This article relates to Cisco TelePresence Video Communication Server Expressway.
Q. Is it best to put the VCS Expressway in a DMZ rather than on the public internet? Why?
A. Operationally, a VCS Expressway can be placed either in a DMZ or on the public internet, and in either case it will communicate with a VCS Control in the Private Network. However, putting the VCS Expressway in a DMZ has the following benefits:
Usually the VCS Expressway is managed from the Private Network or from a specified IP address or subnet only. By placing the VCS Expressway in a DMZ, the external firewall can be used to block unwanted IP traffic, including management access requests (e.g. HTTP, HTTPS, SSH).
If the DMZ permits no direct IP connections between the inside and outside networks, so that dedicated servers are required to handle traffic that traverses the DMZ, the VCS can act as that server for SIP and H.323 video and voice traffic. In this case, you would use the Dual Network Interfaces option, which allows the VCS to have two different IP addresses: one for traffic to and from the external firewall, and one for traffic to and from the internal firewall.
Note: If the VCS Expressway is in the DMZ, the outside IP address of the VCS Expressway must be a public IP address.