Cisco Expressway Maintenance Manual
About firewall traversal
The purpose of a firewall is to control the IP traffic entering your network. Firewalls will generally block
unsolicited incoming requests, meaning that any calls originating from outside your network will be
prevented. However, firewalls can be configured to allow outgoing requests to certain trusted destinations,
and to allow responses from those destinations. This principle is used by Cisco's Expressway technology to
enable secure traversal of any firewall.
The Expressway solution
The Expressway solution consists of:
- An Expressway-E located outside the firewall on the public network or in the DMZ, which acts as the firewall traversal server.
- An Expressway-C or other traversal-enabled endpoint located in a private network, which acts as the firewall traversal client.
The two systems work together to create an environment where all connections between the two are
outbound, i.e. established from the client to the server, and thus able to successfully traverse the firewall.
We recommend that both the Expressway-E and the Expressway-C run the same software version.
How does it work?
The traversal client constantly maintains a connection via the firewall to a designated port on the traversal
server. This connection is kept alive by the client sending packets at regular intervals to the server. When the
traversal server receives an incoming call for the traversal client, it uses this existing connection to send an
incoming call request to the client. The client then initiates the necessary outbound connections required for
the call media and/or signaling.
This process ensures that from the firewall’s point of view, all connections are initiated from the traversal
client inside the firewall out to the traversal server.
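The exchange described above, modelled as an added example that is not Cisco's Assent or H.460.18/H.460.19 implementation: both roles run on 127.0.0.1 in one process, the message names (REGISTER, KEEPALIVE, INCOMING_CALL, MEDIA_HELLO, MEDIA_OK) are constructed for the illustration, and a list stands in for the firewall's view of connection direction. The point it shows is the one the text makes: the server only ever accepts connections, the incoming call request travels over the connection the client already holds open, and the media path is then opened by the client.

```python
"""Toy model of outbound-only firewall traversal (added illustration,
not Cisco's protocol; message names below are constructed)."""
import socket
import threading

REGISTER = b"REGISTER\n"
KEEPALIVE = b"KEEPALIVE\n"


def _listen():
    """Listening TCP socket on an ephemeral localhost port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def _expect(stream, wanted):
    """Read one line and fail loudly if it is not the expected message."""
    got = stream.readline()
    if got != wanted:
        raise RuntimeError(f"expected {wanted!r}, got {got!r}")


def traversal_server(control_sock, media_sock, events):
    """Expressway-E role: only accepts connections, never dials the client."""
    conn, _ = control_sock.accept()
    ctl = conn.makefile("rwb")
    _expect(ctl, REGISTER)
    events.append("E: traversal client registered")
    # Keepalives arrive on the same connection; one suffices for the demo.
    _expect(ctl, KEEPALIVE)
    events.append("E: keepalive received, control connection still open")
    # An external caller reaches E. E relays the request over the connection
    # C already opened instead of trying to connect inbound through the firewall.
    media_port = media_sock.getsockname()[1]
    ctl.write(f"INCOMING_CALL media_port={media_port}\n".encode())
    ctl.flush()
    events.append("E: incoming call relayed over existing control connection")
    mconn, _ = media_sock.accept()
    media = mconn.makefile("rwb")
    _expect(media, b"MEDIA_HELLO\n")
    media.write(b"MEDIA_OK\n")
    media.flush()
    events.append("E: client opened outbound media connection")
    for s in (media, mconn, ctl, conn):
        s.close()


def traversal_client(control_port, events, firewall_log):
    """Expressway-C role: every TCP connection it uses is one it initiated."""
    def connect(port):
        # All the "firewall" sees: an outbound connection from C.
        firewall_log.append(("outbound", port))
        return socket.create_connection(("127.0.0.1", port))

    conn = connect(control_port)
    ctl = conn.makefile("rwb")
    ctl.write(REGISTER)
    ctl.write(KEEPALIVE)
    ctl.flush()
    events.append("C: registered and sent keepalive")
    line = ctl.readline().decode().strip()
    if not line.startswith("INCOMING_CALL "):
        raise RuntimeError(f"unexpected message {line!r}")
    media_port = int(line.split("media_port=")[1])
    events.append("C: incoming call request received on kept-alive connection")
    mconn = connect(media_port)
    media = mconn.makefile("rwb")
    media.write(b"MEDIA_HELLO\n")
    media.flush()
    _expect(media, b"MEDIA_OK\n")
    events.append("C: outbound media connection established")
    for s in (media, mconn, ctl, conn):
        s.close()


def run_traversal_demo():
    """Run both roles; return (event log, connections as the firewall saw them)."""
    control_sock, media_sock = _listen(), _listen()
    events, firewall_log = [], []
    server = threading.Thread(target=traversal_server,
                              args=(control_sock, media_sock, events))
    server.start()
    traversal_client(control_sock.getsockname()[1], events, firewall_log)
    server.join()
    control_sock.close()
    media_sock.close()
    return events, firewall_log


def all_connections_outbound(firewall_log):
    """True when every connection was initiated by the traversal client."""
    return bool(firewall_log) and all(d == "outbound" for d, _ in firewall_log)


if __name__ == "__main__":
    ev, fw = run_traversal_demo()
    print("\n".join(ev))
    print("all connections outbound:", all_connections_outbound(fw))
```

Two connections appear in the firewall log, both outbound from the client side; a real deployment sends keepalives at a configured interval rather than once, and carries signaling and media on more than one port, but the direction of every connection is the same as in the model.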
For firewall traversal to function correctly, the Expressway-E must have one traversal server zone configured
on it for each client system that is connecting to it. Likewise, each Expressway client must have one
traversal client zone configured on it for each server that it is connecting to.
The ports and protocols configured for each pair of client-server zones must be the same. See the
for a summary of the required configuration on each system.
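A small consistency check for the pairing rule above (one traversal server zone per client, one traversal client zone per server, and matching ports and protocols), written as an added example rather than anything from the guide or Cisco's software. The zone fields, the system names (`expc-site1`, `expe-dmz`) and the port numbers are constructed; the protocol names are the two the guide lists for H.323.

```python
"""Added illustration: check that traversal server and client zones pair up.
The zone model is a simplification; identifiers and ports are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TraversalZone:
    name: str       # zone name as shown on that system
    peer: str       # system the zone points at (constructed identifiers)
    protocol: str   # "Assent" or "H.460.18/H.460.19" (names from the guide)
    port: int       # port the Expressway-E listens on for this client


def check_zone_pairing(server_zones, client_zones):
    """server_zones: traversal server zones on the Expressway-E, keyed by the
    client system each one serves. client_zones: the traversal client zone on
    each client system, keyed by that system. Returns a sorted list of
    problems; an empty list means the pairing is consistent."""
    problems = []
    for client, czone in client_zones.items():
        szone = server_zones.get(client)
        if szone is None:
            problems.append(f"{client}: no traversal server zone on the Expressway-E")
            continue
        if szone.port != czone.port:
            problems.append(f"{client}: port mismatch (server {szone.port}, client {czone.port})")
        if szone.protocol != czone.protocol:
            problems.append(f"{client}: protocol mismatch (server {szone.protocol!r}, "
                            f"client {czone.protocol!r})")
    for client in server_zones.keys() - client_zones.keys():
        problems.append(f"{client}: server zone exists but client has no traversal client zone")
    return sorted(problems)


# Constructed sample: one Expressway-E in the DMZ serving two client sites.
SERVER_ZONES = {
    "expc-site1": TraversalZone("TraversalServer-Site1", "expc-site1", "Assent", 7001),
    "expc-site2": TraversalZone("TraversalServer-Site2", "expc-site2", "H.460.18/H.460.19", 7002),
}
CLIENT_ZONES_OK = {
    "expc-site1": TraversalZone("TraversalClient", "expe-dmz", "Assent", 7001),
    "expc-site2": TraversalZone("TraversalClient", "expe-dmz", "H.460.18/H.460.19", 7002),
}
CLIENT_ZONES_BAD = {
    "expc-site1": TraversalZone("TraversalClient", "expe-dmz", "Assent", 7002),  # wrong port
    "expc-site3": TraversalZone("TraversalClient", "expe-dmz", "Assent", 7003),  # no server zone
}

if __name__ == "__main__":
    print("consistent:", check_zone_pairing(SERVER_ZONES, CLIENT_ZONES_OK))
    for p in check_zone_pairing(SERVER_ZONES, CLIENT_ZONES_BAD):
        print("problem:", p)
```

Run against the second sample, the check reports the wrong port on site 1, the orphaned server zone for site 2, and the client at site 3 that has no server zone waiting for it; each of those is a configuration the traversal connection cannot be established with.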
Because the Expressway-E listens for connections from the client on a specific port, you are recommended
to create the traversal server zone on the Expressway-E before you create the traversal client zone on the
Expressway-C.
Note that the traversal client and the traversal server must both be Expressway systems (neither can be a
Cisco VCS).
H.323 firewall traversal protocols
The Expressway supports two different firewall traversal protocols for H.323: Assent and
H.460.18/H.460.19.
Cisco Expressway Administrator Guide (X8.5)
Page 45 of 394