I'm pretty sure we found the issue, we will be testing it tomorrow. Our solution is always to have Asterisk on public IP and the handsets behind NAT, that's a huge difference to how most peoples labs are.
On the LAN we can get it to work via direct IP with 2 vvx 500s and 1 camera.
We even tested over layer 3 with a router between 2 different subnets.
We put 1 phone on public IP and 1 phone behind NAT and could not establish video. Camera less phone was on public IP and camera phone was behind NAT. We hoped that the camera phone would have opened ports on the NAT/Firewall and the public IP phone would see the video from the camera phone, however it wouldn't connect. Our assumption is that the public IP phone is trying to reply to the internal IP in the SIP header vs the public IP since the public IP phone doesn't know about the NAT.
So my guess is that, with a camera the VVX 500 setups an audio channel and video channel so that's why it works via NAT behind a firewall. However, without a video camera the phone won't setup an outgoing video port and thus it won't get the incoming video from the public server.
We are the provider who set this up. We were polycom certified in Soundpoint and Video solutions.
I assume others are doing NAT, but most are not.
being a certified Polycom reseller simply get this into support if you believe our phones are violating an RFC or this being a bug.
You may have to pay a PPI / Pay Per Incident fee if the phone in question is out of warranty.
Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.
Polycom Global Services
The issue is that a Polycom phone without a camera will not send out a video request. It assumes you are not behind NAT.
A simple fix would be for Polycom to have a setting on the VVX 500 to always send a video call, thus the firewall its behind would open a port for it and the phone without a camera would receive video.
While the cost of the USB camera isn't a lot, it is ~50% of the VVX 500. That being said, most offices don't want to see each other, but they do want to see the doorbox - like an Algo 8039 or Algo 8036... thus having the ability to see video without a camera behind NAT would be welcome.
anakaoka I think you are on the right path. There's no video traffic sent from the VVX without a camera so the NAT/FW sees the incoming video RTP as unsolicited traffic. With video sent out from the VVX with a camera the FW sees this incoming traffic as expected (source and destination ports) and allows it.
The only suggestion I have is to possibly whitelist the source IP for the incoming video.
And like Steffen said, I think you'd need a support ticket if it is anything other than that.