View Full Version : Frontier server compared to Tandberg Border Controller


Billy
10-09-2006, 10:00 PM
Has anyone implemented a firewall traversal system based on the Frontier server and MXM server? Information we have is that only two ports (80 and 443) have to be opened in the firewall. Whereas the Tandberg Border controller requires 4 ports to be opened (1719, 1720, 2776, 2777). Also with the Tandberg BC only H460/18/19 endpoints can register with it which pretty much makes it useless for any other codecs (software and hardware) to register with it unless it's an MXP endpoint if your BC is restricted to the 4 ports mentioned above. We have been told the Frontier solution doesn't have this limitation. We have the Tandberg solution in place but are looking at the Frontier one to overcome the limitations with software based VC clients not being able to register directly with the BC.

trapehzoid
10-09-2006, 11:05 PM
why are you opening ports for traversal solutions? the whole point is to NOT have to open ports unless you block all outgoing traffic.

the tandberg BC only supports h.460 endpoints or tandberg systems to register directly to it. But because of this, it offers the most secure model. tandberg allows non-h.460 systems to work if you register them to a tandberg GK and it works like a 'proxy' for them.

these other solutions are client-server tunnels which aren't as secure.

are you trying to provide traversal solutions to the software clients, or are you trying to allow people to call into your network? i.e., whose firewall are you trying to overcome?

Sean Lessman
10-10-2006, 12:45 AM
Also with the Tandberg BC only H460/18/19 endpoints can register with it which pretty much makes it useless for any other codecs (software and hardware) to register with it unless it's an MXP endpoint ...

The Polycom VSX systems support H.460.18/19 in the latest revision of software. Although their implementation is not as flexible, it does work.

Sean

Billy
10-10-2006, 10:07 PM
That clears up some things as the sales guy said we could register any web cam or personal system with the BC which obviously isn't true. This was something we didn't find out until we bought the BC.

The main part of my question was if anyone had experience with the frontier system as they say any personal system or web cam can register with their equivalent of the BC. Once bitten twice shy.

robertk
10-11-2006, 03:21 AM
That clears up some things as the sales guy said we could register any web cam or personal system with the BC which obviously isn't true. This was something we didn't find out until we bought the BC.


No, that was wrong; only H323 systems that support the h460 standards can register with a Border Controller.

However, since yesterday Tandberg has a new product that does what you want!

TANDBERG movie!

http://www.tandberglaunchpad.com/

It should let you have a webcam on a M$ windows system connect to your internal VC systems and conduct a videoconference... I don't have more information than this, looking forward to getting my hands on this product.


The main part of my question was if anyone had experience with the frontier system as they say any personal system or web cam can register with their equivalent of the BC. Once bitten twice shy.

No I have never heard of it... is it released? And I would think it's just a gatekeeper with added functionality like the bordercontroller :)


//Robert

Sean Lessman
10-11-2006, 06:39 AM
Information we have is that only two ports (80 and 443) have to be opened in the firewall.

Looks like a tunneling solution which opens up a hole for anything to go through using port 80 (HTTP) or port 443 (HTTPS). This will cause problems with any application layer firewalls that inspect traffic as it will not appear to be HTML. Also, this solution isn't standards based which may or may not be of concern to you meaning you cannot rely on the clients that will be built into products in the near future.

Whereas the Tandberg Border controller requires 4 ports to be opened (1719,1720, 2776,2777)

Just to be clear the BC does not require you to 'open' any ports. All that is required is outbound traffic on those 4 ports to the BC.

Sean
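Added example (not part of the thread): a sketch of the first-payload check an inspecting firewall makes on ports 80 and 443, which is why a tunnel that does not look like web traffic gets flagged as described above. The function names and sample flows are constructed for illustration, and the TPKT/Q.931 check assumes the tunnel carries raw H.323 call signalling.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")

def looks_like_http_request(payload: bytes) -> bool:
    """Request line must be: METHOD SP target SP HTTP/x.y CRLF."""
    if not payload.startswith(HTTP_METHODS):
        return False
    line, sep, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    return bool(sep) and len(parts) == 3 and parts[2].startswith(b"HTTP/")

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record type 0x16 (handshake), version 3.x, handshake type 0x01."""
    if len(payload) < 6:
        return False
    rec_type, major, _minor, length = struct.unpack("!BBBH", payload[:5])
    return (rec_type == 0x16 and major == 0x03
            and 0 < length <= 16384 and payload[5] == 0x01)

def looks_like_h323_signalling(payload: bytes) -> bool:
    """TPKT header (version 3, reserved 0, 16-bit length) + Q.931 discriminator 0x08."""
    if len(payload) < 5:
        return False
    version, reserved, length = struct.unpack("!BBH", payload[:4])
    return version == 3 and reserved == 0 and length >= 5 and payload[4] == 0x08

def classify_first_payload(dst_port: int, payload: bytes) -> str:
    """Compare the first client payload with what the destination port implies."""
    expected = {80: looks_like_http_request,
                443: looks_like_tls_client_hello}.get(dst_port)
    if expected is None:
        return "not-inspected"
    if expected(payload):
        return "conforms"
    if looks_like_h323_signalling(payload):
        return "tunnel-suspect:h323"
    return "protocol-mismatch"

# Constructed sample flows: (destination port, first client payload).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, bytes.fromhex("16030100310100002d0303") + bytes(43)),
    (80, bytes.fromhex("0300001c0800") + bytes(22)),   # TPKT-framed Q.931
    (443, b"\x00\x01binary-tunnel-frame"),             # opaque framing
]

def audit(flows=SAMPLE_FLOWS):
    return [classify_first_payload(port, data) for port, data in flows]

if __name__ == "__main__":
    for (port, _), verdict in zip(SAMPLE_FLOWS, audit()):
        print(port, verdict)
```

A tunnel wrapped in a genuine TLS session on 443 passes this check; only a firewall that terminates TLS can see what is carried inside.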

trapehzoid
10-11-2006, 11:57 PM
That clears up some things as the sales guy said we could register any web cam or personal system with the BC which obviously isn't true. This was something we didn't find out until we bought the BC.

any of those systems can call you through your border controller, but your border controller can not traverse their firewall for them. For that, the system needs to be a h.460 client.

The solution everyone does for this is to put a 'client' behind the remote user's firewall too.. the difference is where is the client? built-in (h.460)? a proxy behind the firewall (h.460 enabled gatekeeper), or a client program (radvision, ridgeway, etc). The last solution typically creates a tunnel to the server rather than handling it on a pure call basis, and that's where the security story gets ugly.

Sounds like you had miscommunication in what you were looking to do. the border controller works with those systems, just not as a traversal server for them without a client of some sort

crashin
10-13-2006, 01:34 PM
I'm working on this same kind of situation. I am looking to migrate from ISDN to IP video conferencing and I have been looking at the Tandberg Expressway to perform that function. If I have read this correctly I should be able to have external parties call into my video conference system as long as I have both a Border Controller and a Gatekeeper, correct?

Regardless of their endpoint situation?

Sean Lessman
10-13-2006, 02:37 PM
I'm working on this same kind of situation. I am looking to migrate from ISDN to IP video conferencing and I have been looking at the Tandberg Expressway to perform that function. If I have read this correctly I should be able to have external parties call into my video conference system as long as I have both a Border Controller and a Gatekeeper, correct?

Regardless of their endpoint situation?

Easy way to think of it is as a client-server relationship. The Border Controller is the server and the client resides in any H.460.18/19 gatekeeper (i.e. TANDBERG Gatekeeper) or H.460.18/19 endpoint/MCU/gateway/streaming server etc (MXP, VSX, MPS, TANDBERG Gateway etc.)

Any client can talk to the server. If you do not have a H.460.18/19 client (i.e. Ipower, Accord, VCON, Codian, MCM, ECS etc) you must communicate through something that does have a client (i.e. H.460.18/19 gatekeeper).

So, any endpoint, MCU, gateway, streaming server, gatekeeper etc. that does not have a built in H.460.18/19 client can register/neighbor as a normal H.323 device to a H.460.18/19 enabled gatekeeper and use its client to talk to the server (Border Controller). This allows *any* non H.460.18/19, H.323 device to use the solution.

Hope that helps.

Sean

crashin
10-13-2006, 02:45 PM
Easy way to think of it is as a client-server relationship. The Border Controller is the server and the client resides in any H.460.18/19 gatekeeper (i.e. TANDBERG Gatekeeper) or H.460.18/19 endpoint/MCU/gateway/streaming server etc (MXP, VSX, MPS, TANDBERG Gateway etc.)

Any client can talk to the server. If you do not have a H.460.18/19 client (i.e. Ipower, Accord, VCON, Codian, MCM, ECS etc) you must communicate through something that does have a client (i.e. H.460.18/19 gatekeeper).

So, any endpoint, MCU, gateway, streaming server, gatekeeper etc. that does not have a built in H.460.18/19 client can register/neighbor as a normal H.323 device to a H.460.18/19 enabled gatekeeper and use its client to talk to the server (Border Controller). This allows *any* non H.460.18/19, H.323 device to use the solution.

Hope that helps.

Sean

So if the participant only has Netmeeting will that register to a Tandberg Gatekeeper that would be able to connect to a Border Controller?

Sean Lessman
10-13-2006, 03:13 PM
So if the participant only has Netmeeting will that register to a Tandberg Gatekeeper that would be able to connect to a Border Controller?

Yes, it should work. I haven't personally tried Netmeeting, but if it behaves like the nice H.323 client it is supposed to be, it should work.

Sean

Billy
10-16-2006, 09:25 PM
Traditionally the Gatekeeper sits inside the organisation's firewall on the LAN. That is where we have it and netmeeting clients will register to it as long as they are also on the LAN. Netmeeting or any other H.323 client will not register with the Border controller and that box traditionally sits out in a DMZ or internet space. So netmeeting clients on the outside will not be able to register with the BC so cannot talk to the internal clients via the BC to GK connection. This is the same issue we are having.

I had a look at Tandberg's new Movi solution that isn't released as yet and it looks like a web based system similar to the Frontier one.

trapehzoid
10-16-2006, 11:06 PM
If the netmeeting or other H.323 clients were registered to a gatekeeper to begin with, you could have that gatekeeper neighbor to the BC and then they could call in and out.

This is only a problem if your network was dial by IP address to begin with. If you had a proper h323 network.. the biggest change is if you keep your gatekeeper public or not.

crashin
10-17-2006, 11:45 AM
The Tandberg people I spoke with recommended having an outside Gatekeeper as well as an internal gatekeeper.

Armyjazzer
04-25-2008, 04:04 PM
What if your TB gatekeeper was inside the firewall, but you allow outside registrations? Would non H.460 codecs now work with the border controller?

Sean Lessman
04-25-2008, 05:52 PM
What if your TB gatekeeper was inside the firewall, but you allow outside registrations? Would non H.460 codecs now work with the border controller?

To make this work you would need to open more ports than just registration (1719). You would also need to open 1720 and all of the random ports for H.245 and media to every IP address of every video system internally. In short, open up your firewall more than you have to.

With the Border Controller/GK solution everything gets squeezed down to a few ports and only between the BC and GK. It is more secure.

Sean