Authentication And Ntp; Firewall Traversal And Dual Network Interfaces; Firewall Configuration; Configuring Traversal For Endpoints - Cisco TelePresence Video Communication Server Administrator's Manual

Authentication and NTP

All VCS and Gatekeeper traversal clients that support H.323 must authenticate with the VCS
Expressway. The authentication process makes use of timestamps and requires that each system
uses an accurate system time. The system time on a VCS is provided by a remote NTP server.
Therefore, for firewall traversal to work, all systems involved must be configured with details of an
NTP server.
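
An added example (not from the Cisco manual) of measuring a system's clock offset from an SNTP server reply, since the timestamp-based authentication described above depends on accurate time. The function names, the constructed reply packet and the 30-second tolerance are assumptions; the manual states no tolerance figure.

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def to_ntp(unix_time):
    """Unix seconds -> (seconds, fraction) pair of a 64-bit NTP timestamp."""
    ntp = unix_time + NTP_EPOCH_DELTA
    secs = int(ntp)
    return secs, int((ntp - secs) * 2**32)

def from_ntp(secs, frac):
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def build_request(t0):
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, transmit timestamp = t0."""
    return struct.pack("!B39x2I", 0x23, *to_ntp(t0))

def clock_offset(reply, t0, t3):
    """Seconds the local clock must be shifted by to match the server.
    t0 = local send time, t3 = local receive time (Unix seconds)."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    mode, stratum = reply[0] & 0x07, reply[1]
    if mode != 4 or not 1 <= stratum <= 15:
        raise ValueError("not a synchronised server reply")  # stratum 0 = kiss-of-death
    o_s, o_f, r_s, r_f, x_s, x_f = struct.unpack("!6I", reply[24:48])
    if abs(from_ntp(o_s, o_f) - t0) > 1e-3:
        raise ValueError("originate timestamp does not echo our request")
    t1, t2 = from_ntp(r_s, r_f), from_ntp(x_s, x_f)
    return ((t1 - t0) + (t2 - t3)) / 2

def time_ok(offset, max_skew):
    """max_skew is a site-chosen tolerance (assumption; the manual gives no figure)."""
    return abs(offset) <= max_skew

def constructed_reply(t0, t1, t2, stratum=2):
    """Constructed server reply for offline use; not captured traffic."""
    return struct.pack("!BB22x6I", 0x24, stratum, *to_ntp(t0), *to_ntp(t1), *to_ntp(t2))

if __name__ == "__main__":
    t0 = 1700000000.0                      # constructed local send time
    t3 = t0 + 0.5                          # reply arrives 0.5 s later
    reply = constructed_reply(t0, t0 + 45.25, t0 + 45.25)  # server clock 45 s ahead
    off = clock_offset(reply, t0, t3)
    print(f"offset {off:+.3f} s, within 30 s tolerance: {time_ok(off, 30)}")
```

Rejecting replies whose originate timestamp does not echo the request guards against stale or spoofed responses being used to judge the clock.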

Firewall traversal and Dual Network Interfaces

The Dual Network Interfaces option key enables the LAN 2 interface on your VCS Expressway (the
option is not available on a VCS Control). The LAN 2 interface is used in situations where your VCS
Expressway is located in a DMZ that consists of two separate networks - an inner DMZ and an outer
DMZ - and your network is configured to prevent direct communication between the two.
With the LAN 2 interface enabled, you can configure the VCS with two separate IP addresses, one for
each network in the DMZ. Your VCS then acts as a proxy server between the two networks, allowing
calls to pass between the internal and outer firewalls that make up your DMZ.
Note: all ports configured on the VCS, including those relating to firewall traversal, apply to both IP
addresses; it is not possible to configure these ports separately for each IP address.

Firewall configuration

For Expressway firewall traversal to function correctly, the firewall must be configured to:
- allow initial outbound traffic from the client to the ports being used by the VCS Expressway
- allow return traffic from those ports on the VCS Expressway back to the originating client
Cisco offers a downloadable tool, the Expressway Port Tester, that allows you to test your firewall
configuration for compatibility issues with your network and endpoints. It will advise if necessary
which ports may need to be opened on your firewall in order for the Expressway™ solution to function
correctly. The Expressway Port Tester currently only supports H.323. Contact your Cisco
representative for more information.
Note: you are recommended to turn off any H.323 and SIP protocol support on the firewall: these are
not needed in conjunction with the Expressway solution and may interfere with its operation.
The Port usage pages (under Maintenance > Tools > Port usage) show, in table format, all the IP
ports that are being used on the VCS, both inbound and outbound. This information can be provided to
your firewall administrator so that the firewall can be configured appropriately.

Configuring traversal for endpoints

Traversal-enabled H.323 endpoints can register directly with the VCS Expressway and use it for
firewall traversal.
The Locally registered endpoints page (VCS configuration > Expressway > Locally registered
endpoints) allows you to configure the way in which the VCS Expressway and traversal-enabled
endpoints communicate.
The options available are:
Cisco VCS Administrator Guide (X6.1)