cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
54791
Views
51
Helpful
71
Replies

VCS Control and VCS Expressway design

e.lopessilva
Level 1
Level 1

I have an implementation where I have 2 VCS Control and 1 VCS Expressway software version X6. The end costumer has a Internet firewall Fortinet woroking in routed mode with NAT. My question is about the placement of the VCS Expressway in the environment. Is it mandatory put the Expressway in front of the firewall with a Internet valid IP address on it? Is it possible put the Expressway behind of the firewall and configure a NAT for it? Make sense having VCS control and VC expressway in the IP subnet without NAT between them?

Thanks in advance.

Everaldo

71 Replies 71

Tino.

I'm not saying that you should install the VCS-E in the Internet subnet, with my suggestion, both VCS-E interfaces will remain in the private addressing space, outside the DMZ firewall and inside the Internet firewall. Unless the VCS-E can somehow communicate with the Internet firewall, how would it in any case be reachable from the Internet side?

VCS-E would not necessarily be open for management from public networks, you should easily be able to block access to management/low ports from public networks in the Internet-facing firewall, so that shouldn't be an issue.

The VCS-E currently only supports having one static NAT address, so in your scenario, you would have to find a way to let these foreign networks reach the VCS-E via its current static NAT address.

- Andreas

Hi Martin,

sorry for misunderstanding you. Outside DMZ Firewall and Inside Internet Firewall is unfortunately the same subnet.

Not sure, if I understand you right, but the VCS-E would be reachable via the static NAT from the internet.

To summarize this, my wishlist for future releases would be:

  • being able to exclude the NAT IP from Traversal Zone and/or set both LAN1 and LAN2 into the same Subnet.
  • being able to use LAN3 and LAN4

cheers

Tino

Tino,

it may be that in your case, outside DMZ firewall and inside Internet firewall is the same subnet, which would then not be a viable solution for the VCS-E, but in general, if these firewalls had their outside and inside interfaces, respectively, in different subnets, or if they have multiple interfaces or are VLAN capable, then the concept is that the VCS-E would connect to each of these subnets with each of its interfaces.

That being said, it is not always the case that a dual-NIC VCS-E can be dropped into any existing deployment and be expected to work "out-of-the-box", considerations will always have to be made and in some cases, the network will have to be modified or re-designed somewhat to allow the VCS-E to function properly in a static NAT environment (as is the case with many other network devices as well).

Regarding your comment on the VCS management (HTTPS, SSH) being reachable from the Internet via the static NAT, if you are in control of the Internet-facing firewall, you would be able to create firewall rules preventing traffic from Internet to TCP ports 22, 80 and 443 of the VCS-E, and this is the recommended way to do things in any case.

What would you like to use LAN3 and LAN4 for? Link aggregation for resiliency and increased bandwidth, or other applications?

Thanks,

Andreas

Hi Andreas,

yes, I try to get a second DMZ Subnet whenever possible. What Martin mentioned before ist, that many customers do have a very simple firewall solution (for example one 3port Firewall) and in these cases, pointing the VCS-C to the public IP of VCS-E often isn´t possible. I can confirm that and that´s why I´m asking to consider a feature enhancement for future releases.

Regarding Static Multiple Static NATs: Other devices like email servers are working fine also with multiple Static NATs from different external IPs to the same private IP in the DMZ. For example in my drawing if VCS-E would be a email Server, it would work with both Static NATs from external to the same DMZ IP. That´s why customers expect that this would also work with VCS-E, but it doesn´t because of IPs included in SIP protocoll and the fact, that VCS-E can handle "only" one NAT IP per LAN Interface. (Regardless I´m glad that it works at all).

If I would be able to use LAN3 and LAN4 I would be able to handle 2 additional networks with NAT. But usually, there is only one additional network to be NATed to the VCS-E.

many thanks for your advice

Tino

Hi,

I have one question regarding the manipulation of the SIP header done by the VCS-E when there's local NAT done by the firewall. In the opposite flow, from home Movi for example to VCS-E, what happens when home router does NAT? In this situation the IP address in the SIP header (Movi private address) is different than the IP address in the L3 header (PATed public address). This is real scenario as well as home Movi with direct public IP.

My topology is a little bit different but I'm ahving some troubles:

VCS Starter Package with Dual interface but only LAN1 connected to inside --> L3 switch --> Firewall --> Internet

In this topology, there are some external calls that fail, from the troubleshooting, only the calls that come NATed by a home router are working properly. When the Movi client has a public IP, it is not working.

Any idea?

Thxs!

Could you define "failed"?

* Provisioning failure

* Registraion failure?

* Does the remote site ring on a call?

* what happens if answer is clicked

* does video / and or audio not work

* does the problem occur in both directions?

* ...

* Did you check that the Firewall has proper firewall openings to all used ports, inbound and outbound?

(expecially / in / out)

* did you enter the external IP address in the NAT config of the VCS?

* is there an additional firewall in between the internet and the endpoint on the public ip?

* do you use turn / ice?

* which movi / vcs versions do you use? (to test bugs I would alsways use the latest, here X7.0.3 and Jabber 4.3)

If movi is on a public ip and a firewall blocking ports (which shall be open) you might see issues.

Please remember to rate helpful responses and identify

I've got an Expressway with a public IP outside an ISA firewall with NO DMZ.  My Control is behind it.  The Expressway and Control seem to be in "Active" mode but I can't seem to dial out or get TMS to see the Expressway.  I'm new to the infrastructure boxes of Tandberg/Cisco, but have used and installed the endpoints for years.  Thoughts?

Thanks.

Jeremy

Jeremy,

when the traversal server/client zone shows 'Active', that only means that there is connectivity on the H323 and/or SIP keepalive portions of the traversal zone (Default 6001/UDP and 7001/TCP, respectively), and does not indicate whether or not the firewall in between have all the required ports open for enabling calls to be placed over this traversal zone.

Please consult

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X4_to_X7.pdf for a detailed description of all port usage for VCS Control and Expressway in terms of firewall traversal and TMS management.

Regards

Andreas


What about not having a DMZ?  That's what confuses me.  We have an ISA firewall and not really sure what rules to set up inside.  As far as what ports need to listen to what.

Jeremy,

if you have a single firewall sitting in between your VCS-C and VCS-E, for the traversal zone itself you normally would allow outbound traffic on UDP 1719,6001,2776,2777 and TCP 7001,2776,2777 if using a single traversal zone with the default ports. In addition, you will likely have to allow other traffic types as well, for instance DNS, NTP, HTTPS (For TMS management of VCS-E) etc.

The document I linked to in my previous point will break all this into a lot more detail, so I recommend you take a closer look.

Best regards

Andreas

Guys,

Do you know if there is a guide on how to configure external video calls?

I have a VCSc and a VCSe incoming calls are working correctly but I cannot do outgoing calls.... any idea?

Hi Alejandro,

you most likely want to add a DNS zone to your Expressway.

You can find information on how to do so (And a lot of other useful information for basic VCS-C/VCS-E configuration) in the document called '

Cisco TelePresence Video Communication Server Basic Configuration Cisco VCS Control with Cisco VCS Expressway Deployment Guide' which is available for X7.0 at www.cisco.com/support.

Regards

Andreas

Andreas,

Thanks for your responce. It looks like I have a DNS issue because also the NTP is failing:

StateFailed
ReasonDNS resolution failed
Address1.tandberg.pool.ntp.org
Port123

Is there any way to troubleshoot this? or any specific public DNS that we need to use for the VCSe.

BTW I can dial out if I use the external IP address but if I use the uri it is not working, it is reaching the DNS zone but is not resolving the URI.

If you're running X7 there is a DNS lookup utility under the Maintenance menu section of the VCS which will help in troibleshooting.

You could try using some public DNS servers such as Google's, which are 8.8.8.8 and 8.8.4.4.

If those don't work either, you most likely have a firewall issue between the VCS and the DNS servers.

Regards

Andreas

Sent from Cisco Technical Support iPhone App

It is Version: X6.1. I also tried with the google DNS but I got the same result. Is there any way to do ping or traceroute to see if this is resolving I did not find the commands

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: