Cisco TelePresence IP VCR Series

Configuring the video firewall in an MCU/IP VCR

How do I configure the video firewall in a Cisco TelePresence MCU/IP VCR?

The correct configuration of the video firewall depends very much on the layout of the rest of your network, but here is a basic description.

By default Port B is disabled on the Cisco TelePresence product. The activation of the video firewall feature allows Port B to be enabled. In a video firewall deployment, one of the ports is connected to the local network (typically Port A) and the other (typically Port B because Port B cannot use DHCP) is connected to the Internet. This allows the MCU to host conferences with a mix of participants from the internal and external networks. This does not compromise your network security because the MCU will never route packets between the two ports, not even media packets.

Note: To get H.239 working across the video firewall you do not need to open any special ports: ports for the H.239 logical channel will be chosen from the same range as those for the regular video and audio channels.

Configuring the video firewall

Step one: Activate the video firewall feature
This step is not necessary if you purchased your unit with the feature already activated.

  1. Purchase a video firewall activation key from your reseller.
  2. Log in to the web interface of your unit and go to Settings > Upgrade.
  3. In the Feature management section, enter the activation code and click Update features.

Step two: Configure Port B
This step presumes that you will use Port A to connect to the local network and Port B to connect to the Internet; that is the typical configuration. However, you can connect Port A to the Internet and Port B to the local network (but note that you cannot use DHCP to acquire an IP address on Port B).

For more information about the options in this step, see the online help topic Configuring network settings.

  1. In the web interface of your unit, go to Network > Port B and enable Port B.
  2. Optionally enter a host name for the port. This can make it easier for external users to access the unit. (Note that you would also have to register the chosen name with your DNS server or Internet Service Provider.)
  3. Manually configure the IP settings:
    1. Enter a public IP address and the subnet mask, provided by your Internet Service Provider.
    2. Enter the default gateway, provided by your Internet Service Provider.
    3. Enter DNS details as required.
    4. Click Update IP configuration.

Step three: Configure IP routes
For more information about the options in this step, see the online help topic Configuring IP routes settings.

  1. In the web interface of your unit, go to Network > Routes.
  2. Select the port for DNS preference. Typically this will become Port B.
  3. For traffic which will not go to the default gateway (typically local traffic), create static routes:
    1. Enter the IP address and mask length for the address range of the route.
    2. Select the port to which the route applies (this will usually be Port A, and later you will set Port B to be the default gateway).
    3. Click Add IP route.
    4. Repeat the previous steps as required.
  4. Select which port will be the default gateway for the unit. Typically this is Port B.
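
The routing plan from step three can be checked offline before it is entered in the web interface. The following is an added example, not Cisco code: it assumes the typical layout (Port A local, Port B Internet) and ordinary longest-prefix route selection, and the route list, subnet list and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample plan (assumption): static routes as they would be
# entered under Network > Routes, plus the default gateway port.
STATIC_ROUTES = [("10.20.0.0/16", "A"), ("192.168.50.0/24", "A")]
DEFAULT_GATEWAY_PORT = "B"
# Constructed list of internal subnets that hold endpoints (assumption).
INTERNAL_SUBNETS = ["10.20.4.0/24", "192.168.50.0/24", "172.16.8.0/22"]


def egress_port(dest, routes=STATIC_ROUTES, default_port=DEFAULT_GATEWAY_PORT):
    """Return the port a destination leaves on: the longest matching
    static route wins, otherwise the default gateway port is used."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, port in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, port)
    return best[1] if best else default_port


def uncovered_internal(subnets=INTERNAL_SUBNETS, routes=STATIC_ROUTES,
                       local_port="A"):
    """Internal subnets not fully contained in a static route on the
    local port; their traffic would follow the default gateway instead."""
    local_nets = [ipaddress.ip_network(c) for c, p in routes if p == local_port]
    missing = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(r) for r in local_nets):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    for dest in ("10.20.4.17", "172.16.9.30", "198.51.100.7"):
        print(f"{dest} -> Port {egress_port(dest)}")
    for cidr in uncovered_internal():
        print(f"no static route on Port A for internal subnet {cidr}")
```

Any subnet reported by `uncovered_internal` needs its own static route on the local port; otherwise calls to endpoints in that range are sent to the Internet-facing default gateway.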

You can also define which MCU services (e.g. web interface, incoming H.323 calls, etc.) are available on which ports using the Network > Services page.

This article applies to the following products:

  • Cisco TelePresence IP VCR 2200 / MSE VCR blade
  • Cisco TelePresence MCU 4200 / MSE 8420
  • Cisco TelePresence MCU 4500
  • Cisco TelePresence MSE 8510 blade

April 12th, 2011 TAA_KB_27