Wednesday, March 21, 2018

What to do when your H.323 videoconferencing equipment reaches end-of-life?

The big videoconferencing vendors (Polycom, Lifesize, Cisco etc.) only support their products for a limited time. After that they go "end-of-life" and don't receive any more updates. That doesn't mean they stop working. The H.323 standard for video conferencing hasn't changed much in recent years, so there is no need for updates to accommodate other changes. But there is a certain risk that they may have a security hole that no longer gets fixed.

Save money and stay independent

The vendors would prefer if you simply buy something new or subscribe to their proprietary “cloud service”. But to you this means spending money and a possible lock-in into their system versus just keeping systems going that run fine and owning the technology yourself with the independence that comes with it.

Move endpoints inside your firewall to private IPs

One important suggestion is to move end-of-life endpoints away from public IP addresses and onto private IPs inside your firewall. Out of convenience many people used to operate their H.323 endpoints on public IPs, but nowadays it's not much of a problem to use H.460 NAT traversal and move them to a safe place inside, behind a GNU Gatekeeper.

If you have very old endpoints that don't support H.460 NAT traversal, you can still do this. You just need a 2nd GNU Gatekeeper inside your firewall that tunnels the calls out to your external GNU Gatekeeper on the public IP. (Hey, it's free, you just need a 2nd server!)
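A configuration sketch of the two-gatekeeper layout described above, added here as an example and not taken from the original post or the GnuGk project. Gatekeeper names and IP addresses are placeholders, and the key names follow my understanding of the GnuGk manual, so check them against the manual for your installed version.

```ini
; ---- gatekeeper.ini on the OUTER GNU Gatekeeper (public IP) ----
[Gatekeeper::Main]
Name=OuterGnuGk

[RoutedMode]
; route signalling through the gatekeeper and enable H.460.18/.19
; so that H.460-capable endpoints can register from behind the firewall
GKRouted=1
H245Routed=1
EnableH46018=1

[Proxy]
; proxy media too, so inside endpoints never exchange packets
; directly with hosts on the internet
Enable=1

[Neighbors]
InnerGnuGk=GnuGk

[Neighbor::InnerGnuGk]
GatekeeperIdentifier=InnerGnuGk
; placeholder: the address the inner gatekeeper appears from
Host=198.51.100.20
SendPrefixes=*
AcceptPrefixes=*
; act as traversal server for the inner gatekeeper
H46018Server=1

; ---- gatekeeper.ini on the INNER GNU Gatekeeper (private IP) ----
[Gatekeeper::Main]
Name=InnerGnuGk

[RoutedMode]
GKRouted=1
H245Routed=1

[Proxy]
Enable=1

[Neighbors]
OuterGnuGk=GnuGk

[Neighbor::OuterGnuGk]
GatekeeperIdentifier=OuterGnuGk
; placeholder: public IP of the outer gatekeeper
Host=203.0.113.10
SendPrefixes=*
AcceptPrefixes=*
; open the tunnel outward, so no inbound firewall rule is needed
H46018Client=1
```

Old endpoints without H.460 support register with the inner gatekeeper on the private network. Authentication between the two gatekeepers is left out of this sketch and should be set up as the manual describes.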

Replace infrastructure devices with a GNU Gatekeeper

Some infrastructure devices (gatekeepers, gateways, proxies etc.) need to be on public IPs and thus there is a risk of exposing possible security holes to the open internet. Many of those can be replaced with a GNU Gatekeeper. Keep in mind it can be configured to do many different things that ordinary gatekeepers don't do.