Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
pair (either 2776 & 2777 or 50000 & 50001 by default, depending on upgrade path) and the switch Use configured
demultiplexing ports is set to Yes. If you do not want to use a particular pair of ports, switch Use configured
demultiplexing ports to No, then the VCS Expressway will listen on the first pair of ports in the media traversal port
range (36000 and 36001 by default). In this case, we recommend that you close the previously configured ports after
you configure the firewall for the new ports.
demultiplexing ports is set to Yes. If you do not want to use a particular pair of ports, switch Use configured
demultiplexing ports to No, then the VCS Expressway will listen on the first pair of ports in the media traversal port
range (36000 and 36001 by default). In this case, we recommend that you close the previously configured ports after
you configure the firewall for the new ports.
** On Large systems you can configure a range of TURN request listening ports. The default range is 3478 – 3483.
The default TURN relay media port range of 24000 – 29999 applies to new installations of X8.1 or later. The previous
default range of 60000 – 61799 still applies to earlier releases that have upgraded to X8.1.
The default TURN relay media port range of 24000 – 29999 applies to new installations of X8.1 or later. The previous
default range of 60000 – 61799 still applies to earlier releases that have upgraded to X8.1.
Firewall Traversal and Authentication
The VCS Expressway allows only authenticated client systems to use it as a traversal server.
Upon receiving the initial connection request from the traversal client, the VCS Expressway asks the client to
authenticate itself by providing its authentication credentials. The VCS Expressway then looks up the client’s
credentials in its own authentication database. If a match is found, the VCS Expressway accepts the request from the
client.
authenticate itself by providing its authentication credentials. The VCS Expressway then looks up the client’s
credentials in its own authentication database. If a match is found, the VCS Expressway accepts the request from the
client.
The settings used for authentication depend on the type of traversal client:
Traversal client
VCS Expressway traversal server
VCS Control (or VCS Expressway)
The VCS client provides its Username and
Password. These are set on the traversal client
zone by using Configuration > Zones > Zones >
Edit zone, in the Connection credentials section.
Edit zone, in the Connection credentials section.
The traversal server zone for the VCS client must be
configured with the client's authentication Username. This is
configured with the client's authentication Username. This is
set on the VCS Expressway by using Configuration > Zones >
Zones > Edit zone, in the Connection credentials section.
There must also be an entry in the VCS Expressway’s
authentication database with the corresponding client
username and password.
authentication database with the corresponding client
username and password.
Endpoint
The endpoint client provides its Authentication ID
and Authentication Password.
There must be an entry in the VCS Expressway’s
authentication database with the corresponding client
username and password.
authentication database with the corresponding client
username and password.
Note that all VCS traversal clients must authenticate with the VCS Expressway, even if the VCS Expressway is not
using device authentication for endpoint clients.
using device authentication for endpoint clients.
Authentication and NTP
All VCS traversal clients that support H.323 must authenticate with the VCS Expressway. The authentication process
makes use of timestamps and requires that each system uses an accurate system time. The system time on a VCS is
provided by a remote NTP server. Therefore, for firewall traversal to work, all systems involved must be configured
with details of an
makes use of timestamps and requires that each system uses an accurate system time. The system time on a VCS is
provided by a remote NTP server. Therefore, for firewall traversal to work, all systems involved must be configured
with details of an
.
Configuring Expressway and Traversal Endpoint Communications
Traversal-enabled H.323 endpoints can register directly with the VCS Expressway and use it for firewall traversal.
The Locally registered endpoints page (Configuration > Traversal > Locally registered endpoints) allows you to
configure the way in which the VCS Expressway and traversal-enabled endpoints communicate.
configure the way in which the VCS Expressway and traversal-enabled endpoints communicate.
The options available are:
60
Cisco TelePresence Video Communication Server Administrator Guide
Firewall Traversal