Introducing Cisco TelePresence

As a quick look showed, building a network for video communications is not a trivial task: the solutions differ, the levels of interaction differ, the Internet is different everywhere, and there are pitfalls galore. The strangest thing is that there are no Russian-language guides for planning, design and fine tuning. There is a bare minimum, the so-called “Basic setup”, which will not satisfy a sophisticated network administrator. Depending on the situation and requirements, completely unexpected solutions may appear. Even for one organization with one set of requirements, finding the right solution straight away will be a problem, and to be universal and cover the full range of services provided by Cisco TelePresence equipment you will need more than one box. If you buy all the Cisco boxes and plug them all into each other, maybe it will turn out “universal”.


Introduction


The idea of organizing all the available means of transmitting information, such as telephone, telegraph and data networks, into one network is not new; it appeared in the second half of the 20th century. This concept survived under the name ISDN; however, the development of IP networks and the emergence of new services did not give the proposed concept much life. It was replaced by solutions called Next Generation Network (NGN). Using the NGN concept for multimedia transmission, Cisco TelePresence implements its control components separately: the signaling information needed to set up and tear down a connection and to determine the route of the media stream passes through one device, while the multimedia data itself, i.e. voice and video, is switched by other devices.
Video conferencing rests on the following 5 “pillars” (in Cisco terminology):
1. Video Network Services, the control plane components: they take part in routing calls, including to “other” networks, and manage signaling information;
2. Video Services, the so-called user plane components, which are directly responsible for transmitting media. The abbreviation MCU (Multipoint Control Unit), taken from H.323 terminology, is often used;
3. Endpoints, i.e. end devices: anything from a TV to a mobile phone and everything in between (the iPod is not yet supported);
4. Managers: you cannot do without them. If a camera in Bugulma stops working, the last person who touched it will have to go there;
5. and, of course, the network.

VideoNetworkServices

There are two kinds: call control and gateways.
Call control is the so-called Video Communication Server (VCS): it registers endpoints (SIP and H.323), routes calls and monitors them, and has nothing to do with the media itself. Several units can be gathered into a cluster if one is not enough. There is VCS Control, for connecting clients from your own network, and there is VCS Expressway, with NAT support, firewall traversal, etc., for external connections. Expressway lives in the DMZ.
Gateways give access to “other” networks, for example ISDN or PSTN; business-to-business connections go through them.
[Image: VCS Tandberg]

Videoservices

Video services are not mandatory, but they are an important part of planning the videoconferencing infrastructure. It is worth starting with the answers to these questions: will there be conferences with more than 2 participants, do I need video streaming, and do I need recording? Accordingly, there are two types of device:
Conferencing: equipment for combining 3 or more participants. It provides switching and transcoding. Switching means forwarding a video/audio stream from one end device to many others; transcoding is the encoding and decoding of a media stream between endpoints. In H.323 terminology this is the MCU (Multipoint Control Unit). Cisco's list of existing solutions: Cisco TelePresence Multipoint Switch, MCU 4000, Cisco Integrated Services Router (ISR), as well as cluster solutions based on the MSE 8000 with several blade servers on board.
[Image: MCU 4500]

Streaming & Recording: many MCUs, in addition to conferencing, have a video broadcast server on board. If they do not, there are two kinds of box. One only records: the Cisco TelePresence Recording Server. The other records and broadcasts simultaneously: the Cisco TelePresence Content Server. Powered by the Cisco Media Services Engine (MSE).

Endpoints

You can use the following devices:
• Soft clients: LifeSize ClearSea (available for Android devices), Cisco Jabber (available for iPad, Mac, Windows and Android). In this case the computer/tablet/phone is the codec device;
• Personal stations: EX60, DX650, E20 are the most popular. Simple to set up, either via the web interface or directly on the screen. All the terminal needs is to select a codec and be given the server address. Incidentally, the DX650 has a VPN client on board, i.e. it can attach not to Expressway but first to the corporate network, and through the tunnel to Control;
• Meeting rooms and conference rooms. These solutions are properly called Collaboration Room Endpoints (MX and Profile series) and Immersive TelePresence (TX series). Here the codec is a box into which screens, microphones and cameras are plugged.

Management

A software-based thing with a huge number of functions which, so far, is mainly used for monitoring. The point is that almost every piece of hardware has a convenient web interface. A console is also available, by the way; however, knowing how to configure Cisco routers and switches will not help you here, the syntax is completely different. Anyway, the managers:
Cisco TMS, TelePresence Management Suite. A server-based system, i.e. it needs its own hardware. Convenient and intuitive monitoring; the main feature is scheduled video conferencing, i.e. at a given moment a call is placed to all participants. Integrates with AD, in particular with the Microsoft Exchange calendar;
Cisco TelePresence Manager and Cisco Prime Collaboration Manager. What the real difference from the first is, honestly, I do not know; I have only touched the first. But Prime Collaboration has real-time monitoring, which undoubtedly deserves respect.

Network

Basically, all the network requirements for carrying a stream depend on the stream itself. For example, at least 2 Mbps per client is recommended for H.264 video. Delay, jitter, loss: everything as usual. The most interesting question is connecting remote clients: whether a VPN is needed or not, one network for all clients, or /30 links and PPTP, or NAT. The encryption implemented in Cisco TelePresence is discussed later.

Now that we are a little acquainted with the functionality of the various products (this is by no means all of it), we can start planning client connections, network access, getting to the root of the implementation, etc.
There are several options for establishing a call (SCCP/Skinny is not considered here):
• H.323: a set of protocols; users attach to the gatekeeper (aka zone controller, implemented in VCS), which handles calls. The gatekeeper attaches to the H.323 MCU;
• SIP: Session Initiation Protocol. A SIP server is needed (there is one in VCS); it registers users, acting as the SIP proxy, and attaches to the MCU (for calls with 3 or more participants).

You can quote the Cisco Video and TelePresence Architecture Design Guide:
In many regards, SIP is better categorized as a communications session signaling protocol than a telecommunications signaling protocol because SIP enables more than just the establishment of voice and video communications. SIP can enable instant messaging, presence, and so forth, whereas SCCP and H.323 are purely telecommunications protocols. Part of the strength of the SIP protocol specification to support a myriad of services comes from the fact that UAS and UAC elements must ignore what they do not understand or support. On occasion, however, this strength becomes one of SIP's disadvantages because it complicates interoperation between vendors. Furthermore, SIP is less detailed in its specification than SCCP or H.323, making vendor interoperation somewhat challenging at times. For example, in SIP there is more than one way to implement some features. If different vendors implement the same feature in different ways, they would be incompatible.


Both SIP and H.323 are equally useful. Note that H.323 is not a protocol but a set of recommendations for the protocols used, and those protocols have the status of standards. The functions are the same, although SIP wins on the following criteria:
• it scales more conveniently;
• the connection is set up in one handshake, where H.323 needs a great many;
• many will notice the similarity of SIP to the notorious HTTP protocol. True: similar and understandable.
To begin with, it will be important to define the topology, or topologies, we want to deploy. Suppose the simplest scheme: we definitely need telepresence, H.264 video calls and SIP + H.323 conferences. A set of VCSs for registering participants with a SIP server on board, an MCU for conferences, endpoints with HD cameras and an Internet connection will handle this.

Lyrical digression: working with Cisco TelePresence, you will have to deal with a large number of NON-Cisco devices, namely Tandberg and Codian. The story is as follows: once, in the recent past, they were all independent of each other. Tandberg was considered a video communications giant, and Codian specialized in making MCUs. In 2007 the British Codian became (for 270 million dollars) part of the giant Tandberg, and in 2010 Tandberg became part of the giant Cisco (for 3.3 billion). Tandberg now produces its equipment under the TANDBERG Cisco brand, and Codian maintains and produces its equipment, supplied by Cisco, under the old Codian brand. So when we speak of Codian etc., we mean Cisco “Om-nom-nom” corp.

The diagram looks like this:
[image]

Licensing


Now the question of licensing. Since users live and register on VCS, and the joining of three or more clients takes place on the MCU, it is logical to assume that Cisco is unlikely to give its customers unlimited possibilities for connecting conference participants. Limitation number one is the maximum available number of registrations. Initially a VCS has capacity for 2500 registrations (depending on the purchased configuration). You can assemble a cluster (maximum 6 devices), which raises the MAXIMUM number of registrations to 10,000. That is less than you would expect, because of redundancy: if one box fails, its users can be moved to another. Limitations number 2 and 3 are traversal and non-traversal calls. Traversal calls are:
• calls from H.323 to SIP (and vice versa);
• firewall traversal calls using Assent;
• firewall traversal calls using H.460;
• IPv4 to IPv6;
• an Expressway receiving a call but lacking an extended license for local calls can use one traversal license for one call.
Non-traversal is a call inside an IPv4 network, from SIP to SIP, calls between VCSs, i.e. simple calls that do not require tricky manipulation. Traversal licenses can be bought in packs of 10, 20, 50, 100, 200 and 300. By the way, if you assemble a cluster (also of 6), you can get 2,000 non-traversal and 400 traversal licenses. Many additional VCS features are also subject to licensing, such as FindMe, Advanced Account Security, Device Provisioning, and much more. Unfortunately, I did not find a word on expanding the number of SIP domains that can be created (by default there are 200, but one would like much more!).
MCU licensing is about the number of participants in a conference. Take the Codian MCU 4210 of the MCU 4200 series as an example: it can include up to 20 participants in a video conference and has an additional 20 licenses for audio participants. For comparison, the Codian MCU 4220 does 40 of each (video plus additional audio). Here 20 participants means that the device has 20 virtual ports which it switches among themselves, i.e. more than 20 is impossible. A cluster can only be assembled if you have one of the super-evil pieces of hardware, the Supervisor MCU MSE 8050 stuffed with MCU MSE 8510 blades. By the way, the same MCU (4210) also has a video broadcast server.
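To make the licensing rules above concrete, here is a small planning helper. It is an added example, not Cisco's code: it classifies calls as traversal or non-traversal using the criteria listed above, picks traversal packs from the sizes named in the text, and checks a planned deployment against the cluster figures (6 nodes, 10,000 registrations, 2,000 non-traversal and 400 traversal calls). The call records and the "packs can be combined freely" rule are assumptions made for the demo.

```python
"""Added planning helper (not Cisco's code): classifies calls as traversal or
non-traversal by the criteria listed above and checks them against the VCS
licence figures from the text.  Call records at the bottom are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

TRAVERSAL_PACKS = (10, 20, 50, 100, 200, 300)   # pack sizes named in the text
SINGLE_VCS_REGISTRATIONS = 2_500                 # one box, default purchase
CLUSTER_LIMITS = {"nodes": 6, "registrations": 10_000,
                  "non_traversal": 2_000, "traversal": 400}


@dataclass(frozen=True)
class Call:
    src_protocol: str                          # "sip" or "h323"
    dst_protocol: str
    src_ip: str
    dst_ip: str
    firewall_traversal: Optional[str] = None   # "assent", "h460" or None


def is_traversal(call: Call) -> bool:
    """True when the call consumes a traversal licence."""
    if call.src_protocol != call.dst_protocol:          # H.323 <-> SIP interworking
        return True
    if call.firewall_traversal in ("assent", "h460"):    # Expressway firewall traversal
        return True
    src_ver = ipaddress.ip_address(call.src_ip).version
    dst_ver = ipaddress.ip_address(call.dst_ip).version
    return src_ver != dst_ver                            # IPv4 <-> IPv6 interworking


def license_usage(calls: List[Call]) -> Dict[str, int]:
    """Count concurrent calls by licence type."""
    usage = {"traversal": 0, "non_traversal": 0}
    for call in calls:
        usage["traversal" if is_traversal(call) else "non_traversal"] += 1
    return usage


def traversal_packs_needed(concurrent_traversal: int) -> List[int]:
    """Pick packs, largest first, to cover the peak number of concurrent
    traversal calls.  Assumption: packs can be combined freely."""
    remaining = -(-concurrent_traversal // 10) * 10     # round up to a multiple of 10
    packs = []
    for size in sorted(TRAVERSAL_PACKS, reverse=True):
        while remaining >= size:
            packs.append(size)
            remaining -= size
    return packs


def check_capacity(nodes: int, registrations: int, usage: Dict[str, int]) -> List[str]:
    """Return the limits from the text that a planned deployment would exceed."""
    problems = []
    if nodes > CLUSTER_LIMITS["nodes"]:
        problems.append(f"cluster of {nodes} nodes exceeds the maximum of {CLUSTER_LIMITS['nodes']}")
    reg_limit = SINGLE_VCS_REGISTRATIONS if nodes == 1 else CLUSTER_LIMITS["registrations"]
    if registrations > reg_limit:
        problems.append(f"{registrations} registrations exceed the limit of {reg_limit}")
    if nodes > 1:   # the 2,000 / 400 figures in the text are given for a cluster
        for kind in ("non_traversal", "traversal"):
            if usage.get(kind, 0) > CLUSTER_LIMITS[kind]:
                problems.append(f"{usage[kind]} {kind} calls exceed the cluster limit of {CLUSTER_LIMITS[kind]}")
    return problems


# Constructed sample: four concurrent calls of different kinds.
SAMPLE_CALLS = [
    Call("sip", "sip", "10.0.0.10", "10.0.0.20"),                               # plain internal SIP call
    Call("h323", "sip", "10.0.0.10", "10.0.0.30"),                              # protocol interworking
    Call("sip", "sip", "203.0.113.5", "10.0.0.40", firewall_traversal="h460"),  # remote via Expressway
    Call("sip", "sip", "10.0.0.10", "2001:db8::1"),                             # IPv4 -> IPv6
]

if __name__ == "__main__":
    usage = license_usage(SAMPLE_CALLS)
    print(usage, traversal_packs_needed(usage["traversal"]))
    print(check_capacity(nodes=2, registrations=3000, usage=usage))
```

Only one of the four constructed calls is a plain SIP-to-SIP IPv4 call; the other three each burn a traversal licence, which is the usual surprise when remote users and H.323 devices are added to a plan that was sized on SIP registrations alone.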

Encryption


Let's figure out what gets encrypted. Firstly, signaling. It is encrypted with AES (DES, 3DES), with the key negotiated via Diffie-Hellman. It is turned on by pressing a button in the pretty web interface. Secondly, the transmitted traffic (media) is encrypted with the same AES, with a key from the same Diffie-Hellman, and is turned on the same way.
If that level of secrecy seems insufficient, you can raise VPN tunnels to the clients, write ACLs, configure firewalls, etc. Let's turn on paranoia:
• if SIP, then SIPS (the same SIP but over TLS; the address is not sip:<>@... but sips:<>@...)
• if TCP/UDP, then TLS
• if RTP, then SRTP
• if the client is far away, then GRE/IPsec
• well, whatever else we can think of
Clearly this will increase packetization time and overall overhead.

VCS Software Overview


The firmware itself is very convenient (X7.2.2); it carries its own manual on board, opened with the Help button in the upper right corner. The help that opens in the window gives reference information about the subsystem you are currently in (both theory and practice). Input fields are also annotated with miniature help.
[screenshot]
Do not worry if something is unclear or you do not remember what to write in a field: Help will serve its purpose. The software goodies include a powerful regular-expression engine (relatively powerful within the scope of its task).

Configuration


We will skip the basic setup; the Internet is full of “how to quickly set up VCSe + VCSc + MCU”, but the most interesting parts can be discovered only in kilometers of guides (it took me a little less than a month, starting from “below absolute zero”). Suppose we have done the basic settings: set up neighboring with the MCU, the Traversal zones, the time, etc. Now let's deal with call management “like a boss”: who these neighbors are, and why Traversal is needed.

Zones


Here things get murky. A zone is an abstract set of anything (domains, IP addresses, devices, services) to which a certain set of rules applies. Zones are needed to control bandwidth, authentication and call routing, and the control applies to everything in the zone at once. When creating dial plans you specify from which zone to which zone the call is transferred (not from which domain). It makes everything that happens easier to control; setting up this whole mess, however, may seem tedious.
All end devices, VCSs and MCUs, in general all of your devices, are in the Local Zone. The local zone can be divided into Subzones, so for flexibility of management you can create a separate subzone for a new SIP domain. You can create up to 1000 of them. Which domain belongs to which subzone is determined by the “Subzone membership rules”.
The other zones are Neighbor, Traversal (a client-server arrangement), ENUM and DNS. The last two are for ENUM and DNS queries; they need to be told which servers to ask for names and E.164 numbers. A Traversal zone is needed to route calls between a VCS Control and an Expressway separated by a firewall. Say half the clients are inside and call through VCS Control, and the other half are remote and use Expressway; VCS Control is the client, Expressway the server. A Neighbor zone is needed, for example, to talk to the MCU or to another VCS. Whatever does not fall into any zone falls into the DefaultZone and works by the default zone's rules, which, generally speaking, can be left without any rules at all, in which case everything is simply forwarded on.
[image]

I will post fewer screenshots so as not to clutter the text with half-empty browser windows; it is easier to say it in words.
Create a Subzone (for bandwidth management, encryption and authentication) in the menu VCS Configuration -> Local zone -> Subzones. Click New; in the Policy area allow registration (Registration policy: Allow) and be sure to require authentication (Authentication policy: Check credentials). In the SIP media encryption mode area you can decide whether encryption is required. Bandwidth limits are optional. This tool lets you manage calls between zones.
Create a SIP domain (VCS Configuration -> Protocols -> SIP -> Domains). Click New and enter the domain name. You can create up to 200.
Create membership rules to establish domain membership in the subzone (VCS Configuration -> Local zone -> Subzone membership rules). A rule must contain a name, a priority, the regular expression that the domain name must match, and the subzone whose rules will apply to that domain.
[screenshot]

Once the sender and recipient have been determined, call processing begins on the VCS (or VCSs) according to the Call policy (VCS Configuration -> Call policy -> Rules). First turn them on, and second, write the rules. Anyone familiar with ACLs will see a lot of similarities. From-to-policy: a simple scheme, only 3 elements per rule. The rule that is higher up is processed earlier; you can change the position with the up/down arrows.
[screenshot]

With this rule we allow/deny calls to number 123456 from the domain newdomain.ru, for example. Whether there is an implicit deny at the end or not, unfortunately, I did not check, but just in case I put the rule “.* -> .* Reject” at the end, i.e. block from anywhere to anywhere. Naturally, the permitting rules were written above it. Generally speaking, you can leave Call Policy disabled and steer calls at the level of dial plans. But with the rules turned on, a rejected call does not even get as far as the dial plans, and if you have a lot of them you do not need to run through the list and frantically look for the dial plan your call falls into.
Now we have come close to the Dial plan, an important and necessary thing without which nothing will work. Call processing at the dial-plan stage happens in stages. First come rules of the “Transform” type. They let you do anything with addresses: strip the domain part, add a domain part, change the name of the recipient or sender. Say you want to dial a memorable vanity number, e.g. 666666, from a Cisco phone and land in a conference; you have lots of rooms and there is no need to create another one. So we write a transform onto an already existing room and are done with it. Here is an example of how to turn 666666 into 639801.
[screenshot]

After the transform is done and the transformation rules applicable to the call are exhausted, processing continues according to the search rules. We create a Search Rule for the dial plan, for routing search requests to particular zones (VCS Configuration -> Dial plan -> Search rules). An example rule for a subzone domain is below.
[screenshot]
Note that the rule is created for the originating zone given in Source name; it looks in the request for the Pattern string, specified as the suffix (Suffix) of the recipient URI, “nik”. In other words, if a call from the nik zone has a destination address ending in nik, that address must be looked up in the Local Zone. The rule is turned on by setting the State drop-down to Enabled.
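The zone, subzone, call-policy, transform and search-rule sections above describe one processing order, so here is a single runnable model of it. This is an added example, not the VCS's own code: subzone membership rules are checked in priority order, call policy rules are tried top-down with first match winning (and the explicit “.* -> .* Reject” at the end), then transforms rewrite the destination, then search rules pick the zones to query. The zone names, rules and addresses are constructed sample data built around the article's own examples (newdomain.ru, 123456, 666666 to 639801, the “nik” suffix); the exact VCS semantics are assumed to be as the text describes them.

```python
"""Added model (not the VCS's own code) of the call-processing order described
above: subzone membership rules, call policy (top-down, first match wins, with
the explicit '.* -> .* Reject' at the end), dial-plan transforms, then search
rules.  Zone names, rules and addresses are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class MembershipRule:
    name: str
    priority: int      # lower value is evaluated first
    pattern: str       # regex the registering alias must match in full
    subzone: str


@dataclass
class CallPolicyRule:
    source: str        # regex on the caller
    destination: str   # regex on the callee
    action: str        # "Allow" or "Reject"


@dataclass
class Transform:
    pattern: str       # regex applied to the destination alias
    replace: str


@dataclass
class SearchRule:
    name: str
    source_zone: str   # "Any" or a zone/subzone name
    mode: str          # "prefix", "suffix" or "regex"
    pattern: str
    target_zone: str


def assign_subzone(alias: str, rules: List[MembershipRule]) -> str:
    """Subzone membership rules, checked in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if re.fullmatch(rule.pattern, alias):
            return rule.subzone
    return "DefaultSubzone"


def apply_call_policy(src: str, dst: str, rules: List[CallPolicyRule]) -> Optional[str]:
    """First matching rule decides; None means nothing matched (the article
    avoids relying on an implicit deny by adding a catch-all Reject)."""
    for rule in rules:
        if re.fullmatch(rule.source, src) and re.fullmatch(rule.destination, dst):
            return rule.action
    return None


def apply_transforms(dst: str, transforms: List[Transform]) -> str:
    """Every transform whose pattern matches rewrites the alias, in order."""
    for t in transforms:
        dst = re.sub(t.pattern, t.replace, dst)
    return dst


def _pattern_matches(rule: SearchRule, alias: str) -> bool:
    if rule.mode == "prefix":
        return alias.startswith(rule.pattern)
    if rule.mode == "suffix":
        return alias.endswith(rule.pattern)
    return re.fullmatch(rule.pattern, alias) is not None


def search_zones(src_zone: str, dst: str, rules: List[SearchRule]) -> List[str]:
    """Zones that will be asked for the alias, in rule order."""
    return [r.target_zone for r in rules
            if r.source_zone in ("Any", src_zone) and _pattern_matches(r, dst)]


def route_call(caller: str, callee: str, cfg: Dict[str, list]) -> Tuple[str, str, List[str]]:
    """Returns (policy decision, destination after transforms, zones to search)."""
    src_zone = assign_subzone(caller, cfg["membership"])
    decision = apply_call_policy(caller, callee, cfg["policy"])
    if decision != "Allow":
        return ("Reject", callee, [])        # rejected calls never reach the dial plan
    dst = apply_transforms(callee, cfg["transforms"])
    return ("Allow", dst, search_zones(src_zone, dst, cfg["search"]))


# Constructed configuration modelled on the article's screenshots.
CONFIG = {
    "membership": [
        MembershipRule("newdomain", 10, r".+@newdomain\.ru", "newdomain-subzone"),
        MembershipRule("nik", 20, r".+@nik", "nik"),
    ],
    "policy": [
        CallPolicyRule(r".+@newdomain\.ru", r"123456(@.+)?", "Allow"),
        CallPolicyRule(r".+@nik", r".+@nik", "Allow"),
        CallPolicyRule(r".+@newdomain\.ru", r"666666(@.+)?", "Allow"),
        CallPolicyRule(r".*", r".*", "Reject"),          # explicit catch-all from the article
    ],
    "transforms": [
        Transform(r"^(\d+)@newdomain\.ru$", r"\1"),      # strip the domain part
        Transform(r"^666666$", "639801"),                # vanity number -> existing room
    ],
    "search": [
        SearchRule("conference rooms", "Any", "prefix", "639", "Neighbor-MCU"),
        SearchRule("nik local", "nik", "suffix", "nik", "LocalZone"),
        SearchRule("six-digit local", "Any", "regex", r"\d{6}", "LocalZone"),
    ],
}

if __name__ == "__main__":
    for caller, callee in [("alice@newdomain.ru", "666666@newdomain.ru"),
                           ("bob@nik", "carol@nik"), ("mallory@other.ru", "123456")]:
        print(caller, "->", callee, route_call(caller, callee, CONFIG))
```

Note that the caller from other.ru is rejected by the catch-all before any transform or search rule runs, which is exactly why the article puts the explicit reject at the bottom rather than trusting an implicit deny it had not verified.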

Now a couple of words on pattern-matching variables. The best part is that these things work everywhere you use a regular expression, suffix or prefix. They are variables of the form %pattern%, used in regular expressions, Search Rules, and generally wherever you work with IP addresses or SIP domains.
A short but useful list of variables:
%localdomains% - all local SIP domains
%ip% - all IPv4 and IPv6 addresses
%ipv4%, %ipv6% - the same, but individually
%localdomain1% - the SIP domain with index 1 (ranges from 1 to 200)
%systemname% - the system name

Question: who will be calling? There are several ways to create a SIP user. The first, obvious one is to create a local user directly in VCS (VCS Configuration -> Authentication -> Devices -> Local database). The second option is to create a user in TMS (we do have a manager, after all). To create users of end devices (registered from devices), go to the menu System -> Regulation -> Users. On the left is the menu for creating groups and users (Add Group, Add users). In the same menu, at the bottom left, select Configuration Template and create a template for the group. It is worth mentioning that the templates differ for different terminal devices, but in fact have the same set of options: for example, domain, SIP server address, phone book address, etc. A set of schemas is downloaded into TMS, and the administrator fills in all the schemas. Filling in the template is intuitive, but the schemas of this template for end devices (whether a Jabber client or an E20 terminal) must be downloaded from the site beforehand.
[screenshot]
Authentication after integration with AD or LDAP is possible, but we did not need it.

Now Expressway. Create a SIP domain the same way as on Control. Since TMS and Expressway are in different networks separated by an ACL, the user must also be entered into the Local Database (likewise, create a subzone and a membership rule for membership in the subzone). For authentication to work, enable a Search Rule over SIP with source DefaultZone, searching with the regular expression ^(.+)@domain\.ru$ and sending the request to the Traversal Zone towards VCS Control. What this is for and why was found out only empirically: before registration, since this is NOT a Control, nobody falls under “its” network, the user is not listed in the domain and is not in the subzone, i.e. all NON-registered parties fall into the DefaultZone.
You can create 2 universal rules, Calls to Traversal zone and Calls from Traversal zone, for calls between VCSs (can we operate with such concepts now?). It is not hard to guess what they will look like, but if you do not need to allow end-to-end calls, it is better not to write this general rule and instead do it for each domain separately.
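The %pattern% variables listed earlier and the Expressway DefaultZone rule just described come together in the following added example, which is not the VCS's own code. It expands each variable into an ordinary regular expression (so %localdomains% becomes an alternation of the escaped domain names and %localdomain1% the first of them) and then evaluates the rule “source DefaultZone, regex ^(.+)@domain\.ru$, target Traversal zone” for a caller that has not registered yet. The local domain list, system name and the simplified IPv4/IPv6 fragments are constructed assumptions, not the VCS's internal definitions.

```python
"""Added example (not the VCS's own code): expands the %pattern% variables
listed above into plain regular expressions and evaluates the Expressway
search rule from the text (source DefaultZone, regex ^(.+)@domain\.ru$,
target Traversal zone).  Local domains, system name and the IPv4/IPv6
fragments are constructed stand-ins (assumption)."""
import re
from typing import Dict, List, Optional

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV6 = r"(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}"   # loose, enough for the demo


def build_variables(local_domains: List[str], system_name: str) -> Dict[str, str]:
    """Map each %variable% to a regex fragment.  %localdomainN% is 1-based and
    the text gives 200 as the maximum number of SIP domains."""
    if not 1 <= len(local_domains) <= 200:
        raise ValueError("a VCS holds between 1 and 200 SIP domains")
    escaped = [re.escape(d) for d in local_domains]
    variables = {
        "%localdomains%": "(?:" + "|".join(escaped) + ")",
        "%ipv4%": IPV4,
        "%ipv6%": IPV6,
        "%ip%": "(?:" + IPV4 + "|" + IPV6 + ")",
        "%systemname%": re.escape(system_name),
    }
    for index, domain in enumerate(escaped, start=1):
        variables[f"%localdomain{index}%"] = domain
    return variables


def expand(pattern: str, variables: Dict[str, str]) -> str:
    """Substitute every %variable%; an unknown variable is a configuration error."""
    def substitute(match: "re.Match") -> str:
        name = match.group(0)
        if name not in variables:
            raise KeyError(f"unknown pattern variable {name}")
        return variables[name]            # inserted literally, escapes preserved
    return re.sub(r"%[A-Za-z0-9]+%", substitute, pattern)


def matches(pattern: str, alias: str, variables: Dict[str, str]) -> bool:
    """Full-match the alias against the expanded pattern."""
    return re.fullmatch(expand(pattern, variables), alias) is not None


# Expressway search rules as described in the text (constructed representation).
EXPRESSWAY_RULES = [
    {"source": "DefaultZone", "pattern": r"^(.+)@domain\.ru$", "target": "TraversalZone"},
    {"source": "Any", "pattern": r"^(.+)@%localdomains%$", "target": "LocalZone"},
]


def expressway_target(source_zone: str, alias: str, variables: Dict[str, str]) -> Optional[str]:
    """Zone the Expressway sends the search to; unregistered callers arrive
    from DefaultZone and are forwarded over the traversal zone to Control."""
    for rule in EXPRESSWAY_RULES:
        if rule["source"] in ("Any", source_zone) and matches(rule["pattern"], alias, variables):
            return rule["target"]
    return None


VARS = build_variables(["domain.ru", "newdomain.ru"], "vcs-expressway")   # constructed

if __name__ == "__main__":
    print(expand("^(.+)@%localdomains%$", VARS))
    print(expressway_target("DefaultZone", "alice@domain.ru", VARS))
```

Because the rule's source is DefaultZone, a not-yet-registered caller with a domain.ru address is handed to the traversal zone, while the same address arriving from a registered zone is resolved locally; an address outside the local domains matches nothing and the search stops.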

Briefly about the MCU. The conference itself, as we recall, is hosted on the MCU. Managing conferences is simple: we establish an H.323 connection from the VCS to the MCU (there are plenty of guides on the Internet on this topic) and create the conference itself. The MCU's help has the same features as on VCS; nevertheless, a conference is created in the Conferences tab with the button “Add a new conference”. When creating a conference, most of the fields will be filled in from a (pre-configured) template; you will only need to fill in the following:
• Name - a text identifier
• Numeric ID - digits appended to the registration prefix
• PIN, if required
• Guest ID
• Guest PIN.
Templates provide automatic filling of some fields; they can be changed in the menu Home -> Conferences -> Templates. In addition to the basic settings, a custom layout is available (Home -> Conferences -> Conference “name” -> User layout). It determines the placement of the conference participants on the screen.
So, from scratch, you can configure a dial-in conference out of a pile of expensive hardware. Thank you for making it to the end, and happy New Year!

Sources
habrahabr.ru
www.cisco.com
www.anticisco.ru
linkmeup.ru
mcu.dc.codian.com
