Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Firewall traversal
Cisco VCS Administrator Guide (X7.2)
Page 231 of 498
l
The VCS also supports SIP outbound, which is an alternative method of keeping firewalls open without
the overhead of using the full registration message.
the overhead of using the full registration message.
n
SIP and H.323 endpoints can register to the VCS Expressway or they can just send calls to the
Expressway as the local "DMZ" firewall has relevant ports open to allow communication to the
Expressway over SIP and H.323 ports.
Expressway as the local "DMZ" firewall has relevant ports open to allow communication to the
Expressway over SIP and H.323 ports.
Endpoints can also use
to find the optimal (in their view of what optimal is) path for media
communications between themselves. Media can be sent directly from endpoint to endpoint, from endpoint
via the outside IP address of the destination firewall to the destination endpoint or, endpoint via a TURN
server to destination endpoint.
via the outside IP address of the destination firewall to the destination endpoint or, endpoint via a TURN
server to destination endpoint.
n
The VCS supports ICE for calls where the VCS does not have to traverse media (for example if there is no
IPv4/IPv6 conversion or SIP / H.323 conversion), so typically this means 2 endpoints which are able to
support ICE, directly communicating to a VCS Expressway cluster.
IPv4/IPv6 conversion or SIP / H.323 conversion), so typically this means 2 endpoints which are able to
support ICE, directly communicating to a VCS Expressway cluster.
n
The VCS has its own
built in to support the required functionality of ICE.
Configuring VCSs for firewall traversal
This section provides an overview to how your VCS can act as a traversal server or as a traversal client.
VCS as a firewall traversal client
Your VCS can act as a firewall traversal client on behalf of SIP and H.323 endpoints registered to it, and any
gatekeepers that are neighbored with it. To act as a firewall traversal client, the VCS must be configured with
information about the systems that will act as its firewall traversal server.
gatekeepers that are neighbored with it. To act as a firewall traversal client, the VCS must be configured with
information about the systems that will act as its firewall traversal server.
You do this by adding a new traversal client zone on the VCS client (
VCS configuration > Zones > Zones
)
and configuring it with the details of the traversal server. See
for more
information. You can create more than one traversal client zone if you want to connect to multiple traversal
servers.
servers.
Note that:
n
In most cases, you will use a VCS Control as a firewall traversal client. However, a VCS Expressway can
also act as a firewall traversal client.
also act as a firewall traversal client.
n
The firewall traversal server used by the VCS client can be a VCS Expressway, or (for H.323 only) a
TANDBERG Border Controller.
TANDBERG Border Controller.
VCS as a firewall traversal server
The VCS Expressway has all the functionality of a VCS Control (including being able to act as a firewall
traversal client). However, its main feature is that it can act as a firewall traversal server for other Cisco
systems and any traversal-enabled endpoints that are registered directly to it. It can also provide TURN relay
services to ICE-enabled endpoints.
traversal client). However, its main feature is that it can act as a firewall traversal server for other Cisco
systems and any traversal-enabled endpoints that are registered directly to it. It can also provide TURN relay
services to ICE-enabled endpoints.
Configuring traversal server zones
For the VCS Expressway to act as a firewall traversal server for Cisco systems, you must create and
configure a traversal server zone on the VCS Expressway (
configure a traversal server zone on the VCS Expressway (
VCS configuration > Zones > Zones
) and
configure it with the details of the traversal client. See
for more
information.