This forum is the only one of its kind on the web and I greatly appreciate it. I'm currently head of our VTC project at my business. I am using some VSX7000's throughout the WAN and some VSX3000's at sites that belong to home users and offices overseas.

I have read through about 3 pages worth of posts here and it seems like I am seeing the same things over and over again regardless of what firewall or routing they use: "I can connect on LAN just fine but if I enter a publice IP address it doesn't work". Well, I'm in the same boat. The two common issues are 1. Sometimes a system will call another system and it will ring but there is no option to answer and 2. Sometimes a system will call another sytem and it will answer but only one side of the connection has audio and video.

Unfortunately, about a dozen posts in the last 3 pages of the IP Telephony area on the forum relate to the two issues that I'm having and none of them end with a rock solid solution.

I have been messing with admin settings for days now, unable to come up with the answer. My calls to polycom are randomly answered with either an "I can't help you, this is a routing issue" or "I can't help you, this is a firewall issue".

I knew VTC systems weren't going to be plug and play, but this is one of my most frustrating projects I've encountered.

The solution is simple, and probably one you don't want to hear. You will need to invest in a firewall traversal solution.

Firewall manufacturers purport to provide support for H.323, but when you delve into it further, you will find that the support is limited. They certainly don't keep up with the standards in the same way as the videoconferencing vendors do, and the result is exactly as you describe in your post. Even PIX and Checkpoint, the 2 most reputable firewall manufacturers (from an H.323 support perspective) cause untold issues unless you start to disable lots of capabilities on your system, or even downgrade your software.

It is for this very reason that the VC vendors took the bull by the horns, (and realised an opportunity), in creating firewall traversal technology.

Polycom have V2IU, a device that bypasses your firewall and has proper support for H.323, and Tandberg have 2 solutions, the Codian IP gateway which is similar in some respects to V2IU, and Expressway, a 2 device solution that flows through your firewall and also provides proper H.323 support. If you're in the UK, feel free to drop me a line and I'll talk you through it further.

Like Glen Sykes said, you can see the benefit from firewall solution.

As both of your terminals support H.460.18/19(refer to http://www.t2supply.com/site/ExternalResources/EmailTemplateResources/8.5_faq0506.pdf), you may try with a new released GNUGK, or you can use ECS 5.5 as a TS gatekeeper. After that you can make a decision to buy a firewall traversal equipment or not.

Just remember you will need a public ip for the TS gatekeeper.

I feel your pain. It took me months to work through the problems I had with the same types of issues. Nothing quite lead me to my solution and yours will probably be your own variant of some other solution someone posts. But here's the information I have.

A link to some helpful information that lead me to the solution in my environment. It was produced by the University of Wisconsin.

http://www.uwex.edu/ics/support/video/H323/index.html

My problem: I could get one endpoint to work dialing an external ip address and the next endpoint wouldn't work. I'd change a setting on my PIX firewall and then the first unit wouldn't work but the 2nd one would. Each of my Tandberg endpoints were running different versions of software. Here are all the things I had to do to get outbound ip calls working consistently in my environment.

1. I upgraded all the Tandberg endpoints to the same version of software.
2. Created a VLAN on my network and placed all VTC equipment in the VLAN.
2. Configured static NAT on my Pix firewall for each endpoint.
3. Configured NAT Auto on each endpoint. (Auto was required to switch automatically when calling internal units and external units.)
4. Upgraded my PIX firewall to current IOS version.
5. Modify the global config on the PIX to remove the fixup protocol for H.323 as follows:
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719

Voila! (Ok, so not "Voila!" after months of troubleshooting, it was more of an exaspertated "Yes, finally!")

Environment: Tandberg 3000MXPs, 1000MXPs, and 770MXPs
Using IP only. Units call each other via the internal lan. I do not have a gateway unit. If I need to call a remote site that has ISDN I utilize a gateway at the University of Wisconsin to bridge me to the ISDN site. Most remote sites I call are using Polycom.

the problem im running into is as follows:

i have Tandberg units operating with a BC, GK, GW, TMS, etc.

on the outside, i only have a border controller, so connecting to other Tandberg units is cake.

im trying to connect with another organization's polycom. we can both call polycom's test site, but cant connect with each other. i can ping their address but the connection never even tries to hook up, it immediately fails.

any ideas? i don't think they have firewall traversal, i believe they just stuck this one endpoint on the outside, but not entirely sure.

Whitebuffalo, this one should be pretty easy I think.

What is the model of the Polycom endpoint, and software version? If it's a VSX or HDX you're in luck, as both support H.460 (the VSX will need to be on version 8 software), meaning they can register to your Border controller and enjoy your firewall traversal services! So long as the remote site allows the VSX outbound (which it sounds like they do as they can connect to the Polycom test site), then get them to register with your border controller and call each other via E.164.

One final point, the remote side firewall should have any H.323 awareness disabled, it will screw with the H.460 messaging and possibly prevent you from calling.

glen,
sounds like i may be in business then, because its a vsx 7000 running 8.5.3. furthermore, this is even BETTER news because all their sites are VSX. i will try to register it and see what happens. thanks for the help!

Glen, you are absolutely my hero. i wish you were closer so i could buy you a beer. coming to Texas anytime soon? :)

You never know! I was in Austin 2 years ago, it's not unlikely I'll be back again sometime!

You can always click on my reputation link on here :-)

Glad I could help.

Please do not say any more nice things about Glen. I have to work with him, he is evil and he smells of old wee. ;)