TANDBERG D14049.01 manual Firewall Traversal Overview, VCS as a Firewall Traversal Server

Models: D14049.01


Firewall Traversal

TANDBERG VIDEO COMMUNICATION SERVER ADMINISTRATOR GUIDE

Firewall Traversal Overview

About Firewall Traversal

The purpose of a firewall is to control the IP traffic entering your network. Firewalls will generally block unsolicited incoming requests, meaning that any calls originating from outside your network will be prevented. However, firewalls can be configured to allow outgoing requests to certain trusted destinations, and to allow responses from those destinations. This principle is used by TANDBERG’s Expressway™ solution to enable secure traversal of any firewall.

The Expressway™ solution consists of:

a VCS Border Controller or Border Controller located outside the firewall on the public network or DMZ, which acts as the firewall traversal server,

a VCS, Gatekeeper, MXP endpoint or other traversal-enabled endpoint located on the private network, which acts as the firewall traversal client.

The two systems work together to create an environment where all connections between the two are outbound, i.e. established from the client to the server, and thus able to successfully traverse the firewall.

How does it work?

The traversal client constantly sends a probe via the firewall to a designated port on the traversal server. This keeps a connection alive between the client and server. When the traversal server receives an incoming call for the traversal client, it uses this existing connection to send an incoming call request to the client. The client then initiates a connection to the server and upon receipt the server responds with the incoming call. This process ensures that from the firewall’s point of view, all connections are initiated from the traversal client inside the firewall out to the traversal server.

VCS and Firewall Traversal

VCS as a Firewall Traversal Client

Your VCS can act as a firewall traversal client on behalf of SIP and H.323 endpoints registered to it, and any gatekeepers that are neighbored with it.

In order to act as a firewall traversal client, the VCS must be configured with information about the system(s) that will be acting as its firewall traversal server. See the section on Configuring the VCS as a Traversal Client for full details on how to do this.

The firewall traversal server used by the VCS can be another VCS with the Border Controller option enabled, or a TANDBERG Border Controller.
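
The sequence described under "How does it work?" can be traced against a toy stateful firewall. This is an added illustration, not part of the TANDBERG guide or product code; the firewall model, host names and port numbers are constructed assumptions.

```python
# Added illustration: a toy stateful firewall, not TANDBERG code.
# Host names and port numbers are constructed for the example.

class StatefulFirewall:
    """Allows connections opened from inside and replies on them; drops the rest."""

    def __init__(self):
        self.flows = set()  # (inside_host, outside_host, server_port)
        self.log = []       # (direction, verdict, note)

    def outbound(self, inside, outside, server_port, note):
        self.flows.add((inside, outside, server_port))
        self.log.append(("out", "allow", note))
        return True

    def inbound(self, outside, inside, server_port, note):
        allowed = (inside, outside, server_port) in self.flows
        self.log.append(("in", "allow" if allowed else "drop", note))
        return allowed


def direct_call(fw, caller, callee, port):
    """An outside system tries to open a call to the inside endpoint itself."""
    return fw.inbound(caller, callee, port, "unsolicited call setup")


def traversal_call(fw, client, server, probe_port, call_port):
    """Probe, call request on the probe flow, outbound connect, call delivered."""
    fw.outbound(client, server, probe_port, "keep-alive probe")
    if not fw.inbound(server, client, probe_port, "incoming call request"):
        return False
    fw.outbound(client, server, call_port, "client connects to server")
    return fw.inbound(server, client, call_port, "server responds with the call")


CLIENT, SERVER = "vcs.inside.example", "border.outside.example"  # constructed

if __name__ == "__main__":
    fw = StatefulFirewall()
    print("direct call allowed:", direct_call(fw, SERVER, CLIENT, 50001))
    print("traversal call allowed:", traversal_call(fw, CLIENT, SERVER, 50000, 50001))
    for entry in fw.log:
        print(entry)
```

In the log, every allowed inbound entry follows an outbound entry for the same hosts and port, which is why the firewall rule set needs no inbound exception.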

VCS as a Firewall Traversal Server

In addition to being a firewall traversal client, the VCS can be enabled to act as a firewall traversal server. With this option enabled, the VCS will act as a traversal server for other TANDBERG systems and any traversal-enabled endpoints that are registered directly to it. It can also provide STUN Discovery and STUN relay services to endpoints with STUN clients.

To enable server-side firewall traversal for other systems, you must create and configure a new traversal server zone on the VCS for every system that is its traversal client. See Configuring the VCS as a traversal server for details on how to do this.

To enable server-side firewall traversal for traversal-enabled endpoints (i.e. TANDBERG MXP endpoints and any other endpoints that support the ITU H.460.18 and H.460.19 standards) no additional configuration is required. See Configuring traversal for endpoints for more information on the options available.

To enable STUN Discovery and STUN Relay services, see STUN Services.

To reconfigure the default ports used by the VCS Border Controller, see Configuring traversal server Ports.

To use the VCS as a traversal server, you must install the Border Controller option key on your system. Contact your TANDBERG representative for further information.

In order for firewall traversal to function correctly, the VCS Border Controller must have a traversal server zone configured on it for each client that is connecting to it. Likewise, each VCS client must have a traversal client zone configured on it for each server that it is connecting to. The ports and protocols configured for each pair of zones must be the same. Because the VCS Border Controller listens for connections from the client on a specific port, we recommend that you create the traversal server zone before you create the traversal client zone.


D 14049.01, page 97, 07.2007
