Firewall Traversal
Sean Lessman
02-17-2005, 09:17 PM
Since last week appeared to be the week of Firewall Traversal according to Wainhouse, I am surprised nobody has brought up this subject. So I will :)
Any thoughts around the whole subject? There is a tremendous buzz on the topic and I would like to get some input from you guys on it.
I think it's quite possible this is the first thread that I have started on this forum :)
Thanks,
Sean
Morgan81
02-18-2005, 07:22 AM
Sean,
I saw the Expressway Webinar on Wednesday but I had a question for you: how much support does TMS have for the border controller (I'm assuming 9.6 only)?
Mark6292
02-18-2005, 10:06 AM
I was unable to view the Tandberg announcement; my thoughts are that firewall traversal will start the video over IP market rolling. The firewall has always been the limiting factor on IP calls between different sites. Most of our current calls are between company offices using ISDN. We would like to move towards IP both for company and client calls. We will be reviewing this with our supplier to determine the way forward.
Mark
robertk
02-18-2005, 12:05 PM
Let's see if I understand it correctly,
IF we want to communicate between my network which has a Border Controller outside our firewalls and a MXP system on the internet.
Then all I have to do is call mysystem@mydnsname.com.
The MXP doesn't have to be configured in any way to do this?
But how do I call that MXP from my network?
Or do I have to set the border controller's IP on that MXP... like a Gatekeeper?
--------------------------------------
Next question is.
If I have legacy products, we have to configure gatekeepers to talk to each other and the border controller?
So company A wants to talk to Company B, both of the companies' gatekeepers have to be configured?
I have tried to read some documents about this... but the material seems to be a little too much "sales-talk" and not as much actual "this is how it works" :^D
It's possible the Expressway makes firewall traversal easier, but still one of the problems seems to be that IF I want to have a conference with someone else, we have to configure the gatekeepers first... it's not just to dial a number :)
//Robert
Sean Lessman
02-19-2005, 04:26 PM
> Sean,
> I saw the Expressway Webinar on Wednesday but I had a question for you: how much support does TMS have for the border controller (I'm assuming 9.6 only)?
The BC is managed by TMS just as the TANDBERG GK is.
Sean
Sean Lessman
02-19-2005, 04:47 PM
> Let's see if I understand it correctly,
> IF we want to communicate between my network which has a Border Controller outside our firewalls and a MXP system on the internet.
> Then all I have to do is call mysystem@mydnsname.com.
> The MXP doesn't have to be configured in any way to do this?
> But how do I call that MXP from my network?
> Or do I have to set the border controller's IP on that MXP... like a Gatekeeper?
> --------------------------------------
> Next question is.
> If I have legacy products, we have to configure gatekeepers to talk to each other and the border controller?
> So company A wants to talk to Company B, both of the companies' gatekeepers have to be configured?
> I have tried to read some documents about this... but the material seems to be a little too much "sales-talk" and not as much actual "this is how it works" :^D
> It's possible the Expressway makes firewall traversal easier, but still one of the problems seems to be that IF I want to have a conference with someone else, we have to configure the gatekeepers first... it's not just to dial a number :)
> //Robert
There are two methods for firewall traversal under the Expressway heading in the first version.
GK --> BC
MXP --> BC
In the GK-->BC setup, any endpoint (and vendor) that registers to the TANDBERG GK will have access to the firewall traversal resources provided by the Expressway solution. If you already have a GK that you prefer to use, you can neighbor that GK to the TANDBERG GK on the inside of the firewall to have the best of both worlds: all the features of your selected GK and the FWT of the TANDBERG Expressway solution -- it's completely additive and does not require you to replace any equipment. On the WAN side, you can register directly to the BC as your Gatekeeper only if you have a MXP, because the MXP has the embedded Expressway technology. You can neighbor any vendor's gatekeeper to the BC on the outside of the firewall and allow any vendor's endpoint to make use of that GK's features and also have access to FWT resources from the outside of the firewall through the natural behavior of neighbored gatekeepers (the TANDBERG BC will neighbor just as a gatekeeper does).
In the MXP-->BC model, the BC is put somewhere between the 2 firewalls (i.e. public internet in most cases) and the MXP at the far end behind its own firewall can also traverse its firewall. In this way, Expressway will solve the firewall issue at both ends.
Example deployment (there are many different ways to deploy)
ANY EP -----> ANY GK <---> TGK ---FW--->TBC <---FW---MXP
Both the BC and GK support DNS lookup for URI dialing. This means you can register your TGK with DNS (i.e. companyXYZ.com points to their GK and company123.com points to their GK; details in the manual).
This means you have a scenario like:
EndpointABC -----> TGK (companyABC.com) TGK (company123.com)<----Endpoint123
Two GKs that are not neighbored.
Person at company123 dials EndpointABC@companyABC.com, the TGK(company123) asks DNS for the location of companyABC and sends a LRQ for EndpointABC to TGK(companyABC). Imagine it as a 'dynamic' neighbor using DNS. Now the process of firewall traversal takes place.
Since both the TGK and TBC support E.164 and H.323 IDs you can take it one step further. Assign the H.323 of your system to be sean.lessman. Now company123 dials sean.lessman@companyABC.com. Once the LRQ reaches TGK (companyABC) it resolves the H.323 ID of sean.lessman.
So, in TANDBERG we are deploying this and you can now dial the 10 digit telephone number of anyone's office number or dial URI using firstname.lastname and reach anyone inside TANDBERG regardless if they are behind a firewall or not. Firewalls have become transparent.
Hope that helps.
Sean
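Added example (not part of Sean's post and not TANDBERG code): a small Python model of the URI-dialing lookup described above, where a gatekeeper with no configured neighbor finds the far gatekeeper through DNS, sends it an LRQ, and the far side resolves an H.323 ID or E.164 alias. The DNS table, gatekeeper names, addresses and the LCF/LRJ reply tuples are constructed for illustration; the post does not say which DNS record type is used, and the firewall traversal step itself is not modeled.

```python
# Constructed stand-in for DNS: domain -> gatekeeper name (keys lowercased,
# since DNS names are case-insensitive). Record type is not given in the post.
DNS = {"companyabc.com": "TGK-ABC", "company123.com": "TGK-123"}

class Gatekeeper:
    def __init__(self, name, domain):
        self.name, self.domain = name, domain.lower()
        self.by_alias = {}  # H.323 ID or E.164 number -> endpoint address

    def register(self, address, h323_id=None, e164=None):
        """Register one endpoint under either or both alias types."""
        for alias in (h323_id, e164):
            if alias:
                self.by_alias[alias.lower()] = address

    def handle_lrq(self, alias):
        """Answer a Location Request: confirm (LCF) or reject (LRJ)."""
        address = self.by_alias.get(alias.lower())
        return ("LCF", address) if address else ("LRJ", None)

    def dial(self, uri, gatekeepers):
        """Resolve alias@domain as described in the post; return a trace."""
        alias, sep, domain = uri.rpartition("@")
        if not sep or not alias or not domain:
            return [("reject", "not an alias@domain URI")]
        domain = domain.lower()
        if domain == self.domain:             # our own domain: no DNS needed
            return [("local",) + self.handle_lrq(alias)]
        target = DNS.get(domain)              # the 'dynamic neighbor' lookup
        if target is None:
            return [("dns", domain, "NXDOMAIN")]
        reply = gatekeepers[target].handle_lrq(alias)
        return [("dns", domain, target), ("lrq", target, alias), reply]

def demo():
    """Two gatekeepers that are not neighbored, one registered endpoint."""
    abc = Gatekeeper("TGK-ABC", "companyABC.com")
    c123 = Gatekeeper("TGK-123", "company123.com")
    # Constructed registration: documentation-range address, made-up number.
    abc.register("192.0.2.10:1720", h323_id="sean.lessman", e164="5551230100")
    return c123, {g.name: g for g in (abc, c123)}

if __name__ == "__main__":
    caller, gks = demo()
    for uri in ("sean.lessman@companyABC.com", "nobody@companyABC.com"):
        print(uri, "->", caller.dial(uri, gks))
```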
Glen Sykes
04-25-2005, 11:40 PM
Hi Sean,
Anything that manufacturers can do to make things easier for businesses to call each other over IP can only be a good thing. I also think that it's a brave move for Tandberg to use DNS as its address resolution method, given its obvious flaws (i.e. dialling numbers :D ), however it's about time someone stuck their neck out and tried to do something about this.
I'd like to see support for ENUM at some point, I've seen some rumblings in the open source community about supporting this on their gatekeepers. I think this would make a lot of sense, although maybe it's a bit early yet.
One thing I would say is that for firewall traversal to work properly, you need both the GK and BC, and I do think that this makes the solution very expensive. With UK prices, this means £15,000 for 5 calls to systems outside the network. Whilst I always appreciate good money from a sale, I think still that this is a high figure, almost prohibitively high. I guess only sales of the product will tell if this is right or not.
Well done to Tandberg for grasping the nettle though, hopefully we'll see a standard for this sort of thing soon to take some of the sting out of this problem (pun intended :laugh: )
trapehzoid
04-30-2005, 07:15 PM
now if we could just get everyone to use gatekeepers!
some of the 'universal dial plan' stuff works pretty well.. some of the stuff out of internet2.. but standardizing any of it has always bogged down. Mainly due to service provider type needs.
pure h323 URLs is interesting.. but to be successful the remote sites need to pony up as well. hopefully some of these with commercial backing will start gaining traction.
'what's your IP address?' is getting a really tired question