155, Other Issues | TANDBERG D14049.04 manual

Grey Headline (continued)

Other Issues

TANDBERG VIDEO COMMUNICATIONS SERVER ADMINISTRATOR GUIDE

Firewall Traversal and Dual Network Interfaces		Firewall Configuration

The Dual Network Interfaces option enables the LAN 2 interface on your VCS Expressway (the option is not available on a VCS Control). The LAN 2 interface is used in situations where your VCS Expressway is located in a DMZ that consists of two separate networks - an inner DMZ and an outer DMZ - and your firewall rules prevent communication between the two.

With the LAN 2 interface enabled, you can configure the VCS with two separate IP addresses, one for each network in the DMZ. Your VCS then acts as a proxy server between the two networks, allowing calls to pass between the internal and outer firewalls that make up your DMZ.

All ports configured on the VCS, including those relating to firewall traversal, will apply to both IP addresses; it is not possible to configure these ports separately for each IP address.

In order for Expressway™ firewall traversal to function correctly, the firewall must be configured to:

•allow initial outbound traffic from the client to the ports being used by the VCS Expressway

•allow return traffic from those ports on the VCS Expressway back to the originating client.

TANDBERG offers a downloadable tool, the Expressway Port Tester, that allows you to test your firewall configuration for compatibility issues with your network and endpoints. It will advise if necessary which ports may need to be opened on your firewall in order for the Expressway™ solution to function correctly. The Expressway Port Tester currently only supports H.323. Contact your TANDBERG representative for more information.

We recommend that you turn off any H.323 and SIP protocol support on the firewall: these ! are not needed in conjunction with the TANDBERG Expressway™ solution and may interfere

with its operation.

Introduction

Getting Started

Overview and

System

VCS

Zones and

Call

Bandwidth

Firewall

Applications

Maintenance

Appendices

Status

Configuration

Configuration

Neighbors

Processing

Control

Traversal

D14049.04

155

JULY 2008

Image 155

TANDBERG D14049.04 manual 155, Other Issues

Contents

Guide Getting Started What’s in this Manual?Preamble Introduction DNS Overview and Status NTP VCS Configuration Call Processing Zones and Neighbors Bandwidth Control 151 Applications Maintenance Appendices Copyright 2008, Tandberg Legal Notices Approvals Safety Instructions and ApprovalsSafety Instructions Waste Handling Digital User Guides Environmental IssuesTANDBERG’s Environmental Policy Environmental Issues Tandberg VCS Overview VCS and the Tandberg Total Solution VCS Expressway VCS Base ApplicationsVCS Control User Policy FindMe Standard Features Optional FeaturesDual Network Interfaces What’s New in this Version? Typographical conventions Administrator GuideUsing this Administrator Guide Command Line Interface Getting Started Connecting the Cables InstallationInstallation Site Preparations General Installation Precautions Powering on the VCS Initial Configuration via Serial Cable Initial Configuration Down key Initial Configuration via Front PanelUP key Overview System Administrator Access Supported Browsers Using the Web InterfaceSelect Administrator Login Web Interface General page features How Command are Shown in this Guide Command Line Interface Supported CharactersUsing the Command Line Interface CLI Types of Commands Overview and Status Viewing the Overview Understanding the Overview Overview System Information Speed EthernetStatus System Ethernet MAC address Viewing the IP Status Understanding the IP Status IP Status Status System Resource Usage Traversal calls Resource UsageViewing the Resource Usage Understanding the Resource Usage Viewing the Registrations Understanding the Registrations Registrations End Time Registration HistoryReason Duration Publishers Presentities Subscribers PresenceViewing the Presence Status Pages Viewing the Calls Understanding the Calls Calls Status Call History Filter Call HistoryViewing the Call History Understanding the Call History Status Search History Search HistoryViewing the Search History Understanding the Search History About Searches Viewing the Local Zone Understanding the Local Zone Local Zone Status Zones ZonesViewing the Zones Understanding the Zones Status Links LinksViewing the Links Understanding the Links Status Pipes PipesViewing the Pipes Understanding the Pipes Viewing the Stun Relays Understanding the Stun Relays Stun Relays Status Applications ApplicationsViewing the Applications Understanding the Applications Status Warnings Viewing the Warnings Understanding the Warnings Event Log Levels Event LogViewing the Event Log Understanding the Event Log Event Log Color Coding Event Log Format Interpreting the Event Log Event Message Details Field Events and Levels Registration Accepted Message ReceivedMessage Rejected Message Sent User session Login failure System Backup errorSystem Restore error TLS Negotiation Error Types of Configuration Events Configuration LogViewing the Configuration Log Understanding the Configuration Log System Configuration About the System Name System AdministrationOverview Configuration About Administrator Access settings Ethernet speed System Configuration EthernetXConfiguration Ethernet About Ethernet Speed About IPv4 to IPv6 Gatewaying Overview IP ConfigurationXConfiguration IP XConfiguration IPProtocol XConfiguration IP Route XCommand RouteAdd IPv4 subnet mask Overview LAN ConfigurationAbout LAN Configuration About Dual Network Interfaces About the DNS Domain Name XConfiguration IP DNSAbout DNS Servers About the Time Zone System Configuration NTPXConfiguration NTP Address XConfiguration TimeZone Name About the NTP Server About Snmp XConfiguration Snmp Address XConfiguration ExternalManagerExternal Manager About the External Manager Remote Logging LoggingAbout Logging About Remote Logging About Event Log Levels Setting the Event Log LevelXConfiguration Log Level Log Levels VCS Configuration Overview Endpoint Registration 323 XConfiguration H323 Configuring H.323 SIP Registration Expiry Using the VCS as a SIP RegistrarSIP Overview About SIP on the VCS SIP protocols and ports Using the VCS as a SIP Proxy ServerUsing the VCS as a SIP Presence Server XConfiguration SIP Configuring SIP Registrations, Protocols and Ports View/Edit Configuring SIP DomainsVCS Configuration Protocols SIP Domains Cancel Interworking Configuring InterworkingXConfiguration Interworking Mode Save SIP interworking mode Endpoint Registration MCU, Gateway and Content Server RegistrationRegistration Control Registration Overview H323 Gatekeeper AutoDiscovery Finding a VCS with which to Register323 Preventing automatic registrations Authentication for Local Registrations AuthenticationAuthentication Mode Configuring Authentication About External Registration Credentials Configuring External Registration Credentials Authentication using an Ldap Server Authentication DatabasesAlias Origin Setting XConfiguration Ldap XConfiguration Authentication Ldap Configuring Ldap Server settings Configuring the Local Database Authentication using a Local Database Alias Registration Attempts to Register using an Existing AliasRegistering Aliases About Alias Registration Removing existing registrations Allow and Deny ListsAbout Allow and Deny Lists Activating use of Allow or Deny Lists Managing Entries in the Allow List XCommand AllowListAdd XConfigurationAllowList Registration Add Deny List Pattern VCS Configuration Registration Deny ListXCommand DenyListAdd XConfigurationDenyList Registration Managing Entries in the Deny List Zones and Neighbors About your Video Communications Network Example Network DiagramIntroduction Local Zone Matches Overview Configuring the Local Zone and its SubzonesLocal Zone and Subzones Bandwidth Management What are traversal calls? Configuring the Traversal Subzone PortsVCS Configuration Local Zone Traversal Subzone Traversal Subzone Neighbor Zone About Zones Traversal Client Zone Traversal Server Zone XCommand DefaultLinksAdd Enum Zone DNS Zone Default Zone XConfiguration Zones Zone Adding Zones Configuring ZonesVCS Configuration Zones XCommand ZoneAdd Match1 Match5 Configuring Zones All TypesHop count Configuring Neighbor Zones Retry interval Configuring Traversal Client ZonesAuthentication username Configuring Traversal Server Zones DNS suffix Configuring Enum Zones Configuring DNS Zones Cluster Subzone Clustering, Peers and AlternatesAbout Clustering System Name Administration Accounts IP configurationDNS Configuration Prerequisites Upgrading to Backup and RestoreRegistrations SIP Registrations Enabling the Replication of FindMe Information ConfigurationClustering and FindMe Viewing Peers Clustering and Presence Peer 1...Peer 6 address 100Neighboring the Local VCS to a Cluster Dial Plans 101 Call Processing 102 Search Process Call Processing Diagram103 Dialing by Enum 104Dialing by Address Types Dialing by IP Address Dialing by H.323 or SIP URI Hop Counts About Hop Counts Configuring Hop CountsXConfiguration Zones Zone 1..200 HopCount 105 Pre-Search Transforms 106Searches and Transforms Overview of Searches and Transforms 107 Configuring Pre-Search TransformsXConfiguration Transform Zone Searching and Transforming 108 Local Zone Configuring Zone Searches and TransformsDefault Settings 109 Never Query a Zone 110Examples Combining Match Types and Priorities Filter Queries to a Zone Without Transforming 111 Query a Zone for Original and Transformed Alias 112 Query a Zone for Two or More Transformed Aliases 113 114 About Call Policy Administrator Policy and AuthenticationAuthentication Mode On Authentication Mode Off Administrator Policy Mode Administrator PolicyEnabling the use of Administrator Policy VCS Configuration Call Policy 116 Configuring Administrator Policy via the Web Interface About CPL XSD files 117Uploading a CPL Script H323 118URI Dialing Process Configuring Matches for DNS Zones119 URI Dialing for Outgoing Calls Advanced Adding and Configuring DNS ZonesXCommand ZoneAdd XConfiguration Zones Zone 120 121 Configuring DNS ServersXConfiguration IP DNS Server URI Dialing for Incoming Calls 122 URI Dialing and Firewall Traversal Example DNS Record ConfigurationRecommended Configuration 123 Overview Process Enabling Enum Dialing 124Enum Dialing 7.6.5.4.3.2.1.4.4 125Enum Dialing for Outgoing Calls Example 126 Configuring Matches for Enum ZonesConfiguring Transforms for Enum Zones Mode of PatternMatch Pattern string Pattern type of Prefix Click Create Zone Configuring Enum Zones127 128 About DNS Domains for Enum Configuring DNS Naptr Records129 Enum Dialing for Incoming Calls Unregistered Endpoints Recommended Configuration for Firewall TraversalXConfiguration Call Services 130 Fallback Alias Overview Configuration Example UsageXConfiguration Call Services Fallback Alias 131 Identifying a Particular Call 132Call IDs, Serial Numbers and Tags 133 Disconnecting CallsDisconnecting a Call via the Web Interface Issues when Disconnecting SIP Calls Bandwidth Control 134 Bandwidth Control on the VCS Example Network Deployment 135Bandwidth Control Overview Specifying the Subzone IP Addresses Subzone Links About the Default Subzone136 Subzones Creating a Subzone XCommand SubZoneAdd137 138 Configuring a SubzoneXConfiguration Zones LocalZone SubZone How Different Bandwidth Limitations are Managed 139Applying Bandwidth Limitations to Subzones Types of Limitations About Links Creating Links Default LinksXCommand LinkAdd 140 Editing Links XConfiguration Bandwidth Link141 142 Default LinksAbout Default Links Pre-Configured Links About Pipes Creating Pipes XCommand PipeAdd143 Editing an Existing Pipe XConfiguration Bandwidth Pipe144 Editing Pipes One Pipe, Two or More Links 145Applying Pipes to Links One Pipe, One Link 146 Default Bandwidth and DownspeedingAbout the Default Call Bandwidth Configuring Default Call Bandwidth and Downspeeding Example Without a Firewall 147Bandwidth Control Examples Example With a Firewall VCS Expressway Subzone ConfigurationVCS Control Subzone Configuration 148 Firewall Traversal 149 How does it work? 150Firewall Traversal Overview About Expressway VCS as a Firewall Traversal Client VCS Expressway Server Quick Guide to VCS Traversal Client Server Configuration151 SIP Firewall Traversal Protocols 152Firewall Traversal Protocols and Ports Overview Expressway Process Firewall Traversal Protocols SIP Ports Call signaling153 Media 154 Firewall Traversal and AuthenticationAuthentication and NTP Configuration Zones Edit Zone, in the Configuration section 155 Other Issues TraversalClient Create Zone Configuring the VCS as a Traversal Client156 Adding a New Traversal Client Zone 157 Configuring a Traversal Client Zone TraversalServer Create Zone Configuring the VCS as a Traversal Server158 Adding a New Traversal Server Zone 159 Configuring a Traversal Server ZoneClient authentication username Demux mode 160 Configuring Traversal for EndpointsXConfiguration Zones LocalZone Traversal H323 161 Configuring Traversal Server Ports 162 Stun Services 163 Configuring Stun Services 164 FindMe User Policy 165 Enabling FindMe on the VCS Configuring User Policy ManagerXConfiguration Policy UserPolicy 166 About User Accounts Creating a New User Account 167Managing FindMe User Accounts 168 Changing a User PasswordViewing Existing User Account Settings Are you sure...? 169Deleting a User Account About your FindMe User Account Using TANDBERG’s FindMeAccessing the FindMe Configuration 170 171 Configuring your FindMe User Account Overview Presence Server 172 Registration refresh period 173Presence User Agent PUA Aggregation of Presence Information 174 Enabling and Disabling Presence ServicesEnabled Disabled Presentities 175Viewing Presence Status Publishers 176 Maintenance Upgrading Software Overview Upgrading Using SCP/PSCPInstalling and Restarting 177 Upgrading via the Web Interface 178 Restart system Software upgrade in progressSoftware successfully upgraded 179 Downgrading Software Downgrade Procedure Impact on features introduced180 Overview Adding Options via the CLI XConfiguration Option 1..64 Key181 Option Keys Add option key Maintenance Option Keys182 Adding Options via the Web Interface Overview Enabling Security 183Security 184 Administration AccountsAdding an Administration Account 185 Editing an Administration AccountAccount Disabled This account can not be used Limitations Backup and RestoreOverview Creating a Backup of your VCS Configuration 186 187 Restoring a Previous Backup Overview Creating a System Snapshot Error Reports188 System Snapshot Restarting Maintenance RestartXCommand Boot 189 Overview Shutting Down Maintenance Shutdown190 Shutting Down 191 Restoring Default ConfigurationOverview DefaultValuesSet Level XCommand DefaultValuesSet Level 3 must be 192 Password EncryptionOverview Maximum length of Passwords Command Line Interface Appendices 193 Overview of CPL on the VCS Address-switch194 CPL Reference Field 195 Otherwise Not-present 196Subfield Reject Rule-switch197 Location Call Screening Based on Alias Call Screening of Authenticated Users198 CPL Examples Dont accept calls from this source 199Call Screening Based on Domain Change of Domain Name Allow Calls from Locally Registered Endpoints Only Block Calls from Default Zone and Default SubzoneAddress Address is=DefaultSubZone 200 201 Restricting Access to a Local GatewayUsing the address-switch node Using the rule-switch node Matches 0 or more repetitions of the previous match 202Regular Expression Reference Overview Common Regular Expressions Pattern Variable Reference 203 VCS Ports VCS Configuration Protocols H.323204 VCS Port Reference XConfiguration H323 Gatekeeper CallSignaling PortRange End XConfiguration Traversal Server Stun Relay PortXConfiguration SIP TCP Port XConfiguration SIP TLS Port 206 XConfiguration SIP TCP Outbound Port StartXConfiguration SIP TCP Outbound Port End XConfiguration Traversal Media Port Start Verifying the SRV Record DNS Configuration207 Overview Microsoft DNS Server About the Ldap Databases Ldap ConfigurationDownloading the Ldap schemas 208 Create the Organizational Hierarchy 209Adding H.350 Objects Securing with TLS OpenLDAP Include /etc/openldap/schemas/sipidentity.ldif210 Slapadd -l ldif file 211# MeetingRoom1 endpoint 212 Command Reference xConfiguration 213 214 Example Configuration Applications Presence Server Mode On 215 216 Example xConfiguration Bandwidth Downspeed PerCall Mode OnExample xConfiguration Bandwidth Downspeed Total Mode On Example xConfiguration Bandwidth Link 1 Node1 Name HQ 217 Example xConfiguration Bandwidth Pipe 1 Name 512Kb AsdlExample xConfiguration Error Reports Mode Off Example xConfiguration ExternalManager Address Example xConfiguration Ethernet 1 IP V4 AddressExample xConfiguration Ethernet 1 IP V4 SubnetMask Example xConfiguration Ethernet 1 Speed Auto 219 Example xConfiguration H323 Gatekeeper CallTimeToLiveExample xConfiguration H323 Gatekeeper TimeToLive 220 221 222 223 Example xConfiguration Policy UserPolicy Mode Local 224 Example xConfiguration Registration RestrictionPolicy NoneExample Configuration SIP Loop Detect Mode On 225 226 Example xConfiguration Transform 1 Pattern Behavior Replace Example xConfiguration SystemUnit Name Oslo HQ VCSExample xConfiguration SystemUnit Password password123 Example xConfiguration TimeZone Name GMT 228 Example Traversal Server Stun Relay Port Example xConfiguration Traversal Server Stun Discovery PortExample xConfiguration Traversal Server Stun Relay Mode On 229 230 231 Example xConfiguration Zones LocalZone Match 1..5 Priority 232 233 234 235 Example xConfiguration Zones Zone 1 H323 Mode On 236 Example xConfiguration Zones Zone 1 HopCount 237 Example xConfiguration Zones Zone 1 Match 1 PriorityExample xConfiguration Zones Zone 1 Name UK Sales Office Example xConfiguration Zones Zone 1 Neighbor H323 Port 238 Example xConfiguration Zones Zone 1 Neighbor Peer 1 AddressExample xConfiguration Zones Zone 1 Neighbor SIP Port 239 Example xConfiguration Zones Zone 1 SIP Mode On 240 Example xConfiguration Zones Zone 3 TraversalServer SIP Port 241 Example xConfiguration Zones Zone 1 Type Neighbor 242 Command Reference xCommand 243 Example xCommand AdminAccountDelete AdminAccountIdExample xCommand AllowListDelete AllowListId Example xCommand boot 244 Example xCommand DenyListDelete DenyListId Example xCommand CredentialDelete CredentialIdExample xCommand DefaultLinksAdd Example xCommand DefaultValuesSet Level 246 Example xCommand DomainAdd DomainName example.comExample xCommand DomainDelete DomainId Example xCommand FeedbackDeregister ID 247 248 Example xCommand LinkDelete LinkId 249 Example xCommand OptionKeyAdd Key 1X4757T5-1-60BAD5CDExample xCommand OptionKeyDelete OptionKeyId 250 Example xCommand PipeDelete PipeIdExample xCommand RouteDelete RouteId 251 Example xCommand SubZoneDelete SubZoneId2 252 Example xCommand TransformDelete TransformIdExample xCommand ZoneDelete ZoneId 253 Example xCommand ZoneList Alias john.smith@example.com 254 Command Reference xStatus SystemUnit 255 Ethernet 256 NTP 257 Calls 258 259 Registrations 260 Zones 261 262 263 Links 264 Alternates 265 SIP 266 Stun 267 268 269 Bibliography 270 Glossary 271 Fqdn 272 Term Definition Local VCS 273 RTP 274 VCS 275 Contact Information 276