Firewall traversal overview, About expressway, How does it work – TANDBERG Security Camera User Manual

D14049.03
MAY 2008

TANDBERG

VIDEO COMMUNICATIONS SERVER

ADMINISTRATOR GUIDE

Firewall Traversal Overview

The purpose of a firewall is to control the IP traffic entering your
network. Firewalls will generally block unsolicited incoming
requests, meaning that any calls originating from outside your
network will be prevented. However, firewalls can be configured
to allow outgoing requests to certain trusted destinations, and
to allow responses from those destinations. This principle is
used by TANDBERG’s Expressway™ solution to enable secure
traversal of any firewall.
The Expressway™ solution consists of:

1. a TANDBERG VCS Expressway or TANDBERG Border Controller
located outside the firewall on the public network or in the
DMZ, which acts as the firewall traversal server
2. a TANDBERG VCS Control, TANDBERG Gatekeeper, MXP
endpoint or other traversal-enabled endpoint located in a
private network, which acts as the firewall traversal client.

The two systems work together to create an environment where
all connections between the two are outbound, i.e. established
from the client to the server, and thus able to successfully
traverse the firewall.

How does it work?

The traversal client constantly maintains a connection via
the firewall to a designated port on the traversal server. This
connection is kept alive by the client sending packets at regular
intervals to the server. When the traversal server receives
an incoming call for the traversal client, it uses this existing
connection to send an incoming call request to the client.
The client then initiates the necessary outbound connections
required for the call media and/or signaling.
This process ensures that from the firewall’s point of view, all
connections are initiated from the traversal client inside the
firewall out to the traversal server.
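
The sequence above can be checked against a minimal model of a stateful firewall. The following Python model is an added example, not part of the TANDBERG guide; the host names and port numbers are constructed, and flow tracking is simplified to (inside host, outside host, port).

```python
# Added illustration: a toy stateful firewall plus the traversal sequence.
# Host names and port numbers are constructed for the example.
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    """Permits flows opened from inside, and replies on those flows only."""
    trusted_destinations: set                      # (host, port) allowed outbound
    established: set = field(default_factory=set)  # (inside, outside, port) flows

    def outbound(self, inside, outside, port):
        if (outside, port) not in self.trusted_destinations:
            return False
        self.established.add((inside, outside, port))
        return True

    def inbound(self, outside, inside, port):
        # Only traffic on a flow the inside host opened is let through.
        return (inside, outside, port) in self.established

def direct_call(fw, caller, callee, port):
    """An outside caller contacts an inside system directly (unsolicited)."""
    return fw.inbound(caller, callee, port)

def traversal_call(fw, client, server, keepalive_port, media_port):
    """Incoming call delivered through the traversal client/server pair."""
    log = []
    # 1. Client opens (and keeps alive) a connection to the server's port.
    log.append(("keepalive", fw.outbound(client, server, keepalive_port)))
    # 2. Server sends the incoming call request over that existing connection.
    log.append(("call-request", fw.inbound(server, client, keepalive_port)))
    # 3. Client initiates the outbound connection for media/signaling.
    log.append(("media-open", fw.outbound(client, server, media_port)))
    # 4. Traffic from the server returns on the flow the client just opened.
    log.append(("media-reply", fw.inbound(server, client, media_port)))
    return log

def demo():
    fw = StatefulFirewall({("expressway.example", 7000),
                           ("expressway.example", 7100)})
    blocked = direct_call(fw, "caller.example", "vcs-control.internal", 7200)
    steps = traversal_call(fw, "vcs-control.internal", "expressway.example",
                           7000, 7100)
    return blocked, steps

if __name__ == "__main__":
    print(demo())
```

The direct call is refused because no inside host opened that flow, while every step of the traversal call is either an outbound connection to a trusted destination or a reply on one.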

The VCS Expressway has all the functionality of a VCS Control (including being able to act as a firewall traversal client). However, its
main feature is that it can act as a firewall traversal server for other TANDBERG systems and any traversal-enabled endpoints that are
registered directly to it. It can also provide STUN Discovery and STUN relay services to endpoints with STUN clients. These features
are enabled as follows:

In order for the VCS Expressway to act as a firewall traversal server for TANDBERG systems, you must create and configure a new
traversal server zone on the VCS Expressway for every system that is its traversal client. See Configuring the VCS as a Traversal
Server for full instructions.

In order for the VCS Expressway to act as a firewall traversal server for traversal-enabled endpoints (i.e. TANDBERG MXP endpoints
and any other endpoints that support the ITU H.460.18 and H.460.19 standards), no additional configuration is required. See
Configuring Traversal for Endpoints for more information on the options available.

To enable STUN Discovery and STUN Relay services, see STUN Services.

To reconfigure the default ports used by the VCS Expressway, see Configuring Traversal Server Ports.

Your VCS can act as a firewall traversal client on behalf of SIP and H.323 endpoints registered to it, and any gatekeepers that are
neighbored with it.
In order to act as a firewall traversal client, the VCS must be configured with information about the system(s) that will be acting as its
firewall traversal server. See the section on Configuring the VCS as a Traversal Client for full details on how to do this.

About Expressway™

In order for firewall traversal to function correctly, the VCS Expressway must have one traversal server zone configured on it
for each client system that is connecting to it (this does not include traversal-enabled endpoints which register directly with
the VCS Expressway; the settings for these connections are configured in a different way). Likewise, each VCS client must
have one traversal client zone configured on it for each server that it is connecting to. The ports and protocols configured for each
pair of client-server zones must be the same. (See Quick Guide to VCS Traversal Client - Server Configuration for a summary of the
configuration on each system.) Because the VCS Expressway listens for connections from the client on a specific port, we recommend
that you create the traversal server zone on the VCS Expressway before you create the traversal client zone on the VCS Control.
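
One way to audit the pairing rules above before zones go into service, as an added example that is not part of the TANDBERG guide. The record layout (server, client, protocol, port) is a hypothetical export format rather than VCS syntax, each record is assumed to carry one protocol and one port, and all system names and port numbers are constructed.

```python
# Added illustration: audit traversal zone pairs collected from both systems.
# The record layout is a hypothetical export format, not VCS syntax;
# all names and port numbers below are constructed.
from collections import Counter

def pair_of(zone):
    return (zone["server"], zone["client"])

def audit_zone_pairs(server_zones, client_zones):
    """Return a sorted list of findings; empty means every pair is consistent."""
    findings = []
    # Exactly one zone per server/client relationship on each side.
    for side, zones in (("server", server_zones), ("client", client_zones)):
        for (s, c), n in Counter(pair_of(z) for z in zones).items():
            if n > 1:
                findings.append(f"duplicate {side} zone for {s} <-> {c}")
    srv = {pair_of(z): z for z in server_zones}
    cli = {pair_of(z): z for z in client_zones}
    for s, c in sorted(cli.keys() - srv.keys()):
        findings.append(f"{c} has a client zone for {s} but no server zone exists")
    for s, c in sorted(srv.keys() - cli.keys()):
        findings.append(f"{s} has a server zone for {c} but no client zone exists")
    # Ports and protocols must be the same on both halves of a pair.
    for s, c in sorted(srv.keys() & cli.keys()):
        for setting in ("protocol", "port"):
            a, b = srv[(s, c)][setting], cli[(s, c)][setting]
            if a != b:
                findings.append(f"{s} <-> {c}: {setting} differs "
                                f"(server zone {a}, client zone {b})")
    return sorted(findings)

# Constructed sample configuration.
SERVER_ZONES = [
    {"server": "expressway-1", "client": "control-a", "protocol": "H.323", "port": 7001},
    {"server": "expressway-1", "client": "control-b", "protocol": "SIP", "port": 7002},
]
CLIENT_ZONES = [
    {"server": "expressway-1", "client": "control-a", "protocol": "H.323", "port": 7001},
    {"server": "expressway-1", "client": "control-b", "protocol": "SIP", "port": 7012},
    {"server": "expressway-1", "client": "control-c", "protocol": "SIP", "port": 7003},
]

if __name__ == "__main__":
    for finding in audit_zone_pairs(SERVER_ZONES, CLIENT_ZONES):
        print(finding)
```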

The firewall traversal server used by the VCS client can
be a TANDBERG VCS Expressway, or (for H.323 only) a
TANDBERG Border Controller.

VCS as a Firewall Traversal Client

VCS as a Firewall Traversal Server

In most cases, you will use a VCS Control as a firewall
traversal client. However, a VCS Expressway can also
act as a firewall traversal client.
