuration (MaxStatusClients, StatusEventBacklog, StatusEventBacklogRegex) now changable at runtime
  • BUGFIX(GkStatus.cxx) fix StatusEventBacklogRegex for patterns that start at the beginning of the event line
  • BUGFIX(ProxyChannel.cxx) use RealPresence Group 0-Byte keep-alive for IgnoreSignaledH239PrivateIPs (needs LARGE_FDSET to work)
  • new switches to set database connect and read timeout (only used by  MySQL for now)
  • new switch to set worker thread idle timeout: [Gatekeeper::Main] WorkerThreadIdleTimeout=
  • BUGFIX(gk.cxx) better test for gatekeeper shutdown
  • BUGFIX(Routing.cxx) fix fromIP for ARQ and LRQ RouteRequests
  • BUGFIX(gkauth.cxx) only call Q.931 checks when activated
  • BUGFIX(Routing.cxx) fix RouteRequest from unregistered caller who  doesn't provide any alias
  • new switch: [RoutedMode] DisableSettingUDPSourceIP=1

Friday, January 29, 2016

Getting H.323 through Firewalls and NAT by using the free GNU Gatekeeper

The H.323 protocol places IP numbers inside the signaling messages and establishes multiple TCP and UDP connections for a single call. You can't even be sure beforehand of the direction in which some of these connections are established. This makes it harder to get
H.323 through a NAT than other protocols.

To get through firewalls and NATs, the GNU Gatekeeper supports a lot of different traversal methods and protocols. The combination of H.460.18 and H.460.19 (usually called "H.460 NAT traversal" for short) is by far the most common NAT traversal protocol and is supported by virtually all H.323 endpoints today.

The best approach is to place a GNU Gatekeeper on a public IP address in front of your firewall and enable H.460.18 NAT traversal. You don't have to open any inbound port - just allow outgoing connections in your firewall, which is usually the default anyway.

If not all of your endpoints support H.460.18 or if you have a lot of internal calls, you can place a 2nd GnuGk inside your firewall and let it tunnel calls out for all internal endpoints combined. This called a "traversal zone". See Chapter 10 in the GNU Gatekeeper manual how to configure the outside GnuGk as traversal server and the GnuGk inside the firewall as traversal client.

A simple, one gatekeeper configuration for NAT traversal looks like this:




Register all your endpoints with the gatekeeper, whether they are inside or outside the firewall, and you should be able to make calls in and out.

Thursday, December 3, 2015

GNU Gatekeeper 4.0 available

I am pleased to announce the release of GNU Gatekeeper 4.0.

It is now available from

This release includes source code suitable for Linux, Windows, MacOS X,
FreeBSD, NetBSD, OpenBSD and Solaris and executables for Linux.

GnuGk 4.0 includes many new features as well as some important bug
fixes, but remains fully compatible with your previous configuration

Whats new ?
  • rewrite of the H.235 password authentication - much better interoperability and much more secure (it is high time to get ride of MD5 based authentication!)
  • IP authentication for all RAS and Q.931 messages
  • important IPv6 updates and fixes
  • support for TCS0 call transfers ("reroute") that can be initiated from applications
  • better NAT traversal support for unregistered endpoints
  • better blocking of spam calls using SQLAuth
  • per endpoint codec filtering
  • DisplayIE rewriting
  • more secure handling of status port passwords (only hash stored)
  • important fix for ODBC database driver
  • CalledPartyNumber IE rewriting for better Polycom interoperability
  • bug fixes

Some of the new 4.0 features are discussed in more detail this post:

Changes from 3.9 to 4.0
  • [...PasswordAuth] CheckID switch is now deprecated, use [H235] CheckSendersID instead
  • provide vendor informations from ARQ or Setup as %{Vendor} in SQLAuth CallQuery
  • prepend timestamp to events in status port backlog
  • BUGFIX(Routing.cxx) remove newlines from vendor string before sending out  RouteRequest to virtual queue
  • BUGFIX(gksql_odbc.cxx) fix DSN initialization when having multiple DSNs at the same time
  • new switch: [RoutedMode] UpdateCalledPartyToH225Destination=1 to always rewrite the CalledPartyNumberIE in Setup to the first E.164 of the H.225 destinationAddress
  • BUGFIX(ProxyChannel.cxx) fix crash on shutdown
  • new settings for [RoutedMode] ScreenDisplayIE=: 'Calling', 'Called', 'CallingCalled' to set the DisplayIE to the (rewritten) caller ID
  • new switch: [RoutedMode] AppendToDisplayIE= to add a string to the DisplayIE when ScreenDisplayIE= is on
  • changed default: H.460.18 keep-alive in traversal zone between neighbors now defaults to 19 sec (was 29)
  • new switch: [RoutedMode] H46018KeepAliveInterval=
  • BUGFIX(ProxyChannel.cxx) better port detection for H.239 when IgnoreSignaledPrivateH239IPs=1
  • BUGFIX(gkacct.cxx) %{caller-port} and %{called-port} now default to "0" instead of the empty string when not available (eg. in direct mode) to avoid SQL errors when they are stored in a numeric column
  • BUGFIX(RasSrv.cxx) fix additive registration with parent gatekeeper
  • BUGFIX(ProxyChannel.cxx) fix IPv6 dual-stack proxy on Linux and Windows
  • dump file descriptor usage on USR2 signal (Linux only)
  • new switch [RoutedMode] DisableFastStart=1
  • support for H.235.1, incl. setting and checking tokens in all RAS and Q.931 messages
  • extend SimplePasswordAuth and FileIPAuth to all RAS and all Q.931 messages
  • store only PBKDF2 hash for [GkStatus::Auth] password in config, not a recoverable password
  • BUGFIX(ProxyChannel.cxx) fix crash when receiving message without UUIE
  • new switch [EP::] DisabledCodecs=
  • much improved TCS0 3rd-party call transfer using 'Reroute' command on status port
  • BUGFIX(Routing.cxx) add field for destination alias in ARQ if missing and a dynamic routing policy sets it
  • BUGFIX(ProxyChannel.cxx) fix crash in H.235 Media for endpoints with more than 64 capability entries in TCS
  • new switch [Proxy] AllowSignaledIPs= to skip to skip auto-detect for network when IgnoreSignaledIPs=1

Friday, November 20, 2015

Wireshark 2 is out - including H.323 over IPv6 decoding

Wireshark 2 has been released. It includes decoding of H.323 over IPv6 wich didn't work properly in all previous version.

Wireshark 2 has a new UI that takes a moment to get used to, but also includes a version with the 'lecacy' UI if you need to get things donme in a hurry and can't fuss with the new UI right now.