Recommendations on HDX outside the firewall

Occasional Contributor

Hello,

We have 3 HDX units in our company, all of which sit inside our LAN and talk to one another across our private MPLS network. They work perfectly and we have zero problems. Our company is interested in using the iPad Polycom software so our users can connect to the Polycom when they are outside the company, or to use PVX or HDX units from other companies without having to use a 3rd-party codec.

1. Have any of you used these products and what has your experience been?

2. What recommendations do any of you have regarding setup of an HDX unit for general internet access?  Do we move it to the DMZ, NAT, proxy? 

Some of our chief concerns are related to device security. If we open this device to the internet, what risks does that pose and how do we minimize them?

Any help people can provide would be much appreciated.

Thanks!

Paul

Message 1 of 5
Frequent Advisor

Re: Recommendations on HDX outside the firewall

The Polycom endpoints typically work through almost any firewall out there. Generally there are TCP & UDP ports that need to be opened on the FW. Depending on the FW you may need to use the NAT configuration settings of the Polycom endpoint. In a perfect world the FW would handle all of the H.323 traffic, the NAT traversal etc. without having to configure the Polycom. Just as an FYI, the M500 application DOES NOT have NAT capabilities, but as long as these clients are out on the public internet such as a Wi-Fi hot spot or 3G then it wouldn't matter. One recommendation I would have is to consider using the Polycom VBP 4350 E, for example. http://support.polycom.com/PolycomService/support/us/support/network/security_firewall_traversal/vbp...

Here is a brief comparison as I know it:

Polycom VBP                                                     Cisco ASA/PIX
  • 1 to many NAT                                               1 to 1 NAT
  • 1 WAN address                                               1 WAN address per endpoint
  • Endpoints register to embedded Gatekeeper using an E.164    No Gatekeeper
  • Can dial using Annex O (E.164@IP address)                   Unknown
  • Provides the security as the VBP is a Firewall              Same


Message 2 of 5
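To make the "Cisco ASA/PIX" column of that comparison concrete, here is an added example (not from the thread or from Polycom/Cisco documentation) of the 1-to-1 NAT approach on a Cisco ASA running 8.3+ syntax: one HDX gets its own public address, only its H.323 signalling and media ports are reachable from outside, and management stays LAN-only. The LAN address 10.0.0.11, the public address 203.0.113.11 and the port-range placeholders are assumptions; the HDX's own fixed port ranges should be read off the codec and substituted.

```cisco
! Added example, not the thread's or vendor's own config.
! 10.0.0.11 = HDX on the LAN, 203.0.113.11 = its dedicated public address
! (both placeholders from documentation ranges): one WAN address per endpoint.
object network hdx1
 host 10.0.0.11
 nat (inside,outside) static 203.0.113.11

! Inbound policy: expose only H.323 call setup (TCP 1720, keyword h323) and the
! codec's fixed H.245/media ranges. HTTP/HTTPS/SSH/Telnet management is not
! listed, so it stays unreachable from the internet. Replace the placeholder
! ranges with the values configured on the HDX.
access-list outside_in extended permit tcp any host 10.0.0.11 eq h323
access-list outside_in extended permit tcp any host 10.0.0.11 range <HDX-TCP-START> <HDX-TCP-END>
access-list outside_in extended permit udp any host 10.0.0.11 range <HDX-UDP-START> <HDX-UDP-END>
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside

! H.323 inspection rewrites the private addresses embedded in H.225/H.245
! signalling, so the codec itself needs no NAT settings and internal calls
! between the three units keep working.
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
```

The `deny ... log` line gives the firewall log a record of every other connection attempt against the codec's public address, which is the simplest way to see whether anyone is probing it.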
Occasional Advisor

Re: Recommendations on HDX outside the firewall

You may want to think about adding some infrastructure. The iPad software is H.460 compliant.

 

What this means is that you could install a VBP S series ALG at the edge of your network and register your external clients through its built-in access proxy. H.460 will handle the FW traversal as it uses a server/client pinholing approach to firewall traversal. You wouldn't need to worry which network the iPad was currently using; as long as it had access to the cloud, the NAT would cease to matter. You would need a gatekeeper as well; an E series VBP would fit the bill for this, or if you wanted to expand your infrastructure further you can look into the CMA appliance, which would also give you access to CMA desktop clients, which are also H.460 compliant.

 

A+ Net+ CVE APSS ACSS RSACSP CTS
Message 3 of 5
Frequent Advisor

Re: Recommendations on HDX outside the firewall

Overkill

You have three codecs; if you NAT them on the codec you'll break the internal calls (return traffic will come from the internet).

Get a VBP E series, use it as a gatekeeper internally, job done.

Message 4 of 5
Trusted Contributor

Re: Recommendations on HDX outside the firewall

The VBP-E series is the quick & easy way of doing this. The zero-cost option would be to NAT your endpoints to 3 external IP addresses or DMZ them. Point being, we have had VSX/HDX/Sony PCS on public IP addresses for customer testing use for years & I have never seen any of them show any signs of being tampered with. Turn off any protocols you don't need in Admin/General/Security.

Apply a decent Admin password & Bob's your uncle!

Pete

Message 5 of 5