
VCS Expressway external to internal endpoints call

curtishu19
Level 1

I have a new implementation where I have 1 VCS Control in the internal LAN and 1 VCS Expressway in the DMZ.

VCS Expressway has a public IP address/NAT.

Currently, we have a group of VC endpoints; each endpoint has a public IP/NAT to LAN, to allow the internet to make H.323 calls by dialing the endpoint's public IP directly.

My question is, after implementing VCS Expressway in the DMZ, how do I make the dial plan to allow outside callers to call each internal endpoint via VCS Expressway? Do I still need to give each endpoint a public IP/NAT?

Thanks much.


Alok Jaiswal
Cisco Employee

Hi Curtis,

For outside endpoints to call internal endpoints registered on the Control, you do not require any NAT for the endpoints.

The call setup plus the media would flow via the Expressway to the Control and then to the endpoint. That's the whole point of a traversal setup in the organization.

Go through the documentation below for more details:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf

Check Appendix 4.

The only thing you need is proper search rules, and ports need to be opened on the firewall.

Please ensure you do not have packet inspection on the firewall.

Thanks

alok

curtishu19
Level 1

Hi Alok,

Thank you very much. I don't use the dual network option. I read the document and it doesn't seem to explain the actual call flow from outside to an internal endpoint.

For example, in the following case, if an outside endpoint wants to call Internal endpoint 1, which IP address should it dial?

Internal endpoint 1: 10.10.10.100

Internal endpoint 2: 10.10.10.101

VCS-C: 10.10.1.10

VCS-E: 10.11.1.10   (NAT Public IP: 69.10.10.100)

A much simpler and, in my opinion, more elegant and scalable solution would be to not use IP addresses for calling, but allocate and register your end-points with E.164 aliases. That way all you need is the internal IP address.

So external end-points can, in this case, call your end-points by using Alias@domain or Alias@VCS-E_IP_address.

Internal end-points can call each other using the alias only, as long as you have the appropriate search rules in place, and so can external end-points you allow to register with your VCS-E for one reason or another.

If you have external Polycom end-points with older software version which does not support Annex O URI dialling, then it's very simple to include a pre-search transform on the VCS-E which will allow these end-points to call using proprietary "URI dialling"; VCS-E_IP_address##Alias - and if you have, on the odd occasion, an end-point which cannot use anything but IP addresses, then you can configure the fallback alias on the VCS-E to point to a specific end-point or to an auto-attendant on a MCU etc.

Using a dial-plan like the above will also allow you to use DHCP addresses, as the alias stays static, and that is what counts, much simpler addresses to give to people; i.e. 123456 is much easier to remember than 202.138.98.23 etc, not to mention IPv6 addresses, and, since you are registering your end-points with domain, then SIP clients will also be able to connect quite easily.

/jens

Please rate replies and mark question(s) as "answered" if applicable.
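Added example (not part of the original post, and not VCS configuration syntax): a Python model of the dial-plan normalisation described in the reply above, covering `Alias@VCS-E_IP_address`, the `VCS-E_IP_address##Alias` form, bare aliases, and the fallback alias for IP-only callers. `69.10.10.100` is the VCS-E public address from the question; `example.com`, the fallback alias and the function name are assumptions.

```python
import ipaddress
import re

# Assumed values for illustration; only the IP comes from the thread.
VCSE_PUBLIC_IP = "69.10.10.100"
DOMAIN = "example.com"                        # hypothetical registration domain
FALLBACK_ALIAS = "autoattendant@example.com"  # hypothetical fallback target

_IP = re.escape(VCSE_PUBLIC_IP)
_ALIAS = r"([A-Za-z0-9._-]+)"

# Ordered pre-search transforms: first matching pattern wins.
TRANSFORMS = [
    (re.compile(rf"^{_IP}##{_ALIAS}$"), rf"\1@{DOMAIN}"),  # IP##alias
    (re.compile(rf"^{_ALIAS}@{_IP}$"), rf"\1@{DOMAIN}"),   # alias@IP
    (re.compile(rf"^{_ALIAS}$"), rf"\1@{DOMAIN}"),         # bare alias
]


def normalize_destination(dest):
    """Return the alias handed to the search rules, or None if rejected."""
    dest = dest.strip()
    try:
        ipaddress.ip_address(dest)
    except ValueError:
        pass  # not a bare IP address, fall through to the transforms
    else:
        # Only the Expressway's own address is dialable from outside; it
        # lands on the fallback alias. Internal addresses are never routed.
        return FALLBACK_ALIAS if dest == VCSE_PUBLIC_IP else None
    for pattern, replacement in TRANSFORMS:
        if pattern.match(dest):
            return pattern.sub(replacement, dest)
    # Already a full URI: accept it only for the local domain.
    return dest if dest.endswith("@" + DOMAIN) else None


if __name__ == "__main__":
    # Constructed sample destinations.
    for d in ["123456", "123456@69.10.10.100", "69.10.10.100##123456",
              "69.10.10.100", "10.10.10.100", "endpoint1@example.com"]:
        print(f"{d!r:28} -> {normalize_destination(d)!r}")
```
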

Hello Curtis,

The VCS documentation is a good source. You will also find plenty of information under:

http://www.cisco.com/en/US/products/ps11337/tsd_products_support_series_home.html

In your case it's more "how do I design a number/address plan".

One intention of using a VCS is to be able to use URIs (email-like addresses) instead of using IPs to dial and, with the VCS-E, the capability to have endpoints behind a generic NAT without a specific port forward to the inside.

So for your case it should be more

endpoint1@domain.com

endpoint2@domain.com

which can then be reached from the outside if you add the proper (srv) domain records.

If it's a fixed requirement that you need to dial up IP addresses, you could also add a Cisco IPGW

http://www.cisco.com/en/US/products/ps11343/index.html

which could, for example, be set up to be reached by dialing the external VCS-E IP address. It would get you a menu where you could either configure your endpoints or have a field where you can dial the wanted internal IP.

This being said, the local VCS-E IP has anyhow not to be NATed (like you do) unless you have the dual interface option key. Even if you only use one interface, if you use NAT it's a requirement.

I would recommend you to get some help to review your network and give you some advice!

Curtis: please rate the messages using the stars below!

Please remember to rate helpful responses and identify

Hi Curtis,

Two things I want to say; however, it's already been put by Martin also.

One thing is, when you say calling internal endpoints registered on VCS Control, it would be in the form of a URI, e.g.

alok.jaiswal@cisco.com or maybe 12345@cisco.com.

or alok.jaiswal@ or 12345@.

When the outside endpoint calls an internal endpoint, the call will hit your Expressway, then the Control, and finally the endpoint. In this case media also travels in the same fashion, as that's the basic idea behind a traversal setup, so that you don't expose your whole internal network.

For NAT on the VCS Expressway you need the dual NIC option key, and it will enable static NAT configuration on the Expressway; without this key the media flow will not work.

Thanks

Alok

Thanks all for the great help, now I understand how that works.

Much appreciated.

Thank you for rating and setting the thread to answered. +5 for you!

Good success!

Please remember to rate helpful responses and identify