Cisco TelePresence Video Communication Server Expressway
Appendix 13 – Cisco VCS and hardware load balancers in front of a bank of FEPs
Responses directly from devices behind a Hardware Load Balancer
If Source Address NATing is enabled on the HLB, responses to messages (like TRYING to an INVITE)
will be routed back to the Cisco VCS via the HLB because the new transaction will be sent to the
‘From’ address. However, mid-dialogue requests (like Re-INVITE and BYE) will be sent to the Cisco
VCS directly because they will be sent to the device identified in the Record-Route header.
Authentication with TCP
Authorizing an IP address (the alternative to communicating over TLS) is a security risk if the HLB is
performing Source Address NATing, because in this case the FEPs will have to authorize the IP
address of the HLB, and so any message sent via the HLB would be treated as authorized.
If Source Address NATing is not enabled on the HLB then the IP address of the Cisco VCS can be
authorized.
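The following audit sketch is an added example, not part of the Cisco guide. It shows how authorizing the HLB address hides every sender behind it. All addresses, the capture and the function names are constructed for illustration. The Via header is sender-supplied, so the result measures exposure and is not an authentication check.

```python
import re
from collections import defaultdict

# Constructed values (documentation address ranges), not from the guide.
HLB_IP = "192.0.2.10"
VCS_IP = "192.0.2.20"
AUTHORIZED_HOSTS = {HLB_IP}      # FEP authorized-host list when the HLB does SNAT
EXPECTED_SENDERS = {VCS_IP}      # hosts that are meant to reach the FEPs

# Constructed capture at the FEP: (TCP source address, raw SIP message).
CAPTURE = [
    (HLB_IP, "INVITE sip:alice@example.com SIP/2.0\r\n"
             "Via: SIP/2.0/TCP 192.0.2.20:5060;branch=z9hG4bK1\r\n"
             "From: <sip:bob@example.com>;tag=1\r\n\r\n"),
    (HLB_IP, "INVITE sip:alice@example.com SIP/2.0\r\n"
             "v: SIP/2.0/TCP 198.51.100.7:5060;branch=z9hG4bK2\r\n"
             "From: <sip:carol@example.com>;tag=2\r\n\r\n"),
    ("203.0.113.5", "OPTIONS sip:fep.example.com SIP/2.0\r\n"
             "Via: SIP/2.0/TCP 203.0.113.5:5060;branch=z9hG4bK3\r\n\r\n"),
]

# Topmost Via (long or compact form); captures the sent-by host without the port.
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+(\[[^\]]+\]|[^;:,\s]+)",
                    re.I | re.M)

def top_via_host(message):
    """Return the sent-by host of the topmost Via header, or None if absent."""
    match = VIA_RE.search(message)
    return match.group(1).strip("[]") if match else None

def audit(capture, authorized, expected):
    """Map each authorized source address to the unexpected hosts seen behind it."""
    hidden = defaultdict(set)
    for src_ip, message in capture:
        if src_ip not in authorized:
            continue                    # not on the list: the FEP does not trust it
        sender = top_via_host(message)
        if sender not in expected:
            hidden[src_ip].add(sender)  # trusted only because it arrived via the HLB
    return {ip: sorted(hosts, key=str) for ip, hosts in hidden.items()}

if __name__ == "__main__":
    for ip, hosts in audit(CAPTURE, AUTHORIZED_HOSTS, EXPECTED_SENDERS).items():
        print(f"{ip} is authorized but also relays for: {hosts}")
```
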
Cisco VCS Deployment Guide: Microsoft OCS 2007 R1 and R2 and Cisco VCS X5.2