Cisco Systems VC-289 manual Proxy Outside the Firewall, Proxies and NAT, VC-300


Configuring H.323 Gatekeepers and Proxies

H.323 Proxy Features

Proxy Outside the Firewall

To place the proxy and gatekeeper outside the firewall, two conditions must exist. First, the firewall must support H.323 dynamic access control. Second, Network Address Translation (NAT) must not be in use.

If NAT is in use, each endpoint must register with the gatekeeper for the duration of the time it is online. This will quickly overwhelm the firewall because a large number of relatively static, internal-to-external address mappings will need to be maintained.

If the firewall does not support H.323 dynamic access control, the firewall can be configured with static access lists that allow traffic from the proxy or gatekeeper through the firewall. This can present a security risk if an attacker can spoof, or simulate, the IP addresses of the gatekeeper or proxy and use them to attack the network. Figure 60 illustrates proxy outside the firewall.
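To make the exposure of such static access lists concrete, the following added example (not from the Cisco guide) audits IOS-style extended access-list lines for permit entries that trust the proxy or gatekeeper by source address alone, and reports how much of the inside network each entry opens to anyone who can spoof that address. The ACL lines, the addresses, and the `audit` helper are constructed for illustration; only contiguous wildcard masks are handled.

```python
import ipaddress

# Constructed sample (documentation addresses): firewall trusts proxy/gatekeeper by source IP.
TRUSTED = {"192.0.2.10": "proxy", "192.0.2.11": "gatekeeper"}
SAMPLE_ACL = """\
access-list 110 permit tcp host 192.0.2.10 10.1.0.0 0.0.255.255 eq 1720
access-list 110 permit tcp host 192.0.2.10 10.1.0.0 0.0.255.255 gt 1023
access-list 110 permit udp host 192.0.2.10 any gt 1023
access-list 110 permit ip host 192.0.2.11 any
access-list 110 deny ip any any
"""

def _take_addr(tok):  # consume one address spec: any | host A | A WILDCARD
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(first + "/" + tok.pop(0))  # parsed as host mask

def _port_count(tok):  # ports matched by an optional eq/gt/lt/range operator
    if not tok:
        return 65536
    op, n = tok[0], int(tok[1])
    if op == "range":
        return int(tok[2]) - n + 1
    return {"eq": 1, "gt": 65535 - n, "lt": n}[op]

def audit(acl_text, trusted):
    """Return one finding per permit entry whose source is a trusted single host."""
    findings = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        proto, rest = tok[3], tok[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        role = trusted.get(str(src.network_address))
        if src.prefixlen != 32 or role is None:
            continue
        ports = _port_count(rest) if proto in ("tcp", "udp") else None
        flags = ["any-destination"] if dst.prefixlen == 0 else []
        if proto == "ip":
            flags.append("all-protocols")
        elif ports is not None and ports > 1:
            flags.append("wide-port-range")
        findings.append({"role": role, "rule": line, "flags": flags,
                         "dst_addrs": dst.num_addresses, "ports": ports})
    return findings
```

Calling `audit(SAMPLE_ACL, TRUSTED)` returns four findings; entries with a non-empty `flags` list are the ones where a spoofed proxy or gatekeeper address reaches far more than a single signaling port.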

Figure 60 Proxy Outside the Firewall

[Figure: terminals, firewall, edge router, gatekeeper, proxy, and outside devices]

Proxies and NAT

When a firewall is providing NAT between an internal and an external network, proxies may allow H.323 traffic to be handled properly, even in the absence of a firewall that can translate addresses for H.323 traffic. Table 24 and Table 25 provide guidelines for proxy deployment for networks that use NAT.

Table 24 Guidelines for Networks That Use NAT

| For Networks Using NAT | Firewall with H.323 NAT | Firewall Without H.323 NAT |
|---|---|---|
| Firewall with dynamic access control | Gatekeeper and proxy inside the firewall | Co-edge gatekeeper and proxy |
| Firewall without dynamic access control | Gatekeeper and proxy inside the firewall, with static access lists on the firewall | Co-edge gatekeeper and proxy |

Cisco IOS Voice, Video, and Fax Configuration Guide

VC-300


VC-289 specifications

Cisco Systems has long been a leader in networking technology, and among its diverse range of products is the VC-289. Designed specifically for enhanced performance in high-demand environments, the VC-289 serves a critical role in supporting the modern networking infrastructure.

One of the standout features of the VC-289 is its scalability. The device is engineered to easily accommodate expanded workloads, ensuring that organizations can grow without the need for frequent upgrades. This scalability is complemented by Cisco's commitment to backward compatibility, allowing businesses to integrate new systems with existing setups seamlessly.

In terms of performance, the VC-289 boasts impressive processing power. With advanced multi-core architecture, it is capable of handling multiple data streams simultaneously, making it ideal for environments that require consistent data flow, such as cloud computing and IoT applications. The device’s high throughput ensures that users experience minimal latency, facilitating quick data transfers even during peak usage times.

Security is another key characteristic of the VC-289. Cisco has integrated robust security protocols that protect against various cyber threats. Through features such as advanced encryption standards and intrusion prevention systems, organizations can ensure that sensitive data remains secure and is not compromised during transmission.

Another notable technology within the VC-289 is its support for software-defined networking (SDN) capabilities. This allows for more flexible network management, enabling IT teams to adapt the network according to evolving business needs. The ability to programmatically control the network also means that businesses can implement changes more rapidly, reducing downtime and improving overall productivity.

The VC-289 is designed with energy efficiency in mind, featuring power-saving modes that help reduce operational costs. This focus on sustainability not only benefits the environment but also appeals to organizations striving to meet corporate social responsibility objectives.

In conclusion, the Cisco Systems VC-289 stands as an exemplary solution for modern networking challenges. With its scalability, performance capabilities, enhanced security features, SDN support, and energy efficiency, it meets the demands of today's fast-paced and ever-evolving technological landscape. Organizations looking to invest in a robust networking solution would do well to consider the VC-289 as a cornerstone of their infrastructure.