gatekeeper

GNU Gatekeeper 5.3 released

I have just released GNU Gatekeeper version 5.3.

You can download it from https://www.gnugk.org/h323download.html

This release has a number of new features as well as some important bug
fixes.

What's new?

  • LRQ loop detection to optimize call flows between multiple neighbor gatekeepers. This new feature has the potential to significantly reduce the load on all gatekeepers and prevent "LRQ storms".
  • new routing policy to set call destinations by querying HTTP or REST servers, see [Routing::Http]
  • much improved support for SNMP
  • important bug fix for TLS encryption of signaling channels
  • important bug fixes for H.460.18 NAT traversal (for H.245 tunneling and for multi-homed servers)
  • performance optimization: this version can handle 5-10% more proxied calls on the same hardware
  • performance optimization: re-authenticate lightweight, additive registrations only when new aliases differ. This significantly reduces the load on password databases.

Enjoy!


Full change log:

- BUGFIX(ProxyChannel.cxx) don't send H.245 address to tunneling
  H.460.18 endpoint, breaks call when H.245 multiplexing
- performance optimization: 5% faster UDP handling
- changed default: [SNMP] Implementation=PTlib
- remove unfinished Windows-SNMP implementation, use PTLib-SNMP on Windows
- support SET and GET-NEXT in PTLib-SNMP
- support SNMP sysUpTime when running as standalone agent
- BUGFIX(configure.in) LARGE_FDSET defaults to off
- new SNMP OID 1.3.6.1.4.1.27938.11.1.9 to query total bandwidth allocated to ongoing calls
- BUGFIX(ProxyChannel.cxx) fix hangup when making many TLS calls quickly one after another
- BUGFIX(RasSrv.cxx) don't require H.460.22 parameters in ARQs
- BUGFIX(ProxyChannel.cxx) fix TLS without LARGE_FDSET
- BUGFIX(ProxyChannel.cxx) don't send H.460.22 priority field in SCI
- BUGFIX(gkauth.cxx) free memory from cached and expired passwords
- re-authenticate lightweight, additive registrations only when new aliases differ
- remove switch [Proxy]DisableRTPQueueing, always disabled now
- new routing policy: http with config section [Routing::Http]
- BUGFIX(ProxyChannel.cxx) fix H.460.18 on multi-homed servers (SCI comes from the correct IP now)
- new switch to disable SNMP traps [SNMP] EnableTraps=0
- BUGFIX(ProxyChannel.cxx) don't throw SNMP trap on H.245 connection errors
  (causes crash under load with Net-SNMP)
- BUGFIX(snmp.cxx) shutdown GnuGk when SNMP agent can't be started
- BUGFIX(snmp.cxx) protect NetSNMP library calls with mutex
- changed default: ForwardResponse now defaults to 1 in [RasSrv::LRQFeatures] and [Neighbor::...]
- new feature: loop detection for LRQs [RasSrv::LRQFeatures] LoopDetection=1
- BUGFIX(Neighbor.cxx) some settings in [RasSrv::LRQFeatures] were ignored if not set in [Neighbor::...]





GNU Gatekeeper 5.4 released

I am happy to announce the release of GNU Gatekeeper 5.4.

You can download it from https://www.gnugk.org/h323download.html

New features:

  • new accounting module to send accounting data to an MQTT server
  • support for redis as database (eg. as backend for password storage)

Bug fixes:
  • important fix for H.245 tunneling translation with H.460.18 endpoints
  • fix for snmpwalk in PTLib-SNMP implementation
  • fix sending alternate gatekeeper list to endpoints with assigned gatekeeper
  • improved DRQ from child gatekeepers
  • fix TLS with neighbor gatekeeper


Please also note that a bug has been found in PTLib that can cause a crash in any GnuGk version if you use the status port (manually or from an application). Please upgrade to PTLib 2.10.9.3!





GNU Gatekeeper 5.5 released

I am happy to announce the release of GNU Gatekeeper 5.5.

This release has new features and bug fixes when you run clustered gatekeepers. It also improves the port detection feature and we have complete and up-to-date Chinese documentation.

You can download it from https://www.gnugk.org/h323download.html

New features:

  • new feature GnuGkAssignedGatekeeper to push endpoints back to their intended home gatekeepers in the cluster, even if the endpoints don't support assigned gatekeepers
  • support new PBKDF2 password hashes for ssh logins to the status port
  • new switches to fine tune port detection for H.239 channels (IgnoreSignaledPublicH239IPsFrom=x and IgnoreSignaledAllH239IPs=1)
  • new Chinese manual

Bug fixes:
  • select correct source IP for neighbor pings
  • set altGKisPermanent=true when redirecting endpoints
  • fix RRJ to include alternates when RedirectGK=Endpoints limit is reached
  • fix reading of AllowSignaledIPs= switch
  • don't complain about [Neighbor::xxx] SendAliases switch when using --strict

Enjoy!





GNU Gatekeeper 5.6 released

Today GNU Gatekeeper version 5.6 has been released.

Download: https://www.gnugk.org/h323download.html

It contains an important bug fix to H.460.19 multiplexing and H.460.26 (media over TCP) when using GnuGk's internal call forwarding (ForwardOnFacility).

I have also added an interop tweak to be able to call video services that don't understand H.323 URL aliases (eg. videobutler.nl). You can enable it with

[Routing::SRV]
ConvertURLs=1

Here is the full changelog:

  • new switch: [Routing::SRV] ConvertURLs=1 to convert URL_IDs into H323_IDs
  • BUGFIX(ProxyChannel.cxx) fix RTP multiplexing and H.460.26 when ForwardOnFacility is used
  • BUGFIX(ProxyChannel.cxx) remove H.460.19 feature from Setup when using ForwardOnFacility=1
  • new switch: [Gatekeeper::Main] GrantAllBRQ=1 to accept any BRQ, even if the conferenceID is invalid






Using the GNU Gatekeeper to create TLS tunnels

Most H.323 vendors did not implement encrypting the signaling connection with TLS. They only encrypt the media (RTP). But you can use two GNU Gatekeepers to encrypt your call signaling even when your endpoints don't support this natively.

Suppose you have 2 locations and want to connect them securely over the public internet.

GnuGk can encrypt call signalling between those locations using TLS and encrypt the media (RTP) using H.235.6 (AES encryption). 


Configuration for GNU Gatekeeper 1 (prefix 01)

 

[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1

[Proxy]
Enable=1

[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED

[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS

[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 02
1.2.3.4:1300=remote-gw;02

[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1 
 

Configuration for GNU Gatekeeper 2 (prefix 02)

[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1

[Proxy]
Enable=1

[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED

[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS

[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 01
1.2.3.5:1300=remote-gw;01

[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1 
 

Other options

You could also configure the remote GNU Gatekeeper as a neighbor, but beware that the RAS traffic between neighbors will show metadata (who is calling whom) in clear text!

See the GnuGk manual section on TLS for more details and examples of how to generate the OpenSSL certificates.
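
As an added example (not part of the original post and not GnuGk project code), the Python script below checks a gatekeeper config for the tunnel settings the two configurations above rely on. The function name audit_tunnel and both sample strings are constructed for illustration, and taking the first alias before the ";" in [RasSrv::PermanentEndpoints] is an assumption based on the format shown above.

```python
import configparser

# (section, key, expected value) for the settings the article's tunnel relies on
REQUIRED = [
    ("RoutedMode", "H245TunnelingTranslation", "1"),
    ("RoutedMode", "RequireH235HalfCallMedia", "1"),
    ("TLS", "EnableTLS", "1"),
    ("TLS", "CheckCertificateIP", "1"),
    ("FileIPAuth", "any", "onlyTLS"),
]

def audit_tunnel(text):
    """Return a list of findings; an empty list means every check passed."""
    # Only '=' delimits: keys like 1.2.3.4:1300 contain ':', values like remote-gw;02 contain ';'.
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep key case as written in the file
    cfg.read_string(text)
    findings = []
    for section, key, want in REQUIRED:
        got = cfg.get(section, key, fallback=None)
        if got != want:
            findings.append(f"[{section}] {key}={got!r}, expected {want!r}")
    if not cfg.get("Gatekeeper::Auth", "FileIPAuth", fallback="").startswith("required"):
        findings.append("[Gatekeeper::Auth] FileIPAuth is not 'required'")
    # Every permanent endpoint (the remote GnuGk) must be called with TLS.
    if cfg.has_section("RasSrv::PermanentEndpoints"):
        for addr, value in cfg.items("RasSrv::PermanentEndpoints"):
            alias = value.split(";")[0].split(",")[0].strip()  # assumed format
            if cfg.get(f"EP::{alias}", "UseTLS", fallback="0") != "1":
                findings.append(f"{addr}: [EP::{alias}] UseTLS=1 not set")
    return findings

# Constructed sample, trimmed from the article's configuration for gatekeeper 1.
SAMPLE_OK = """\
[RoutedMode]
H245TunnelingTranslation=1
RequireH235HalfCallMedia=1
[TLS]
EnableTLS=1
CheckCertificateIP=1
[Gatekeeper::Auth]
FileIPAuth=required;Setup
[FileIPAuth]
any=onlyTLS
[RasSrv::PermanentEndpoints]
1.2.3.4:1300=remote-gw;02
[EP::remote-gw]
UseTLS=1
"""
# Constructed weak variant: plain-text calls accepted, no TLS to the remote GnuGk.
SAMPLE_WEAK = SAMPLE_OK.replace("any=onlyTLS", "any=allow").replace("UseTLS=1", "UseTLS=0")

if __name__ == "__main__":
    print(audit_tunnel(SAMPLE_OK), audit_tunnel(SAMPLE_WEAK), sep="\n")
```

Run it against both gatekeepers' config files; a tunnel is only as strong as the weaker side, so both should return an empty list.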

 





GNU Gatekeeper 5.7 released

GNU Gatekeeper version 5.7 has some important bug fixes, improves interoperability
with other vendors and also has a few new features.
 

Several severe crashes and a few memory leaks have been fixed.

Improved interoperability with:

  • Lifesize endpoints
  • Poly's Microsoft Teams gateway
  • Polycom RealPresence Capture Server


New features:

  • You get a warning in the GUI / on the status port if one of your endpoints has an incorrect time setting and thus password authentication fails. This makes troubleshooting a lot easier.
  • Invalid TPKT packets (eg. due to network errors) now don't necessarily take down an otherwise healthy call. Use the new AbortOnInvalidTPKT=0 switch to enable.
  • GnuGk will now also return unused memory back to the OS periodically to make it available again to other applications on the same server.
  • You have a new %{Vendor} variable for SqlAuth RegQuerys and LuaAuth



Full change log:

- BUGFIX(ProxyChannel.cxx) fix crash on non-standard H.245 Indication from
  Polycom RealPresence Capture Server
- BUGFIX(ProxyChannel.cxx) fix possible crashes on non-standard generic information in OLCs
- print warning message on status port when passwords get rejected due to wrong time
- BUGFIX(httpacct.cxx) fix memory leak
- BUGFIX(ProxyChannel.cxx) fix possible crash
- BUGFIX(gk.cxx) avoid crash when terminating in the middle of program startup,
  set non-zero exit code so restarter notices error
- return unused memory back to OS periodically
- new switch: [RoutedMode] AbortOnInvalidTPKT=0 for more graceful handling of network errors
- BUGFIX(gk.cxx) fix for running on Alpine Linux (needs updated PTLib, too)
- don't start GnuGk if RTP multiplexing is configured, but we can't start the listener
- new switch: [RoutedMode] MatchH239SessionsByType=0 to fix presentations with
  LifeSize endpoints over Poly's Microsoft Teams gateway
- BUGFIX(ProxyChannel.cxx) make sure we don't set RTP address on multiplexed RTCP keepalive
- BUGFIX(RasSrv.cxx) look at all tokens for H.235.TSSM
- add %{Vendor} variable for SqlAuth RegQuery and LuaAuth





GNU Gatekeeper 5.8 released

GNU Gatekeeper version 5.8 has been released with a number of bug fixes and a few new features.

To stay updated on new releases, please also follow us on Twitter!

Improved interoperability with:

  • EdgeProtect
  • Avaya

New features:

  • experimental support for Avaya's non-standard version of H.323 (./configure --enable-avaya) (thanks Konstantin Prokazov)
  • consider RFC 6598 shared network space (100.64.0.0/10) and Zeroconf (169.254.0.0/16) as private IPs
  • new switch [Proxy] AllowSignaledIPsFrom= to skip auto-detect for messages received directly from certain IPs when IgnoreSignaledIPs=1
  • new switch [Proxy] AllowAnyRTPSourcePortForH239From= to handle incorrect RTCP addresses in H.239 OLC (EdgeProtect interop)
  • new switch [RoutedMode] MatchH239SessionsByIDOnly= to never attempt to match a H.239 reverse channel by type for improved interoperability with EdgeProtect
  • new switches to set the HTTP Content-Type header in HttpAcct, HttpPasswordAuth and Routing::Http
  • new switch [Routing::Http] JSONResponse=1 to send more flexible routing data in the HTML responses
  • many new status port shortcuts (see manual section for details)

Bug fixes:

  • fix H.460.18/.19 on multi-homed servers
  • fix race condition when handling H.460.19 multiplex IDs
  • fix media loop on half port-detected channel when media is very early
  • fix Net-SNMP query for total bandwidth
  • save RTCP address from OLC for port-detection
  • always check AllowSignaledIPs= before applying IgnoreSignaledAllH239IPs or IgnoreSignaledPrivateH239IPs
  • handle extensions and CSRC in RTP header with H.235 half-call media
  • better endpointIDs on Windows when compiling without OpenSSL






GNU Gatekeeper 5.9 released

GNU Gatekeeper version 5.9 is out with a number of bug fixes and a few new features.

Download: https://www.gnugk.org/h323download.html

New features:

  • new switches [Proxy] CachePortDetection=1 and CachePortDetectionDuration= to cache port detection packets for faster media connects when IgnoreSignaledIPs= is active
  • new switch: [EP::] ForceTerminalType=
  • new place holder for port notifications: %t for port type
  • experimental: better error recovery if multiplexed RTP sending fails

Please note that Radius support is disabled by default now. You can enable it with the --enable-radius switch when running configure.

Bug fixes:

  • fix bug in port detection with AllowSignaledIPsFrom=
  • when DNS name resolves to IP without alias, remove alias from ACF completely (Cisco interop)
  • remove RTP session 0 from internal tables once H.245 master has assigned a session ID
  • fix compilation of Avaya support
  • initialized cmsg struct to zero before using
  • fix regression introduced with MatchH239SessionsByIDOnly= switch






GNU Gatekeeper 5.10 released

 

GNU Gatekeeper version 5.10 has been released.

Download: https://www.gnugk.org/h323download.html

This is a bug fix release.

Bugs fixed:

  • fix a crash when handling the MasterSlaveDetermination message
  • fix the documentation of [RasSrv::LRQFeatures] NeighborTimeout and consistently treat the value as 10th of a second in the program





GNU Gatekeeper 5.11 released

GNU Gatekeeper version 5.11 has been released.

Download: https://www.gnugk.org/h323download.html

This is a bug fix release with a few new features added.

An important bug in the handling of the ExternalIP switch has been fixed.

We also added a few features that make it easier to use GnuGk with Grafana and InfluxDB monitoring.

Changes and additions:

  • remove non-working command line switch -e / --externalip, use config file to set ExternalIP
  • new accounting variables %{registrations}, %{calls}, %{total-calls}, %{successful-calls}, %{allocated-bandwidth}
  • new switch [HttpAcct] Authorization= to send authorization headers to support InfluxDB
  • replace and in HttpAcct body with carriage return and line feed characters
  • new switch: [RasSrv::LRQFeatures] PreserveDestination=1 (helpful when calling Pexip servers)






GNU Gatekeeper 5.12 released

GNU Gatekeeper version 5.12 has been released.

Download: https://www.gnugk.org/h323download.html

This is a bug fix release with a few new features added.

Another important bug in the handling of the ExternalIP switch has been fixed as well as Y2K38 issues.

This release also adds features:

  • support for Oracle databases
  • easier cloud deployment with IP detection with STUN
  • better load scaling by mixing proxied with direct mode endpoints in a single gatekeeper
  • Windows 64bit executables with VS2022

Full list of changes:
  • enable more runtime hardening flags from OpenSSF recommendation 11/2023
  • fix bug with H.245 address when using ExternalIP= switch without H.460.18/.19
  • auto-detect public IP with ExternalIP=STUN and STUNServer=stun.example.com
  • compiler support for VS2022
  • new database driver for Oracle and new timestamp format 'Oracle'
  • new switch [EP::xxx] ForceDirectMode=1 to handle all calls from this endpoint in direct mode
  • BUGFIX(RasSrv.cxx, gkauth.cxx) make sure time_t is handled unsigned to avoid Y2K38 issue
  • BUGFIX(ProxyChannel.cxx) check for too small packets when acting as encryption proxy


 






Information Gatekeepers – Aren't We All?

In today’s knowledge environment, individuals and groups who gather relevant information about the organization’s external environment and distribute that information for use by their colleagues receive increasing attention and are viewed with great importance. These individuals have been named Information Gatekeepers. Thus far, researchers have not established a unanimous and interdisciplinary definition regarding the human information gatekeeper. Nonetheless, a recurrent theme in previous papers regards gatekeepers as a select few throughout the organization. This approach creates two kinds of employees based on a specific set of criteria – those who are gatekeepers and those who are not. The main goal of this research is to examine whether gate keeping is an individual attribute that exists or does not exist within the organization, or whether gate keeping is a continuous attribute that exists within every member and throughout the organization in varying intensity subject to differences in personal characteristics and other factors. We find that evidence to the existence of latter approach is significant and suggest practical recommendations that arise from these findings.





MacOS Trojan Disables Gatekeeper To Deploy Malicious Payloads





The Gatekeeper, by Kate Fall

A pacy, personal but unrevealing account of David Cameron’s government





Get a body M.O.T with ESPA Life's Gatekeeper

London has more fancy hotel spas than you can shake a stick at. But nestled in the heart of the five-star Corinthia is a gem that delivers much more than just a few hours of pampering.





The social media side door : how to bypass the gatekeepers to gain greater access and influence / Ian Greenleigh

Greenleigh, Ian





Market gatekeepers