
Traversal Between Private and Public Networks by Adding a Proxy (SE2000)

Based on the SBC (proxy) implementation principle, there are two NAT traversal solutions: proxy mode and UDP tunnel traversal mode.

8.4.1 Proxy Mode

Figure 8-9 shows the proxy mode.

Figure 8-9 Proxy mode (figure not reproduced; it shows the service software, GK and MCU of network 1 behind the SBC)

1. The SBC proxy solution requires no change to the network or the firewall. Through the SBC, terminals on a private network can reach a public network, and terminals on a public network can reach a videoconferencing system on a private network.

2. An SBC device is deployed at the egress of network 1. Its uplink and downlink ports are connected to network 2 and network 3 respectively (an SBC can have several uplink and downlink ports).

3. On the terminals of network 2 and network 3, the GK address is set to the address of the SBC downlink port. On the SBC, the server address is set to the GK address of network 1. Signaling and media streams from network 2 and network 3 therefore reach the GK and MCU of network 1 only through the SBC.
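The three steps above amount to a full-proxy SBC: every message and every media packet is terminated on an SBC port and re-originated from another SBC port, so the terminal only ever learns SBC addresses and the GK/MCU only ever learn SBC addresses. The following Python model is an added example written for this page, not SE2000 code: the message dicts, class names and port numbering are hypothetical, and the "first packet fixes the peer" rule on the terminal side is an assumption about how an SBC copes with a NAT between it and the terminal.

```python
"""Full-proxy SBC in miniature: signaling address rewrite plus media relay.

Added example, not SE2000 code. Message format, class names and port
numbers are hypothetical; the behaviour shown is the one described in the
text: terminals and the GK/MCU only ever see SBC port addresses, and every
media packet is relayed by the SBC hop by hop.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import count
from typing import Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Session:
    call_id: str
    term_media: Addr                       # where the terminal asked RTP to be sent
    uplink_relay: Addr                     # SBC port facing network 1 (GK/MCU side)
    downlink_relay: Addr                   # SBC port facing the terminal's network
    mcu_media: Optional[Addr] = None       # learned from the MCU's answer
    term_observed: Optional[Addr] = None   # source actually seen on the first packet


class SbcProxy:
    """Sits between terminals (downlink) and the GK/MCU of network 1 (uplink)."""

    def __init__(self, downlink_ip: str, uplink_ip: str, gk: Addr, port_base: int = 20000):
        self.downlink_ip = downlink_ip
        self.uplink_ip = uplink_ip
        self.gk = gk                        # the configured "server address" (GK of network 1)
        self._ports = count(port_base, 2)   # even ports for RTP; odd ports left for RTCP
        self.sessions: dict[str, Session] = {}
        self.by_relay: dict[Addr, Session] = {}

    def proxy_setup(self, msg: dict) -> dict:
        """Terminal -> SBC -> GK: replace the terminal's media address with an
        SBC uplink relay port, so network 1 never learns the terminal IP."""
        up = (self.uplink_ip, next(self._ports))
        down = (self.downlink_ip, next(self._ports))
        s = Session(msg["call_id"], tuple(msg["media"]), up, down)
        self.sessions[s.call_id] = s
        self.by_relay[up] = s
        self.by_relay[down] = s
        out = dict(msg)
        out["media"] = up
        out["dst"] = self.gk
        return out

    def proxy_connect(self, msg: dict) -> dict:
        """GK/MCU -> SBC -> terminal: replace the MCU's media address with the
        SBC downlink relay port, so the terminal never learns the MCU IP."""
        s = self.sessions[msg["call_id"]]
        s.mcu_media = tuple(msg["media"])
        out = dict(msg)
        out["media"] = s.downlink_relay
        return out

    def relay_media(self, dst: Addr, src: Addr, payload: bytes) -> Optional[Tuple[Addr, Addr, bytes]]:
        """Forward one RTP packet that arrived at an SBC relay port.

        Returns (new_src, new_dst, payload), or None when the packet is dropped.
        A port that belongs to no session drops everything (default deny).
        """
        s = self.by_relay.get(dst)
        if s is None or s.mcu_media is None:
            return None
        if dst == s.downlink_relay:
            # Terminal side: the first packet fixes the peer address. With a NAT
            # between terminal and SBC this is the translated address
            # (assumption: the usual SBC source-learning behaviour).
            if s.term_observed is None:
                s.term_observed = src
            elif src != s.term_observed:
                return None             # another source trying to inject media
            return (s.uplink_relay, s.mcu_media, payload)
        if src != s.mcu_media:
            return None                 # only the MCU may send on the uplink port
        return (s.downlink_relay, s.term_observed or s.term_media, payload)


def demo() -> dict:
    """Constructed call: SBC downlink faces 192.168.2.0/24, uplink faces network 1."""
    sbc = SbcProxy("192.168.2.1", "10.1.0.2", gk=("10.1.0.10", 1719))
    setup = sbc.proxy_setup({"call_id": "c1", "media": ("192.168.2.20", 5004)})
    connect = sbc.proxy_connect({"call_id": "c1", "media": ("10.1.0.20", 30000)})
    from_term = sbc.relay_media(connect["media"], ("192.168.2.20", 5004), b"rtp1")
    from_mcu = sbc.relay_media(setup["media"], ("10.1.0.20", 30000), b"rtp2")
    spoofed = sbc.relay_media(connect["media"], ("192.168.2.99", 5004), b"bad")
    return {"setup": setup, "connect": connect, "from_term": from_term,
            "from_mcu": from_mcu, "spoofed": spoofed}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point to take from the model is the one the text makes in the advantages list: because the SBC terminates both legs, a NAT on either side only ever sees flows to and from the SBC, and a packet that does not belong to an established session has no relay port to land on.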

This solution has the following advantages:

1. The live network needs no changes, so the solution is easy to deploy.

2. Existing devices, including terminals, GK and MCU, need no changes, so compatibility is broad.

3. The GK and MCU are invisible to terminals, which gives a high level of security.

4. All packets pass through the SBC, so suitable QoS policies can be applied at the SBC.

5. Videoconferencing services on multiple networks can interwork through a single SBC device, keeping cost low.

Technical White Paper for Traversal of Huawei Videoconferencing System Between Private and Public Networks

8 Huawei Videoconferencing System's Solution to Traversal Between Private and Public Networks

This solution has the following disadvantages:

1. The proxy device cannot itself traverse a firewall, so it is deployed in parallel with the firewall on the network.

2. The proxy device must be used together with a GK.

8.4.2 UDP Tunnel Traversal Mode

This mode suits a large enterprise that deploys a firewall on its intranet, does not want to use the SBC proxy solution, and does not want to modify the firewall configuration frequently. Only one or two UDP ports need to be opened on the firewall. The tunnel is established between the SBCs, and the NAT traversal of videoconferencing services is carried out through it.

Figure 8-10 shows the UDP tunnel traversal mode.

Figure 8-10 UDP tunnel traversal mode (figure not reproduced; it shows terminals behind the internal SBC, the firewall, and the external SBC)

1. Two SBCs are added to the network, one on the customer premises network and one on the network side.

Customer premises network: an SBC is added to the user network and serves as the client of the UDP tunnel.

Network side: an SBC is added on the network side and serves as the server of the UDP tunnel.

2. The internal SBC integrates the UDP tunnel client (UTC); the external SBC integrates the UDP tunnel server (UTS). The UDP tunnel runs between the UTC and the UTS and carries all packets, signaling as well as audio/video media streams, between the external network and the internal network.

3. In this mode, the GK address configured on private-network terminals is the address of the internal SBC, and the external proxy address configured on the internal SBC is the address of the SBC on the public network.
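What makes the tunnel mode work with "only one or two UDP ports" is that the UTC wraps every inner flow (call signaling, RTP, RTCP) in the same outer UDP stream, and the UTS unwraps and dispatches them; the firewall only ever sees that one port. The following Python framing is an added example written for this page, not SE2000 code. The frame layout, the HMAC tag and the replay window are assumptions: the text says the proxy performs a security check after decapsulation, and since the open port is reachable from outside and the firewall cannot inspect what is inside the tunnel, an integrity check on every frame is the kind of check a practitioner would expect there.

```python
"""UDP tunnel framing between UTC (internal SBC) and UTS (external SBC).

Added example, not SE2000 code. Frame layout, HMAC tag and replay window
are assumptions; they show how signaling, RTP and RTCP share one
firewall-permitted UDP port and are checked on arrival.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

MAGIC = b"UT"
VERSION = 1
# inner flow kinds carried by the tunnel (hypothetical numbering)
SIGNALING, RTP, RTCP = 1, 2, 3
# magic(2) version(1) kind(1) seq(4) inner_port(2) length(2)
HDR = struct.Struct("!2sBBIHH")
TAG_LEN = 16   # truncated HMAC-SHA256 over header + payload


class TunnelEndpoint:
    """One end of the tunnel; the same class serves as UTC or UTS."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key            # pre-shared key between UTC and UTS (assumption)
        self.send_seq = 0
        self.high_seq = -1
        self.window = window
        self.seen = set()

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()[:TAG_LEN]

    def encapsulate(self, kind: int, inner_port: int, payload: bytes) -> bytes:
        """Wrap one inner packet; all kinds leave through the same outer UDP port."""
        hdr = HDR.pack(MAGIC, VERSION, kind, self.send_seq, inner_port, len(payload))
        self.send_seq += 1
        body = hdr + payload
        return body + self._tag(body)

    def decapsulate(self, frame: bytes) -> Optional[Tuple[int, int, bytes]]:
        """Check and unwrap a frame; returns (kind, inner_port, payload) or None."""
        if len(frame) < HDR.size + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return None           # forged or corrupted: drop before parsing anything
        magic, ver, kind, seq, port, length = HDR.unpack_from(body)
        if magic != MAGIC or ver != VERSION or kind not in (SIGNALING, RTP, RTCP):
            return None
        payload = body[HDR.size:]
        if len(payload) != length:
            return None
        if not self._accept_seq(seq):
            return None           # replayed frame
        return kind, port, payload

    def _accept_seq(self, seq: int) -> bool:
        """Sliding-window replay check on the per-tunnel sequence number."""
        if seq in self.seen or seq <= self.high_seq - self.window:
            return False
        self.seen.add(seq)
        if seq > self.high_seq:
            self.high_seq = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return True


def demo() -> list:
    """Constructed traffic: three inner flows from the private network cross
    the firewall inside one UDP port and are dispatched by the UTS."""
    key = b"constructed-shared-key"
    utc, uts = TunnelEndpoint(key), TunnelEndpoint(key)
    frames = [
        utc.encapsulate(SIGNALING, 1720, b"SETUP call-1"),
        utc.encapsulate(RTP, 5004, b"\x80\x00" + b"A" * 8),
        utc.encapsulate(RTCP, 5005, b"\x81\xc8" + b"B" * 4),
    ]
    return [uts.decapsulate(f) for f in frames]


if __name__ == "__main__":
    for kind, port, payload in demo():
        print(kind, port, payload)
```

The disadvantage listed later in this section follows directly from the framing: every media packet now pays for the extra header, the tag and a second hop through the UTS, which is why the media path UTC, NAT/FW, UTS constrains performance.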


This solution has the following advantages:

1. There is no restriction on terminals or servers, and the solution traverses firewall NAT.

2. Existing devices, including terminals, GK and MCU, need no changes, so compatibility is broad.

3. The security level is high. The GK and MCU are invisible to terminals, and after the packets sent by terminals are encapsulated and decapsulated by the tunnel, the proxy performs a security check on them.

4. All packets pass through the SBC, so suitable quality of service (QoS) policies can be applied at the SBC.

This solution has the following disadvantages:

1. Multiple SBCs are required, which increases the implementation cost.

2. The network deployment is relatively complex: routing between the UTC and the UTS must be considered, and the existing firewall configuration must be modified once to open the tunnel port(s).

3. Media streams must follow the path UTC -> NAT/FW -> UTS, so the network performance of the media stream is constrained by that path.

Huawei Quidway SessionEngine2000 (SE2000) is positioned as a session border controller (SBC): a proxy-based IP service gateway. SE2000 is used to deploy videoconferencing services on an IP network and helps videoconferencing GKs and terminals resolve problems of NAT traversal, security, QoS and interworking.

SE2000 uses signaling and media proxy technology to process and forward call packets and media streams in a directed manner. It also redirects the RTP receive address and port of private-network and public-network users, so address translation between network domains (including between a public network and a private network) is implemented easily and media streams traverse NAT gateways.

Unlike a NAT application layer gateway (ALG), SE2000 works in full-proxy mode and relays media streams itself, so it places no special requirement on NAT devices. Existing devices on the live network therefore need no reconstruction, which makes service deployment convenient for telecom operators.

8.4.3 Solution Analysis

This solution has the following advantages:

SE2000 works in full-proxy mode and relays media streams in a directed manner.

There is no special requirement on NAT devices, so existing devices on the live network need no reconstruction. This makes service deployment convenient for telecom operators.

This solution does not affect existing services and guarantees the security and quality of video conferences.

All video terminals can be used on the customer premises network.

As a convergence-layer device, the SBC prevents terminals from directly reaching important devices such as the GK, and thereby provides security protection, QoS guarantee and terminal access management for those devices.

This solution has the following disadvantages:

SE2000 series devices must be added to the original network.


8.5 Interworking Between Private Networks by Adding
