About Firewall Traversal
The purpose of a firewall is to control IP traffic entering your network. Firewalls generally block unsolicited incoming requests, meaning that any calls originating from outside your network will be prevented. However, firewalls can be configured to allow outgoing requests to certain trusted destinations, and to allow responses from those destinations. This principle is used by Cisco's Expressway technology to enable secure traversal of any firewall.
The Expressway Solution
The Expressway solution consists of:
- An Expressway-E located outside the firewall on the public network or in the DMZ, which acts as the firewall traversal server.
- An Expressway-C or other traversal-enabled endpoint located in a private network, which acts as the firewall traversal client.
The two systems work together to create an environment where all connections between the two are outbound, that is, established from the client to the server, and so able to successfully traverse the firewall.
Chained firewall traversal
For business-to-business Expressway deployments, you can configure firewall traversal chaining. As well as acting as a traversal server, Expressway-E can act as a traversal client to another Expressway-E.
If you chain two Expressway-Es for example (pictured), the first Expressway-E is a traversal server for the Expressway-C. That first Expressway-E is also a traversal client of the second Expressway-E. The second Expressway-E is a traversal server for the first Expressway-E.
Recommendations and Prerequisites
Note: We recommend that both the Expressway-E and the Expressway-C run the same software version.
Do not use a shared address for the Expressway-E and the Expressway-C, as the firewall cannot distinguish between them. If you use static NAT for IP addressing on the Expressway-E, make sure that any NAT operation on the Expressway-C does not resolve to the same traffic IP address. We do not support shared NAT addresses between Expressway-E and Expressway-C.
How Does it Work?
The traversal client constantly maintains a connection through the firewall to a designated port on the traversal server. This connection is kept alive by the client sending packets at regular intervals to the server. When the traversal server receives an incoming call for the traversal client, it uses this existing connection to send an incoming call request to the client. The client then initiates the necessary outbound connections required for the call media and/or signaling.
This process ensures that from the firewall’s point of view, all connections are initiated from the traversal client inside the firewall out to the traversal server.
For firewall traversal to function correctly, the Expressway-E must have one traversal server zone configured on it for each client system that is connecting to it (this does not include traversal-enabled endpoints which register directly with the Expressway-E; the settings for these connections are configured in a different way). Likewise, each Expressway client must have one traversal client zone configured on it for each server that it is connecting to.
The ports and protocols configured for each pair of client-server zones must be the same. See Configuring a Traversal Client and Server for a summary of the required configuration on each system. Because the Expressway-E listens for connections from the client on a specific port, we recommend that you create the traversal server zone on the Expressway-E before you create the traversal client zone on the Expressway-C.
Both the traversal client and the traversal server must be Cisco Expressway systems (neither can be a Cisco VCS).
Endpoint Traversal Technology Requirements
The "far end" (at home or at a hotel, for example) endpoint requirements to support firewall traversal are summarized below:
- For H.323, the endpoint needs to support Assent or H.460.18 and H.460.19.
- For SIP, the endpoint just needs to support standard SIP.
- Registration messages will keep the "far end" firewall ports open for Expressway to send messages to that endpoint. The Expressway waits for media from the endpoint behind the firewall before returning media to it on that same port; the endpoint does have to support media transmission and reception on the same port.
- The Expressway also supports SIP outbound, which is an alternative method of keeping firewalls open without the overhead of using the full registration message.
- SIP and H.323 endpoints can register to the Expressway-E, or they can just send calls to the Expressway-E, as the local "DMZ" firewall has the relevant ports open to allow communication to the Expressway-E over SIP and H.323 ports.
- Endpoints can also use ICE to find the optimal (in their view of what optimal is) path for media communications between themselves. Media can be sent directly from endpoint to endpoint, from endpoint via the outside IP address of the destination firewall to the destination endpoint, or from the endpoint via a TURN server to the destination endpoint.
- The Expressway supports ICE for calls where the Expressway does not have to traverse media (for example, if there is no IPv4/IPv6 conversion or SIP/H.323 conversion required); typically this means two endpoints which are able to support ICE, directly communicating with an Expressway-E cluster.
- The Expressway-E has its own built-in TURN server to support ICE-enabled endpoints.
H.323 Firewall Traversal Protocols
The Expressway supports two different firewall traversal protocols for H.323: Assent and H.460.18/H.460.19.
- Assent is Cisco's proprietary protocol.
- H.460.18 and H.460.19 are ITU standards which define protocols for the firewall traversal of signaling and media respectively. These standards are based on the original Assent protocol.
A traversal server and traversal client must use the same protocol in order to communicate. The two protocols each use a different range of ports.
SIP Firewall Traversal Protocols
The Expressway supports the Assent protocol for SIP firewall traversal of media.
The signaling is traversed through a TCP/TLS connection established from the client to the server.
Media Demultiplexing
The Expressway-E uses media demultiplexing in the following call scenarios:
- Any H.323 or SIP call leg to/from an Expressway-C through a traversal zone configured to use Assent.
- Any H.323 call leg to/from an Expressway-C through a traversal server zone configured to use H.460.19 in demultiplexing mode.
- H.323 call legs between an Expressway-E and an Assent or H.460.19 enabled endpoint.
The Expressway-E uses non-demultiplexed media for call legs directly to/from SIP endpoints (that is, endpoints which do not support Assent or H.460.19), or if the traversal server zone is not configured to use H.460.19 in demultiplexing mode.
Media demultiplexing ports on the Expressway-E are allocated from the general range of traversal media ports. This applies to all RTP/RTCP media, regardless of whether it is H.323 or SIP.
The default media traversal port range is 36000 to 59999, and is set on the Expressway-C at . In Large Expressway systems the first 12 ports in the range (36000 to 36011 by default) are always reserved for multiplexed traffic. The Expressway-E listens on these ports. You cannot configure a distinct range of demultiplex listening ports on Large systems: they always use the first 6 pairs in the media port range. On Small/Medium systems you can explicitly specify which 2 ports listen for multiplexed RTP/RTCP traffic, on the Expressway-E ( ). If you choose not to configure a particular pair of ports (Use configured demultiplexing ports = No), then the Expressway-E listens on the first pair of ports in the media traversal port range (36000 and 36001 by default).
Note: Changes to the Use configured demultiplexing ports setting need a system restart to take effect.
For example, in a SIP call from within an enterprise to an endpoint at home through an Expressway-C/Expressway-E pair, the only demultiplexing that would occur would be on the Expressway-E ports facing the Expressway-C:
Call leg   | Expressway-C, facing enterprise endpoint | Expressway-C, facing Expressway-E | Expressway-E, facing Expressway-C | Expressway-E, facing home endpoint
Media      | Non-demuxed                              | Non-demuxed                       | Demuxed                           | Non-demuxed
RTP ports  | 36002                                    | 36004                             | 36000                             | 36002
RTCP ports | 36003                                    | 36005                             | 36001                             | 36003
However, an H.323 call from within an enterprise to an Assent capable H.323 endpoint at home through the same Expressway-C/Expressway-E would perform demultiplexing on both sides of the Expressway-E:
Call leg   | Expressway-C, facing enterprise endpoint | Expressway-C, facing Expressway-E | Expressway-E, facing Expressway-C | Expressway-E, facing home endpoint
Media      | Non-demuxed                              | Non-demuxed                       | Demuxed                           | Demuxed
RTP ports  | 36002                                    | 36004                             | 36000                             | 36000
RTCP ports | 36003                                    | 36005                             | 36001                             | 36001
If the Expressway-E has Advanced Networking, it will still use the same port numbers as described above, but they will be assigned to the internal and external IP addresses.
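As an added example, not taken from the Cisco guide, the following Python encodes the demultiplexing rules above (which Expressway-E ports listen for multiplexed media on Large versus Small/Medium systems, and which call legs are demultiplexed) so that the two port tables can be checked programmatically. The class, field and function names are this example's own assumptions, not Expressway configuration settings.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the demultiplexing rules described on this page. The
# field and function names are this example's own, not Expressway settings.
DEFAULT_MEDIA_RANGE = (36000, 59999)   # default traversal media port range


@dataclass
class ExpresswayE:
    size: str                                       # "Large" or "Small/Medium"
    media_range: Tuple[int, int] = DEFAULT_MEDIA_RANGE
    use_configured_demux_ports: bool = False        # Small/Medium only
    configured_demux_ports: Optional[Tuple[int, int]] = None  # (RTP, RTCP)


def demux_listen_ports(e: ExpresswayE) -> List[Tuple[int, int]]:
    """(RTP, RTCP) pairs the Expressway-E listens on for multiplexed media."""
    lo, _hi = e.media_range
    if e.size == "Large":
        # Large systems always reserve the first 12 ports (6 pairs); not configurable.
        return [(lo + 2 * i, lo + 2 * i + 1) for i in range(6)]
    if e.use_configured_demux_ports and e.configured_demux_ports:
        return [tuple(e.configured_demux_ports)]
    # "Use configured demultiplexing ports = No": first pair of the media range.
    return [(lo, lo + 1)]


def leg_is_demuxed(call_protocol: str, peer: str, zone_protocol: Optional[str] = None,
                   h460_19_demux_mode: bool = False,
                   endpoint_traversal: Optional[str] = None) -> bool:
    """Whether a call leg on the Expressway-E carries demultiplexed media.

    call_protocol: "H.323" or "SIP".
    peer: "Expressway-C" (leg through a traversal zone) or "endpoint" (direct leg).
    zone_protocol: "Assent" or "H.460.18/19" for traversal-zone legs.
    endpoint_traversal: "Assent", "H.460.19" or None for direct endpoint legs.
    """
    if peer == "Expressway-C":
        if zone_protocol == "Assent":
            return True            # any H.323 or SIP leg through an Assent zone
        if zone_protocol == "H.460.18/19":
            return call_protocol == "H.323" and h460_19_demux_mode
        return False
    # Direct legs: only H.323 legs to Assent or H.460.19 capable endpoints are
    # demuxed; SIP endpoints (which use neither) always get non-demuxed media.
    return call_protocol == "H.323" and endpoint_traversal in ("Assent", "H.460.19")
```

Running `leg_is_demuxed` for the two legs of the SIP example gives demuxed/non-demuxed, and for the H.323 Assent example demuxed/demuxed, matching the Expressway-E columns of the tables above.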