Wednesday, June 5, 2019

Celebrating 20 Years of GnuGk

20 years

20 years ago, in June 1999, I released the first version of the GNU Gatekeeper. Back then we still called it "OpenH323 Gatekeeper".

The first version was very simple and only supported RAS and what we call 'direct mode' today, but it still seems useful to people and within a year it grew into a tool that people used in production.

I quit my day job in 2003 to work full time on GnuGk and it has feed the family ever since. I am still amazed how well it works to give software away for free. How many people and companies contribute and give feedback and how many are willing to pay for support or new

I want to thank everybody who used it, provided feedback, bug fixes and ideas to make it into the great software that it is today!

We are not stopping here, the next release is already underway with many improvements and new features. Watch for it!

Happy Birthday GnuGk!

Monday, March 18, 2019

GNU Gatekeeper 5.2 released

This release that has a rewritten networking implementation (aka
"large-fdset") that allows GnuGk to scale to higher numbers of calls
per server than previous versions.

This new implementation replaces the old hack to extend the select()
system call by using poll() which enables GnuGk to handle huge numbers
of sockets at the same time. The new implementation also works on
Windows, but has been tested mostly on the different Unix versions we

Please note that the relevant configure option when comping GnuGk
source code has changed to --enable-large-fdset. There is no need to
specify a maximum number of sockets any more.

This release also has a few bug fixes, eg. for using LUA scripts with
shared libraries and for memory leaks in the error handling of H.235
password authentication.

Whats new ?
  • re-implement LARGE_FDSET using poll(), enable with configure option --enable-large-fdset
  • ExternalIP is automatically added to the default domains
  • support running LUA scripts that require dynamic libraries
  • change default for [TLS] CipherList= to allow elliptical curve ciphers
  • BUGFIX(gkauth.h) fix memory leak in H.235 password auth
  • BUGFIX(gkacct.cxx) set known, but unavailable accounting parameters to empty string
  • BUGFIX(ProxyChannel.cxx) fix setting UDP source IP on Windows when compiled for Vista or higher

You can download it from

Friday, January 4, 2019

GNU Gatekeeper 5.1 is out

The main new feature in this release is H.245 multiplexing.
Together with the long supported RTP multiplexing it allows GnuGk to handle a large amount of concurrent calls from H.460 endpoints using just 5 ports total.

Whats new ?
  • support for H.245 multiplexing with H.460.18: [RoutedMode] EnableH245Multiplexing=1, H245MultiplexPort=1722
  • improved interop with Lifesize Icon (H.235), Scopia VC240 (H.460.18) and Yealink Mobile (H.239 and H.460.19)
  • improved detection of neighbor gatekeeper availability
  • public IP detection for Google Cloud
  • new feature to let GnuGk send an event if port detection fails

Bug fixes:

  • allow ommitting Host= switch in Neighbor section for H.460.18 clients
  • fix sending of queued H.245 messages
  • update RAS port when NAT mapping for H.460.18 endpoint changes
  • fix H.245 tunneling translation with H.460.18 endpoints
  • always send genericIndication to traversal server gatekeeper
  • don't include 'bearer service changed' in keep-alive Notify
  • fix building Status and StatusInquiry keep-alives
  • fix check for librabbitmq
  • Solaris 11 compile fix
  • better OLC sessionType matching (fix for Yealink H.239)
  • fix handling aliases of type email_ID
You can download it from


Friday, August 17, 2018

GNU Gatekeeper 5.0 released

I'm happy to announce the release of GNU Gatekeeper version 5.0.

This version has new features and a few bug fixes. You can download it from

Whats new ?

  • support for Azure and Alibaba Cloud in addition to AWS
  • performance optimizations, especially for multiplexed RTP and LUA
  • compatible with OpenSSL 1.1.x
  • switch to translate Facility transfers into gatekeeper TCS0 reroutes

There were also a number of bug fixes, please see changes.txt for


Thursday, April 5, 2018

GNU Gatekeeper 4.9 released

This version has new features and a few bug fixes. You can  download it from

Whats new ?

We have 2 new accounting modules: HtttpAcct and AMQPAcct that allow
you to send accounting events via HTTP GET or POST to a web service
or push them into a RabbitMQ queue.

There are also many new accounting placeholders that you can use with
any of the accounting modules and there is a new accounting event
'reject' to track calls rejected with ARJ that went unnoticed before.

The new RTP inactivity checking allows you to drop calls if there
wasn't any RTP activity for a defined amount of time.

GeoIP authentication has been significantly updated to support all
RAS and all Q.931 messages and to support the new Maxmind database
format (GeoIP2).

There were also a few bug fixes:
  • fix crash while handling RTP packets
  • fix disconnecting unregistered endpoints
  • fix crash in some Avaya endpoints when receiving GCF with a gatekeeperIdentifier
  • fix crash when using IPv6
  • fix handling of CloseLogicalChannel

Wednesday, March 21, 2018

What to do when your H.323 videoconferencing equipment reaches end-of-life ?

The big videoconferencing vendors (Polycom, Lifesize, Cisco etc.) only support their products for a limited time. After that they go „end-of-life“ and don't receive any more updates. That doesn't mean they don't work any longer. That H.323 standard how to do video conferences didn't change much in recent years, so there is no need for updates to accomodate other changes. But you there is a certain risk that they may have a security hole that doesn't get fixed any more.

Save money and stay independent

The vendors would prefer if you simply buy something new or subscribe to their proprietary “cloud service”. But to you this means spending money and a possible lock-in into their system versus just keeping systems going that run fine and owning the technology yourself with the independence that comes with it.

Move endpoints inside your firewall to private IPs

One important suggestion is to move end-of-life endpoints away from public IP addresses and to private IPs inside your firewall. Out of convenience many people used to operate their H.323 endpoints on public IPs, but nowadays its not much of a problem to use H.460 NAT traversal and move them to a safe place inside behind a GNU Gatekeeper.

If you have very old endpoints that don't support support H.460 NAT traversal, you can still do this. You just need a 2nd GNU Gatekeeper inside your firewall that tunnels the calls out to your external GNU Gatekeeper on the public IP. (Hey, its a free, you just need a 2nd server!)

Replace infrastructure devices with a GNU Gatekeeper

Some infrastructure devices (gatekeepers, gateways, proxies etc.) need to be on public IPs and thus there is a risk of exposing possible security holes to the open internet. Many of those can be replaced with a GNU Gatekeeper. Keep in mind it can be configured to do many different things that ordinary gatekeepers don't do.

Wednesday, January 17, 2018

GNU Gatekeeper 4.8 released

GNU Gatekeeper version 4.8 has been released

This version has many new features. You can download the new version from


New maintenance mode: When you need to take down your GnuGk server
(eg. for an OS update), you can switch GnuGk to maintenance mode where
it will only allow ongoing calls to finish and automatically redirects
all idle endpoints to an alternate GnuGk server.
The status port command is "MaintenanceMode <alternate IP>".

Detailed information about ongoing calls: You can now display lots of
information about each ongoing call (codecs, bandwidth used, IPs etc.).
The web interface has been extended to to show this information.

Easier installation on AWS and inside docker containers. You can now
let GnuGk automatically detect the public IP of your AWS server, even
from within a docker container. You can also automatically insert your
public/external IP into your trace file names to store logs from many
servers in the same directory.

Extended API: Call routing with external applications has been
expanded. You can now set the display names for participants and
desired reject codes on the status port. You can also access the
vendor information of all registered endpoints. The web interface has
been extended to provide this information, too.

HttpPasswordAuth has been greatly extended to fetch password
information from backend servers. We now use curl to support https
and you can add many new placeholders in your queries.

Extended screening and rewriting of display names and calling party

Important bug fixes: Multiplexed RTP is now much more robust and
password authentication to parent gatekeepers has been fixed. There
are also interop fixes for TCP keep-alives.

Please see the full change log below for more details.

Changes from 4.7 to 4.8
  • HttpPasswordAuth: support https and add new placeholders
  • PrintAllRegistrationsVerbose now also shows the endpoint vendor
  • new status port command: MaintenanceMode
  • new status port command: PrintCallInfo
  • allow placeholder %{gkip} and %{external-ip} in [LogFile] Filename=
  • fetch AWS public/elastic IP if ExternalIP=AWSPublicIP
  • new commandline switch: -e / --externalip
  • extend status port command RouteReject to set reject reason
  • extend status port commands RouteToAlias, RouteToGateway etc. to set display IE for calling and called
  • new switch: [LogFile] DeleteOnRotation=1 to delete the old logfile when rotating instead of renaming it
  • new switches: [RoutedMode] AppendToCallingPartyNumberIE= / PrependToCallingPartyNumberIE= to add any string before or after the calling party number IE when ScreenCallingPartyNumberIE=RegisteredAlias
  • when [RoutedMode] ScreenCallingPartyNumberIE= is set to RegisteredAlias, GnuGk sets calling party number IE to the registered alias (forced screening)
  • delete DisplayIE when [RoutedMode] ScreenDisplayIE=Delete
  • new switch [Endpoint] Authenicators=
  • new default: [RoutedMode] GnuGkTcpKeepAliveMethodH225=EmptyFacility
  • new default: [RoutedMode] H460KeepAliveMethodH225=EmptyFacility for Cisco interop
  • new setting "None" for keep-alive methods
  • BUGFIX(ProxyChannel.cxx) fix bugs in H.460.19 RTP multiplexing
  • BUGFIX(ProxyChannel.cxx) don't send H.460 keep-alive to non-H.460 party when calling H.460 party
  • BUGFIX(Routing.cxx) show called port in RouteRequests (as documented)
  • BUGFIX(GkClient.*) fix password authentication with parent
  • BUGFIX(Routing.cxx) remove semicolon and pipe chars from vendor string in RouteRequests
  • better handling of IPv6 GRQ without RAS address
  • BUGFIX(ProxyChannel.cxx) turn off encryption proxy if DH key is negotiated, but TCS doesn't contain any H.235 entries
  • BUGFIX(ProxyChannel.cxx) fix running in proxy mode on FreeBSD when one Home IP is set
  • BUGFIX(ProxyChannel.cxx) fix DisableSettingUDPSourceIP=1 for Windows, NetBSD, OpenBSD and Solaris
  • BUGFIX(yasocket.cxx) fix LARGE_FDSET for NetBSD, OpenBSD and Solaris