Technical White Paper for Traversal of Huawei Videoconferencing Systems Between Private and Public Networks
Huawei Technologies Co., Ltd. All rights reserved.
Issue 01 (2012-03-07) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

Contents
1 Overview ..... 1
2 H.323 ..... 2
3 Firewall ..... 4
3.1 Concept ..... 4
3.2 Basic Functions ..... 5
3.2.1 Packet Filtering ..... 5
3.2.2 Proxy Service ..... 5
3.2.3 State Inspection ..... 5
4 NAT ..... 7
4.1 Concept ..... 7
4.2 NAT Implementation ..... 7
4.2.1 Static NAT ..... 7
4.2.2 Dynamic NAT ..... 8
4.2.3 NAPT ..... 9
5 SBC ..... 10
5.1 Concept ..... 10
5.2 Implementation Principles for the Proxy Solution ..... 10
5.3 Basic Principles for Implementing NAT Traversal in the Proxy Solution ..... 11
5.4 Difference Between the Proxy and NAT ..... 13
6 H.460 ..... 14
6.1 Concept ..... 14
6.2 Implementation Mode ..... 14
6.3 Signaling Interworking Process ..... 15
6.4 Interworking Process of Media Streams ..... 16
7 Problems and Current Situation of Traversal Between Private and Public Networks ..... 17
7.1 Problems ..... 17
7.1.1 Enabling Ports on the Firewall ..... 17
7.1.2 Address Translation for H.323 Packets ..... 18
7.1.3 HTTP Proxy Server Mode ..... 18
7.2 Current Situation ..... 18
7.2.1 Static NAT ..... 18
7.2.2 NAT Device Supporting H.323 ..... 19
7.2.3 Traversal Between Private and Public Networks Using H.323 Proxy ..... 20
8 Huawei Videoconferencing System's Solution to Traversal Between Private and Public Networks ..... 22
8.1 Traversal Between Private and Public Networks Using SNP ..... 22
8.1.1 Implementation Principle ..... 22
8.1.2 Networking Applications ..... 23
8.2 Firewall Traversal in Static NAT Mode ..... 25
8.2.1 Network Topology ..... 25
8.2.2 Implementation Principle ..... 26
8.2.3 Solution Analysis ..... 26
8.3 FW/NAT Devices (Eudemon) Supporting Transparent H.323 Transmission ..... 26
8.3.1 Network Topology ..... 26
8.3.2 Implementation Principle ..... 27
8.3.3 Solution Analysis ..... 28
8.4 Traversal Between Private and Public Networks by Adding Proxy (SE2000) ..... 29
8.4.1 Proxy Mode ..... 29
8.4.2 UDP Tunnel Traversal Mode ..... 30
8.4.3 Solution Analysis ..... 31
8.5 Interworking Between Private Networks by Adding VP 8520 MG Devices ..... 32
8.5.1 Network Topology ..... 32
8.5.2 Implementation Principle ..... 33
8.5.3 Solution Analysis ..... 33
8.6 Interworking Between Private Networks Using Existing MCU Devices ..... 34
8.6.1 Network Topology ..... 34
8.6.2 Implementation Principle ..... 35
8.6.3 Solution Analysis ..... 36
8.7 Traversal Between Private and Public Networks by Adding the H.460 GK Server Function ..... 36
8.7.1 Network Topology ..... 37
8.7.2 Implementation Principle ..... 38
9 Solution Comparison and Proposals ..... 40

1 Overview

Network address translation (NAT) and firewall devices are deployed at the egress of an intranet to relieve the IPv4 address shortage and to protect the network. H.323 negotiates the addresses and ports of its media streams inside the signaling itself, so when a terminal sits on a private network the IP addresses carried in the signaling are private addresses. Private addresses cannot be routed on a public network, so the addresses carried inside the signaling must be translated along with the packet headers. Many NAT/firewall devices do not translate addresses carried in the signaling payload, which makes videoconferencing services difficult to deploy. NAT/firewall traversal is therefore required.

Several NAT traversal techniques are available, for example application layer gateway (ALG), simple traversal of UDP through NAT (STUN), middlebox communications (MIDCOM), session border controller (SBC) proxy, super network passport (SNP), tunneling, and H.460. As a leading network solution provider, Huawei implements NAT traversal for videoconferencing by using the ALG (Eudemon firewall), SNP, SE2000, MG8520, MCUs supporting the video firewall function, and gatekeepers (GKs) supporting H.460.
2 H.323

Most videoconferencing systems currently use the H.323 protocol suite (including H.225, H.245, and Q.931) specified by the International Telecommunication Union Telecommunication Standardization Sector (ITU-T). H.323 was defined early and has found wide commercial application: Microsoft Corporation's NetMeeting uses the mature H.323 protocol, and telecom operators in China usually use H.323 when implementing voice over Internet Protocol (VoIP).

H.323 defines a protocol set for flexible, real-time, interactive multimedia communication on a packet-based network (PBN). It describes the protocols and devices that provide multimedia communication services (including real-time audio and data communication) on PBNs that offer no QoS guarantee. H.323 defines four types of components: terminals, gateways, GKs, and multipoint control units (MCUs). H.323 is a major protocol for video communication, and an H.323 network consists of terminals, gateways, GKs, and MCUs. The functions of gateways, GKs, and MCUs are as follows:

A GK manages all H.323 calls in its zone of the local area network (LAN). The GK provides two major services: call admission and address resolution. All H.323 endpoints in the GK's zone place calls with the assistance of the GK, and the GK decides whether a call is admitted based on the bandwidth currently available.

Gateways provide interworking between heterogeneous networks. For example, a gateway must be placed between a packet-switched network and a telephone network to translate the protocols and data.

MCUs provide multipoint conferencing for multiple participants. An MCU coordinates the media communication capabilities of all participants and provides audio mixing and video selection for the endpoints.
This document describes the H.323 communication process using a point-to-point H.323 call as an example. A and B are the two endpoints of the call; endpoint A is located outside the firewall and endpoint B inside it. Figure 2-1 shows the H.323 communication process.

Figure 2-1 H.323 communication process (A to B. Q.931 over TCP: Setup, CallProceeding, Alerting, Connect carrying the H.245 address. H.245 over TCP: capability exchange, master-slave determination, OpenLogicalChannel carrying the RTCP address, OpenLogicalChannelAck carrying the RTCP and RTP addresses. RTP and RTCP streams over UDP.)

The process is as follows:
1. Endpoint A establishes a TCP connection to the well-known H.323 call signaling port (1720) of endpoint B.
2. Endpoints A and B exchange Q.931 packets on this connection. Endpoint B sends endpoint A the dynamic port to be used for the H.245 connection (the H.245 Address field carried in the CONNECT message).
3. Endpoint A establishes the H.245 connection to the temporary port negotiated in the Q.931 exchange. H.245 negotiates all call parameters, for example the encoding and decoding algorithms. After this negotiation the H.245 session starts the OpenLogicalChannel procedure, which negotiates the Real-Time Transport Protocol (RTP) and Real-Time Transport Control Protocol (RTCP) addresses used for transmitting each media stream (such as audio or video): the OpenLogicalChannel message carries the sender's RTCP address, and the OpenLogicalChannelAck message carries the receiver's RTP and RTCP addresses.
4. Media streams are then transmitted between the two endpoints until the session ends.

Because the H.245 port and all RTP/RTCP ports are allocated dynamically during the call, a firewall between A and B cannot admit them with static rules; it must either parse the signaling or rely on one of the traversal mechanisms described later in this document.
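The following script models the exchange above and derives from it the flows a firewall in front of endpoint B would have to admit. It is an added illustration, not code from this white paper or from any Huawei product: the message structures are simplified dictionaries, and the addresses and port ranges (203.0.113.10, 192.168.32.10, ports from 40000 and 50000) are constructed. It shows the point that matters for traversal: of all the flows a call needs, only the first one targets a port known in advance.

```python
"""Model of the point-to-point H.323 call in Figure 2-1 (added example, not code
from the white paper). It follows the messages in which addresses and ports are
carried inside the signaling payload and derives the flows a firewall between A
and B must permit. Only the first flow uses a fixed port; every other port is
learned from the signaling, which is what an ALG or stateful inspection engine
has to parse. Addresses and port ranges are constructed.
"""
from dataclasses import dataclass

H225_PORT = 1720   # well-known H.225.0/Q.931 call signaling port


@dataclass
class Endpoint:
    name: str
    ip: str
    next_port: int                 # next dynamic port this endpoint hands out

    def alloc_port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int
    purpose: str


def h323_call(a: Endpoint, b: Endpoint) -> list:
    """A calls B; return the flows the call needs, in the order they appear."""
    flows = []
    # 1. Q.931 SETUP over TCP to B's well-known port: the only statically known flow.
    flows.append(Flow("tcp", a.ip, b.ip, H225_PORT, "Q.931 call signaling"))
    # 2. B answers with CONNECT whose h245Address field carries a dynamic port.
    connect = {"msg": "CONNECT", "h245Address": (b.ip, b.alloc_port())}
    # 3. A opens the H.245 control channel to the address learned from CONNECT.
    flows.append(Flow("tcp", a.ip, *connect["h245Address"], "H.245 control"))
    # Capability exchange and master/slave determination run on that channel;
    # then each side opens a logical channel for the media it will send.
    for sender, receiver in ((a, b), (b, a)):
        # OpenLogicalChannel carries the sender's RTCP address.
        olc = {"msg": "OpenLogicalChannel", "rtcp": (sender.ip, sender.alloc_port())}
        # OpenLogicalChannelAck carries the receiver's RTP and RTCP addresses.
        ack = {"msg": "OpenLogicalChannelAck",
               "rtp": (receiver.ip, receiver.alloc_port()),
               "rtcp": (receiver.ip, receiver.alloc_port())}
        # 4. Media over UDP: RTP and RTCP toward the receiver, RTCP reports back.
        flows.append(Flow("udp", sender.ip, *ack["rtp"], f"RTP {sender.name}->{receiver.name}"))
        flows.append(Flow("udp", sender.ip, *ack["rtcp"], f"RTCP {sender.name}->{receiver.name}"))
        flows.append(Flow("udp", receiver.ip, *olc["rtcp"], f"RTCP {receiver.name}->{sender.name}"))
    return flows


def inbound_pinholes(flows, inside_ip):
    """Flows a firewall in front of `inside_ip` must admit for the call to work."""
    return [f for f in flows if f.dst_ip == inside_ip]


def dynamic_ports(flows):
    """Destination ports that were not known before the call started."""
    return sorted({f.dst_port for f in flows if f.dst_port != H225_PORT})


if __name__ == "__main__":
    a = Endpoint("A", "203.0.113.10", 50000)   # outside the firewall
    b = Endpoint("B", "192.168.32.10", 40000)  # inside the firewall
    for f in inbound_pinholes(h323_call(a, b), b.ip):
        print(f"{f.proto:3} {f.src_ip} -> {f.dst_ip}:{f.dst_port}  {f.purpose}")
```

Run stand-alone, the script lists five inbound flows toward B; only the first (TCP 1720) could have been written into a static firewall rule before the call began.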
3 Firewall

3.1 Concept

A firewall prevents unauthorized or unverified access from the Internet to the protected network while allowing users on the internal network to browse web pages and send and receive e-mail on the Internet. A firewall can also act as a permission control point for Internet access, for example allowing only specific persons in an organization to reach the Internet. Many firewalls now have other features, such as identity authentication and information security (encryption) processing. Figure 3-1 shows the position of the firewall.

Figure 3-1 Position of the firewall (the firewall sits between the Internet and the Ethernet segment that hosts the PCs and the server)

Firewalls are used not only at the Internet connection but also to protect important devices and resources (data) within an organization. Access to protected data must pass through the firewall even when it originates inside the organization. When an external user accesses resources on the intranet, the firewall attempts to authenticate the access; when an intranet user accesses external resources, the firewall likewise attempts to authenticate the access. A firewall is therefore a gate that discards packets that are not allowed through.

3.2 Basic Functions

3.2.1 Packet Filtering

Packet filtering is the method of filtering on IP packet headers. The firewall decides whether to let a packet pass by inspecting the IP header together with the TCP or UDP header.
You can allow or deny packets with a given source or destination address, allow or deny packets to certain ports, or combine both criteria. Packet filtering is labor-intensive to configure. The configuration method varies between firewalls: some are configured from a command line and some from a graphical interface, but the content is similar and takes the following form:

    permit/deny  source address  destination address  protocol (tcp/udp)  destination port

For example: permit host 10.11.15.1 210.51.10.52 udp 1719.

In this example only three of the four fields that identify a connection (source address, source port, destination address, destination port) are used, because most source ports are allocated at random when a connection is established; the firewall therefore does not filter on the source port. For each packet to be forwarded by the router, the firewall:
1. obtains the header information, including the protocol number of the upper-layer protocol carried by the IP layer and the packet's source address, destination address, source port, and destination port;
2. compares this information with the configured rules;
3. forwards or discards the packet based on the result.

3.2.2 Proxy Service

Firewalls may provide a proxy function. Some firewalls implement an application-layer proxy (similar to a web proxy), and some implement ordinary NAT or network address port translation (NAPT). Although most firewalls can perform NAT or NAPT, a firewall does not necessarily do so: when people say a device is located behind a firewall, NAT translation may or may not be taking place.
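The evaluator below implements the rule format and the three-step matching procedure described in 3.2.1. It is an added example written for this page, not Huawei's or any vendor's filter syntax: the only extensions to the page's format are the keyword any and CIDR prefixes for addresses, both assumptions of this example. The rule set contains the page's own example line plus a constructed rule for the H.225 call signaling port; the last lookup shows why a static rule set cannot admit the H.245 port negotiated during a call.

```python
"""Evaluator for packet-filter rules in the form used in Section 3.2.1
(added example, not Huawei configuration syntax):

    permit|deny <src> <dst> <proto> <dst-port>

An address is 'any', 'host A.B.C.D', a bare A.B.C.D (treated as a host) or
A.B.C.D/len (assumed extensions). Rules are matched first-match-wins with an
implicit deny at the end. The source port is deliberately not part of a rule,
because clients choose it at random when they open a connection.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                        # "tcp", "udp" or "any"
    dport: Optional[int]              # None matches any destination port


def _parse_addr(tokens):
    """Consume one address from tokens; return (network, tokens consumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    return ipaddress.ip_network(tokens[0], strict=False), 1   # bare address -> /32


def parse_rule(line: str) -> Rule:
    t = line.split()
    action = t[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    src, n = _parse_addr(t[1:])
    t = t[1 + n:]
    dst, n = _parse_addr(t)
    t = t[n:]
    proto = t[0]
    dport = int(t[1]) if len(t) > 1 and t[1] != "any" else None
    return Rule(action, src, dst, proto, dport)


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Step 1 is the caller extracting the header fields; steps 2 and 3 happen here.
    Returns (action, index of the matching rule); index -1 is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, i
    return "deny", -1


# Constructed rule set: the page's own example (UDP 1719 is the H.225.0 RAS port a
# terminal registers to), a rule for H.225 call signaling on TCP 1720, and an
# explicit final deny.
RULES = [parse_rule(line) for line in [
    "permit host 10.11.15.1 210.51.10.52 udp 1719",
    "permit 10.11.15.0/24 host 210.51.10.52 tcp 1720",
    "deny any any any",
]]

if __name__ == "__main__":
    print(evaluate(RULES, "10.11.15.1", "210.51.10.52", "udp", 1719))   # permitted by rule 0
    print(evaluate(RULES, "10.11.15.1", "210.51.10.52", "tcp", 40000))  # H.245 port: denied
```

The last lookup is the traversal problem in miniature: the H.245 port (40000 here) is chosen during the call, so no rule written beforehand can permit it without opening a whole port range.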
3.2.3 State Inspection

State inspection means that the firewall filters packets not only on the layer-3 and layer-4 headers but also on the state of the connection and on application-layer information above layer 4. This function is also called application-specific packet filter (ASPF) or context-based access control (CBAC).

At present most firewalls provide state inspection. For example, if an FTP server behind the firewall is to provide services externally, only TCP port 21 needs to be enabled, because the other ports used in the FTP session are opened dynamically as the firewall tracks the session.

4 NAT

4.1 Concept

With the wide use of IP networks, more and more devices run TCP/IP, and IPv4 addresses have become seriously insufficient. NAT translates between private addresses and public addresses. A private address is a host address used inside a network (inside the LAN); a public address is an address visible outside the LAN (a globally unique IP address on the Internet). The IANA (RFC 1918) reserves the following three address blocks for private use:
10.0.0.0–10.255.255.255
172.16.0.0–172.31.255.255
192.168.0.0–192.168.255.255
Addresses in these three blocks are not allocated on the Internet, but they can be used freely inside an enterprise (LAN).

4.2 NAT Implementation

4.2.1 Static NAT

Static NAT translates private addresses to Internet addresses one-to-one. A given address on the private network is always translated to the same fixed Internet address.
Figure 4-1 shows the translation in static NAT mode.

Figure 4-1 Translation in static NAT mode

Private addresses 192.168.32.10, 192.168.32.12, and 192.168.32.15 are translated to 213.18.123.110, 213.18.123.111, and 213.168.32.112 respectively. In static NAT mode the source address changes but the source port does not, and the address mapping is fixed.

4.2.2 Dynamic NAT

Dynamic NAT translates multiple private addresses to multiple public addresses, but the mapping is not fixed: a private address may be translated to a different public address the next time. The set of public addresses is usually called the NAT pool. Figure 4-2 shows the translation in dynamic NAT mode.

Figure 4-2 Translation in dynamic NAT mode

Private addresses 192.168.32.10, 192.168.32.12, and 192.168.32.15 are translated to addresses taken from the public address pool. In dynamic NAT mode the source address changes but the source port does not, and the address mapping changes from session to session.

4.2.3 NAPT

NAPT, also known as NAT overloading, translates multiple private addresses to a single public address using different source ports; the ports distinguish the connections. Figure 4-3 shows the translation in NAPT mode.

Figure 4-3 Translation in NAPT mode

Private addresses 192.168.32.10, 192.168.32.12, and 192.168.32.15 are mapped to the public address 213.18.123.100. Connections are distinguished by their port numbers.
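The three modes of Section 4.2 are simulated below as small translators that rewrite the header of an outbound packet and keep the binding needed to translate the reply. This is an added example, not Huawei code; the pool addresses, port ranges and the packet contents are constructed. The final function reproduces the problem stated in the Overview: a plain NAT of any of the three kinds rewrites the IP and transport headers only, so an address that H.245 carries inside the payload leaves the NAT still pointing at the private network.

```python
"""Simulation of the three NAT modes in Section 4.2 (added example, not Huawei
code). Each translator rewrites the IP/transport header of an outbound packet
and keeps the binding it needs to translate the reply; a translator returns None
when it would drop the packet. The last function shows the limitation that
motivates the rest of this paper: a plain NAT leaves an address carried inside
the payload, such as the media address in an H.245 OpenLogicalChannelAck,
untouched. Addresses are constructed.
"""
import itertools
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: dict = field(default_factory=dict)   # application data, not seen by a plain NAT


class StaticNAT:
    """One-to-one fixed mapping; ports are left unchanged."""
    def __init__(self, table):
        self.table = dict(table)                        # private ip -> public ip
        self.reverse = {pub: priv for priv, pub in self.table.items()}

    def outbound(self, p):
        return Packet(self.table[p.src_ip], p.src_port, p.dst_ip, p.dst_port, p.payload)

    def inbound(self, p):
        priv = self.reverse.get(p.dst_ip)
        return None if priv is None else Packet(p.src_ip, p.src_port, priv, p.dst_port, p.payload)


class DynamicNAT:
    """Many-to-many from an address pool; a binding lasts for one session."""
    def __init__(self, pool):
        self.free = list(pool)
        self.active = {}                                # private ip -> public ip

    def outbound(self, p):
        if p.src_ip not in self.active:
            if not self.free:
                return None                             # pool exhausted: packet dropped
            self.active[p.src_ip] = self.free.pop(0)
        return Packet(self.active[p.src_ip], p.src_port, p.dst_ip, p.dst_port, p.payload)

    def inbound(self, p):
        for priv, pub in self.active.items():
            if pub == p.dst_ip:
                return Packet(p.src_ip, p.src_port, priv, p.dst_port, p.payload)
        return None

    def release(self, private_ip):                      # session over: address back to the pool
        self.free.append(self.active.pop(private_ip))


class NAPT:
    """Many-to-one; connections are told apart by the translated source port."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)
        self.bindings = {}                              # (priv ip, priv port) -> public port
        self.reverse = {}                               # public port -> (priv ip, priv port)

    def outbound(self, p):
        key = (p.src_ip, p.src_port)
        if key not in self.bindings:
            port = next(self.ports)
            self.bindings[key] = port
            self.reverse[port] = key
        return Packet(self.public_ip, self.bindings[key], p.dst_ip, p.dst_port, p.payload)

    def inbound(self, p):
        if p.dst_ip != self.public_ip or p.dst_port not in self.reverse:
            return None                                 # no binding: unsolicited, dropped
        priv_ip, priv_port = self.reverse[p.dst_port]
        return Packet(p.src_ip, p.src_port, priv_ip, priv_port, p.payload)


def olc_ack_through_napt(nat, terminal_ip, mcu_ip):
    """A private terminal answers the MCU's OpenLogicalChannel with its RTP address.
    Returns (translated header source, RTP address still in the payload): the header
    is rewritten, the embedded address is not, so the MCU would send media to an
    unroutable private address."""
    ack = Packet(terminal_ip, 40000, mcu_ip, 40000,
                 payload={"msg": "OpenLogicalChannelAck", "rtp": (terminal_ip, 40002)})
    out = nat.outbound(ack)
    return out.src_ip, out.payload["rtp"][0]
```

Note that NAPT also drops any inbound packet for which no outbound binding exists, which is the second half of the problem: even if the MCU knew the right public address, a media stream from the public side has no binding to arrive through until the private terminal has sent something first.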
In NAPT mode both the source address and the source port change, and both the address mapping and the port mapping change.

5 SBC

5.1 Concept

An SBC is a gateway based on the proxy solution that supports IP services. It proxies both signaling and media streams (the SBC supports H.323 and can parse and process H.323 packets for H.323-based videoconferencing services). The SBC processes all call packets and media streams, forwards them in the specified direction, and re-assigns the receiving addresses and ports of users on the internal and external networks. It performs address translation between network domains, including translation between private and public addresses in a NAT environment. Together with GKs and MCUs, the SBC provides the functions needed to deploy videoconferencing services, such as NAT traversal, security, QoS, and connectivity. As a convergence-layer device, the SBC also provides security protection, QoS assurance, and terminal access management for important devices.

5.2 Implementation Principles for the Proxy Solution

Figure 5-1 shows the basic principles of the proxy solution.

Figure 5-1 Basic principles of the proxy solution (network user, proxy server, and destination server; the proxy server terminates the full protocol stack, from the physical layer up to the application layer, toward both the user and the destination server)

The proxy usually operates at the application layer and handles specific application protocols. When a client accesses the destination server through the proxy, the communication proceeds as follows:
1. The client communicates with the proxy. The proxy receives the data sent by the client and processes it.
2. The proxy sends the processed data to the destination server.
When the destination server returns data to the client:
3. The destination server returns the data to the proxy.
4. The proxy sends the data to the client.
That is, the proxy is the only device that either the client or the destination server communicates with directly.

5.3 Basic Principles for Implementing NAT Traversal in the Proxy Solution

Following the implementation principle of the proxy solution, if the proxy is placed where the NAT device would be, the user and the proxy are on the same network and the destination server and the proxy are on the same network. NAT traversal is then implemented by the proxy, which processes the relevant service data. As shown in Figure 5-2, the SBC (proxy) is located on the boundary between the public network and the private network (the position of the NAT device); the terminals are on the private network, and the MCU and the GK are on the public network.

Figure 5-2 Networking for implementing NAT traversal using the proxy (Terminal 1 and Terminal 2 on the private network, the SBC at the boundary, the GK and the MCU on the public network)
In H.323-based videoconferencing services, the proxy processes a call as follows:
1. Terminals register with the GK through the proxy. According to the basic principle of the proxy, the GK address configured on the terminals is actually the SBC (proxy) address, and the terminal address shown on the GK is actually the SBC (proxy) address.
2. When a terminal on the private network calls the MCU, the call reaches the proxy as defined by H.323. The proxy parses the call signaling and processes the address and port of the audio and video media streams (RTP/RTCP) carried in it:
− The proxy records the RTP/RTCP address and port number of the terminal on the private network.
− The proxy replaces the private RTP/RTCP address with a public IP address of the proxy and replaces the media stream port with an external port allocated on the proxy.
− The proxy maps the private RTP/RTCP address/port to the public RTP/RTCP address/port of the proxy.
− The proxy sends the call signaling to the MCU.
3. The MCU receives call signaling in which the audio and video media addresses and ports are those of the proxy.
4. After the signaling has been processed, the terminal on the private network sends its media streams to the proxy, and the proxy forwards them to the MCU according to the RTP/RTCP address mapping. In the same way, the MCU sends media streams to the terminal on the private network through the proxy.

In this way NAT traversal using the proxy is completed. The SBC (proxy) can be combined with tunneling to further improve the NAT traversal solution. Figure 5-3 shows the typical networking for NAT traversal using the proxy together with a tunnel.
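The four steps above, as an added example that is not the SE2000's or any Huawei implementation: a proxy that rewrites the addresses a terminal advertises in its registration and in its OpenLogicalChannel/OpenLogicalChannelAck messages, allocating a port on its own opposite-side interface for each one, and then relays media arriving at that port to the recorded real address. The message field names, the proxy's two interface addresses and all port numbers are simplifications assumed for this example.

```python
"""Model of the proxy (SBC) processing in Section 5.3 (added example, not the
SE2000 or any Huawei implementation). The proxy parses the addresses carried in
H.225 RAS registration and H.245 OpenLogicalChannel/OpenLogicalChannelAck
messages, records the real address, substitutes its own address on the opposite
side with a freshly allocated port, and later relays media arriving at that
address to the recorded real address. Message fields are simplified; addresses
and port numbers are constructed.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Addr:
    ip: str
    port: int


# Message fields that carry an address a peer will later send traffic to.
ADDRESS_FIELDS = ("rasAddress", "callSignalAddress", "rtp", "rtcp")


class H323Proxy:
    def __init__(self, private_ip, public_ip, first_port=20000):
        self.side_ip = {"private": private_ip, "public": public_ip}
        self.ports = itertools.count(first_port)
        self.relay = {}     # proxy Addr a peer sends to -> real Addr it is relayed to
        self.by_real = {}   # real Addr -> proxy Addr allocated for it

    @staticmethod
    def other(side):
        return "public" if side == "private" else "private"

    def _allocate(self, real, listen_side):
        """Allocate (once) a proxy address on listen_side that relays to `real`."""
        if real not in self.by_real:
            proxy_addr = Addr(self.side_ip[listen_side], next(self.ports))
            self.by_real[real] = proxy_addr
            self.relay[proxy_addr] = real
        return self.by_real[real]

    def rewrite(self, msg, from_side):
        """Rewrite a message received on from_side before forwarding it to the other
        side: every address the sender advertised is replaced by a proxy address on
        the receiving side, so the peer talks to the proxy, never to the real address.
        This is what makes the GK see the proxy address as the terminal address."""
        out = dict(msg)
        for f in ADDRESS_FIELDS:
            if f in msg:
                out[f] = self._allocate(msg[f], self.other(from_side))
        return out

    def forward(self, dst):
        """Real destination for a media packet that arrived at proxy address dst, or
        None if nothing was negotiated for that address (the packet is dropped)."""
        return self.relay.get(dst)

    def release(self, msg):
        """Tear down the relays set up for the addresses in msg when the call ends."""
        for f in ADDRESS_FIELDS:
            real = msg.get(f)
            if real in self.by_real:
                self.relay.pop(self.by_real.pop(real))


if __name__ == "__main__":
    proxy = H323Proxy(private_ip="192.168.32.1", public_ip="213.18.123.5")
    ack = {"msg": "OpenLogicalChannelAck",
           "rtp": Addr("192.168.32.10", 5000), "rtcp": Addr("192.168.32.10", 5001)}
    print(proxy.rewrite(ack, "private"))          # what the MCU receives
    print(proxy.forward(Addr("213.18.123.5", 20000)))   # where media for it goes
```

Because allocation is keyed on the real address, re-sending the same message yields the same proxy ports, and a packet arriving at a proxy port that no signaling set up is dropped rather than relayed anywhere.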
Figure 5-3 Typical networking for implementing NAT traversal using the proxy and the tunnel technology (Terminal 1 and Terminal 2 on the private network, connected to the SBC through a tunnel)

5.4 Difference Between the Proxy and NAT

The proxy and the NAT device occupy the same position in the network, but their implementation principles differ.
1. The NAT device operates at the network layer and translates IP addresses and port numbers. The proxy operates at the application layer and must support the specific application protocol, for example H.323.
2. The NAT device is transparent in practice: video terminals cannot detect it. The proxy is not transparent: video terminals must know the address of the proxy, and the GK IP address configured on the terminals must be the proxy IP address.
3. From the user's point of view, the proxy provides the NAT function.

6 H.460

6.1 Concept

H.460 is a firewall/NAT traversal standard approved by the ITU and includes H.460.18 (defined by Tandberg) and H.460.19 (defined by Radvision). H.460.18 handles the traversal of H.323 call signaling and H.460.19 handles the traversal of media data. H.460 is a series of extensions to the H.323 protocol stack that lets H.323 calls traverse firewalls/NAT without changing the ASN.1 definitions in H.225. Before H.460, H.323-based modem over IP (MoIP) applications that crossed network boundaries relied on each enterprise's own firewall/NAT traversal solution, and these solutions were incompatible with each other.
Therefore, IP communication between enterprises was difficult. H.460 resolves the compatibility problem: with a unified standard, IP communication between enterprises is easy, and network service providers of MoIP applications and users of MoIP services gain a wide choice of products, flexible deployment solutions, and low investment and maintenance costs.

6.2 Implementation

H.460 implements multi-boundary traversal and simplifies the network interconnection of MoIP applications without changing the original firewall/NAT. H.460 must be implemented on both a client and a server.

The client is placed on the internal network behind the firewall. It can be a standalone device or be integrated into standard H.323 terminals. The client serves as a proxy that sends the registration and call signaling of the H.323 terminals on the internal network to the server on the external network. In addition, the client establishes and maintains a signaling and control channel to the server.

The server is placed on the public network outside the firewall. It can be located in the demilitarized zone (DMZ) of the Intranet or on the networks of the service provider. The server serves as the GK proxy that forwards the registration and call signaling received from the client to the central GK.

6.3 Signaling Interworking Process

Figure 6-1 shows the signaling interworking process.

Figure 6-1 Signaling interworking process (figure: message sequence between the terminal on the private network, the traversal server (TS), and the terminal on the public network; the messages and annotations shown are listed below in the order they appear in the figure)
− Standard SCI message: a notification informing the private network of a call from the public network and requesting the private network to establish a TCP channel.
− Standard SCR message: "I have got the message. I will establish a TCP channel."
− Establishing the TCP connection for the calling channel.
− ARQ message for placing a call to the private network.
− Standard ACF message: the TS receives the message and sends a TS calling address ("You can place a call to me.").
− SETUP message for placing a call to the TS.
− Standard Facility message: "A TCP connection has been established. You can call me now."
− SETUP message for placing a call to the private network.
− CONNECT message of the private network.
− Standard Facility message.
− CONNECT message of the TS: "I tell you an H.245 address. You establish an H.245 TCP channel based on the H.245 address."
− Establishing the H.245 TCP connection.
− H.245 indication message: the terminal on the private network notifies the TS which call the H.245 channel belongs to.
− TCS and MSD between the TS and the public network; TCS and MSD between the TS and the private network.

Huawei implements calls between private and public networks according to H.460. The TCP channels for calls are established by the terminals on the private network, and terminals on private and public networks use standard H.323 call signaling.

6.4 Interworking Process of Media Streams

Figure 6-2 shows the interworking process of media streams.

Figure 6-2 Interworking process of media streams (figure: the terminal on the private network, the NAT/NAPT device, and the terminal on the public network; the messages and streams shown are listed below)
− OLC message for opening the logical channel from the public network to the private network. The message contains the keepalive field, the keepalive port, and the keepalive duration.
− RTP keepalive code streams, sent from the port of the terminal on the private network to the port of the terminal on the public network.
− Media code streams from the public network to the private network.
− After the keepalive duration, RTP keepalive code streams are sent again from the port of the terminal on the private network to the port of the terminal on the public network.
− RR and SR packets of RTCP from the private network to the public network, and from the public network to the private network.

A port for code streams between the public and private networks is opened by the H.460 keepalive packets and kept open by the subsequent periodic keepalive packets.

7 Problems and Current Situation of Traversal Between Private and Public Networks

7.1 Problems

This section describes the problems faced by users in LAN access mode when they want to deploy videoconferencing services.

7.1.1 Enabling Ports on the Firewall

Firewalls are configured with packet filtering and state inspection. Therefore, in the firewall configuration on the user side, all ports are disabled except the well-known ports required for Intranet services (such as HTTP port 80). This ensures network security.

For video communication, firewalls must support H.323. If the firewall supports H.323, its H.323 support must be enabled. When the firewall receives a call from the public network, it dynamically opens the ports required for the H.323 communication. After the call is complete (the firewall detects the completion from the H.323 signaling), it automatically closes all ports that were dynamically opened during the call. This preserves network security, because no port remains open for attackers after the call.
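The dynamic opening and closing of ports by an H.323-aware firewall described above, as an added simulation in Python (not Huawei or Eudemon code): the static ports are the ones this section lists, and the call identifier, message names and RTP port are constructed.

```python
"""Stateful firewall behaviour for H.323 as described in 7.1.1 of this white paper.
Added example, not Huawei or Eudemon code. The static port numbers are the ones the
section lists; the call identifier, message names and RTP port are constructed."""
from dataclasses import dataclass, field

# Ports that must be open even on a firewall without H.323 support (7.1.1).
STATIC_ALLOW = {("udp", 1719), ("tcp", 1720)}            # RAS and Q.931
STATIC_ALLOW |= {("tcp", p) for p in range(1320, 1328)}  # H.245 control signaling


@dataclass
class H323Firewall:
    """Packet filtering plus state inspection.

    h323_aware=True: the firewall reads H.323 signaling, opens pinholes for the
    dynamically allocated media ports of a call and closes them when the call ends.
    open_udp: the administrator's workaround for a firewall without H.323 support,
    a permanently open UDP range (range(0) means none).
    """
    h323_aware: bool = True
    open_udp: range = range(0)
    pinholes: dict = field(default_factory=dict)  # call_id -> {(proto, port), ...}

    def on_signaling(self, call_id, message, media_ports=()):
        """Inspect one H.323 message. An H.323-unaware firewall learns nothing from it."""
        if not self.h323_aware:
            return
        if message == "OpenLogicalChannel":  # H.245: media ports announced for this call
            self.pinholes.setdefault(call_id, set()).update(("udp", p) for p in media_ports)
        elif message == "ReleaseComplete":   # Q.931: call over, close every pinhole of it
            self.pinholes.pop(call_id, None)

    def allows(self, proto, dst_port):
        """Decision for an inbound packet addressed to dst_port."""
        if (proto, dst_port) in STATIC_ALLOW:
            return True
        if proto == "udp" and dst_port in self.open_udp:
            return True
        return any((proto, dst_port) in holes for holes in self.pinholes.values())

    def exposed_udp_ports(self):
        """Number of UDP ports currently reachable from outside (overlaps count once)."""
        ports = {p for proto, p in STATIC_ALLOW if proto == "udp"} | set(self.open_udp)
        for holes in self.pinholes.values():
            ports |= {p for proto, p in holes if proto == "udp"}
        return len(ports)


def call_lifecycle(h323_aware, open_all_udp=False):
    """Run one call through the firewall and return whether the RTP port is
    reachable before, during and after the call."""
    fw = H323Firewall(h323_aware=h323_aware,
                      open_udp=range(1024, 65536) if open_all_udp else range(0))
    rtp_port = 50000  # constructed: dynamically allocated by the terminal
    before = fw.allows("udp", rtp_port)
    fw.on_signaling("call-1", "OpenLogicalChannel", media_ports=(rtp_port, rtp_port + 1))
    during = fw.allows("udp", rtp_port)
    fw.on_signaling("call-1", "ReleaseComplete")
    after = fw.allows("udp", rtp_port)
    return before, during, after


if __name__ == "__main__":
    print("H.323-aware firewall:    ", call_lifecycle(True))         # (False, True, False)
    print("unaware, ports closed:   ", call_lifecycle(False))        # (False, False, False)
    print("unaware, all UDP opened: ", call_lifecycle(False, True))  # (True, True, True)
```

The third case is the "firewall is meaningless" situation: the media port is reachable whether or not a call exists.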
If the firewall does not support H.323, the following service ports must be enabled on the firewall so that media streams can reach the network:
− RAS registration signaling: based on UDP, requires port 1719.
− Q.931 call signaling: based on TCP, requires port 1720.
− H.245 control signaling: based on TCP, requires ports 1320 to 1327.

For IP voice and video media streams, many other ports must be enabled to receive the call control information used for establishing voice and video channels. These ports are dynamically allocated, so network administrators would have to enable all ports on the firewall for audio and video communication. In this case, the firewall is meaningless. Few enterprises enable all ports on their firewalls, for the sake of network security.

7.1.2 Address Translation for H.323 Packets

On a private network, access to common services is implemented by firewalls. However, the structure of H.323 IP packets in videoconferencing applications differs from that of other applications: in H.323 packets, the IP addresses contained in both the packet header and the packet body must be translated. If a firewall supports H.323, it automatically translates the addresses contained in H.323 packets. However, most firewalls do not fully support H.323 in practice, which leads to H.323 communication problems after the H.323 function of the firewall is enabled.

7.1.3 HTTP Proxy Server Mode

Certain LANs provide Internet access using only an HTTP proxy server. The HTTP proxy uses caching to store HTTP web pages. Its limitations are as follows:
− Caching is not applicable to real-time traffic.
− TCP connections between the internal and external networks are not supported.
− Transmission of UDP packets is not supported.

These limitations affect the transmission of H.323 packets. Therefore, an enterprise is advised to use the direct router with NAT access mode and to configure firewall devices (such as NetScreen, Checkpoint, and Huawei Eudemon) on the internal network side of the egress router to implement IP videoconferencing services.

7.2 Current Situation

The preceding problems challenge the traversal between private and public networks in H.323 video communication. This section describes the common methods in the industry.

7.2.1 Static NAT

When there is only a small number of video terminals on the private network and the corresponding public addresses can be provided, static NAT mode is available. With static NAT, the IP addresses of terminals on the private network are mapped one-to-one to public addresses.

1. Application scope
Terminals on the private network can interwork with terminals on the public network, and terminals on one private network can interwork with terminals on another private network.
2. Limitations and requirements
The limitations and requirements are as follows:
− Terminals support static NAT.
− The number of IP addresses in the public address pool of the firewall is larger than or equal to the total number of terminals on the private network. That is, a large number of public addresses must be used for a private network using videoconferencing services.
− The firewall must be configured as follows:
  − IP addresses of terminals on the private network are mapped to public addresses in one-to-one mode.
  − The related ports of the public IP addresses mapped to private addresses must be enabled.

7.2.2 NAT Device Supporting H.323

A large number of networks on the user side use dynamic NAT or NAPT mode. In this networking mode, the use of common NAT devices causes problems when a terminal on the private network places a call to a terminal on the public network, and when a terminal on the public network places a call to a terminal on the private network.

(Figure: Terminal 1 on the private network and Terminal 2 on the public network, each with an RTP transmitting port and an RTP receiving port, separated by a common NAT device.)

1. A terminal on the private network places a call to a terminal on the public network. The terminal on the private network can obtain the IP address of the terminal on the public network from the GK. However, due to limitations of H.323 for video and audio RTP code streams, the RTP receiving port and the RTP transmitting port are configured at different places on the terminals. In this case, the terminal on the public network (public IP address) can receive the RTP code streams sent by the terminal on the private network; however, the RTP code streams sent by the terminal on the public network cannot pass the NAT device, because the NAT device does not translate the IP address. In this case, one-way audio occurs.
2. A terminal on the public network places a call to a terminal on the private network. The called address is the public address mapped to the address of the terminal on the private network. The NAT device does not support translation for H.323. Therefore, the call cannot be established.
Conclusion: if two terminals are located inside and outside the firewall respectively and the firewall is configured with a common NAT, calls from the terminal on the private network to the terminal on the public network suffer one-way audio, and calls from the terminal on the public network to the terminal on the private network cannot be established.

Huawei Eudemon supports dynamic NAT for H.323 and can translate H.323 IP code streams. The advantages are as follows:
− Terminals on the LAN of the enterprise behave as if they were terminals on the public network. In this way, terminals inside the enterprise can interwork with external terminals.
− Network security is ensured. Whether connected in parallel or in series, the Eudemon does not affect the original network security structure.

7.2.3 Traversal Between Private and Public Networks Using H.323 Proxy

At present, free H.323 proxy software is available on the Internet: a PC is used as the proxy device at the egress of the firewall. In this mode, an H.323 proxy must be configured outside each firewall and the proxy must be configured with a public IP address, as shown in Figure 7-1.

Figure 7-1 Traversal between private and public networks using H.323 proxy (figure: an operation support system and a convergence layer connecting several private networks)

On the firewall, configurations must be performed to allow the proxy to communicate with the outside. The proxy must know the public addresses of the other proxies, and can determine the proxy that manages a terminal based on the broadband number of the terminal.
To improve the security of the private network, the private-network side of the proxy device can be restricted to a limited set of known port numbers; on the private network, the H.323 entities and the proxy communicate using these known ports.

The H.323 proxy can be used to resolve the NAT translation problem; however, it brings the following problems:
1. Each private network must be configured with an H.323 proxy. Proxies are located on user networks, so telecom operators cannot maintain them.
2. All H.323 proxies must be configured with public addresses and must know the public addresses of the other proxies. This makes the solution difficult for telecom operators to operate, and in practice it cannot be operated as a service.
3. Usually common PCs serve as H.323 proxies, and audio and video code streams pass through the H.323 proxy at the same time. The transmission of code streams may therefore be delayed on the proxy and is affected by the PC's performance.
4. H.323 proxies run on PC systems. Therefore, H.323 proxies are vulnerable to viruses and attackers, and the security weaknesses of the Windows system weaken the system further.
8 Huawei Videoconferencing System's Solution to Traversal Between Private and Public Networks

8.1 Traversal Between Private and Public Networks Using SNP

Huawei uses the super network passport (SNP) technology to implement traversal between private and public networks without deploying additional network devices.

8.1.1 Implementation Principle

Figure 8-1 shows the implementation principle of traversal using SNP.

Figure 8-1 Implementation principle of traversal using SNP (figure: Private Network 1 with terminals behind a FW and a NAT, Public Network 1 with terminals, and a public IP network with a FW, MCU, GK and service provider; legend: normal call, redirected call, redirected code stream)

Basic principle

Terminals on private and public networks communicate with each other as required by the protocol. When a terminal on the private network places a call to a terminal on the public network and the call is established, the terminal on the public network can properly receive the RTP code stream from the terminal on the private network. However, the terminal on the private network cannot receive the RTP code stream from the terminal on the public network within a certain period. During this period, the terminal on the private network uses a proprietary protocol to request communication from the public network into the private network. The network devices process the request and redirect the code stream establishment process.
In this way, media stream communication between the private and public networks is established.

8.1.2 Networking Applications

Point-to-point networking without a GK

Figure 8-2 shows the point-to-point networking without a GK.

Figure 8-2 Point-to-point networking without a GK (figure: terminal A on the private network, a firewall, and terminal C on the public network)

Solution
The SNP technology enables terminal A on the private network to call terminal C on the public network by IP address. No change to terminals and networks is required (on firewalls with a high security level, some communication ports specified in the protocol must be enabled).

Point-to-point networking with a GK

Figure 8-3 shows the point-to-point networking with a GK.

Figure 8-3 Point-to-point networking with a GK (figure: terminal A on the private network, a firewall, and terminal C and the GK on the public network)

Solution
Terminals on both the private network and the public network register with the GK using the SNP technology. In this way, the terminal on the private network can register with the GK on the public network, and terminals A and C can call each other without obstruction. In addition, no change to the terminals and networks is required.

Networking with one private network and two public networks

Figure 8-4 shows the networking with one private network and two public networks.

Figure 8-4 Networking with one private network and two public networks (figure: terminals A and B on the private network behind a firewall, terminals C and D on two public networks, and a GK and an MCU on the public side)

Solution
Point-to-point communication between terminals on private and public networks can be implemented using the SNP technology.
That is, point-to-point communication between terminals A and B and terminal C, and between terminal D and terminal C. In this way, a conference with the participation of terminals from multiple private and public networks can be held using the Multipoint Control Unit (MCU). This solution applies to operation networks.

Networking with two private networks and one public network

Figure 8-5 shows the networking with two private networks and one public network.

Figure 8-5 Networking with two private networks and one public network (figure: terminal D on one private network behind Eudemon 1 and a firewall; terminals A and B on another private network behind a firewall and Eudemon 2; terminal C, the GK and the MCU on the public network)

Solution
Due to restrictions on direct routing between private networks, point-to-point calls between terminals on different private networks cannot be implemented using the SNP technology (they can be implemented using the MCU). In this case, a Eudemon device can be added to the networking, and such a networking solution is regarded as a standard IP address operation solution. In this networking mode, Eudemon 1 can serve as a standby device: when terminal D communicates with terminals A and B, Eudemon 1 is not required; when terminal D communicates with other terminals on the same private network and there is no Eudemon device at the egress of the private network, Eudemon 1 must be used. With this solution, any terminals can communicate with each other and participate in a multipoint conference held using the MCU. In addition, the Eudemon device can serve as a firewall if no firewall is available. Therefore, the networking becomes simpler and more cost-effective.
8.2 Firewall Traversal in Static NAT Mode

If the FW/NAT cannot identify H.323, terminals can be connected to the network in static NAT mode.

8.2.1 Network Topology

Figure 8-6 shows the network topology in static NAT mode.

Figure 8-6 Network topology in static NAT mode (figure)

8.2.2 Implementation Principle

In both routers, the IP addresses of terminals on the private networks are translated to public network addresses, and static mappings are configured for the TCP and UDP ports. In this way, point-to-point calls between terminals can be implemented, and multipoint conferences between different private networks can be held. Huawei video terminals support static NAT. With this function, terminals can be easily connected to public networks to participate in video conferences.

8.2.3 Solution Analysis

Advantages:
− This solution can be easily implemented by modifying the configuration without adding a peripheral device.

Disadvantages:
− The network configuration is complex, and a variety of network devices must be configured on each private network.
− Generally, the public network interface of a router must have multiple public IP addresses. When there is only one public IP address, only one terminal on the private network can be connected to the public network, and the other terminals on the private network cannot.

8.3 FW/NAT Devices (Eudemon) Supporting Transparent H.323 Transmission

In NAT or NAPT mode, the traversal problem between private and public networks can be resolved if the firewall devices (for example, Huawei Eudemon series firewalls) support H.323.
In addition, terminals from different private networks can participate in video conferences. Huawei video terminals cooperate closely with Eudemon devices to implement all videoconferencing functions, which resolves all traversal problems between private networks.

8.3.1 Network Topology

Figure 8-7 shows the network topology of FW/NAT devices (Eudemon) supporting transparent H.323 transmission.

Figure 8-7 Network topology of FW/NAT devices (Eudemon) supporting transparent H.323 transmission (figure: a public network and two private networks)

8.3.2 Implementation Principle

The Eudemon firewall works at a protocol layer above layer 3 and can understand H.323. In addition, the Eudemon firewall performs direct protocol translation for the IP code streams of H.323. In this way, terminals on an Intranet work in the same way as terminals on a public network and can communicate with external terminals without obstruction. Figure 8-8 shows the implementation principle of Eudemon supporting transparent H.323 transmission.

Figure 8-8 Implementation principle of Eudemon supporting transparent H.323 transmission (figure: a Eudemon between the public network and the private network)
● Eudemon records terminal information.
● Eudemon forwards call signaling and modifies the related address information in the signaling based on the recorded terminal information.
● Eudemon forwards media streams based on the recorded call information.
If a firewall device is already configured on the customer premises network, a Eudemon device can also be added to serve as an H.323 gateway and provide H.323 support. In this case, the Eudemon gateway performs protocol translation only for the IP code streams of the H.323 protocol, and other Internet access services, such as HTTP and FTP, are not affected. When a non-H.323 IP packet is identified, the Eudemon gateway automatically forwards the packet transparently and does not process it. Therefore, the functions of the firewall are not affected.

If no firewall device is configured on the customer premises network, a Eudemon device can serve as a standard firewall. H.323 applications are filtered on the Eudemon device using the access control list (ACL) rules. That is, H.323 applications are forwarded to the firewall after the NAT translation is complete on the Eudemon device. Non-H.323 applications are directly forwarded to the firewall, which implements the NAT translation. In this way, the original user security policy, network access mode, and private network remain unchanged.

8.3.3 Solution Analysis

This solution has the following advantages:
− This solution does not require any change to the network and supports video conferences with a large capacity.
− This solution does not affect any services and guarantees the security and quality of video conferences.
− All video terminals can be used on the customer premises network.

This solution has the following disadvantages:
− Eudemon devices must be added if no Eudemon device is configured on the original network.
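The NAT behaviour described in 6.4 (H.460.19 keepalive), 7.2.2 (one-way audio through a common NAT) and 8.3.2 (Eudemon rewriting the addresses carried in the signaling), as one added simulation in Python; it is not Huawei or Eudemon code, and the addresses, ports, binding timeout and the OpenLogicalChannelAck text are constructed stand-ins.

```python
"""NAPT behaviour for H.323 media, following 6.4, 7.2.2 and 8.3.2 of this white paper.
Added example, not Huawei or Eudemon code. The addresses, ports, timeout and the
OpenLogicalChannelAck text are constructed stand-ins for the real protocol."""
import re
from dataclasses import dataclass, field

PRIVATE_IP = "10.0.0.20"       # constructed: terminal on the private network
NAT_PUBLIC_IP = "203.0.113.5"  # constructed: public address of the NAT device
PRIVATE_ADDR = re.compile(r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})\b")


@dataclass
class Napt:
    """Dynamic NAPT (4.2.3): a binding exists only after an outbound packet and
    lapses after `timeout` seconds without traffic. With alg=True the device also
    rewrites private transport addresses inside the H.323 body (8.3.2)."""
    alg: bool = False
    timeout: float = 30.0
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # (priv_ip, priv_port) -> pub_port
    in_map: dict = field(default_factory=dict)   # pub_port -> (priv_ip, priv_port, last_seen)

    def _bind(self, priv_ip, priv_port, now):
        key = (priv_ip, priv_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.next_port += 1
        pub_port = self.out_map[key]
        self.in_map[pub_port] = (priv_ip, priv_port, now)  # create or refresh the binding
        return pub_port

    def outbound(self, src_ip, src_port, payload, now):
        """Private -> public: returns the translated (src_ip, src_port, payload)."""
        pub_port = self._bind(src_ip, src_port, now)
        if self.alg:
            # A common NAT translates only the IP header (7.1.2); an H.323-aware one
            # also rewrites the address in the body and opens the matching binding.
            payload = PRIVATE_ADDR.sub(
                lambda m: f"{NAT_PUBLIC_IP}:{self._bind(m.group(1), int(m.group(2)), now)}",
                payload)
        return NAT_PUBLIC_IP, pub_port, payload

    def inbound(self, dst_port, now):
        """Public -> private: delivered only through a live binding, otherwise dropped."""
        entry = self.in_map.get(dst_port)
        if entry is None or now - entry[2] > self.timeout:
            return None
        return entry[0], entry[1]


def olc_ack(ip, port):
    """Constructed stand-in for the H.245 OpenLogicalChannelAck, whose body carries
    the transport address the peer must send its RTP to."""
    return f"OpenLogicalChannelAck mediaChannel={ip}:{port}"


def call_private_to_public(alg, h460_keepalive):
    """Terminal on the private network calls a terminal on the public network.
    Returns (rtp_private_to_public_ok, rtp_public_to_private_ok)."""
    nat = Napt(alg=alg)
    rtp_rx, rtp_tx = 20000, 20002  # the terminal receives and sends on different ports (7.2.2)
    # 1. Signaling: the private terminal announces its RTP receive address in the body.
    _, _, body = nat.outbound(PRIVATE_IP, 1720, olc_ack(PRIVATE_IP, rtp_rx), now=0)
    peer_ip, peer_port = re.search(r"mediaChannel=([\d.]+):(\d+)", body).groups()
    peer_port = int(peer_port)
    # 2. RTP from the private terminal leaves through a fresh binding and reaches the peer.
    forward_ok = nat.outbound(PRIVATE_IP, rtp_tx, "RTP", now=1)[0] == NAT_PUBLIC_IP
    if h460_keepalive:
        # 3. H.460.19 (6.4): keepalive RTP is sent from the *receive* port, so a binding
        # for it exists; the peer replies to the source address it observes.
        peer_ip, peer_port, _ = nat.outbound(PRIVATE_IP, rtp_rx, "RTP keepalive", now=1)
    # 4. The public terminal sends RTP to the address it learned.
    if peer_ip != NAT_PUBLIC_IP:
        reverse_ok = False  # a 10.x.x.x destination is unroutable from the public network
    else:
        reverse_ok = nat.inbound(peer_port, now=2) == (PRIVATE_IP, rtp_rx)
    return forward_ok, reverse_ok


def binding_survives(keepalive_interval, observe_at, nat_timeout=30.0):
    """Does a binding created at t=0 and refreshed every keepalive_interval seconds
    still pass inbound RTP at t=observe_at? (the 'keepalive duration' of 6.4)"""
    nat = Napt(timeout=nat_timeout)
    _, pub_port, _ = nat.outbound(PRIVATE_IP, 20000, "RTP keepalive", now=0)
    t = keepalive_interval
    while t < observe_at:
        nat.outbound(PRIVATE_IP, 20000, "RTP keepalive", now=t)
        t += keepalive_interval
    return nat.inbound(pub_port, now=observe_at) is not None


if __name__ == "__main__":
    for alg, ka in ((False, False), (False, True), (True, False)):
        print(f"alg={alg!s:5} keepalive={ka!s:5} ->", call_private_to_public(alg, ka))
    print("keepalive every 20 s, checked at 120 s:", binding_survives(20, 120))
    print("keepalive every 60 s, checked at 120 s:", binding_survives(60, 120))
```

The first case reproduces the one-way audio of 7.2.2; the keepalive case and the ALG case both restore the reverse direction, by different means.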
8.4 Traversal Between Private and Public Networks by Adding Proxy (SE2000)

Based on the SBC (proxy) implementation principle, there are two NAT traversal solutions: proxy mode and UDP tunnel traversal mode.

8.4.1 Proxy Mode

Figure 8-9 shows the proxy mode.

Figure 8-9 Proxy mode (figure: the service software, GK and MCU on network 1, with network 2 and network 3 attached)

Networking description
1. The SBC proxy solution does not require any change to the network and firewall. In addition, terminals on a private network can be connected to a public network using this solution, and terminals on a public network can be connected to a videoconferencing system on a private network.
2. An SBC device is configured at the egress of network 1. Its uplink and downlink ports are connected to network 2 and network 3 respectively (there can be multiple uplink and downlink ports).
3. On the terminals of network 2 and network 3, the GK address is configured as the downlink network port address of the SBC. On the SBC, the server address is configured as the GK address of network 1. In this way, the signaling and media streams of network 2 and network 3 reach the GK and MCU of network 1 through the SBC.

This solution has the following advantages:
1. The live network does not need any changes and the solution is easy to deploy.
2. The existing devices, including terminals, GK, and MCU, do not need any changes, so compatibility is strong.
3. The GK and MCU are invisible to terminals, providing a high level of security.
4. All packets pass through the SBC. Therefore, you can select appropriate QoS policies for the SBC on the network.
5. Interworking of videoconferencing services on multiple networks can be implemented using only one SBC device, at a low cost.
This solution has the following disadvantages:
− The proxy device cannot implement traversal through a firewall device. Therefore, the proxy device is regarded as a device in parallel with the firewall device on the network.
− The proxy device must be used together with a GK.

8.4.2 UDP Tunnel Traversal Mode

This mode applies to a large enterprise that deploys a firewall on its Intranet, does not want to use the SBC proxy solution, and does not want to modify the configuration of the firewall frequently. In this mode, only one or two UDP ports need to be enabled on the firewall. The tunnel is established by the SBCs. In this way, NAT traversal for videoconferencing services is implemented. Figure 8-10 shows the UDP tunnel traversal mode.

Figure 8-10 UDP tunnel traversal mode (figure: terminals supporting H.323 on two Intranets connected across a bearer network; legend: media stream, signaling stream)

Networking description
1. Two SBCs are added to the network, one on the customer premises network and one on the network side.
  − Customer premises network: an SBC is added to the user network to serve as the client of the UDP tunnel.
  − Network side: an SBC is added to the network side to serve as the server of the UDP tunnel.
2. The internal SBC integrates the client (UTC) of the UDP tunnel. The external SBC integrates the server (UTS) of the UDP tunnel. The UDP tunnel runs between the UTC and the UTS and is used to transmit all packets (including signaling and audio/video media streams) from external networks to internal networks.
3. In this mode, the GK address of terminals on the private network is configured as the internal-SBC address.
The address of the external proxy configured on the internal SBC is set to the address of the SBC on the public network.

This solution has the following advantages:
1. There is no restriction on terminals and servers. This solution can be used for firewall NAT traversal.
2. The existing devices, including terminals, GK, and MCU, do not need any changes, so compatibility is strong.
3. The security level is high. The GK and MCU are invisible to terminals. After the packets sent by terminals are encapsulated and decapsulated by the tunnel, the proxy performs a security check on these packets.
4. All packets pass through the SBC. Therefore, you can select appropriate quality of service (QoS) policies for the SBC on the network.

This solution has the following disadvantages:
− Multiple SBCs are required, which increases the implementation cost.
− The network deployment is relatively complex. Routing between the UTC and UTS must be considered. In addition, the existing configuration of the firewall must be modified.
− Media streams must be transmitted along the path UTC -> NAT/FW -> UTS. Therefore, the network performance of the media stream is restricted.

Huawei Quidway SessionEngine2000 (SE2000) is positioned as a session border controller (SBC) and is a proxy-based IP service gateway. SE2000 is used for deploying videoconferencing services on an IP network, and helps videoconferencing GKs and terminals resolve problems concerning NAT traversal, security, QoS, and interworking. SE2000 uses the signaling and media proxy technology to process and forward call packets and media streams in a directed manner.
In addition, SE2000 redirects the RTP stream receive address and port of private and public network users. In this way, address translation between network domains (including address translation between a public network and a private network) can be easily implemented, which ensures that media streams traverse NAT gateways. Different from a NAT application layer gateway (ALG), SE2000 uses the full-proxy mode to transmit media streams directly. There is no special requirement on NAT devices. Therefore, the existing devices on the live network do not need reconstruction, which makes it convenient for telecom operators to deploy services.

8.4.3 Solution Analysis

This solution has the following advantages:
− SE2000 uses the full-proxy mode to transmit media streams in a directed manner. There is no special requirement on NAT devices. Therefore, the existing devices on the live network do not need reconstruction, which makes it convenient for telecom operators to deploy services.
− This solution does not affect any services and guarantees the security and quality of video conferences.
− All video terminals can be used on the customer premises network.
− As a convergence-layer device, the SBC can prevent terminals from accessing important devices such as GKs. This provides security protection, QoS guarantee, and terminal access management for important devices.

This solution has the following disadvantages:
− SE2000 series devices must be added to the original network.

8.5 Interworking Between Private Networks by Adding VP 8520 MG Devices

8.5.1 Network Topology

Figure 8-11 shows the network topology of the VP 8520 MG solution.
Figure 8-11 Network topology of the VP 8520 MG solution (the figure shows two videoconferencing terminals, each behind its own NAT device: NAT device 1 and NAT device 2)

Networking description

SwitchCentre: a GK of the ViewPoint 8000 videoconferencing system, used for address resolution, access control, zone management, bandwidth control, and call authentication. The SwitchCentre is configured and managed from the SwitchManager.
ResourceManager: a core device of the ViewPoint 8000 videoconferencing system, used for the allocation and management of conference resources.
MCU: a core device of the ViewPoint 8000 videoconferencing system, used for video switching, audio mixing, and data processing.
Video terminal: a terminal of the ViewPoint 8000 videoconferencing system manufactured by Huawei and supporting Huawei's SNP, for example, a video phone or Openeye.
NAT device: a firewall or router that supports and is configured with dynamic NAT or port address translation (PAT), used to isolate terminals on a private network.
8520: ViewPoint 8520, used for call connection and media stream forwarding between private networks.

8.5.2 Implementation Principle

Terminal 010001 on a private network places a call to terminal 010002 on another private network. Because the NAT devices translate ports and addresses, users on different private networks fail to establish video/audio communication. The 8520 is deployed to address this issue. The 8520 connects calls from different private networks, establishes video/audio media stream channels with each private network, and forwards the transmitted and received media streams transparently.
The 8520 is used as follows:

Prerequisite
The terminals (010001 and 010002) and the 8520 are successfully registered with the SwitchCentre (GK).

Procedure for implementing a call using the 8520
Figure 8-12 shows the procedure for implementing a call using the 8520.

Figure 8-12 Procedure for implementing a call using the 8520 (the figure shows terminal 010001 on private network 1 behind common NAT device 1, the 8520 on the public network, and terminal 010002 on private network 2 behind common NAT device 2)

1. Terminal 010001 connects to the 8520 located on the public network.
2. The 8520 connects to terminal 010002.
3. Terminal 010001 communicates with terminal 010002 through the 8520.

8.5.3 Solution Analysis

This solution has the following advantages:
− Using the 8520, terminals on a private network can communicate without restriction with terminals on the public network and with terminals on another private network in common NAT mode.
− This solution does not affect any services and guarantees the security and quality of video conferences.
− As a convergence-layer device, the 8520 prevents terminals from accessing important devices such as GKs. This provides security protection, QoS assurance, and terminal access management for those devices.

This solution has the following disadvantages:
− 8520 series devices must be added to the original network.
− In the 8520 network environment, terminals on private networks must support SNP (a token protocol developed by Huawei to resolve the traversal problem between private and public networks). If terminals on public networks do not support SNP, a firewall that supports the H.323 ALG must be configured (the Huawei Eudemon firewall series can be used).
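The following Python model is an added illustration, not code from Huawei or from this white paper, of the mechanism that Sections 8.4 and 8.5 rely on: a full-proxy media relay on the public network (the SE2000, or the 8520 between two private networks) to which both terminals send their RTP, so that the relay learns each terminal's NAT-mapped address from the packets it receives and forwards between the two legs. The NAT, the relay, the addresses and the call ID are all constructed for the example; SNP itself and the real devices' behaviour are not implemented.

```python
"""Added illustration, not Huawei code: why a full-proxy media relay on the public
network (the SE2000 in Section 8.4, the VP 8520 in Section 8.5) lets two terminals
behind NAPT exchange RTP, while sending RTP to the address a terminal advertises
in signaling fails. In-memory model only; addresses are constructed, and neither
SNP nor the real devices' behaviour is implemented.
"""
from dataclasses import dataclass, field
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)
    payload: bytes


@dataclass
class Napt:
    """Port address translation: a binding is created only by outbound traffic,
    and inbound packets without a binding are dropped."""
    public_ip: str
    _ports: count = field(default_factory=lambda: count(20000))
    _out: dict = field(default_factory=dict)  # private (ip, port) -> public port
    _in: dict = field(default_factory=dict)   # public port -> private (ip, port)

    def outbound(self, pkt):
        if pkt.src not in self._out:
            port = next(self._ports)
            self._out[pkt.src] = port
            self._in[port] = pkt.src
        return Packet((self.public_ip, self._out[pkt.src]), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Translate a packet arriving on the public side; None means dropped."""
        private = self._in.get(pkt.dst[1])
        if private is None:
            return None
        return Packet(pkt.src, private, pkt.payload)


@dataclass
class MediaRelay:
    """Public-network full proxy. Each leg's receive address is redirected to
    the relay; the relay learns the NAT-mapped source of each leg from the first
    packet it receives (latching) and forwards between the two legs."""
    addr: tuple
    _legs: dict = field(default_factory=dict)  # call_id -> [mapped addr, ...]

    def receive(self, call_id, pkt):
        legs = self._legs.setdefault(call_id, [])
        if pkt.src not in legs:
            if len(legs) == 2:
                return None  # unknown source on an established call: drop it
            legs.append(pkt.src)
        if len(legs) < 2:
            return None      # peer not latched yet, nothing to forward to
        peer = legs[1] if pkt.src == legs[0] else legs[0]
        return Packet(self.addr, peer, pkt.payload)


# Constructed topology: A behind NAT1, B behind NAT2, relay on the public network.
A_PRIV, B_PRIV = ("10.0.0.10", 5004), ("10.0.1.10", 5004)
NAT1_IP, NAT2_IP = "203.0.113.1", "198.51.100.1"
RELAY_ADDR = ("192.0.2.10", 30000)


def direct_call():
    """A sends RTP toward B without a relay. Even when aimed at NAT2's public
    address, NAT2 has no binding for B's port, so the packet is dropped."""
    nat1, nat2 = Napt(NAT1_IP), Napt(NAT2_IP)
    pkt = nat1.outbound(Packet(A_PRIV, (NAT2_IP, B_PRIV[1]), b"rtp-a"))
    return nat2.inbound(pkt)


def relayed_call():
    """Both terminals send their first RTP packet to the relay; returns the
    packets delivered to B and to A, plus the result of an injection attempt."""
    nat1, nat2 = Napt(NAT1_IP), Napt(NAT2_IP)
    relay = MediaRelay(RELAY_ADDR)
    # B's first packet opens NAT2's binding and latches B's leg (no peer yet).
    relay.receive("call-1", nat2.outbound(Packet(B_PRIV, RELAY_ADDR, b"rtp-b-0")))
    # A's first packet latches the second leg; the relay forwards it toward
    # B's mapped address, which NAT2 translates back to B's private address.
    fwd = relay.receive("call-1", nat1.outbound(Packet(A_PRIV, RELAY_ADDR, b"rtp-a-0")))
    to_b = nat2.inbound(fwd)
    # The reverse direction uses NAT1's binding the same way.
    fwd = relay.receive("call-1", nat2.outbound(Packet(B_PRIV, RELAY_ADDR, b"rtp-b-1")))
    to_a = nat1.inbound(fwd)
    # A third public host cannot hijack a leg once both are latched.
    injected = relay.receive("call-1", Packet(("192.0.2.99", 4444), RELAY_ADDR, b"evil"))
    return to_b, to_a, injected


if __name__ == "__main__":
    print("direct:", direct_call())
    print("relayed:", relayed_call())
```

The point a practitioner should take from the model is the security trade-off of latching: the relay trusts the source address of the first packet on each leg, so in a real deployment the leg must be tied to the authenticated signaling session (the GK registration in this white paper) and closed to any other source, as the `injected` case shows.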
8.6 Interworking Between Private Networks Using Existing MCU Devices

8.6.1 Network Topology

Figure 8-13 shows the network topology of the MCU solution.

Figure 8-13 Network topology of the MCU solution

Networking description

The video firewall solution is a simple way to implement traversal between private and public networks, and is the approach currently used by most of Huawei's competitors. In this solution, the different networks are connected to different network ports of the MCU so that terminals from private and public networks can take part in the same video conference. For users on the dedicated network, an additional MCU is required to allow access from terminals on the private and public networks.

8.6.2 Implementation Principle

The work mode of the GE1 port on the MCU's central control board is set to 4: NetFirewallMode to enable the video firewall. The configuration specifies the following:
− Number of the board on which the video firewall function is to be enabled
− Video firewall function
The configuration must be saved. Then a route to GE1 on the MCU's central control board is added, with the following parameters:
− Destination address (in the same network segment as the GE1 network port of the board supporting the video firewall function)
− Mask (consistent with that of the GE1 network port of the board supporting the video firewall function)
− Outbound port: the GE1 network port
In this way, the signaling board and media board are allocated to the site on the GE1 side, which is connected to the GE1 port. When a node on the GE0 side places a call to a node on the GE1 side, the call is received on the GE1 port, and traversal between the private and public networks is thereby implemented.
8.6.3 Solution Analysis

This solution has the following advantages:
− Traversal between private and public networks is implemented using the existing MCUs, so the networking is simple.
− No change to the customer's original firewall is required (for example, no ports need to be opened).
− No change to H.323 is required, and any terminals from private and public networks can interwork with each other.

This solution has the following disadvantages:
− The MCU supports networking with two networks, but not with more than two.
− The MCU must use GE0 to register with the GK, and calls over GE1 must be placed by IP address.
− Point-to-point calls between terminals on private and public networks cannot be implemented using an MCU.
− IP routes must be configured (a public network may consist of multiple network segments). An IP route designates GE1 to receive and transmit data for its destination segment; when no matching route is available, GE0 is used to receive and transmit data.
− The site connected to GE1 does not support service switchover (media module switchover).
− The GE0 IP addresses of all boards must be in one network segment, and the GE1 IP addresses of all boards in another. This must be ensured in the networking configuration.

8.7 Traversal Between Private and Public Networks by Adding the H.460 GK Server Function

Currently, Huawei high definition (HD) terminals support the H.460.18/19 client function. The videoconferencing system solution can be improved by adding the H.460.18 traversal server and H.460.19 server function to the existing GK (standard GK).
The GK that provides the H.460 function (H.460 GK for short) helps terminals and MCUs on a private network to implement signaling and media traversal of NAT/FW devices. When a call between terminals on private and public networks is placed, the H.460 GK uses the gatekeeper-routed call mode: it routes the Q.931 call signaling, the H.245 signaling, and the media streams. However, the H.460 GK provides only a transparent relay channel for these streams and does not implement the logical functions of the nodes (terminals and MCUs), such as capability comparison, active/standby node determination, channel format selection, and video/audio codec processing.

8.7.1 Network Topology

Figure 8-14 shows the simple networking for traversal between private and public networks using H.460.

Figure 8-14 Simple networking for traversal between private and public networks using H.460 (the figure shows terminals on the public network and a terminal supporting H.460 on the private network)

Figure 8-15 shows the cross-domain networking for traversal between private and public networks using H.460.

Figure 8-15 Cross-domain networking for traversal between private and public networks using H.460 (the figure shows terminals on the public network and a terminal supporting H.460 on the private network)
Networking description
1. A GK is configured in the DMZ of the firewall. The IP addresses of terminals on the private network are translated to public network addresses by NAT.
2. Terminals register with the GK using either its private network address or its public network address.
3. The private network must be defined as the local network, which is used for the call address setting of the GK.

8.7.2 Implementation Principle

Figure 8-16 shows the implementation principle for cross-domain traversal between private and public networks using H.460.

Figure 8-16 Implementation principle for cross-domain traversal between private and public networks using H.460

As shown in Figure 8-16, node A is located on the public network, and node B supports H.460 and is located on the private network. The procedure for placing a call from node A to node B is as follows:
1. Node A sends a request to the GK for communication with node B. When the GK finds that node B is located behind the firewall, the GK enables H.460 traversal and sends node B a request to open a new connection through the firewall.
2. Node B establishes a new connection to the GK, and the GK sends node A a message instructing it to send its call signaling to the GK.
3. Node A sends the signaling to the GK. Because node B's new connection is established, the GK forwards the signaling to node B over that connection.
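The following Python model is an added illustration of steps 1 to 3, not code from Huawei, from this white paper, or from the ITU-T recommendation. It shows the property that makes H.460.18 work: the private-network node B only ever opens connections outward (the RAS registration it keeps alive, and the call-signaling connection it opens on request), and the GK delivers the caller's Setup over the connection B opened. The message names follow H.460.18 (ServiceControlIndication, ServiceControlResponse, Facility, Setup); the NAT boundary, node names and trace format are constructed for the example, and the H.460.19 media path is not modelled.

```python
"""Added illustration, not Huawei or ITU-T reference code: a simplified model of
the H.460.18 call flow in steps 1-3 above. The private-network node B only ever
opens connections outward, and the GK relays the call signaling over the
connection B opens. Message names follow H.460.18; the transport is modelled as
an in-memory trace with constructed node names (A, B, GK).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Conn:
    opener: str
    target: str


class NatBoundary:
    """Models the NAT/FW in front of node B: connections may be opened from the
    private side outward, never from the public side toward B."""

    def __init__(self, inside):
        self.inside = set(inside)
        self.opened = []

    def connect(self, opener, target):
        if target in self.inside and opener not in self.inside:
            raise ConnectionRefusedError(f"{opener} -> {target}: no NAT binding")
        conn = Conn(opener, target)
        self.opened.append(conn)
        return conn


@dataclass
class TraversalGK:
    """Gatekeeper with the H.460.18 traversal server function enabled."""
    name: str = "GK"
    nat: NatBoundary = field(default_factory=lambda: NatBoundary({"B"}))
    trace: list = field(default_factory=list)
    registrations: dict = field(default_factory=dict)  # alias -> behind NAT?

    def register(self, alias, behind_nat):
        # RRQ: the endpoint opens the RAS channel outward; an H.460.18 client
        # keeps this NAT pinhole alive with periodic lightweight RRQs.
        self.nat.connect(alias, self.name)
        self.registrations[alias] = behind_nat
        self.trace.append(("RRQ", alias, self.name, {"h460.18": behind_nat}))
        self.trace.append(("RCF", self.name, alias))

    def setup(self, caller, callee):
        """Gatekeeper-routed call from caller to callee; returns the connection
        the GK uses to deliver Setup to the callee."""
        self.trace.append(("Setup", caller, self.name, {"callee": callee}))
        if not self.registrations[callee]:
            # Ordinary routed call: the GK opens the signaling connection itself.
            self.trace.append(("Setup", self.name, callee))
            return self.nat.connect(self.name, callee)
        # Step 1: over the RAS pinhole, ask B to open a new connection to the GK.
        self.trace.append(("ServiceControlIndication", self.name, callee,
                           {"incomingCallIndication": True}))
        self.trace.append(("ServiceControlResponse", callee, self.name))
        # Step 2: B opens the call-signaling connection outward and announces it.
        conn = self.nat.connect(callee, self.name)
        self.trace.append(("Facility", callee, self.name, {"h460.18": "callback"}))
        # Step 3: the GK forwards A's Setup to B over the connection B opened.
        self.trace.append(("Setup", self.name, callee, {"over": "callback"}))
        return conn


def call_without_h460():
    """B registered as an ordinary endpoint: the GK's inbound connection to B
    has no NAT binding and is refused."""
    gk = TraversalGK()
    gk.register("A", behind_nat=False)
    gk.register("B", behind_nat=False)
    try:
        gk.setup("A", "B")
        return "connected"
    except ConnectionRefusedError:
        return "refused"


def call_with_h460():
    """B registered as an H.460.18 client; returns the GK so the caller can
    inspect the message trace and the connections actually opened."""
    gk = TraversalGK()
    gk.register("A", behind_nat=False)
    gk.register("B", behind_nat=True)
    gk.setup("A", "B")
    return gk


if __name__ == "__main__":
    print(call_without_h460())
    for msg in call_with_h460().trace:
        print(msg)
```

Because every connection in the H.460.18 case is opened by B toward the GK, the firewall in front of B needs no inbound rules, which is why the white paper can place the GK in the DMZ and leave the private-side firewall unchanged; the cost, as the closing sentence of this section notes, is that the GK becomes the forwarding point for all of the call's signaling and media.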
Once the RAS channel, H.245 channel, Q.931 listening port, and media channel port are enabled, all media streams between node A and node B are forwarded by the GK.

9 Solution Comparison and Proposals

Table 9-1 compares all the traversal solutions.

Table 9-1 Comparison of all traversal solutions

Deployment location
− Static NAT solution: the NAT can be deployed anywhere, but occupies public network IP addresses.
− ALG solution: the ALG is deployed at the edge between the private and public networks.
− SNP solution: the SNP devices can be deployed anywhere.
− Tunnel solution: the UDP tunnel devices can be deployed anywhere.
− Proxy solution: the SBC is deployed at the edge between the private and public networks.

Requirement on the existing NAT/FW devices
− Static NAT solution: NAT/FW devices must be configured with static NAT.
− ALG solution: NAT/FW devices must be replaced or upgraded to support the ALG.
− SNP solution: no change is required.
− Tunnel solution: the ports required by the tunnel must be opened on the NAT/FW devices.
− Proxy solution: no change is required.

Multilevel NAT
− Static NAT solution: not supported.
− ALG solution: each level of NAT must support the ALG.
− SNP solution: supported.
− Tunnel solution: the client device must be located behind the last NAT device.
− Proxy solution: each level of NAT must have a proxy device.

Impact on the original network
− Static NAT solution: none.
− ALG solution: a router must be added to the original network.
− SNP solution: none.
− Tunnel solution: client devices must be added to the customer premises network.
− Proxy solution: none.

Requirement on terminals
− Static NAT solution: terminals must support the static NAT function.
− ALG solution: no special requirement.
− SNP solution: the protocol must be modified.
− Tunnel solution: no special requirement (terminal must have server devices).
− Proxy solution: no special requirement.

Requirement on servers
− Static NAT solution: no special requirement.
− ALG solution: no special requirement.
− SNP solution: the protocol must be modified.
− Tunnel solution: no special requirement (the server side must have server devices).
− Proxy solution: no special requirement.

Security protection
− Static NAT solution: none.
− ALG solution: none.
− SNP solution: none.
− Tunnel solution: security protection can be implemented.
− Proxy solution: security protection can be implemented.

QoS control
− Static NAT solution: none.
− ALG solution: none.
− SNP solution: QoS control is difficult to implement.
− Tunnel solution: QoS control can be implemented.
− Proxy solution: QoS control can be implemented.

As the table shows, these traversal solutions each have their own features and suit different networking scenarios. For existing networks, traversal between private and public networks can be implemented using the MCU, MG8520, SE2000, or static NAT solution. In addition, the existing GK, or a new GK, can be used with the H.460 server function enabled. For networks under construction, the Eudemon solution can be used to implement NAT traversal between private and public networks without deploying additional devices.