Академический Документы
Профессиональный Документы
Культура Документы
Document Overview
This document provides an
overview of how to effectively
and securely provide IP-based
videoconferencing applications
between multiple locations
within a corporate enterprise,
using dynamically created
Virtual Private Networks
across the Internet.
Page 1
Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks Solutions Guide
TABLE OF CONTENTS
Introduction 3
The Standards
NAT
Network Basics 4
Call Flow 6
Usage Scenarios 7
Benefits 7
Limitations 8
Conclusion 8
Page 2
Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks Solutions Guide
IP-based videoconferencing, however, seeks to create In this example, note that each geographic location
a real-time session between two or more endpoints, has its own individual NAT-based firewall solution to
at more than one secure location. This creates secure the corporate enterprise.
real-world issues that are not addressed in today’s
firewall technologies. This issue is not easily resolved Although some firewall manufacturers offer H.323
by NAT-enabled firewalls or H.323-enabled firewalls, options, they do not realistically solve real-world IP
even within a single enterprise with multiple video applications involving or spanning more than
geographic locations. one firewall.
Location A
Firewall
Firewall
IP Video Terminal
Page 4
Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks Solutions Guide
VPN Basics For IP Videoconferencing Figure 2 demonstrates how the VPN tunnel
creates an overlay to the existing data network
Technologies from Polycom, in conjunction with VPN
as illustrated earlier.
technologies from companies such as Checkpoint and
Microsoft, allow corporations to deploy secure IP
Virtual Private Network tunnels provide a unique
videoconferencing applications to multiple locations
and scaleable means to easily deploy IP-based H.323
while using the Internet as the public transport
videoconferencing within a corporate enterprise.
mechanism.
Easier deployment and scaleability allows greater
usage and improved productivity.
A VPN typically allows the network administrator to
create a secure, policy-based overlay network within
The deployment becomes very straightforward
the Internet. Imagine a VPN using the Internet as a
when using Polycom’s video terminal and network
transport while creating a secured tunnel within it.
equipment in conjunction with Checkpoint’s
The key is that the tunnels are always to a trusted
Firewall-1 firewall systems.
destination such as another geographic location
within the same enterprise.
Location A
Page 5
Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks Solutions Guide
As shown in Figure 2, all locations are trusted Note that this all happens within the three ports
domains between the Checkpoint Firewall-1 systems, (50, 51, & 500) described in Figure 3.
all with the same internal NAT-based IP structure.
Call Flow
■ The local video system, initiating the call, Figure 3 shows a typical H.323 call flow using VPN
sends TCP and UDP data to the local tunneling over the wide area network. Notice how
Checkpoint firewall. the normal call flow is intercepted by the local
■ The local Checkpoint Firewall–1 system then sets enterprise firewall/VPN service. It is then rerouted
up a layer 2 tunnel, an ISAKMP key exchange, across three ports dedicated to securing, authenticating
an MD5 hash authentication scheme and DES and encrypting the VPN link to the far end VPN/firewall
encryption algorithm to the trusted firewall at the service for the enterprise. This type of solution does
far end location. not require that multiple dynamic TCP and UDP
ports be opened, which is the normal case for H.323
■ The local Checkpoint Firewall-1 forwards the
IP video communications crossing data firewalls.
encrypted data to the remote trusted Checkpoint
Firewall–1 system.
The number of simultaneous calls and call
■ The remote Checkpoint Firewall-1 system receives quality is affected by several factors:
the encrypted data and compares it to the key 1) Appropriated bandwidth and network infrastructure
exchange and authentication measures, then 2) The amount of processing power of the
decrypts the TCP and UDP data and sends it to Firewall/VPN service
the requested video system. 3) The ability to process multiple authenticated
and encrypted streams of real-time IP-based
videoconferencing data
TCP H.245 Open Media Port 51 - Authentication (MD5) H.245 Open Media
H.245
Request to EP B Request to EP B
Messaging
H.245 Open Media H.245 Open Media
OK from EP B OK from EP B
Port 50 - encryption (DES, triple DES)
UDP
Send Audio and Video Send Audio and Video
Media
Ports
Page 6
Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks Solutions Guide
■ IP Point-To-Point Conferences
Benefits
Point-to-point calls may be placed between any
Polycom H.323 IP desktop and/or group system in a This type of deployment creates the ability for an
point-to-point conference using the VPN technologies enterprise to rapidly implement real-time video
described above. solutions within the enterprise. The benefits of
real-time video include:
■ IP Multipoint Conferences
H.323 IP-based Multipoint conferences to and from
■ Increased Productivity
any Polycom desktop and/or group system may be
■ Improved Resource Efficiency
placed using Polycom’s MGC and IP-based MCU
■ Less Travel
products.
■ Reduced Travel Costs
■IP & ISDN Mixed Conferences ■ Improved Morale
IP & ISDN mixed point-to-point conferences may be
placed to or from any Polycom H.323 IP-based This implementation also marks the convergence of
desktop and or group system. Polycom MGC-based video services and data within the same network
MCUs and Gateways may also provide internal IP to infrastructure. Video equipment and resources can
ISDN point-to-point and multipoint services to or be managed using the same platform as other
from any Polycom desktop or group system network components.
supporting VPN service.
Using VPNs provides an easy-to-use connectivity
■Secure Gateway Conferences Outside
model. The user can simply call another person much
of the Corporate Enterprise
as they would use the phone. Products such as
It is important to remember that deploying VPN
gatekeepers and directory managers allow users
service only provides IP-based video deployments
even more freedom. Colleagues can be called using
for internal or inter-company calls. The VPN security
their phone number, extension or email address.
only provides access to multiple geographic locations
This solution is governed by the enterprise network’s
within an enterprise.
security and policy since all geographic locations are
linked via the secure VPN tunnel.
Enterprise VPN configurations using Polycom
desktop and group video systems can also provide
IP-based videoconferencing outside the secure
enterprise while maintaining the same security and
policies internally. This is accomplished by deploying
Polycom’s Firewall Gateway/Proxy technologies that
Page 7
Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks Solutions Guide
Limitations Conclusion
The quality and quantity of calls are determined by As enterprises better utilize and advance their
the processing power of the firewall/VPN solution. IP-based Internet services, VPN tunneling is an
Network administrators must plan how many option that provides a means of sharing the public
simultaneous video sessions will be required to Internet backbone, while maintaining the privacy
run across the VPN, as well as current data capacity of a dedicated internal network. VPN tunnels
that would run via the tunnel. Scaleability and provide scaleable and secure services for internal
performance are directly impacted by the processing videoconferencing in enterprises that need to
power on the firewall/VPN server. communicate effectively between multiple
physical locations.
This solution does not address the use of IP-based
videoconferencing to other enterprises; rather, internal Using Polycom endpoints, MCUs, gateways
IP video communications for a single enterprise to and management platforms within the internal
multiple locations only. VPN service provides seamless end-to-end
videoconferencing solutions for both internal and
For information on how to provide secure IP external IP-based videoconferencing applications.
videocommunications outside a secure corporate
enterprise, without compromising the integrity of
the network, see our related White Papers on: Notes & Assumptions
– Polycom’s Certified Firewall Gateway/Proxy This document assumes the appropriate IP
Technologies, ‘Addressing Issues with H.323 bandwidth, network equipment and network
as it relates to Security, Firewalls, NAT & PAT’ resources have been accurately calculated,
– ‘MGC Firewall Certification Report’ designed and implemented to sustain the desired
service level, quality and capacity requirements
These documents can be accessed on for IP-based videoconferencing applications.
Polycom’s website, www.polycom.com, at
North America/Products/Network Systems It also assumes the typical issues of security,
Products/Technical Documents. capacity, latency and jitter have all been assessed
and designed to meet the needs of
Polycom’s Firewall Gateway/Proxy technologies allow real-time applications.
network managers to combine VPN solutions, such as
those described in this document, with secure IP video For further assistance with assessing load
communications to other enterprises, organizations or requirements, preparing your network for video
partners that are vital to your business. and/or video specific consultation, contact your
local Polycom representative to schedule an
initial networking analysis.
Page 8
Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks Solutions Guide
© 2001 Polycom Corporation. All rights reserved. The information contained in this document reflects the current view of
Polycom Network Systems as it relates to the technologies, issues and topics as of the date of publication. Because Polycom
Corporation must respond to changing and evolving technologies and market conditions, interpretation of the information
contained within this document should be thoroughly validated on the part of the reader and should not be interpreted as a
commitment on the part of Polycom. Polycom and the Polycom Logo are registered trademarks of Polycom, Inc. in the US
and their various countries. All other trademarks are the property of their respective companies.
Page 9