
Polycom VBP Video Border Proxy

VC2 Network Diagram

(Diagram; the following components and sites are labelled in the figure.)

Infrastructure:
- CMA Client: Desktop Videoconferencing
- RSS 2000: Recording and Streaming
- VMC 1000: Video Content Management
- CMA: Gatekeeper, Scheduling & Management
- DMA: Multipoint Call Management and Distribution
- VBP: Video Border Proxy
- RMX 1000 and RMX 2000: Conferencing Platforms

Sites: Executive office, Large Meeting Hall, Conference Room, Remote Sales office, Home Office

Polycom VSG Infrastructure Certification

Two Primary Issues for Internet Video Conferencing

- Firewalls / NAT
  - Built to handle data, not video
  - Breaks AES and H.239 / People and Content
  - Interoperability with videoconferencing infrastructure
- Interoperability with Legacy Endpoints
  - Legacy H.323 endpoints

Videoconferencing using IP

Add a firewall to prevent unwanted access to the video system and computers.

Videoconferencing using IP

Firewalls break video calls!

Due to firewall Network Address Translation (NAT), video connections are "Lost in Translation". Symptoms are one-way video and/or audio (he can see/hear me, but I can't see/hear him).

Problem: Firewalls Block IP Calls

(Diagram: an Enterprise site and a Customer site, each behind its own firewall.)

A firewall is a device that protects the resources of a private network from users on other networks. A firewall can be opened for video calls, but this is usually against security policy and leaves your network vulnerable to attacks.

Avoid the Video-Firewall problem by

- Using public IPs
  - Pro: Unencumbered video calling
  - Con: Not secure
- Using Virtual Private Networks (VPN) to tunnel calls
  - Pro: Creates a tunnel and encrypts the call through a firewall
  - Con: Requires both ends to be on the VPN; limited calling
- Using a proxy to connect calls
  - Pro: Proxied calls meet in the middle; secure
  - Con: Expense; limited calling

Videoconferencing using IP

- Public IP address
  - Public IP addresses are NOT secure
  - Allows in / out calling

VBP Installation: Conferencing Made Easy

- Works with existing H.323 gatekeepers or as an embedded gatekeeper
- Simple dialing plans (email, IP address)
- Interoperates with existing firewalls or acts as a standalone firewall

(Diagram: an Enterprise site and a Customer site, each fronted by a VBP acting as a video firewall.)

Security Firewall Traversal

Extending video conferencing to remote users without interference from inter-company firewalls, Polycom's VBP NAT/Firewall traversal solutions provide trusted routes to any corporate network. The VBP also provides optimized video quality by prioritizing video traffic over data traffic, and by providing both shortest path routing and traffic shaping.

The VBP Solution is:

- Simple and standards-based
- Works with Polycom and legacy H.323 equipment: gatekeepers, endpoints, MCUs
- Full featured: H.264, People and Content (H.239), Quality of Service (QoS), shortest path routing, encryption (AES), H.460 for mobile workers / central registration
- Easily deployed

Solving the problem with a Polycom VBP

- VBP permits inbound / outbound calling
- Maintains security

Solving the problem with a Polycom VBP

DE-CENTRALIZED approach
- Eliminates video translation issues
- Maintains security policies
- Provides for simplified and flexible dialing plans
- Full feature conferencing support (H.239, AES)
- Enables call quality: traffic shaping / QoS; video/audio streams utilize shortest paths

Solving the problem with a Polycom VBP

The VBP provides for simplified dialing by allowing users to dial Alias@IP_Address or Extension@IP_Address.

Example: 877215@71.14.2.158

(Diagram: endpoints with extensions 877215, 877115, 877030 and 877015 registered behind the VBP.)

Solving the problem with a Polycom VBP

CENTRALIZED approach
- Traversal Server at a centralized (HQ?) location
- Based upon ITU standard H.460
- Endpoints must comply with the standard (H.460)
- Allows for IP calling with legacy firewalls
- IP and port issues resolved at the Traversal Server
- Simple for registered H.460 endpoints
- Ideal for mobile users (road warriors / hot spots / home users)

Solving the problem with a Polycom VBP

(Diagram: SOHO users and road warriors connecting to a Traversal Server at Company HQ.)

Remote users use the Traversal Server for call connection. All calls are outbound and meet at the Traversal Server.

Solving the problem with a Polycom VBP

(Diagram: Traversal Server at Company HQ with two remote endpoints calling each other.)

Remote-to-remote dialing uses two calls' worth of bandwidth at the Traversal Server, since both outbound legs meet there.

VBP H.460 Traversal Server

H.460 Benefits
- Allows for IP calling with legacy firewalls
- IP and port issues resolved at the Traversal Server
- Simple for registered H.460 endpoints
- Solves the problem of conferencing with users that are behind a firewall where there is no VBP

H.460 Considerations
- Extra bandwidth may be needed at the Traversal Server location
- Requires endpoints to register with the Traversal Server
- Requires endpoints that support H.460

Complete Polycom Solution


Polycom VBP

VBP Product Family: Voice and Video Interface Unit
- 6400 Series: 85 Meg
- 5300 Series: 10 Meg or 25 Meg
- 4350: 3 Meg
- 200 EW: 1 Meg

- Simplifies inter-company video conferencing
- Resolves NAT/Firewall traversal problems for Video over IP
- Protects video and voice devices with an application-aware firewall
- Flexible: can be deployed as an ALG or Traversal Server (H.460)

VBP Features Review

- Layer 7 H.323 video and voice aware SPI firewall using ALG technology (application layer gateway)
- Shortest path RTP media
- Router (static routing)
- Traffic shaping (QoS)
- H.323 bandwidth management
- Video/data aware NAT server

VBP Application Layer Gateway

Dynamic clients access list (DACL)
- Dynamic provisioning occurs when the endpoint's gatekeeper parameters are set to the LAN IP address of the VBP. This registration is then proxied to the PathNavigator for registration confirmation; upon successful registration, the endpoint is a trusted device on the network.
- Together with the DACL, the SPI firewall applies security policies to ensure that only traffic destined for an endpoint in the DACL reaches that endpoint from a trusted public connection.
- The PathNavigator is a trusted device; this device's IP address is configured in the ALG page. Call setup requests will be allowed as long as the final destination is an endpoint in the DACL.

IP address and port management for video NAT
- IP addresses and IP ports will be changed at Layers 3, 4 and 7

Shortest path RTP media routing

Layer 7 video aware SPI firewall

- During Q.931 call set-up, TCP port 1720 is opened dynamically in the VBP, and NAT is performed
- During H.245 logical channel assignment, ports for RTP media are negotiated and reserved
  - At this time the ALG identifies the source/destination IP addresses and ports associated with the RTP session. It creates an expected state, dynamically opens these RTP media ports, and closes them when the session is completed.
- Provides security for the H.323 core network components and video endpoints
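The DACL and pinhole behaviour described on the two slides above can be modelled as a small state machine. The following is an added illustration and is not Polycom's code: the class, method names, addresses and call ids are constructed for the example, and real H.225/H.245 messages (ASN.1 PER encoded) are not parsed. It shows the three security decisions the ALG makes: admit an endpoint to the DACL only on confirmation from the trusted gatekeeper, open TCP 1720 only towards a DACL endpoint, and open the RTP/RTCP pair negotiated in H.245 only for the lifetime of that call.

```python
"""Toy model of the VBP ALG: DACL plus stateful pinholes for Q.931 and RTP.
Added example, not Polycom code; names and addresses are constructed."""
from dataclasses import dataclass, field

Q931_PORT = 1720          # H.225 call signalling, opened per call


@dataclass
class VideoAlg:
    gatekeeper_ip: str                               # trusted gatekeeper (PathNavigator)
    dacl: set = field(default_factory=set)           # LAN endpoints confirmed by the gatekeeper
    pinholes: dict = field(default_factory=dict)     # call_id -> {(proto, lan_ip, port)}

    def register(self, endpoint_ip: str, confirmed_by: str) -> bool:
        """Endpoint registered through the VBP; the VBP proxies the RRQ and admits the
        endpoint to the DACL only when the confirmation came from the trusted gatekeeper."""
        if confirmed_by == self.gatekeeper_ip:
            self.dacl.add(endpoint_ip)
        else:
            self.dacl.discard(endpoint_ip)
        return endpoint_ip in self.dacl

    def call_setup(self, call_id: str, lan_dst_ip: str) -> bool:
        """Q.931 SETUP from the public side: open TCP 1720 towards the LAN endpoint
        only if that endpoint is in the DACL."""
        if lan_dst_ip not in self.dacl:
            return False
        self.pinholes[call_id] = {("tcp", lan_dst_ip, Q931_PORT)}
        return True

    def open_logical_channel(self, call_id: str, lan_ip: str, rtp_port: int) -> bool:
        """H.245 OpenLogicalChannel: reserve the negotiated RTP port and its RTCP pair."""
        if call_id not in self.pinholes:
            return False
        self.pinholes[call_id] |= {("udp", lan_ip, rtp_port), ("udp", lan_ip, rtp_port + 1)}
        return True

    def release(self, call_id: str) -> set:
        """Q.931 RELEASE COMPLETE: tear down every pinhole belonging to the call."""
        return self.pinholes.pop(call_id, set())

    def permits(self, proto: str, lan_dst_ip: str, port: int) -> bool:
        """Stateful check for a packet arriving from the public side."""
        needle = (proto, lan_dst_ip, port)
        return any(needle in holes for holes in self.pinholes.values())


def walk_through_call() -> dict:
    """Run one call through the model and return the decisions taken."""
    alg = VideoAlg(gatekeeper_ip="10.0.0.5")                 # constructed addresses
    alg.register("10.0.0.21", confirmed_by="10.0.0.5")       # RCF from the trusted gatekeeper
    alg.register("10.0.0.22", confirmed_by="10.0.0.99")      # confirmation from an unknown host
    out = {}
    out["setup_to_unregistered"] = alg.call_setup("call-1", "10.0.0.22")
    out["setup_to_registered"] = alg.call_setup("call-2", "10.0.0.21")
    out["olc_accepted"] = alg.open_logical_channel("call-2", "10.0.0.21", 49152)
    out["rtp_during_call"] = alg.permits("udp", "10.0.0.21", 49152)
    out["rtcp_during_call"] = alg.permits("udp", "10.0.0.21", 49153)
    out["unrelated_port"] = alg.permits("udp", "10.0.0.21", 49154)
    out["closed_on_release"] = len(alg.release("call-2"))
    out["rtp_after_release"] = alg.permits("udp", "10.0.0.21", 49152)
    return out


if __name__ == "__main__":
    for event, decision in walk_through_call().items():
        print(f"{event:24} {decision}")
```

The point of the `release` step is the one the slide makes: the media ports exist only between the H.245 negotiation and the end of the session, so a packet to 49152 that would have been forwarded during the call is dropped once the call is released.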

VBP Application Layer Gateway (ALG)

ALG Pros
- Security (intrinsic firewall)
- Less costly: no extra bandwidth
- Ideal for fixed video installations
- Video endpoint registration not mandatory
- Flexible dialing

ALG Cons
- Requires a VBP wherever there is a firewall / NAT issue

Route Media Shortest Path

(Diagram: Calgary, Edmonton and Montreal sites each with a V2IU 4300T-E; Toronto with a V2IU 5300-S and the shared gatekeeper. Legend: signaling path, media path.)

VBP Traffic Shaping

- Class based queues
  - Video or voice: high priority receives poll service over low priority data
  - Devices can be manually placed in the high priority queue; however, do this cautiously to ensure you do not oversubscribe the queue
  - Traffic scheduler to service the queues
  - Traffic shaper to rate-limit low priority traffic
- TOS and Diffserv packet marking on egress WAN video RTP packets. TOS value is re-written to 0xb8 and Diffserv AF46
  - Registered H.323 endpoints are classed and marked at layer 3 values, shaped as high priority
  - Data endpoint values are re-written to 0x00 and shaped as low priority
  - TOS and Diffserv values are hard coded today

VBP Traffic Shaping, cont'd

Congestion management with TCP
- LAN to WAN: the VBP buffers the received traffic into low-priority queues; when a burst condition occurs, packets are delayed and then dropped
- WAN to LAN: packets received at a rate higher than the configured value are buffered and delayed to the egress LAN; data to the egress WAN are buffered, delayed and dropped; the result causes the sender and receiver to renegotiate TCP window sizes and slow the transmission rates
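The classing, marking and congestion behaviour of the two traffic shaping slides above, as an added example that is not Polycom's code. The packet records, the per-pass rate budget and the queue depth are constructed for the illustration. The TOS byte 0xb8 the slide cites has DSCP 46 in its upper six bits, which is the Expedited Forwarding code point; the example marks that value on RTP from registered endpoints, marks everything else 0x00, services the high queue first, and lets a data burst overrun the low-priority buffer so that the "delayed, then dropped" behaviour is visible.

```python
"""Toy model of VBP class-based queuing, TOS marking and low-priority shaping.
Added example, not Polycom code; packets, rates and depths are constructed."""
from collections import deque

TOS_VIDEO = 0xB8        # 1011 1000: upper six bits are DSCP 46 (EF)
TOS_DATA = 0x00


def dscp_of(tos: int) -> int:
    """DSCP occupies the upper six bits of the legacy TOS byte."""
    return tos >> 2


class ClassBasedShaper:
    def __init__(self, registered_endpoints, low_rate_bytes_per_pass: int, low_queue_depth: int):
        self.registered = set(registered_endpoints)   # endpoints registered via the VBP
        self.high = deque()                           # voice/video, serviced first
        self.low = deque()                            # data, rate-limited by the shaper
        self.low_rate = low_rate_bytes_per_pass       # shaper budget per scheduler pass
        self.low_depth = low_queue_depth              # delay buffer before drops begin
        self.dropped = 0

    def classify(self, pkt: dict) -> tuple:
        """RTP from a registered endpoint -> high priority; everything else -> low."""
        if pkt["src"] in self.registered and pkt.get("rtp", False):
            return "high", TOS_VIDEO
        return "low", TOS_DATA

    def enqueue(self, pkt: dict) -> str:
        queue, tos = self.classify(pkt)
        marked = dict(pkt, tos=tos)                   # re-write the TOS byte on WAN egress
        if queue == "high":
            self.high.append(marked)
            return "queued-high"
        if len(self.low) < self.low_depth:
            self.low.append(marked)                   # delayed, not yet dropped
            return "queued-low"
        self.dropped += 1                             # burst overran the buffer
        return "dropped"

    def schedule(self) -> list:
        """One scheduler pass: drain the high queue, then let low priority spend its
        rate budget.  Low priority always gets its budget, so data is not starved."""
        sent = [self.high.popleft() for _ in range(len(self.high))]
        budget = self.low_rate
        while self.low and self.low[0]["size"] <= budget:
            pkt = self.low.popleft()
            budget -= pkt["size"]
            sent.append(pkt)
        return sent


def simulate() -> dict:
    """Feed a video flow and a data burst through the shaper and report what happened."""
    shaper = ClassBasedShaper({"10.0.0.21"}, low_rate_bytes_per_pass=2000, low_queue_depth=4)
    video = [{"src": "10.0.0.21", "rtp": True, "size": 1000} for _ in range(3)]
    data = [{"src": "10.0.0.50", "rtp": False, "size": 1000} for _ in range(6)]   # burst
    decisions = [shaper.enqueue(p) for p in video + data]
    first_pass = shaper.schedule()
    second_pass = shaper.schedule()
    return {
        "decisions": decisions,
        "dropped": shaper.dropped,
        "first_pass_tos": [p["tos"] for p in first_pass],
        "second_pass_count": len(second_pass),
        "video_dscp": dscp_of(TOS_VIDEO),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

With a four-packet low-priority buffer and a six-packet data burst, the first four data packets are delayed and the last two are dropped; the first scheduler pass sends all three video packets (marked 0xb8) ahead of two data packets (marked 0x00), and the remaining two data packets go out on the next pass.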

VBP Product Family Traffic Management

- Traffic shaping
- Priority queuing
- Diffserv packet marking
- Call Admission Control

(Diagram: a T1 WAN link at 1.544 Mbit/s carrying a high priority queue for voice and video and a low priority queue for data, plotted against time. As VoIP calls are established, data is shaped but not starved completely; once the link is full, new calls are blocked; data is allowed to consume the available bandwidth as calls are completed.)

VBP H.323 Bandwidth Management

H.323 bandwidth controls (Call Admission Control - CAC)
- Configures the maximum allowed bandwidth for video traffic to egress to the WAN
- H.323 CAC decrements this value by each bandwidth request (BRQ)
- This value is configured in the VoIP ALG page, and the remaining bandwidth can be displayed
- A 20% IP overhead safety margin is also calculated and the remaining usable bandwidth is displayed
- Working together with classing, queuing and the traffic shaper, H.323 CAC ensures the WAN link will not be oversubscribed by too many endpoints requesting WAN access
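The admission arithmetic on the slide above, as an added example that is not Polycom's code. The link size and call rates are constructed; the class and method names are assumptions. The model follows the slide's description: usable bandwidth is the configured WAN egress value minus the 20% IP-overhead margin, each bandwidth request decrements the pool, and a request that no longer fits is refused. Real H.225 RAS carries bandwidth in units of 100 bit/s and uses ARQ/ACF for initial admission and BRQ/BCF to change an existing call's bandwidth; the example treats every request as a plain kbps value against the pool, as the slide does.

```python
"""Toy model of H.323 Call Admission Control with a 20% IP-overhead margin.
Added example, not Polycom code; link size and call rates are constructed."""

OVERHEAD_MARGIN_PERCENT = 20


class CallAdmissionControl:
    def __init__(self, configured_kbps: int):
        self.configured_kbps = configured_kbps
        # usable = configured minus the 20% IP overhead safety margin (integer kbps)
        self.usable_kbps = configured_kbps * (100 - OVERHEAD_MARGIN_PERCENT) // 100
        self.active = {}                        # call_id -> admitted kbps

    def remaining_kbps(self) -> int:
        return self.usable_kbps - sum(self.active.values())

    def bandwidth_request(self, call_id: str, kbps: int) -> bool:
        """Admit the request only if it fits in the remaining budget (otherwise reject)."""
        if call_id in self.active or kbps > self.remaining_kbps():
            return False                        # link would be oversubscribed
        self.active[call_id] = kbps
        return True

    def disengage(self, call_id: str) -> int:
        """Call ended: return its bandwidth to the pool."""
        return self.active.pop(call_id, 0)


def admission_sequence() -> list:
    """T1-sized WAN (1544 kbps) with three call attempts, then a release and a retry."""
    cac = CallAdmissionControl(configured_kbps=1544)
    log = [("usable", cac.usable_kbps)]
    for call_id, rate in (("hq-to-branch", 768), ("hq-to-partner", 384), ("hq-to-home", 384)):
        log.append((call_id, cac.bandwidth_request(call_id, rate), cac.remaining_kbps()))
    cac.disengage("hq-to-branch")
    log.append(("hq-to-home-retry", cac.bandwidth_request("hq-to-home", 384), cac.remaining_kbps()))
    return log


if __name__ == "__main__":
    for entry in admission_sequence():
        print(*entry)
```

On a 1544 kbps link the margin leaves 1235 kbps usable: a 768 kbps call and a 384 kbps call are admitted (83 kbps left), a third 384 kbps call is refused, and once the 768 kbps call ends the refused call can be admitted.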

In Summary

The Polycom Video Border Proxy (VBP) allows customers to
- Enable secure video
- Bypass firewalls securely
- Manage bandwidth
- Connect to remote offices
- Connect to outside vendors / partners
- Connect to telecommuters
- Scale seamlessly

Thank You