Finding IP address of telepresence system from internet address

Hello! My situation is as follows.

 

  1. One standalone SX-20 system natted to a public IP address.
  2. The system can successfully place/receive video calls to and from other telepresence systems on the internet by dialling IP addresses.

 

Problem:

For security reasons my client does not use default routes, so they manually add the routes to any given IP address whenever they want to place calls to specific telepresence systems. Now they want to make calls to a system for which we only have an internet address (e.g. boardroom@cisco.com) and not the IP address. Given that no IP route has been configured, the call won't go through. So now the challenge is to find the IP address which we can use to dial to that system.

 

Question:

Where can I find the IP address from having just the internet address? I need to manually configure the route to that system.

 

I look forward to your response. Suggestions are also accepted.

2 REPLIES

Jens Didriksen
Engager

Systems using the format of Alias@domain such as your example will normally be registered to a gatekeeper and/or a SIP registrar; i.e. VCS, CUCM etc and will normally not be reachable by using an IP address.

(We use this dialling format and you will not be able to connect to us using the IP address of any of our systems).

If they are using a VCS-E, then they have the ability to provide a "fall-back alias function" which allows an external user to dial the IP address of the VCS-E, which will then send the call to a predetermined alias, but you'll need to contact them to get that information.

Systems registered with a GK etc might not even have a public IP address (ours don't), so you wouldn't be able to do anything with it anyway, even if you did know the IP address.

You should be able to find the IP address of the device they are registered to, if that is of any help, by looking up their H.323 and/or SIP SRV records.

/jens

Please rate replies and mark question(s) as "answered" if applicable.


Martin Koch
Advocate

I assume that Jens did not fully understand the question (or maybe I did not ;-)

From how I see it he is not necessarily asking for the IP address to dial it, but for the IP address to call it.

 

Cisco is quite a complex example.

The endpoint supports SRV dialing, even without being registered. That means he could dial boardroom@cisco.com.

As long as a DNS server is present it would look up the SRV records of Cisco (which goes only to the DNS servers which are configured on the endpoint).

This (most likely a VCS) IP address returned by the SRV request would need to be present in the route / firewall configuration.

If you are lucky that one is enough, but that first VCS might even redirect him to a different one(s) which also need to be present in the routes. And if the call is finally established, media (and in some scenarios maybe even signaling) might then in addition come from another IP.

In addition these IP addresses might be different on different calls, even to the same destination (load balancing, different routes, ...)

You can see parts of these IPs in the DNS answers, the rest in the signaling, so you could figure out the ports by looking at traces or sniffing on the endpoint or on your router.

 

 

Regards IP dialing, did not check but Cisco might even have First of all they might have DN (Tandberg Naming e164) numbers for all endpoints, which then even might be directly dialable, but anyhow, besides the DNS lookup it's the same issue with possible multiple IPs.

 

It also might behave differently depending on the protocol used and some other parameters, ...

 

If they have a non-firewalled route in from the internet to the endpoint, anyhow inbound packets will arrive at that endpoint, if it's ICMP, TCP-SYN or possibly worst UDP, which might already be enough to try a DoS or to exploit some bug if present.

To be honest, I do not think that this is a real clever security approach, neither a clever way to do video conferencing. Either I would put a firewall upfront and completely separate the device from the network or place it behind a firewall and register it to a call control (like a VCS-E or CUCM+Expressway) which could also be provided by a third party as a service, or if he has plenty of endpoints do a proper call control implementation on site.

These could control as well which addresses are allowed to call / be called.

 

 

Please remember to rate helpful responses and identify
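
The SRV lookup both replies describe, as an added example that is not part of either post and is not Cisco code: it builds the SIP and H.323 SRV names for an alias@domain address, reads DNS answers in `dig +noall +answer` layout, and lists the signaling addresses that would need a host route or firewall entry. The domain `example.com`, the documentation-range addresses, the function names and the set of services an endpoint queries are assumptions; redirects and media addresses mentioned above do not appear in DNS and are not covered.

```python
# Added example: hypothetical helper names, constructed data only.
SRV_SERVICES = ("_sips._tcp", "_sip._tcp", "_sip._udp", "_h323cs._tcp", "_h323ls._udp")

# Constructed sample in `dig +noall +answer` layout (placeholder domain and addresses).
SAMPLE_ANSWERS = """\
_sip._tcp.example.com.    300 IN SRV 10 50 5060 vcse1.example.com.
_sip._tcp.example.com.    300 IN SRV 20 50 5060 vcse2.example.com.
_h323cs._tcp.example.com. 300 IN SRV 10 50 1720 vcse1.example.com.
vcse1.example.com.        300 IN A   192.0.2.10
vcse2.example.com.        300 IN A   192.0.2.20
vcse2.example.com.        300 IN A   198.51.100.20
"""

def srv_query_names(uri):
    """alias@domain -> SRV owner names to look up for that domain."""
    alias, sep, domain = uri.rpartition("@")
    if not sep or not alias or not domain:
        raise ValueError("expected alias@domain")
    domain = domain.lower().rstrip(".")
    return [f"{svc}.{domain}." for svc in SRV_SERVICES]

def signaling_targets(uri, answers):
    """Return sorted (priority, service, ip, port) rows; lowest priority is tried first."""
    wanted = set(srv_query_names(uri))
    srv, addrs = [], {}
    for line in answers.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue  # skip blank or malformed lines
        name, rtype, rdata = f[0].lower(), f[3], f[4:]
        if rtype == "SRV" and name in wanted and len(rdata) == 4:
            prio, _weight, port, target = rdata
            srv.append((int(prio), ".".join(name.split(".")[:2]), int(port), target.lower()))
        elif rtype in ("A", "AAAA") and len(rdata) == 1:
            addrs.setdefault(name, []).append(rdata[0])
    # An SRV target can resolve to several addresses; each one needs its own entry.
    rows = {(p, svc, ip, port) for p, svc, port, t in srv for ip in addrs.get(t, [])}
    return sorted(rows)

def route_candidates(uri, answers):
    """Distinct signaling IPs that would need a host route."""
    return sorted({ip for _, _, ip, _ in signaling_targets(uri, answers)})
```

Because the answers can change between calls, the output is a snapshot to re-check against the TTL rather than a permanent route list.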
