Polycom Video Border Proxy Solution Overview

Polycom VBP – Video Border Proxy

Upload: jgcannata

Post on 08-Nov-2015

DESCRIPTION

Overview of the Polycom Video Border Proxy Solution

TRANSCRIPT

  • Polycom VBP Video Border Proxy

    *Polycom VSG Infrastructure Certification

    VC2 Network Diagram
    - Locations shown: Executive office, Large Meeting Hall, Conference Room, Remote Sales office, Home Office
    - CMA: Gatekeeper, Scheduling & Management
    - DMA: Multipoint Call Management and Distribution
    - RMX 1000 and RMX 2000: Conferencing Platforms
    - VBP: Video Border Proxy
    - RSS 2000: Recording and Streaming
    - VMC 1000: Video Content Management
    - CMA Client: Desktop Videoconferencing

    Two Primary Issues for Internet Video Conferencing
    - Firewalls / NAT
      - Built to handle data, not video
      - Breaks AES and H.239 / People and Content
    - Interoperability with videoconferencing infrastructure
      - Interoperability with legacy endpoints (legacy H.323 endpoints)

    Videoconferencing using IP

    (Diagram label: IP Cloud)

    Videoconferencing using IP: Firewalls break video calls!

    Due to firewalls' Network Address Translation (NAT), video connections are "Lost in Translation".

    Symptoms are: one-way video and/or audio ("He can see/hear me, but I can't see/hear him").

    (Diagram label: IP Cloud)

    Problem: Firewalls Block IP Calls

    A firewall is a device that protects the resources of a private network from users of other networks. A firewall can be opened for video calls, but doing so usually goes against security policies and leaves your network vulnerable to attacks.

    (Diagram labels: Customer, Enterprise)

    Avoid the video-firewall problem by:
    - Using public IPs
      - Pro: Unencumbered video calling
      - Con: Not secure
    - Using Virtual Private Networks (VPN) to tunnel calls
      - Pro: Creates a tunnel and encrypts the call through a firewall
      - Con: Requires both ends to be on VPN; limited calling
    - Using a proxy to connect calls
      - Pro: Proxied calls meet in the middle; secure
      - Con: Expense; limited calling

    Videoconferencing using IP: Public IP address
    - Allows in / out calling
    - Public IP addresses are NOT secure

    (Diagram label: IP Cloud)

    VBP Installation: Conferencing Made Easy
    - Works with existing H.323 gatekeepers or as an embedded gatekeeper
    - Simple dialing plans (email, IP address)
    - Interoperates with existing firewalls or acts as a standalone firewall

    (Diagram labels: Customer, Enterprise)

    Security Firewall Traversal

    Extending video conferencing to remote users without interference from inter-company firewalls, Polycom's VBP NAT/firewall traversal solutions provide trusted routes to any corporate network. The VBP also provides optimized video quality by prioritizing video traffic over data traffic, and by providing both shortest path routing and traffic shaping.

    The VBP Solution is:
    - Simple and standards-based
      - Works with Polycom and legacy H.323 equipment: gatekeepers, endpoints, MCUs
    - Full featured
      - H.264 People and Content (H.239)
      - Quality of Service (QoS)
      - Shortest path routing
      - Encryption (AES)
      - H.460 for mobile workers / central registration
    - Easily deployed

    Solving the problem with a Polycom VBP
    - VBP permits inbound / outbound calling
    - Maintains security

    (Diagram label: IP Cloud)

    Solving the problem with a Polycom VBP: DE-CENTRALIZED approach
    - Eliminates video translation issues
    - Maintains security policies
    - Provides for simplified and flexible dialing plans
    - Full feature conferencing support (H.239, AES)
    - Enables call quality
      - Traffic shaping / QoS
      - Video/audio streams utilize shortest paths

    Solving the problem with a Polycom VBP

    The VBP provides for simplified dialing by allowing users to dial Alias@IP_Address or Extension@IP_Address.

    Example: [email protected]

    (Diagram labels: 877015, 877030, 877115, 877215, IP Cloud)

    Solving the problem with a Polycom VBP: CENTRALIZED approach
    - Traversal Server at centralized (HQ?) location
    - Based upon ITU Standard H.460
    - Endpoints must comply with the standard (H.460)
    - Allows for IP calling with legacy firewalls
    - IP and port issues resolved at Traversal Server
    - Simple for registered H.460 endpoints
    - Ideal for mobile users (road warriors / hot spots / home users)

    Solving the problem with a Polycom VBP

    Remote users use the Traversal Server for call connection. All calls are outbound and meet at the Traversal Server.

    (Diagram labels: Company HQ, Traversal Server, SOHO Users, Road Warriors, VSX 3000, IP Cloud, VSX 3000)

    Solving the problem with a Polycom VBP

    Remote-to-remote dialing uses double the bandwidth at the Traversal Server.

    (Diagram labels: Company HQ, Traversal Server, VSX 3000, IP Cloud, VSX 3000)

    VBP H.460 Traversal Server

    H.460 Benefits
    - Allows for IP calling with legacy firewalls
    - IP and port issues resolved at Traversal Server
    - Simple for registered H.460 endpoints
    - Solves the problem of conferencing with users who are behind a firewall where there is no VBP

    H.460 Considerations
    - Extra bandwidth may be needed at Traversal Server location
    - Requires endpoints to register with the Traversal Server
    - Requires endpoints that support H.460 to work

    Complete Polycom Solution

    Polycom VBP
    - Simplifies - Inter-company video conferencing
    - Resolves - NAT/Firewall traversal problems for Video over IP
    - Protects - Video and Voice devices with an application aware firewall
    - Flexible - Can be deployed as an ALG or Traversal Server (H.460)

    VBP Product Family: Voice and Video Interface Unit
    - 6400 Series: 85 Meg
    - 5300 Series: 10 Meg or 25 Meg
    - 4350: 3 Meg
    - 200 EW: 1 Meg

    VBP Features Review
    - Layer 7 H.323 video and voice aware SPI firewall using ALG technology (application layer gateway)
    - Shortest Path RTP media
    - Router (static routing)
    - Traffic shaping (QoS)
    - H.323 Bandwidth management
    - Video/data aware NAT server

    VBP Application Layer Gateway
    - Dynamic clients access list (DACL)
      - Dynamic provisioning occurs when the endpoint gatekeeper parameters are set to the LAN IP address of the VBP.
      - This registration is then proxied to the PathNavigator for registration confirmation; upon successful registration, the endpoint is now a trusted device on the network.
      - Together with the DACL, the SPI firewall applies security policies to ensure that only traffic destined for an endpoint in the DACL reaches this endpoint from a trusted public connection.
      - The PathNavigator is a trusted device; this device's IP address is configured in the ALG page. Call setup requests will be allowed as long as the final destination is an endpoint in the DACL.
    - IP address and port management for video NAT
      - IP address and IP ports will be changed at Layer 3, 4 and 7
    - Shortest Path RTP media routing

    Layer 7 video aware SPI firewall
    - During Q.931 call set-up, TCP port 1720 is opened dynamically in the VBP, and NAT is performed
    - During H.245 logical channel assignment, ports for RTP media are negotiated and reserved
    - At this time the ALG identifies the source/destination IP and ports associated with the RTP session. It creates an expected state and dynamically opens and then closes these RTP media ports when the session is completed.
    - Provides security for the H.323 core network components and video endpoints
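The DACL and expected-state behaviour described on the two ALG slides above can be sketched as a small model. This is an added example, not Polycom code; the class, method names, addresses and ports are constructed, and the model is simplified to registration, call setup, media pinholes and teardown.

```python
from dataclasses import dataclass, field

Q931_PORT = 1720  # TCP call-setup port named on the slide


@dataclass
class AlgFirewall:
    gatekeeper_ip: str                            # trusted gatekeeper address
    dacl: set = field(default_factory=set)        # registered endpoint IPs
    pinholes: dict = field(default_factory=dict)  # call_id -> {(src, dst, port)}

    def register(self, endpoint_ip, confirmed_by):
        # An endpoint is trusted only after the gatekeeper confirms registration.
        if confirmed_by != self.gatekeeper_ip:
            return False
        self.dacl.add(endpoint_ip)
        return True

    def allow_setup(self, dst_ip, dst_port):
        # Q.931 setup passes only toward an endpoint listed in the DACL.
        return dst_port == Q931_PORT and dst_ip in self.dacl

    def open_media(self, call_id, src, dst, port):
        # H.245 negotiated an RTP port: record the expected flow for this call.
        if dst not in self.dacl:
            return False
        self.pinholes.setdefault(call_id, set()).add((src, dst, port))
        return True

    def allow_rtp(self, src, dst, port):
        # Media passes only if it matches an expected (src, dst, port) state.
        return any((src, dst, port) in f for f in self.pinholes.values())

    def end_call(self, call_id):
        # Session complete: close every pinhole that belonged to the call.
        self.pinholes.pop(call_id, None)


def demo():
    # All addresses and ports below are constructed sample values.
    fw = AlgFirewall(gatekeeper_ip="10.0.0.5")
    fw.register("10.0.0.20", confirmed_by="10.0.0.5")
    out = [fw.allow_setup("10.0.0.20", 1720), fw.allow_setup("10.0.0.99", 1720)]
    fw.open_media("call-1", "203.0.113.7", "10.0.0.20", 49152)
    out.append(fw.allow_rtp("203.0.113.7", "10.0.0.20", 49152))   # expected flow
    out.append(fw.allow_rtp("198.51.100.9", "10.0.0.20", 49152))  # unexpected source
    fw.end_call("call-1")
    out.append(fw.allow_rtp("203.0.113.7", "10.0.0.20", 49152))   # after teardown
    return out
```

The media port is reachable only for the flow recorded during the call and stops being reachable once the call ends, which is the difference from a statically opened port range.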

    VBP Application Layer Gateway (ALG)

    ALG Pros
    - Security (intrinsic firewall)
    - Less costly: no extra bandwidth
    - Ideal for fixed video installations
    - Video endpoint registration not mandatory
    - Flexible dialing

    ALG Cons
    - Requires a VBP where there is a firewall / NAT issue

    Route Media Shortest Path

    (Diagram labels: Edmonton, Calgary, Toronto, Montreal, Shared Gatekeeper. Legend: signaling path, media path)

    VBP Traffic Shaping
    - Class based queues
      - Video or voice: high priority receives poll service over low priority data
      - Devices can be manually placed in high priority queue; however, do this cautiously to ensure you do not oversubscribe the queue
    - Traffic Scheduler to service the queues
    - Traffic Shaper to rate-limit low priority traffic
    - TOS and Diffserv packet marking on egress WAN video RTP packets. TOS value is re-written to 0xb8 and Diffserv AF46
      - Registered H.323 endpoints are classed and marked at layer 3 values, shaped as high priority
      - Data endpoint values are re-written to 0x00 and shaped as low priority.
      - TOS and Diffserv values are hard coded today

    VBP Traffic Shaping, cont'd
    - Congestion management with TCP
      - LAN to WAN: the VBP buffers the received traffic into low-priority queues; when a burst condition occurs, packets are delayed and then dropped
      - WAN to LAN: packets received at a rate higher than the configured value are buffered and delayed to the egress LAN; data to the egress WAN are buffered, delayed and dropped; as a result, the sender and receiver renegotiate TCP window sizes and slow their transmission rates

    VBP Product Family: Traffic Management
    - Traffic shaping
    - Priority queuing
    - Diffserv packet marking
    - Call Admission Control

    (Diagram labels: Voice and Video, Data, T1 WAN Link 1.544 Mbits/sec, High Priority Queue, Low Priority Queue, time, WAN/LAN Link. Annotations: VoIP calls established; data shaped; new calls are blocked; data not starved completely; data allowed to consume available bandwidth as calls are completed.)

    VBP H.323 Bandwidth Management
    - H.323 bandwidth controls (Call Admission Control - CAC)
      - Configures maximum allowed bandwidth for video traffic to egress to the WAN
      - H.323 CAC decrements this value by the bus request (BRQ)
      - This value is configured in the VoIP ALG page and remaining bandwidth can be displayed
      - 20% IP overhead safety margin is also calculated and the remaining usable bandwidth is displayed
    - Working together with classing, queuing and the traffic shaper, H.323 CAC ensures the WAN link will not be over-subscribed by having too many endpoints requesting WAN access
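The admission arithmetic on the slide above, worked through for a T1 link, as an added example rather than Polycom code. It assumes the 20% overhead margin is added to each call's requested rate; the slide does not say exactly how the margin is applied. The names, the 384 kbit/s call rate and the choice to budget the whole T1 for video are constructed.

```python
class CallAdmission:
    """Admission control against a configured maximum video bandwidth."""

    def __init__(self, max_video_bps, overhead_pct=20):
        self.max_video_bps = max_video_bps  # configured WAN egress ceiling
        self.overhead_pct = overhead_pct    # the slide's 20% IP overhead margin
        self.calls = {}                     # call_id -> bandwidth charged (bps)

    def charged(self, requested_bps):
        # Assumption: the margin is added to each call's requested rate.
        return requested_bps * (100 + self.overhead_pct) // 100

    def remaining(self):
        return self.max_video_bps - sum(self.calls.values())

    def admit(self, call_id, requested_bps):
        cost = self.charged(requested_bps)
        if call_id in self.calls or cost > self.remaining():
            return False                    # new call is blocked
        self.calls[call_id] = cost
        return True

    def release(self, call_id):
        # A completed call returns its bandwidth to the pool.
        self.calls.pop(call_id, None)


def t1_scenario():
    # Constructed scenario: whole T1 (1.544 Mbit/s) budgeted for video,
    # every call requesting 384 kbit/s.
    cac = CallAdmission(max_video_bps=1_544_000)
    admitted = [cac.admit(f"call-{i}", 384_000) for i in range(1, 5)]
    left_when_full = cac.remaining()
    cac.release("call-1")
    readmitted = cac.admit("call-5", 384_000)
    return admitted, left_when_full, readmitted
```

Under these assumptions three calls are admitted, the fourth is blocked with 161,600 bit/s left over, and a new call is admitted once one of the first three completes.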

    In Summary

    The Polycom Video Border Proxy (VBP) allows customers to:
    - Enable secure video
    - Bypass firewalls securely
    - Manage bandwidth
    - Connect to remote offices
    - Connect to outside vendors / partners
    - Connect to telecommuters
    - Scale seamlessly

  • Thank You

    Depicts general function of VBP.

    Easy to dial. No registration from the outside. Just dial the extension and the IP address.

    Double the bandwidth, minimize latency.