Managing EX-series over Internet - Reverse Proxy?

Hi All

I have a requirement to manage a number of EX90s over the Internet.

One option would be to use Reverse Proxy to a Bluecoat Proxy server in our DMZ.

- EX90s communicate inbound towards the TMS (https only)
- Bluecoat Proxy does its work (hoping the EX90s can use a certificate with the Bluecoat)
- Communication set up between TMS and EX90 (https only)

The primary reason to require TMS to manage devices over the Internet is to push out a common Directory to end users.  Don't fancy telling the Execs to manually enter the Directory which is the other solution.

Any advice greatly appreciated.

Thanks

John Mc

8 Replies

epicolo
Level 3

I don't know if using a proxy with HTTPS with certificates will work.

Search in the TMS help for System Connectivity to configure systems and Remote Systems. Maybe you don't need to use the proxy.

Behind Firewall: This alternative will only be shown if TMS supports communicating with systems of this type when it is behind a firewall.

System is placed (relative to the TMS server) behind a router or firewall that uses network address translation (NAT). TMS can therefore not initiate any communication with the system, but system may communicate with TMS using TMS' public network address. For systems supporting this feature, the system may request configuration updates and software upgrades that have been scheduled on the TMS server. These settings/upgrades are applied from the TMS server upon boots and on regular intervals.

Reachable on Public Internet: System is located outside the LAN but is reachable on a public network address. The System must be configured to use the public network address of Cisco TMS. Cisco TMS will communicate with the system to get system configuration and status. If configured, the system will report events and call status to Cisco TMS.

Remote systems support

Remote systems are supported for booking, getting software upgrades, receiving phonebooks and being part of the statistics created in TMS.

Tandberg recommends that the remote system be on a DNS-compatible network to ensure proper communication with TMS.

Before you can use a system as a remote system in TMS, you must be sure to have set a public DNS address on the TMS server. This can be done in Administrative Tools > Configuration > Network Settings.

Take a look at this doc:

http://www.tandberg.com/support/dl.php?id=1343&dir=Deployment_Guides&fn=Cisco_TelePresence_Implementing_Secure_Management_Config_Guide.pdf

Regards

Elter

nick.mueller
Level 6

What did you end up doing for your EX90s?  Did you implement a proxy server or go with two TMS, one database?

There are some options outlined in the TMS Admin Guide (though not in-depth instructions).

NPM

Hi Nick

Firstly I must thank Elter for a comprehensive answer.

Due to the complexity of our Global Network we are holding out for 'Provisioning' to be supported on the EX90s.  Despite provisioning being in v4.1, it is not yet supported by Cisco/Tandberg.  Our current workaround is NO Directory for Internet EX90 Users.  As you can imagine this is not ideal, but there we are.

Happy to update you when 'Provisioning' becomes available.

Thanks all

John Mc

What do you mean when you say Directory?

As for pushing configuration: depending on the TMS communication type with the endpoint, you can force some configuration templates to have a common configuration for all your EX90s.

If you mean Corporate Directory, you can also use TMS to provide Phonebooks to the EXs.

EX Provisioning will arrive soon.

Regards.

Hi Elter

The key issue here is pushing out the Phone Book (directory) to our EX90s on Internet connections.

Our Cisco/Tandberg SE does indeed assure me that Provisioning will arrive soon.  We just have to wait.

Would you know where I can read about setting up Provisioning?  As far as EX90/TMS user guides go, I can see very little detail on setup and troubleshooting.

Thanks

John Mc

Maybe these can help you...

http://www.tandberg.com/support/dl.php?id=1374&dir=Deployment_Guides&fn=Cisco_TMS_Provisioning_Guide_13_and_12-6.pdf

http://www.tandberg.com/support/dl.php?id=1346&dir=Deployment_Guides&fn=Cisco_TMS_Provisioning_Troubleshooting_Guide_13-0.pdf

PS: When the phonebooks are set up, TMS doesn't send phonebooks to endpoints; TMS just controls access to the phonebooks.

The endpoint sends HTTP GETs to the TMS phonebook FQDN at a specific phonebook path and then retrieves the phonebook information...

Martin Koch
VIP Alumni

Hi John!

Just saw this thread. In general I do not see an issue with using the old style TMS "behind firewall", as your main goal is to use phonebooks.

What is the main intention of the reverse proxy, to filter malicious requests or just to pipe the request into the TMS? I assume the first; if not, a port 443 forward to the real TMS could be a quick fix.

The EX90 supports verification of client and server certificates, so you could secure the access to port 443 even more.

As you wrote, one option is the reverse proxy; another would be, for example, to use an additional TMS frontend in the DMZ. More deployments are described in the TMS documentation.

I think for endpoints I currently like the old style system navigator better than the provisioning, but my mind is not settled yet, as the provisioning also evolves and has advantages.

Please remember to rate helpful responses and identify

Hi Martin,

I think the main intent of proxy is to pipe the request securely to TMS.  A forward of 443, while quick, is not really secure and many of the security folks at institutions I work with would throw a fit.

To be truly secure, you'd really need to have some sort of "push/pull" architecture, where there is a device in the DMZ, and the TMS in the secure network can "push" phonebooks to it (which can then be accessed by remote units) and "pull" CDR-type information from it.

Just pipelining through is not secure, and running a TMS in the DMZ but accessing a secure database just isn't that secure either.  Someone could own the DMZ TMS, then potentially own your SQL server inside.

I am a fan of provisioning as it gets around a lot of these issues.  I'll be interested to see what Cisco does with many Tandberg endpoints and CUCM call control for remote/far-flung endpoints.  Only solution now seems to be throwing out a router with DMVPN or something.  It'd be nice if PhoneVPN were supported like a 7900 phone.
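The thread contrasts a plain port 443 forward with a reverse proxy that actually filters what reaches TMS, and notes that the EX90 can present a client certificate and that the phonebook is fetched with HTTP GETs to a specific path. The following is an added example, not code from this thread or from Cisco/Tandberg: a small allow-list policy of the kind a DMZ reverse proxy would apply before piping an EX90 request to the internal TMS. It requires a verified client certificate, the expected Host header, a GET or POST, and a normalised path under a known prefix, so that percent-encoded or `..` paths cannot reach anything else on the TMS server. The hostname, path prefixes and sample requests are constructed placeholders; the real TMS phonebook path is not given in the thread.

```python
"""Allow-list request filter for a DMZ reverse proxy in front of Cisco TMS.

Added example (not from the thread or from Cisco/Tandberg). It models the
decision a reverse proxy makes before forwarding an EX90 request to TMS.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote
import posixpath

# Placeholders: the real public TMS FQDN and phonebook paths are not in the thread.
TMS_PUBLIC_FQDN = "tms.example.com"
ALLOWED_PREFIXES = ("/tms/public/phonebook/", "/tms/public/external/")
ALLOWED_METHODS = {"GET", "POST"}


@dataclass(frozen=True)
class Request:
    method: str
    host: str             # Host header as received
    target: str           # request-target as received, e.g. "/tms/public/phonebook/list.xml"
    client_cert_ok: bool  # True if the proxy verified the EX90's client certificate


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    path: str = ""        # normalised path to forward when allowed


def normalise_path(target: str) -> str:
    """Decode percent-encoding and collapse '.'/'..' so a prefix check cannot be bypassed."""
    path = urlsplit(target).path or "/"
    path = unquote(path)
    norm = posixpath.normpath(path)          # "/a/b/../../c" -> "/c", "/../x" -> "/x"
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                          # keep the trailing slash for exact prefix rules
    return norm


def decide(req: Request) -> Decision:
    """Return whether the request may be forwarded to the internal TMS, and why."""
    if not req.client_cert_ok:
        return Decision(False, "client certificate not verified")
    if req.host.lower() != TMS_PUBLIC_FQDN:
        return Decision(False, f"unexpected Host header {req.host!r}")
    if req.method.upper() not in ALLOWED_METHODS:
        return Decision(False, f"method {req.method} not allowed")
    path = normalise_path(req.target)
    if ".." in path.split("/"):              # cannot survive normpath; kept as defence in depth
        return Decision(False, "path traversal attempt")
    if not path.startswith(ALLOWED_PREFIXES):
        return Decision(False, f"path {path!r} not on allow-list")
    return Decision(True, "forward to TMS", path)


# Constructed sample requests, as a reverse proxy might see them from the Internet.
SAMPLES = {
    "phonebook fetch": Request("GET", "tms.example.com", "/tms/public/phonebook/list.xml?v=1", True),
    "no client cert": Request("GET", "tms.example.com", "/tms/public/phonebook/list.xml", False),
    "encoded traversal": Request("GET", "tms.example.com", "/tms/public/phonebook/%2e%2e/%2e%2e/admin/", True),
    "wrong method": Request("DELETE", "tms.example.com", "/tms/public/phonebook/list.xml", True),
    "wrong host": Request("GET", "other.example.com", "/tms/public/phonebook/list.xml", True),
}


def evaluate_samples() -> dict:
    """Map each sample name to its (allow, reason) pair."""
    return {name: (decide(r).allow, decide(r).reason) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_samples().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The point of the example is the ordering: the cheapest and strongest check (mutual TLS) comes first, and the path is only compared against the allow-list after it has been decoded and normalised, because a prefix match on the raw request-target is exactly what the "just pipe it through" setup in the thread would get wrong.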
