Re: Tandberg Videoconferencing via ISA or NAT?

["William C. Moore II" <wcmoore () VALDOSTA EDU>]

Charlie,

We have several Tandberg and Polycom video conferencing units in place and
have been using them to connect to other institutions (private, higher ed.,
k-12, international, etc) for quite some time now.  While I am not
intimately familiar with unit setup, we have worked diligently on
troubleshooting connectivity problems.  Also, I am not sure if our techs
have worked with the 2500 series.

Now all that being said here are some items for you to look into:

1. Static IP for unit and static NAT.

2. Set all units (local and distance) to use static range of ports (default
setting with most units is dynamic range). Dynamic port ranges on video
conferencing equip. create more problems for firewall Admins than you can
possibly believe.  Setting the unit to "static ports" is usually a
predefined set of TCP and UDP ports.  Communicate these IPs and ports to the
firewall Admin for rule sets.

3. Check if traffic is crossing more than one firewall.  This is especially
true for Polycom units but packet fragmentation is a pain and while the PIX
has it's "fixup" settings some campuses are more creative with their
firewall iterations.  However, this issue is less frequent than it once was.

One campus that I am aware of has placed their video conferencing units
completely outside of their perimeter firewall to negate firewall/video
conferencing issues.  Their video conferencing network is completely
separate from their data network and this works very well for them.  

Our techs have been testing various newer Tandberg units such as the "Border
Controller" and "Gatekeeper" with mixed reviews.  We are doing this because
of our multipoint video conferencing needs.  One of our departments is
working with sign language training and interpretations to off campus areas
and latency or "jittering" video can completely change a phrase into
something different.  If anyone has suggestions for multipoint video
conferencing and can provide best practice information to help combat
latency I would be extremely grateful.


Bill





William C. Moore II, CISSP, MEd, MLIS
Assistant Director of Information Technology
Information Security
Valdosta State University
Valdosta, GA 31698
Phone:(229)333-5974
Fax:  (229)245-4349



***********************************************************************
The information transmitted is intended only for the person addressed.
Any unauthorized review, distribution or other use of or the taking of
any action in reliance upon this information is prohibited. If you
received this message in error, please contact the sender and delete or
destroy this message and any copies.
*********************************************************************** 
________________________________________
From: Charlie Prothero [mailto:Charlie.Prothero () KEYSTONE EDU] 
Sent: Wednesday, May 17, 2006 15:37
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Tandberg Videoconferencing via ISA or NAT?

Hi, all!  We have a couple of Tandberg 2500 videoconferencing systems that
are primarily used inside our private network to connect our main campus and
a remote (T1 connected) site 60 miles away.  They work great, but have never
needed to connect anywhere but to each other.  Now, we’re looking at
connecting to the outside world for the first time, and the documentation we
have isn’t clear on how to do that.  We use 10.x.x.x private addresses
inside our network and have MS NAT and ISA servers for connectivity to the
Internet.  We have tried simply turning on NAT in the Tandberg’s codec, and
supplying the address of our NAT box, but we’re obviously missing
something.  ISA seems to have a comprehensive H.323 gatekeeper module, but
all documentation I have on it is geared towards Netmeeting, and I don’t
know how applicable that would be.  

If anyone has a similar setup, I would most appreciate hearing how you made
it work…

Thanks!

- Charlie
 
 
Charlie Prothero
CIO
 
Keystone College
One College Green • La Plume, PA 18440
570-945-8015