Grey Headline (continued)

Firewall Traversal Overview

TANDBERG VIDEO COMMUNICATIONS SERVER ADMINISTRATOR GUIDE

About Expressway™

 

VCS as a Firewall Traversal Client

 

 

 

The purpose of a firewall is to control the IP traffic entering your network. Firewalls will generally block unsolicited incoming requests, meaning that any calls originating from outside your network will be prevented. However, firewalls can be configured to allow outgoing requests to certain trusted destinations, and to allow responses from those destinations. This principle is used by TANDBERG’s Expressway™ solution to enable secure traversal of any firewall.

The Expressway™ solution consists of:

1.a TANDBERG VCS Expressway or TANDBERG Border Controller located outside the firewall on the public network or in the DMZ, which acts as the firewall traversal server

2.a TANDBERG VCS Control, TANDBERG Gatekeeper, MXP endpoint or other traversal-enabled endpoint located in a private network, which acts as the firewall traversal client.

The two systems work together to create an environment where all connections between the two are outbound, i.e. established from the client to the server, and thus able to successfully traverse the firewall.

How does it work?

The traversal client constantly maintains a connection via the firewall to a designated port on the traversal server. This connection is kept alive by the client sending packets at regular intervals to the server. When the traversal server receives

an incoming call for the traversal client, it uses this existing connection to send an incoming call request to the client. The client then initiates the necessary outbound connections required for the call media and/or signaling.

This process ensures that from the firewall’s point of view, all connections are initiated from the traversal client inside the firewall out to the traversal server.

Your VCS can act as a firewall traversal client on behalf of SIP and H.323 endpoints registered to it, and any gatekeepers that are neighbored with it.

In order to act as a firewall traversal client, the VCS must be configured with information about the system(s) that will be acting as its firewall traversal server. See the section on Configuring the VCS as a Traversal Client for full details on how to do this.

In most cases, you will use a VCS Control as a firewall

 

The firewall traversal server used by the VCS client can

traversal client. However, a VCS Expressway can also

 

be a TANDBERG VCS Expressway, or (for H.323 only) a

act as a firewall traversal client.

 

TANDBERG Border Controller.

 

 

 

VCS as a Firewall Traversal Server

The VCS Expressway has all the functionality of a VCS Control (including being able to act as a firewall traversal client). However, its main feature is that it can act as a firewall traversal server for other TANDBERG systems and any traversal-enabled endpoints that are registered directly to it. It can also provide STUN Discovery and STUN relay services to endpoints with STUN clients. These features are enabled as follows:

In order for the VCS Expressway to act as a firewall traversal server for TANDBERG systems, you must create and configure a new traversal server zone on the VCS Expressway for every system that is its traversal client. See Configuring the VCS as a Traversal Server for full instructions.

In order for the VCS Expressway to act as a firewall traversal server for traversal-enabled endpoints (i.e. TANDBERG MXP endpoints and any other endpoints that support the ITU H.460.18 and H.460.19 standards), no additional configuration is required. See Configuring Traversal for Endpoints for more information on the options available.

To enable STUN Discovery and STUN Relay services, see STUN Services.

To reconfigure the default ports used by the VCS Expressway, see Configuring Traversal Server Ports.

!In order for firewall traversal to function correctly, the VCS Expressway must have one traversal server zone configured on it for each client system that is connecting to it (this does not include traversal-enabled endpoints which register directly with

the VCS Expressway; the settings for these connections are configured in a different way). Likewise, each VCS client must have one traversal client zone configured on it for each server that it is connecting to. The ports and protocols configured for each pair of client-server zones must be the same. (See Quick Guide to VCS Traversal Client - Server Configuration for a summary of the configuration on each system.) Because the VCS Expressway listens for connections from the client on a specific port, we recommend that you create the traversal server zone on the VCS Expressway before you create the traversal client zone on the VCS Control.

Introduction

Getting Started

 

Overview and

 

System

 

VCS

 

Zones and

 

Call

 

Bandwidth

Firewall

Maintenance

 

Appendices

 

Status

 

Configuration

 

Configuration

 

Neighbors

 

Processing

 

Control

Traversal

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

D14049.03

 

 

 

 

 

 

 

 

146

 

 

 

 

 

 

MAY 2008

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Page 145 Page 147
Page 146
Image 146
TANDBERG Security Camera manual 146, Firewall Traversal Overview, About Expressway VCS as a Firewall Traversal Client
Page 145 Page 147
Top Page Image Contents