VCON SecureConnect

1
VCON SecureConnect

• Solutions for Secure Firewall Traversal
  Encrypted Communications

2
SecureConnect Family Overview

• Extends the benefits of IP-based communications
  safely beyond the edges of the managed data
  network
• Remote branch offices
• Home office workers
• Customers and business partners
• Solves the connectivity problems associated with
  firewalls and NAT servers without jeopardizing
  security
• Encryption option for securing media and
  signaling streams
• Highly scalable and centrally manageable

3
Hurdles with Firewalls and IP-Based
Communications

• Firewalls
• Most are closed to inbound traffic.
• Minimize or eliminate open ports.
• NAT
• Used on LANs to create private IP addresses
• Addresses cant be reached from outside the LAN.

4
The VCON ALG Proxy Server

• Overcomes Firewall and NAT Hurdles
• Firewall cooperation and synergy
• No firewall ports are opened in the inward
  direction
• Firewall does not need to accommodate requests to
  open random or dynamic ports
• External devices never connect directly to the
  inside network
• Internal devices never connect directly to the
  outside network
• Seamless Address Resolution
• Creates reachable addresses for endpoints on
  the LAN

5
The VCON ALG Proxy Server

• Able to securely proxy
• Gatekeeper registration
• Call setup messages signaling
• Media streams (audio video)
• Neighbor gatekeeper messages
• VCON Interactive Multicast streams
• MXM admin console login andremote device
  administration
• Far-end camera control messages
• Scalable up to 100 concurrent video calls per
  server
• Available encryption option

6
ALG Proxy Server - continued

• Supports any standard H.323 device (endpoint,
  MCU, gateway)
• Media streams pass directly between conference
  participants
• Configurable QoS (DiffServ or IP Precedence) for
  audio, video and data streams
• Single and dual-server configurationsavailable

7
Single vs Dual-Server Config
Dual-Server Config
Single-Server Config
Public Network
Private Network
Private Network
Inside Proxy
Outside Proxy
Firewall or NAT
Inside Outside Proxy

• Inside outside proxy elements of the ALG can be
  combined or split
• Both configurations prevent direct connections
  between private and public network entities
• With either configuration, the outside proxy can
  be encrypted for added security

8
Typical Headquarter / NOC Configuration
PC-Based Endpoints
ALG Proxy (Inside)
ALG Proxy (Outside)
Public Network
MXM
Firewall/NAT
Settop Appliance
Video Directory
MCU
9
Typical Branch Office or Small-Medium Business
Configuration
PC-Based Endpoints
ALG Proxy (Inside)
ALG Proxy (Outside)
Public Network
Firewall/NAT
Settop Appliance
MCU

• Local devices point to the inside proxy for GK
  registration
• Calls between local devices does not result in
  mediastreams passing through the ALG Proxy

10
Endpoints in the Public Address Space
ALG Proxy
Firewall/NAT

• Remote devices point to the outside ALG Proxy for
  GK registration
• Calls between outside devices does not result in
  mediastreams passing through the ALG Proxy

11
Multi-Zone Gatekeeper Configuration
Peer-to-Peer or Meshed
Hierarchical
MXM
ALG Proxy

• Neighbor gatekeeper zone definitions utilize
  thepublic IP address of the outside ALG Proxy
  component

12
The VCON Advanced Encryption Server

• Supports DES, 3DES AES encryption standards
• Establishes peer-to-peer encryptedtunnels
  between authenticated users
• Combine with ALG Proxy to encrypt all traffic
  that leavesthe proxy
• Scalable up to 10,000 concurrently logged in
  clients and 1,000 concurrent calls per server
• Remote users only have access to pre-determined,
  application-specific resources
• Versus traditional VPN solutions, which give
  theuser full access to the enterprise or service
  provider network

13
The VCON Encryption Client

• Supports PC-based devices
• Windows 98, NT, 2000, XP
• UserID and Password authentication to the
  Encryption Server
• Encrypts signaling and media streams immediately
  as they leave the PC-based device
• DES, 3DES, AES encryption standards

• No charge downloadable client
• Give to customers or business partners for access
  to video network
• Downloadable from the VCON website

14
All PC-Based Devices Configuration
Advanced Encryption Server
Encryption Client
PC-Based Endpoints
Public Network
MXM
Firewall/NAT
VCB (MCU)

• All PC-based devices running the Encryption
  Client are logged in to the Advanced Encryption
  Server
• Data streams flow directly between the devices
  withoutpassing through the Encryption Server
• Unless both participants have private IP addresses

15
Leveraging the ALG Proxy for Encryption
Advanced Encryption Server
Encryption Client
PC-Based Endpoints
ALG Proxy (Inside)
ALG Proxy (Outside)
Public Network
Firewall/NAT
Non-PC Devices
MCU

• The outside proxy is enabled with encryption
• This proxy only counts as a single client login
  on the Encryption Server
• Allows encryption for non-PC devices, including
  MCUs
• All traffic across the public network is encrypted

16
Versatility of the SecureConnect Solution
Branch Office or Small Business
Headquarter / NOC
Encryption Server
ALG Proxy
MXM
Public Network
ALG Proxy
Home Office
VCB
Road Warriors
17
High Availability Features
Dual NIC cards
RAID controller mirrored hard drives
Dual memory modules
Software watchdog for services
18
Other SecureConnect Features

• 1 year software subscription included with all
  SecureConnect servers
• Access to all SW enhancements for a period of 1
  year
• Scalability upgrades accomplished via a license
  key
• No need to take the system out of service