Some issues about video conference via public network

Answered Question
Jul 23rd, 2012

Hi all,

I have some queries that need your help:

1. Normally, I connect endpoints to MCU via local network (WAN) so everything is OK. But if I'd like to connect them to MCU via public network (for example Internet FTTH), do I need any more equipment or settings on MCU? Is Video Firewall Option necessary?

2. Does Cisco Telepresence support VPN for remote endpoint to join video conference?

Thanks

Correct Answer
Martin Koch Mon, 07/23/2012 - 14:07

Hi Tien!


1) If you are looking into public connectivity, I would recommend you talk to a Cisco (partner) sales person to tell you a bit more about the VCS-E and VCS-C deployment.

You would need something to do proper firewall/NAT traversal, not only for NAT in your organization, but also for remote users with endpoints behind a home NAT router, ...

2) The endpoints and infrastructure do not have a VPN client, but you can sure use a VPN router in between. But be aware that video uses quite some bandwidth and packets per second, so the VPN router might get in trouble, and a VPN also adds IP overhead, so you might get MTU issues.

But yes, I have seen people using Cisco Telepresence via VPNs.


Tien: Please rate the answers using the stars below!

Nguyentiendung Wed, 07/25/2012 - 20:45

Hi Martin,

Thanks for your reply.

As I know about VCS-C and VCS-E, they are used to connect endpoints from public network into local network (for example: WAN). But I mean that MCU and all endpoints connect together via internet (FTTH) as follows:


So is it necessary to implement VCS-C and VCS-E?

I think we only need NAT on router at each site (both center and branch) (???)

Correct Answer
Michael Boscia Thu, 07/26/2012 - 03:39

While you "could" do what you are suggesting, I don't think you would find many people here that would recommend it.


That would be a very un-secure deployment, and you would be setting yourself up to be the victim of a security breach.


From an architecture or a best-practices standpoint, you should not allow direct connectivity to infrastructure from the Internet. It would not be overly difficult to attack those devices if they are simply NATed to the Internet.


Look into getting the VCS devices and doing a more secure implementation. It will be the right thing in the long run.



Sent from Cisco Technical Support iPhone App

Nguyentiendung Thu, 07/26/2012 - 23:34

Hi Michael,

I fully understand what you said. The only problem is it's very costly if I implement VCS-C and VCS-E. Do you know a better solution? I read the catalog of Cisco Telepresence Video Communication Server and see that Starter Pack Express is an alternative solution for SMBs but I'm not sure it meets my demand.

Please give me some advice.

Thanks.

Michael Boscia Fri, 07/27/2012 - 03:33

While the starter pack isn't my favorite piece of gear, it will be much better than what you were suggesting.


If you can get VCS Starter Pack, then do that.


Sent from Cisco Technical Support iPhone App

Nguyentiendung Fri, 07/27/2012 - 19:05

Thanks Michael,

I'd like to ask you one more question: have you ever used Video Firewall Option on MCU? What's the matter if I enable second Ethernet port (port B) on MCU and directly connect all endpoints to MCU via this port? Do you think VFO can solve the issue I mentioned above?

Oleksandr Yurchenko Sun, 07/29/2012 - 12:29

Hi Tien


Yes. You can solve your issue by using the second port of the MCU (VFO).

You must purchase the VFO option and assign a public IP address to the second port of the MCU.

And on your router you will need to set up a filter of IP addresses authorized to access the second port of the MCU from the public network, for security and to prevent DDoS.


br Oleksandr
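
The source-address filter described in the reply above, sketched as an added example (not part of the original post and not Cisco's code): it renders an IOS-style extended ACL from a list of authorized sites and replays constructed flow records to show which sources the filter would drop. The addresses, site names, ACL name and record format are all assumptions, taken from documentation ranges.

```python
import ipaddress
from collections import Counter

# Assumed values, not from the thread (RFC 5737 documentation ranges).
MCU_PORT_B = ipaddress.ip_address("203.0.113.10")   # public IP on MCU port B
AUTHORIZED_SITES = {                                # branch-site public addresses
    "branch-1": ipaddress.ip_network("198.51.100.16/29"),
    "branch-2": ipaddress.ip_network("198.51.100.64/32"),
}

# Constructed flow records: "<source> <destination> <destination port>"
SAMPLE_FLOWS = [
    "198.51.100.18 203.0.113.10 1720",   # branch-1, H.323 call signalling
    "198.51.100.64 203.0.113.10 5060",   # branch-2, SIP
    "192.0.2.77 203.0.113.10 5060",      # unknown source
    "192.0.2.77 203.0.113.10 1720",
    "192.0.2.200 203.0.113.10 80",       # unknown source, HTTP
    "192.0.2.77 203.0.113.99 443",       # not addressed to the MCU
]

def render_acl(name="MCU-PORT-B-IN"):
    """Render an extended ACL: permit listed sites to the MCU, log the rest."""
    lines = [f"ip access-list extended {name}"]
    for site, net in sorted(AUTHORIZED_SITES.items()):
        lines.append(f" remark {site}")
        lines.append(f" permit ip {net.network_address} {net.hostmask} host {MCU_PORT_B}")
    lines.append(f" deny ip any host {MCU_PORT_B} log")
    return lines

def site_for(src):
    """Return the authorized site a source address belongs to, or None."""
    addr = ipaddress.ip_address(src)
    for site, net in AUTHORIZED_SITES.items():
        if addr in net:
            return site
    return None

def audit(flows):
    """Count flows to the MCU per source that the filter would drop."""
    denied = Counter()
    for line in flows:
        src, dst = line.split()[:2]
        if ipaddress.ip_address(dst) == MCU_PORT_B and site_for(src) is None:
            denied[src] += 1
    return denied

if __name__ == "__main__":
    print("\n".join(render_acl()))
    for src, hits in audit(SAMPLE_FLOWS).most_common():
        print(f"would be dropped: {src} ({hits} flows)")
```

The rendered list would be applied inbound on the router's Internet-facing interface; flows from the sources the audit reports would match the final deny entry and be logged.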



Michael Boscia Sun, 07/29/2012 - 16:11

Martin took the words out of my mouth.


Personally, I would recommend the VCS-SP instead of the VFO option.


Talk to your partner or your Cisco rep and they'll make sure you get what you need.


Sent from Cisco Technical Support iPad App

Martin Koch Sun, 07/29/2012 - 16:08

Hi Tien!


It is important to check what your needs / requirements are, what the network looks like, what might need to be changed and how everything can be implemented.

I would really recommend that you talk to your Cisco partner or representative to check what is really the best kind of deployment for you.



Martin
