Cisco Cisco TelePresence Video Communication Server Expressway
As per the recommendations in the Introduction section of this appendix, it is highly recommended to disable
SIP and H.323 ALGs on routers/firewalls carrying network traffic to or from a VCS Expressway, as, when
enabled this is frequently found to negatively affect the built-in firewall/NAT traversal functionality of the VCS
Expressway itself. This is also mentioned in
SIP and H.323 ALGs on routers/firewalls carrying network traffic to or from a VCS Expressway, as, when
enabled this is frequently found to negatively affect the built-in firewall/NAT traversal functionality of the VCS
Expressway itself. This is also mentioned in
.
General guidelines and design principles
With VCS Expressway deployments involving NAT and/or dual network interfaces, some general guidelines
and principles apply, as described below.
and principles apply, as described below.
Non-overlapping subnets
If the VCS Expressway will be configured to use both LAN interfaces, the LAN1 and LAN2 interfaces must
be located in non-overlapping subnets to ensure that traffic is sent out the correct interface.
be located in non-overlapping subnets to ensure that traffic is sent out the correct interface.
Clustering
When clustering VCSs that have the Advanced Networking option installed, cluster peers have to be
addressed with their LAN1 interface address. In addition, clustering must be configured on an interface that
does not have Static NAT mode enabled.
addressed with their LAN1 interface address. In addition, clustering must be configured on an interface that
does not have Static NAT mode enabled.
We therefore recommend that you use LAN2 as the externally facing interface, and that LAN2 is used as the
static NAT interface where applicable.
static NAT interface where applicable.
Static NAT restrictions when using SIP media encryption
You should not configure a VCS for SIP media encryption if that same VCS is also configured for static NAT.
If you do so, the private IP address will be sent in the SDP rather than the static NAT address and this will
cause calls to fail.
If you do so, the private IP address will be sent in the SDP rather than the static NAT address and this will
cause calls to fail.
Note that the recommended configuration for VCS Control with VCS Expressway deployments is to:
n
configure the same media encryption policy setting on the traversal client zone on VCS Control, the
traversal server zone on VCS Expressway, and every zone and subzone on VCS Expressway
traversal server zone on VCS Expressway, and every zone and subzone on VCS Expressway
n
use static NAT on the VCS Expressway only
With this configuration the encryption B2BUA will be enabled on the VCS Control only.
External LAN interface setting
The External LAN interface configuration setting on the
IP
configuration page controls on which network
interface TURN relays are allocated. In a dual network interfaces VCS Expressway configuration, this
should normally be set to the externally-facing LAN interface on the VCS Expressway.
should normally be set to the externally-facing LAN interface on the VCS Expressway.
Dual network interfaces
The following diagram shows an example deployment involving the use of a VCS Expressway with dual
network interfaces and static NAT, a VCS Control acting as a traversal client, and two firewalls/routers.
Typically in this DMZ configuration, FW A cannot route traffic to FW B, and devices such as the dual
interface VCS Expressway are required to validate and forward traffic from FW A’s subnet to FW B’s subnet
(and vice versa).
network interfaces and static NAT, a VCS Control acting as a traversal client, and two firewalls/routers.
Typically in this DMZ configuration, FW A cannot route traffic to FW B, and devices such as the dual
interface VCS Expressway are required to validate and forward traffic from FW A’s subnet to FW B’s subnet
(and vice versa).
Cisco VCS Basic Configuration (Control with Expressway) Deployment Guide
Page 59 of 65
Appendix 4: Advanced network deployments