Slow down Jabber connection on after a PC resume? Or ability to connect Jabber to VCS-E behind another insitutions firewall

Chris Swinney
Level 5

I have re-titled this thread as the conversation moved on from the initial idea of stopping Jabber from accessing the home VCS-E when on site, to actually needing to access a VCS-E when at a remote site.

Hi all,

VCS-C and E: x7.2.2

Jabber Video: 4.6

This is an odd question as we have an odd problem. We have a sample deployment as shown in the diagram below:

[Image: Basic Single site operation 3.png]

This all works fine - assuming the roaming user's Jabber client registers to the correct VCS. The problem comes when the remote user puts their laptop to sleep, brings it into work, connects it to the dock and wakes the machine up. It seems that Jabber tries to connect before the Ethernet connection is fully active, therefore the connection to the local VCS-C for provisioning info fails. However, I believe the Ethernet connection then comes up, as Jabber then attempts to contact the VCS-E (as it would do when offsite). This means that the provisioning info fed to Jabber is that for an external connection, so Jabber then registers quite happily to the VCS-E:

[Image: Basic Single site operation 2.png]

The problem comes then when attempting to make or receive a call - the Jabber client connects but the user doesn't receive any audio and video. I suspect that the problem lies in the institution firewall as the call is essentially routed to the client via the VCS-E and so the firewall is blocking the UDP traffic to the client.

If there was a way to slow down the Jabber client after a system "wake" (all is OK after a boot), then this would resolve the problem.

However, after thinking about this - maybe the best way would be to block outbound access to the VCS-E on ports 5060 and 5061 at the firewall?

Comments please?

Cheers Chris

15 Replies

I have been pondering this predicament over the past few days and have come to the conclusion that Cisco probably could offer a solution:

As the VCS-E acts as a traversal server, it supports the Assent firewall traversal protocol for SIP as well as H.323. A Cisco MXP endpoint using H.323 could register to a VCS-E locally using Assent - meaning that only a small number of outbound ports need to be opened to allow full two-way communication (UDP/1719, TCP/2776, UDP/2776 and UDP/2777). We use this for institutions that have only one endpoint and so a VCS-C would be a bit of overkill.

According to the VCS Admin guide for x7.2 (page 234), SIP Assent uses the same media ports as H.323 and the default SIP signaling ports. However, I don't know if the Jabber Video client supports this type of firewall traversal. I know it supports ICE/TURN, but according to the Jabber 4.6 Admin Guide (page 36), it says:

"Note that firewall traversal using TCP relay is not supported when using Cisco VCS as a TURN server at this time."

Maybe this is something that will change in the future - it would make this kind of implementation a lot simpler and network admins a lot less twitchy.

------------

In the meantime, the VCS admin guide (page 217) goes on to say that a single traversal call can have 5 streams and this means a minimum of 20 ports are required, 40 with encryption (inbound and outbound - but of course, I am only really concerning myself with the outbound ports, so essentially we have 10 outbound ports normally, and 20 with encryption). It then says that this port range needs to be large enough to be able to cope with the potential number of traversal licences we have. This is 50 per VCS-E, but if we cluster 4, then that rises to 200! So 200 x 40 = potentially 8000 open ports!!!!!!

The Jabber Admin guide (pages 18 and 32) says that a minimum of 10 ports need to be defined in the provisioning template (although this refers to inbound ports, as I assume Jabber will use the ephemeral port range to establish an outbound media connection). I also assume that this minimum needed would rise to 20 ports if encryption was used - to tally with the VCS guide. However, whilst each client is only liable to be in one call at any given time, potentially there may be additional calls that come in and are put on hold - and I'm assuming that if a second call was taken, a different set of ports would need to be allocated. Still, I would limit this range significantly from the default (21,000-21,900 - 900 ports) to maybe 40-60 ports (thus allowing 2-3 simultaneous calls per client).

In which case we would define an inbound rule such that:

Source FQDN      Source TCP/IP Port    Destination FQDN              Destination TCP/IP Port    Rule
FQDN_VCS-E(s)    UDP 50000-57999       All Visiting Eduroam Users    UDP 21000-21060            Allow

This, of course, also assumes that no other application is using the UDP ports on the client at the time of the calls!!!!

All a bit tricksy!

-----------

So back to my first point (in this post!) - Cisco - wouldn't it be nice if you could get firewall traversal inbuilt into the Jabber client and supported on the VCS-E?
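As an added worked example (not part of the thread and not Cisco's own tooling), here is the port-range sizing from the two replies above carried through as a small Python planner: it computes the VCS-E traversal media range required from traversal licences, cluster size and encryption, the client-side range needed for a chosen number of simultaneous calls, checks both ranges against those requirements, and emits the inbound allow rule in the same column order as the table above. The per-call figures (20/40 ports on the VCS-E, 10/20 in the Jabber template) are taken exactly as the post states them; the VCS-E range 50000-57999, the client range 21000-21060, the name FQDN_VCS-E(s) and the group "All Visiting Eduroam Users" are the post's own figures reused as constructed sample input. Ranges are counted inclusively, so 21000-21060 is 61 ports.

```python
"""Planner for traversal media port ranges and the matching inbound firewall rule.

Per-call figures are those quoted in the post from the VCS x7.2 and Jabber
Video 4.6 admin guides; everything else is constructed sample input.
"""
from dataclasses import dataclass

# Ports consumed by one traversal call on the VCS-E (inbound + outbound), as stated in the post.
VCS_E_PORTS_PER_CALL = {False: 20, True: 40}   # keyed by "encrypted"
# Ports the Jabber provisioning template must reserve per call, as stated in the post.
CLIENT_PORTS_PER_CALL = {False: 10, True: 20}


@dataclass(frozen=True)
class PortRange:
    start: int
    end: int  # inclusive

    def __post_init__(self):
        if not (1 <= self.start <= self.end <= 65535):
            raise ValueError(f"bad port range {self.start}-{self.end}")

    @property
    def size(self) -> int:
        return self.end - self.start + 1

    def __str__(self) -> str:
        return f"{self.start}-{self.end}"


def vcs_e_ports_required(licences_per_vcs: int, cluster_size: int, encrypted: bool) -> int:
    """Media ports the VCS-E range must cover if every traversal licence is in use at once."""
    return licences_per_vcs * cluster_size * VCS_E_PORTS_PER_CALL[encrypted]


def client_ports_required(simultaneous_calls: int, encrypted: bool) -> int:
    """Ports the Jabber template range must hold for the given number of concurrent calls
    (an active call plus each call on hold keeps its own set, as the post assumes)."""
    return simultaneous_calls * CLIENT_PORTS_PER_CALL[encrypted]


def calls_supported(rng: PortRange, encrypted: bool) -> int:
    """How many concurrent client calls a template range can actually serve."""
    return rng.size // CLIENT_PORTS_PER_CALL[encrypted]


def inbound_media_rule(vcs_e_fqdn: str, vcs_e_range: PortRange,
                       client_group: str, client_range: PortRange) -> str:
    """One plain-text allow rule in the column order used in the post's table."""
    return (f"{vcs_e_fqdn}  UDP {vcs_e_range}  {client_group}  "
            f"UDP {client_range}  Allow")


def plan(licences_per_vcs: int, cluster_size: int, encrypted: bool,
         vcs_e_range: PortRange, client_range: PortRange, wanted_calls: int) -> dict:
    """Findings a firewall admin would want to see before committing the rule."""
    need_vcs = vcs_e_ports_required(licences_per_vcs, cluster_size, encrypted)
    need_client = client_ports_required(wanted_calls, encrypted)
    return {
        "vcs_e_ports_required": need_vcs,
        "vcs_e_range_ok": vcs_e_range.size >= need_vcs,
        "client_ports_required": need_client,
        "client_range_ok": client_range.size >= need_client,
        "client_calls_supported": calls_supported(client_range, encrypted),
    }


if __name__ == "__main__":
    # Constructed sample input using the figures from the post: 4 clustered VCS-Es
    # with 50 traversal licences each, encrypted calls, 3 concurrent calls per client.
    vcs_e = PortRange(50000, 57999)
    client = PortRange(21000, 21060)
    for key, value in plan(50, 4, True, vcs_e, client, wanted_calls=3).items():
        print(f"{key}: {value}")
    print(inbound_media_rule("FQDN_VCS-E(s)", vcs_e, "All Visiting Eduroam Users", client))
```

Run with the sample input, the planner confirms the 8000-port VCS-E figure from the post, that a 61-port client range fits 3 encrypted calls (with one port to spare), and prints the allow rule; change `wanted_calls` or the encryption flag to see when the template range stops being large enough.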
