The benefits of placing a Cisco TelePresence Video Communication Server (Cisco VCS) Expressway in a DMZ rather than in the public internet
Operationally a Cisco VCS Expressway can be placed either in a DMZ or in the public internet and it will communicate with a Cisco VCS Control in the Private Network. However, putting the Cisco VCS Expressway in a DMZ has the following benefits:
- Usually the Cisco VCS Expressway is managed from the Private Network or from a specified IP address or subnet only. By placing the Cisco VCS Expressway in a DMZ, the external firewall can be used to block unwanted IP traffic, including management access requests (for example, http, https, ssh).
- If the DMZ is such that no direct IP connections are permitted between inside and outside networks, requiring dedicated servers to handle traffic that traverses the DMZ, the Cisco VCS can act as that server for SIP and H.323 video and voice traffic. In this case, you would use the Dual Network Interfaces option which allows the Cisco VCS to have two different IP addresses, one for traffic to and from the external firewall, and one for traffic to and from the internal firewall.
- If the Cisco VCS Expressway is in the DMZ, the outside IP address of the Cisco VCS Expressway must be a public IP address, or if static NAT mode is enabled, the static NAT address must be publicly accessible.
- LAN 2 should be used as the public interface of the Cisco VCS Expressway (if the Cisco VCS Expressway is ever clustered, LAN 1 must be used for clustering, and the clustering interface must not be mapped through a NAT).
- The Cisco VCS Expressway may also be used to traverse internal firewalls within an enterprise. In this case the "public" IP address may not be publicly accessible, but is an IP address accessible to other parts of the enterprise.
For more information, see the "Static NAT and Dual Network Interface architectures" section in Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway) Deployment Guide
This article applies to the following products:
- Cisco Video Communication Server
|June 21st, 2012||TAA_KB_196|