Cisco Cisco TelePresence Video Communication Server Expressway
Example deployments
The following section contains additional reference designs which depict other possible deployment
scenarios.
scenarios.
Single subnet DMZ using single VCS Expressway LAN interface
In this case, FW A can route traffic to FW B (and vice versa). VCS Expressway allows video traffic to be
passed through FW B without pinholing FW B from outside to inside. VCS Expressway also handles firewall
traversal on its public side.
passed through FW B without pinholing FW B from outside to inside. VCS Expressway also handles firewall
traversal on its public side.
This deployment consists of:
n
a single subnet DMZ – 10.0.10.0/24, containing:
l
the internal interface of firewall A – 10.0.10.1
l
the external interface of firewall B – 10.0.10.2
l
the LAN1 interface of the VCS Expressway – 10.0.10.3
n
a LAN subnet – 10.0.30.0/24, containing:
l
the internal interface of firewall B – 10.0.30.1
l
the LAN1 interface of the VCS Control – 10.0.30.2
l
the network interface of Cisco TMS – 10.0.30.3
A static 1:1 NAT has been configured on firewall A, NATing the public address 64.100.0.10 to the LAN1
address of theVCS Expressway. Static NAT mode has been enabled for LAN1 on the VCS Expressway,
with a static NAT address of 64.100.0.10.
address of theVCS Expressway. Static NAT mode has been enabled for LAN1 on the VCS Expressway,
with a static NAT address of 64.100.0.10.
Note:
You must enter the FQDN of the VCS Expressway, as it is seen from outside the network, as the peer
address on the VCS Control's secure traversal zone. The reason for this is that in static NAT mode, the VCS
Expressway requests that incoming signaling and media traffic should be sent to its external FQDN, rather
than its private name.
address on the VCS Control's secure traversal zone. The reason for this is that in static NAT mode, the VCS
Expressway requests that incoming signaling and media traffic should be sent to its external FQDN, rather
than its private name.
This also means that the external firewall must allow traffic from the VCS Control to the VCS
Expressway's external FQDN. This is known as NAT reflection, and may not be supported by all
types of firewalls.
Expressway's external FQDN. This is known as NAT reflection, and may not be supported by all
types of firewalls.
So, in this example, firewall A must allow NAT reflection of traffic coming from the VCS Control that is
destined for the external address, that is 64.100.0.10, of the VCS Expressway. The traversal zone on the
VCS Control must have 64.100.0.10 as the peer address.
destined for the external address, that is 64.100.0.10, of the VCS Expressway. The traversal zone on the
VCS Control must have 64.100.0.10 as the peer address.
The VCS Expressway should be configured with a default gateway of 10.0.10.1. Whether or not static routes
are needed in this scenario depends on the capabilities and settings of FW A and FW B. VCS Control to VCS
Expressway communications will be to the 64.100.0.10 address of the VCS Expressway; the return traffic
from the VCS Expressway to VCS Control might have to go via the default gateway. If a static route is added
to the VCS Expressway so that reply traffic goes from the VCS Expressway and directly through FW B to
are needed in this scenario depends on the capabilities and settings of FW A and FW B. VCS Control to VCS
Expressway communications will be to the 64.100.0.10 address of the VCS Expressway; the return traffic
from the VCS Expressway to VCS Control might have to go via the default gateway. If a static route is added
to the VCS Expressway so that reply traffic goes from the VCS Expressway and directly through FW B to
Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway) Deploy-
ment Guide (X8.5.2)
ment Guide (X8.5.2)
Page 63 of 67
Appendix 4: Advanced network deployments