Best Practices for VidConf with external parties

markanthony · ‎01-14-2008

We currently use Sony Video conference units for our end units. On the backend, we use a Cisco 3515 for multipoint conferences.

We now need to be able to do video conferences with external parties using our MCU.

Since there are many ways of doing this, are there solutions that work better than others? Basically I need to publish a doc that says 'here is what you will need. This port open on your firewall, a public IP address that is not NATd....'

Any help would be appreciated.

smahbub · ‎01-22-2008

A site has a link capacity of 1.544 Mbps and contains two video terminals that support a maximum data rate of 256 kbps each. Although the rate of the two video calls equals 512 kbps, add 20 percent to the data rate of the call to account for overhead. Twenty percent is a conservative percentage that ensures proper capacity planning in most environments. You can start with an extra 20 percent for overhead and then adjust this value, higher or lower, with the results of your monitor as a basis.

http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080094968.shtml

gsroberts · ‎01-23-2008

You may choose to approach each external party on a case-by-case basis, but I would recommend you consider implementing an H.460.x-compliant firewall traversal solution at your enterprise. H.460.17, .18 & .19 is the standard approach to traversing NATs & firewalls with H.323 traffic.

Since the "server" side of the solution would reside outside your enterprise security, any H.323 end-points (Tandberg MXP, Polycom HDX and Polycom VSX--with the right s/w release) from external parties can traverse their security and register directly with the external side of your H.460.x traversal solution. Ideally, though, any enterprise using H.323 to transport video, should be moving to this standard method of traversal, so then you simply "neighbor" session border controllers (SBCs -- the external portion of the traversal solution).

If you try to address this problem in your and external parties networks at the network layer or in the security solution, you will soon realize why a standards-compliant solution implemented within the h.323 service is the best approach.

I'm currently dealing with external parties who do everything from H.460.x to codecs outside the firewall to custom written filters in their security solution. The first is the right way to do it, the second is careless and the third is just brutal (the latter have Sony codecs, btw)

Tandberg has a white paper that covers some of this (read pg. 8): http://www.tandberg.com/collateral/white_papers/whitepaper_employing_IT-level_security_for_IP_conferencing.pdf

Regards,

Greg Roberts

____________________

State of TN Video Group

greg.roberts@state.tn.us

Report Inappropriate Content · ‎06-25-2008

Hi Greg, I have a customer with this requirement for videoconferencing through a firewall with NAT. Currently considering H.460 firewall traversal but can't find any documentation on a Cisco solution for this (Tandberg appear to be the best from research).

They have a Cisco video infrastructure at the moment (gatekeeper, MCU) and looking for the most cost-effective solution for conferencing with external parties.

Do you know if this has been done with Cisco technology? Do you know if the Tandberg Border Controller will partner with a Cisco IOS device for H.460.x traversal?

many thanks

David

gsroberts · ‎06-25-2008

David,

Unfortunately, Cisco has not (currently) chosen to implement H.460.x in their H.323 infrastructure solutions, so a Cisco GK could not be used in combination with a Tandberg SBC (session border controller). However, we currently use Cisco gatekeepers for everything but firewall traversal. For traversal, the Tandberg GK functions as the inside portion of the traversal solution and proxies for all my codecs (a mix of six different Tandberg and Polycom product lines)--even those that are H.460-capable. Combined with the SBC (session border controller is a Cisco MCM (25xx router) setting on the public side of the firewall and neighbored to the session border controller.

The "public" GK is for the entities who write custom policies in their firewalls or set their codecs on the public side of their security. If not H.460 compliant, they have to register with a GK, they can't register directly with the SBC, hence, the public GK which is simply neighbored to the SBC.

I would encourage you to closely look at the Polycom V2IU as well. It has come a LONG way since it was introduced a couple of years ago.

Personally, I still don't feel like the V2IU has as much flexibility nor does it implement a dialing methodology best suited for converging networks. It is an ALG (App Layer GW) that has been tweaked to support H.323 traversal, so I don't think it will ever truly match the Tandberg Expressway solution apples-apples, but it is dramatically less expensive and thus worth considering.

We tested both the Tandberg and Polycom traversal solutions with our internal CAC (call admission and control infrastructure), which is made up of multiple Cisco GK products in a fully meshed neighboring scenario prior to purchase of a traversal solution, and the Cisco products interoperated with both traversal solutions.

Cisco did present a solution that proposed a Layer 3 solution, but we felt it best to pursue something based within the H.323 umbrella standard.

If you want to talk more, please email me at 76cb400f@gmail.com w/ direct contact info and I'll be happy to assist you in any way I can.

Greg