Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Firewall traversal
Firewall traversal
This section describes how to configure your Cisco VCS Control and Cisco VCS Expressway in order
to traverse firewalls.
to traverse firewalls.
It includes the following information:
n
an overview of
n
how to configure the Cisco VCS as a
and as a
n
firewall traversal
n
n
an overview of
About firewall traversal
The purpose of a firewall is to control the IP traffic entering your network. Firewalls will generally block
unsolicited incoming requests, meaning that any calls originating from outside your network will be
prevented. However, firewalls can be configured to allow outgoing requests to certain trusted
destinations, and to allow responses from those destinations. This principle is used by Cisco's
Expressway technology to enable secure traversal of any firewall.
unsolicited incoming requests, meaning that any calls originating from outside your network will be
prevented. However, firewalls can be configured to allow outgoing requests to certain trusted
destinations, and to allow responses from those destinations. This principle is used by Cisco's
Expressway technology to enable secure traversal of any firewall.
Expressway solution
The Expressway solution consists of:
n
a Cisco VCS Expressway or Border Controller located outside the firewall on the public network or
in the DMZ, which acts as the firewall traversal server
in the DMZ, which acts as the firewall traversal server
n
a Cisco VCS Control, Gatekeeper, MXP endpoint or other traversal-enabled endpoint located in a
private network, which acts as the firewall traversal client
private network, which acts as the firewall traversal client
The two systems work together to create an environment where all connections between the two are
outbound, i.e. established from the client to the server, and thus able to successfully traverse the
firewall.
outbound, i.e. established from the client to the server, and thus able to successfully traverse the
firewall.
How does it work?
The traversal client constantly maintains a connection via the firewall to a designated port on the
traversal server. This connection is kept alive by the client sending packets at regular intervals to the
server. When the traversal server receives an incoming call for the traversal client, it uses this existing
connection to send an incoming call request to the client. The client then initiates the necessary
outbound connections required for the call media and/or signaling.
traversal server. This connection is kept alive by the client sending packets at regular intervals to the
server. When the traversal server receives an incoming call for the traversal client, it uses this existing
connection to send an incoming call request to the client. The client then initiates the necessary
outbound connections required for the call media and/or signaling.
This process ensures that from the firewall’s point of view, all connections are initiated from the
traversal client inside the firewall out to the traversal server.
traversal client inside the firewall out to the traversal server.
For firewall traversal to function correctly, the Cisco VCS Expressway must have one traversal server
zone configured on it for each client system that is connecting to it (this does not include traversal-
enabled endpoints which register directly with the Cisco VCS Expressway; the settings for these
connections are configured in a different way). Likewise, each Cisco VCS client must have one
traversal client zone configured on it for each server that it is connecting to.
zone configured on it for each client system that is connecting to it (this does not include traversal-
enabled endpoints which register directly with the Cisco VCS Expressway; the settings for these
connections are configured in a different way). Likewise, each Cisco VCS client must have one
traversal client zone configured on it for each server that it is connecting to.
The ports and protocols configured for each pair of client-server zones must be the same. See the
for a summary of the required
configuration on each system. Because the Cisco VCS Expressway listens for connections from the
client on a specific port, you are recommended to create the traversal server zone on the Cisco VCS
Expressway before you create the traversal client zone on the Cisco VCS Control.
client on a specific port, you are recommended to create the traversal server zone on the Cisco VCS
Expressway before you create the traversal client zone on the Cisco VCS Control.
Cisco VCS Administrator Guide (X6)
Page 169 of 295