VCS expressway firewall rules

Hello

I just need your confirmation on the following configuration.

VCSC - FW - Internet
        |
        |
      VCSE

We use the dual network interface option key with NAT.

The VCS Expressway will be connected with a single LAN interface to the FW. It will have a private IP address. The firewall will be NATting the private IP address of the VCSE to a public IP address.

When updating the FW rules according to the following link:

http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.PDF

Appendix 3 - Page 55-58

Which VCS Expressway IP address do you need to use in the FW rules? The private or the public one?

Thanks in advance.

Ahmed

Hi, Ahmed.

If you use the VCS-E with the dual interface option for NAT, all communication from the internet and from your internal network must go to the _public_ IP address, not the private one. That applies not only on the firewall, but also to the zone destination on the VCS-C.

Regarding your firewall, that depends on how your firewall is configured.

Some firewalls (or at least admins/users) seem to have problems getting the VCS-E accessible from inside on the external IP address. If there is a problem, you must use the secondary interface of the VCS and set up a new DMZ.

Please remember to rate useful responses and mark useful or correct answers.

Tags: Cisco Support

Similar Questions

  • VCS Expressway outside to endpoints internal call

    I have a new implementation with 1 VCS Control in the LAN and 1 VCS Expressway in the DMZ.

    VCS Expressway has a public IP address/NAT.

    Currently we have a group of VC endpoints; each endpoint has a public IP/NAT to the local network, to allow internet users to make H.323 calls directly by dialling the public IP address of the endpoint.

    My question is, after having implemented VCS Expressway in the DMZ, how does the numbering plan at each internal endpoint work for outside calls through the VCS Expressway? Do I still need to give each endpoint a public IP/NAT?

    Thank you very much.

    A much simpler and, in my opinion, more elegant and more scalable solution would be not to use IP addresses for calls, but to allocate and register the endpoints with an E.164 alias. That way all you need is the internal IP address.

    So the external endpoints can, in this case, call your endpoints using [email protected] / * / or [email protected] / * /-E_IP_address.

    Internal endpoints can call each other using the alias only, for as long as you have the search rules in place, and so can any external endpoints you allow to register with your VCS-E for one reason or another.

    If you have external Polycom endpoints with an old software version that does not support Annex O URI dialling, then it's very simple to include a pre-search transform on the VCS-E which will allow these endpoints to call using Polycom's proprietary 'URI numbering': VCS-E_IP_address##Alias. And if you, on the odd occasion, have an endpoint which cannot use anything other than IP addresses, you can configure a fallback alias on the VCS-E to point to a specific endpoint or a default auto attendant on an MCU, etc.

    A dial plan as above will also allow you to use DHCP addresses; the alias remains static, and that's what counts. Aliases are much simpler to give to people, e.g. 123456 is much easier to remember than 202.138.98.23 etc, not to mention IPv6 addresses, and because you register your endpoints with a domain name, SIP clients will also be able to connect very easily.

    /Jens

  • VCS Expressway - Possible use of CPL script to block incoming IP?

    Hello

    Is it possible to control incoming calls to a VCS Expressway based on a known IP address? I know that I can block un-auth/auth traffic by source alias, but I want to allow incoming calls only from (a) specific gatekeeper(s).

    Is this possible? I looked through the CPL section of the admin guide and I don't see anything pertaining to IP, just alias resolution.

    D.

    Hi Darren,

    I think you can use CPL for this question; however, since you need to block traffic based on a specific source IP address, I suggest you use the built-in firewall of VCS Expressway. This feature is available in the latest version of VCS; you can create firewall rules in the VCS to allow or deny certain traffic.

    Regards

    Paulo Souza

    Was my answer helpful? Please rate useful answers and do not forget to mark resolved questions as "answered".

  • VCS Expressway vs Expressway

    Hello

    Kindly, I am confused: what are the differences between VCS Expressway and Expressway?

    - Doesn't Expressway need HW (a server)? Is it only a license in CUCM I need to buy?

    - As a pre-sales engineer, when can I choose VCS-E, and when can I choose Expressway?

    Thanks and greetings

    There is a thread here:

    https://supportforums.Cisco.com/discussion/12699961/Expressway-series-vs-VCs-control-Expressway

    To summarize:

    What are the differences between VCS Expressway and Expressway?

    - VCS Expressway or the Traversal Server is the 'legacy' that supports local registration of external H.323/SIP based endpoints using its H.323 Gatekeeper and SIP Registrar features. It also serves as the traversal server for VCS Control (the traversal client) to support firewall traversal and B2B calls.

    - Expressway consists of Expressway Core and Expressway Edge, or what they call 'Collaboration Edge'. The concept of Expressway is the same as the 'legacy' VCS Control + VCS Expressway to provide firewall traversal and B2B calls. Expressway is an extension for a CUCM-controlled environment for Mobile and Remote Access. With Expressway, external clients/video endpoints can register to CUCM without using a VPN. Expressway in this case does not support registration of endpoints. Endpoints will register locally to CUCM using the Expressway (Core + Edge) firewall traversal technology.

    Doesn't Expressway need HW (a server)? Is it only a license in CUCM I need to buy?

    Expressway needs a server and it can be deployed in a virtual environment.

    You can take a look at the Cisco Business Edition 6000 (BE6K) offerings:

    http://www.Cisco.com/c/en/us/products/collateral/Unified-Communications/Business-Edition-6000/data_sheet_c78-717454.html?CacheMode=refresh

    As a pre-sales engineer, when can I choose VCS-E, and when can I choose Expressway?

    - I suggest contacting your Cisco representative to help you find the right solution for your customer.

    Kind regards

    Acevirgil

  • VCS Expressway & Movi 4.2 configuration

    Hi all

    I created a Movi account manually in TMS and it works perfectly with VCS Control.

    However, it cannot register to VCS Expressway. Is it mandatory to have a NAPTR (name authority pointer) record in DNS?

    For example, if we configure abc.com as the SIP domain name of the VCS Expressway, is it mandatory to resolve abc.com to the VCS Expressway public IP address on the DNS server?

    Thank you

    Ben

    That is to say, the client does not originate in the DMZ but comes directly to the public IP address of the VCSE?

    If that's the case, at least you should see registration attempts; if nothing can be seen then you need to look at the firewall.

    Is it an ASA? Try a packet capture and see why you are not hitting the VCSE using SIP, as it could be a firewall issue!

    HTH

  • Expressway-C and Expressway-E and VCS Expressway

    Hello

    I'm confused by these three.

    I know that Expressway-E is used with Expressway-C.

    Is their function like VCS Expressway? Or am I wrong?

    Please help me know when to use each one.

    Also, why do we use them next to the firewall? What is the meaning of firewall traversal?

    Also, when I connect externally with Jabber, is there any type of registration with each of them? I see a supported registration number of 2500 and 5000 in the VCS Expressway data sheet.

    Thank you

    Haitham

    Hi Haitham,

    In general, an endpoint/client must register to a 'device' so that it can be used as part of a company dial plan. This 'device' could be CUCM or a VCS, and it will determine whether an endpoint/client is allowed to connect, and how calls are formed and can be made.

    If the endpoint does NOT have one of these devices (CUCM or VCS), it could still be used (for example, as a stand-alone videoconferencing device); it's just that it is not seen within the company's call structure. It may not appear in the directories, it cannot prioritise calls outside, etc. The Jabber client has to register with either CUCM or a VCS to work at all.

    If you use CUCM with a VCS-E, endpoints will register to CUCM. If the endpoints are internal to the company, they register directly to CUCM, and if they are external then they connect via the VCS-E and the registration is tunnelled through to CUCM, so they still register with CUCM.

    In a VCS-C/E with TMS environment, endpoints will register to the VCS-C when internal, and again use the VCS-E to tunnel registrations from external devices to the VCS-C. Depending on how you want to deploy these devices, external devices/clients could actually register directly with the VCS-E, but I'm getting ahead of things. Jabber in this environment uses TMS to provide user authentication, even though the actual registration takes place on the VCS.

    Does that help?

    Chris

  • VCS Expressway Starter Pack

    Hi all

    First of all, let me say that I am kind of new to the "Tandberg" telepresence part.

    I'll set up a VCS Expressway Starter Pack (with the dual network interface option) next week at our customer's.

    I read the VCS Expressway SP deployment guide, but I still have a few questions:

    - What is the best place to put the VCSe SP? (inside the DMZ, or on the public network)

    Tomorrow we will hear whether or not the customer has a DMZ.

    - I understand that the external firewall must forward ports 5060, 5061 and the range 50000-52399 to the VCSe SP.

    If there is a DMZ, do we need to open the ports on the inside firewall as well?

    - Is it possible with the VCSe SP to receive video calls to the (locally) registered endpoints? (For example: an E20 to another company.) If so, do we need to open additional ports on the firewall?

    Thank you in advance,

    Wouter

    Hi Wouter,

    Check out the link for more information below.

    http://www.Cisco.com/en/us/prod/collateral/ps7060/ps11305/ps11315/ps11337/data_sheet_c78-697075.html

    It answers some of your questions, like what is the best place to install the VCS SP in the network.

    Normally, we have seen many customers put the box in the DMZ and use it for incoming and outgoing calls.

    Although the deployment specifically depends on the requirements and network design.

    Also see VCS starter pack deployment guide.

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_Expressway_Starter_Pack_Deployment_Guide_X7-1.PDF

    It gives the port information; also check the port usage document at the link below.

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X4_to_X7.PDF

    And to answer your last question: yes, it's possible to receive video calls from endpoints not locally registered to the VCS SP, but then you need DNS SRV records for your video domain, or they must call using the IP address of the VCS SP.

    DNS SRV is the preferred method.

    Thank you

    Alok
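    The SRV-based dialling that Alok recommends above, shown as an added example that is not part of the original thread: given a dialled URI, it derives the SRV names a VCS/Expressway-style device queries for SIP (RFC 3263) or H.323 (Annex O), looks them up in a constructed zone, and orders the targets by RFC 2782 priority and weight. The domain example.com, the vcse* host names and the record values are all constructed for the example.

```python
import random

# SRV service prefixes queried for a video domain, in protocol preference order.
SIP_SRV = ["_sips._tcp", "_sip._tcp", "_sip._udp"]      # RFC 3263
H323_SRV = ["_h323ls._udp", "_h323cs._tcp"]             # H.323 Annex O

# Constructed zone data for the example: name -> [(priority, weight, port, target)].
ZONE = {
    "_sips._tcp.example.com": [(10, 60, 5061, "vcse1.example.com"),
                               (10, 40, 5061, "vcse2.example.com"),
                               (20, 0, 5061, "vcse-backup.example.com")],
    "_sip._tcp.example.com": [(10, 0, 5060, "vcse1.example.com")],
    # Only the call-signalling record exists for H.323 here; _h323ls._udp is absent.
    "_h323cs._tcp.example.com": [(10, 0, 1720, "vcse1.example.com")],
}


def srv_names(uri, protocol):
    """SRV names to query for the domain part of a dialled URI such as room@example.com."""
    domain = uri.rsplit("@", 1)[-1].lower()
    prefixes = SIP_SRV if protocol == "sip" else H323_SRV
    return [f"{prefix}.{domain}" for prefix in prefixes]


def order_targets(records, rng):
    """RFC 2782 selection: lowest priority first; within one priority, weighted random.
    Returns a list of (target, port) in the order a caller should try them."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    ordered.append((rec[3], rec[2]))
                    group.remove(rec)
                    break
    return ordered


def resolve(uri, protocol, zone=ZONE, seed=0):
    """First SRV name (in preference order) that exists in the zone, with its ordered targets.
    Returns (None, []) when the domain publishes no SRV records, i.e. the case where the
    remote party would have to dial the VCS-E by IP address instead."""
    rng = random.Random(seed)  # seeded so the weighted choice is reproducible
    for name in srv_names(uri, protocol):
        if name in zone:
            return name, order_targets(zone[name], rng)
    return None, []


if __name__ == "__main__":
    print(resolve("room@example.com", "sip"))
    print(resolve("room@example.com", "h323"))
    print(resolve("room@no-srv.example", "sip"))
```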

  • How to make the VCS Expressway TURN relay work?

    Hi, Experts.

    My VCS Expressway is equipped with TURN, and I found the TURN configuration is pretty simple: it is enabled just under VCS Configuration > Expressway > TURN ON. But no matter what I tried, the TURN relay licenses always indicated '0' in the 'current' line under the VCS Expressway dashboard.

    I did my test this way: two Jabber Video clients (v4.5, Mac edition) reside in different networks behind NAT (no firewall). They call each other and, regardless of whether I turn TURN on or off, they still get good video quality. (The VCS Expressway is far away from the two Movi.) I assumed that in both cases the media traffic is sent directly between the two Movi, rather than going up to the VCS Expressway and back, what we normally call "hairpin" traffic.

    The result is that whether I enabled or disabled the TURN service, it is never hairpinned, and still no TURN relay license was used.

    What happens here? something wrong? I'm quite confused.

    Did you turn on the ICE feature on the Jabber Video provisioning template?

    On the provisioning template, you must configure the TurnServer address, TurnAuthUsername and TurnAuthPassword.

    You must also configure the authentication domain in the VCS-E used by the TURN server (you must set the username and password to match the TurnAuthUsername and TurnAuthPassword set up on the provisioning template).

  • Jabber VCS Expressway - internal DNS resolution by the Expressway itself

    Hello support community.

    I am currently configuring a VCS Expressway solution (both Expressway-E and Expressway-C servers). Due to some firewall restrictions I need to resolve the Expressway-C FQDN directly from the Expressway-E server, which means that I need the Expressway-E to resolve the Expressway-C FQDN without using the DNS server. I was wondering if there is a way to edit the VCS Expressway hosts file (if such a thing exists in the VCS) as anyone can do in operating systems such as Linux. I ask this question because I took a .pcap capture on the VCS and there I saw the DNS query process, but option number one was 127.0.0.1, which is the Expressway itself. Perhaps this connection attempt is just the Expressway looking in its DNS cache, but I'm not sure.

    Best regards

    Roberto Lopez.

    Ah, this is the reason why I asked. You don't need DNS for it.

    The way it works is that when the traversal client (in your case Expressway-C) tries to connect to the traversal server (in your case Expressway-E), the traversal server looks at the common name on the cert presented by the traversal client. It checks whether that matches what was specified when you configured the traversal zone on the Expressway-E.

    Basically, DNS is not necessary. You just need to make sure that the Expressway-C FULL domain name is what is specified in the "TLS verify subject name". Also make sure that if the certificates are signed by a CA, the root/intermediate certificates are uploaded to both Expressway C/E. Also, make sure you put the FULL name of the Expressway-E in the traversal zone on the Expressway-C, and not the IP address.

    HTH

  • 2 MCUs and VCS Expressway, routing problem

    Hi all

    We have a design with a VCS Control cluster (2 members), a VCS Expressway cluster (2 members), and a couple of MCUs (registered H.323 on the VCS Control cluster with the same prefix: 90).

    Each Expressway has a public IP address, and incoming calls from outside can only be routed to the MCUs:

    [email protected]/ * / for MCU_1 and [email protected]/ * / for MCU_2 (we don't have external DNS resolution).

    I put a transform on the VCS Expressway to change [email protected]/ * / to [email protected] / * / and [email protected]/ * / to [email protected] / * /.

    The problem is that when someone calls [email protected]/ * /, sometimes (randomly) the call is routed to MCU_2 (instead of MCU_1) and the caller sees the auto attendant.

    The same occurs when calling [email protected]/ * / (MCU_2): sometimes the call is routed to MCU_1.

    Any idea what can cause this behaviour, or a way to make it work well?

    Thanks for help.

    José

    I still think that separate prefixes would work, but here are a few ideas:

    Are the incoming calls possibly using SIP that is being interworked to H.323, or are all incoming calls certainly H.323?

    If you want to keep it pure H.323, you could perhaps just have a search rule/transform on your VCS-E which changes [email protected] to an E.164, e.g. 90..., and have a search rule on your VCS-C that says 90... stops at the local zone.

    I also noticed that you direct calls to [number]@MCU-IP - have you tried directing all calls to [number]@VCS-C IP instead? If the VCS holds a registration for a number, it should be able to deliver the call accordingly.

  • Review during deployment - VCS Expressway

    Hello world!!!

    We know the benefits of deploying VCS Expressway. After reading the "Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway) - Deployment Guide", my team and I are faced with the following:

    1 - If we do not have the "Advanced Networking option key", we are not able to use the static NAT feature of the VCS Expressway, nor the dual network interfaces. This is why we need the firewall to do NAT reflection (it allows VCS Control to access the public IP of the VCS Expressway) and deep inspection (to change the IP address that is part of the SIP header). Is this statement correct?

    2 - If in my deployment I open some ports in the firewall, does it mean that my network is exposed to external threats? Are there some security considerations to keep in mind for the endpoints that will be on the Internet?

    I also leave a small attached file; in this file you can get an idea of what I'm doing. I look forward to your comments. Thank you all.

    The same concept applies, at least.

    If you already have a DMZ with public IPs, you should be fine. If not, you could split the existing subnet you have, get a new ISP, use proxy arp...

    Not sure about your details; if you are unsure how to configure what I told you in the message before, you may need to ask an additional network guy.

    As you say yourself, if you cannot prevent NAT (of course, that would be a nice way to deploy, but it would require the dual interface, now known as the Advanced Networking key). Also remember that you must not share the VCS-E IP with other services.

    Another option may be to host the VCS-E at an ISP, or there are also some providers that offer a VCS traversal zone (at least the non-CUCM style) as a service.

    As you have a PC user, do you plan to use Jabber Video (old style with TMS) or Jabber (CUCM)?

    Please rate the messages with the stars below and mark the thread as answered if it is!

  • VCS Expressway

    Hello

    • Attached is the design; please confirm whether it is correct.
    • Actually, my boss wants to have a video conference with the xyz company, which has a VCS Expressway up and working directly. We ordered the new VCS Expressway and 1 old C20 codec, and I was asked to install them; unfortunately, I'm not able to configure them. I want to know the concept of how URI dialing works, and how I register TP endpoints to the VCS. I am registering the Codec C20 to the VCS and it shows rejected in the registration logs and failed on the C20.
    • Very new to VCS and desperately want to know how the call flow will be between our 2 separate entities, for example mycompany.com and xyz.com.
    • There is no default gateway option for LAN2, so how will traffic be routed to other areas? Can we add a route in the VCS?

    Thank you

    Usually there are two components - VCS Control and VCS Expressway. VCS Control is located on the internal network and VCS Expressway is located on the external/DMZ network. Endpoints register to VCS Control. VCS Control builds a "traversal zone" to VCS Expressway, and when an endpoint attempts to route a call, it goes to VCS Control and then to VCS Expressway.

    You may be able to register endpoints to the VCS Expressway if you have a license on this device. You must configure a domain on the VCS to accept registrations. You must define this domain on the endpoint as well.

    Take a look at this to troubleshoot endpoint registrations. http://www.Cisco.com/c/en/us/TD/docs/Telepresence/infrastructure/article...

    This can also be caused by the firewall.

    You can see the documentation below for how to configure VCS-C/VCS-E outgoing calls.

    http://www.Cisco.com/c/en/us/TD/docs/Telepresence/infrastructure/article...

  • FVS336Gv3 multi-NAT inbound firewall rules do not work

    I have about 30 Netgear FVS338 and a few FVS336Gv2 routers in use. I use them for firewalling and to provide multi-NAT between industrial machines and the WAN. The configuration has changed on the Gv3 models and I can't get a response from behind the firewall, or from the router on the diagnostics page, when using the WAN address.

    In the examples below the WAN is 10.62.

    Figure 1. Two different devices with two different configuration options.

    Figures 2 and 3. The first is bad - it would only connect from this address. Have I set up the other one correctly to NAT the WAN address 10.62.31.55 to the LAN address 10.3.110.215?

    Q1: Is Figure 3 configured correctly?

    Q2: Why is it forcing me to create a range of addresses? On the older routers, I had the option of a single address.

    Q3: Is anyone aware of any problem with this router?

    For anyone having the same problem: the FVS336Gv3 requires the manual addition of each new WAN-side address. It is buried in the menu structure:

    Figure 1. Network configuration | WAN settings | WAN configuration. WAN1 - Edit.

    Figure 2. Select the secondary addresses.

    Figure 3. Add the required WAN addresses.

    Now configure the inbound firewall rules:

    Figure 4. Security | Firewall rules. Add or change. Note that the WAN secondary addresses are available in the WAN IP address drop-down list.

    Password

    There seems to be a problem with this router regarding the session timeout. I got thrown out several times on the navigation menu and had to log on again and renavigate. Idle time-out is set to 90 minutes. I never saw this problem on earlier routers.

    Also, note that the password field now has a limited character set. For example, it does not accept '$'.

  • Quick way to add multiple subnets to Server 2008 firewall rules?

    I set up a firewall in Windows Server 2008. I need to add several subnets to a rule for inbound traffic, but it is making me add subnets one at a time. Is it possible to add several subnets simultaneously? I tried separating them by commas and adding them via the GUI, but it wouldn't take it (it said to specify a valid address). Also, if you have already entered a long list of subnets in a firewall rule, is it possible to copy it to another firewall rule?

    Hi Goatberg,

    Your question about Windows Server 2008 is more complex than what is typically covered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet audience. Please post your question in the TechNet Forum. You can follow the link to post your question:

    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

  • RVL200 - SSL VPN and firewall rules

    Forgive my ignorance, but I have been immersed in the configuration of this RVL200 device to allow SSL VPN remote access to a customer site, sight unseen. I have the basics of the VPN set up in the config, but am now moving on to the firewall rules. We want to block all internal devices from accessing the Internet, but I don't want to cripple the remote clients by blocking their return traffic via the SSL VPN. This leads to my questions:

    (1) Will a blanket DENY rule for all OUTBOUND traffic prevent the primary function of the VPN (to allow remote administration of machines on the local network)?

    (2) If the answer to #1 is 'Yes', what ports/services do I need to open on the LAN side?

    (3) Building on #2, can authorized outbound rules be configured to apply only to VPN clients, rather than all hosts on the LAN?

    (4) As the default INBOUND traffic rule is DENY EVERYTHING, do I have to create a rule to allow the VPN tunnel, or is that assumed in the configuration of the router?

    Here are some other details:

    • The LAN behind the RVL200 is an isolated LAN in a manufacturing environment.
    • All hosts on this network have a static IP address on a single subnet.
    • The RVL200 has been configured with a static, public IP on the WAN/INTERNET side.
    • DHCP has been disabled on the RVL200.
    • Authentication to the device will use a local database.
    • There is no DNS server on the local network.
    • The device upstream of the RVL200 is a DSL modem using PPPoE, and the device has been configured for this setting.
    • Several local user database accounts were created to facilitate SSL VPN access.

    I have worked with other aspects of it for a long time, but have limited experience with VPNs and the associated firewall rules, and zero with this family of devices. Any help will be greatly appreciated.

    aponikikay, there is no port forwarding necessary for the RVL200 SSL VPN function.

    Re 1. That is not tested. It shouldn't. The router should automatically make sure that the SSL VPN router service is functional and accessible.

    Re 2. No forwarding necessary. In addition, never forward TCP/UDP port 47 or 50 for VPN functions. TCP port 1723 is used for PPTP. UDP 500 is used for ISAKMP. You usually also have to forward TCP/UDP port 4500 for IPSec encapsulation.

    Let's take port 47. GRE is an IP protocol that is used for virtual private networks. It is not a TCP or UDP protocol. GRE has IP protocol number 47. It has nothing to do with TCP or UDP port 47. TCP and UDP are completely different protocols of their own.

    It goes the same for 50: ESP is the payload for IPSec tunnels. ESP is IP protocol 50. It has nothing to do with TCP or UDP port 50.

    'Forwarding' of GRE is configured with the PPTP passthrough option.

    'Forwarding' of ESP is configured with the IPSec passthrough option.
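    The IP-protocol-versus-port distinction made in the answer above, shown as an added example that is not part of the original thread: it builds constructed GRE, ESP and PPTP packets with minimal IPv4 headers and checks them against firewall rules written the wrong way ("TCP port 47", "UDP port 50") and the right way (IP protocol 47, IP protocol 50). All addresses, SPI and port values are constructed for the example; the rule dictionaries are a hypothetical representation, not the RVL200's configuration format.

```python
import struct

# IANA protocol numbers: GRE and ESP are IP protocols, not TCP/UDP ports.
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Constructed minimal IPv4 header (no options, checksum left zero) + payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def build_tcp(sport, dport):
    """Constructed minimal 20-byte TCP header (SYN, no options, zero checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)


def build_gre():
    """Constructed minimal GRE header: no flags, version 0, protocol type PPP (0x880B)."""
    return struct.pack("!HH", 0, 0x880B)


def build_esp(spi=0x1234, seq=1):
    """Constructed ESP header: SPI and sequence number (encrypted body omitted)."""
    return struct.pack("!II", spi, seq)


def classify(packet):
    """Return (ip_protocol, dst_port); dst_port is None unless the packet is TCP/UDP."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, dport


def rule_matches(rule, packet):
    """rule = {'proto': <ip protocol number>, 'dport': <port or None>}.
    A port is only meaningful for TCP/UDP, so a 'TCP port 47' rule can never
    match a GRE packet and a 'UDP port 50' rule can never match ESP."""
    proto, dport = classify(packet)
    if proto != rule["proto"]:
        return False
    if rule.get("dport") is None:
        return True
    return dport == rule["dport"]


# Rules as an admin might write them, the mistaken form beside the correct one.
WRONG_GRE_RULE = {"proto": IPPROTO_TCP, "dport": 47}   # "TCP port 47": never matches GRE
RIGHT_GRE_RULE = {"proto": IPPROTO_GRE}                 # IP protocol 47 (PPTP passthrough)
WRONG_ESP_RULE = {"proto": IPPROTO_UDP, "dport": 50}    # "UDP port 50": never matches ESP
RIGHT_ESP_RULE = {"proto": IPPROTO_ESP}                 # IP protocol 50 (IPSec passthrough)
PPTP_CTRL_RULE = {"proto": IPPROTO_TCP, "dport": 1723}  # PPTP control channel, a real TCP port


def demo():
    gre_pkt = build_ipv4(IPPROTO_GRE, build_gre())
    esp_pkt = build_ipv4(IPPROTO_ESP, build_esp())
    pptp_pkt = build_ipv4(IPPROTO_TCP, build_tcp(40000, 1723))
    return {
        "wrong_gre": rule_matches(WRONG_GRE_RULE, gre_pkt),
        "right_gre": rule_matches(RIGHT_GRE_RULE, gre_pkt),
        "wrong_esp": rule_matches(WRONG_ESP_RULE, esp_pkt),
        "right_esp": rule_matches(RIGHT_ESP_RULE, esp_pkt),
        "pptp_ctrl": rule_matches(PPTP_CTRL_RULE, pptp_pkt),
    }


if __name__ == "__main__":
    print(demo())
```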
