Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Firewall traversal
The ICE clients on each of the SIP endpoints must be able to discover these ports, either by using
SRV records in DNS or by direct configuration.
SRV records in DNS or by direct configuration.
Ports for connections out to the public internet
In situations where the VCS Expressway is attempting to connect to an endpoint on the public
internet, you will not know the exact ports on the endpoint to which the connection will be made. This
is because the ports to be used are determined by the endpoint and advised to the VCS Expressway
only after the server has located the endpoint on the public internet. This may cause problems if your
VCS Expressway is located within a DMZ (that is, there is a firewall between the VCS Expressway
and the public internet) as you will not be able to specify in advance rules that will allow you to connect
out to the endpoint’s ports.
internet, you will not know the exact ports on the endpoint to which the connection will be made. This
is because the ports to be used are determined by the endpoint and advised to the VCS Expressway
only after the server has located the endpoint on the public internet. This may cause problems if your
VCS Expressway is located within a DMZ (that is, there is a firewall between the VCS Expressway
and the public internet) as you will not be able to specify in advance rules that will allow you to connect
out to the endpoint’s ports.
You can however specify the ports on the VCS Expressway that are used for calls to and from
endpoints on the public internet so that your firewall administrator can allow connections via these
ports. The ports that can be configured for this purpose are:
endpoints on the public internet so that your firewall administrator can allow connections via these
ports. The ports that can be configured for this purpose are:
H.323
SIP
TURN
TCP/1720: signaling
UDP/1719: signaling
UDP/50000-52399: media
TCP/15000-19999: signaling
TCP/5061: signaling
UDP/5060 (default): signaling
UDP/50000-52399: media
TCP: a temporary port in the
range 25000-29999 is
allocated
range 25000-29999 is
allocated
UDP/3478 (default): TURN
services
services
UDP/60000-61200 (default
range): media
range): media
Firewall traversal and authentication
To control which systems can use the VCS Expressway as a traversal server, each VCS Control or
Gatekeeper that wants to be its client must first authenticate with it.
Gatekeeper that wants to be its client must first authenticate with it.
Upon receiving the initial connection request from the traversal client, the VCS Expressway asks the
client to authenticate itself by providing its authentication credentials. The VCS Expressway then
looks up the client’s credentials in its own authentication database. If a match is found, the VCS
Expressway accepts the request from the client.
client to authenticate itself by providing its authentication credentials. The VCS Expressway then
looks up the client’s credentials in its own authentication database. If a match is found, the VCS
Expressway accepts the request from the client.
The settings used for authentication depend on the combination of client and server being used. These
are detailed in the table below.
are detailed in the table below.
Client
Server
VCS Control or VCS Expressway
The VCS client provides its Username and
Password. These are set on the traversal
client zone by using
Password. These are set on the traversal
client zone by using
VCS configuration >
Zones > Edit zone
, in the Connection
credentials section.
VCS Expressway
The traversal server zone for the VCS client must be
configured with the client's authentication
Username. This is set on the VCS Expressway by
using
configured with the client's authentication
Username. This is set on the VCS Expressway by
using
VCS configuration > Zones > Edit zone
, in
the Connection credentials section.
There must also be an entry in the VCS
Expressway’s authentication database with the
corresponding client username and password.
Expressway’s authentication database with the
corresponding client username and password.
Cisco VCS Administrator Guide (X6.1)
Page 174 of 401