RCV Connectivity/Firewall requirements
​
The ReadyCloud Video (RCV) service uses the following public network range: 122.56.65.112/28
​
Connecting via Essentials - When connecting to RCV via essentials this route will be injected and redistributed via the Spark WAN Routers. If your environment has internal routing e.g., Layer 3 Switches, then it is important to ensure that the RCV network route points to the Spark WAN and not the Internet gateway.
Note – Environments with internal Firewalls will need to permit the RCV traffic
Connecting via the Internet – When connecting to RCV via the internet (RCV Basic Only) no additional routes will be required as the gateway of last resort for the network should route this traffic to the internet gateway.
Note – Internet firewall rule changes will be required.
​
VC Bandwidth Requirements
​
VC calling is typically setup preferred calling speed of 1920kbps (2Mbps). This calling speed will provide a VC call with 720p resolution at 30fps.
The per site network bandwidth requirements will need to be designed to support the maximum number of simultaneous VC calls.
NOTE: when video traffic co-exists in the same high priority queue as Unified Comms (PBX) voice traffic, care should be taken to ensure no contention of bandwidth between the voice and video traffic. Therefore – there should be sufficient real-time traffic to support peak video and peak voice traffic simultaneously. For customers using RCC, we recommended registering your VC endpoints to RCC also to take advantage of a single point of Call Admission control for optimal management of this.
​
Quality of Service
​
Though the RCV service does not mandate that video traffic be carried in an end to end QoS enabled environment it is highly recommended.
​
The following default traffic marking is recommended for VC endpoints.
​
RCV Registered VC endpoints
NOTE: the markings below apply to Essentials connected clients.
From VC endpoint to RCV:
Traffic Type Diffserv Value Recommended Queue
Audio: 46 (EF) Realtime Queue (Highest priority queue)
Signalling: 24 Interactive Queue (Medium/Intermediate queue)
Video: 34 Realtime Queue (Highest priority queue)
From RCV to VC endpoint (marked by RCV service):
Traffic Type Diffserv Value Recommended Queue
Video/Audio/Signalling 34 Realtime Queue (Highest priority queue)
​
RCV JabberGuest and PVMR Browser Based Video Calling (Browser based client)
NOTE: the markings below apply to both Essentials connected and Internet connected clients.
From Client to RCV (standard marking by plugin):
Traffic Type Diffserv Value Recommended Queue
Video/Audio/Signalling (HTTPS) 0 Business (Best Efforts)
From RCV to Client (marked by RCV service):
Traffic Type Diffserv Value Recommended Queue
Video/Audio/Signalling (HTTPS) 0 Business (Best Efforts)
​
Skype for Business federated and any Internet Connected endpoints
NOTE: All Internet based traffic is best efforts due to the lack of queuing. Markings will vary based on client type but are ultimately not honoured.
From Endpoint to RCV:
Traffic Type Diffserv Value Recommended Queue
Video/Audio/Signalling Any n/a
From RCV to endpoint (marked by RCV service):
Traffic Type Diffserv Value Recommended Queue
Video/Audio/Signalling 0/34/46 n/a
​
​
Disable SIP Application Layer Gateway Function
​
On some routers and firewalls the SIP ALG (Application Layer Gateway) Functions can cause issues with video traffic and will need to be disabled.
​
Cisco IOS routers (e.g. 877, 1900, 2900, etc.)
Note: SIP ALG is enabled by default and should be disabled particularly in older IOS versions. For example, 12.4 and older. Issue the following command in global config mode:
Router(config)# no ip nat service sip tcp port 5060
Juniper ScreenOS firewall
More information on how to view the status of the Application Layer gateway function and how to disable it can be found here:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB13509
or for J-Web interface:
Video Conferencing Endpoint Firewall Rules
​
The following rules apply to standards-based SIP or H.323 VC endpoints connecting to RCV. The rules apply to SIP Registered or Unregistered endpoints, connecting via the Internet or Essentials.
​
The rules below assume the following:
-
Ensure any NAT traversal fix up functionality is disabled on the firewall, as it can interfere with the media ports and cause media transmission issues
-
Ensure that the firewalls Deep Packet Inspections or Application Level Gateway is turned off for this traffic as it could cause connections issues.
-
Rules below assume firewall rules are reflexive (allow return traffic of established sessions) and general outbound TCP ports 80, 443 and DNS are allowed.
​
VC Endpoints Registering to RCV Standard
​
This scenario could apply to RCV Standard endpoints. The traffic flow would not typically traverse any firewalls unless internal firewalls have been placed between the VC endpoints and the Spark WAN. RCV Standard supports registration via SIP Only.
​
​
​
​
​
​
​
​
​
​
​
​
​
​
​
Unregistered VC Endpoints Calling to RCV via Essentials
This scenario could apply to RCV Basic environments. The traffic flow would not typically traverse any firewalls unless internal firewalls have been placed between the VC endpoints and the Spark WAN.
​
​
​
​
​
​
​
​
​
​
​
​
Unregistered VC Endpoints Calling to RCV via Internet
​
This scenario could apply to RCV Basic environments where the service is accessed via the internet. The VC endpoint would require the following permissions to be able to establish a call to RCV. The VC Endpoint could be positioned in a Public IP on a DMZ or on the internal LAN with Network Address Translation (NAT).
​
Video Conferencing Software Client Firewall Rules
​
The following rules apply to Software video clients connecting to RCV. These clients do not register to the service and can connecting to the service via the Internet or Essentials.
​
The rules below assume the following:
-
Ensure any NAT traversal fix up functionality is disabled on the firewall as it can interfere with the media ports and cause media transmission issues
-
Ensure that the firewalls Deep Packet Inspections or Application Level Gateway is turned off for this traffic as it could cause connections issues.
-
Rules below assume firewall rules are reflexive (allow return traffic of established sessions) and general outbound TCP ports 80, 443 and DNS is allowed.
​
Polycom Real Presence Client or Cisco Jabber for TelePresence
​
Connecting via a Spark Essentials Connection – The Polycom RealPresence client allows direct SIP calling to the ReadyCloud Video service.
This client does not need to register to ReadyCloud Video. Therefore, the traffic can go directly to RCV via the essentials connection without traversing the customers’ internet firewall.
Connecting via the Internet - Below are the internet firewall ports that must be opened to allow the Cisco Jabber Video client (not the Enterprise Jabber collaboration client) or the Polycom RealPresence client to access the ReadyCloud Video Internet gateway.
​
​
​
​
​
​
​
​
​
​
​
​
* The Polycom RealPresence Client should be setup to call with SIP, using TCP and no registration.
​
ReadyCloud Video – Jabber Guest
​
The RCV Guest service uses Cisco’s Jabber Guest software and allows users to join VMR’s from their Windows/Apple browser or Android/IOS device. In a typical home environment firewall rule changes are typically not required. Corporate firewalls may have tighter controls on outbound connections and may require some of the following additions.
​
​
​
​
​
​
​
​
​
Note - Internet Proxy exemptions may be required in some environments. Customers with a Spark Essentials connection can route RCV Guest traffic via the WAN rather than over the internet.
Test VMR Link - https://guest.rcvideo.net/call/demo
​
​
​
ReadyCloud Video – PVMR Web Browser Video Calling
​
The RCV PVMR service allows users to connect and control meetings natively from a supported browser (Chrome, Firefox, Edge and Safari). This service will support meeting participants from either within or outside of the organisation. The firewall ports for this service are typical web browser ports and are therefore already permitted by most corporate firewalls. The traffic for this service can flow either via the WAN/Essentials or via the internet.
​
​
​
​
​
​
​
​
​
​
​
​
Note - Internet Proxy exemptions may be required in some environments. Customers with a Spark Essentials connection can route RCV PVMR traffic via the WAN rather than over the internet.
​
PVMR Active Directory Integration
​
ReadyCloud Video – AD Integration
​
The PVMR service integrates with the customers Active Directory database to read user details when creating their PVMRs. These credentials are also used to access the PVMR Portal (https://my.rcvideo.net) and the Outlook Plug-in. Microsoft AD 2008 or later is required.
​
​
​
​
​
​
​
​
To establish connectivity a certificate trusts must be established between the RCV service and the Customer’s AD server to create a secure connection for the exchange of PVMR User credentials and the authentication of login attempts. The customer then creates a read-only Active Directory Service Account which RCV can use to read users credentials. The account name should be ‘PVMR AD Service Account’ and the password must be set to not expire.
​
NOTE: Please see here for Skype for Business federation firewall rules.
​
​