At our organisation we currently run a set of 4 RealPresence Group 500 VC endpoints across 4 sites, with one site having a multipoint licence.
For ease of admin we've had all four set up with dedicated ADSL/Cable internet connections (each with a static IP) and with the units in the DMZ/no firewall, so they could all contact each other and outside VC endpoints via the internet without any port filtering. This is obviously insecure but no other equipment was on those connections, only the VC units.
We've now restructured our network and have created a specific VLAN (behind a firewall) across our sites for our VC kit to connect to. Our problem is working out how to allow external connections to the VC endpoints over the internet (i.e. breaking out of the firewall).
First off, is there any way of sharing a single external IP between all four VC endpoints? We don't have any gatekeeper equipment, only Cisco Meraki firewalls.
Secondly, I've read the pinned/FAQ post regarding opening firewall ports for VC endpoints, but I'm now rather confused. Do I need to open all the inbound/outbound ports listed in this post (including the dynamic ranges)? We're using H.323 rather than SIP, does this make a difference?
you can´t use several GS500 behind one public IP without a gatekeeper like Polycom VBP. How should your Firewall/Router differentiate the calls and forward it to the right GS500?
All ports you realy need you´ll see under admin settings > network > ip network > firewall. Check "Fixed Ports" and use all ports you see there (In and Outgoing), plus 1720 TCP. That´s all for H.323. For SIP you must open either UDP port 5060, TCP 5060, or TCP 5061 depending on whether you are using UDP, TCP, or TLS as the SIP transport protocol.
Here are many threads about this topic, search for it.