Cisco TelePresence Video Communication Server Expressway Administrator Manual
D14049.08
November 2010
CISCO TELEPRESENCE VIDEO COMMUNICATION SERVER ADMINISTRATOR GUIDE
Firewall traversal overview
About Expressway™
The purpose of a firewall is to control the IP traffic entering your network. Firewalls will generally block unsolicited incoming requests, meaning that any calls originating from outside your network will be prevented. However, firewalls can be configured to allow outgoing requests to certain trusted destinations, and to allow responses from those destinations. This principle is used by Cisco's Expressway™ solution to enable secure traversal of any firewall.
The Expressway™ solution consists of:
• a VCS Expressway or TANDBERG Border Controller located outside the firewall on the public network or in the DMZ, which acts as the firewall traversal server
• a VCS Control, TANDBERG Gatekeeper, MXP endpoint or other traversal-enabled endpoint located in a private network, which acts as the firewall traversal client
The two systems work together to create an environment where all connections between the two are outbound, i.e. established from the client to the server, and thus able to successfully traverse the firewall.
How does it work?
The traversal client constantly maintains a connection via the firewall to a designated port on the traversal server. This connection is kept alive by the client sending packets at regular intervals to the server. When the traversal server receives an incoming call for the traversal client, it uses this existing connection to send an incoming call request to the client. The client then initiates the necessary outbound connections required for the call media and/or signaling.
This process ensures that from the firewall's point of view, all connections are initiated from the traversal client inside the firewall out to the traversal server.
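The exchange described above, modelled as an added example (my own code, not Cisco's): a stateful firewall that only passes flows opened from the inside, a traversal server that keeps one client-initiated control flow per client, and an incoming call that reaches the client only because it rides that existing flow. The class names and the port numbers are assumptions.

```python
# Added example (my own model, not Cisco's code): how the traversal client and
# server described above get an incoming call through a firewall that only
# passes flows initiated from the inside. Names and ports are assumptions.
TRAVERSAL_PORT = 2776   # assumed listening port on the traversal server
MEDIA_PORT = 50000      # assumed media/signaling port for the call

class Firewall:
    """Stateful firewall: inbound packets pass only on a flow that an inside
    host opened first; anything unsolicited is dropped and logged."""
    def __init__(self):
        self.flows, self.dropped = set(), []   # flows: (inside, outside, port)
    def outbound(self, inside, outside, port):
        self.flows.add((inside, outside, port))
    def inbound(self, outside, inside, port):
        if (inside, outside, port) in self.flows:
            return True
        self.dropped.append((outside, inside, port))
        return False

class TraversalServer:
    """VCS Expressway role: one client-initiated control flow per traversal
    client, over which incoming call requests are sent back in."""
    def __init__(self, name):
        self.name, self.clients = name, {}   # client name -> its firewall
    def accept_client(self, client, fw):
        fw.outbound(client, self.name, TRAVERSAL_PORT)   # client connects out
        self.clients[client] = fw
    def keepalive_reply(self, client):
        # Client keepalives hold this flow open, so the reply is a response.
        return self.clients[client].inbound(self.name, client, TRAVERSAL_PORT)
    def deliver_call(self, caller, callee):
        fw = self.clients[callee]
        direct = fw.inbound(caller, callee, MEDIA_PORT)          # unsolicited
        relayed = fw.inbound(self.name, callee, TRAVERSAL_PORT)  # existing flow
        if relayed:
            fw.outbound(callee, self.name, MEDIA_PORT)   # client opens media out
        media = fw.inbound(self.name, callee, MEDIA_PORT)
        return {"direct": direct, "relayed": relayed, "media": media}

def simulate():
    """Register one client, answer a keepalive, then deliver an outside call."""
    fw, server = Firewall(), TraversalServer("expressway")
    server.accept_client("vcs-control", fw)
    result = {"keepalive": server.keepalive_reply("vcs-control")}
    result.update(server.deliver_call("remote-endpoint", "vcs-control"))
    result["dropped"] = len(fw.dropped)
    return result
```

The one dropped packet is the unsolicited attempt to reach the client directly; everything the server sends over the kept-alive flow, and the media connections the client then opens outbound, pass the firewall.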
For firewall traversal to function correctly, the VCS Expressway must have one traversal server zone configured on it for each client system that is connecting to it (this does not include traversal-enabled endpoints which register directly with the VCS Expressway; the settings for these connections are configured in a different way). Likewise, each VCS client must have one traversal client zone configured on it for each server that it is connecting to. The ports and protocols configured for each pair of client-server zones must be the same. (See the section for a summary of the required configuration on each system.) Because the VCS Expressway listens for connections from the client on a specific port, you are recommended to create the traversal server zone on the VCS Expressway before you create the traversal client zone on the VCS Control.
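A check for the pairing rule in the note above, as an added example (my own code, not part of the guide): every traversal client must have exactly one matching traversal server zone on the Expressway, with the same ports and protocols. The zone record layout, client names, ports and transports are constructed samples.

```python
# Added example (not Cisco's code): a consistency check for the pairing rule
# in the note above. The zone record layout is my own; the client names,
# ports and transports are constructed samples, not defaults from the guide.
EXPRESSWAY_SERVER_ZONES = [       # traversal server zones on the VCS Expressway
    {"name": "TraversalZone-C1", "client": "vcs-control-1",
     "h323_port": 6001, "sip_port": 7001, "sip_transport": "TLS"},
    {"name": "TraversalZone-C2", "client": "vcs-control-2",
     "h323_port": 6002, "sip_port": 7002, "sip_transport": "TLS"},
]
CONTROL_CLIENT_ZONES = {          # traversal client zone on each VCS Control
    "vcs-control-1": {"h323_port": 6001, "sip_port": 7001, "sip_transport": "TLS"},
    "vcs-control-2": {"h323_port": 6002, "sip_port": 7002, "sip_transport": "TCP"},
    "vcs-control-3": {"h323_port": 6003, "sip_port": 7003, "sip_transport": "TLS"},
}
MUST_MATCH = ("h323_port", "sip_port", "sip_transport")

def check_traversal_pairing(server_zones, client_zones):
    """Return findings as strings; an empty list means every traversal client
    has one matching server zone with identical ports and protocols."""
    findings = []
    by_client = {z["client"]: z for z in server_zones}
    for client, cz in client_zones.items():
        sz = by_client.get(client)
        if sz is None:
            # Expressway has nothing listening for this client's connection.
            findings.append(f"{client}: no traversal server zone on the Expressway")
            continue
        for key in MUST_MATCH:
            if sz[key] != cz[key]:
                findings.append(f"{client}: {key} differs "
                                f"(server {sz[key]!r}, client {cz[key]!r})")
    for client in sorted(by_client.keys() - client_zones.keys()):
        # Server zone created but the client side was never configured.
        findings.append(f"{client}: server zone has no matching client zone")
    return findings
```

On the sample data the check reports the SIP transport mismatch for vcs-control-2 and the missing server zone for vcs-control-3.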
Cisco VCS as a firewall traversal server
The VCS Expressway has all the functionality of a VCS Control (including being able to act as a firewall traversal client). However, its main feature is that it can act as a firewall traversal server for other Cisco systems and any traversal-enabled endpoints that are registered directly to it. It can also provide TURN relay services to ICE-enabled endpoints. These features are enabled as follows:
• For the VCS Expressway to act as a firewall traversal server for Cisco systems, you must create and configure a new traversal server zone on the VCS Expressway for every system that is its traversal client. See the section for full instructions.
• For the VCS Expressway to act as a firewall traversal server for traversal-enabled endpoints (such as Cisco MXP endpoints and any other endpoints that support the ITU H.460.18 and H.460.19 standards), no additional configuration is required. See the section for more information.
• To enable TURN relay services and find out more about ICE, see the section.
• To reconfigure the default ports used by the VCS Expressway, see the section.
Cisco VCS as a firewall traversal client
Your VCS can act as a firewall traversal client on behalf of SIP and H.323 endpoints registered to it, and any gatekeepers that are neighbored with it.
In order to act as a firewall traversal client, the VCS must be configured with information about the system(s) that will be acting as its firewall traversal server. See the section for full details on how to do this.
In most cases, you will use a VCS Control as a firewall traversal client. However, a VCS Expressway can also act as a firewall traversal client.
The firewall traversal server used by the VCS client can be a VCS Expressway, or (for H.323 only) a TANDBERG Border Controller.