Firewall Traversal and Authentication
TANDBERG VIDEO COMMUNICATIONS SERVER ADMINISTRATOR GUIDE
Overview
In order to control which systems can use the VCS Expressway as a traversal server, each VCS Control or Gatekeeper that wishes to be its client must first authenticate with it.
Upon receiving the initial connection request from the traversal client, the VCS Expressway asks the client to authenticate itself by providing a username and password. The VCS Expressway then looks up the client’s username and password in its own authentication database. If a match is found, the VCS Expressway will accept the request from the client.
The settings used for authentication depend on the combination of client and server being used. These are detailed in the table below.
All VCS and Gatekeeper traversal clients must authenticate with the VCS Expressway, regardless of the VCS Expressway’s Authentication Mode setting. However, endpoint clients are only required to authenticate if the VCS Expressway’s Authentication Mode is On.
Authentication and NTP
All VCS and Gatekeeper traversal clients must authenticate with the VCS Expressway. The authentication process makes use of timestamps and requires that each system is using an accurate system time. The system time on a VCS is provided by a remote NTP server. Therefore, in order for firewall traversal to work, all systems involved must be configured with details of an NTP server.
Client | Server |
VCS Control or VCS Expressway | VCS Expressway |
• The VCS client provides its Authentication Username and Authentication Password. These are set on the VCS client via VCS Configuration > Authentication > Configuration, in the External Registration Credentials section. | • The traversal server zone for the VCS client must be configured with the Client Authentication Username. This is set on the VCS Expressway via VCS Configuration > Zones > Edit Zone, in the Configuration section. • There must also be an entry in the VCS Expressway’s authentication database with the corresponding client username and password. |
Endpoint | VCS Expressway |
• The endpoint client provides its Authentication ID and Authentication Password. | • There must be an entry in the VCS Expressway’s authentication database with the corresponding client username and password. |
TANDBERG Gatekeeper (version 5.2 and earlier) | VCS Expressway |
• The Gatekeeper looks up its System Name in its own authentication database and retrieves the password for that name. It then provides this name and password. | • The traversal server zone for the Gatekeeper client must be configured with the Gatekeeper’s System Name in the Client Authentication Username field. This is set on the VCS Expressway via VCS Configuration > Zones > Edit Zone, in the Configuration section. • There must be an entry in the VCS Expressway’s authentication database that has the Gatekeeper’s System name as the username, along with the corresponding password. |
TANDBERG Gatekeeper (version 6.0 and later) | VCS Expressway |
• The Gatekeeper provides its Authentication Username and Authentication Password. These are set on the Gatekeeper via Gatekeeper Configuration > Authentication, in the External Registration Credentials section. | • The traversal server zone for the Gatekeeper client must be configured with the Gatekeeper’s Authentication Username. This is set on the VCS Expressway via VCS Configuration > Zones > Edit Zone, in the Configuration section. • There must also be an entry in the VCS Expressway’s authentication database with the corresponding client username and password. |
VCS Control or VCS Expressway | Border Controller |
• If Authentication is On on the Border Controller, the VCS client provides its Authentication Username and Authentication Password. These are set on the VCS client via VCS Configuration > Authentication > Configuration, in the External Registration Credentials section. • If the Border Controller is in Assent mode, the VCS client provides its Authentication Username. This is set on the VCS client via VCS Configuration > Authentication > Configuration, in the External Registration Credentials section. | • If Authentication is On on the Border Controller, there must be an entry in the Border Controller’s authentication database that matches the VCS client’s Authentication Username and Authentication Password. • If the Border Controller is in Assent mode, the traversal zone configured on the Border Controller to represent the VCS client must use the VCS’s Authentication Username in the Assent Account name field. This is set on the Border Controller via TraversalZone > Assent > Account name. |
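The matching rules in the table and the NTP requirement can be checked before a traversal zone goes live. The following is an added example, not TANDBERG code: the Client and Expressway classes and their field names are hypothetical models of the settings named above, and only the rows where the server is a VCS Expressway are covered.

```python
import hmac
from dataclasses import dataclass, field
@dataclass
class Client:                      # hypothetical model of a client's settings
    kind: str                      # "vcs", "gatekeeper" or "endpoint"
    auth_username: str = ""        # Authentication Username / Authentication ID
    auth_password: str = ""        # Authentication Password
    system_name: str = ""          # presented by Gatekeeper 5.2 and earlier
    gk_version: tuple = (6, 0)     # only meaningful for kind == "gatekeeper"
    ntp_server: str = ""

@dataclass
class Expressway:                  # hypothetical model of the VCS Expressway
    auth_db: dict = field(default_factory=dict)   # username -> password
    zone_client_username: str = ""                # Client Authentication Username
    authentication_mode_on: bool = False
    ntp_server: str = ""

def presented_username(client):
    """Name the client offers: System Name for Gatekeeper <= 5.2, else its username."""
    if client.kind == "gatekeeper" and client.gk_version <= (5, 2):
        return client.system_name
    return client.auth_username

def check_traversal_auth(client, server):
    """Return a list of findings; an empty list means the pairing is consistent."""
    findings = []
    traversal = client.kind in ("vcs", "gatekeeper")
    if traversal:  # authentication uses timestamps, so both ends need an NTP source
        for name, system in (("client", client), ("server", server)):
            if not system.ntp_server:
                findings.append(f"{name}: no NTP server configured")
    elif not server.authentication_mode_on:
        return findings  # endpoints authenticate only when Authentication Mode is On
    user = presented_username(client)
    if not user:
        findings.append("client: no username to present")
    if traversal and server.zone_client_username != user:
        findings.append("server: zone Client Authentication Username mismatch")
    stored = server.auth_db.get(user)
    if stored is None:
        findings.append("server: no authentication database entry for client")
    elif not hmac.compare_digest(stored.encode(), client.auth_password.encode()):
        findings.append("server: database password differs from client password")
    return findings

# Constructed sample: a Gatekeeper 5.2 whose System Name is unknown to the server.
demo = check_traversal_auth(Client("gatekeeper", system_name="GK1", gk_version=(5, 2),
    ntp_server="ntp.example.net"), Expressway(ntp_server="ntp.example.net"))
```

Running the check after a Gatekeeper upgrade from 5.2 to 6.0 is worthwhile, because the name the Gatekeeper presents changes from its System Name to its Authentication Username.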
D14049.03 | MAY 2008