Figure 12 Gatekeeper example configuration
All of the endpoints in the enterprise will be assigned to the default subzone. The Traversal
subzone controls traversal traffic flowing through the Gatekeeper, whilst the Traversal Zone
controls all traffic traversing the enterprise firewall and passing on to the Border Controller.
Both subzones and the Traversal Zone are linked: the link between the default subzone and
the Traversal Zone is used by endpoints that can send media directly to the Border
Controller. The other two links are used by endpoints using the Gatekeeper to traverse the
firewall.
Both the Border Controller and Gatekeeper are shipped with Default and Traversal Zones and
Default and Traversal subzones already configured. They are also preconfigured with the
links between these zones to allow calls to be placed. You may delete or amend the default
links if you need to model restrictions of your network. The default links may be restored by
running the command:
xCommand DefaultLinksAdd
3.7 Registration Control
The TANDBERG Gatekeeper can control which endpoints are allowed to register with it. Two
separate mechanisms are provided: a simple Registration Restriction Policy and an
authentication process based on user names and passwords. It is possible to use both
mechanisms at once: authentication to verify an endpoint’s identity from a corporate directory
and registration restriction to control which of those authenticated endpoints may register with
a particular Gatekeeper.
3.7.1 Registration Restriction Policy
When an endpoint registers with your Gatekeeper it presents a list of aliases. By default,
registration restriction policy is set to None. In this state, any endpoint may register. The
registration restriction policy can be configured using the following command:
xConfiguration Gatekeeper RegistrationRestrictionPolicy [None | AllowList | DenyList]
or by using the web interface, on the Gatekeeper Configuration > Restrictions page (see
Figure 13 for a screenshot of the Registration Restrictions Configuration). If the policy is set to
AllowList, only those endpoints with an alias which matches an entry in the AllowList may
register. Conversely, if the policy is set to DenyList, all endpoints may register, unless they