Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Firewall traversal
Client
Server
Cisco VCS Control or Cisco VCS
Expressway
Expressway
If authentication is enabled on the Border
Controller, the Cisco VCS client provides
its Username and Password. These are
set on the traversal client zone by using
Controller, the Cisco VCS client provides
its Username and Password. These are
set on the traversal client zone by using
VCS configuration > Zones > Edit
zone
zone
, in the Connection credentials
section.
If the Border Controller is in Assent mode,
the Cisco VCS client provides its
Username. This is set on the traversal
client zone by using
the Cisco VCS client provides its
Username. This is set on the traversal
client zone by using
VCS configuration >
Zones > Edit zone
, in the Connection
credentials section.
TANDBERG Border Controller
If authentication is enabled on the Border Controller,
there must be an entry in the Border Controller’s
authentication database that matches the Cisco VCS
client’s authentication Username and Password.
there must be an entry in the Border Controller’s
authentication database that matches the Cisco VCS
client’s authentication Username and Password.
If the Border Controller is in Assent mode, the
traversal zone configured on the Border Controller to
represent the Cisco VCS client must use the Cisco
VCS’s authentication Username in the Assent
Account name field. This is set on the Border
Controller via
traversal zone configured on the Border Controller to
represent the Cisco VCS client must use the Cisco
VCS’s authentication Username in the Assent
Account name field. This is set on the Border
Controller via
TraversalZone > Assent > Account
name
.
Note that all Cisco VCS and Gatekeeper traversal clients must authenticate with the Cisco VCS
Expressway, even if the Cisco VCS Expressway is not using device authentication for endpoint
clients.
Expressway, even if the Cisco VCS Expressway is not using device authentication for endpoint
clients.
Authentication and NTP
All Cisco VCS and Gatekeeper traversal clients that support H.323 must authenticate with the Cisco
VCS Expressway. The authentication process makes use of timestamps and requires that each
system uses an accurate system time. The system time on a Cisco VCS is provided by a remote NTP
server. Therefore, for firewall traversal to work, all systems involved must be configured with details of
an
VCS Expressway. The authentication process makes use of timestamps and requires that each
system uses an accurate system time. The system time on a Cisco VCS is provided by a remote NTP
server. Therefore, for firewall traversal to work, all systems involved must be configured with details of
an
Firewall traversal and Dual Network Interfaces
The Dual Network Interfaces option key enables the LAN 2 interface on your Cisco VCS Expressway
(the option is not available on a Cisco VCS Control). The LAN 2 interface is used in situations where
your Cisco VCS Expressway is located in a DMZ that consists of two separate networks - an inner
DMZ and an outer DMZ - and your network is configured to prevent direct communication between the
two.
(the option is not available on a Cisco VCS Control). The LAN 2 interface is used in situations where
your Cisco VCS Expressway is located in a DMZ that consists of two separate networks - an inner
DMZ and an outer DMZ - and your network is configured to prevent direct communication between the
two.
With the LAN 2 interface enabled, you can configure the Cisco VCS with two separate IP addresses,
one for each network in the DMZ. Your Cisco VCS then acts as a proxy server between the two
networks, allowing calls to pass between the internal and outer firewalls that make up your DMZ.
one for each network in the DMZ. Your Cisco VCS then acts as a proxy server between the two
networks, allowing calls to pass between the internal and outer firewalls that make up your DMZ.
Note: all ports configured on the Cisco VCS, including those relating to firewall traversal, apply to both
IP addresses; it is not possible to configure these ports separately for each IP address.
IP addresses; it is not possible to configure these ports separately for each IP address.
Firewall configuration
For Expressway firewall traversal to function correctly, the firewall must be configured to:
n
allow initial outbound traffic from the client to the ports being used by the Cisco VCS Expressway
n
allow return traffic from those ports on the Cisco VCS Expressway back to the originating client
Cisco VCS Administrator Guide (X6)
Page 176 of 295