Business to Business Video with Cisco Video Communication Server Expressway TM

Business to Business Video with Cisco Video Communication Server Expressway TM John Burnett

Agenda
- Introduction (objectives, scope, content)
- Introduction of Business Use Cases
- Design Principles
- Expressway Solution Overview
- Active FW/NAT traversal
- Signaling & Secure Media
- Calling Business to Business
- Solving the Media Routing Problem
- Interworking
- Scalability and Redundancy
- Business to Business Use Cases
- Closing Comments, References, Questions

Introduction

Session Objectives
- At the end of this course participants will have an understanding of how Business to Business video works, the capabilities available, and the challenges inherent to extra-enterprise video communications.
- They will gain a working knowledge of the Cisco VCS Expressway solution.
- They will gain a working knowledge of firewall traversal technologies implemented in the VCS Expressway.
- The participant will gain an understanding of use cases of the Expressway solution.

Scope and Content
- This presentation covers Cisco VCS Expressway and its associated functions and protocols.
- This presentation does not cover VCS Control or integration with Cisco Unified Communications Manager. However, all use cases extend to both CUCM and VCS.

What is Business to Business Video?
Business to business video comprises the applications and technologies that enable separate organizations to communicate with each other using video teleconferencing (this includes TelePresence).

Business to Business Video Options
[Diagram labels: VCS Devices, CUCM Devices, VCS-C, VCS-E, UCM/SME, CUBE, Gateway, Video Trunk, Voice Trunk, Peer-to-Peer (Internet), Private / Exchange SP Video, IP Voice Service, PSTN, Other VCS-Expressways, Jabber Video + other remote endpoints. Service Type: Video, Voice]

Business to Business Video: Scope for this Discussion
[Diagram labels: VCS Devices, CUCM Devices, VCS-C, VCS-E, UCM/SME, Video Trunk, Peer-to-Peer (Internet), Other VCS-Expressways, Cloud Service, Jabber Video + other remote endpoints. Service Type: Video, Voice]

Business to Business Use Cases: Video Federation
Use Case 1: Technology Company with Many Sales Partners
The Challenge: An enterprise with a large and numerous partner sales force needs to communicate at many levels: sales, marketing, management.
[Diagram labels: Global Enterprise (Unified CM, VCS, VCS-E, Conferencing, Management, Scheduling, Gateway, Multipoint, Unity Connection, Unified Presence); Internet; APAC Sales Partner (VCS-E, VCS); EMEA Sales Partner (VCS-E, VCS); Global Sales Partner (VCS-E, VCS); NA Sales Partner (VCS-E, VCS)]

Business to Business Use Cases: Video Federation
Use Case 2: Manufacturing Partnership
The Challenge: An enterprise in EMEA with a manufacturing partner in APAC needs to keep a close watch on manufacturing processes.
[Diagram labels: EMEA Enterprise (Unified CM, VCS, VCS-E, Conferencing, Management, Scheduling, Gateway, Multipoint, Unity Connection, Unified Presence); Internet; APAC Partner (VCS)]

Business to Business Use Cases: Video Federation
Use Case 3: Banking Alliance
The Challenge: Global bank executives and select management need to communicate securely with other banks through ad hoc and scheduled events.
[Diagram labels: Bank of X, Bank of Y, Royal Bank, Z Bank, each with Unified CM, VCS, VCS-E, Conferencing, Scheduling, Management, Gateway, Multipoint, Unity Connection, Unified Presence; Internet]

Business to Business Use Cases: Video Cloud Service
Use Case 4: High Value Clients
The Challenge: An enterprise wants to offer B2B video and other services to highly valued clients.
[Diagram labels: EMEA Enterprise (Unified CM, VCS, VCS-E, Conferencing, Management, Scheduling, Gateway, Multipoint, Unity Connection, Unified Presence); Internet; Cloud Service; Client Home; Client at Coffee shop]

Design Principles

Design Principles for the VCS
- Solution must not break any existing network functionality
- Must be flexible enough to accommodate new application requirements
- Low impact: easy to deploy, use, and manage
- Must work with existing FW / DMZ topology
- Media should take the least impaired path between endpoints
- Must be secure and comply with regulatory constraints
- System must be fault tolerant and scalable

Expressway Solution Overview

Expressway Solution Overview: How Expressway Works
[Diagram labels: Inside Network, DMZ, Outside Network, Internet, A, B, VCS Control, VCS Expressway, Firewall]
1. VCS Expressway is the traversal server installed in the DMZ. VCS Control is the traversal client installed inside the enterprise network.
2. VCS Control connects via the firewall to a specific port on the VCS Expressway with secure login credentials.
3. Once the connection has been established, the VCS Control sends keep-alive packets to the VCS Expressway.
4. When VCS Expressway receives an incoming call, it issues an incoming call request to VCS Control.
5. The VCS Control then initiates a connection to the internal endpoint.
6. The call is established and media traverses the firewall securely.

Expressway Solution Overview: Signaling Functions
- Active FW traversal via H.460.18/19, Assent
- Endpoint location & call routing services
- H.323 - SIP interworking
- H.239 - BFCP interworking
- IPv4 - IPv6 interworking
[Diagram labels: Video Endpoint, Conference Resource, VCS-C, FW, VCS-E, DMZ, FW, Internet, Conference Resource]

Expressway Solution Overview
Function / Attribute:
- Call control: H.323 and SIP
- Interworking: SIP / H.323 and IPv4 / IPv6 interworking
- Scale: 500 local, 100 traversal calls per VCS
- FW Traversal Protocols: H.460.18/19; SIP traversal; ICE
- Call Routing: E.164, H.323 ID, or SIP URI; DNS SRV, ENUM, Local
- Management Support: HTTPS admin, CLI, Event / Call Logging, SNMP
[Diagram labels: +1(408)867-5309, joe@a.com, 7035551212, CUCM, alice@b.com, bob@a.com, bob.jabbevideo@a.com, Video Endpoint, A.com Conference Resource, VCS (Traversal Client), FW, VCS Expressway A.com (Traversal Server), DMZ, FW, Cloud Conference Resource, Internet]

Active FW/NAT Traversal

Active FW/NAT Traversal: Firewall Traversal and Signaling
H.323 firewall traversal protocols
- The VCS supports two different firewall traversal protocols for H.323: Assent and H.460.18/H.460.19.
- Assent is Cisco's proprietary protocol.
- H.460.18/19 are ITU standards which define protocols for the firewall traversal of signaling and media respectively. These standards are based on the original Assent protocol.
SIP firewall traversal protocols
- The VCS supports the Assent protocol for firewall traversal of media.
- The signaling is traversed through a TCP/TLS connection established from the client to the server.
A traversal server and traversal client must use the same protocol in order to communicate.
SIP and H.323 each use a different, specific port for the traversal connection.

Active FW/NAT Traversal: Traversal Port Summary
H.323 Assent
- Call signaling: UDP/6001 listening for RAS; TCP/2776 listening for H.225 and H.245
- Media: UDP/2776 RTP media port; UDP/2777 RTCP media control
H.323 H.460.18/19
- Call signaling: UDP/6001 listening for RAS; TCP/1720 listening for H.225; TCP/2777 listening for H.245
- Media: UDP/2776 RTP media port; UDP/2777 RTCP media control; UDP/50000-54999 de-multiplex media port range
SIP Assent
- Call signaling: TCP or TLS/7001 listening for signaling
- Media: SIP media uses Assent to traverse the firewall. The default ports are the same as for H.323: UDP/2776 RTP media port; UDP/2777 RTCP media control

Active FW/NAT Traversal: Applications Traversed
H.460.18/.19 (Assent) Active Firewall Traversal
[Diagram labels: Video Endpoint, Conference Resource, VCS-C, FW, VCS-E, DMZ, FW, Internet, Conference Resource, Video Endpoint; SIP, H.323; RTP main video, Aux RTP Presentation, Audio, FECC]

Active FW/NAT Traversal: VCS Firewall traversal (recommended, most secure)
[Diagram labels: A, VCS Control, FW / NAT, VCS Expressway (private IP address), FW / NAT, Internet, B]
- No ports inbound need to be opened on the internal firewall
- Allows the DMZ to have non-public/private IP addressing
- Static NAT on VCS Expressway
- VCS Expressway needs the Dual Network Interface option
- Minimize ports that need to be opened inbound through the public-facing firewall
- Endpoints can register directly to VCS Expressway
- Non-registered endpoints can send calls to VCS Expressway
- 3-legged firewalls (not shown) are also supported

Active FW/NAT Traversal: VCS Firewall traversal (least secure)
[Diagram labels: A, VCS Control, FW / NAT, VCS Expressway (public IP address), Internet, B]
- No ports inbound need to be opened on the internal firewall
- Minimize ports that need to be accessible on the Expressway
- Traverse only known ports
- Endpoints can register directly to VCS Expressway
- Non-registered endpoints can send calls to VCS Expressway

Secure Signaling & Media

Secure Signaling and Media: SIP with (Assent) traversal, point to point
[Diagram labels: A, VCS-C (Traversal Client, Source), FW, VCS-E (Traversal Server, Listening), FW, Internet, B]
- SIP/TLS (5061) on the endpoint-facing sides
- SIP/TLS keep-alive: source (25000:29999) to listening (7001)
- Media RTP: source (50000:54999) to listening (2776)
- Media RTCP: source (50000:54999) to listening (2777)
- SDES/SRTP (RFC 4568), SDES/SRTCP (RFC 4568)
- Traversal client generates outgoing keep-alive messages acknowledged by VCS-E
- SRTP/SRTCP are negotiated and established between A and B

Secure Signaling and Media: H.323 with (H.460.18/19) traversal, point to point
[Diagram labels: A, VCS-C (Traversal Client, Source), FW, VCS-E (Traversal Server, Listening), FW, Internet, B; Initial RAS, Q.931/H.225, H.245; (1719), Keep-alive (6001), (1719), (15000:19999), (1720), (1720) Q.931/H.225, (2777), (2777) H.245, (50000:52399), (2776) Media RTP, (50000:52399), (2777) Media RTCP; H.235 AES-128]
- Traversal client generates outgoing keep-alive messages acknowledged back by VCS-E
- Q.931/H.225 is signaled outbound on 1720
- H.235 encryption is negotiated and established between A and B

Secure Signaling and Media: VCS Media Encryption, RTP to SRTP
[Diagram labels: A, VCS-C, VCS-E, Internet, VCS-E, VCS-C, B; Media Encryption mode: Off, On, Auto, Best Effort; RTP, SDES/SRTP (RFC 4568)]
- Auto: No media encryption policy applied by the VCS
- Best Effort: Use encryption if available, otherwise fall back to unencrypted
- Force Encrypted: All media must be encrypted
- Force Unencrypted: All outgoing media will be unencrypted
- Encryption policy applies to SIP and SIP<>H.323 interworked calls

Calling Business to Business

Calling Business to Business: Zone Options
[Diagram labels: VCS Expressway (Local Zone: Default Subzone, Traversal Subzone, Subzones); Neighbor zone; Neighbor or Trunk; Default zone; DNS zone; ENUM zone; Traversal Server zone; Traversal Client zone; VCS-C (Traversal Client); Internet DNS]

Calling Business to Business: URI Dialing with DNS
[Diagram labels: DNS Hierarchy; companya.com DNS server; companyb.com DNS server; companya.com VCS-C; companya.com VCS-E; companyb.com VCS-E; any companya.com codec; x.y@companyb.com; INTERNAL; EXTERNAL]
- Endpoint registers with VCS-C
- Endpoint calls x.y@companyb.com
- DNS replies with the IP address of companyb.com's registered VCS-E
- companya.com VCS-E forwards the SIP INVITE to companyb.com using the IP address received via DNS
- companyb.com VCS-E sends SIP 200 OK
- Endpoint registers with VCS-E

Calling Business to Business: URI Dialing with DNS
- SRV (or Service) records define the priority, weight, port number and hostname of the VCS Expressway
- SRV records are required in the authoritative public DNS system
- Priority and weight can be allocated to many IN SRV records. This provides some basic fault recovery capability.
SRV-record examples for the domain jadewindow.com:
_h323ls._udp.jadewindow.com service = 1 50 1719 sjc-vcse02.jadewindow.com.
_h323ls._udp.jadewindow.com service = 0 50 1719 sjc-vcse01.jadewindow.com.
_h323cs._tcp.jadewindow.com service = 1 50 1720 sjc-vcse02.jadewindow.com.
_h323cs._tcp.jadewindow.com service = 0 50 1720 sjc-vcse01.jadewindow.com.
_sip._tcp.jadewindow.com service = 0 50 5060 sjc-vcse01.jadewindow.com.
_sip._tcp.jadewindow.com service = 1 50 5060 sjc-vcse02.jadewindow.com.
_sips._tcp.jadewindow.com service = 0 50 5061 sjc-vcse01.jadewindow.com.
_sips._tcp.jadewindow.com service = 1 50 5061 sjc-vcse02.jadewindow.com.
A-records to resolve sjc-vcsexx.jadewindow.com are required:
sjc-vcse01.jadewindow.com in a 128.107.82.103
sjc-vcse02.jadewindow.com in a 128.107.82.104
Verification / Record Retrieval:
Windows: nslookup -type=srv _h323ls._udp.jadewindow.com
Mac: dig _sip._tcp.jadewindow.com SRV

DNS SRV Format: SRV records for SIP and H.323 (RFC 2782)
_sips._tcp.example.com 86400 IN SRV 10 60 5061 vcs.example.com
- _sips: name of the service
- _tcp.example.com: protocol (TCP, UDP...) and domain name
- 86400: DNS Time-To-Live, how long the server caches the record before it flushes the cache
- IN: DNS class. Always IN
- 10: Priority. The lowest priority value is preferred. If the connection fails, the client falls back to the record with the next higher priority value
- 60: Weight. For records with the same Priority, it is used for load-balancing
- 5061: Port. TCP or UDP port for the service
- vcs.example.com: Target. Hostname or IP address of the host providing the service
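The selection rules above, applied to the jadewindow.com records from the previous slide. This is an added example, not code from the presentation: it orders SRV targets by priority and RFC 2782 weighted selection and resolves them through the listed A records. Trying `_sips._tcp` before `_sip._tcp`, and all function names, are assumptions of this sketch.

```python
import random
from collections import defaultdict
from typing import NamedTuple


class Srv(NamedTuple):
    owner: str
    priority: int
    weight: int
    port: int
    target: str


# SRV and A records for jadewindow.com as listed on the slide (nslookup form).
SLIDE_SRV = """\
_h323ls._udp.jadewindow.com service = 1 50 1719 sjc-vcse02.jadewindow.com.
_h323ls._udp.jadewindow.com service = 0 50 1719 sjc-vcse01.jadewindow.com.
_h323cs._tcp.jadewindow.com service = 1 50 1720 sjc-vcse02.jadewindow.com.
_h323cs._tcp.jadewindow.com service = 0 50 1720 sjc-vcse01.jadewindow.com.
_sip._tcp.jadewindow.com service = 0 50 5060 sjc-vcse01.jadewindow.com.
_sip._tcp.jadewindow.com service = 1 50 5060 sjc-vcse02.jadewindow.com.
_sips._tcp.jadewindow.com service = 0 50 5061 sjc-vcse01.jadewindow.com.
_sips._tcp.jadewindow.com service = 1 50 5061 sjc-vcse02.jadewindow.com.
"""
SLIDE_A = {
    "sjc-vcse01.jadewindow.com": "128.107.82.103",
    "sjc-vcse02.jadewindow.com": "128.107.82.104",
}


def parse_srv(text):
    """Parse 'owner service = priority weight port target' lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        owner, sep, rdata = line.strip().partition(" service = ")
        fields = rdata.split()
        if not sep or len(fields) != 4:
            raise ValueError(f"not an SRV line: {line!r}")
        prio, weight, port = (int(f) for f in fields[:3])
        records.append(Srv(owner.lower(), prio, weight, port,
                           fields[3].rstrip(".").lower()))
    return records


def rfc2782_order(records, rng=None):
    """Lowest priority value first; weighted random choice within a priority."""
    rng = rng or random.Random()
    groups = defaultdict(list)
    for rec in records:
        groups[rec.priority].append(rec)
    ordered = []
    for prio in sorted(groups):
        # RFC 2782: zero-weight records go first, then pick by running sum.
        pool = sorted(groups[prio], key=lambda r: r.weight)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


def connect_plan(records, a_records, domain,
                 services=("_sips._tcp", "_sip._tcp"), rng=None):
    """Return ordered (service, ip, port) attempts for the first service
    in `services` that the domain publishes; [] if none is published."""
    for service in services:
        owner = f"{service}.{domain}".lower()
        matching = [r for r in records if r.owner == owner]
        if not matching:
            continue
        plan = []
        for rec in rfc2782_order(matching, rng):
            ip = a_records.get(rec.target)
            if ip is None:  # the slide notes A records are required
                raise LookupError(f"SRV target {rec.target} has no A record")
            plan.append((service, ip, rec.port))
        return plan
    return []


if __name__ == "__main__":
    for attempt in connect_plan(parse_srv(SLIDE_SRV), SLIDE_A, "jadewindow.com"):
        print(attempt)
```
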

What is GEO DNS or Split-Horizon DNS?
Wikipedia says: In computer networking, split-horizon DNS, split-view DNS, or split-brain DNS is the facility of a Domain Name System (DNS) implementation to provide different sets of DNS information, selected by, usually, the source address of the DNS request.

What does Geo DNS do for me?
- Allows a single global domain presence.
- With the assumption that nearer is better, the nearest point of entry (Expressway) is returned based on where the query came from.
- Supports multiple site deployments of Expressway

Geo DNS: Multiple site deployment
[Diagram labels: Incoming Calls; Tomo@companyA.com; Susan@companyA.com; Americas HQ (VCS-E, VCS-C); Europe HQ (VCS-E, VCS-C); Asia HQ (VCS-E, VCS-C)]

Solving the Media Routing Problem

Solving the Media Routing Problem: Why is media latching needed?
- RTP was designed for media initiation from both sides. This requires that both the source and destination IP addresses of the endpoints are routable.
- The address in signaling is not reachable if the call initiator uses a non-routable (RFC 1918) address
[Diagram label: VCS Expressway]
SDP:
v=0
o=cisco 1 2 IN IP4 192.168.1.119
s=
c=IN IP4 192.168.1.119
b=AS:256
t=0 0
m=audio 21628 RTP/AVP 127 120 121 8 0 11 100
b=TIAS:256000
a=rtpmap:127 MP4A-LATM/90000
a=fmtp:127 profile-level-id=24;object=23;bitrate=64000
a=rtpmap:11 L16/48000
a=rtpmap:100 telephone-event/8000
a=fmtp:100 0-15
a=sendrecv
m=video 21630 RTP/AVP 123 122 97 34 110

Solving the Media Routing Problem: VCS Media Latching
- VCS determines that the destination is NAT'd: the Contact address differs from the source IP address
- Media (RTP & RTCP) is sent to the remote end after a media packet is received (this opens up the NAT binding).
- Media is sent to the network address from which the media packet is received
[Diagram labels: VCS Expressway; Internet; Public Address + port; Private Address + port]
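The latching decision described on the two slides above, as an added example that is not code from the presentation or from the VCS. It reads the signaled media address from an abridged copy of the slide's SDP, decides whether the sender is NAT'd, and latches to the source of the first media packet. Locking to that first source and counting packets from other sources is a design choice of this sketch, not documented VCS behaviour; the public addresses are constructed documentation addresses.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Abridged from the SDP shown on the slide.
SLIDE_SDP = """\
v=0
o=cisco 1 2 IN IP4 192.168.1.119
c=IN IP4 192.168.1.119
t=0 0
m=audio 21628 RTP/AVP 127 120 121 8 0 11 100
m=video 21630 RTP/AVP 123 122 97 34 110
"""


def parse_sdp_media(sdp):
    """Return {media type: (ip, port)}, honouring session- and media-level c= lines."""
    session_ip, current, media = None, None, {}
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        kind, value = line[0], line[2:]
        if kind == "c":
            parts = value.split()
            if len(parts) != 3 or parts[0].upper() != "IN":
                raise ValueError(f"unsupported c= line: {line!r}")
            ip = parts[2].split("/")[0]
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            if current is None:
                session_ip = ip
            else:
                media[current] = (ip, media[current][1])
        elif kind == "m":
            fields = value.split()
            current = fields[0]
            media[current] = (session_ip, int(fields[1]))
    if any(ip is None for ip, _ in media.values()):
        raise ValueError("media section without a connection address")
    return media


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class MediaLatch:
    """Tracks where media for one stream should be sent."""

    def __init__(self, signaled, signaling_source_ip):
        self.signaled = signaled
        # NAT'd if the signaled address is private or is not where signaling came from.
        self.natted = is_rfc1918(signaled[0]) or signaled[0] != signaling_source_ip
        self.latched = None
        self.ignored = 0  # packets from unexpected sources, useful for alerting

    def destination(self):
        """Address to send media to, or None while waiting for the first packet."""
        return self.latched if self.natted else self.signaled

    def on_packet(self, source):
        """Process the source (ip, port) of a received media packet."""
        if self.natted and self.latched is None:
            self.latched = source  # first packet opens the NAT binding
            return True
        if source != self.destination():
            self.ignored += 1
            return False
        return True


if __name__ == "__main__":
    audio = parse_sdp_media(SLIDE_SDP)["audio"]
    latch = MediaLatch(audio, signaling_source_ip="203.0.113.10")
    print(latch.natted, latch.destination())
    latch.on_packet(("203.0.113.10", 40002))
    print(latch.destination())
```
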

Solving the Media Routing Problem: Address Comparison

What is ICE?
- Interactive Connectivity Establishment, as described by RFC 5245
- ICE provides a mechanism for SIP client NAT traversal
- ICE is a framework which makes use of the Session Traversal Utilities for NAT (STUN) protocol and its extension, Traversal Using Relay NAT (TURN)
- ICE allows the clients to discover enough information about their topologies to potentially find one or more paths by which they can communicate.

Solving the Media Routing Problem: SIP ICE (Interactive Connectivity Establishment)
- Choose the method of connecting media
- Direct, server reflexive, and TURN relay paths
[Diagram labels: VCS Expressway TURN Server; TURN Relay; Server Reflexive; Direct]

Solving the Media Routing Problem: SIP ICE - Candidates
[Diagram labels: Relay, Reflexive, Host]

Solving the Media Routing Problem: SIP ICE Offer / Answer
- SDP offer (INVITE or OK)
- SDP answer (OK or ACK)
- INVITE: SDP offer containing ICE candidate info, ICE-ufrag (ICE ID), ICE-pwd
- 200 OK: SDP answer containing ICE candidate info, ICE-ufrag (ICE ID), ICE-pwd

Solving the Media Routing Problem: SIP ICE TURN establishment
[Diagram messages, one set per endpoint:]
- Request: CreatePermission: IP addresses of destinations
- CreatePermission success

Solving the Media Routing Problem: SIP ICE Direct connection
[Diagram messages, in each direction:]
- STUN Bind request, ICE-ufrag
- STUN Bind success, Your ICE-ufrag:My ICE-ufrag
- Media

Solving the Media Routing Problem: SIP ICE Server reflexive connection
For full cone or restrictive cone firewalls
[Diagram messages and annotations:]
- STUN Bind request #1, ICE-ufrag
- STUN Bind request #2, ICE-ufrag
- STUN Bind success, Your ICE-ufrag:My ICE-ufrag
- STUN Bind request, ICE-ufrag
- STUN Bind success, Your ICE-ufrag:My ICE-ufrag
- Media
- This request gets in due to the previous outbound message
- The second one goes through due to the outbound message to the other firewall

Solving the Media Routing Problem: SIP ICE TURN relay connection
If no paths can be built, media will traverse via the TURN server on the VCS Expressway (Relay candidate)
[Diagram labels: VCS Expressway TURN Server; Media; TURN Relay]

Solving the Media Routing Problem: SIP ICE Firewall types
- Some firewalls allow any responses to be returned from the device that had the message sent to it: Full cone, Restricted cone
- Others restrict to messages coming from the same IP port: Port restricted, Symmetric
For a good reference on firewall types, see: https://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html

Solving the Media Routing Problem: SIP ICE
Will Cisco VCS take the media, or will ICE control the media flow?
- ICE can only work with the VCS if the VCS does not have to take the media
- VCS has to take the media if the call is a traversal call. EXCEPTION: VCS does not need to take the media when the endpoint supports ICE, even if behind a firewall.
- If the two ICE devices are registered to a VCS Expressway or Expressway cluster, ICE will control the media flow
- If only 1 device is registered to the Cisco VCS Expressway, Cisco VCS uses its "do I need to take media" decision
- Cisco VCS takes media if:
  - Destination is a non-ICE endpoint only reachable via a traversal zone
  - Any interworking is required (SIP / H.323 or IPv4 / IPv6)
  - Endpoint is non-ICE behind a firewall (apparent address <> contact address)
- ICE will work if a non-registered device makes a call and the other device is registered.

Interworking

Interworking
- Lots of products are migrating towards SIP, yet the majority of deployed video products are still H.323
- Encryption schemes for these protocols also require interworking
- IPv4 address starvation is real, but migration to IPv6 will not happen overnight
- Interworking requires media to traverse the VCS platform
- The VCS tries to route the call using the incoming protocol, then attempts the other protocol
- Interworking is a configurable option in VCS-E

H.323/SIP Interworking Call: RFC 4123 Functionalities
- Mapping of the call setup and teardown sequences
- Registering H.323 and SIP endpoints with SIP registrars and H.323 gatekeepers
- Resolving H.323 and SIP addresses
- Maintaining the H.323 and SIP state machines
- Negotiating terminal capabilities
- Opening and closing media channels
- Mapping media-coding algorithms for H.323 and SIP networks
- Reserving and releasing call-related resources
- Processing of mid-call signaling messages
- Handling of services and features

VCS Interworking: Why media must traverse the VCS
SIP vs. H.323 signaling (paraphrase): Ask vs Tell
- SIP: This is what I can receive.
- H.323: This is what I am going to send.
[Diagram labels: SIP, H.323; Receive H.264 (106); Sending H.264 (121); Receive H.264 (121); Sending H.264 (106); RTP (106); RTP (121); Signaling; Media]

VCS Interworking: IPv4-IPv6
[Diagram labels: A, B, VCS Control, FW, VCS-E, Internet, VCS-E, FW, VCS Control; IPv4, IPv6; Signaling, Media, Signaling & Media]
- Interworking between IPv4 and IPv6 registered devices
- VCS-E is configured for both IPv4 and IPv6 and can receive calls in either protocol
- VCS eases migration to IPv6 by managing legacy IPv4 equipment
- Media is proxied through VCS-E for firewall traversal

VCS Interworking: IPv4-IPv6
- The VCS supports IPv4 only, IPv6 only, or both for registration and calling of endpoints. (Both is the default.)
- The VCS communicates in the protocol native to the endpoint's registration. This means the VCS acts as a native IPv4 to IPv6 gateway and vice versa.
- Calls that are interworked between IPv4 and IPv6 are traversal calls, and signaling and media will traverse the VCS.
- The VCS supports the assignment of an IPv6 unicast address and an IPv6 gateway address

Scalability and Redundancy: VCS Cluster Capacities
- 10,000 registrations
- 1000 external zones
- N+2 redundancy
- 2000 concurrent calls
- 400 concurrent traversal calls
- Each member is a fully active VCS.
- N+2 means you can lose up to 2 VCSs and still maintain full functionality

VCS Cluster Capabilities
- All VCSs can take registrations
  - H.323 endpoints receive up to (6) alternate gatekeeper addresses in random order
  - Endpoints fail over registration to alternate peers
  - The SIP standard does not have the same alternate gatekeeper functionality
  - SIP endpoints can use SIP Outbound, which is preferred if supported by the endpoint
  - SIP endpoints can use DNS SRV or DNS round-robin to re-register to peers
  - Must use FQDN for the VCS address on the SIP endpoint
- All VCSs can take calls
  - Bandwidth usage is shared across VCSs in the cluster
  - Inter-VCS routing to the lowest loaded VCS

Scalability and Redundancy: Cluster Call Licensing Management
- VCS is aware of cluster peers and can share call licenses within the cluster.
- If VCS connectivity fails, its call licenses are available to peer VCSs for 2 weeks.
- The maximum total number of call licenses on a VCS is 500 non-traversal and 100 traversal.
[Diagram: three views of a VCS cluster whose peers each hold 250 non-traversal call licenses, with some peers marked "VCS Fails"; the combined totals shown are 750, 750 and 500 non-traversal call licenses, the last due to the 500 limit per VCS]
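
The license-sharing rules on this slide, worked through as an added example (not code from the presentation or from Cisco). It assumes a three-peer cluster with 0, 1 and 2 failed peers, as read from the flattened diagram, and assumes a failed peer's licenses leave the pool once the 2-week window has passed; peer names and the reference date are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PER_VCS_LIMIT = 500            # slide: max non-traversal call licenses usable on one VCS
GRACE = timedelta(weeks=2)     # slide: a failed peer's licenses stay available for 2 weeks


@dataclass
class Peer:
    name: str                              # constructed peer name
    licenses: int                          # non-traversal call licenses installed on the peer
    failed_at: Optional[datetime] = None   # None means the peer is up


def usable_licenses(peers, now, per_vcs_limit=PER_VCS_LIMIT):
    """Return the non-traversal call licenses the surviving peers can actually use."""
    alive = [p for p in peers if p.failed_at is None]
    if not alive:
        return 0
    # Pool: licenses of live peers plus those of peers that failed within the grace window.
    pool = sum(p.licenses for p in peers
               if p.failed_at is None or now - p.failed_at <= GRACE)
    # Each surviving VCS can use at most per_vcs_limit licenses, whatever the pool size.
    return min(pool, len(alive) * per_vcs_limit)


def scenario(n_peers, n_failed, days_since_failure=0, licenses=250):
    """Build a cluster of identical peers with n_failed of them down and evaluate it."""
    now = datetime(2024, 1, 15)            # constructed reference time
    failed_at = now - timedelta(days=days_since_failure)
    peers = [Peer(f"vcs{i + 1}", licenses, failed_at if i < n_failed else None)
             for i in range(n_peers)]
    return usable_licenses(peers, now)


if __name__ == "__main__":
    for failed in (0, 1, 2):
        print(f"{failed} failed peer(s): {scenario(3, failed)} non-traversal call licenses")
    print(f"1 failed peer, 15 days later: {scenario(3, 1, days_since_failure=15)}")
```

The two-failure case is the one to plan around: the pool still holds 750 licenses, but the single surviving VCS can only use 500 of them.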

Business to Business Use Cases

Business to Business Use Cases: Video Federation
Use Case 1: Technology Company with Many Sales Partners
The Challenge
- An enterprise with a large and numerous partner sales force needs to communicate at many levels: sales, marketing, management.
The Solution
- Expressway cluster for scale
- URI dialing over DNS
- DNS zone for federation
- Geo DNS for theater Expressway clusters
[Diagram: Global Enterprise (Unified CM, VCS, VCS-E, Conferencing, Management, Scheduling, Gateway, Multipoint, Unity Connection, Unified Presence) connected over the Internet to the APAC, EMEA, NA and Global Sales Partners, each with a VCS and VCS-E]

Business to Business Use Cases: Video Federation
Use Case 2: Manufacturing Partnership
The Challenge
- An enterprise in EMEA with a manufacturing partner in APAC needs to keep a close watch on manufacturing processes.
The Solution
- Expressway Traversal
- Traversal Neighbor Zone
- Do not Check Credentials: all calls from the partner are treated as unauthenticated
- Media Latching (endpoints-only solution)
[Diagram: EMEA Enterprise (Unified CM, VCS, VCS-E, Conferencing, Management, Scheduling, Gateway, Multipoint, Unity Connection, Unified Presence) connected over the Internet to the APAC Partner VCS]

Business to Business Use Cases: Video Federation
Use Case 3: Banking Alliance
The Challenge
- Bank executives and select management need to communicate securely with other banks for ad hoc and scheduled events.
The Solution
- Dedicated neighbor zones
- Certificate trust relationship
- Enforced encryption on Expressway
- URI dialing preferred but not necessary
- Check Credentials: credentialed calls are authenticated
[Diagram: Bank of X, Bank of Y, Royal Bank and Z Bank, each with Unified CM, VCS, VCS-E, Conferencing, Scheduling, Management, Gateway, Multipoint, Unity Connection and Unified Presence, connected over the Internet]

Business to Business Use Cases: Video Cloud Service
Use Case 4: High Value Clients
The Challenge
- An enterprise wants to offer B2B video and other services to highly valued clients.
The Solution
- DNS Zone
- Active FW/NAT Traversal
- ICE for media routing optimization
[Diagram: EMEA Enterprise (Unified CM, VCS, VCS-E, Conferencing, Management, Scheduling, Gateway, Multipoint, Unity Connection, Unified Presence) connected over the Internet to a Cloud Service, a client at home and a client at a coffee shop]

Active FW/NAT Traversal: VCS Firewall Traversal (remote)
[Diagram: VCS and VCS Expressway separated by firewalls, with endpoints alice.office.ex90@a.com, alice.home.ex90@a.com and alice.jabbervideo@a.com reaching the VCS Expressway over the Internet]
- H.323 endpoints are H.460.18/19 traversal clients
- SIP endpoints use ICE if ICE is enabled
- VCS uses media latching for SIP endpoints without ICE

Backup Slides