Inorder to do successful VTC over IP, your network should be reliable. Firewall, nat, pat - they are not friendly when it comes to VTC. My experience tells me you need to have both technical knoweldge in networking as well as interpersonal skill to work out with Network Engineers.

I want to hear \ share both pain and pleasure of working with Network folks. For networking folks, as long if you could ping , network is good. For us we need more than being able to ping and trace.

What tools do you guys use to convince networking guys to tailor networking to VTC need?

Please share both technical and non-technical tricks.


Thank you.

In my experiences it has generally come down to two things. Education and control. Our company is involved mostly with business to business customers with a few colleges and hospitals thrown in the mix. If the network folks are not initially involved in the idea and VC is new to them its like anything, thier space is being invaded and you are indeed the enemy. I learned the hard way OFTEN when video over IP came onto the scene. Not only was I asking them to put something that in thier mind would suck the life out of thier network, but I am also a female asking them to do this :o . (talk about having credibility issues...) Personally I don't like having to fight my way on the network so I began making sure that the networks folks were aware of "the plan" prior to any installations and ensuring that they were educated on H323.

For those that insist on being difficult do the only thing you can....shake ya tailfeather!! :P

I seem to be one of the lucky ones that has dealt with a network staff that is somewhat excited about video. I think the network folks look at video as another service that justifies building a very beefy and robust network. Now having said that I can also tell you that having a little bit (enough to be dangerous) of knowledge about the networking side is sometimes necessary. Basically it seems like you need to have at least a basic understanding of the network so you can have an intelligent conversation when talking to them.
As for diagnostic tools, I’m also always on the lookout. At this point I generally tend to find problems in the network when pushing very large video streams around the place.
BTW taking the network guys to lunch every once in a while is also a good idea :lol:

Hello ssmith26 and welcome to the forums.

Yeah imagine going through all that you've been through AND having to convinve them that it will be "secure" on their network as well.

Security?? Kidding...

Thank you for the welcome George! I actually read this forum just about everyday. I was waiting for the right moment to make an appearance. :ph34r:

I KNOW everyone is thinking this... I'll just be the one to say it...

VERY CAREFULLY

or

With a 12 Gage.






B)

Gary Miyakawa

Originally posted by Gary Miyakawa@Jun 16 2004, 02:05 PM
I KNOW everyone is thinking this... I'll just be the one to say it...

VERY CAREFULLY

or

With a 12 Gage.






B)

Gary Miyakawa
Whoa..........that actually was what I was thinking. You are starting to freak me out with the mind reading Gary. :ph34r:

Approach our network's self-proclaimed "gurus" about H.323....not gonna do it....there's only one person here who can do that, and he's got two stars over me....

Oh, yeah, and he's much more effective than a 12-gauge... :D

I have found that the best way to deal with them is to know as much or more than they do. I have gone out and become Cisco certified, wirless certified, and security certified on top of VTC certified. They will listen to you if you know what you are talking about. H.this or G.that means nothing to them all they want to know is how much bandwidth are you going to take and will email still work.

I am SO GLAD this topic has come out...I have been in this industry for 14 years and have played on many "sides of the fence" from sales, to writing user manuals specific to custom integration, to training end users, to servicing customers both via call center and on site...now, for the past 3 1/2 years i have been an "end user".....initially a "one person team" in bringing this technology to the forefront for largely diversified, multi-campus healthcare facility.

i can confess that up until the the past 9 months, our group (now we are four) and the technology were not recognized as a key player in the fastly growing dependance on video communications for all facets of meetings, education, etc *****. Iit was extremely difficult in the earlier days to work with the IS Telecom Team in resolving the numerous ISDN issues we faced, let alone the network providers' denials of where the problems were......it took a lot of educating and proving that it was not "our equipment". Once I finally achieved the respect from Telecom that I knew what I was doing..it did get easier (internally...the network provider will always be troublesome).

As for the IP.Network and Server teams in IS...another story. I had communicated with, and kept all in tune with what what I was building (upon arriving here, there were 6 old Intel Teamstations and a PTEL H323 MCU that was bought from a "box house" and as we all know....never had any support, installation, training, etc...and therefore never used). Before I came, this technology was handled by the IS Desktop Team for each site.....basically....very low on the side of priorities and attention.

I got rid of all that crap and now we are growing fast and furious with Polycom FX's and VS surrounding the Accord (Polycom) MGC 100. For all the obvious reasons, VC was immediately removed from IS, as I was put in a world all my own...IS thought they washed their hands of it. In deploying the new systems...following procedure to have set static IPs was constantly questioned...I had to grin and bear it...always positive...but always "covering my a**" in keeping the teams in the loop as to what was going to be in the future for this technology as it began to grow significantly.....I never got much attention in return.....but could never be accused of "holding out" or "surprising" when our LAN was being used more and more for vinternal video.

We have finally reached the point of not return with the IS Network Team and they have been reluctant to view our technology as a necessity for bumping up bandwidth to some locations. it was not until we began experiencing detrimental, conference ending problems over the LAN and had unpleasant experiences with high level administators, medical education lectures,and executives that we came head to head and put them up against the wall. It also helped that our Vice President of Corporate Services is our "big boss" and theirs....and he is a visionary in this technology.

It still gets bumpy...our systems being blamed for LAN traffic issues they get from other areas...but being that I have been here long enough and have the technical responisibilities for our vc network, our merging together is beginning to solidify. We just began a "VLAN" deployment for two of sites and taking our systems out of the mainstream of traffic has proven to be a great leap forward in shared successes in the face of the entire enterprise. We cannot do QOS simply because they do not want to prioritize ...the enterprise-wide constant "go lives" for various new and updated patient-related software systems and file management.

As a matter of fact....i will be attending technical training on PathNavigator....which we are strongly encouring they have someone be part of in order for us to implement this powerful tool....I am promoting it as the fundemental means of truly monitoring, reporting and documenting just how our VC's behave over the LAN and that all the questions going back on forth about the actualities of VC over IP technology will be right in the "palm of our hands".

it has been a long road...and still is....but the technology is merging no matter what either side said no we have no choice....just smile, buy lunches, and treat this environment like it an opportunity for successes all around....

you are all working for the same thing...same company....providing a service to the people in that company.

if you a a reseller, rep, etc....getting the IS or IT folks involved will be even harder...BUT....it is NOT your sole responsibility...the key thing is to educate the customer in such a way as they can approach their IS/IT and get them involved with you....

Just remember..."The train aint stoppen'"and you both are on board....I wouldn'* jump off..or push them off...although you may want to!!

GOOD LUCK

I agree with Mike.
I joined the VC industry after having experience in computers
and after doing my MCSE way back in 1997.
And now due to the hassles of NAT ,Firewall..etc.,
I have decided to get myself Cisco certified...,
Now a days i am attending classes oc Cisco
along with my other collegues.
I feel that being in VC industry doesnot mean
we are out of IT.
Un fortunately the networking folks feel that
routers,switches and CAT5 are the only things
which belong to Networking or I.T means computers only.
Actually VC equipments are also Computers which talk
I.P or H.323 and on I.S.D.N they talk H.320.
So we V.C engineers are also very part of I.T
In fact we know better.
Regards
Hari

H.this or G.that means nothing to them all they want to know is how much bandwidth are you going to take and will email still work.
LOL, Now that... is a true statement :laugh:

Hariharan.I.D, you hit it right on the nose as well. I can't tell you how many times in my career I've talked to network people about VTC over IP and they start comparing it to VoIP. Network people know their networks. True enough. But when you start talking about video on the network I've found their knowledge to be generally lacking (except our current network guys actually).

I guess for them it's kind of like hiring a financial planner. They have been doing fine with their money so it's kind of hard to step aside and put their money in the hands of someone who deep down they know knows the subject better.

Well here we go, My first post (and I hope I dont get any visits from 12 bores)!!!!!
I think I can look upon this subject with a very open mind, I started in the IT industry 6 years ago and I done all the cisco exams and managed to get a very good job designing, running and upgrading a network.
Then the Tandberg 6000 arrived and the team I work in was given the job of looking after it. That was 5 years ago and considering that all we had to do was give it an IP address and plug it in (Our private LAN covers all sites form Germany to South America) there was not a whole lot to get worried about.
I can however look at the present day situation where I am now going to install an MCU, the group leader for the network declared that "he was not going to allow this peice of kit in to HIS!! network without thorough commisioning, Ok there you have it, we have been doing VC support for 5 years in the same office and also doing the network support and guess what? now the team leader is on a mission!!!!!
My experience is that the whole problem boils down to paranioia (think thats how you spell it) and territory.
Some of these people (not all) beleive in their own minds that they are on a different plain to all the rest of the world.....its POWER!!!!! cross that with human nature and a Cisco certificate and in the wrong hands can turn someone from Arnie in Terminator 2 back in to Arnie in Terminator 1 but with worse dress sense and serious halitosis!!!(has anyone else out there heard of a Curry shirt)?
Think of it like this, it started off with UNIX gurus, now its Networks turn, guys and girls of the VC world, "We will have our day"!!!!
End trans!

I keep stumbling upon old threads and wanting to join in on them...

I think valid points have been made by all. My most recent headache with VTC and firewalls has boiled down to their network engineer telling me, "Why doesn't this device act like every other IP-enabled device on the network? Why doesn't it just work when we plug it in?" Of course I'm paraphrasing, but you get the idea. They look at VTC as something entirely separate from the rest of the network infrastructure, but really, they should start looking at how to incorporate this new technology.

IP networks are complicated. A lot of the configuration on the codec depends on the network topology. Also, if the network is locked down so tightly, how can they hope to get any practical use out of it? I'm not faulting security here, I just want the network engineers to acknowledge that the codec is a high-bandwidth multimedia telephony device, and its resource requirements are greater than say than that of a web browser.

What is the VTC certification? I havent heard anything about it b4.

thx

What is the VTC certification? I havent heard anything about it b4.

thx

IT is a certification that tells everyone that you know all the basics and more of Video Conferencing and all it entails , audio,video, algorithms, bandwidths, ISDN and IP.

If you go to the Polycom website you can find it, It is the Certified Video Engineer course. THey have a course, and you can challenge the test as well. Although the course is conducted by Polycom it is not a Polycom course, it is a generic course based on the things you need to know to successfully deal with video confernecing from the ground up.

Wow good topic. I started as desktop support then cable installer then network tech then network engineer then network security engineer then VTC/VIS engineer all over the past 11 or so years mostly in the goverment community and I can tell you that bringing in the network and security folks from or before the project starts is the only way to ensure a smooth install and continued support. Without doing that it will be an uphill battle all the way, and then they will not take ownership if any network problem cause the VTC sessions to fail. As soon as the word VTC/Tandberg/Polycom/MCU/etc. is mentioned in the trouble ticket they will percieve it as not their issue and you as the VTC guy will have to expend resources to prove it was a network problem that needs to be looked at.

Yes, coordination with the network folks is essential. It is hard when they don't really comprehend video conferencing. That's where the course, I believe can help as well. Also, the new standards which will be coming out at the beginning of the year, which will standardize video through firewalls so, that all manufacturers whether PIX or what, will have the same standard for putting video through firewalls will certainly help. I think this will galvanize the migration to IP for many folks.

As a video network engineer I can see it from both sides. I was a Data network guy for along time then I switched to video and now I can see it from both angles, Data is very bursty and errors are no big deal because they can be retransmitted so even a weak network can operate very well. most data is very low bandwidth( I know there are exceptions) so network congestion is not a big issue but with video, a lost packet cant be resent and used so a free flowing network is a nessecity and that is what data people dont seem to get. Also alot of it is pride, when you design, build, and maintain a network you pretty much put your heart and soul into it, its almost like a digital child and when someone comes along and tells you that your hard work is a peice of sh** of course your going to take offence to it and go on the defencive. as for me I have the luxary of having a dedicated video network so I dont really have to deal with this with the exception of a few remote sites that I have to share a T1 with the IS dept but their traffic is so minimal that video has no affect on it. but anyway when dealing with network engineers take into account that they have worked very hard to build that network and have put much effort into maintaining it and dont take to kindly to people insulting it its like insulting them personally.

For the record, I am both the Network Manager and Video Conference lead in my organization. If you are receiving "attitude" from network types, you are dealing with less than professional individuals. As a network manager, my job is to provide reliable, secure services to my customers (all my organizations users). Data, voice, video - its all stuff my customers need. What it comes down to is customer service - it's my job to know the technical stuff not my customers. My job is to take a business need and apply technical solutions. I suggest being polite and professional, but also settle for nothing less from the gekes you have to deal with. Some will tend to have little or no interpersonal skills, that's why they work with computers!

We were fortunate in that when we first began looking at videoconferencing over IP, IS was investigating migrating data and voice to IP. We were brought in to the decision making process to add video over ip to the groups mission. One thing I've found helps in relationships like this is to (not to be cliche) take every opportunity to make them feel important. If they offer to help, let them help. Ask questions.....show an interest in what they do. The network guys I work with seem to be willing to really jump through hoops when I have a request. Gotta love that!

Frank
http://www.jaxdistributing.com

1. VTC (A/V) Engineers/Technicians will become Network Engineers, due to the fact that we work on VTC over IP/SIP which requires network understanding and troubleshooting skills. Also traditional Video cabling in rooms is becoming network transmission mediums.

2. To properly assimilate yourself with Network Engineers bread from when they were young, you have to basically become friends and get close and personal, at the same time you need to listen and give them the respect they so often are hungry for. I was born in this Field as a Communications Electrician in the Navy, and my dealings with IT type folks is always the same from the military to the civilian world. ITs arent Electricians because most can not grasp electrical circuit therory and most Electricians can grasp Network theory and applications, so with that being said, IT Engineers need extra love and comfort for them to give you respect knowing that they really wont ever enter the electronics field. sorry if this doesnt make sense, but I think from my experiences this is what it boils down to.

Also, If any take offense to this I'm sorry in advance.

I love this thread!

So, are videoconference appliances a risk to network security?

If not, how do you convince a network security guy to ease up on some of the firewall rules for videoconferencing?

One of our IT directors posed this question today:

“I am wondering if someone could articulate good reasons (not personal preferences) for putting VC codecs behind a firewall. If security is the main concern, are there instances that can be cited where these devices have been compromised. While having the codecs behind a firewall makes us sleep better at night, is the concern realistic? I really want to know. If not, then why should it be necessary to introduce yet another layer in the way of the traffic -- since regardless of how well firewalls play with VC, they still add overhead and delay which to video traffic is very significant.”

I can’t think of any benefit for putting codecs behind a firewall.

Nor can I find any evidence of firewall exempt codecs causing security issues.

Can any of you?

If there is a reason, great. But if not, why do we do this?

THX
DON
Donald Robert Dover - Videoconference Operations Manager
Washington State University Academic Media Services
dover@wsu.edu / 509-335-6535 / www.ams.wsu.edu

Technically ANY statically opened hole in a firewall can be viewed as a security risk - though it's debatable how severe a breach can actually occur if it only leads to a videoconferencing device. I'm aware of some hacks that have used industry products (codecs, MCUs, management servers) as FTP servers, but never as a foothold to intrude into other portions of the network. Though theoretically I guess it could happen, it would be pretty difficult to do, and the people smart enough to do so are typically making a lot of money already writing code to prevent these sort of attacks. A NAT statement pointing to a video codec or a typical server is much harder to exploit than the average NAT statement on a home-use firewall pointing to a home-use Windows PC.

Some admins run their entire video network on public IPs, for ease of accessiblity. Hacks of these setups typically are based on compromised or easily-guessed passwords and are focused on utilizing conferencing resources for free and not on an attack of any kind. And even those are, really, pretty rare. An enforced password-usage rule across the enterprise typically secures a video deployment just fine. And even if someone does hose up a codec, what's really in there? Reload the software back to factory fresh, punch in its IP address and/or ISDN number, register to the gatekeeper and global directory if used, put a password on access to settings, and you're placing calls again.

Realistically, FWIW IMHO, there is no compelling security reason to place video codecs behind a firewall - nor is there a compelling security reason to place everything outside the firewall. The decision typically comes down to a tradeoff between cost and ease of use. It's cheaper to not own public IP addresses for every codec, or to keep someone on staff who understands how the NAT statements work and where they point to - so there's a driver for situating codecs inside the firewall and mostly talking internally on the LAN. But it's easier to place and receive calls from users outside the enterprise if you aren't having to navigate NAT statements and adding another layer of troubleshoot complexity - a driver to put codecs on public IPs. Most deployments have combined the two approaches by putting most codecs on the LAN, and having access to the WAN via an MCU or gateway. Some setups require users to change settings on the codec on a call-by-call basis depending on whether a LAN or WAN call is being placed. This has, quite often, led to confusion and frustration.

And frankly, a lot of times someone who doesn't understand security gets put in charge of security policy, blusters about putting everything behind the firewall because they went to a 2-day seminar and heard that was safer, and everyone who reports to that person complies whether the orders make sense or not.

Application Layer Gateways (ALGs) like the V2IU solve nearly all the security, cost, and ease of use problems. When a call is placed from a LAN codec registered to the ALG, the ALG analyzes the IP address or E.164 extension being dialed. If it's a LAN call, the ALG keeps the call on the LAN - otherwise the call is assumed to be going to the internet and goes out the default gateway heading toward the WAN. Ports are opened in real-time on an as-needed basis, for inbound calls from the WAN or outbound calls to the WAN. No NAT statements, no call-by-call config changes, no more pulling your hair out. And the V2IU can act as a stateful inspection data firewall as well, with typical firewall features like configurable NAT statements and VPN setup for non-H323 applications.

I have found that the best way to deal with them is to know as much or more than they do. I have gone out and become Cisco certified, wirless certified, and security certified on top of VTC certified. They will listen to you if you know what you are talking about. H.this or G.that means nothing to them all they want to know is how much bandwidth are you going to take and will email still work.

Good point!