Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Firewall traversal
Cisco VCS Administrator Guide (X7.1)
Page 222 of 479
Firewall traversal protocols and ports
Ports play a vital part in firewall traversal configuration. The correct ports must be set on the VCS
Expressway, traversal client and firewall in order for connections to be permitted.
Expressway, traversal client and firewall in order for connections to be permitted.
Ports are initially configured on the VCS Expressway by the VCS Expressway administrator. The firewall
administrator and the traversal client administrator should then be notified of the ports, and they must then
configure their systems to connect to these specific ports on the server. The only port configuration that is
done on the client is the range of ports it uses for outgoing connections; the firewall administrator may need to
know this information so that if necessary they can configure the firewall to allow outgoing connections from
those ports.
administrator and the traversal client administrator should then be notified of the ports, and they must then
configure their systems to connect to these specific ports on the server. The only port configuration that is
done on the client is the range of ports it uses for outgoing connections; the firewall administrator may need to
know this information so that if necessary they can configure the firewall to allow outgoing connections from
those ports.
The
pages (under
Maintenance > Tools > Port usage
) show, in table format, all the IP ports that
are being used on the VCS, both inbound and outbound. This information can be provided to your firewall
administrator so that the firewall can be configured appropriately.
administrator so that the firewall can be configured appropriately.
Expressway process
The Expressway solution works as follows:
1. Each traversal client connects via the firewall to a unique port on the VCS Expressway.
2. The server identifies each client by the port on which it receives the connection, and the authentication
credentials provided by the client.
3. After the connection has been established, the client constantly sends a probe to the VCS Expressway
via this connection in order to keep the connection alive.
4. When the VCS Expressway receives an incoming call for the client, it uses this initial connection to send
an incoming call request to the client.
5. The client then initiates one or more outbound connections. The destination ports used for these
connections differ for signaling and/or media, and depend on the protocol being used (see the following
sections for more details).
sections for more details).
H.323 firewall traversal protocols
The VCS supports two different firewall traversal protocols for H.323: Assent and H.460.18/H.460.19.
n
Assent is Cisco’s proprietary protocol.
n
H.460.18 and H.460.19 are ITU standards which define protocols for the firewall traversal of signaling and
media respectively. These standards are based on the original Assent protocol.
media respectively. These standards are based on the original Assent protocol.
A traversal server and traversal client must use the same protocol in order to communicate. The two
protocols each use a different range of ports.
protocols each use a different range of ports.
SIP firewall traversal protocols
The VCS supports the Assent protocol for SIP firewall traversal of media.
The signaling is traversed through a TCP/TLS connection established from the client to the server.