About Firewall Traversal - Cisco TelePresence Administrator's Manual

Video communication server

About firewall traversal

The purpose of a firewall is to control the IP traffic entering your network. Firewalls will generally block
unsolicited incoming requests, meaning that any calls originating from outside your network will be
prevented. However, firewalls can be configured to allow outgoing requests to certain trusted destinations,
and to allow responses from those destinations. This principle is used by Cisco's Expressway technology to
enable secure traversal of any firewall.
Expressway solution
The Expressway solution consists of:
- a VCS Expressway or Border Controller located outside the firewall on the public network or in the DMZ, which acts as the firewall traversal server
- a VCS Control, Gatekeeper, MXP endpoint or other traversal-enabled endpoint located in a private network, which acts as the firewall traversal client
The two systems work together to create an environment where all connections between the two are
outbound, i.e. established from the client to the server, and thus able to successfully traverse the firewall.
How does it work?
The traversal client constantly maintains a connection via the firewall to a designated port on the traversal
server. This connection is kept alive by the client sending packets at regular intervals to the server. When the
traversal server receives an incoming call for the traversal client, it uses this existing connection to send an
incoming call request to the client. The client then initiates the necessary outbound connections required for
the call media and/or signaling.
This process ensures that from the firewall's point of view, all connections are initiated from the traversal
client inside the firewall out to the traversal server.
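The keepalive-and-reverse-notification behaviour described above, modelled as an added example (not Cisco code, and not from this guide): a stateful firewall that admits inbound packets only for flows the inside host opened recently, a traversal client that keeps one outbound connection alive, and a server that pushes the incoming call request over that connection. The port numbers, keepalive interval and idle timeout are constructed values, not the VCS defaults.

```python
from dataclasses import dataclass, field

TRAVERSAL_PORT = 7001     # hypothetical designated port on the traversal server
KEEPALIVE_INTERVAL = 10   # hypothetical keepalive period (seconds)
SIP_PORT = 5061           # port an outside caller would try to reach directly


@dataclass
class StatefulFirewall:
    """Admits inbound packets only for flows the inside host opened recently."""
    idle_timeout: int = 30
    flows: dict = field(default_factory=dict)   # (inside_port, outside_port) -> last seen
    log: list = field(default_factory=list)

    def outbound(self, inside_port, outside_port, now):
        self.flows[(inside_port, outside_port)] = now   # create or refresh the flow entry

    def inbound(self, inside_port, outside_port, now):
        last = self.flows.get((inside_port, outside_port))
        if last is None or now - last > self.idle_timeout:
            self.flows.pop((inside_port, outside_port), None)
            self.log.append(f"t={now}: DROP unsolicited inbound to port {inside_port}")
            return False
        self.flows[(inside_port, outside_port)] = now   # response to an established flow
        return True


def run_scenario(send_keepalives=True, call_time=40):
    """Report which packets the firewall lets through during a traversal call."""
    fw = StatefulFirewall()
    ctrl_port, media_port = 40000, 50000   # constructed client-side source ports
    fw.outbound(ctrl_port, TRAVERSAL_PORT, 0)   # client opens the traversal connection
    # An outside caller trying to reach the client directly is unsolicited and is dropped.
    direct_call = fw.inbound(SIP_PORT, 5061, 5)
    if send_keepalives:
        for t in range(KEEPALIVE_INTERVAL, call_time, KEEPALIVE_INTERVAL):
            fw.outbound(ctrl_port, TRAVERSAL_PORT, t)   # keepalive refreshes the flow
    # The server relays the incoming call request over the existing connection.
    call_request = fw.inbound(ctrl_port, TRAVERSAL_PORT, call_time)
    media_reply = False
    if call_request:
        fw.outbound(media_port, TRAVERSAL_PORT, call_time + 1)   # client opens media outbound
        media_reply = fw.inbound(media_port, TRAVERSAL_PORT, call_time + 2)
    return {"direct_call": direct_call, "call_request": call_request,
            "media_reply": media_reply, "log": fw.log}
```

Running with send_keepalives=False shows the failure mode: once the flow entry has aged out, the server's call request is dropped like any other unsolicited packet.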
For firewall traversal to function correctly, the VCS Expressway must have one traversal server zone
configured on it for each client system that is connecting to it (this does not include traversal-enabled
endpoints which register directly with the VCS Expressway; the settings for these connections are
configured in a different way). Likewise, each VCS client must have one traversal client zone configured on it
for each server that it is connecting to.
The ports and protocols configured for each pair of client-server zones must be the same. See the
Configuring a traversal client and server section for a summary of the required configuration on each system.
Because the VCS Expressway listens for connections from the client on a specific port, it is
recommended that you create the traversal server zone on the VCS Expressway before you create the traversal
client zone on the VCS Control.
Endpoint traversal technology requirements
The "far end" (at home or at a hotel, for example) endpoint requirements to support firewall traversal are
summarized below:
- For H.323, the endpoint needs to support Assent or H.460.18 and H.460.19.
- For SIP, the endpoint just needs to support standard SIP.
  - Registration messages will keep the "far end" firewall ports open for the VCS to send messages to that endpoint. The VCS waits for media from the endpoint behind the firewall before returning media to it on that same port; the endpoint does have to support media transmission and reception on the same port.
Cisco VCS Administrator Guide (X7.2)
Firewall traversal
Page 230 of 498
