General Questions
Question: What specific products make up the VCON SecureConnect family? The SecureConnect family consists of two server products and one client product.
- VCON ALG Proxy Server - This application level gateway (ALG) is a proxy server that is specialized in secure firewall/NAT traversal of H.323 traffic (both signaling streams and media streams). It overcomes the connectivity problems that are presented by firewalls and NAT servers.
- VCON Advanced Encryption Server - This server works in conjunction with the ALG and/or the VCON Encryption Client in order to fully encrypt videoconferences or other data transmissions across public or private networks.
- VCON Encryption Client - This software application can be installed on PC-based devices such as endpoints, MCUs or other servers in order to encrypt all data transmissions between them, including videoconferences. This client works in conjunction with the VCON Advanced Encryption Server.
Question: Which environments does the SecureConnect family of products apply to? There are multiple environments where the VCON SecureConnect family of products can be highly beneficial.
- Firewalls - Firewalls create numerous connectivity problems for interactive multimedia applications like IP-based videoconferencing or voice-over-IP.
- Network Address Translation (NAT) - Similar to firewalls, NAT and NAPT also cause their own set of connectivity problems for voice and video-over-IP.
- Security - Some environments require all media traffic (audio, video, data) to be fully encrypted for security reasons.
Question: What are the primary benefits of the SecureConnect family of product?
- Connectivity - SecureConnect allows you to connect securely with endpoints, gatekeepers and MCUs that would otherwise be unreachable because of connectivity hurdles.
- Savings - Keeping the traffic on IP eliminates ISDN usage charges. Additionally, the ability to share existing gatekeepers and MCUs reduces network infrastructure costs.
- Master Directory - Establish a single, organization-wide "phone directory" listing all video endpoints on the network.
- Policy/Management - By registering all endpoints with a master gatekeeper, you'll be able to implement network-wide policies, tracking and management.
- Simplified Dialing - Standardize on a network-wide dialing plan to avoid confusion and streamline the addition of new endpoints.
Question: What types of traffic can be proxied through the ALG Proxy Server?
- Gatekeeper registration
- Call setup messages
- RTP-based media streams (audio & video)
- VCON interactive multicast streams
- MXM administrator's console login
- Remote endpoint/device configuration (from MXM)
- Annex Q (far end camera control)
- Neighbor gatekeeper and directory gatekeeper messages (between MXM servers or to non-MXM gatekeepers that are not behind an ALG Proxy)
Question: Are the SecureConnect family of products designed for enterprise use or service provider use? The ALG Proxy Server and the Encryption Server are ideally suited for both enterprise and service provider use. Essentially, any environment where firewall/NAT traversal is required or encrypted videoconferences are needed is a suitable target for the SecureConnect family of products.
Question: How are the ALG Proxy Server and Advanced Encryption Server licensed and priced?
- ALG Proxy Server - licensing and pricing are based on the number of concurrent calls that are needed through the local firewall/NAT border. Calls that remain on the private network and do not pass through the firewall/NAT border have no bearing on the licensing of the ALG. If the 2-server configuration is selected (see later question for more information), then there is an extra charge for the second server. However, the licensing remains based on the number of concurrent calls that are needed through the pair of servers.
- Advanced Encryption Server - licensing and pricing are based on the number of concurrent logins. Each ALG only counts as one login, even if there are many devices behind it utilizing the encryption functionality. Standalone users running the Encryption Client also count as a single login.
- Encryption Client - this Windows-based application is no charge and can be downloaded from the VCON website.
Question: Which vendors' firewalls are compatible with the VCON SecureConnect family of products? The SecureConnect products are not tied to any firewall vendor; the only requirement is that the firewall allow the outbound connections on the ports described in the ALG Proxy Server questions below.
Question: Do the SecureConnect products work with both PC-based and embedded appliance devices for videoconferencing (endpoints, MCUs, gateways)? Yes, with the ALG Proxy Server present at a location that has a firewall/NAT border, any standard H.323 device (endpoint, MCU, gateway) is able to safely traverse the firewall/NAT border, including the option to encrypt all traffic across the public network. Locations with all PC-based devices (endpoints, MCUs) may utilize the Encryption Client (requires one Encryption Server somewhere on the network).
Question: Are there any high-availability features configured into the ALG Proxy Server and Advanced Encryption Server? Yes, the following features are included with the SecureConnect family of server products for this purpose:
- Dual hard drives on a RAID controller, configured for mirroring
- Dual memory modules, allowing failure of one with continued operation
- Dual NIC cards
- Software watchdog to restart services in the event they stop abnormally
Questions about the VCON ALG Proxy Server
Question: How scalable is the ALG Proxy Server? Each ALG Proxy Server (or inside/outside pair of servers) is able to handle up to 100 concurrent video calls. A service provider or very large enterprise that needs more than this at a given location can install multiple ALG Proxy Servers, all centrally managed by the VCON Media Xchange Manager (MXM).
Question: What changes are necessary in the firewall to support the ALG Proxy Server? No changes are required, provided the firewall allows outbound connections via the specified ports. As an additional security measure, all traffic that comes into the outside proxy (from the public network) is passed exclusively to the inside proxy through the firewall.
The firewall does not need to open any new ports in the inward direction and it does not need to accommodate requests to open random or dynamic ports. One key benefit of the ALG Proxy architecture is that external devices never connect directly to the private network and internal devices never connect directly to the public network.
The firewall ports used by the ALG Proxy can be further protected by the following control mechanisms:
- Protocol - each port used can be configured to allow only the specific protocol that is needed
- Destination - the ports only need to allow traffic to/from the IP addresses of the two proxy components (inside and outside)
- Application - the proxies will only process H.323-related traffic
- Proprietary Wrapper - the ALG Proxies put a proprietary wrapper around the messages passed between them. Only messages with this wrapper are processed.
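The four control mechanisms above describe a firewall policy that can be audited mechanically. The following added example (not VCON's code) checks a rule set against the first three of them: each allowed port carries exactly one protocol, only the two proxy addresses may talk on it, and no dynamic or random port ranges are opened. The page does not name the three proxy-to-proxy ports, so the port numbers, protocols, proxy addresses and rule format below are assumptions for illustration.

```python
"""Audit a firewall rule set against the ALG Proxy control mechanisms.

Added example, not VCON code. ALG_PORTS, INSIDE_PROXY, OUTSIDE_PROXY and the
Rule layout are hypothetical; the page does not publish the real values.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed: the three inside<->outside proxy ports and the protocol each carries.
ALG_PORTS = {6000: "tcp", 6001: "tcp", 6002: "udp"}   # hypothetical values
INSIDE_PROXY = ip_address("10.0.0.5")                 # hypothetical
OUTSIDE_PROXY = ip_address("203.0.113.5")             # hypothetical (TEST-NET-3)


@dataclass(frozen=True)
class Rule:
    """One allow rule: src -> dst on proto, for an inclusive port range."""
    src: str          # "any" or an IP address
    dst: str
    proto: str        # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int


def _is_proxy_pair(rule: Rule) -> bool:
    """Destination control: traffic is allowed only between the two proxy hosts."""
    try:
        src, dst = ip_address(rule.src), ip_address(rule.dst)
    except ValueError:               # "any" or a garbled address
        return False
    return {src, dst} == {INSIDE_PROXY, OUTSIDE_PROXY}


def audit_rules(rules):
    """Return a list of (rule, reason) findings. An empty list means the
    rule set matches the hardened pattern: each rule covers exactly one
    ALG port, with that port's protocol, between the two proxies only."""
    findings = []
    for r in rules:
        if r.port_lo != r.port_hi:
            findings.append((r, "port range: the ALG needs fixed ports, never dynamic ranges"))
            continue
        if r.port_lo not in ALG_PORTS:
            findings.append((r, "port %d is not an ALG proxy port" % r.port_lo))
            continue
        want = ALG_PORTS[r.port_lo]
        if r.proto != want:
            findings.append((r, "protocol control: port %d should allow only %s" % (r.port_lo, want)))
        if not _is_proxy_pair(r):
            findings.append((r, "destination control: only inside<->outside proxy addresses"))
    return findings


# Constructed sample: a "just make it work" rule set ...
WEAK_RULES = [
    Rule("any", "10.0.0.5", "any", 6000, 6002),         # any source, any protocol, a range
    Rule("203.0.113.5", "10.0.0.5", "tcp", 6002, 6002),  # wrong protocol for port 6002
    Rule("any", "10.0.0.5", "udp", 1024, 65535),         # dynamic range opened "for RTP"
]

# ... and the corrected set: one rule per port, pinned to protocol and peers.
HARDENED_RULES = [
    Rule("203.0.113.5", "10.0.0.5", "tcp", 6000, 6000),
    Rule("203.0.113.5", "10.0.0.5", "tcp", 6001, 6001),
    Rule("203.0.113.5", "10.0.0.5", "udp", 6002, 6002),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "findings:", len(audit_rules(rules)))
        for rule, reason in audit_rules(rules):
            print("  ", rule, "->", reason)
```

The hardened set is what the architecture in the preceding answer calls for: no inbound opening beyond the fixed proxy ports, and nothing on those ports from any host other than the peer proxy. The fourth mechanism, the proprietary message wrapper, is enforced by the proxies themselves rather than by the firewall and is therefore outside what a rule audit can check.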
Question: Can the ALG Proxy Server be used in conjunction with advanced VCON technologies like Interactive Multicast and PacketAssist (QoS)? Yes. The ALG Proxy can be used to allow Interactive Multicast traffic to pass through firewalls and NAT servers. However, all data network segments that need to carry the Interactive Multicast traffic must be multicast-enabled. With regards to PacketAssist features, most of them will work unaffected. Additionally, the ALG Proxy can be configured to set DiffServ or IP Precedence QoS values on the media streams that pass through it. Unique QoS settings can be made for audio, video and data traffic types.
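The per-traffic-type marking described above is done by setting the IP TOS byte on the socket that emits each stream. The added example below (not VCON code) shows what that looks like for an RTP-style UDP socket. The page gives no DSCP values, so the choices here follow the RFC 4594 recommendations (EF for voice, AF41 for conferencing video, AF21 for low-latency data) and are an assumption about a sensible configuration, not the product's defaults.

```python
"""Per-traffic-type DiffServ marking of outgoing media sockets.

Added example, not VCON code. The DSCP table is an assumption based on
RFC 4594; the product's actual defaults are not published on this page.
"""
import socket

# DSCP code points: EF (voice), AF41 (multimedia conferencing video), AF21 (data).
DSCP = {"audio": 46, "video": 34, "data": 18}


def tos_byte(traffic_type: str) -> int:
    """DSCP occupies the top six bits of the IP TOS byte; the two ECN bits stay zero."""
    return DSCP[traffic_type] << 2


def mark_socket(sock: socket.socket, traffic_type: str) -> int:
    """Set IP_TOS on an IPv4 socket and return the value the kernel reports back,
    so a caller can confirm the mark actually took effect."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos_byte(traffic_type))
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)


def mark_udp_stream(traffic_type: str) -> int:
    """Open an RTP-style UDP socket, mark it for the given stream type and
    return the applied TOS byte (the socket is closed on exit)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return mark_socket(s, traffic_type)


if __name__ == "__main__":
    for kind in ("audio", "video", "data"):
        print(kind, "DSCP", DSCP[kind], "TOS byte", mark_udp_stream(kind))
```

Marking only matters if the routers along the path honour it; on a public WAN the values are frequently rewritten, which is why the page limits its QoS claims to the segments the proxy and PacketAssist control.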
Question: VCON allows a customer to separate the inside versus outside proxy functions of the ALG Proxy Server by splitting these functions across two physical servers (a VCON-provided option). Does VCON recommend one approach over another? When the Advanced Encryption server is NOT also being used in conjunction with the ALG, the most secure approach is to select the 2-server configuration, which splits the inside versus outside proxy functions - one on either side of the firewall. In this setup, 3 specific ports are used for communication between the proxies.
The decision to use a single ALG Proxy Server with both proxy functions running inside involves using the two NIC interfaces in this server, one connected to the public network and one to the private network. The most common reason to use this approach is cost savings. When the Advanced Encryption Server is being used, many network administrators will likely be more comfortable with the single server approach for the ALG. The reason is because all traffic coming from the public network into the ALG is encrypted (assuming it's the public side of the network that is chosen to be encrypted).
Question: Must traffic always flow through the ALG Proxy? This is one of the major advantages of the ALG Proxy architecture. In almost all cases, the audio and video streams take the most direct path between the conference participants. If any of these participants are protected behind a local ALG Proxy, then the traffic will flow through that proxy. However, this is very different from some firewall traversal solutions, which require the media streams to first pass through a centralized server before proceeding on to the destination, thereby creating a potential bottleneck and adding unneeded latency to the videoconference.
Question: Will the ALG Proxy Server work with other gatekeepers (non-MXM)? If so, are there any specific requirements or limitations? It can work with any gatekeeper but with some limitations. As a general rule, the following features will not work with a non-VCON gatekeeper located behind a local VCON ALG Proxy Server:
- Neighbor gatekeeper
- The non-VCON gatekeeper will probably not see the true IP address for the endpoint/device being registered (rather, will see the ALG's IP address).
- Accord's Meeting Room feature will probably not be usable if the Accord MCU is registered to the non-MXM gatekeeper.
Question: What is the relationship between the ALG Proxy Server and the Advanced Encryption Server? If an ALG is configured for encryption, it is able to serve as a gateway between the encrypted side of the network and the non-encrypted side. A remote location that has multiple endpoints, some PC-based and some settop appliances, can have all of these endpoints behind a local ALG. All traffic across the WAN will be encrypted. Additionally, such a location only counts as a single login on the Encryption Server, which can help reduce the cost of the Encryption Server license, since it is based on concurrent logins.
Question: How much additional latency is added when media streams flow through the ALG Proxy Server? The added latency from the ALG Proxy is very low. With no encryption, the average latency is approximately 2ms. With the encryption option enabled in the proxy, the average latency is approximately 5ms.
Questions about Encryption
Question: How scalable is the Advanced Encryption Server? The Encryption Server is able to handle up to 10,000 concurrently logged in clients and 1,000 concurrent calls. A client is either a PC-based device running the Encryption Client application or an ALG Proxy Server enabled with the encryption option. Remembering that each ALG Proxy Server enabled with encryption can have tens or hundreds of devices behind it, it is possible that the total number of actual devices that have concurrent access to encryption is considerably more than 10,000. Additionally, the limit of 10,000 pertains to concurrently logged in clients, which means that many more clients could have the Encryption Client installed but not actively logged in.
Question: Are there any benefits to using the VCON Advanced Encryption Server versus one of the many encrypted VPN solutions in the market? Yes. VPN solutions typically involve having the remote user authenticate with a VPN server (sometimes co-located in the firewall device), which results in them being logged in to the enterprise or service provider network just as if they were local on the LAN. Many times it is not desirable to have remote users fully logged into the enterprise or service provider network just for the need to access application-specific resources (like a videoconferencing gatekeeper, MCU, gateway, or endpoint). With the VCON SecureConnect architecture (both the Advanced Encryption Server and the ALG Proxy), a specific workgroup or community can be uniquely authorized without also giving them full access to all of the rest of the network resources. Authentication, signaling streams, and media streams can only be exchanged with specifically authorized devices - all fully encrypted where needed.
Question: What methods of encryption are available? Also, can the user select which method of encryption is used (DES, 3DES, AES) or is this fully controlled via the Advanced Encryption Server that these clients login to? The Encryption Server supports the DES, 3DES and AES encryption standards. The method of encryption is centrally configured and controlled via the server; the client cannot override it. Note that single DES uses a 56-bit key and is no longer considered adequate against brute-force attack, so 3DES or AES should be selected on the server wherever the peer devices support it.
Question: What protection is provided for the user login to the Encryption Server and the exchange of the public/private encryption keys? The command channel (used for authentication, monitoring, key exchange and control) is encrypted using a Secure Sockets Layer (SSL) connection. Having the authentication and key exchange processes take place over a separate encrypted communications channel from the encrypted data stream channel provides an additional level of security: a device that never completes the authenticated exchange on the command channel never receives a key, and so cannot produce or read the media traffic.
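The two-channel design in the answer above (and the "only authorized devices can exchange media" point made earlier in this section) can be shown end to end with a small model. The following is an added example, not VCON code: the SSL tunnel around the command channel is assumed rather than built, and only the messages that travel through it are modelled. The user database, the password-hashing parameters and the cipher are illustrative. In particular, the data-channel cipher below is an HMAC-SHA256 keystream stand-in for the DES/3DES/AES the product offers, used only because the Python standard library has no block cipher; it is not the product's algorithm.

```python
"""Control channel (login + key distribution) kept separate from the data
channel (media encrypted under the distributed session key).

Added example, not VCON code. The SSL connection that protects the control
channel in the product is assumed here, not implemented. The cipher is a
stand-in for DES/3DES/AES.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000   # assumed password-hashing cost


class EncryptionServer:
    """Holds salted password hashes and hands out per-session keys."""

    def __init__(self):
        self._users = {}          # user_id -> (salt, pbkdf2 digest)
        self._sessions = {}       # session token -> key

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user_id] = (salt, digest)

    def login(self, user_id: str, password: str):
        """Control-channel exchange (assumed to run inside SSL):
        (user_id, password) -> (token, session key), or None on failure."""
        record = self._users.get(user_id)
        if record is None:
            return None
        salt, digest = record
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(attempt, digest):   # constant-time comparison
            return None
        token, key = secrets.token_hex(8), os.urandom(32)
        self._sessions[token] = key
        return token, key

    def key_for(self, token: str):
        """Lookup used by the receiving side (e.g. an ALG) to decrypt media."""
        return self._sessions.get(token)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in, NOT the product's cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_media(key: bytes, packet: bytes) -> bytes:
    """Data-channel protection: nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(packet, _keystream(key, nonce, len(packet))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()[:16]
    return nonce + ct + tag


def decrypt_media(key: bytes, blob: bytes):
    """Return the packet, or None if the tag check fails (tampered or wrong key)."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, "sha256").digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def demo():
    """Walk both channels once.
    Returns (login_ok, bad_login_rejected, media_roundtrip_ok, tamper_detected)."""
    server = EncryptionServer()
    server.add_user("alice", "correct horse")          # constructed credentials
    session = server.login("alice", "correct horse")   # control channel
    rejected = server.login("alice", "wrong")          # no key is released
    token, key = session
    rtp = b"\x80\x60\x00\x01constructed RTP payload"   # constructed sample packet
    blob = encrypt_media(key, rtp)                     # data channel
    roundtrip = decrypt_media(server.key_for(token), blob) == rtp
    tampered = bytearray(blob)
    tampered[20] ^= 0x01                               # flip one ciphertext bit
    return session is not None, rejected is None, roundtrip, decrypt_media(key, bytes(tampered)) is None


if __name__ == "__main__":
    print(demo())
```

The point the model makes is structural rather than cryptographic: the key never travels on the data channel, a failed login yields no key at all, and a modified packet is rejected before it is decrypted. Swapping the stand-in keystream for AES does not change that shape.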
Question: Is there any way to encrypt the traffic from embedded settop videoconferencing appliances (or other non-PC based devices)? Yes. If there is a location of such devices with an ALG installed, the outside proxy of this ALG can be enabled with the encryption option (which also requires the Advanced Encryption Server) and all traffic across the WAN will be encrypted. However, the traffic across the LAN would not be encrypted for these embedded appliance devices. PC-based devices with the Encryption Client installed will have fully encrypted traffic, even across the LAN.
Question: What is involved from the end user's point of view in order to have encrypted communications when using the Encryption Client on their PC? The end user's PC desktop will have an icon that logs into the Advanced Encryption Server when executed. The Encryption Client only has a couple of basic configuration parameters. The login procedure requires a UserID and Password to be provided for authentication. Once logged in, any application on the PC that is configured to utilize the virtual IP address created by the Encryption Client will have its data encrypted as it leaves the PC. For example, if the VCON vPoint application sees two active IP addresses when it is launched, it will prompt the user to select the one that should be used for operation. If the encrypted virtual IP address is selected, then videoconferences using vPoint will be encrypted.
Question: If endpoints have the Encryption Client installed, can they still participate in multipoint conferences with the VCON Conference Bridge (VCB)? Yes, the VCB simply needs to have the Encryption Client installed or be located behind a local ALG Proxy that is configured for the encryption option.
Question: Can T.120 data collaboration traffic be encrypted? Yes, provided encryption clients are installed on the PCs and they are logged into the Advanced Encryption Server. This scenario requires that the T.120 application be capable of using a virtual (private) IP address.