Cisco Expressway Maintenance Manual
Authentication and NTP
All Expressway traversal clients that support H.323 must authenticate with the Expressway-E. The authentication
process makes use of timestamps and requires that each system uses an accurate system time. The system time on
an Expressway is provided by a remote NTP server. Therefore, for firewall traversal to work, all systems involved must
be configured with details of an
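The paragraph above explains that traversal authentication binds a timestamp into the credential and therefore fails when the clocks of the two systems disagree. The following is an added illustrative example, not the Expressway's own H.323/H.235 authentication code: a client computes a keyed MAC over its username and current time, and the server rejects the token when the MAC is wrong or when the embedded time is outside an acceptance window. The shared secret, the 300-second window and the username are constructed assumptions; the point is that a correct secret is not enough if NTP has not kept the two clocks aligned.

```python
"""Illustrative timestamp-validated authentication (added example, not the
Expressway implementation). Demonstrates why both the traversal client and the
Expressway-E need accurate, NTP-synchronised time."""
import hashlib
import hmac

# Constructed values for the example: Expressway traversal clients actually use a
# configured authentication username/password on the Expressway-E.
SHARED_SECRET = b"example-traversal-secret"
MAX_SKEW_SECONDS = 300  # assumed acceptance window, not an Expressway setting


def make_token(username: str, client_now: int, secret: bytes = SHARED_SECRET) -> dict:
    """Client side: bind the username to the client's current time with an HMAC."""
    msg = f"{username}|{client_now}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"username": username, "timestamp": client_now, "mac": mac}


def verify_token(
    token: dict,
    server_now: int,
    secret: bytes = SHARED_SECRET,
    max_skew: int = MAX_SKEW_SECONDS,
) -> tuple[bool, str]:
    """Server side: check the MAC first, then check the timestamp against the
    server's own clock. Returns (accepted, reason)."""
    msg = f"{token['username']}|{token['timestamp']}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so MAC checking does not leak timing information.
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "bad MAC"
    skew = abs(server_now - token["timestamp"])
    if skew > max_skew:
        # This is the failure a practitioner sees when NTP is missing on one side:
        # the credentials are right but the clocks disagree.
        return False, f"timestamp outside window (skew {skew}s > {max_skew}s)"
    return True, "ok"


if __name__ == "__main__":
    base = 1_700_000_000
    tok = make_token("traversalclient", base)
    print(verify_token(tok, base + 10))    # clocks agree: accepted
    print(verify_token(tok, base + 3600))  # one clock an hour out: rejected
```

Because the check is on the absolute difference, a client whose clock is ahead of the Expressway-E fails in the same way as one whose clock is behind; pointing every system at the same NTP source removes both cases.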
About ICE and TURN Services
About ICE
ICE (Interactive Connectivity Establishment) provides a mechanism for SIP client NAT traversal. ICE is not a protocol,
but a framework which pulls together a number of different techniques such as TURN and STUN.
It allows endpoints (clients) residing behind NAT devices to discover paths through which they can pass media, verify
peer-to-peer connectivity via each of these paths and then select the optimum media connection path. The available
paths typically depend on any inbound and outbound connection restrictions that have been configured on the NAT
device. Such behavior is described in
An example usage of ICE is two home workers communicating via the internet. If the two endpoints can communicate
via ICE the Expressway-E may (depending on how the NAT devices are configured) only need to take the signaling
and not take the media (and is therefore a non-traversal call). If the initiating ICE client attempts to call a non-ICE
client, the call set-up process reverts to a conventional SIP call requiring NAT traversal via media latching where the
Expressway also takes the media and thus requires an RMS license.
About TURN
TURN (Traversal Using Relays around NAT) services are relay extensions to the STUN network protocol that enable a
SIP or H.323 client to communicate via UDP or TCP from behind a NAT device.
Each ICE client requests the TURN server to allocate relays for the media components of the call. A relay is required
for each component in the media stream between each client.
After the relays are allocated, each ICE client has 3 potential connection paths (addresses) through which it can send
and receive media:
■ its host address which is behind the NAT device (and thus not reachable from endpoints on the other side of the NAT)
■ its publicly-accessible address on the NAT device
■ a relay address on the TURN server
The endpoints then decide, by performing connectivity checks through ICE, how they are going to communicate.
Depending upon how the NAT devices are configured, the endpoints may be able to communicate between their
public-facing addresses on the NAT devices or they may have to relay the media via the TURN server. If both
endpoints are behind the same NAT device they can send media directly between themselves using their internal host
addresses.
After the media route has been selected, the TURN relay allocations are released if the chosen connection paths do
not involve routing via the TURN server. Note that the signaling always goes via the Expressway, regardless of the
final media communication path chosen by the endpoints.
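The three candidate types, the connectivity checks, and the release of unused TURN allocations described above can be seen end to end in the following added example. It is a simplified model written for this page, not Expressway or RFC 8445 code: each client has a host, a server-reflexive (public NAT) and a TURN relay candidate; candidate and pair priorities use the RFC 8445 formulas with the recommended type preferences (host 126, srflx 100, relay 0); the NAT behaviour is a constructed `inbound_allowed` flag per NAT device; and the TURN server, addresses and client names are constructed. The model generalises beyond the two-home-worker case in the text to show all three outcomes: same NAT (host path), cooperative NATs (public addresses), restrictive NATs (relay).

```python
"""Added example: ICE-style candidate pairing and connectivity checks for two
clients behind NATs, with TURN relays allocated up front and released when the
chosen path does not use them. Simplified model, not the Expressway or RFC 8445
implementation; priority formulas follow RFC 8445 sections 5.1.2 and 6.1.2.3."""
from __future__ import annotations
from dataclasses import dataclass
from itertools import product

TYPE_PREF = {"host": 126, "srflx": 100, "relay": 0}  # RFC 8445 recommended values


@dataclass(frozen=True)
class Candidate:
    kind: str           # host, srflx (public address on the NAT) or relay (TURN)
    address: str
    component: int = 1  # RTP = 1, RTCP = 2; one component is enough for the model

    @property
    def priority(self) -> int:
        local_pref = 65535  # single interface, so one local preference
        return (TYPE_PREF[self.kind] << 24) + (local_pref << 8) + (256 - self.component)


@dataclass
class Client:
    name: str
    nat: str                       # identifier of the NAT device the client is behind
    host_addr: str
    public_addr: str
    relay_addr: str | None = None  # filled in by the TURN allocation

    def candidates(self) -> list[Candidate]:
        cands = [Candidate("host", self.host_addr), Candidate("srflx", self.public_addr)]
        if self.relay_addr:
            cands.append(Candidate("relay", self.relay_addr))
        return cands


class TurnServer:
    """Tracks relay allocations so the release after path selection is visible."""
    def __init__(self) -> None:
        self.allocations: dict[str, str] = {}
        self._next = 1

    def allocate(self, client: Client) -> str:
        addr = f"203.0.113.5:{49152 + self._next}"  # constructed relay address
        self._next += 1
        self.allocations[client.name] = addr
        client.relay_addr = addr
        return addr

    def release(self, client: Client) -> None:
        self.allocations.pop(client.name, None)
        client.relay_addr = None


def pair_priority(controlling: Candidate, controlled: Candidate) -> int:
    g, d = controlling.priority, controlled.priority
    return (2 ** 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def reachable(sender: Client, target: Candidate, owner: Client, inbound_allowed: dict[str, bool]) -> bool:
    """Constructed reachability model standing in for a STUN connectivity check."""
    if target.kind == "host":
        return sender.nat == owner.nat       # host addresses only work behind the same NAT
    if target.kind == "srflx":
        return inbound_allowed[owner.nat]    # the owner's NAT must pass inbound media
    return True                              # a TURN relay is reachable from anywhere


def negotiate(a: Client, b: Client, turn: TurnServer, inbound_allowed: dict[str, bool]) -> tuple[str, str]:
    """Allocate relays, check pairs in priority order, release relays if unused."""
    turn.allocate(a)
    turn.allocate(b)
    pairs = sorted(product(a.candidates(), b.candidates()),
                   key=lambda p: pair_priority(*p), reverse=True)
    for la, lb in pairs:
        # The check must succeed in both directions for the pair to be usable.
        if reachable(a, lb, b, inbound_allowed) and reachable(b, la, a, inbound_allowed):
            chosen = (la.kind, lb.kind)
            break
    else:
        raise RuntimeError("no working media path")
    if "relay" not in chosen:
        turn.release(a)
        turn.release(b)
    return chosen


def run_scenario(same_nat: bool, nats_allow_inbound: bool) -> tuple[tuple[str, str], int]:
    """Returns the selected (a_kind, b_kind) and the relay allocations still held."""
    turn = TurnServer()
    a = Client("alice", "nat-A", "192.168.1.10:5004", "198.51.100.1:5004")
    b = Client("bob", "nat-A" if same_nat else "nat-B", "192.168.2.20:5004", "198.51.100.2:5004")
    allowed = {"nat-A": nats_allow_inbound, "nat-B": nats_allow_inbound}
    return negotiate(a, b, turn, allowed), len(turn.allocations)


if __name__ == "__main__":
    print(run_scenario(same_nat=True, nats_allow_inbound=False))   # host path, relays released
    print(run_scenario(same_nat=False, nats_allow_inbound=True))   # public NAT addresses
    print(run_scenario(same_nat=False, nats_allow_inbound=False))  # relayed via TURN
```

Only in the last scenario do the two relay allocations stay in use for the life of the call; in the other two they are released as soon as the checks complete, which is why the relay-allocation capacity in the next section is consumed by restrictive NAT topologies rather than by every ICE call.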
Capabilities and limitations
■ systems support up to 1800 relay allocations. This is typically enough to support 100 calls but does depend on the network topology and the number of media stream components used for the call (for
60
Cisco Expressway Administrator Guide
Firewall Traversal