Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Firewall Traversal
This section describes how to configure your VCS Control and VCS Expressway in order to traverse firewalls.
About Firewall Traversal
The purpose of a firewall is to control the IP traffic entering your network. Firewalls will generally block unsolicited
incoming requests, meaning that any calls originating from outside your network will be prevented. However, firewalls
can be configured to allow outgoing requests to certain trusted destinations, and to allow responses from those
destinations. This principle is used by Cisco's Expressway technology to enable secure traversal of any firewall.
incoming requests, meaning that any calls originating from outside your network will be prevented. However, firewalls
can be configured to allow outgoing requests to certain trusted destinations, and to allow responses from those
destinations. This principle is used by Cisco's Expressway technology to enable secure traversal of any firewall.
The Expressway Solution
The Expressway solution consists of:
■
A VCS Expressway located outside the firewall on the public network or in the DMZ, which acts as the firewall
traversal server.
traversal server.
■
A VCS Control or other traversal-enabled endpoint located in a private network, which acts as the firewall
traversal client.
traversal client.
The two systems work together to create an environment where all connections between the two are outbound, i.e.
established from the client to the server, and thus able to successfully traverse the firewall.
established from the client to the server, and thus able to successfully traverse the firewall.
We recommend that both the VCS Expressway and the VCS Control run the same software version.
How Does it Work?
The traversal client constantly maintains a connection via the firewall to a designated port on the traversal server.
This connection is kept alive by the client sending packets at regular intervals to the server. When the traversal server
receives an incoming call for the traversal client, it uses this existing connection to send an incoming call request to
the client. The client then initiates the necessary outbound connections required for the call media and/or signaling.
This connection is kept alive by the client sending packets at regular intervals to the server. When the traversal server
receives an incoming call for the traversal client, it uses this existing connection to send an incoming call request to
the client. The client then initiates the necessary outbound connections required for the call media and/or signaling.
This process ensures that from the firewall’s point of view, all connections are initiated from the traversal client inside
the firewall out to the traversal server.
the firewall out to the traversal server.
For firewall traversal to function correctly, the VCS Expressway must have one traversal server zone configured on it
for each client system that is connecting to it (this does not include traversal-enabled endpoints which register
directly with the VCS Expressway; the settings for these connections are configured in a different way). Likewise,
each VCS client must have one traversal client zone configured on it for each server that it is connecting to.
for each client system that is connecting to it (this does not include traversal-enabled endpoints which register
directly with the VCS Expressway; the settings for these connections are configured in a different way). Likewise,
each VCS client must have one traversal client zone configured on it for each server that it is connecting to.
Cisco Systems, Inc.
42