The purpose of a firewall is to control the IP traffic entering your network. Firewalls will generally
block unsolicited incoming requests, meaning that any calls originating from outside your network
will be prevented. However, firewalls can be configured to allow outgoing requests to certain
trusted destinations, and to allow responses from those destinations. This principle is used by
TANDBERG’s Expressway™ solution to enable secure traversal of any firewall.
The Expressway™ solution consists of:

a VCS Border Controller or Border Controller located outside the firewall on the public network
or DMZ, which acts as the firewall traversal server,
a VCS, Gatekeeper, MXP endpoint or other traversal-enabled endpoint located on the private
network, which acts as the firewall traversal client.

The two systems work together to create an environment where all connections between the two
are outbound, i.e. established from the client to the server, and thus able to successfully traverse
the firewall.

How does it work?

The traversal client constantly sends a probe via the firewall to a designated port on the traversal
server. This keeps a connection alive between the client and server. When the traversal server
receives an incoming call for the traversal client, it uses this existing connection to send an
incoming call request to the client. The client then initiates a connection to the server and upon
receipt the server responds with the incoming call. This process ensures that from the firewall’s
point of view, all connections are initiated from the traversal client inside the firewall out to the
traversal server.

•

VCS as a Firewall Traversal Server

In addition to being a firewall traversal client, the VCS can be enabled to act as a firewall traversal
server. With this option enabled, the VCS will act as a traversal server for other TANDBERG
systems and any traversal-enabled endpoints that are registered directly to it. It can also provide
STUN Discovery and STUN relay services to endpoints with STUN clients.

To enable server-side firewall traversal for other systems, you must create and configure a new
traversal server zone on the VCS for every system that is its traversal client. See

Configuring

the VCS as a traversal server

for details on how to do this.

To enable server-side firewall traversal for traversal-enabled endpoints (i.e. TANDBERG MXP
endpoints and any other endpoints that support the ITU H.460.18 and H.460.19 standards)
no additional configuration is required. See

Configuring traversal for endpoints

for more

information on the options available.
To enable STUN Discovery and STUN Relay services, see

STUN Services

To reconfigure the default ports used by the VCS Border Controller, see

Configuring traversal

server Ports

•

•
•

VCS as a Firewall Traversal Client

Your VCS can act as a firewall traversal client on behalf of SIP and H.323 endpoints registered to
it, and any gatekeepers that are neighbored with it.
In order to act as a firewall traversal client, the VCS must be configured with information about the
system(s) that will be acting as its firewall traversal server. See the section on

Configuring the

VCS as a Traversal Client

for full details on how to do this.

Firewall Traversal Overview

In order for firewall traversal to function correctly, the VCS Border Controller must have a
traversal server zone configured on it for each client that is connecting to it. Likewise,
each VCS client must have a traversal client zone configured on it for each server that it is

connecting to. The ports and protocols configured for each pair of zones must be the same.
Because the VCS Border Controller listens for connections from the client on a specific port, we
recommend that you create the traversal server zone before you create the traversal client zone.

The firewall traversal server used by the VCS can be another VCS with the Border Controller
option enabled, or a TANDBERG Border Controller.

VCS and Firewall Traversal

To use the VCS as a traversal server, you must install the Border Controller option key on
your system. Contact your TANDBERG representative for further information.

TANDBERG

VIDEO COMMUNICATION SERVER

ADMINISTRATOR GUIDE

Firewall Traversal

Advertising

Popular Brands

Popular manuals