Break ISP restrictions to implement enterprise-class VoIP Communication

Source: Internet
Author: User

In recent years, broadband services based on IP technology have become increasingly popular. As a result, H.323 multimedia communication systems are no longer limited to private-network user groups; they are increasingly favored by Internet-based enterprise users as well. As H.323 systems spread across the Internet, the long-standing problem of firewall and NAT traversal faces new challenges, and the conflict between the protocol and the network perimeter is becoming increasingly apparent.

Compared with broadband access environments abroad, China's broadband network environment has its own characteristics, so Chinese enterprise users still face some non-technical obstacles when deploying H.323 systems. Together, the technical and non-technical barriers have kept the adoption of video conferencing and VoIP in enterprises far slower than expected. Breaking through these obstacles will, to a certain extent, promote the popularization and development of IP applications such as video conferencing and VoIP.

You may already know that the H.323 protocol dynamically allocates ports for audio and video media during a call and creates and maintains multiple UDP data streams. This conflicts with the way many enterprise firewall policies are written: traditional firewalls restrict traffic to fixed ports and, as a basic policy, prohibit connections initiated from the outside.

In addition, it is well known that, apart from the United States, the world faces an extremely scarce IPv4 address space, and IPv6 cannot be deployed on a large scale in a short period of time. Many solutions have been proposed for this thorny problem, and Network Address Translation (NAT) is one of the best. However, once NAT is adopted, enterprise users may only have private IP addresses for their IP voice and video devices. Because these addresses cannot be routed on the public network, the video conferencing or VoIP devices the enterprise has purchased may be unusable.

In fact, most organizations use both a firewall and NAT, so the VoIP solution an enterprise adopts must be complete: one solution must solve both of the above problems at the same time.

Traditionally, several solutions are considered, each with its own advantages and disadvantages:

1. PSTN Gateway
A gateway converts IP voice and video on the LAN into circuit-switched PSTN voice and video over the public telephone network. With such a gateway there is no firewall traversal problem to worry about, because no data packets need to pass through the firewall or NAT devices.
However, this solution faces many problems: complicated equipment, troublesome connections, difficult expansion, and a single function. It also gives up the cost advantage of long-distance IP communication, so it is rarely used in practice.

2. Dual-network-port MCU
Use an MCU with two network ports: one connects to the internal network, and the other connects directly to the external public network. Although this solution is relatively simple to deploy, enterprise users unfortunately need to go through the MCU even for point-to-point calls, losing the convenience of VoIP. This solution also has a fatal flaw: in the network topology the MCU sits in parallel with the firewall, which is a very serious security risk. Once an attacker compromises the MCU, the user's internal network is completely exposed.

3. H.323 Proxy
An H.323 proxy makes one call look like two separate calls: one from the terminal on the private network to the proxy server, and the other from the proxy server to the terminal on the public network. By relaying the call this way, the H.323 proxy solves the NAT problem. The H.323 proxy must provide both a gatekeeper proxy function and a proxy function for the RTP/RTCP media streams.
The biggest problem with this solution is that it does not solve the firewall problem.

4. Application Layer Gateway
Enterprises can use an application layer gateway to solve both the firewall and the NAT traversal problems. An application layer gateway is a firewall that understands specific IP protocols such as H.323 and SIP; it is also called an ALG firewall. It performs deep inspection of the packets flowing through the device: it identifies not only layer-3 (routing layer) data but also application-layer data. By analyzing the content of the communication, the firewall's ports can be controlled dynamically, and the content determines whether a port is opened.
The disadvantage of this solution is that it adds processing work to the firewall, reduces network transmission efficiency, and may become a bottleneck for network transmission.
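The following toy model is an added illustration, not code from the original article. It shows concretely why the dynamically negotiated UDP media ports described earlier are dropped by a conventional stateful firewall, and how an ALG that inspects the call signaling opens pinholes only for the ports the call announced. The addresses, the port numbers and the text form of the logical-channel message are all constructed for this example; real H.245 messages are ASN.1/PER encoded and are not parsed with a regular expression.

```python
"""Toy model: fixed-port stateful firewall vs. an H.323-aware ALG.
Added illustration for this article; message format and addresses are invented."""
from dataclasses import dataclass, field
import re

INSIDE = "10.0.0.5"       # terminal on the private LAN (constructed)
OUTSIDE = "203.0.113.7"   # remote H.323 terminal on the public Internet (constructed)
H225_PORT = 1720          # the one fixed, well-known H.323 call-signaling port


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


@dataclass
class StatefulFirewall:
    """Permits outbound connections and their replies; everything else inbound
    is dropped unless a static rule (proto, dst_port) or a pinhole allows it."""
    static_rules: set = field(default_factory=lambda: {("tcp", H225_PORT)})
    pinholes: set = field(default_factory=set)        # (proto, inside_ip, inside_port)
    outbound_state: set = field(default_factory=set)  # 5-tuples we initiated

    def outbound(self, pkt: Packet) -> bool:
        self.outbound_state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.outbound_state:
            return True                      # reply to a connection we opened
        if (pkt.proto, pkt.dport) in self.static_rules:
            return True                      # statically allowed port
        return (pkt.proto, pkt.dst, pkt.dport) in self.pinholes


# Invented text stand-in for the H.245 logical-channel exchange, in which each
# side tells the other where it will receive RTP and RTCP.
OLC_RE = re.compile(r"OpenLogicalChannel rtp=(\d+) rtcp=(\d+)")


class Alg(StatefulFirewall):
    """Same firewall, plus inspection of outbound call signaling: each announced
    media port becomes a pinhole for the announcing inside host only."""

    def outbound(self, pkt: Packet) -> bool:
        super().outbound(pkt)
        m = OLC_RE.search(pkt.payload) if pkt.dport == H225_PORT else None
        if m:
            for port in map(int, m.groups()):
                self.pinholes.add(("udp", pkt.src, port))
        return True


def run_call(fw: StatefulFirewall) -> list:
    """Drive one outbound call through fw; return which inbound media packets pass."""
    fw.outbound(Packet("tcp", INSIDE, 40001, OUTSIDE, H225_PORT,
                       "Setup; OpenLogicalChannel rtp=49170 rtcp=49171"))
    media = [
        Packet("udp", OUTSIDE, 5004, INSIDE, 49170),   # announced RTP port
        Packet("udp", OUTSIDE, 5005, INSIDE, 49171),   # announced RTCP port
        Packet("udp", OUTSIDE, 6000, INSIDE, 49172),   # never announced: must stay closed
    ]
    return [fw.inbound(p) for p in media]


if __name__ == "__main__":
    print("plain firewall:", run_call(StatefulFirewall()))   # [False, False, False]
    print("ALG firewall:  ", run_call(Alg()))                # [True, True, False]
```

The plain stateful firewall drops all three media packets because the UDP flows arrive from outside and match neither a static rule nor the TCP signaling connection; the ALG admits exactly the two ports the call announced and still drops the third. A production ALG would additionally expire each pinhole when the logical channel is closed or the call ends, which is also where the extra per-packet inspection cost mentioned above comes from.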

5. Virtual Private Network (VPN)
At present, many firewall manufacturers offer products that combine NAT and VPN functions. The VPN function makes communication between all of a user's branches and headquarters behave as if it were on one local area network, so as far as connectivity is concerned this solution supports all video conferencing and VoIP functions.
However, as an enterprise network administrator you must note that H.323 maintains multiple dynamic connections, so whether the firewall's load capacity can meet the needs of such applications requires careful analysis. The added functions inevitably raise the cost of producing the equipment, and therefore the cost of ownership for the user.

6. Tunnel penetration solution
The tunnel penetration solution consists of two components: a Server and a Client. The Client is placed on the private network behind the firewall, and the terminals on the private network register with it. The Client creates a dedicated signaling and control channel to the Server outside the firewall, over which all registration and call-control signaling and all audio and video data are forwarded to the Server. Traffic from the Server toward the Intranet is made to look like replies to that connection, so it passes smoothly through the firewall and NAT. The Server sits on the public network and acts as the gatekeeper proxy: all registration and call signaling received from the Client is forwarded by the Server to the central gatekeeper.
The disadvantage of this method is that all communication crossing the firewall must be forwarded through the Server, which may become a bottleneck, and users must add an additional proxy device to the video conferencing system.
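To make the re-encapsulation idea behind solution 6 (and the VPN and tunnel remark at the end of the article) concrete, here is an added example of the framing a tunnel Client and Server could use to carry H.225/H.245 signaling and RTP/RTCP media over one outbound TCP connection that the firewall already permits. This is illustration code written for this page, not the code or wire format of any real product: the header layout, channel numbers and sample payloads are all invented, and a real Client would read from the terminal's UDP sockets and write to the TCP socket instead of the in-memory demo below.

```python
"""Tunnel framing demo: multiplex signaling and media onto one TCP stream and
demultiplex it again, tolerating arbitrary TCP segmentation.
Added illustration for this article; the wire format is invented."""
import struct

MAGIC = 0xA5                          # first byte of every frame (invented)
CH_SIGNALING, CH_RTP, CH_RTCP = 1, 2, 3
HEADER = struct.Struct("!BBHI")       # magic, channel, original UDP port, payload length
MAX_PAYLOAD = 64 * 1024               # upper bound a receiver will accept


def encapsulate(channel: int, src_port: int, payload: bytes) -> bytes:
    """Client side: wrap one signaling message or one UDP datagram into a frame."""
    if channel not in (CH_SIGNALING, CH_RTP, CH_RTCP):
        raise ValueError("unknown channel")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    return HEADER.pack(MAGIC, channel, src_port, len(payload)) + payload


class Decapsulator:
    """Server side: reassemble frames from a byte stream that TCP may deliver in
    pieces of any size. Returns complete frames as (channel, port, payload)."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data: bytes) -> list:
        self.buf += data
        frames = []
        while len(self.buf) >= HEADER.size:
            magic, channel, port, length = HEADER.unpack_from(self.buf)
            if magic != MAGIC or length > MAX_PAYLOAD:
                # A desynchronised or hostile peer: do not try to resync, drop it.
                raise ValueError("corrupt stream; drop connection")
            if len(self.buf) < HEADER.size + length:
                break                                  # wait for the rest of the frame
            frames.append((channel, port,
                           bytes(self.buf[HEADER.size:HEADER.size + length])))
            del self.buf[:HEADER.size + length]
        return frames


# Constructed sample payloads: a minimal RTP header (V=2, PT=0) plus fake audio.
RTP_SAMPLE = bytes([0x80, 0x00, 0x00, 0x01]) + b"\x00\x00\x00\xa0" + b"\x12\x34\x56\x78" + b"audio"
SIGNALING_SAMPLE = b"Setup"
RTCP_SAMPLE = b"SR"


def demo(chunk: int = 7) -> list:
    """Send three frames through the tunnel, delivering the stream in small
    chunks to show that reassembly does not depend on TCP segment boundaries."""
    stream = (encapsulate(CH_SIGNALING, 1720, SIGNALING_SAMPLE)
              + encapsulate(CH_RTP, 49170, RTP_SAMPLE)
              + encapsulate(CH_RTCP, 49171, RTCP_SAMPLE))
    server = Decapsulator()
    received = []
    for i in range(0, len(stream), chunk):
        received.extend(server.feed(stream[i:i + chunk]))
    return received


if __name__ == "__main__":
    for channel, port, payload in demo():
        print(channel, port, payload)
```

Because every frame travels inside the one outbound TCP connection, the firewall sees a single permitted flow rather than the many dynamic UDP streams H.323 would otherwise open, and intermediate devices see only the tunnel's own framing; the price is that every byte of every call now crosses the Server, which is exactly the bottleneck noted above. The receiver deliberately rejects a frame with a bad magic byte or an oversized length instead of skipping ahead, since a framing decoder that tries to resynchronise on untrusted input is a common source of memory and logic bugs.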

The solutions above are technical answers to the firewall and NAT problems. However, users in China still encounter non-technical problems in practice. One is that China's broadband network service providers are at the same time telecom service providers, and audio and video communication over the Internet undercuts their traditional long-distance services. Many broadband providers therefore configure their own network equipment to block standards-based audio and video protocols, including H.323 and SIP. In other words, even when an enterprise's video conferencing or VoIP system successfully solves the firewall and NAT problems, it may still be unusable because the telecom provider blocks it.

Of the solutions above, VPN and tunnel technology re-encapsulate the communication content, so these two solve the firewall and NAT problems while also avoiding blocking by telecom service providers. However, both are logical star topologies: all communication must be relayed through the center, so the price is paid in bandwidth at that central point.
