Technical White Paper for Traversal of Huawei Videoconferencing Systems Between Private and Public Networks
Huawei Technologies Co., Ltd. All rights reserved.
Contents

1 Overview
2 H.323
3 Firewall
  3.1 Concept
  3.2 Basic Functions
    Packet Filtering
    Proxy Service
    State Inspection
4 NAT
  4.1 Concept
  4.2 Implementation
    Static NAT
    Dynamic NAT
    NAPT
5 SBC
  5.1 Concept
  5.2 Implementation Principles for the Proxy Solution
  5.3 Basic Principles for Implementing NAT Traversal in the Proxy Solution
  5.4 Difference Between the Proxy and NAT
6 H.460
  6.1 Concept
  6.2 Implementation Mode
    Signaling Interworking Process
    Interworking Process of Media Streams
7 Problems and Current Situation of Traversal
  7.1 Problems
    Enabling Ports on the Firewall
    Address Translation for H.323 Packets
    HTTP Proxy Server Mode
  7.2 Current Situation
    Static NAT
    NAT Device Supporting H.323
    Traversal Using H.323 Proxy
8 Huawei Videoconferencing System's Solution to Traversal Between Private and Public Networks
  8.1 Traversal Using SNP
    Implementation Principle
    Networking Applications
  Firewall Traversal in Static NAT Mode
    Network Topology
    Implementation Principle
    Solution Analysis
  FW/NAT Devices (Eudemon) Supporting Transparent H.323 Transmission
    Network Topology
    Implementation Principle
    Solution Analysis
  Traversal by Adding Proxy (SE2000)
    Proxy Mode
    UDP Tunnel Traversal Mode
    Solution Analysis
  Interworking Between Private Networks by Adding VP 8520 MG Devices
    Network Topology
    Implementation Principle
    Solution Analysis
  Interworking Between Private Networks Using Existing MCU Devices
    Network Topology
    Implementation Principle
    Solution Analysis
  Traversal by Adding the H.460 GK Server Function
    Network Topology
    Implementation Principle
Solution Comparison and Proposals
1 Overview

Network address translation (NAT) and firewall devices are deployed at the egress of an intranet to relieve the IPv4 address shortage and to protect the network. This creates a problem for videoconferencing: in H.323 the addresses of the media streams are negotiated dynamically inside the signaling, so the signaling carries the private IP addresses of the terminals. Private addresses cannot be routed on the public network, so the addresses inside the signaling must also be translated. Many NAT/firewall devices do not perform this translation, which makes videoconferencing services difficult to deploy, and NAT/firewall traversal must therefore be implemented by other means.

Multiple NAT traversal solutions exist, for example the application layer gateway (ALG), simple traversal of UDP through NAT (STUN), Middlebox communications (MIDCOM), the session border controller (SBC) proxy, super network passport (SNP), tunnels, and H.460. As a leading network solution provider, Huawei implements NAT traversal for videoconferencing using the ALG (Eudemon firewall), SNP, the SE2000, the MG8520, MCUs that support the video firewall function, and gatekeepers (GKs) that support H.460.
2 H.323

Most videoconferencing systems currently use the H.323 protocol suite (including H.225, H.245, and Q.931) specified by the International Telecommunication Union Telecommunication Standardization Sector (ITU-T). H.323 was defined early and has found wide commercial application: Microsoft Corporation's NetMeeting uses the mature H.323 protocol, and telecom enterprises in China usually use H.323 when implementing voice over Internet Protocol (VoIP).

H.323 defines a protocol set for flexible, real-time, interactive multimedia communication on a packet-based network (PBN). It describes the protocols and devices that provide multimedia communication services (including real-time audio and data communication) on PBNs without QoS guarantee. H.323 defines four types of components: terminal, gateway, GK, and multipoint control unit (MCU). H.323 is a major protocol for video communication, and H.323 networks include terminals, gateways, GKs, and MCUs. The functions of gateways, GKs, and MCUs are as follows:

- GKs monitor all H.323 calls in their zone on the local area network (LAN). A GK provides two major services: call admission and address resolution. All H.323 clients in the zone of the GK originate calls with the assistance of the GK, and the GK decides whether a call is admitted based on the currently available bandwidth.
- Gateways provide interworking between heterogeneous networks. For example, a gateway must be placed between a PSN and a telephone network to translate protocols and data.
- MCUs provide multipoint conferencing for multiple participants. An MCU coordinates the media communication capabilities of all participants and provides audio mixing and video selection for the endpoints.

This document describes the H.323 communication process using point-to-point H.323 communication as an example. A and B are the two endpoints: endpoint A is located outside the firewall and endpoint B inside the firewall. Figure 2-1 shows the H.323 communication process.

Figure 2-1 H.323 communication process (between A and B: Setup, CallProceeding, Alerting, and Connect carrying the H.245 address, all Q.931 over TCP; capability exchange, master-slave determination, OpenLogicalChannel carrying the RTCP address, and OpenLogicalChannelAck carrying the RTCP and RTP addresses, all H.245 over TCP; then the RTCP and RTP streams over UDP)

The process is as follows:

1. Endpoint A establishes a connection to the well-known H.323 port (1720) of endpoint B.
2. Endpoints A and B exchange Q.931 packets on this connection. Endpoint B sends endpoint A the dynamic port to be used for establishing the H.245 connection (the H.245 Address field carried in the CONNECT packet).
3. Endpoint A establishes the H.245 connection on the temporary port negotiated in the Q.931 exchange. H.245 negotiates all call parameters, for example the encoding and decoding algorithms. After negotiation, the H.245 session starts the OpenLogicalChannel procedure, which negotiates the Real-Time Transport Protocol (RTP) and Real-Time Transport Control Protocol (RTCP) addresses used for the specified media streams (such as audio or video): the RTP Address field of the OpenLogicalChannel packet and the RTCP&RTP Address field of the OpenLogicalChannelAck packet.
4. Media streams are exchanged between the two endpoints until the session ends.
3 Firewall

3.1 Concept

A firewall blocks unauthorized or unverified access from the Internet to the protected network, while allowing users on the internal network to browse web pages and send and receive e-mails on the Internet. A firewall can also act as a permission control point for Internet access; for example, it can allow only specific persons in an organization to visit the Internet. Many firewalls now have other features, such as identity authentication and information security (encryption) processing. Figure 3-1 shows the position of the firewall.

Figure 3-1 Position of the firewall (the Internet, the firewall, and an Ethernet segment with PCs and a server)

Firewalls are used not only for connecting to the Internet but also for protecting important devices and resources (data) within an organization. Access to protected data must be filtered by the firewall even when it comes from inside the organization. When an external user accesses resources on the intranet, the firewall attempts to authenticate the access; when an intranet user accesses external resources, the firewall also attempts to authenticate the access. A firewall is therefore a guard that discards prohibited packets.

3.2 Basic Functions

Packet Filtering

Packet filtering is the method of filtering on IP packet headers. The firewall decides whether to pass a packet by inspecting the IP packet header together with the TCP or UDP header. You can permit or prohibit packets with a given source or destination address, permit or prohibit packets to certain ports, or define criteria that combine the two policies. Packet filtering costs considerable manpower during firewall configuration. Configuration methods vary between firewalls: some are configured with command lines, others with graphical interfaces. The content of a rule is similar everywhere and can be summarized as:

permit/prohibit, source address, destination address, protocol (tcp/udp), port (destination port)

For example, a rule of the form "permit host udp" (with the host addresses in between) permits UDP packets from one host to another. In this example only three of the four tuple factors (source address, source port, destination address, destination port) are used, because most source ports are randomly allocated when a connection is established; the firewall therefore does not filter on source ports. For each packet to be forwarded by the router, the firewall:

- obtains the packet header information, including the protocol number of the upper-layer protocol carried by the IP layer, the source and destination addresses, and the source and destination ports;
- compares the obtained information with the configured rules;
- forwards or discards the packet based on the comparison result.

Proxy Service

Firewalls are configured with a proxy function. Some firewalls implement an application-layer proxy (similar to a web proxy); others are configured with common NAT or network address port translation (NAPT). Although most firewalls are configured with NAT or NAPT, a firewall does not necessarily perform NAT: when people say that a device is located behind a firewall, NAT translation may or may not be performed.

State Inspection

State inspection means that the firewall filters packets based not only on the packet header information but also on the application-layer protocol above layer four. State inspection is also called application specific packet filter (ASPF) or context-based access control (CBAC). At present most firewalls provide state inspection. For example, if an FTP server behind the firewall is to provide external services, only TCP port 21 needs to be opened statically, because the other ports are opened dynamically during the FTP session.
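The following is an added illustration, not code from the white paper or from any Huawei product: a minimal packet filter with the rule shape described above (permit/prohibit, source address, destination address, protocol, destination port), combined with a state table that admits the return traffic of sessions opened from the inside. The rules, addresses and packets are constructed for the example; the last packet in the scenario shows why a dynamically allocated port (an FTP data port or, later in this document, an H.323 media port) stays blocked unless something opens it.

```python
# Added example: static packet filtering plus state inspection.
# All addresses, rules and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "prohibit"
    src: str              # CIDR prefix or single address, or "any"
    dst: str              # CIDR prefix or single address, or "any"
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None matches any destination port


def _in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Only three of the four tuple fields are compared: the source port is
    chosen at random by the client, so the filter ignores it."""
    return (_in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst)
            and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport))


class StatefulFilter:
    """Static rules plus state inspection: an outbound packet that a rule permits
    records the session, and replies belonging to that session are admitted
    without any static inbound rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt: Packet, direction: str) -> str:
        if direction == "in":
            # Reverse the tuple so that a reply maps onto the session it answers.
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return "permit"
        for rule in self.rules:                 # first matching rule wins
            if rule_matches(rule, pkt):
                if rule.action == "permit" and direction == "out":
                    self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "prohibit"                       # implicit default: drop


def demo():
    """Constructed scenario: LAN 192.168.1.0/24 may browse the web, and the FTP
    server 192.168.1.10 is reachable from outside on TCP port 21 only."""
    fw = StatefulFilter([
        Rule("permit", "192.168.1.0/24", "any", "tcp", 80),
        Rule("permit", "any", "192.168.1.10", "tcp", 21),
    ])
    return [
        fw.decide(Packet("192.168.1.5", 40000, "203.0.113.7", 80, "tcp"), "out"),    # web request
        fw.decide(Packet("203.0.113.7", 80, "192.168.1.5", 40000, "tcp"), "in"),     # its reply
        fw.decide(Packet("203.0.113.7", 80, "192.168.1.5", 40001, "tcp"), "in"),     # unsolicited
        fw.decide(Packet("198.51.100.4", 51000, "192.168.1.10", 21, "tcp"), "in"),   # FTP control
        fw.decide(Packet("198.51.100.4", 51001, "192.168.1.10", 5004, "tcp"), "in"), # dynamic port
    ]


if __name__ == "__main__":
    print(demo())
```

The reply to the web request passes only because the outbound packet was recorded as a session; the same reply with an unmatched port is dropped, and the packet to the dynamic FTP data port is dropped because no rule and no session covers it. A firewall that understands the application protocol (the ALG behaviour described later for H.323) is what would add that pinhole.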
4 NAT

4.1 Concept

With the wide use of IP networks, more and more devices run TCP/IP, and IPv4 addresses have become seriously insufficient. NAT translates between private addresses and public addresses. A private address is a host address inside a network (inside the LAN); a public address is an address outside the LAN (a globally unique IP address on the Internet). The Internet Corporation for Assigned Names and Numbers (ICANN) specifies three network segments as private addresses. Addresses in these three segments are not allocated on the Internet, but they can be used inside an enterprise (LAN).

4.2 Implementation

Static NAT

Static NAT translates private addresses to Internet addresses in one-to-one mode: an address on the private network is always translated to the same fixed Internet address. Figure 4-1 shows the translation in static NAT mode.

Figure 4-1 Translation in static NAT mode (three private addresses are each translated to a fixed public address)

In static NAT mode the source address changes but the source port does not, and the address mapping is fixed.

Dynamic NAT

Dynamic NAT translates multiple private addresses to multiple public addresses, but the mapping is not fixed: a private address may be translated to a different public address the next time. The set of public addresses is usually called the NAT pool. Figure 4-2 shows the translation in dynamic NAT mode.

Figure 4-2 Translation in dynamic NAT mode (three private addresses are translated to addresses taken from the public address pool)

In dynamic NAT mode the source address changes but the source port does not, and the address mapping changes over time.

NAPT

NAPT, also known as NAT overloading, translates multiple private addresses to one public address with different source ports; the ports distinguish the connections. Figure 4-3 shows the translation in NAPT mode.

Figure 4-3 Translation in NAPT mode (three private addresses are mapped to one public address, and the connections are distinguished by port number)

In NAPT mode both the source address and the source port change, and both the address mapping and the port mapping change.
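As an added example (not from the white paper), the three NAT modes above can be simulated side by side. The pool, addresses and ports are constructed; the point is to see which parts of the source tuple each mode changes, that a dynamic NAT may hand the same host a different address on its next session (and can run out of addresses), and that NAPT needs a reverse table to deliver inbound packets.

```python
# Added example: static NAT, dynamic NAT and NAPT as small translation tables.
# All addresses and ports are constructed for illustration.
from itertools import count


class StaticNat:
    """One-to-one, fixed mapping: the source address changes, the port does not."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)          # private ip -> public ip

    def translate(self, src_ip, src_port):
        return self.mapping[src_ip], src_port


class DynamicNat:
    """Addresses are taken from a pool and returned to it when the session ends,
    so the same host may receive a different public address next time."""

    def __init__(self, pool):
        self.free = list(pool)
        self.bindings = {}                    # private ip -> public ip

    def translate(self, src_ip, src_port):
        if src_ip not in self.bindings:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")   # real failure mode of a small pool
            self.bindings[src_ip] = self.free.pop(0)
        return self.bindings[src_ip], src_port

    def release(self, src_ip):
        self.free.append(self.bindings.pop(src_ip))


class Napt:
    """NAT overloading: many private (ip, port) pairs share one public address
    and are told apart by the public port allocated to each connection."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = count(first_port)
        self.bindings = {}                    # (private ip, private port) -> public port
        self.reverse = {}                     # public port -> (private ip, private port)

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.bindings:
            pub_port = next(self.next_port)
            self.bindings[key] = pub_port
            self.reverse[pub_port] = key
        return self.public_ip, self.bindings[key]

    def untranslate(self, dst_port):
        """Inbound direction: map the public port back to the private host and port."""
        return self.reverse.get(dst_port)


def demo():
    """Run the same three private hosts through each mode and collect the results."""
    hosts = [("10.0.0.1", 5000), ("10.0.0.2", 5000), ("10.0.0.3", 6000)]
    results = {}

    static = StaticNat({"10.0.0.1": "203.0.113.1",
                        "10.0.0.2": "203.0.113.2",
                        "10.0.0.3": "203.0.113.3"})
    results["static"] = [static.translate(ip, port) for ip, port in hosts]

    dynamic = DynamicNat(["203.0.113.10", "203.0.113.11"])
    first = dynamic.translate("10.0.0.1", 5000)
    dynamic.release("10.0.0.1")               # session ends; address returns to the end of the pool
    second = dynamic.translate("10.0.0.1", 5000)
    results["dynamic"] = [first, second]      # same host, different public address

    napt = Napt("203.0.113.20")
    results["napt"] = [napt.translate(ip, port) for ip, port in hosts]
    results["napt_reverse"] = napt.untranslate(20001)
    return results


if __name__ == "__main__":
    for mode, value in demo().items():
        print(mode, value)
```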
5 SBC

5.1 Concept

An SBC is a gateway based on the proxy solution that supports IP services. The SBC proxies both signaling and media streams (it supports H.323 and can parse and process H.323 packets for H.323-based videoconferencing services). The SBC processes all call packets and media streams, forwards them in the specified direction, and reassigns the receiving addresses and ports of users on the internal and external networks. It implements address translation between network domains, including translation between private and public addresses in a NAT environment. In conjunction with GKs and MCUs, the SBC provides the functions required to deploy videoconferencing services, such as NAT traversal, security, QoS, and connectivity. As a convergence-layer device, it provides security protection, QoS assurance, and terminal access management for important devices.

5.2 Implementation Principles for the Proxy Solution

Figure 5-1 shows the basic principles of the proxy solution.

Figure 5-1 Basic principles of the proxy solution (network user, proxy server, and destination server, each with application, transport, network, data link, and physical layers)

Usually the proxy operates at the application layer and processes specific application protocols. When a client accesses the destination server through the proxy, the communication process is as follows:

1. The client communicates with the proxy. The proxy receives the data sent by the client and processes it.
2. The proxy sends the processed data to the destination server.

When the destination server returns data to the client, the process is as follows:

3. The destination server returns the data to the proxy.
4. The proxy sends the data to the client.

That is, the proxy is the only device that the client and the destination server each communicate with directly.

5.3 Basic Principles for Implementing NAT Traversal in the Proxy Solution

Based on this principle, if the proxy is placed in the position of the NAT device, the user and the proxy are on the same network, and the destination server and the proxy are on the same network. NAT traversal is then implemented by the proxy processing the related service data. As shown in Figure 5-2, the SBC (proxy) sits on the boundary between the public and private networks (the position of the NAT device); the terminals are on the private network, and the MCU and GK are on the public network.

Figure 5-2 Networking for implementing NAT traversal using the proxy (terminal 1 and terminal 2 on the private network, the SBC on the boundary, and the MCU and GK on the public network)

In H.323-based videoconferencing services, the proxy works as follows:

1. Terminals register with the GK through the proxy. By the basic principle of the proxy, the GK address configured on the terminals is the SBC (proxy) address, and the terminal address displayed on the GK is also the SBC (proxy) address.
2. When a terminal on the private network calls the MCU, the call reaches the proxy as required by H.323. The proxy parses the call signaling and processes the address and port of the audio and video media streams (RTP/RTCP) carried in it:
   - The proxy records the RTP/RTCP address and port of the terminal on the private network.
   - The proxy changes the private RTP/RTCP address to a public IP address of the proxy and changes the media stream port to the external port allocated on the proxy.
   - The proxy maps the private RTP/RTCP address/port to the proxy's public RTP/RTCP address/port.
   - The proxy sends the call signaling to the MCU.
3. The MCU receives call signaling in which the audio and video media addresses and ports are those of the proxy.
4. After signaling processing, the terminal on the private network sends its media streams to the proxy, which forwards them to the MCU according to the RTP/RTCP mapping. In the same way, the MCU sends media streams to the terminal on the private network through the proxy.

This completes NAT traversal using the proxy. The SBC (proxy) can be combined with tunnel technology to further improve the NAT traversal solution. Figure 5-3 shows the typical networking.

Figure 5-3 Typical networking for implementing NAT traversal using the proxy and the tunnel technology (terminal 1 and terminal 2 on the private network)

5.4 Difference Between the Proxy and NAT

The proxy and the NAT device occupy the same position, but their implementation principles differ:

1. The NAT device operates at the network layer and translates IP addresses and port numbers. The proxy operates at the application layer and must support the specific application protocol, for example H.323.
2. The NAT device is transparent in actual applications: video terminals cannot detect it. The proxy is not transparent: video terminals must know its address, and the GK IP address configured on the terminals must be the proxy IP address.
3. From the user's point of view, the proxy provides the NAT function.
6 H.460

6.1 Concept

H.460 is a firewall/NAT traversal standard approved by the ITU. It includes two sub-recommendations, one defined by Tandberg and one defined by Radvision: the first is responsible for the traversal of H.323 call signaling, and the second for the traversal of media data. H.460 is a series of extensions to the H.323 protocol stack that lets H.323 calls traverse the firewall/NAT without changing the ASN.1 descriptions in H.225.

Before the emergence of H.460, H.323-based modem over IP (MoIP) applications already had to traverse network boundaries, and enterprises used their own firewall/NAT traversal solutions, which were incompatible with each other; IP communication between enterprises was therefore difficult. H.460 resolves this compatibility problem: with a unified standard, IP communication between enterprises is easy, and network service providers of MoIP applications and users of MoIP services gain a wide choice of products, flexible deployment solutions, and low investment and maintenance cost.

6.2 Implementation

H.460 implements multi-boundary traversal and simplifies the network interconnection of MoIP applications without changing the original firewall/NAT. H.460 must be implemented on both a client and a server.

The client is placed on the internal network behind the firewall. It can be a standalone device or be integrated into standard H.323 terminals. The client acts as a proxy that sends the registration and call signaling of the H.323 terminals on the internal network to the server on the external network, and it establishes and maintains a signaling and control channel to the server.

The server is placed on the public network outside the firewall; it can be located in the demilitarized zone (DMZ) of the intranet or on the networks of the service provider. The server acts as a GK proxy that forwards the registration and call signaling sent by the client to the central GK.

Signaling Interworking Process

Figure 6-1 shows the signaling interworking process between a terminal on the private network and a terminal on the public network (TS denotes the H.460 server).

Figure 6-1 Signaling interworking process:
- Standard SCI message (to the private network): notifies the private network of a call from the public network and requests it to establish a TCP channel.
- Standard SCR message (from the private network): the message has been received and a TCP channel will be established.
- The TCP connection for the call channel is established by the private network.
- ARQ message for placing a call to the private network; standard ACF message: the TS receives the message and returns a TS calling address to which the call can be placed.
- SETUP message for placing a call to the TS; standard Facility message: a TCP connection has been established and the call can now be placed.
- SETUP message for placing a call to the private network; CONNECT message of the private network; standard Facility message; CONNECT message of the TS: an H.245 address is given, and the H.245 TCP channel is established based on it.
- The H.245 TCP connection is established; an H.245 indication message from the terminal on the private network notifies the TS which call the H.245 channel belongs to.
- TCS and MSD between the TS and the public network; TCS and MSD between the TS and the private network.

Huawei implements calls between private and public networks according to H.460. The TCP channels for calls are established by the terminals on the private network, and terminals on both the private and public networks use standard H.323 call signaling.

Interworking Process of Media Streams

Figure 6-2 shows the interworking process of media streams between a terminal on the private network, the NAT/NAPT device, and a terminal on the public network.

Figure 6-2 Interworking process of media streams:
- OLC message opening the logical channel from the public network to the private network. The message contains the keepalive field, the keepalive port, and the keepalive duration.
- RTP keepalive streams are sent from the port of the terminal on the private network to the port of the terminal on the public network.
- Media streams flow from the public network to the private network.
- Within each keepalive duration, RTP keepalive streams are sent again from the port of the private terminal to the port of the public terminal.
- RTCP RR and SR packets flow from the private network to the public network and from the public network to the private network.

A port for media streams between the public and private networks is opened by the H.460 keepalive packets, and the port is kept open by the subsequent periodic keepalive packets.
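The following added example (not from the white paper) shows why the periodic keepalive in Figure 6-2 matters. It models a UDP binding table of a NAT/NAPT device that, as an assumption, refreshes a binding only on outbound packets and only admits inbound packets from the peer the binding was opened towards; the idle timeout, the keepalive interval and all addresses are constructed. Without the keepalives the binding expires and the public terminal's media stops arriving part-way through the call.

```python
# Added example: a NAT/NAPT UDP binding table kept alive by H.460-style
# keepalive packets from the private terminal. Timeouts, intervals and
# addresses are constructed; refresh-on-outbound-only is an assumption about
# the NAT's behaviour.


class UdpBindingTable:
    def __init__(self, public_ip, idle_timeout, first_port=30000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        self.bindings = {}   # (private ip, port) -> [public port, peer (ip, port), last outbound time]
        self.by_port = {}    # public port -> (private ip, port)

    def _expire(self, now):
        stale = [k for k, b in self.bindings.items() if now - b[2] >= self.idle_timeout]
        for key in stale:
            self.by_port.pop(self.bindings.pop(key)[0])

    def outbound(self, now, src, peer):
        """Private terminal sends a packet (media or keepalive) towards `peer`;
        this creates or refreshes the binding and returns the public (ip, port)."""
        self._expire(now)
        if src not in self.bindings:
            self.bindings[src] = [self.next_port, peer, now]
            self.by_port[self.next_port] = src
            self.next_port += 1
        self.bindings[src][2] = now
        return self.public_ip, self.bindings[src][0]

    def inbound(self, now, public_port, sender):
        """Public terminal sends to one of the NAT's public ports; returns the
        private destination, or None when the packet is dropped."""
        self._expire(now)
        src = self.by_port.get(public_port)
        if src is None or self.bindings[src][1] != sender:
            return None
        return src


def simulate(keepalive_interval, idle_timeout=30, duration=60):
    """Count the media packets (one per second) from the public terminal that
    reach the private terminal when the private terminal sends a keepalive
    every `keepalive_interval` seconds. None means only the initial keepalive
    triggered by the OLC message is sent."""
    nat = UdpBindingTable("198.51.100.1", idle_timeout)
    private_rtp = ("10.1.1.20", 40000)
    public_rtp = ("203.0.113.9", 50000)
    _, public_port = nat.outbound(0, private_rtp, public_rtp)   # first keepalive opens the port
    delivered = 0
    for t in range(1, duration + 1):
        if keepalive_interval and t % keepalive_interval == 0:
            nat.outbound(t, private_rtp, public_rtp)             # periodic keepalive refreshes it
        if nat.inbound(t, public_port, public_rtp) == private_rtp:
            delivered += 1
    return delivered


if __name__ == "__main__":
    print("no keepalive:", simulate(None), "of 60 media packets delivered")
    print("keepalive every 10 s:", simulate(10), "of 60 media packets delivered")
```

With a 30 s idle timeout, the call without keepalives loses every media packet after the 29th second, while a keepalive sent every 10 s keeps all 60 flowing. The peer check in `inbound` also shows that the opened port is not a general hole: packets from any other public address to that port are still dropped.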
7 Problems and Current Situation of Traversal Between Private and Public Networks

7.1 Problems

This section describes the problems faced by users in LAN access mode when they want to deploy videoconferencing services.

Enabling Ports on the Firewall

Firewalls perform packet filtering and state inspection. In the configuration of the firewall on the user side, all ports are therefore closed except the well-known ports required to provide intranet services (such as HTTP port 80). This ensures network security. For video communication the firewall must support H.323, and if it does, its H.323 support must be enabled: when the firewall receives a call from the public network, it dynamically opens the ports required for the H.323 communication, and when the call ends (which the firewall detects automatically from the H.323 signaling) it closes all ports that were opened dynamically for the call. This keeps the network secure against attackers.

If the firewall does not support H.323, the following service ports must be opened on it so that media streams can be transmitted to the network:

- RAS registration signaling: based on UDP, on its well-known port.
- Q.931 call signaling: based on TCP, on its well-known port (1720, as noted in Chapter 2).
- H.245 control signaling: based on TCP, on a range of ports starting at port 1320.

For IP voice and video media streams, many further ports must be opened to receive the call control information used to set up the voice and video channels, and these ports are allocated dynamically. Network administrators would therefore have to open all ports on the firewall for audio and video communication, which makes the firewall meaningless; few enterprises do this, because of network security.

Address Translation for H.323 Packets

On a private network, access for common services is handled by the firewall. However, the structure of H.323 IP packets in videoconferencing applications differs from that of other applications: in H.323 IP packets the IP addresses contained in both the packet header and the packet body must be translated. If the firewall supports H.323, it translates the addresses contained in H.323 packets automatically. In actual applications, however, most firewalls do not fully support H.323, and enabling the H.323 function of the firewall leads to H.323 communication problems.

HTTP Proxy Server Mode

Certain LANs provide Internet access only through an HTTP proxy server. The HTTP proxy uses buffering to store HTTP web pages and has the following limitations:

- It is not applicable to real-time traffic.
- TCP connections between the internal and external networks are not supported.
- Transmission of UDP packets is not supported.

These limitations affect the transmission of H.323 packets. An enterprise is therefore advised to use a router with NAT as its direct access mode and to deploy firewall devices (such as NetScreen, Checkpoint, or Huawei Eudemon) on the internal network side of the egress router to implement IP videoconferencing services.

7.2 Current Situation

The preceding problems challenge traversal between private and public networks in H.323 video communication. This section describes the common methods in the industry.

Static NAT

When there are only a few video terminals on the private network and the corresponding public addresses can be provided, static NAT can be used. With static NAT, the IP addresses of terminals on the private network are mapped one-to-one to public addresses.

1. Application scope: terminals on the private network can interwork with terminals on the public network, and terminals on one private network can interwork with terminals on another private network.
2. Limitations and requirements:
   - The terminals must support static NAT.
   - The number of IP addresses in the public address pool of the firewall must be at least the total number of terminals on the private network; that is, a private network using videoconferencing services consumes a large number of public addresses.
   - The firewall must be configured to map the IP addresses of the terminals on the private network one-to-one to public addresses, and the related ports of the mapped public IP addresses must be opened.

NAT Device Supporting H.323

A large number of user networks use dynamic NAT or NAPT. In this networking mode, a common NAT device causes problems both when a terminal on the private network calls a terminal on the public network and when a terminal on the public network calls a terminal on the private network.

(Figure: terminal 1 on the private network and terminal 2 on the public network, each with an RTP transmitting port and an RTP receiving port, separated by a common NAT device)

1. A terminal on the private network calls a terminal on the public network. The terminal on the private network obtains the IP address of the public terminal from the GK. However, because of how H.323 handles video and audio RTP streams, the RTP receiving port and the transmitting port of a terminal are configured in different places. The public terminal (with its public IP address) can receive the RTP streams sent by the private terminal, but the RTP streams sent by the public terminal cannot pass the NAT device, because the NAT device does not translate the IP address carried in the signaling. The result is one-way audio.
2. A terminal on the public network calls a terminal on the private network. The called address is the public address mapped to the address of the private terminal, but the NAT device does not translate H.323, so the call cannot be established.

Conclusion: if the two terminals are located inside and outside a firewall that performs common NAT, calls from the private terminal to the public terminal suffer one-way audio, and calls from the public terminal to the private terminal cannot be established.

Huawei Eudemon supports dynamic NAT for H.323 and can translate H.323 IP streams. Its advantages are as follows:

- Terminals on the enterprise LAN act as terminals on the public network, so terminals inside the enterprise can interwork with external terminals.
- Network security is maintained: whether the device is connected in parallel or in series, the original network security structure is not affected.
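The one-way audio described above, as an added example that is not part of the white paper: the H.323 messages are reduced to the single field that matters here, the RTP receiving address carried in the OpenLogicalChannel body. `CommonNat` models a device that translates only the IP header, and `H323AwareNat` models what the Eudemon ALG, or the SBC proxy of Section 5.3, does instead. The addresses, ports and the set of publicly routable hosts are constructed for the example.

```python
# Added example: a common NAT versus an H.323-aware NAT/proxy on a call from a
# private terminal to a public terminal. Addresses and ports are constructed.
from itertools import count


class CommonNat:
    """Translates only the IP header. The RTP address inside the H.323 body is
    passed through untouched, so the public peer learns a private address."""

    def __init__(self, public_ip):
        self.public_ip = public_ip

    def forward_olc(self, olc):
        return dict(olc)

    def inbound_media(self, dst_ip, dst_port):
        return None   # nothing was mapped for inbound media


class H323AwareNat(CommonNat):
    """ALG / proxy behaviour: rewrites the RTP address in the body to its own
    public address and an allocated port, and remembers the mapping so that
    media arriving on that port is forwarded to the private terminal."""

    def __init__(self, public_ip, first_port=30000):
        super().__init__(public_ip)
        self.ports = count(first_port)
        self.media_map = {}   # public port -> (private ip, private port)

    def forward_olc(self, olc):
        pub_port = next(self.ports)
        self.media_map[pub_port] = (olc["rtp_ip"], olc["rtp_port"])
        return {"rtp_ip": self.public_ip, "rtp_port": pub_port}

    def inbound_media(self, dst_ip, dst_port):
        if dst_ip == self.public_ip:
            return self.media_map.get(dst_port)
        return None


def place_call(nat, private_ip="10.1.1.20", private_rtp_port=40000, public_peer="203.0.113.9"):
    """Private terminal calls a public terminal through `nat`. Returns
    (media reaches the public terminal, media reaches the private terminal)."""
    public_routes = {public_peer, nat.public_ip}   # what the public network can route to
    olc = nat.forward_olc({"rtp_ip": private_ip, "rtp_port": private_rtp_port})
    # Outbound RTP: the NAT rewrites the header source to its public address and
    # the destination is the public peer, so this direction works in both modes.
    to_public = public_peer in public_routes
    # Return RTP: the public peer sends to the address it read from the OLC body.
    target_ip, target_port = olc["rtp_ip"], olc["rtp_port"]
    if target_ip not in public_routes:
        to_private = False   # a private address is unroutable: one-way audio
    else:
        to_private = nat.inbound_media(target_ip, target_port) == (private_ip, private_rtp_port)
    return to_public, to_private


if __name__ == "__main__":
    print("common NAT:     ", place_call(CommonNat("198.51.100.1")))
    print("H.323-aware NAT:", place_call(H323AwareNat("198.51.100.1")))
```

With the common NAT the OLC body still says `10.1.1.20:40000`, so the public terminal addresses its RTP to a host the public network cannot reach; with the H.323-aware device the body says `198.51.100.1:30000`, the device holds the reverse mapping, and media flows both ways.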
23 7 Problems and Current Situation of Traversal Between Private and Public Networks Traversal Using H.323 Proxy At present, free H.323 proxy software is available on the Internet. That is, a PC is used as the proxy device in the egress of the firewall. In this mode, an H.323 proxy must be configured outside each firewall and the proxy must be configured with the public IP address, as shown in Figure 7-1. Figure 7-1 Traversal between private and public networks using H.323 proxy Operation support system Private network Convergence layer Private network Private network On the firewall, configurations must be performed to allow the proxy to communicate with the external. The proxy must know the public addresses of other proxies, and can determine the proxy that manages the terminal based on the broadband number of the terminal. To improve the private network security, the private network side of the proxy device can be configured as limited known port numbers. On the private network, the H.323 entity and the proxy communicates by using the known ports. The H.323 proxy can be used to resolve the NAT translation problem; however, the H.323 proxy brings the following problems: 1. Each private network must be configured with an H.323 proxy. Proxies are located on user networks. Therefore, telecom operators cannot maintain proxies. 2. All H.323 proxies must be configured with public addresses and must know the public addresses of other proxies. This brings difficulties to telecom operators and the operation cannot be performed. 3. Usually common PCs serve as H.323 proxies and audio and video code streams pass the H.323 proxy simultaneously. In this case, the transmission of code streams may be delayed on the proxy and affected by the PC performance. 20
4. H.323 proxies run on PC operating systems, so they are exposed to viruses and attackers; the security weaknesses of the Windows system make the proxy host itself a weak point.
8 Huawei Videoconferencing System's Solution to Traversal Between Private and Public Networks

8.1 Traversal Using SNP

Huawei uses the super network passport (SNP) technology to implement traversal between private and public networks without deploying additional network devices.

Implementation Principle

Figure 8-1 shows the implementation principle of traversal using SNP.

Figure 8-1 Implementation principle of traversal using SNP (terminals on private network 1 behind an FW/NAT and terminals on public network 1 behind a FW, both reaching the service provider's MCU and GK over the public IP network; the figure distinguishes the normal call, the redirected call, and the redirected code stream)
Basic principle

Terminals on the private and public networks communicate with each other as required by the protocol. When a terminal on the private network calls a terminal on the public network and the call is established, the public-network terminal receives the RTP code stream from the private-network terminal correctly, but the private-network terminal does not receive the RTP code stream from the public-network terminal within a certain period. During this period the private-network terminal uses a proprietary protocol to request that the public side communicate with it behind the NAT. The network devices process the request and redirect the code stream setup, and in this way the media stream between the private and public networks is established.

Networking Applications

Point-to-point networking without a GK

Figure 8-2 shows point-to-point networking without a GK.

Figure 8-2 Point-to-point networking without a GK (terminal A on the private network, a firewall, terminal C on the public network)

Solution: With SNP, terminal A on the private network calls terminal C on the public network directly by IP address. No change to the terminals or the network is required (for firewalls with a high security level, some of the communication ports specified in the protocol must be opened).

Point-to-point networking with a GK

Figure 8-3 shows point-to-point networking with a GK.

Figure 8-3 Point-to-point networking with a GK (terminal A on the private network, a firewall, terminal C and the GK on the public network)

Solution: Terminals on both the private and public networks register with the GK using SNP. The private-network terminal can therefore register with the GK on the public network, and terminals A and C can call each other without obstruction.
In addition, no change to the terminals or the network is required.
Networking with one private network and two public networks

Figure 8-4 shows networking with one private network and two public networks.

Figure 8-4 Networking with one private network and two public networks (terminals A and B on the private network behind a firewall; terminal C, the GK, and the MCU on one public network; terminal D on the other public network)

Solution: SNP provides point-to-point communication between terminals on the private and public networks, that is, between terminals A and B and terminal C, and between terminal D and terminal C. A conference with participants from multiple private and public networks can then be held using the Multipoint Control Unit (MCU). This solution applies to operation networks.

Networking with two private networks and one public network

Figure 8-5 shows networking with two private networks and one public network.

Figure 8-5 Networking with two private networks and one public network (terminal D on one private network behind Eudemon 1 and a firewall; terminals A and B on another private network behind a firewall and Eudemon 2; terminal C, the GK, and the MCU on the public network)
Solution: Because private networks cannot be routed to each other directly, SNP alone cannot provide point-to-point calls between terminals on different private networks (such calls can still be made through the MCU). A Eudemon device can be added to the network instead; this networking is regarded as the standard IP address operation solution. Here Eudemon 1 can serve as a standby device: when terminal D communicates with terminals A and B, Eudemon 1 is not needed, but when terminal D communicates with other terminals on the same private network and there is no Eudemon device at the private network egress, Eudemon 1 must be used. With this solution any terminals can communicate with each other and take part in a multipoint conference held on the MCU. The Eudemon device can also serve as the firewall where none is deployed, which makes the networking simpler and more cost-effective.

8.2 Firewall Traversal in Static NAT Mode

If the FW/NAT cannot recognize H.323, terminals can be connected to the network in static NAT mode.

Network Topology

Figure 8-6 shows the network topology in static NAT mode.
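The static mappings this section relies on, and the one-public-address limitation it names, can be made concrete with a small planner. This is an added example written for this white paper, not Huawei's router or terminal configuration. RAS (1719/udp) and H.225.0 call signaling (1720/tcp) are the H.323 well-known ports; the H.245 and RTP/RTCP ranges are assumptions standing in for whatever the real terminal is configured with, and the rule text uses Linux netfilter syntax only to make the mappings readable, since the page does not say what router is used.

```python
"""Static NAT plan for H.323 terminals, showing the one-public-address limit.

Added example; not Huawei's router or terminal configuration. RAS (1719/udp)
and H.225.0 call signaling (1720/tcp) are the H.323 well-known ports. The H.245
and RTP/RTCP ranges are assumptions standing in for the ranges a real terminal
is configured with. The rule text uses Linux netfilter syntax purely to make
the mappings concrete; the page does not say what router is used.
"""

# (protocol, first port, last port), applied identically to every terminal
H323_PORTS = [
    ("udp", 1719, 1719),    # RAS: registration and admission with the GK
    ("tcp", 1720, 1720),    # H.225.0 call signaling
    ("tcp", 30000, 30003),  # H.245 control channels (assumed terminal range)
    ("udp", 3230, 3237),    # RTP/RTCP audio and video (assumed terminal range)
]


def plan_static_nat(private_ips, public_ips):
    """One-to-one address mapping, same port numbers inside and outside.

    Terminals are assigned public addresses in order; when there are more
    terminals than public addresses the assignment wraps around, which is the
    situation the white paper describes as a limitation.
    Returns a list of (public_ip, private_ip, proto, port).
    """
    mappings = []
    for i, priv in enumerate(private_ips):
        pub = public_ips[i % len(public_ips)]
        for proto, first, last in H323_PORTS:
            for port in range(first, last + 1):
                mappings.append((pub, priv, proto, port))
    return mappings


def find_conflicts(mappings):
    """Return (public_ip, proto, port) keys claimed by more than one terminal.

    A static mapping is a fixed (public address, port) -> private address
    relation, so two terminals behind one public address cannot both own
    1720/tcp: only the first one stays reachable from the public network.
    """
    owner = {}
    conflicts = []
    for pub, priv, proto, port in mappings:
        key = (pub, proto, port)
        if key in owner and owner[key] != priv:
            conflicts.append(key)
        owner.setdefault(key, priv)
    return conflicts


def netfilter_rules(mappings):
    """Render the plan as DNAT (inbound) and SNAT (outbound) rule pairs."""
    rules = []
    for pub, priv, proto, port in mappings:
        rules.append(f"iptables -t nat -A PREROUTING -d {pub} -p {proto} --dport {port} "
                     f"-j DNAT --to-destination {priv}:{port}")
        rules.append(f"iptables -t nat -A POSTROUTING -s {priv} -p {proto} --sport {port} "
                     f"-j SNAT --to-source {pub}:{port}")
    return rules


if __name__ == "__main__":
    # Two terminals, one public address: every H.323 port collides.
    plan = plan_static_nat(["10.0.0.5", "10.0.0.6"], ["198.51.100.1"])
    print(len(find_conflicts(plan)), "conflicting mappings")
    # Two terminals, two public addresses: a clean plan.
    plan = plan_static_nat(["10.0.0.5", "10.0.0.6"], ["198.51.100.1", "198.51.100.2"])
    print(len(find_conflicts(plan)), "conflicting mappings")
    for rule in netfilter_rules(plan)[:4]:
        print(rule)
```

The router only rewrites IP headers here; it never touches the H.323 payload. The scheme therefore works only because the terminal itself is configured with its public address and writes it into the signaling, which is what "terminals must support static NAT" means in the comparison table at the end of the paper.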
Implementation Principle

On both routers, the private addresses of the terminals are translated to public addresses, and static mappings are configured for the TCP and UDP ports that H.323 uses. Point-to-point calls between the terminals can then be placed, and multipoint conferences between different private networks can be held. Huawei video terminals support static NAT (the terminal is configured with its public address and advertises it in the signaling), so they can be connected to the public network and join video conferences easily.

Solution Analysis

Advantages: The solution is implemented by changing configuration only, without adding a peripheral device.

Disadvantages: The network configuration is complex, and several network devices on each private network must be configured. Generally the router's public interface needs multiple public IP addresses. With only one public IP address, only one terminal on the private network can be connected to the public network, and the other terminals on that private network cannot.

8.3 FW/NAT Devices (Eudemon) Supporting Transparent H.323 Transmission

In NAT or NAPT mode, the traversal problem between private and public networks is resolved when the firewall device (for example, a Huawei Eudemon series firewall) understands H.323; terminals on different private networks can then take part in video conferences. Huawei video terminals work closely with Eudemon devices to deliver the full set of videoconferencing functions and resolve the traversal problems between private networks.

Network Topology

Figure 8-7 shows the network topology of FW/NAT devices (Eudemon) supporting transparent H.323 transmission.
Figure 8-7 Network topology of FW/NAT devices (Eudemon) supporting transparent H.323 transmission (two private networks, each behind a Eudemon, connected across the public network)

Implementation Principle

The Eudemon firewall works above layer 3 and understands H.323: it translates the addresses inside the H.323 IP code streams directly. Terminals on the intranet therefore work as if they were on the public network and communicate with external terminals without obstruction. Figure 8-8 shows the implementation principle of Eudemon supporting transparent H.323 transmission.

Figure 8-8 Implementation principle of Eudemon supporting transparent H.323 transmission
1. Eudemon records the terminal information.
2. Eudemon forwards the call signaling and modifies the address information in the signaling based on the recorded terminal information.
3. Eudemon forwards the media streams based on the recorded call information.
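The conclusion at the start of this paper (one-way audio behind a common NAT) and the three Eudemon steps above are two sides of the same mechanism, so one simulation serves both. It is an added example written for this white paper, not Huawei code, and it does not model the Eudemon implementation. The signaling message is a constructed stand-in for an H.245 OpenLogicalChannel: a dict carrying the address the sender wants its RTP delivered to. All addresses are assumptions taken from the 10/8 and documentation address ranges.

```python
"""Why a plain NAPT breaks H.323 media, and what an H.323-aware NAT (ALG) changes.

Added example written for this white paper; it is not Huawei code and does not
model the Eudemon implementation. The signaling message is a constructed
stand-in for an H.245 OpenLogicalChannel: a dict that carries the address the
sender wants its RTP delivered to. All addresses are assumptions (10/8 for the
LAN, TEST-NET-2 and TEST-NET-3 for the public side).
"""
from dataclasses import dataclass, field

PRIVATE_IP = "10.0.0.5"                   # assumed terminal on the enterprise LAN
PUBLIC_TERMINAL = ("203.0.113.7", 3230)   # assumed terminal on the public network
NAT_PUBLIC_IP = "198.51.100.1"            # assumed egress address of the NAT/firewall
SIG_PORT, RTP_PORT = 1720, 3230           # H.225.0 well-known port; RTP port is assumed


def is_private(ip: str) -> bool:
    """Addresses the public Internet cannot route to (10/8 only, for brevity)."""
    return ip.startswith("10.")


@dataclass
class Napt:
    """Port-overloading NAT with an optional H.323 ALG that rewrites payload addresses."""
    public_ip: str
    h323_alg: bool = False
    next_port: int = 40000
    outward: dict = field(default_factory=dict)   # (priv_ip, priv_port) -> public port
    inward: dict = field(default_factory=dict)    # public port -> (priv_ip, priv_port)

    def bind(self, private_addr):
        """Create (or reuse) a binding; return the public (ip, port) for it."""
        if private_addr not in self.outward:
            self.outward[private_addr] = self.next_port
            self.inward[self.next_port] = private_addr
            self.next_port += 1
        return (self.public_ip, self.outward[private_addr])

    def outbound(self, pkt: dict) -> dict:
        """Translate a packet leaving the private network."""
        pkt = dict(pkt)
        pkt["src"] = self.bind(pkt["src"])
        if self.h323_alg and pkt["type"] == "OpenLogicalChannel":
            # ALG (Eudemon steps 1 and 2): the payload names the private RTP
            # address. Record it, bind it now, and rewrite it so the peer will
            # send media to a routable address that maps back to the terminal.
            pkt["media_addr"] = self.bind(pkt["media_addr"])
        return pkt

    def inbound(self, pkt: dict):
        """Translate a packet arriving from the public side; None means it is lost."""
        ip, port = pkt["dst"]
        if is_private(ip):
            return None      # never reaches the NAT: private addresses are unroutable
        if ip != self.public_ip or port not in self.inward:
            return None      # no binding for this port: dropped at the NAT
        pkt = dict(pkt)
        pkt["dst"] = self.inward[port]   # Eudemon step 3: forward by recorded call state
        return pkt


def place_call(nat: Napt):
    """Private terminal calls the public terminal.

    Returns (public side receives media, private side receives media).
    """
    olc = {"type": "OpenLogicalChannel", "src": (PRIVATE_IP, SIG_PORT),
           "dst": PUBLIC_TERMINAL, "media_addr": (PRIVATE_IP, RTP_PORT)}
    seen_by_peer = nat.outbound(olc)

    # Private -> public RTP always leaves through the NAT and reaches the peer.
    rtp_out = nat.outbound({"type": "RTP", "src": (PRIVATE_IP, RTP_PORT), "dst": PUBLIC_TERMINAL})
    public_gets_media = rtp_out["dst"] == PUBLIC_TERMINAL

    # Public -> private RTP goes wherever the signaling said. Without an ALG that
    # is the private address, so the media never arrives: one-way audio.
    rtp_in = {"type": "RTP", "src": PUBLIC_TERMINAL, "dst": seen_by_peer["media_addr"]}
    delivered = nat.inbound(rtp_in)
    private_gets_media = delivered is not None and delivered["dst"] == (PRIVATE_IP, RTP_PORT)
    return public_gets_media, private_gets_media


if __name__ == "__main__":
    print("common NAT:", place_call(Napt(NAT_PUBLIC_IP)))                 # (True, False)
    print("H.323 ALG: ", place_call(Napt(NAT_PUBLIC_IP, h323_alg=True)))  # (True, True)
```

Note what the ALG has to do beyond rewriting bytes: it creates the media binding before any RTP has left the private side, because the public terminal will start sending as soon as the logical channel is acknowledged. A NAT that only translates IP headers has no such binding and silently drops that first (and every later) inbound packet.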
If a firewall is already deployed on the customer premises network, a Eudemon device can be added to serve as an H.323 gateway. In that case the Eudemon gateway only translates the addresses in H.323 IP code streams; other Internet access services such as HTTP and FTP are not affected. When a non-H.323 IP packet is identified, the Eudemon gateway forwards it transparently without processing it, so the functions of the existing firewall are unaffected. If no firewall is deployed on the customer premises network, the Eudemon device can serve as a standard firewall.

H.323 applications are selected on the Eudemon device by an access control list (ACL) rule: H.323 traffic is NAT-translated on the Eudemon device and then forwarded to the firewall, while non-H.323 traffic is forwarded directly to the firewall, which performs its own NAT. The user's original security policy, network access mode, and private network remain unchanged.

Solution Analysis

This solution has the following advantages:
- No change to the network is required, and large-capacity video conferences are supported.
- No service is affected, and the security and quality of the video conferences are guaranteed.
- All video terminals can be used on the customer premises network.

This solution has the following disadvantage:
- Eudemon devices must be added if none is present on the original network.
8.4 Traversal by Adding Proxy (SE2000)

Proxy Mode

Based on the SBC (proxy) principle there are two NAT traversal solutions: proxy mode and UDP tunnel traversal mode. Figure 8-9 shows the proxy mode.

Figure 8-9 Proxy mode (service software, GK, and MCU on network 1; the SBC at the egress of network 1 connecting networks 2 and 3)

Networking description
1. The SBC proxy solution requires no change to the network or the firewall. Terminals on a private network can be connected to a public network, and terminals on a public network can be connected to a videoconferencing system on a private network.
2. An SBC is deployed at the egress of network 1. Its uplink and downlink ports connect to network 2 and network 3 respectively (there can be multiple uplink and downlink ports).
3. On the terminals of networks 2 and 3, the GK address is set to the address of the SBC's downlink port. On the SBC, the server address is set to the GK address of network 1. Signaling and media streams from networks 2 and 3 therefore reach the GK and MCU of network 1 through the SBC.

This solution has the following advantages:
1. The live network needs no changes, and deployment is easy.
2. The existing devices (terminals, GK, and MCU) need no changes, so compatibility is broad.
3. The GK and MCU are invisible to the terminals, which gives a high level of security.
4. All packets pass through the SBC, so suitable QoS policies can be applied to the SBC on the network.
5. Interworking of videoconferencing services across multiple networks is implemented with a single SBC, at low cost.
This solution has the following disadvantages:
- The proxy device does not itself traverse a firewall; it is deployed alongside the firewall, in parallel with it, on the network.
- The proxy device must be used together with a GK.

UDP Tunnel Traversal Mode

This mode suits a large enterprise that has deployed a firewall at the intranet edge, does not want the SBC proxy solution, and does not want to modify the firewall configuration frequently. Only one or two UDP ports need to be opened on the firewall; the tunnel is set up between the SBCs, and NAT traversal for the videoconferencing service is carried over it. Figure 8-10 shows the UDP tunnel traversal mode.

Figure 8-10 UDP tunnel traversal mode (H.323 terminals on two intranets connected across the bearer network; the signaling stream and the media stream both cross the tunnel)

Networking description
1. Two SBCs are added, one on the customer premises network and one on the network side. Customer premises network: an SBC is added to the user network to serve as the client of the UDP tunnel. Network side: an SBC is added on the network side to serve as the server of the UDP tunnel.
2. The internal SBC integrates the UDP tunnel client (UTC); the external SBC integrates the UDP tunnel server (UTS). The UDP tunnel between the UTC and the UTS carries all packets (signaling as well as audio/video media streams) between the external and internal networks.
3. The GK address configured on the private-network terminals is the address of the internal SBC, and the external proxy address configured on the internal SBC is the address of the SBC on the public network.
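Why one or two firewall pinholes are enough follows from how the UTC and UTS frame traffic: every signaling and media packet is wrapped in a header that says which session and which channel it belongs to, and the UTS fans frames out again on the inside. The SE2000 tunnel format is not published, so the following is an added example with an assumed frame layout (a 6-byte header in network byte order: channel kind, flags, session id, payload length), not Huawei's code. The inner GK and MCU addresses in the demo are constructed.

```python
"""Multiplexing H.323 signaling and RTP media inside one UDP tunnel port.

Added example for the UTC/UTS description above; the SE2000 tunnel format is
not published, so this frame layout is an assumption: a 6-byte header in
network byte order (channel kind, flags, session id, payload length) followed
by the payload. The session id lets the tunnel server (UTS) fan frames from
many inside terminals out to the right GK/MCU socket, and the kind field keeps
signaling and media apart although they share one firewall pinhole.
"""
import struct

HEADER = struct.Struct("!BBHH")          # kind, flags, session, payload length
KIND_RAS, KIND_Q931, KIND_H245, KIND_RTP = 1, 2, 3, 4
KINDS = {KIND_RAS, KIND_Q931, KIND_H245, KIND_RTP}
FLAG_RELIABLE = 0x01                     # assumed: set on signaling, which must not be lost
MAX_PAYLOAD = 1400                       # assumed: keep frames under a typical path MTU


def encapsulate(kind: int, session: int, payload: bytes) -> bytes:
    """UTC side: wrap one inner packet into a tunnel frame."""
    if kind not in KINDS:
        raise ValueError(f"unknown channel kind {kind}")
    if not 0 <= session <= 0xFFFF or len(payload) > MAX_PAYLOAD:
        raise ValueError("session id or payload out of range")
    flags = 0 if kind == KIND_RTP else FLAG_RELIABLE
    return HEADER.pack(kind, flags, session, len(payload)) + payload


def decapsulate(frame: bytes):
    """UTS side: parse one frame, refusing anything that does not match its header.

    The length field is checked against the real datagram size, so a peer that
    reaches the open UDP port cannot make the server read past, or short of,
    the data it actually received.
    """
    if len(frame) < HEADER.size:
        raise ValueError("truncated header")
    kind, flags, session, length = HEADER.unpack_from(frame)
    if kind not in KINDS:
        raise ValueError(f"unknown channel kind {kind}")
    if length > MAX_PAYLOAD or len(frame) != HEADER.size + length:
        raise ValueError("payload length does not match datagram")
    return kind, flags, session, frame[HEADER.size:]


class TunnelServer:
    """UTS demultiplexer: (session, kind) -> inner destination learned at registration."""

    def __init__(self):
        self.routes = {}
        self.delivered = []   # (destination, payload) pairs, standing in for real sends

    def register(self, session: int, kind: int, inner_addr):
        self.routes[(session, kind)] = inner_addr

    def receive(self, frame: bytes):
        kind, _flags, session, payload = decapsulate(frame)
        dest = self.routes.get((session, kind))
        if dest is None:
            raise LookupError(f"no route for session {session} kind {kind}")
        self.delivered.append((dest, payload))
        return dest


def demo():
    """Constructed traffic: one terminal's RAS, Q.931 and RTP over a single tunnel."""
    uts = TunnelServer()
    uts.register(7, KIND_RAS, ("gk.internal", 1719))      # assumed inner GK address
    uts.register(7, KIND_Q931, ("gk.internal", 1720))
    uts.register(7, KIND_RTP, ("mcu.internal", 3230))     # assumed inner MCU media port
    frames = [encapsulate(KIND_RAS, 7, b"RRQ"),
              encapsulate(KIND_Q931, 7, b"SETUP"),
              encapsulate(KIND_RTP, 7, b"\x80\x00" + b"\x00" * 10)]
    return [uts.receive(f) for f in frames]


if __name__ == "__main__":
    print(demo())
```

The security point the section makes (the proxy checks packets after decapsulation) starts at the header: the UTS is the one host exposed on the open port, so it must validate every frame before it forwards anything inward, and it should only forward on routes established at registration rather than on addresses carried in the frame.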
This solution has the following advantages:
1. There is no restriction on terminals or servers, and the solution handles firewall NAT traversal.
2. The existing devices (terminals, GK, and MCU) need no changes, so compatibility is broad.
3. The security level is high. The GK and MCU are invisible to the terminals, and after the terminals' packets are decapsulated from the tunnel the proxy performs security checks on them.
4. All packets pass through the SBC, so suitable quality of service (QoS) policies can be applied to the SBC on the network.

This solution has the following disadvantages:
- Multiple SBCs are required, which raises the implementation cost.
- Network deployment is relatively complex: routing between the UTC and the UTS must be considered, and the existing firewall configuration must be modified to open the tunnel ports.
- Media streams must travel UTC -> NAT/FW -> UTS, so the media stream performance is bounded by that path.

The Huawei Quidway SessionEngine2000 (SE2000) is a session border controller (SBC), a proxy-based IP service gateway. It is used when deploying videoconferencing services on an IP network and helps videoconferencing GKs and terminals with NAT traversal, security, QoS, and interworking. SE2000 uses signaling and media proxy technology to process and forward call packets and media streams in a directed manner, and redirects the RTP receive address and port of private- and public-network users. Address translation between network domains (including between a public network and a private network) is therefore implemented easily, and the media streams traverse the NAT gateways.
Unlike a NAT application layer gateway (ALG), SE2000 uses a full-proxy mode and relays the media streams itself, so it places no special requirement on the NAT devices; the existing devices on the live network need no rework, which makes service deployment convenient for telecom operators.

Solution Analysis

This solution has the following advantages:
- SE2000 relays media streams in full-proxy mode with no special requirement on NAT devices, so existing live-network devices need no rework and operators can deploy the service conveniently.
- No service is affected, and the security and quality of video conferences are guaranteed.
- All video terminals can be used on the customer premises network.
- As a convergence-layer device, the SBC keeps terminals from reaching important devices such as the GK, providing security protection, QoS guarantee, and terminal access management for those devices.

This solution has the following disadvantage:
- SE2000 devices must be added to the original network.
8.5 Interworking Between Private Networks by Adding VP 8520 MG Devices

Network Topology

Figure 8-11 shows the network topology of the VP 8520 MG solution.

Figure 8-11 Network topology of the VP 8520 MG solution (videoconferencing terminals behind NAT device 1 and NAT device 2, with the 8520 and the ViewPoint 8000 servers on the public network)

Networking description
- SwitchCentre: the GK of the ViewPoint 8000 videoconferencing system, used for address resolution, access control, zone management, bandwidth control, and call authentication. The SwitchCentre is configured and managed from the SwitchManager.
- ResourceManager: a core device of the ViewPoint 8000 videoconferencing system, used for allocating and managing conference resources.
- MCU: a core device of the ViewPoint 8000 videoconferencing system, used for video switching, audio mixing, and data processing.
- Video terminal: a terminal of the Huawei ViewPoint 8000 videoconferencing system that supports Huawei SNP, for example a video phone or Openeye.
- NAT device: a firewall or router that supports and is configured with dynamic NAT or port address translation (PAT), used to isolate the terminals on a private network.
- 8520: the ViewPoint 8520, used for call connection and media stream forwarding between private networks.

Implementation Principle

When a terminal on one private network calls a terminal on another private network, the port and address translation on the NAT devices prevents the two users from establishing video/audio communication. The 8520 is deployed to address this: it connects the calls from the different private networks, establishes video/audio media stream channels with each private network, and forwards the media streams it receives transparently. The 8520 is used as follows.

Prerequisite: Both terminals and the 8520 have registered successfully with the SwitchCentre (GK).

Procedure for implementing a call using the 8520: Figure 8-12 shows the procedure.

Figure 8-12 Procedure for implementing a call using the 8520 (a terminal on private network 1 behind common NAT device 1, the 8520 on the public network, a terminal on private network 2 behind common NAT device 2)
1. The calling terminal connects to the 8520 on the public network.
2. The 8520 connects to the called terminal.
3. The two terminals communicate normally through the 8520.

Solution Analysis

This solution has the following advantages:
- Using the 8520, terminals on a private network behind a common NAT can communicate without restriction with terminals on the public network and with terminals on another private network.
- No service is affected, and the security and quality of video conferences are guaranteed.
- As a convergence-layer device, the 8520 keeps terminals from reaching important devices such as the GK, providing security protection, QoS assurance, and terminal access management for those devices.

This solution has the following disadvantages:
- 8520 series devices must be added to the original network.
- In the 8520 network environment, terminals on private networks must support SNP (a token protocol developed by Huawei to resolve the traversal problem between private and public networks). If terminals on public networks do not support SNP, a firewall that supports an H.323 ALG (for example, the Huawei Eudemon series) must be deployed.

8.6 Interworking Between Private Networks Using Existing MCU Devices

Network Topology

Figure 8-13 shows the network topology of the MCU solution.

Figure 8-13 Network topology of the MCU solution

Networking description

The video firewall solution is a simple way to implement traversal between private and public networks and is currently used by most of Huawei's competitors. In this solution the different networks are connected to different network ports of the MCU, so that terminals from private and public networks can take part in the same video conference. For users on a dedicated
network, an additional MCU is required to allow access from terminals on the private and public networks.

Implementation Principle

The work mode of the GE1 port on the MCU's central control board is set to 4: NetFirewallMode to enable the video firewall function. The configuration items are the number of the board on which the video firewall function is enabled and the video firewall function itself; the configuration must then be saved.

A route to GE1 on the MCU's central control board is then added with the following items: the destination address (in the same network segment as the GE1 network port of the board supporting the video firewall function), the mask (consistent with that of the GE1 network port of that board), and the GE1 network port as the outgoing interface.

In this way the signaling board and media board are allocated to the site on the GE1 side, which is connected to the GE1 port. When a node on the GE0 side calls a node on the GE1 side, the GE1 port receives the call, and traversal between the private and public networks is achieved.
Solution Analysis

This solution has the following advantages:
- Traversal between private and public networks is implemented with the existing MCUs, so the networking is simple.
- No change to the customer's existing firewall (for example, opening ports) is required.
- No change to H.323 is required, and any terminals from private and public networks can interwork.

This solution has the following disadvantages:
- The MCU supports networking with two networks, but not with multiple networks.
- The MCU must register with the GK through GE0, and calls through GE1 must be placed by IP address.
- Point-to-point calls between terminals on private and public networks cannot be made through an MCU.
- IP routes can be configured (a public network has multiple network segments). A route directs traffic to GE1 for sending and receiving; when no route matches, GE0 is used.
- The site connected to GE1 does not support service switchover (media module switchover).
- The GE0 IP addresses of all boards must be in one network segment and the GE1 IP addresses of all boards in another; this must be ensured in the networking configuration.

8.7 Traversal by Adding the H.460 GK Server Function

Currently, Huawei high definition (HD) terminals support the H.460.18/19 client function. Videoconferencing system solutions can be improved by adding the H.460.18 traversal server and H.460.19 server functions to the existing (standard) GK. A GK that provides the H.460 function (H.460 GK for short) helps terminals on a private network and MCUs to implement signaling/media traversal and NAT/FW traversal. When a call between terminals on private and public networks is placed, the H.460 GK uses the routed-call mode: it routes the Q.931 call signaling, the H.245 signaling, and the media streams.
Although the H.460 GK routes the H.245 signaling and the media streams, it only provides the channel for transparent trunk transmission and does not take on the logical functions of the nodes (terminals and MCUs), namely capability comparison, active/standby node determination, channel format selection, and video/audio codec processing.
Network Topology

Figure 8-14 shows the simple networking for traversal between private and public networks using H.460.

Figure 8-14 Simple networking for traversal between private and public networks using H.460 (terminals on both sides of the firewall, including a terminal supporting H.460)

Figure 8-15 shows the cross-domain networking for traversal between private and public networks using H.460.

Figure 8-15 Cross-domain networking for traversal between private and public networks using H.460 (terminals on both sides of the firewall, including a terminal supporting H.460)
Networking description
1. A GK is deployed in the DMZ of the firewall. The IP addresses of terminals on the private network are translated to the public network address by NAT.
2. Terminals register with the GK using the GK's private and public network addresses respectively.
3. The private network must be defined as the local network, which the GK uses for its call address settings.

Implementation Principle

Figure 8-16 shows the implementation principle of cross-domain traversal between private and public networks using H.460.

Figure 8-16 Implementation principle for the cross-domain traversal between private and public networks using H.460

As shown in Figure 8-16, node A is on the public network and node B, which supports H.460, is on the private network. A call from node A to node B proceeds as follows:
1. Node A sends the GK a request to communicate with B. When the GK finds that node B is behind the firewall, it enables H.460 traversal and asks B to open a new firewall-traversal connection.
2. Node B establishes the new connection outward to the GK, and the GK tells node A to send its signaling to the GK rather than directly to B.
3. Node A sends its signaling to the GK. Once the new connection exists, the GK forwards the signaling to node B over that connection.
Once the RAS channel, H.245 channel, Q.931 listening port, and media channel ports are established, all media streams between node A and node B are forwarded by the GK.
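The three-step call flow above turns on one property of the NAT/firewall: it admits a packet from outside only on a flow the inside terminal opened first. The following simulation, an added example written for this section and not the GK's code, models that firewall and a routed-call GK with the traversal server function. The GK's request to the inside terminal stands in for the H.460.18 ServiceControlIndication carried over the existing RAS channel; the addresses and message names are constructed.

```python
"""H.460.18-style call signaling traversal: the inside terminal opens the connection.

Added example written for the section above; it is a simulation, not the GK's
code. The firewall model admits a packet from outside only on a flow the
private side opened first, which is the behaviour that defeats a direct Setup
to the private terminal. The GK's request to the inside terminal stands in for
the H.460.18 ServiceControlIndication carried over the existing RAS channel;
addresses and message names are constructed for the example.
"""


class StatefulFirewall:
    """NAT/firewall that remembers only flows initiated from the private side."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.flows = {}        # (public port, outside peer) -> private (ip, port)
        self.next_port = 50000

    def open_flow(self, private_addr, peer):
        """Private side connects outward to peer; return the public mapping."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(port, peer)] = private_addr
        return (self.public_ip, port)

    def deliver(self, src, dst):
        """Packet from src (outside) to dst: the private address reached, or None."""
        if dst[0] != self.public_ip:
            return None                       # private addresses are not routable from outside
        return self.flows.get((dst[1], src))  # unsolicited inbound traffic is dropped


class Gatekeeper:
    """Routed-call GK with the H.460.18 traversal server function."""

    def __init__(self, addr):
        self.addr = addr
        self.endpoints = {}   # alias -> {"addr", "ras_binding", "fw"}

    def register(self, alias, addr, fw=None):
        """RRQ from a terminal; fw is the firewall it sits behind, if any.

        The terminal reports its own address in the RRQ while the GK sees the
        source the packet arrived from; a mismatch marks it as behind a NAT.
        """
        ras_binding = fw.open_flow(addr, self.addr) if fw else addr
        self.endpoints[alias] = {"addr": addr, "ras_binding": ras_binding, "fw": fw}

    def route_setup(self, callee_alias, h46018=True):
        """Deliver a caller's Setup to the callee; returns (delivered, trace)."""
        ep = self.endpoints[callee_alias]
        trace = []
        if ep["fw"] is None:
            trace.append("callee on the public network: Setup forwarded directly")
            return True, trace
        if not h46018:
            reached = ep["fw"].deliver(self.addr, ep["addr"])
            trace.append("Setup to callee's private address: "
                         + ("delivered" if reached else "dropped, private address unroutable"))
            return reached is not None, trace
        # Step 1: over the RAS flow the callee itself opened, the GK asks it to
        # establish a new call-signaling connection outward to the GK.
        if ep["fw"].deliver(self.addr, ep["ras_binding"]) != ep["addr"]:
            trace.append("ServiceControlIndication lost: RAS binding expired")
            return False, trace
        trace.append("ServiceControlIndication delivered over the callee's RAS binding")
        # Step 2: the callee opens the connection; the firewall now has a flow for it.
        call_conn = ep["fw"].open_flow(ep["addr"], self.addr)
        trace.append(f"callee opened call-signaling connection from {call_conn}")
        # Step 3: the caller's Setup, received by the GK, is forwarded on that flow.
        reached = ep["fw"].deliver(self.addr, call_conn)
        trace.append("Setup forwarded over callee-opened connection: "
                     + ("delivered" if reached else "dropped"))
        return reached == ep["addr"], trace


def demo():
    """Constructed scenario: node A on the public network calls node B behind a NAT."""
    gk = Gatekeeper(("198.51.100.10", 1719))            # assumed GK address in the DMZ
    fw = StatefulFirewall("203.0.113.1")                 # assumed enterprise egress
    gk.register("A", ("198.51.100.20", 1720))            # public terminal
    gk.register("B", ("10.0.0.5", 1720), fw)             # private terminal supporting H.460
    direct, _ = gk.route_setup("B", h46018=False)
    traversal, trace = gk.route_setup("B", h46018=True)
    return direct, traversal, trace


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

Two practical consequences follow. The RAS binding must be kept alive (the inside terminal re-registers or sends keepalives) or the indication in step 1 cannot be delivered and the call fails before it starts; and because the GK is the only party both sides can reach, it stays in the signaling path and, as the section states, in the media path as well, so its capacity, not the terminals', bounds the number of traversed calls.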
9 Solution Comparison and Proposals

Table 9-1 lists a comparison of all traversal solutions.

Table 9-1 Comparison of all traversal solutions

Deployment location
- Static NAT solution: the NAT can be deployed anywhere, but it occupies public network IP addresses.
- ALG solution: the ALG is deployed at the edge between the private and public networks.
- SNP solution: SNP can be deployed anywhere.
- Tunnel solution: the UDP tunnel can be deployed anywhere.
- Proxy solution: the SBC is deployed at the edge between the private and public networks.

Requirement on the existing NAT/FW devices
- Static NAT solution: the NAT/FW devices must be configured with static NAT.
- ALG solution: the NAT/FW devices must be replaced or upgraded to support the ALG.
- SNP solution: no change is required.
- Tunnel solution: ports on the NAT/FW devices must be opened as the tunnel requires.
- Proxy solution: no change is required.

Multilevel NAT
- Static NAT solution: not supported.
- ALG solution: each level of NAT must support the ALG.
- SNP solution: supported.
- Tunnel solution: the client device must sit behind the last NAT device.
- Proxy solution: each level of NAT must have its own proxy device.

Impact on the original network
- Static NAT solution: none.
- ALG solution: an ALG-capable router must be added to the original network.
- SNP solution: none.
- Tunnel solution: client devices must be added to the customer premises network.
- Proxy solution: none.

Requirement on terminals
- Static NAT solution: terminals must support the static NAT function.
- ALG solution: no special requirement.
- SNP solution: the protocol must be modified (terminals must support SNP).
- Tunnel solution: no special requirement.
- Proxy solution: no special requirement on the terminals themselves (a proxy device is required on the terminal side).

Requirement on servers
- Static NAT solution: no special requirement.
- ALG solution: no special requirement.
- SNP solution: the protocol must be modified.
- Tunnel solution: no special requirement.
- Proxy solution: no special requirement on the servers themselves (a proxy device is required on the server side).

Security protection
- Static NAT solution: none.
- ALG solution: none.
- SNP solution: none.
- Tunnel solution: security protection can be implemented.
- Proxy solution: security protection can be implemented.

QoS control
- Static NAT solution: none.
- ALG solution: none.
- SNP solution: QoS control is difficult to implement.
- Tunnel solution: QoS control can be implemented.
- Proxy solution: QoS control can be implemented.

As the table shows, the traversal solutions have their own characteristics and suit different networking scenarios. On existing networks, traversal between private and public networks can be implemented with the MCU, MG8520, SE2000, or static NAT solution, or by enabling the H.460 server function on the existing GK or on a new GK. For networks under construction, the Eudemon solution implements NAT traversal between private and public networks at the egress firewall itself, without deploying a separate traversal device.
Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 [email protected] This Page Intentionally Left Blank ii Warnings
Glossary of Terms and Acronyms for Videoconferencing
Glossary of Terms and Acronyms for Videoconferencing Compiled by Irene L. Ferro, CSA III Education Technology Services Conferencing Services Algorithm an algorithm is a specified, usually mathematical
Application Note. Onsight Connect Network Requirements V6.1
Application Note Onsight Connect Network Requirements V6.1 1 ONSIGHT CONNECT SERVICE NETWORK REQUIREMENTS... 3 1.1 Onsight Connect Overview... 3 1.2 Onsight Connect Servers... 4 Onsight Connect Network
Indepth Voice over IP and SIP Networking Course
Introduction SIP is fast becoming the Voice over IP protocol of choice. During this 3-day course delegates will examine SIP technology and architecture and learn how a functioning VoIP service can be established.
Application Note. Onsight TeamLink And Firewall Detect v6.3
Application Note Onsight And Firewall Detect v6.3 1 ONSIGHT TEAMLINK HTTPS TUNNELING SERVER... 3 1.1 Encapsulation... 3 1.2 Firewall Detect... 3 1.2.1 Firewall Detect Test Server Options:... 5 1.2.2 Firewall
Voice over IP (VoIP) Overview. Introduction. David Feiner ACN 2004. Introduction VoIP & QoS H.323 SIP Comparison of H.323 and SIP Examples
Voice over IP (VoIP) David Feiner ACN 2004 Overview Introduction VoIP & QoS H.323 SIP Comparison of H.323 and SIP Examples Introduction Voice Calls are transmitted over Packet Switched Network instead
Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0
Application Note Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0 1 FIREWALL REQUIREMENTS FOR ONSIGHT MOBILE VIDEO COLLABORATION SYSTEM AND HOSTED
Need for Signaling and Call Control
Need for Signaling and Call Control VoIP Signaling In a traditional voice network, call establishment, progress, and termination are managed by interpreting and propagating signals. Transporting voice
LifeSize Transit Deployment Guide June 2011
LifeSize Transit Deployment Guide June 2011 LifeSize Tranist Server LifeSize Transit Client LifeSize Transit Deployment Guide 2 Firewall and NAT Traversal with LifeSize Transit Firewalls and Network Address
A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib
NetVanta Unified Communications Technical Note The Purpose of a SIP-Aware Firewall/ALG Introduction This technical note will explore the purpose of a Session Initiation Protocol (SIP)-aware firewall/application
MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1
Table of Contents 1. REQUIREMENTS SUMMARY... 1 2. REQUIREMENTS DETAIL... 2 2.1 DHCP SERVER... 2 2.2 DNS SERVER... 2 2.3 FIREWALLS... 3 2.4 NETWORK ADDRESS TRANSLATION... 4 2.5 APPLICATION LAYER GATEWAY...
TSIN02 - Internetworking
TSIN02 - Internetworking Lecture 9: SIP and H323 Literature: Understand the basics of SIP and it's architecture Understand H.323 and how it compares to SIP Understand MGCP (MEGACO/H.248) SIP: Protocol
The H.323 NAT/FW Traversal Solution
Open Community Specification The H.323 NAT/FW Traversal Solution January 2014 International Multimedia Communications Consortium Summary This document describes the NAT/FW traversal solution defined by
SIP Trunking Configuration with
SIP Trunking Configuration with Microsoft Office Communication Server 2007 R2 A Dell Technical White Paper End-to-End Solutions Team Dell Product Group - Enterprise THIS WHITE PAPER IS FOR INFORMATIONAL
Securing SIP Trunks APPLICATION NOTE. www.sipera.com
APPLICATION NOTE Securing SIP Trunks SIP Trunks are offered by Internet Telephony Service Providers (ITSPs) to connect an enterprise s IP PBX to the traditional Public Switched Telephone Network (PSTN)
Network Security Topologies. Chapter 11
Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network
Secure VoIP for optimal business communication
White Paper Secure VoIP for optimal business communication Learn how to create a secure environment for real-time audio, video and data communication over IP based networks. Andreas Åsander Manager, Product
VOICE over IP H.323 Advanced Computer Network SS2005 Presenter : Vu Thi Anh Nguyet
VOICE over IP H.323 Advanced Computer Network SS2005 Presenter : Vu Thi Anh Nguyet 1 Outlines 1. Introduction 2. QoS in VoIP 3. H323 4. Signalling in VoIP 5. Conclusions 2 1. Introduction to VoIP Voice
4. H.323 Components. VOIP, Version 1.6e T.O.P. BusinessInteractive GmbH Page 1 of 19
4. H.323 Components VOIP, Version 1.6e T.O.P. BusinessInteractive GmbH Page 1 of 19 4.1 H.323 Terminals (1/2)...3 4.1 H.323 Terminals (2/2)...4 4.1.1 The software IP phone (1/2)...5 4.1.1 The software
SIP: NAT and FIREWALL TRAVERSAL Amit Bir Singh Department of Electrical Engineering George Washington University
SIP: NAT and FIREWALL TRAVERSAL Amit Bir Singh Department of Electrical Engineering George Washington University ABSTRACT The growth of market for real-time IP communications is a big wave prevalent in
Voice Over Internet Protocol (VOIP) SECURITY. Rick Kuhn Computer Security Division National Institute of Standards and Technology
Voice Over Internet Protocol (VOIP) SECURITY Rick Kuhn Computer Security Division National Institute of Standards and Technology What is VOIP? Voice Over Internet Protocol Voice Communications over data-style
Internet and Intranet Calling with Polycom PVX 8.0.1
Internet and Intranet Calling with Polycom PVX 8.0.1 An Application Note Polycom PVX is an advanced conferencing software application that delivers Polycom's premium quality audio, video, and content sharing
Transport and Network Layer
Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a
Comparison of Voice over IP with circuit switching techniques
Comparison of Voice over IP with circuit switching techniques Author Richard Sinden Richard Sinden 1 of 9 Abstract Voice-over-IP is a growing technology. Companies are beginning to consider commercial
StarLeaf Network Guide
Network Guide Contents Introduction------------------------------------------------------------------------------------------------------------------------- 3 Registration to the ------------------------------------------------------------------------------------------
VOICE OVER IP (VOIP) TO ENTERPRISE USERS GIOTIS KONSTANTINOS
VOICE OVER IP (VOIP) TO ENTERPRISE USERS GIOTIS KONSTANTINOS Master of Science in Networking and Data Communications THESIS Thesis Title Voice over IP (VoIP) to Enterprise Users Dissertation submitted
Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP
Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP Connecting MPLS Voice VPNs Enabling the secure interconnection of Inter-Enterprise VoIP Executive Summary: MPLS Virtual
Firewalls and VPNs. Principles of Information Security, 5th Edition 1
Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches
Enterprise Video Conferencing
Enterprise Video Conferencing When Voice Meets Video How SIP & H.323 Can Coexist SIPNOC 2014 Presented by: Gernot Scheichl June 2014 Agenda The Market The Challenges History Comparing the Protocols (H.323
By Paolo Galtieri The public switched telephone network The Internet Convergence
By Paolo Galtieri This article provides an overview of Voice over Internet Protocol (VoIP), one of the many applications taking advantage of the enormous growth of the Internet over the last several years.
Application Note. Onsight Mobile Collaboration Video Endpoint Interoperability v5.0
Application Note Onsight Mobile Collaboration Video Endpoint Interoperability v5. Onsight Mobile Collaboration Video Endpoint Interoperability... 3 Introduction... 3 Adding Onsight to a Video Conference
Combining Voice over IP with Policy-Based Quality of Service
TechBrief Extreme Networks Introduction Combining Voice over IP with Policy-Based Quality of Service Businesses have traditionally maintained separate voice and data networks. A key reason for this is
Session Border Controllers and Videoconferencing
Session Border Controllers and Videoconferencing Using a Field-Proven Solution to Simplify and Improve Multi-Vendor Conferencing Environments August 2011 Study sponsored by: Table of Contents Introduction...
Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios
An Oracle White Paper June 2013 Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios Introduction Voice
1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4
Coral IP Solutions TABLE OF CONTENTS 1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4 2.1 UGW 4 2.2 IPG 4 2.3 FLEXSET IP 5 2.4 FLEXIP SOFTPHONE 6 2.5 TELEPORT FXS/FXO GATEWAYS 7 2.6 CORAL SENTINEL 7 3 CORAL IP
Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols 2011-11-22. ETSF10 Internet Protocols 2011
Internet Security Voice over IP ETSF10 Internet Protocols 2011 Kaan Bür & Jens Andersson Department of Electrical and Information Technology Internet Security IPSec 32.1 SSL/TLS 32.2 Firewalls 32.4 + Voice
Unit 23. RTP, VoIP. Shyam Parekh
Unit 23 RTP, VoIP Shyam Parekh Contents: Real-time Transport Protocol (RTP) Purpose Protocol Stack RTP Header Real-time Transport Control Protocol (RTCP) Voice over IP (VoIP) Motivation H.323 SIP VoIP
Voice over IP. Presentation Outline. Objectives
Voice over IP Professor Richard Harris Presentation Outline Brief overview of VoIP and applications Challenges of VoIP IP Support for Voice Protocols used for VoIP (current views) RTP RTCP RSVP H.323 Semester
Methods for Lawful Interception in IP Telephony Networks Based on H.323
Methods for Lawful Interception in IP Telephony Networks Based on H.323 Andro Milanović, Siniša Srbljić, Ivo Ražnjević*, Darryl Sladden*, Ivan Matošević, and Daniel Skrobo School of Electrical Engineering
Basic Vulnerability Issues for SIP Security
Introduction Basic Vulnerability Issues for SIP Security By Mark Collier Chief Technology Officer SecureLogix Corporation [email protected] The Session Initiation Protocol (SIP) is the future
NETPOINT FIREWALL TRAVERSAL SERVER INSTALLATION AND SETUP MANUAL
NETPOINT FIREWALL TRAVERSAL SERVER INSTALLATION AND SETUP MANUAL ClearOne 5225 Wiley Post Way Suite 500 Salt Lake City, UT 84116 Telephone 1.800.283.5936 1.801.974.3760 Tech Sales 1.800.705.2103 FAX 1.801.974.3669
VOICE OVER IP SECURITY
VOICE OVER IP SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
Integrate VoIP with your existing network
Integrate VoIP with your existing network As organisations increasingly recognise and require the benefits voice over Internet Protocol (VoIP) offers, they stop asking "Why?" and start asking "How?". A
An Introduction to VoIP Protocols
An Introduction to VoIP Protocols www.netqos.com Voice over IP (VoIP) offers the vision of a converged network carrying multiple types of traffic (voice, video, and data, to name a few). To carry out this
Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN
Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts
H.323 and Associated Recommendations. This topic describes H.323 and its protocols and explains how H.323 is used in the IP internetwork environment.
Configuring H.323 H.323 and Associated Recommendations This topic describes H.323 and its protocols and explains how H.323 is used in the IP internetwork environment. H.323 and Associated Recommendations
Online course syllabus. MAB: Voice over IP
Illuminating Technology Course aim: Online course syllabus MAB: Voice over IP This course introduces the principles and operation of telephony services that operate over Internet Protocol (IP) networks
159.334 Computer Networks. Voice over IP (VoIP) Professor Richard Harris School of Engineering and Advanced Technology (SEAT)
Voice over IP (VoIP) Professor Richard Harris School of Engineering and Advanced Technology (SEAT) Presentation Outline Basic IP phone set up The SIP protocol Computer Networks - 1/2 Learning Objectives
Video Conferencing and Security
Video Conferencing and Security Using the Open Internet and Encryption for Secure Video Communications & Guidelines for Selecting the Right Level of Security for Your Organization 1 Table of Contents 1.
How To Use A Microsoft Vc.Net (Networking) On A Microsatellite (Netnet) On An Ipod Or Ipod (Netcom) On Your Computer Or Ipad (Net) (Netbook) On The
14: Signalling Protocols Mark Handley H.323 ITU protocol suite for audio/video conferencing over networks that do not provide guaranteed quality of service. H.225.0 layer Source: microsoft.com 1 H.323
EarthLink Business SIP Trunking. NEC SV8300 IP PBX Customer Configuration Guide
EarthLink Business SIP Trunking NEC SV8300 IP PBX Customer Configuration Guide Publication History First Release: Version 1.0 May 18, 2012 CHANGE HISTORY Version Date Change Details Changed By 1.0 5/18/2012
Session Border Controller
CHAPTER 13 This chapter describes the level of support that Cisco ANA provides for (SBC), as follows: Technology Description, page 13-1 Information Model Objects (IMOs), page 13-2 Vendor-Specific Inventory
Encapsulating Voice in IP Packets
Encapsulating Voice in IP Packets Major VoIP Protocols This topic defines the major VoIP protocols and matches them with the seven layers of the OSI model. Major VoIP Protocols 15 The major VoIP protocols
Application Note Patton SmartNode in combination with a CheckPoint Firewall for Multimedia security
Patton Electronics Co. www.patton.com 7622 Rickenbacker Drive, Gaithersburg, MD 20879, USA tel: +1 301-975-10001000 fax: +1 301-869-9293 Application Note Patton SmartNode in combination with a CheckPoint
Alexandre Weffort Thenorio - Data. IP-Telephony
Alexandre Weffort Thenorio - Data IP-Telephony 1. Introduction... 3 2. What is it?... 4 3. Why IP-Telephony?... 4 3.1. Advantages... 4 3.1.1. Cost... 4 3.1.2. Functionality and Mobility... 4 3.2. Disadvantages...
Crossing firewalls. Liane Tarouco Leandro Bertholdo RNP POP/RS. Firewalls block H.323 ports
Crossing firewalls Liane Tarouco Leandro Bertholdo RNP POP/RS Firewalls block H.323 ports 1 H.323 ports Security issues For the H.323 protocol to cross a firewall, the specific static ports and all ports
Voice over IP Communications
SIP The Next Big Step Voice over IP Communications Presented By: Stephen J. Guthrie VP of Operations Blue Ocean Technologies Goals What are our Goals for Today? Executive Summary: It is expected that real-time
EarthLink Business SIP Trunking. NEC SV8100 IP PBX Customer Configuration Guide
EarthLink Business SIP Trunking NEC SV8100 IP PBX Customer Configuration Guide Publication History First Release: Version 1.0 August 30, 2011 CHANGE HISTORY Version Date Change Details Changed By 1.0 8/30/2011
Understanding Voice over IP
Introduction Understanding Voice over IP For years, many different data networking protocols have existed, but now, data communications has firmly found its home in the form of IP, the Internet Protocol.
SIP Security Controllers. Product Overview
SIP Security Controllers Product Overview Document Version: V1.1 Date: October 2008 1. Introduction UM Labs have developed a range of perimeter security gateways for VoIP and other applications running
Security Technology: Firewalls and VPNs
Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up
Voice Over IP and Firewalls
Introduction Voice Over IP and Firewalls By Mark Collier Chief Technology Officer SecureLogix Corporation [email protected] Use of Voice Over IP (VoIP) in enterprises is becoming more and more
A Model-based Methodology for Developing Secure VoIP Systems
A Model-based Methodology for Developing Secure VoIP Systems Juan C Pelaez, Ph. D. November 24, 200 VoIP overview What is VoIP? Why use VoIP? Strong effect on global communications VoIP will replace PSTN
A Comparative Study of Signalling Protocols Used In VoIP
A Comparative Study of Signalling Protocols Used In VoIP Suman Lasrado *1, Noel Gonsalves *2 Asst. Prof, Dept. of MCA, AIMIT, St. Aloysius College (Autonomous), Mangalore, Karnataka, India Student, Dept.
Setting up a reflector-reflector interconnection using Alkit Reflex RTP reflector/mixer
Setting up a reflector-reflector interconnection using Alkit Reflex RTP reflector/mixer Mathias Johanson Alkit Communications AB Introduction The Alkit Reflex reflector/mixer system can be set-up to interconnect
FIREWALLS & CBAC. [email protected]
FIREWALLS & CBAC [email protected] Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that
Proxy Server, Network Address Translator, Firewall. Proxy Server
Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as
Fig. 4.2.1: Packet Filtering
4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the
A Scalable Multi-Server Cluster VoIP System
A Scalable Multi-Server Cluster VoIP System Ming-Cheng Liang Li-Tsung Huang Chun-Zer Lee Min Chen Chia-Hung Hsu [email protected] {kpa.huang, chunzer.lee}@gmail.com {minchen, chhsu}@nchc.org.tw Department
Operation Manual Voice Overview (Voice Volume) Table of Contents
Operation Manual Voice Over (Voice Volume) Table of Contents Table of Contents Chapter 1 Voice Over... 1-1 1.1 Introduction to VoIP... 1-1 1.1.1 VoIP System... 1-1 1.1.2 Basic VoIP Call Flow... 1-2 1.1.3
Version 0.1 June 2010. Xerox WorkCentre 7120 Fax over Internet Protocol (FoIP)
Version 0.1 June 2010 Xerox WorkCentre 7120 Fax over Internet Protocol (FoIP) Thank you for choosing the Xerox WorkCentre 7120. Table of Contents Introduction.........................................
Session Border Controller and IP Multimedia Standards. Mika Lehtinen [email protected]
Session Border Controller and IP Multimedia Standards Mika Lehtinen [email protected] December 1, 2005 Contents Introduction Motivation Research problem Research method Results Conclusion December
Interactive communications over IP networks
How many times have you heard "IP networks don't make any money!" Probably way too many! Compared to the PSTN, IP networks are big zeroes in terms of financial appeal. Today, while data consumes more than
Region 10 Videoconference Network (R10VN)
Region 10 Videoconference Network (R10VN) Network Considerations & Guidelines 1 What Causes A Poor Video Call? There are several factors that can affect a videoconference call. The two biggest culprits
Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011
Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011 Proprietary 2011 Media5 Corporation Table of Contents Introduction... 3 Solution Overview... 3 Network Topology... 4 Network Configuration...
The Basics. Configuring Campus Switches to Support Voice
Configuring Campus Switches to Support Voice BCMSN Module 7 1 The Basics VoIP is a technology that digitizes sound, divides that sound into packets, and transmits those packets over an IP network. VoIP
Alkit Reflex RTP reflector/mixer
Alkit Reflex RTP reflector/mixer Mathias Johanson, Ph.D. Alkit Communications Introduction Real time audio and video communication over IP networks is attracting a lot of interest for applications like
IP Telephony Deployment Models
CHAPTER 2 Sections in this chapter address the following topics: Single Site, page 2-1 Multisite Implementation with Distributed Call Processing, page 2-3 Design Considerations for Section 508 Conformance,
Level: 3 Credit value: 9 GLH: 80. QCF unit reference R/507/8351. This unit has 6 learning outcomes.
This unit has 6 learning outcomes. 1. Know telephony principles. 1.1. Demonstrate application of traffic engineering concepts Prioritization of voice traffic Trunking requirements Traffic shaping. 1.2.
VegaStream Information Note Considerations for a VoIP installation
VegaStream Information Note Considerations for a VoIP installation To get the best out of a VoIP system, there are a number of items that need to be considered before and during installation. This document
SIP Trunking Manual 05.15. Technical Support Web Site: http://ws1.necii.com (registration is required)
SIP Trunking Manual 05.15 Technical Support Web Site: http://ws1.necii.com (registration is required) This manual has been developed by NEC Unified Solutions, Inc. It is intended for the use of its customers
