This is the manual for GNU Gatekeeper 4.9.
A manual for your version is in your GnuGk download archive.
A PDF version can be found in the download section.

Chapters: Contents · Introduction · Installation · Getting started · Basic Config · Routed Mode & Proxy · Routing · RAS Config · Authentication · Accounting · Neighbors · Per Endpoint Config · Advanced Config · Monitoring · Advanced Topics

Download GnuGk    Join the community    Get support

The GNU Gatekeeper Manual Chapter 5

5. Routed Mode and Proxy Configuration

5.1 Section [RoutedMode]

Call signaling messages may be passed in two ways: The first method is Direct Endpoint Call Signaling, where call signaling messages are passed directly between the endpoints. The second method is Gatekeeper Routed Call Signaling. With this second method, the call signaling messages are routed through the gatekeeper.

When Gatekeeper Routed Call Signaling is used, there are three different options for routing the H.245 channel and media channels.

Case I.

The gatekeeper doesn't route H.245 and media. The H.245 channel and media channels are established directly between the endpoints.

Case II.

The H.245 channel is routed through the gatekeeper, while the media channels are established directly between the endpoints.

Case III.

The gatekeeper routes the H.245 channel, as well as the media channels, including RTP/RTCP for audio and video, and T.120 channel for data. In this case, no traffic is passed directly between the endpoints. This is usually called a H.323 Proxy, and can be treated as a H.323-H.323 gateway.

This section defines the gatekeeper routed mode options (case I & II). The proxy feature is defined in the [Proxy] section.

The settings in this section may be updated by reloading the configuration while the gatekeeper is running.

  • GKRouted=1
    Default: 0

    Enables gatekeeper routed signaling mode.

  • H245Routed=1
    Default: 0

    Enables routing of the H.245 control channel through the gatekeeper. This setting is honored if GKRouted=1 and H.245 tunneling is disabled for a call. Even when this option is disabled, if Proxy or ProxyForNAT takes effect, a H.245 channel is always routed through the gatekeeper for calls being proxied.

  • CallSignalPort=1721
    Default: 1720

    The port for call signaling on the gatekeeper. You may set it to 0 to let the gatekeeper choose an arbitrary port.

  • TLSCallSignalPort=1300
    Default: 1300

    The port where GnuGk should listen for TLS (transport layer security) signaling, if enabled in the [TLS] section.

  • CallSignalHandlerNumber=10
    Default: 5

    The number of threads dedicated to handle signaling/H.245 channels (between 1-200). You may increase this number in a heavy loaded gatekeeper. Each thread can process one signaling message at time, so increasing this number will increase call throughput. Under Windows, there exists a default limit of 64 sockets used by a single signaling thread, so each signaling thread is able to handle at most 32 calls (with H.245 tunneling enabled).

  • RtpHandlerNumber=2
    Default: 1

    The number of RTP proxy handling threads. Increase this value only if you experience problems with RTP delay or jitter on a heavily loaded gatekeeper. Special care has to be taken on Windows, as RTP handling threads are subject to the same limit of 64 sockets as signaling threads. Thus on Windows each RTP thread is able to handle at most 32 proxied calls (2 sockets per call).

  • AcceptNeighborsCalls=1
    Default: 1

    With this feature enabled, the call signaling thread will accept calls without a pre-existing CallRec found in the CallTable, provided an endpoint corresponding to the destinationAddress in Setup can be found in the RegistrationTable, and the calling party is a neighbor or parent gatekeeper. The gatekeeper will also use its own call signaling address in the LCF when responding to the LRQ. Call signaling will be routed to gatekeeper 2 in gatekeeper-to-gatekeeper calls. As a result, the CDRs in gatekeeper 2 will correctly show the connected time, instead of 'unconnected'.

  • AcceptUnregisteredCalls=1
    Default: 0

    With this feature enabled, the gatekeeper will accept calls from any unregistered endpoint. Make sure you do proper authentication on these calls if you don't want to let everybody use your gatekeeper. When working with unregistered endpoints, you will probably also want to change the CallSignalPort to 1720.

  • RemoveH245AddressOnTunneling=1
    Default: 0

    Some endpoints send h245Address in the UUIE of Q.931 even when h245Tunneling is set to TRUE. This may cause interoperability problems. If the option is TRUE, the gatekeeper will remove h245Address when h245Tunneling flag is TRUE. This enforces the remote party to stay in tunneling mode.

  • RemoveH245AddressFromSetup=1
    Default: 0

    With this switch GnuGk will strip H.245 addresses from incoming Setup messages to avoid interoperability issues.

  • DisableH245Tunneling=1
    Default: 0

    Force both sides of a call to disable H.245 tunneling.

  • H245TunnelingTranslation=1
    Default: 0

    Allow one side of a call to use H.245 tunneling even if the other side does not, with the gatekeeper performing the appropriate H.245 message conversion. This will reduce the number of ports required on the tunneling side of the connection.

  • RemoveCallOnDRQ=0
    Default: 1

    With this option disabled, the gatekeeper will not disconnect a call if it receives a DRQ for it. This avoids potential race conditions when a DRQ overtakes a Release Complete. This is only meaningful in routed mode because in direct mode, the only mechanism to signal end-of-call is a DRQ. When using call failover this must be set to 0.

  • DropCallsByReleaseComplete=1
    Default: 0

    According to Recommendation H.323, the gatekeeper could tear down a call by sending RAS DisengageRequest to endpoints. However, some bad endpoints just ignore this command. With this option turning on, the gatekeeper will send Q.931 Release Complete instead of RAS DRQ to both endpoints to force them drop the call.

  • SendReleaseCompleteOnDRQ=1
    Default: 0

    On hangup, the endpoint sends both Release Complete within H.225/Q.931 and DRQ within RAS. It may happen that DRQ is processed first, causing the gatekeeper to close the call signaling channel, thus preventing the Release Complete from being forwarding to the other endpoint. Though the gatekeeper closes the TCP channel to the destination, some endpoints (e.g. Cisco CallManager) don't drop the call even if the call signaling channel is closed. This results in phones that keep ringing if the caller hangs up before the called number answers. Setting this parameter to 1 makes the gatekeeper always send Release Complete to both endpoints before closing the call when it receives a DRQ from one of the parties.

  • SupportNATedEndpoints=1
    Default: 0

    Whether to allow an endpoint behind a NAT box register to the gatekeeper. If yes, the gatekeeper will translate the IP address in Q.931 and H.245 channel into the IP of NAT box.

    GnuGk supports NAT outbound calls (from an endpoint behind NAT to public networks) directly without any necessary modification of endpoints or NAT box. Just register the endpoint with GnuGk and you can make call now.

  • SupportCallingNATedEndpoints=0
    Default: 1

    Whether to allow an endpoint behind an NAT box that support GnuGk NAT Traversal technique to receive calls. Use this to block errant gateways that do not support GnuGk Nat Traversal technique properly from causing one way audio problems when trying to call to the gateway. Calls to the gateways return caller unreachable. To be effective SupportNATedEndpoints must be set to 1.

  • TreatUnregisteredNAT=1
    Default: 0

    Used in conjunction with AcceptUnregisteredCalls and SupportNATedEndpoints will automatically treat all unregistered calls which cannot be determined as being NAT are treated as being NAT.

    Not all Endpoints send sourceSignalAddress in the setup message which can be used to determine whether a caller is NAT. This adds support to those that don't.

  • ScreenDisplayIE=MyID
    Default: N/A

    Modify the DisplayIE of Q.931 to the specified value.

    If you set the switch to "Calling", the DisplayIE of the calling party is set to the CallingStationID and with "Called" the respective is done to DisplayIEs from the called party. "Setting it to "CallingCalled" rewrites all DisplayIEs to the Calling/CalledStationID.

    If you set the switch to "Delete" all DisplayIEs will be removed.

  • AppendToDisplayIE=SomeText
    Default: N/A

    When ScreenDisplayIE= is set, this text is appended to the new DisplayIE.

  • PrependToDisplayIE=SomeText
    Default: N/A

    When ScreenDisplayIE= is set, this text is prepended to the new DisplayIE.

  • ScreenCallingPartyNumberIE=0965123456
    Default: N/A

    Modify the CallingPartyNumberIE of Q.931 to the specified value.

    When you set the string to RegisteredAlias, GnuGk will set it to the first registered E.164, falling back to the first alias if the endpoint doesn't have an E.164 registered or the empty string if the endpoint isn't registered.

    Default: N/A

    Append this string to the CallingPartyNumberIE when ScreenCallingPartyNumberIE=RegisteredAlias.

    The following placeholders will be replaced:

    • %{gkip} - IP address of the gatekeeper
    • %{external-ip} - external IP, if configured

  • ScreenSourceAddress=MyID
    Default: N/A

    Modify the sourceAddress field of UUIE element from Q.931 Setup message.

  • ForwardOnFacility=1
    Default: 0

    If set, the gatekeeper will forward calls directly to the forwarded endpoint when it receives a Q.931 Facility with reason callForwarded, routeCallToGatekeeper or routeCallToMC, instead of passing the message back to the caller. If you have broken endpoints that can't handle Q.931 Facility with reason callForwarded (or the other reasons), turn on this option. Note that this feature may not always work correctly, as it does not provide any means of capability renegotiation and media channel reopening. The call is only forwarded if the forwarder is the called party and the H.245 channel is not established, yet.

  • RerouteOnFacility=1
    Default: 0

    If set, GnuGk will translate received Q.931 Facility with reason callForwarded or routeCallToMC into gatekeeper based call reroutes. This will enable call transfers for established calls with almost all endpoints, even those that do not understand how to process call transfers by themselves.

    H.245 tunneling should be disabled for rerouting ([RoutedMode] DisableH245Tunneling=1) as well as media encryption (RemoveH235Call=1).

  • ShowForwarderNumber=0
    Default: 0

    Whether to rewrite the calling party number to the number of forwarder. It's usually used for billing purpose. Only valid if ForwardOnFacility=1.

  • Q931PortRange=20000-20999
    Default: N/A (let the OS allocate ports)

    Specify the range of TCP port number for Q.931 signaling channels. Note the range size may limit the number of concurrent calls. Make sure this range is wide enough to take into account TIME_WAIT TCP socket timeout before a socket can be reused after closed. TIME_WAIT may vary from 15 seconds to a few minutes, depending on an OS. So if for example your range is 2000-2001 and you made two calls, the next two calls can be made after TIME_WAIT timeout elapses and the sockets can be reused. The same applies to H245PortRange and T120PortRange. TIME_WAIT can be usually tuned down on most OSes.

  • H245PortRange=30000-30999
    Default: N/A (let the OS allocate ports)

    Specify the range of TCP port number for H.245 control channels. Note the range size may limit the number of concurrent calls. See remarks about TIME_WAIT socket state timeout in the Q931PortRange description.

  • SetupTimeout=4000
    Default: 8000

    A timeout value (in milliseconds) to wait for a first message (Setup) to be received after a signaling TCP channel has been opened.

  • SignalTimeout=10000
    Default: 30000

    A timeout value (in milliseconds) to wait for a signaling channel to be opened after an ACF message is sent or to wait for an Alerting message after a signaling channel has been opened. This option can be thought as a maximum allowed PDD (Post Dial Delay) value.

  • AlertingTimeout=60000
    Default: 180000

    A timeout value (in milliseconds) to wait for a Connect message after a call entered Alerting state. This option can be thought as a maximum "ringing time".

  • TcpKeepAlive=1
    Default: 0

    Enable/disable keepalive feature on TCP signaling sockets. This can help to detect inactive signaling channels and prevent dead calls from hanging in the call table. For this option to work, you also need to tweak system settings to adjust keep alive timeout. See docs/keepalive.txt for more details. If this switch is not present in the configuration, the socket is left untouched.

  • TranslateFacility=1
    Default: 0

    Enable this option if you have interoperability problems between H.323v4 and non-H.323v4 endpoints. It converts Facility messages with reason = transportedInformation into Facility messages with an empty body, because some endpoints do not process tunneled H.245 messages inside Facility, if the body is not empty. The conversion is performed only when necessary - if both endpoints are v4 or both endpoints are pre-v4, nothing is changed.

  • FilterEmptyFacility=1
    Default: 0

    Filter out Facility messages with reason transportedInformation, but without h245Control or h4501SupplementaryService field. Needed for Avaya interop.

  • SocketCleanupTimeout=1000
    Default: 5000

    Define time to wait before an unused socket is closed (if it is not yet closed) and deleted (its memory is released). If you use very small port ranges, like a few ports (e.g. RTPPortRange=2000-2009), you may want to decrease this value to get sockets reusable faster.

  • ActivateFailover=1
    Default: 0

    Activate call failover: When activated, GnuGk will try to find other possible routes to a destination if the call fails on the first route. The list of routes for a call is built when the call first comes in and currently not all routing policies are able to provide multiple routes. You can use the 'internal' and the 'sql' policy to provide multiple routes. In addition to that multiple routes can be set by SQL and Radius authenticators.

    For accounting of calls using failover, see the SingleFailoverCDR switch in the [CallTable] section.

  • FailoverCauses=1-15,21-127
    Default: 1-15,21-127

    Define which cause codes in a ReleaseComplete will trigger call failover.

  • DisableRetryChecks=1
    Default: 0

    This will disable all checks if a failed call has already received FastStart or H.245 messages. Caution: Using this switch enables you to retry more calls, but you run the risk that some of the retried calls will fail because the caller is already in a state where he can't talk to a new partner.

  • CalledTypeOfNumber=1
    Default: N/A

    Sets Called-Party-Number type of number to the specified value for all calls (0 - UnknownType, 1 - InternationalType, 2 - NationalType, 3 - NetworkSpecificType, 4 - SubscriberType, 6 - AbbreviatedType, 7 - ReservedType).

  • CallingTypeOfNumber=1
    Default: N/A

    Sets Calling-Party-Number type of number to the specified value for all calls (0 - UnknownType, 1 - InternationalType, 2 - NationalType, 3 - NetworkSpecificType, 4 - SubscriberType, 6 - AbbreviatedType, 7 - ReservedType).

  • CalledPlanOfNumber=1
    Default: N/A

    Sets Called-Numbering-Plan of number to the specified value (0 - UnknownType, 1 - ISDN, 3 - X.121 numbering, 4 - Telex, 8 - National standard, 9 - private numbering).

  • CallingPlanOfNumber=1
    Default: N/A

    Sets Calling-Numbering-Plan of number to the specified value (0 - UnknownType, 1 - ISDN, 3 - X.121 numbering, 4 - Telex, 8 - National standard, 9 - private numbering).

    Default: N/A

    Sets the enum server list in priority order separated by (,) for the enum policy. This overrides the PWLIB_ENUM_PATH environmental variable.

    Default: N/A

    Use this to specify a RDS server to query for rds routing policy. This set the domains to use to resolve URI's which do not have SRV records and may be virtually hosted or where SRV records are stored in another host. This overrides the PWLIB_RDS_PATH environmental variable.

  • CpsLimit=10
    Default: 0

    Limit the rate of incoming calls to n calls per second. If more calls are received they are rejected at the TCP level without H.323 error messages, so they won't show up in CDRs. A value of zero (default) disables the feature.

    The limit only applies if the calls in the check interval are greater than check-interval * CPS-rate. This allows small call spikes on a machine without much load, but will apply strict limits when the overall load is high.

    This feature is meant to shield the gatekeeper from overload and to avoid as much resource usage a possible in an overload situation.

    Currently the calls are blocked when the first message comes in on the signaling port. This makes it very effective for unregistered calls. However, ARQs are not blocked, so it will be less effective with registered calls.

  • CpsCheckInterval=1
    Default: 5

    Define the check interval in seconds before the CpsLimit is applied.

  • GenerateCallProceeding=1
    Default: 0

    When set, GnuGk will generate a CallProceeding for each Setup message it receives. This can be helpful to avoid a timeout in calling endpoints if the destination takes a long time to answer or the call is processed in a virtual queue. Without setting UseProvisionalRespToH245Tunneling=1 this will disable H.245 tunneling.

    CallProceeding messages sent by endpoints or gateways will be translated into Facility or Progress messages.

  • UseProvisionalRespToH245Tunneling=1
    Default: 0

    WARNING: This is an experimental feature and not tested very well.

    If you only use H.323 equipment that supports provisionalRespToH245Tunneling, you can set this switch to keep H.245 tunneling enabled when using gatekeeper generated CallProceeding.

  • EnableH450.2=1
    Default: 0

    When set, GnuGk will intercept H.450.2 call transfer messages and if possible transfer the call on behalf of the endpoint. This allows the endpoint initiated transferring of calls where the remote endpoint may not support H.450 and the gatekeeper initiates the call transfer.

  • H4502EmulatorTransferMethod=Reroute
    Default: callForwarded

    Set the call transfer method for the H.450.2 emulator. It defaults to sending a callFordwarded Facility to the endpoint. Setting it to "Reroute" uses a gatekeeper based TCS=0 transfer. ("Reroute" is still considered and experimental feature, that should be used with care.)

  • TranslateReceivedQ931Cause=17:=34
    Default: N/A

    Translate all received cause codes in ReleaseComplete messages. In the above example code 17 (User busy) will be translated into cause code 34 (No circuit/channel available).

  • TranslateSentQ931Cause=21:=34,27:=34
    Default: N/A

    Translate all cause codes in ReleaseComplete messages sent out. In the above example code 21 and 27 will be translated into cause code 34, because this particular gateway might deal with error code 34 better than with others.

  • RemoveH235Call=1
    Default: 0

    For compatibility with endpoints which do not support large Setup messages or if endpoints send incorrect H.235 tokens, this switch removes all clearTokens and cryptoTokens from Setup and Connect messages.

    If you turn the feature on with setting the switch to 1, the H.235 tokens will be removed from all calls. You can also specify a list of networks, the only calls from these networks get the H.235 tokens removed, eg. RemoveH235Call=,

  • RemoveH460Call=1
    Default: 0

    For compatibility with pre-H323v4 devices that do not support H.460, this switch strips the H.460 feature advertisements from the Setup PDU. Usually they should be ignored anyway; use this switch if they cause trouble.

  • EnableGnuGkNATTraversal=1
    Default: 0

    Enable support for GnuGk's old NAT traversal method for legacy endpoints. You should use H.460.17/.18/.19 for new installations.

  • ForceNATKeepAlive=1
    Default: 0

    Force all non-H.460 registrations to use GnuGk's old NAT traversal method, even when they don't appear to be NATed. Only available when GnuGk's NAT traversal method is enabled.

  • EnableH46017=1
    Default: 0

    Enable support for H.460.17. To enable H.460.19 for the media stream, you should also set EnableH46018=1.

  • EnableH46018=1
    Default: 0

    Enable support for H.460.18 and H.460.19. This feature is covered by patents held by Tandberg. If you don't use the official releases by the GNU Gatekeeper Project, make sure you have a valid license before enabling it.

  • H46018KeepAliveInterval=19
    Default: 19

    Set the H.460.18 keep-alive interval used for H.460.19 endpoints and in H.460.18 traversal zones with neighbors.

  • H46018NoNat=0
    Default: 1

    Enable H.460.18 even if the endpoint is not behind a NAT. Setting to 0 will disable H.460.18 if the endpoint is detected as not being behind a NAT. If H.460.23 is supported and enabled then direct media is still supported.

  • EnableH46023=1
    Default: 0

    Enable support for H.460.23/.24. You must also set STUN servers for H.460.23/.24 to become active.

    Default: N/A

    Sets the STUN server list for use with H.460.23 separated by (,). Each Network interface must have a STUNserver set for H.460.23 support on that interface.

  • H46023PublicIP=1
    Default: 0

    Newer endpoints on public IP addresses can receive calls from endpoints behind NAT. This feature when enabled will presume all endpoints that are not NAT can receive calls from endpoints behind NAT for the purpose of H.460.24 media pathway calculations so to avoid proxying of media. This maybe used in conjunction with AlwaysRewriteSourceCallSignalAddress=0 to trick the remote endpoint to think that the call is coming direct from behind NAT and not routed via the gatekeeper.

  • H46023SignalGKRouted=1
    Default: 0

    Force all call signaling for NAT to be GK routed. There are a number of conditions where call signaling may be offloaded when using H.460.23/.24 This switch will force all the signaling to be Gatekeeper routed.

  • H46024ForceDirect=1
    Default: 0

    Force all media to NOT proxy if the remote NAT status cannot be determined. Most (not all) H.323 devices are able if on a public IP to receive calls from endpoints that are behind NAT. Use this switch with caution.

  • H46024ForceNat=1
    Default: 0

    Where an endpoint is detected as being on the public internet force the device to appear as being firewalled. This resolve inconsistent behaviour where firewalled endpoints on public IP appear not to be firewalled.

  • NATStdMin=18
    Default: N/A

    Require registering endpoints detected as being behind a NAT to support a Standard NAT Traversal mechanism. When an endpoint registers from behind a NAT and does not support the minimum NAT standard then the registration will be rejected with a reason neededFeatureNotSupported. Valid values are "18" for H.460.18/.19 and "23" for H.460.23/.24

  • EnableH46026=1
    Default: 0

    Enable support for H.460.26 (media over TCP).

  • UseH46026PriorityQueue=0
    Default: 1

    Use a priority queue when sending to H.460.26 endpoints. It will batch RTP packets together and make sure the endpoint isn't flooded with more messages than it can handle.

  • TranslateSorensonSourceInfo=1
    Default: 0

    Translate the non-standard caller information eg. from a Sorenson VP200 into sourceAddress and CallingPartyIE.

  • RemoveSorensonSourceInfo=1
    Default: 0

    Remove the non-standard caller information eg. from a Sorenson VP200 after translation.

  • RemoveFaxUDPOptionsFromRM=1
    Default: 0

    An Avaya Communication Manager 3.1 system equipped with TN2602AP media processors becomes confused when it receives t38FaxUdpOptions in t38FaxProfile of H.245 RequestMode. AddPac VoiceFinder is an example of an application which does this. At that point, the TN2602AP will begin to send larger T.38 packets than the receiver can process, resulting in facsimile document distortion. This switch will remove t38FaxUdpOptions from RequestMode, making the combination of Avaya Communication Manager 3.1 equipped and TN2602AP media processors compatible with endpoints which send t38FaxUdpOptions in RM.

  • AlwaysRewriteSourceCallSignalAddress=0
    Default: 1

    When set to false or 0, GnuGk will not rewrite the sourceCallSignalAddress to its own IP in routed mode. This helps some endpoints to get through NATs. In proxy mode, the IP is always rewritten to GnuGk's IP, regardless of this switch.

  • AutoProxyIPv4ToIPv6Calls=0
    Default: 1

    Automatically put calls between different IP versions into full proxy mode. Note that this auto detection only looks at the call signal addresses to make the decision. It is possible that one endpoint decides to use H.245 or media IPs with a different IP version later on and the call will fail if the receiving endpoint isn't capable of handling multiple IP versions.

  • EnableH235HalfCallMedia=1
    Default: 0

    When the endpoint on one side of a call supports encryption and the endpoint on the other side does not, the gatekeeper will act as a "man-in-the-middle" and encrypt the media stream to the encryption-capable system. A decrypted media stream will be sent to the endpoint which is otherwise unable to encrypt / decrypt traffic because of licensing issues, lack of encryption chip support in the hardware, obsolescence, etc. This may be useful if the system you are trying to reach is on the Internet; your internal traffic can remain unencrypted, but your external traffic will be secure.

    Enabling this feature will force call signaling for all calls to routed-mode, and will set it to proxy-mode for encrypted calls.

    When not using RTP multiplexing, the caller and called endpoint must be on different IPs and may not be behind the same NAT. The endpoints also must send RTP from the same IP as their signalling messages.

    As of Version 3.x of GnuGk, encryption of data channels is not supported.

  • RequireH235HalfCallMedia=1
    Default: 0

    Require at least one leg of the call to be encrypted. (Terminate the call if both legs are unencrypted.)

  • H235HalfCallMaxTokenLength=2048
    Default: 1024

    Set the maximum token length for for H.235 half call media. With 1024 bit tokens AES 128 encryption will be used. For token length greather than 1024 GnuGk will use AES 256.

  • EnableH235HalfCallMediaKeyUpdates=1
    Default: 0

    Update media keys after they have been used for too many operations to remain cryptographically safe. This feature has only been tested GnuGk to GnuGk. It seems endpoints from most vendors do not support key updates as defined in H.235.6.

  • Q931DecodingError=Drop
    Default: Disconnect

    Specify GnuGk's reaction to invalid Q.931 messages that it cannot decode. Until version 3.1 GnuGk would "Disconnect" the connection to protect internal endpoints from possibly malicious messages, but if you have some buggy endpoints that you can't get fixed, it might be helpful just to "Drop" this Q.931 message that couldn't be decoded. The last option to simply "Forward" the messages should be used with great care, since invalid messages might cause your endpoints to crash or worse.

  • PregrantARQ=1
    Default: 0

    Use pre-ganted ARQ model: Endpoints don't have to send ARQ before a call and will save one message round-trip in the call establishment. Endpoints that don't support this H.323 version 2 feature and will keep sending ARQs as usual.

    Note: When using this switch in a direct-mode configuration, you will loose almost all control over your calls. When the gatekeeper is in routed-mode, calls without ARQ can still be authenticated on the Setup message.

  • EnableH460P=1
    Default: 0

    WARNING: This is an experimental feature to support the not-yet-released H.460 presence standard.

  • ProxyHandlerHighPrio=0
    Default: 1

    Set the proxy handler for signalling connections to high priority. In some virtual server configurations we have to turn this off if PTLib fails with "pthread_setschedparam failed".

  • H225DiffServ=46
    Default: 0

    Set the DiffServ class (DSCP) for H.225 messages. (On most Windows versions, setting the the DSCP this way won't work.)

  • H245DiffServ=46
    Default: 0

    Set the DiffServ class (DSCP) for H.245 messages. (On most Windows versions, setting the the DSCP this way won't work.)

  • DisableFastStart=1
    Default: 0

    Remove fastStart elements from signalling messages so the endpoints are not able to establish a fastStart connection.

  • DisableSettingUDPSourceIP=1
    Default: 0

    Let the OS decide the source IP for UDP packets. Needed in some rare network configurations, but may break H.460.19 on interfaces with multiple IPs.

  • EnableGnuGkTcpKeepAlive=1
    Default: 0

    Send a empty TPKT keep-alive on all H.225 and H.245 connections. For calls using H.460.18, these keep-alives are enabled automatically, whithout using this switch.

  • DisableGnuGkH245TcpKeepAlive=1
    Default: 0

    Disable the keep-alive on H.245 connections for non-H.460.18 connections (needed due to interop issues with Polycom).

  • GnuGkTcpKeepAliveInterval=29
    Default: 19

    Set keep alive interval in seconds.

  • GnuGkTcpKeepAliveMethodH225=Status
    Default: EmptyFacility

    Set the message to be used for the keep alive on the H.225 connection when H.460.18 is not used.

    Possible values: TPKT, EmptyFacility, Notify, Status, StatusInquiry, Information, None.

  • H460KeepAliveMethodH225=Status
    Default: EmptyFacility

    Set the message to be used for the keep alive on the H.225 connection when H.460.18 is used.

    Possible values: TPKT, EmptyFacility, Notify, Status, StatusInquiry, Information, None.

  • GnuGkTcpKeepAliveMethodH245=TPKT
    Default: UserInput

    Set the message to be used for the keep alive on the H.245 connection when H.460.18 is not used.

    Possible values: TPKT, UserInput, None.

  • H460KeepAliveMethodH245=TPKT
    Default: UserInput

    Set the message to be used for the keep alive on the H.245 connection when H.460.18 is used.

    Possible values: TPKT, UserInput, None.

  • RedirectCallsToGkIP=1
    Default: 0

    Send a Facility redirect to callers when the destCallSIgnallAddress is not one of the gatekeeper's own IPs or the external IP. This can be used to redirect calls directly to the gatekeeper that have been forwarded to it by a load balancer that needs to be removed from the call path.

    Note that this is incompatible with the 'explicit' routing policy and endpoints won't be able to call any other IP via the gatekeeper than the gatekeeper's own IP in many cases.

5.2 Section [Proxy]

The section defines the H.323 proxy features. It means the gatekeeper will route all the traffic between the calling and called endpoints, so there is no traffic between the two endpoints directly. Thus it is very useful if you have some endpoints using private IP behind an NAT box and some endpoints using public IP outside the box.

The gatekeeper can do proxy for logical channels of RTP/RTCP (audio and video) and T.120 (data). Logical channels opened by fast-connect procedures or H.245 tunneling are also supported.

Note to make proxy work, the gatekeeper must have direct connection to both networks of the caller and callee.

  • Enable=1
    Default: 0

    Whether to enable the proxy function. You have to enable gatekeeper routed mode first (see the previous section). You don't have to specify H.245 routed. It will automatically be used if required.

  • InternalNetwork=
    Default: N/A

    If you want to override automatic detection of networks behind the proxy, you may do so by specifying them here. Multiple internal networks are allowed. Packets to internal networks will use the local interface as sender instead of the default IP or ExternalIP. For internal networks, the proxying can be disabled, even when global proxying is activated.


    InternalNetwork=network address/netmask[,network address/netmask,...]

    The netmask can be expressed in decimal dot notation or CIDR notation (prefix length), as shown in the example.



  • ProxyAlways=1
    Default: 0

    Always proxy all calls regardless of other settings.

  • T120PortRange=40000-40999
    Default: N/A (let the OS allocate ports)

    Specify the range of TCP port number for T.120 data channels. Note the range size may limit the number of concurrent calls. See remarks about TIME_WAIT socket state timeout in the Q931PortRange description.

  • RTPPortRange=50000-59999
    Default: 1024-65535

    Specify the range of UDP port number for RTP/RTCP channels. Since RTP streams require two sockets, the range must contain an even number of ports. Note that the size of the specified range may limit the number of possible concurrent calls.

  • ProxyForNAT=1
    Default: 0

    If set, the gatekeeper will function as a proxy for calls where one of the participating endpoints is behind a NAT box. This ensures the RTP/RTCP stream can penetrate into the NAT box without modifying it. However, the endpoint behind the NAT box must use the same port to send and receive RTP/RTCP stream. If you have bad or broken endpoints that don't satisfy the precondition, you should disable this feature and let the NAT box forward RTP/RTCP stream for you.

  • ProxyForSameNAT=1
    Default: 0

    Whether to proxy for calls between endpoints from the same NAT box. There is a degree of uncertainty when endpoints are behind the same NAT as to whether they can communicate directly as one or both may be on subNATs. Disable this feature with caution.

  • DisableRTPQueueing=0
    Default: 1

    Sometimes GnuGk will receive RTP data before it knows where to forward it to. GnuGk can buffer this data up to a certain amount and send it once the destination becomes available. In some cases this can cause a short loopback of RTP data.

  • EnableRTPMute=1
    Default: 0

    This setting allows either call party in media proxy mode to mute the audio/video by sending a * as either string or tone.userinput. The sending of * mutes the audio/video and a subsequent send of * unmutes the audio/video. Only the party who muted the call can unmute. This is designed as a hold function for terminals which do not support H450.4.

  • EnableRTCPStats=1
    Default: 0

    When enabled, GnuGk will collect RTCP sender reports (eg. to send them to a Radius server).

  • RemoveMCInFastStartTransmitOffer=1
    Default: 0

    Remove the mediaChannel from fastStart transmit offers. For unicast transmit channels, mediaChannel should not be sent on offer; it is the responsibility of the callee to provide mediaChannel in an answer.

  • SearchBothSidesOnCLC=1
    Default: 0

    The H.245 CloseLogicalChannel request should only reference the endpoint's own logical channels. Some bad endpoint implementations require searching and closing logical channels for the other endpoint as well. Up to version 2.3.0 GnuGk did this automatically, but it can break channel establishment in some cases, so you must enable this switch if you have these broken endpoints.

  • CheckH46019KeepAlivePT=0
    Default: 1

    Verify the correct payload type on H.460.19 keep alive packets. Disable for endpoints advertising an incorrect payload type.

  • RTPMultiplexing=1
    Default: 0

    Enable H.460.19 RTP multiplexing. H.460.19 must be enabled for multiplexing.

    NOTE: To change RTP multiplexing settings, including ports, you must restart GnuGk. A configuration reload will not re-read this configuration item.

  • RTPMultiplexPort=4000
    Default: 3000

    Set the RTP port for H.460.19 RTP multiplexing.

  • RTCPMultiplexPort=4001
    Default: 3001

    Set the RTCP port for H.460.19 RTP multiplexing.

  • RTPDiffServ=46
    Default: 4

    Set the DiffServ class (DSCP) for proxied RTP. The default value corresponds to the old IPTOS_LOWDELAY flag we have used previously. New installations should use eg. 46 which is DSCP EF reccomended for RTP. For IPv6 packets the TCLASS is set. (On most Windows versions, setting the the DSCP this way won't work.)

  • ExplicitRoutes=,,
    Default: n/a

    Add explicit routing rules to GnuGk's internal routing table. Rules can have 2 formats: sourceIP/mask or network/mask-sourceIP. The above example would use as sender IP for all messages to the network and for messages to the network. Messages to the network get as sender IP. All sender IPs should be included in the list of Home IPs.

  • IgnoreSignaledIPs=1
    Default: 0

    Ignore all IPs for RTP streams signaled by the endpoints and rely 100% on port auto detection. In some cases this results in much better NAT traversal for unregistered endpoints and endpoints not capable of a NAT traversal protocol. This feature gets automatically disabled for calls from endpoints using H.460 NAT traversal and for H.239 video streams which are unidirectional by nature so we can't use auto detection.

  • IgnoreSignaledPrivateH239IPs=1
    Default: 0

    Also ignore IPs signaled for H.239 streams if they are private IPs.

  • AllowSignaledIPs=,
    Default: n/a

    When IgnoreSignaledIPs is active, don't ignore IPs from these networks (eg. because they don't actively send an RTP stream and only provide a loopback).

  • UpdateCalledPartyToH225Destination=1
    Default: 0

    With this switch you can let GnuGk update the CalledPartyNumber element in outgoing Setup messages to the first E.164 number of the H.225 destinationAddress or remove it if none of the destinations is an E164 number. This is intended to aid interoperability with gateways that use the CalledPartyNumber instead of the H.225 destinationAddress.

  • FilterVideoFastUpdatePicture=10
    Default: 0

    When endpoints notice that the video image quality is degrading, they can notify the remote side with a H.245 VideoFastUpdatePicture message. The remote side usually responds by sending a full I-Frame instead of partial image updates.

    Usually thats a good thing. But in some cases having too many update requests increases the bandwidth usage drastically and can worsen the situation.

    When you set this switch to 1, GnuGk will allow 1 update request per second. If you set it to 10, GnuGk will allow 1 request every 10 seconds.

  • LimitRTPSources=IP
    Default: n/a

    Only accept RTP form the same IP where the call signaling goes to. When Set to 'Net', RTP from the whole class C network (/24 netmask) is accepted (or /64 netmask for IPv6).

    This setting protects against RTP bleed atacks, but may break valid calls where call signaling and RTP come from different IPs.

  • LegacyPortDetection=1
    Default: 0

    Keep port detection help for some very old and broken endpoints that will make your gatekeeper vulnerable to RTP Bleed attacks.

    Note: This is a SECURITY RISK!

5.3 Section [ModeSelection]

In routed mode or proxy mode, you may use this section to specify the exact routing mode (routed mode, routed mode plus H.245 routing or proxy mode) on a per-IP network basis.



The network is specified by an IP plus optional CIDR, eg. The rule for the network with the longest netmask is used (the most specific).

Possible modes are (the names are case in-sensitive)

    Routed mode where Q.931 messages are routed, but not H.245 messages (unless H.245 tunneling is active).
  • H245ROUTED
    Routed mode plus H.245 routing.
    Proxy mode with RTP proxying.

The first mode is used for calls into and out of the specified network. The second mode is used for calls that stay inside the network. If only one mode is specified it is used for both cases.


In this example calls into and out of the network are proxied, but calls that remain inside this network are in routed mode. Calls in the are always proxied, even when they remain inside the network, unless IP is involved. If 2 networks have a rule for the call, the one with the most proxying is used, eg. a call from to would be proxied.


If no rules match the settings then [RoutedMode]GkRouted=, H245Routed= or [Proxy]Enable= are used to determine the routing mode.

There are a few cases where these rules don't apply, because the GNU Gatekeeper knows that the call needs proxying: For example calls involving H.460.18/.19 will always be proxied (because this protocol requires proxying).

5.4 Section [ModeVendorSelection]

In routed mode or proxy mode, you may use this section to specify the exact routing mode (routed mode, routed mode plus H.245 routing or proxy mode) on vendor specific basis. The vendor information is collected from the H225_EndpointType field of the setup and connect message



The vendor is specified by an string matching value. The rule for the longest string match is used (the most specific).

Possible modes are in accordance with the [ModeSelection] section above.


VoIP Technologies=PROXY

Next Previous Contents

Chapters: Contents · Introduction · Installation · Getting started · Basic Config · Routed Mode & Proxy · Routing · RAS Config · Authentication · Accounting · Neighbors · Per Endpoint Config · Advanced Config · Monitoring · Advanced Topics

Last updated: 09. Jun 2018