VidyoCloud™ offers a Hybrid solution which includes deploying local Vidyo servers that connect to the cloud. VidyoRouter™, VidyoGateway™, and VidyoReplay™ are all part of this service offering. Reasons for a Hybrid implementation can range from bandwidth restrictions to quality improvement to better security. Your Vidyo sales engineer and CSM can help assess if this option is a good fit for your company.
What is a Hybrid Solution?
To implement a Hybrid solution, you will need to deploy local Vidyo servers, such as:
- VidyoRouter – For local client media traffic; helps manage WAN bandwidth and improves local quality.
- VidyoGateway – For local legacy endpoint connectivity; helps manage bandwidth and manage legacy connectivity (firewall, security, etc.).
- VidyoReplay – For local recording capabilities; keeps your recordings local.
Normally, Hybrid servers are deployed in the customer’s DMZ and relevant security policies are added to the network so the servers can connect to the cloud as well as be managed by the VidyoCloud Operations team. As a best practice, the servers should only be used by internal users; external users are directed to cloud public resources.
This article highlights the requirements for such a deployment. If you have questions or want to investigate other options, please contact the Vidyo implementation team. You can also see the attached document for a Hybrid Implementation Form that you can fill out.
What is the Process?
Here are the steps you should expect to take to deploy a Hybrid solution:
- Deploy the servers (physical or virtual) and configure the basic IP addresses.
- Configure 1-to-1 NAT when applicable.
- Open the firewall for inbound management traffic.
- Open outbound traffic to the VidyoCloud environments (Prod and Staging).
- A Vidyo implementation engineer will upgrade the servers to the latest version.
- A Vidyo implementation engineer will help obtain and upload SSL certificates.
- If deploying VidyoReplay, a NAS/SAN storage will be required.
- Configure external and internal DNS servers.
- Provide subnet information to VidyoCloud Operations.
- VidyoCloud Operations will add the servers to the staging environment and schedule a test.
- Vidyo and the customer will test together to make sure servers can properly connect and local endpoints are directed to use these resources.
- Once confirmed to be working, the VidyoCloud team will take ownership of the servers (change the passwords) and will schedule a production deployment.
Note: We can only deploy to our production environment during a scheduled maintenance window. These windows typically occur during the first weekend of each month.
- VidyoCloud Operations will add the servers and subnet rules to Cloud production and perform a test.
Since this will be done off hours, we recommend providing a test endpoint that is configured to auto-answer on the local network.
- Once enabled on the environment, the resource (server) will be assigned to the customer tenant.
What are the Requirements for a Hybrid Implementation?
Here are the requirements for a Hybrid implementation:
- Local Vidyo servers must be accessible for management from the NJ office.
- Local Vidyo servers must be accessible to the VidyoCloud infrastructure.
- Local Vidyo servers must be accessible to the VidyoCloud staging infrastructure.
- The customer is responsible for obtaining an SSL certificate from a publicly known CA for all local Vidyo servers.
- The customer needs to provide this information for each local Vidyo server:
- Public FQDN
- Public IP address (if NATed)
- Admin password for web interface/SSH
- For local VidyoRouters, VidyoCloud Operations will require the public subnets where users are connecting from and assign them with local VidyoRouters. Normally these are the office public subnets. If possible, users should be provided with the internal subnets as well.
- For customers with both a VidyoRouter and VidyoGateway, VidyoCloud will configure the local VidyoGateway to use the local VidyoRouter. Some additional firewall and DNS configuration may be needed.
- For customers with a VidyoGateway, the VidyoGateway must be open to internal legacy endpoints, and if expected, external legacy endpoints.
- For customers with a VidyoReplay, a NAS will be required as well as proper security configuration.
- The local endpoint must be set to auto-answer for tests.
What are the Network Requirements?
Vidyo NJ Office IP:
188.8.131.52 / 184.108.40.206– All inbound management rules should be limited to these IPs.
Vidyo Monitoring System:
inputs1.vidyo.splunkcloud.com, inputs2.vidyo.splunkcloud.com, inputs3.vidyo.splunkcloud.com, inputs4.vidyo.splunkcloud.com, inputs5.vidyo.splunkcloud.com – Traffic to/from this IP is used by Vidyo monitoring and the log aggregation system.
For EU specific portal customers:
inputs1.vidyoeu.splunkcloud.com, inputs2.vidyoeu.splunkcloud.com, inputs3.vidyoeu.splunkcloud.com, inputs4.vidyoeu.splunkcloud.com, inputs5.vidyoeu.splunkcloud.com, – Traffic to/from this IP is used by Vidyo monitoring and the log aggregation system.
|22/2222||TCP||SSH||SSH Access to the VidyoRouter||NJ Office -> Customer VidyoRouter|
|80||TCP||HTTP||Web Access to the VidyoRouter||NJ Office -> Customer VidyoRouter|
|443/8443||TCP||HTTPS||Secure Web Access to the VidyoRouter||NJ Office -> Customer VidyoRouter|
|53||TCP/UDP||DNS||Connection to Customer or Public DNS Server||Customer VidyoRouter -> Customer or Public DNS Server|
|123||TCP/UDP||NTP||Time Sync to Customer or Public NTP Server||Customer VidyoRouter -> Customer or Public NTP Server|
|9997||TCP||Splunk||Log Forwarding||Customer VidyoRouter -> Vidyo Splunk Server|
|80||TCP||HTTP||Authentication to VidyoPortal||Customer VidyoRouter -> VidyoCloud Portals|
|443||TCP||HTTPS||Authentication to VidyoPortal||Customer VidyoRouter -> VidyoCloud Portals|
|17991||TCP||RMCP||Connection to VidyoManager (Hosted on VidyoPortal)||Customer VidyoRouter -> VidyoCloud Portals|
|17990||TCP||SCIP||Signaling Connections Between VidyoRouters||Customer VidyoRouter -> VidyoCloud Routers|
|50000-65535||UDP||Media||Audio and Video Connection||Customer VidyoRouter -> VidyoCloud Routers|
VidyoGateways and VidyoReplays:
|22/2222||TCP||SSH||SSH Access to the VidyoRouter||NJ Office -> Customer VidyoGateway/Replay|
|80||TCP||HTTP||Web Access to the VidyoRouter||NJ Office -> Customer VidyoGateway/Replay|
|443/8443||TCP||HTTPS||Secure Web Access to the VidyoRouter||NJ Office -> Customer VidyoGateway/Replay|
|53||TCP/UDP||DNS||Connection to Customer or Public DNS Server||Customer VidyoGateway/Replay -> Customer or Public DNS Server|
|123||TCP/UDP||NTP||Time Sync to Customer or Public NTP Server||Customer VidyoGateway/Replay -> Customer or Public NTP Server|
|9997||TCP||Splunk||Log Forwarding||Customer VidyoGateway/Replay -> Vidyo Splunk Server|
|80||TCP||HTTP||Authentication to VidyoPortal||Customer VidyoGateway/Replay -> VidyoCloud Portals|
|443||TCP||HTTPS||Authentication to VidyoPortal||Customer VidyoGateway/Replay -> VidyoCloud Portals|
|17992||TCP||EMCP||Connection to VidyoManager (Hosted on VidyoPortal)||Customer VidyoGateway/Replay -> VidyoCloud Portals|
|17990||TCP||SCIP||Signaling Connections Between VidyoGateway/Replay and VidyoRouter||Customer VidyoGateway/Replay -> VidyoCloud Routers|
|50000-65535||UDP||Media||Audio and Video Connection||Customer VidyoGateway/Replay -> VidyoCloud Routers|
|VidyoGateway and Legacy Endpoint Connection|
|1718||UDP||H323 Gatekeeper Discovery||Customer Gateway <-> Legacy Endpoints|
|1719||UDP||H323 Gatekeeper Registration||Customer Gateway <-> Legacy Endpoints|
|1720||TCP||H323 Call Setup||Customer Gateway <-> Legacy Endpoints|
|5060||UDP/TCP||SIP Call Signaling||Customer Gateway <-> Legacy Endpoints|
|5061||TLS||SIP Call Signaling||Customer Gateway <-> Legacy Endpoints|
|1024-65535||UDP/TCP||Media||Audio and Video Connection||Customer Gateway <-> Legacy Endpoints|
Information on IPs/firewalls can be found here:
Do I need to open inbound traffic?
When deploying a Hybrid solution using Vidyo’s best practices, for inbound traffic, you only need to open the ports in the firewall marked as management ports and only open them to Vidyo’s public IPs. Another best practice is to assign local resources for internal users/endpoints, and direct external/guest users to VidyoCloud public IPs.
There are uses cases when a customer would prefer their guests or remote users to connect to their Hybrid servers. In such case, the firewall must allow that media traffic.
Why do I need to allow SSH access?
Once connected to VidyoCloud Production, the local servers are part of VidyoCloud, and as such, the VidyoCloud Operations team is fully responsible for maintaining the servers, security patches, and more. At times, VidyoCloud Operations needs to access the servers via SSH for immediate security issues, restarts, or troubleshooting.
Why is Vidyo collecting local server logs and can I access them?
As part of normal operation, the VidyoCloud Operations team uses a Splunk® forwarder on its servers to proactively monitor server performance as well as aggregate the logs for troubleshooting and root-cause analysis when needed. Access to the logs is available upon request.
Why does Vidyo need my public IPs?
The way Vidyo identifies the users coming from the local network is by the public IP addresses of the users connecting to the VidyoCloud portal. At deployment, VidyoCloud is configured to assign the local VidyoRouters to all users coming from these IPs. If you change or add public IPs, VidyoCloud Operations should be notified to modify the configuration in the next maintenance window.