TP infrastructure behind firewall

KRISHNA K V
Level 1

Hi

I would like to know whether it is advisable to place the VCS Control, TMS and MCU behind the Data Center firewall. I have seen only documents related to VCS Expressway behind a firewall. Please let me know the best practice.

Krishna.

7 Replies

Jens Didriksen
Level 9

Most common type of deployment would be TMS, MCU, end-points and VCS-C behind firewall with VCS-E outside the firewall either in DMZ or public. Then you create a firewall traversal zone between the VCS-C and VCS-E.

Additional security can be achieved by using VCS-E with double NIC configuration.

Also see:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Hi Jens,

Thanks for your reply. Customer would like to have VCS CONTROL, MCU AND TMS behind Data Center firewall. I would like to know if this is recommended.

Krishna.

Hi Prakash,

Can you be more clear about your requirement?

Do you want to put these devices behind the firewall just for security purposes? If yes, then it could be done, but then you need to open the ports for proper communication and media to pass through the firewall.

Rgds,

Alok

I would personally use the VCS-C/VCS-E combination which will give you, among other things, secure firewall traversal.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Jens,

I think what Prakash is looking for is just internal communication. They don't have a requirement for communication on public.

A lot of customers do this for security, and even their internal endpoints in the LAN communicate with devices like MCU, VCS-C and TMS through the firewall.

If Prakash can elaborate on what his requirement is, that would be good for giving more recommendations.

cheers

Alok

Dear Alok,

The customer requirement is to protect the MCU, VCS-C and TMS, and they want to put them behind the firewall so that endpoints communicate through the internal datacenter firewall. Is this recommended?

Krishna.

Hi Krishna,

I got the scenario that the end customer is looking for.

I won't say whether it is recommended or not, because nowhere is it specifically written that it can't be. I know a couple of customers running the same kind of setup. I have especially seen this kind of implementation in India.

Considering your scenario, you need to:

- open the signaling ports for the endpoints so that they can communicate with the VCS

- also consider a scenario where someone dials the MCU directly. For that as well you have to open the port

- open the media ports

   a) when the endpoint dials the MCU and media is sent to the MCU

   b) when endpoint 1 dials endpoint 2 and it's a traversal call, or you forced the encryption through the subzone. In this case the media would traverse through the VCS

   c) for any communication to the Lync server

- open the ports for endpoint management via TMS

Thanks

Alok