Firewall Traversal Overview; About Expressway; How Does It Work; Vcs As A Firewall Traversal Client - TANDBERG Video Communication Server Administrator's Manual


Firewall traversal overview

About Expressway™

The purpose of a firewall is to control the IP traffic entering your network. Firewalls will generally
block unsolicited incoming requests, meaning that any calls originating from outside your network
will be prevented. However, firewalls can be configured to allow outgoing requests to certain
trusted destinations, and to allow responses from those destinations. This principle is used by
TANDBERG's Expressway™ solution to enable secure traversal of any firewall.

The Expressway™ solution consists of:

1. a TANDBERG VCS Expressway or TANDBERG Border Controller located outside the firewall on the
   public network or in the DMZ, which acts as the firewall traversal server
2. a TANDBERG VCS Control, TANDBERG Gatekeeper, MXP endpoint or other traversal-enabled
   endpoint located in a private network, which acts as the firewall traversal client.

The two systems work together to create an environment where all connections between the two
are outbound, i.e. established from the client to the server, and thus able to successfully traverse
the firewall.

How does it work?

The traversal client constantly maintains a connection via the firewall to a designated port on the
traversal server. This connection is kept alive by the client sending packets at regular intervals to
the server. When the traversal server receives an incoming call for the traversal client, it uses this
existing connection to send an incoming call request to the client. The client then initiates the
necessary outbound connections required for the call media and/or signaling.

This process ensures that from the firewall's point of view, all connections are initiated from the
traversal client inside the firewall out to the traversal server.
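The connection pattern described above, as an added loopback sketch (not TANDBERG code and not the real SIP/H.323 traversal protocol). The message names `KEEPALIVE` and `INCOMING_CALL`, the ephemeral ports and the two-keepalive trigger are assumptions made for the illustration; the point is that the server side only ever calls `accept()`, so a firewall sees every connection as outbound from the client.

```python
import socket
import threading

def listener():
    """Loopback listener on an ephemeral port (stands in for a traversal server port)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    s.settimeout(5)
    return s

def traversal_server(ctrl_l, media_l, log):
    """Outside the firewall: only accept()s, never connect()s towards the client."""
    ctrl, _ = ctrl_l.accept()
    reader = ctrl.makefile("r")
    for _ in range(2):  # constructed trigger: a call "arrives" after two keepalives
        log.append("server: " + reader.readline().strip().lower())
    # Signal the call over the connection the client already opened.
    ctrl.sendall(f"INCOMING_CALL {media_l.getsockname()[1]}\n".encode())
    media, _ = media_l.accept()  # the client dialled out again for media
    log.append("server: received " + media.makefile("r").readline().strip())
    media.close()
    ctrl.close()

def traversal_client(ctrl_port, log):
    """Inside the firewall: every connection it makes is an outbound connect()."""
    ctrl = socket.create_connection(("127.0.0.1", ctrl_port))
    log.append("client: connect (control)")
    ctrl.settimeout(0.05)  # keepalive interval for this toy
    while True:
        ctrl.sendall(b"KEEPALIVE\n")
        try:
            _, port = ctrl.recv(64).decode().split()
            break
        except socket.timeout:
            continue  # nothing pending from the server: send the next keepalive
    media = socket.create_connection(("127.0.0.1", int(port)))
    log.append("client: connect (media)")
    media.sendall(b"MEDIA for call\n")
    media.close()
    ctrl.close()

def run_demo():
    ctrl_l, media_l, log = listener(), listener(), []
    t = threading.Thread(target=traversal_server, args=(ctrl_l, media_l, log))
    t.start()
    traversal_client(ctrl_l.getsockname()[1], log)
    t.join()
    return log
```

`run_demo()` returns the event log; every `connect` entry in it belongs to the client.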
In order for firewall traversal to function correctly, the VCS Expressway must have one
traversal server zone configured on it for each client system that is connecting to it (this
does not include traversal-enabled endpoints which register directly with the VCS
Expressway; the settings for these connections are configured in a different way). Likewise, each
VCS client must have one traversal client zone configured on it for each server that it is connecting
to. The ports and protocols configured for each pair of client-server zones must be the same. (See
Quick guide to VCS traversal client - server configuration for a summary of the configuration on each
system.) Because the VCS Expressway listens for connections from the client on a specific port, we
recommend that you create the traversal server zone on the VCS Expressway before you create the
traversal client zone on the VCS Control.

D14049.05 February 2009

VCS as a firewall traversal client

Your VCS can act as a firewall traversal client on behalf of SIP and H.323 endpoints registered to it,
and any gatekeepers that are neighbored with it.

In order to act as a firewall traversal client, the VCS must be configured with information about the
system(s) that will be acting as its firewall traversal server. See the section on Configuring the VCS
as a traversal client for full details on how to do this.

In most cases, you will use a VCS Control as a firewall traversal client. However, a VCS
Expressway can also act as a firewall traversal client.

The firewall traversal server used by the VCS client can be a TANDBERG VCS Expressway, or
(for H.323 only) a TANDBERG Border Controller.

VCS as a firewall traversal server

The VCS Expressway has all the functionality of a VCS Control (including being able to act as a
firewall traversal client). However, its main feature is that it can act as a firewall traversal server for
other TANDBERG systems and any traversal-enabled endpoints that are registered directly to it. It
can also provide STUN Discovery and STUN relay services to endpoints with STUN clients. These
features are enabled as follows:

In order for the VCS Expressway to act as a firewall traversal server for TANDBERG systems, you
must create and configure a new traversal server zone on the VCS Expressway for every system
that is its traversal client. See Configuring the VCS as a traversal server for full instructions.

In order for the VCS Expressway to act as a firewall traversal server for traversal-enabled
endpoints (i.e. TANDBERG MXP endpoints and any other endpoints that support the ITU
H.460.18 and H.460.19 standards), no additional configuration is required. See Configuring
traversal for endpoints for more information on the options available.

To enable STUN Discovery and STUN Relay services, see STUN services.

To reconfigure the default ports used by the VCS Expressway, see Configuring traversal server
ports.
