Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
711
Views
0
Helpful
1
Replies

MCU 4501 deployment question

pdinapoli
Level 1
Level 1

‎12-07-2011 04:36 PM - edited ‎03-17-2019 10:39 PM

Just about to embark on a pretty simple video deployment for a customer next week and I have a couple questions about the 4501 and also encrypting traffic.

8 Quickset C20's at remote locations

VCS Control, 4501 MCU, TMS - installed on common vlan at central site.

dedicated MPLS WAN for connectivity between all locations - no other traffic on these links but telepresence.

the network admin at my customer site made comment about potentially installing the bridge outside the firewall apart from the endpoints.

In all the reading material I can find, there's not much documentation on video bridges living outside of a firewall.  My thought is dont do it...why complicate matters. 

Other question is about the merits of enabling encryption between the C20's and the VCS, as well as the C20's and the MCU.

If all the equipment ends up on a private IP cloud - my goal is to push the customer to deploy everything behind a firewall so as not to complicate the deployment.  But if he insists, we would have to poke holes through firewall for the sip signalling and the range of dynamic ports for the rtp media.

Does anyone have any strong opinion about this one way or the other?

Thanks,
Paul

Labels:
0 Helpful
1 Reply 1

Marwan ALshawi
VIP Alumni
VIP Alumni

‎12-08-2011 02:11 AM

Hi

As you sated it is better not to have the firewall in the video path

However if the customer want to then it is possible by making sure you have the right nat and inspection co figured in the firewall

Below link for pix old version of Asa but the concept still apply

http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/cisco_telepresence_pix_firewall_configurations_h323_video_endpoints_kb_105.shtml

By default Port B is disabled on the Cisco TelePresence product. The activation of the video firewall feature allows Port B to be enabled. In a video firewall deployment, one of the ports is connected to the local network (typically Port A) and the other (typically Port B because Port B cannot use DHCP) is connected to the Internet. This allows the MCU to host conferences with a mix of participants from the internal and external networks. This does not compromise your network security because the MCU will never route packets between the two ports, not even media packets.

http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/mcu_ip_vcr_configure_video_firewall_27.shtml

Ports:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/articles/conferencing_products_conferenceme_ports_used_kb_3.shtml

Hope this help

If helpful rate

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents