Configure my VCSc with VCSe on Public IP

Saurabh Gupta
Level 3

Hi Guys,

I have a VCS Control sitting on my company's private IP and I have my customer's VCSe on a public IP.

Will it be possible to configure my VCSc with the VCSe after configuring Traversal Zones?

What ports need to be opened by my firewall team in this scenario?

Anything else which I need to keep in mind?

FYI, this is only for testing purposes.

I will appreciate any response.

Thanks,

Saurabh


Tomonori Taniguchi
Cisco Employee

Yes, a VCS-C and VCS-E traversal link is supported even when those VCSs are located in separate locations.

Please download the latest VCS-C and VCS-E deployment guide from:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf

Appendix 1 should provide a sample configuration for both VCS-C and VCS-E.

Appendix 3 should provide information on the ports that the firewall should allow for the traversal link.

Tomonori Taniguchi
Cisco Employee

Also, the document “VCS IP port usage for firewall traversal” may come in handy for understanding the port requirements in both directions. This document is available from:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X4_to_X7.pdf

So, in a way, different companies can use 1 VCS Expressway located in a remote location and on a public IP?

Is there any risk involved in it?

And to accomplish it, we have to create different Traversal Zones for linking different VCSc with one VCSe?

Thanks

Saurabh

Also, since there is no physical Layer 1 connection between VCSc and VCSe, how will routing of packets, call signalling and end-to-end data flow?

Do you mean that the Traversal Zone will accomplish it after I am done with the Traversal Zone setup?

Regards,

Saurabh

> So, in a way, different companies can use 1 VCS Expressway located in a remote location and on a public IP?

VCS supports multiple SIP/H323 domains, and you are also able to create a subzone per such domain to manage registrations separately.

SRV DNS will help to have multiple domains all pointing to the same VCS-E, which has a single public IP address.

> Is there any risk involved in it?

If search rules are not managed properly, another company may possibly end up using a different company's infrastructure resources (i.e. using the other company's MCU resources) or calling the other company's endpoints.

From the next VCS software release version, X7.2, you may configure the calling source at subzone level on a search rule, which will help with this challenge.

> And to accomplish it, we have to create different Traversal Zones for linking different VCSc with one VCSe?

You will need to create a traversal zone per VCS-C and VCS-E link (if clustered, you are able to add all the cluster VCS information in the same traversal zone configuration).

So for example, assume you have VCS-C1 and VCS-C2 and a shared VCS-E; then you will need to create the following traversal zones.

1) traversal client zone on VCS-C1 pointing to VCS-E

2) traversal client zone on VCS-C2 pointing to VCS-E

3) traversal server zone on VCS-E for VCS-C1

4) traversal server zone on VCS-E for VCS-C2

You will also need search rules on each VCS.

> Also, since there is no physical Layer 1 connection between VCSc and VCSe, how will routing of packets, call signalling and end-to-end data flow?

VCS-C and VCS-E will keep one signalling link alive once the traversal link is established.

VCS-E will communicate with VCS-C using this link (i.e. when VCS-E receives an incoming call, VCS-E informs VCS-C to make an outgoing call to establish the firewall traversal call).

> Do you mean that the Traversal Zone will accomplish it after I am done with the Traversal Zone setup?

Yes, the traversal management link will remain alive once the traversal zone is configured and the link is established.

Port information is available in the guide I mentioned in my earlier reply.
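The search-rule risk described in the reply above, shown as an added example that is not part of the original thread and is not Cisco code: a small audit that simulates rule matching on a shared VCS-E and lists calls that cross from one company's traversal zone into another's. The rule model (priority, source, regex pattern, target), the zone names and the domains are simplified assumptions constructed for illustration, not the VCS configuration format.

```python
import re
from dataclasses import dataclass

# Simplified, hypothetical model of a search rule (not the VCS's own format).
@dataclass
class SearchRule:
    priority: int   # lower value is searched first
    source: str     # "Any" or the name of a single zone
    pattern: str    # regex matched against the dialled alias
    target: str     # zone the call is sent to on a match

def route(rules, source_zone, alias):
    """Return the target zone of the first rule that admits this call, else None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.source not in ("Any", source_zone):
            continue  # rule is scoped to a different calling source
        if re.fullmatch(rule.pattern, alias):
            return rule.target
    return None

def cross_tenant_paths(rules, tenant_zones, probes):
    """List (source_zone, alias, target_zone) calls that pass between two tenants."""
    findings = []
    for src in tenant_zones:
        for alias in probes:
            dst = route(rules, src, alias)
            if dst in tenant_zones and dst != src:
                findings.append((src, alias, dst))
    return findings

# Constructed sample data: two companies behind one shared VCS-E.
TENANT_ZONES = ["TZ-CompanyA", "TZ-CompanyB"]
PROBES = ["mcu@companya.example", "mcu@companyb.example"]

# Source left at "Any": a call arriving from either traversal zone matches both rules.
LOOSE = [
    SearchRule(100, "Any", r".+@companya\.example", "TZ-CompanyA"),
    SearchRule(100, "Any", r".+@companyb\.example", "TZ-CompanyB"),
]
# Source restricted: only calls arriving from the Default Zone are sent to a tenant.
SCOPED = [
    SearchRule(100, "DefaultZone", r".+@companya\.example", "TZ-CompanyA"),
    SearchRule(100, "DefaultZone", r".+@companyb\.example", "TZ-CompanyB"),
]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("scoped", SCOPED)):
        print(name, cross_tenant_paths(rules, TENANT_ZONES, PROBES))
```

Whether calls between the two companies should be allowed at all is a policy decision; the audit only makes the reachable paths visible so that they can be compared against that policy.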

Thanks, Tomo, for the reply.

So, practically there is no such risk involved, and my customer can use a public IP on the VCSe without going for the Dual Network Option Key (which is used to make the VCSe more secure).

So, shall I ask my customer to just buy a public IP, that's it, and we are good to go?

Thanks,

Saurabh

Tomonori Taniguchi
Cisco Employee
Accepted Solution

> So, practically there is no such risk involved, and my customer can use a public IP on the VCSe without going for the Dual Network Option Key (which is used to make the VCSe more secure).

Cisco highly recommends that VCS-E be deployed in a DMZ; however, it is also true that many customers do deploy VCS-E directly on the public network.

Please refer to https://supportforums.cisco.com/thread/2154738?tstart=150 for additional VCS security information.

The next VCS software release, X7.2, is planned to support a built-in basic firewall feature that allows configuring allow/deny lists based on IP address/port(s)/protocol, which should help to improve the security level even when VCS-E is deployed directly on the public network.

> So, shall I ask my customer to just buy a public IP, that's it, and we are good to go?

One public IP will be required on the VCS Expressway; the VCS Control can use a shared NAT address (i.e. share Internet access from the office network).

You will also need SRV DNS management (for a small deployment it is probably best to use an external DNS service; there are many companies providing DNS hosting service, both as a charged service and as a free service).

Thanks, Tomo, for replying every time.

Appreciate your response.

Regards,

Saurabh