I have been writing about how to connect video conferencing between enterprises or other organizations over the last few weeks. The simplest way to establish connections over the Internet is via IP addresses. But IP addresses are often hidden behind a NAT firewall inside an organization, and cannot be reached from outside without some help.
One simple approach is to set up dedicated IP addresses on the public side of a firewall that are bound to the internal IP address of the video conferencing unit. I recently set this up for a client with many small offices that were only expected to have a maximum of two video units. For this to work, both the external and internal addresses must be static. Firewall rules allow the video traffic to pass and do the appropriate NAT translation. For this to work correctly, the firewall must be H.323 aware so that it translates not only the packet headers but also the IP information embedded in the H.225 and H.245 setup calls. Alternatively, the video conferencing systems can be set up to know that they are behind a firewall, and can then determine their external address through a protocol or through static assignment. This limits the endpoints to only communicate out through the firewall, not with each other.
Figure 1 - Dedicated Address for Video
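The difference between header-only NAT and H.323-aware NAT described above can be checked with a small simulation. This is an added example, not code from the original post: the packet model is a simplified stand-in for the real ASN.1-encoded H.225/H.245 messages, and every address, port, binding and function name in it is constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed static 1:1 bindings: internal video unit -> dedicated public address.
BINDINGS = {"10.1.1.20": "203.0.113.10", "10.1.1.21": "203.0.113.11"}

@dataclass(frozen=True)
class SignalingPacket:
    src_ip: str      # IP header source
    dst_ip: str      # IP header destination
    media_ip: str    # address carried inside the H.225/H.245 payload
    media_port: int  # port carried inside the payload

def nat_header_only(pkt):
    """Outbound NAT that rewrites only the IP header."""
    return replace(pkt, src_ip=BINDINGS.get(pkt.src_ip, pkt.src_ip))

def nat_h323_aware(pkt):
    """Outbound NAT that also rewrites the address embedded in the payload."""
    out = nat_header_only(pkt)
    return replace(out, media_ip=BINDINGS.get(pkt.media_ip, pkt.media_ip))

def leaks_private_address(pkt):
    """True if the far end would be told to send media to an RFC 1918 address."""
    addr = ip_address(pkt.media_ip)
    return any(addr in net for net in RFC1918)

def audit(pkts, nat):
    """Return the internal sources whose translated signaling still leaks."""
    return [p.src_ip for p in pkts if leaks_private_address(nat(p))]

# Constructed sample: two bound units and one unit with no binding configured.
SAMPLE = [
    SignalingPacket("10.1.1.20", "198.51.100.5", "10.1.1.20", 49152),
    SignalingPacket("10.1.1.21", "198.51.100.5", "10.1.1.21", 49154),
    SignalingPacket("10.1.1.22", "198.51.100.5", "10.1.1.22", 49156),
]

if __name__ == "__main__":
    print("header-only NAT leaks:", audit(SAMPLE, nat_header_only))
    print("H.323-aware NAT leaks:", audit(SAMPLE, nat_h323_aware))
```

With header-only translation every call still advertises an unroutable internal media address; with payload rewriting only the unit that has no static binding is flagged.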
Inside the enterprise, video can (ought to) use a gatekeeper. The gatekeeper is a centralized authority for video conferencing signaling. This means that each video conferencing endpoint registers with the gatekeeper, and the gatekeeper maintains a lookup table for translating between aliases and IP addresses. Aliases can be in the form of an E.164 number (e.g. 978-555-1212), or a SIP-style address (e.g. [email protected]). An endpoint wishing to connect with another endpoint consults the gatekeeper, which then passes back the current IP address. The media streams then connect directly using the IP address supplied by the gatekeeper.
Figure 2 - Enterprise Gatekeeper, Signaling and Media Flows
Connecting across the firewall with a border controller can make this address translation much easier for the users. In Figure 3 below, we see an external H.460 border controller. This device manages the firewall transition as discussed in a previous posting. But the H.460 server also has a gatekeeper function that keeps track of the E.164 address of internal video conferencing systems.
Figure 3 - External H.460 Border Controller Design
With this approach it is possible for the video unit in one enterprise to dial the other system knowing only its E.164 address or phone number. No static internal addresses are required, and no bound external addresses are required. The mobile unit shown here will have a different IP address wherever it connects, but it can still be reached at a single number.