Internal SIP Endpoints Registered on VCSc with VCSe can dial Public IP address

Hi,

I have deployed VCSc with VCSe for traversal and it works well. Internal endpoints/jabber registered on VCSc can make calls to external endpoints/jabber registered on the VCSe and vice versa.

Is it also possible for endpoints/jabber registered on any VCS (VCSc/VCSe) to make calls directly to endpoints with a public IP address (not registered on the VCSe)?

Are there configurations needed on the VCS servers? Also what are the additional firewall ports needed to open to allow this call set up?

Your help is really appreciated.

Thank you.

Best regards,

Acevirgil

9 Replies

Jens Didriksen
Level 9

You need to configure a DNS zone on the VCS-E, see part 10 and 11 of the deployment guide:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf

Also make sure "calls to unknown IP addresses" are set to "Indirect" on the VCS-C and to "Direct" on the VCS-E. You shouldn't have to do anything else on the firewall.

/jens

Please rate replies and mark question(s) as "answered" if applicable.


Hi Acevirgil,

Actually, for making calls to unknown IP addresses you don't need a DNS zone.

Just the setting on VCS-E "calls to unknown IP addresses" should be set to "Direct". By default on VCS-E this setting is "Direct" only.

Rgds

Alok

This is true - just be aware not having a DNS zone will limit connectivity with external sites.

/jens

Please rate replies and mark question(s) as "answered" if applicable.


Hi Jens,

Thank you for your response.

In our case, only SIP ports are allowed and defined on the firewall. For now, in order for an endpoint to be able to connect or to be called, it should first register to the VCS Expressway as SIP. This is working fine.

Since we are now allowing calls to endpoints with unknown public IP addresses, SIP endpoints registered on the VCS servers can dial public IP addresses directly (SIP -----> H323). Interworking is involved on the VCS, so do we also need to define the H323 ports on the firewall?

To give you an overview of the network topology, the VCS Expressway is in the DMZ and dual NIC is enabled: LAN1 points to the internal network and LAN2 points to the external network, NATed with a public IP.

Thank you.

Best regards,

Acevirgil

Hi Acevirgil,

If you are trying to call a remote H323 system by dialling its IP address, then yes, you need to open H323 ports on the firewall. To dial an IP address from a Jabber client, you need no special method; just dial the IP address and make sure that interworking is enabled on the VCS.

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


Hi Paulo,

Thank you for your response.

I have additional question.

In our case, the only endpoint that is allowed to initiate a call to a public IP address is the SIP endpoint registered on any of the VCS servers. So in the firewall definition we only need one direction, right? DMZ to Internet?

Thank you for your help.

Best regards,

Acevirgil

Yeah! That's right!

You can block H323 traffic from internet to your VCS by using the firewall, and you can keep the traffic enabled only from VCSe to Internet.

And, as you probably know, you just need to allow the IP address of the VCSE in the firewall; you don't need to allow the IP addresses of your internal endpoints.  =)

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


Hi Acevirgil,

To make it a little clearer: for RTP you need to open ports bi-directionally for your Expressway IP address, i.e. DMZ to Internet and Internet to DMZ.

Rgds

Alok

Hi Alok,

Thanks for adding this point. I missed it out.  =)

In addition, from VCSe to Internet you must allow Any/Any, because you don't know which RTP ports will be negotiated by the remote endpoint, and those ports are not standard like 1719, 1720, 5060 and 5061; that's why you will need an Any rule on the firewall.

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

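The rule set Paulo and Alok describe (outbound Any/Any from the VCS-E address only, inbound SIP and RTP to the VCS-E, inbound H.323 call setup dropped, internal endpoint addresses never exposed) as a small firewall model that can be checked against sample flows. This is an added example, not code from the thread or from Cisco; the VCS-E address, the remote address and the RTP port range are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed placeholder, not a value from the thread: NATed address of the VCS-E LAN2 side.
VCSE_PUBLIC_IP = ip_address("203.0.113.10")
# Assumption: the media port range the VCS-E negotiates for traversal calls.
# Check the traversal media port range configured on your own VCS-E instead.
RTP_RANGE = range(50000, 55000)

H323_SIGNALLING = {("udp", 1719), ("tcp", 1720)}              # ports named in the thread
SIP_SIGNALLING = {("udp", 5060), ("tcp", 5060), ("tcp", 5061)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def allowed(flow: Flow, inbound_h323_open: bool = False) -> bool:
    """Evaluate one flow against the rule set the replies describe.

    Outbound (VCS-E -> Internet) is Any/Any, since the remote side's RTP
    ports are negotiated per call. Inbound (Internet -> VCS-E) permits only
    SIP signalling (existing registrations) and RTP into the media range;
    H.323 call setup is dropped unless inbound_h323_open=True, which models
    the weaker rule set. Flows sourced from internal endpoints are dropped,
    because only the VCS-E address should appear on the Internet side.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    key = (flow.proto, flow.dport)
    if src == VCSE_PUBLIC_IP:
        return True
    if dst == VCSE_PUBLIC_IP:
        if key in SIP_SIGNALLING or (flow.proto == "udp" and flow.dport in RTP_RANGE):
            return True
        return inbound_h323_open and key in H323_SIGNALLING
    return False
```

Run it with a handful of constructed flows (an IP-dialled H.323 setup out of the VCS-E, its return RTP, an unsolicited inbound H.323 setup, an internal endpoint bypassing the VCS-E) to confirm only the first two are permitted.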