Special Issues 423NBX ConneXtions does not support the Layer 3 (IP) 6-bit TOS/DS priorityfield. However, it is usually possible for IP routers to use these priorityschemes if they are configured to prioritize H.323 packets.Special Issues This section describes issues related to H.323 telephony in general and toConneXtions gateways in particular. These include:■ Firewall Security■ Gateway Load■ Remote Access■ PBX Connections■ Class of Service■ IP Type of Service and Differentiated Services■ Alternate GatekeepersFirewall Security Firewalls determine which packets can cross the boundary between aprotected network (intranet) and the public internet. The networkadministrator specifies crossing privileges according to network needsand policies. Control criteria consists of direction of transfer, source anddestination address, packet type, and access ports.Firewalls affect, and are affected by, H.323 gateways. For example,firewall processing increases packet delay while the complexity of theH.323 protocol complicates the firewall programming.The only way to safely avoid firewall delays is to exclude outside internetaccess. This means calls can only be made within the secure intranet.In some business applications, it is possible to eliminate the firewall delayby setting up a dedicated physical connection between the H.323gateway and the router. This approach, which requires a second NIC inthe ConneXtions PC system, bypasses the firewall and puts the burden ofdiscriminating against non-H.323 packets on the gateway. The PC systemthat runs the ConneXtions software must be secure.Systems that must conform to very conservative firewall policies can use aVirtual Private Network (VPN) if they need to filter incoming H.323 callsfrom the public Internet. An alternative is to use a firewall with H.323proxy support.