Firewalls should have any H.323-aware mode (ALG/Application Layer Gateway for H.323) disabled. ALGs are intended to help with firewall traversal but are not required when H.460 is in use and can cause problems (typically, failure of inbound audio, video, or content channels). How to change this depends on the manufacturer of your firewall. In many firewalls, this mode is enabled by default and has to be actively turned off. Some examples are:

  • Checkpoint: create rules matching the port ranges described above and with a source/destination of Set the protocol for these rules to be None, which disables all inspection of matching traffic. Alternatively, the GUI of your Checkpoint firewall might allow you to disable all H.323 features under SmartDefense > Application Intelligence > VoIP
  • Cisco PIX or ASA: remove the fixup and inspect commands for H.323, H.225, and RAS protocols
  • Fortinet/Fortigate: delete the session helpers for RAS (port 1719) and H.225 (port 1720). In the default configuration, these are session helpers 2 and 3
  • Juniper: follow these instructions to disable the ALG for H.323
  • Palo Alto Networks: disable the ALG (Application Layer Gateway) for H.323
  • Sonicwall: follow these instructions to disable Enable H.323 Transformation under VOIP > Settings > H.323 Settings
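
To confirm the change took effect on the Cisco and Fortinet devices listed above, the following added example (not vendor tooling and not part of the original page) scans a saved text export of the running configuration for H.323 inspection that is still active. The function names and both sample exports are constructed for illustration.

```python
import re

# Constructed sample exports (illustrative, not from a real device).
ASA_SAMPLE = """\
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  no inspect sip
"""
FORTI_SAMPLE = """\
config system session-helper
    edit 1
        set name pptp
        set port 1723
    next
    edit 2
        set name h323
        set port 1720
    next
    edit 3
        set name ras
        set port 1719
    next
end
"""

CISCO_RE = re.compile(r"^\s*(inspect h323 (?:h225|ras)|fixup protocol h323\b.*?)\s*$")
H323_PORTS = {"1719", "1720"}  # RAS and H.225, as listed above

def cisco_h323_lines(config):
    """Return active H.323 inspect/fixup lines; negated 'no ...' lines do not match."""
    return [m.group(1) for line in config.splitlines() if (m := CISCO_RE.match(line))]

def fortigate_h323_helpers(config):
    """Return IDs of session helpers still bound to port 1719 or 1720."""
    hits, in_block, current = [], False, None
    for raw in config.splitlines():
        words = raw.split()
        if words[:3] == ["config", "system", "session-helper"]:
            in_block = True
        elif in_block and words[:1] == ["end"]:
            in_block = False
        elif in_block and words[:1] == ["edit"]:
            current = words[-1]
        elif in_block and words[:2] == ["set", "port"] and words[-1] in H323_PORTS:
            hits.append(current)
    return hits
```

An empty list from either function means the export no longer contains the H.323 helper or inspection entries; any returned line or helper ID still needs to be removed.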