Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

MCU 4501 deployment question

Just about to embark on a pretty simple video deployment for a customer next week and I have a couple questions about the 4501 and also encrypting traffic.

8 Quickset C20's at remote locations

VCS Control, 4501 MCU, TMS - installed on common vlan at central site.

dedicated MPLS WAN for connectivity between all locations - no other traffic on these links but telepresence.

the network admin at my customer site made comment about potentially installing the bridge outside the firewall apart from the endpoints.

In all the reading material I can find, there's not much documentation on video bridges living outside of a firewall.  My thought is dont do it...why complicate matters. 

Other question is about the merits of enabling encryption between the C20's and the VCS, as well as the C20's and the MCU.

If all the equipment ends up on a private IP cloud - my goal is to push the customer to deploy everything behind a firewall so as not to complicate the deployment.  But if he insists, we would have to poke holes through firewall for the sip signalling and the range of dynamic ports for the rtp media.

Does anyone have any strong opinion about this one way or the other?

Thanks,
Paul

1 REPLY

MCU 4501 deployment question

Hi

As you sated it is better not to have the firewall in the video path

However if the customer want to then it is possible by making sure you have the right nat and inspection co figured in the firewall

Below link for pix old version of Asa but the concept still apply

http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/cisco_telepresence_pix_firewall_configurations_h323_video_endpoints_kb_105.shtml

By default Port B is disabled on the Cisco TelePresence product. The activation of the video firewall feature allows Port B to be enabled. In a video firewall deployment, one of the ports is connected to the local network (typically Port A) and the other (typically Port B because Port B cannot use DHCP) is connected to the Internet. This allows the MCU to host conferences with a mix of participants from the internal and external networks. This does not compromise your network security because the MCU will never route packets between the two ports, not even media packets.

http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/mcu_ip_vcr_configure_video_firewall_27.shtml

Ports:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/conferencing_products_conferenceme_ports_used_kb_3.shtml

Hope this help

If helpful rate

531
Views
0
Helpful
1
Replies
CreatePlease to create content