Reccomendations on HDX outside the firewall

Anonymous · ‎01-13-2012

Hello,

We have 3 HDX Units in our company all which sit inside our LAN and talk to one another across our private MPLS network. they work perfectly and we have zero problems. Our company is interested in using the iPad Polycom software so our users can connect to the polycom when they are outside the company or to use PVX or HDX units from other companies without having to use a 3rd party codec.

1. Have any of you used these products and what has your experience been?

2. What recommendations do any of you have regarding setup of an HDX unit for general internet access? Do we move it to the DMZ, NAT, proxy?

Some of our chief concerns are related to device security. If we open this device to the internet, what risks does that pose and how to we minimize them.

Any help people can provide would be much appreciated.

Thanks!

Anonymous · ‎01-13-2012

Check out the documents on our website (here)

http://support.polycom.com/PolycomService/support/us/support/video/hdx_series/hdx8000.html

many customers have put the HDX outside the firewall with no security issues. The OS is locked down and there has never been a report of a 'pass thru' intrusion that I am aware of. Worst case is if someone learns the password of the Admin tools WebUI they could make configuration changes.

The best solution would be to use a NAT configuration so the units remain behind the firewall. With the right firewall and config, calls can be made outside as well as internal.

Here’s how I explain the function:

If the NAT is 323 compatible is checked, the unit is putting the ‘real’ (internal) IP address at both layer 3 and layer 7 of the packet.

If it is unchecked, the unit puts the ‘real’ IP address in L3 and the WAN IP in L7 of the packet.

NAT is compatible is extremely close, in real-world function, to having no NAT settings at all. When it is checked, the unit is depending on the firewall to intercept the packets & do the L3 NAT (change internal IP to external IP/vice-versa), as well as open the payload of the packet, determine if there is anything ‘to do’ (such as determine if it is an H245 packet and alter the IP address/port numbers contained therein) & do whatever is necessary.

When not checked, the codec has the simple thought process of: “the firewall here is dumb, so I have to put the WAN IP in the payload part so this call will work”

The layer 3 part of the packet, regardless of the NAT settings, is the same as it would not work otherwise.

There is a lot to discuss here so it might be best to give our support a call and we would be glad to chat with you.

(888) 248 4143

Anonymous · ‎01-19-2012

Plan B. Stick a VBP at your boundry with a single IP address. Some VBPs have a built-in inward facing Gatekeeper so your "LAN" units can dial each other with short E.164 extensions. People outside the network would dial VBP Public IP ## internal E.164 extension.

VBPs come with varying capacities, the current entry level is VBP4555 supporting 3MB concurrent traffic & 15 registrations to the GK.

Pete

Create an account on the HP Community to personalize your profile and ask a question