We have 3 HDX Units in our company, all of which sit inside our LAN and talk to one another across our private MPLS network. They work perfectly and we have zero problems. Our company is interested in using the iPad Polycom software so our users can connect to the Polycom when they are outside the company, or to use PVX or HDX units from other companies without having to use a 3rd party codec.
1. Have any of you used these products and what has your experience been?
2. What recommendations do any of you have regarding setup of an HDX unit for general internet access? Do we move it to the DMZ, NAT, proxy?
Some of our chief concerns are related to device security. If we open this device to the internet, what risks does that pose and how do we minimize them?
Any help people can provide would be much appreciated.
The Polycom endpoints typically work through almost any firewall out there. Generally there are TCP & UDP ports that need to be opened on the FW. Depending on the FW you may need to use the NAT configuration settings of the Polycom endpoint. In a perfect world the FW would handle all of the H.323 traffic, the NAT traversal etc. without having to configure the Polycom. Just as an FYI, the M500 application DOES NOT have NAT capabilities, but as long as these clients are out on the public internet such as a Wi-Fi hot spot or 3G then it wouldn't matter. One recommendation I would have is to consider using the Polycom VBP 4350 E for example. http://support.polycom.com/PolycomService/support/us/support/network/security_firewall_traversal/vbp...
Here is a brief comparison as I know it:
Polycom VBP Cisco ASA/PIX
You may want to think about adding some infrastructure. The iPad software is H.460 compliant.
What this means is that you could install a VBP S series ALG at the edge of your network and register your external clients through its built-in access proxy. H.460 will handle the FW traversal as it uses a server/client pinholing approach to firewall traversal. You wouldn't need to worry which network the iPad was currently using; as long as it had access to the cloud, the NAT would cease to matter. You would need a gatekeeper as well; an E series VBP would fit the bill for this, or if you wanted to expand your infrastructure further you can look into the CMA appliance, which would also give you access to CMA desktop clients, which are also H.460 compliant.
You have three codecs; if you NAT them on the codec you'll break the internal calls (return will come from the internet).
Get a VBP E series, use it as a gatekeeper internally, job done.
The VBP-E series is the quick & easy way of doing this. The zero cost option would be to NAT your endpoints to 3 external IP addresses or DMZ them. Point being, we have had VSX/HDX/Sony PCS on public IP addresses for customer testing use for years & I have never seen any of them show any signs of being tampered with. Turn off any protocols you don't need in Admin/General/Security.
Apply a decent Admin password & Bob's your uncle!