Example 5: NAT Traversal

Illustration of a network managed by IBM® Sametime® Bandwidth Manager where NAT Traversal is in use.

Remote user scenarios

Sametime supports firewall and NAT traversal for the media exchange path for clients. Scenarios for both remote and internally-firewalled users are also supported by the Bandwidth Manager. The Bandwidth Manager supports the following calling scenarios with remote users:

  • A remote user (Home user or Business partner) calling another remote user
  • A remote user calling users in the enterprise
  • A remote user calling users working behind an internal firewall in the enterprise

Internal firewall scenarios

The graphic that follows shows how the Bandwidth Manager supports the following calling scenarios with users working behind an internal firewall:

  • Internal user calling users in the enterprise
  • Internal user calling other users located behind the same internal firewall
  • Internal user calling remote users

Network diagram with NAT Traversal

In this deployment example, administrative policies prevent direct media connections between remote users (Home User 1 and Business Partner 2) and any internal users. To support call scenarios between remote users and internal users, a reflector is deployed in the DMZ to relay the media streams. Additionally, users in Site B (User 5 and User 6) are firewalled from other users in the enterprise, and direct media connections are not allowed. To connect with other users, Site B users must use the internal reflector. When a remote user calls an internally firewalled user, the call path therefore requires two reflectors. The expected call route between User 6 and Business Partner 3 would be as follows:


Network diagram with NAT Traversal and two reflectors

Based on these examples, the reflector policies for this enterprise could be summarized as follows:

Endpoint Site   Reflector Assigned to Endpoint   Remote Site Accessible
Site B          Internal Reflector               Any other Site
Internet        DMZ Reflector                    Any other Site

If you replace specific users and devices with sites and then connect the sites with links, the resulting network topology model looks like this:


Network diagram with NAT Traversal

Sametime features that support NAT Traversal

To enable NAT Traversal support, Sametime uses the following features to model the enterprise network and allocate bandwidth to calls accurately.

  • Sametime Connect Client endpoints use ICE protocol to determine the best media path for each call.

    To discover the correct endpoints (IP addresses) of clients, the Bandwidth Manager uses several techniques, including inspecting the ICE candidates carried in the underlying SIP flows. Part of the ICE protocol is the use of SIP re-INVITEs by the clients, which inform the Bandwidth Manager of the IP addresses that were actually used for a call (in the "c=" line of the SDP). These re-INVITEs enable the Bandwidth Manager to correct the predicted call path if the prediction was wrong the first time. Subsequent re-INVITEs for the same call (an upgrade to video, for example) also let the Bandwidth Manager adjust the bandwidth allocated to the call.

  • Reflectors in the deployment support call scenarios where a direct connection does not exist.

    Reflectors are transit sites on a given call's route, for example: Caller site -> Reflector1 site -> Reflector2 site -> Callee site. The presence of reflectors affects route calculation and distance, so for accurate route calculation the Bandwidth Manager needs to know whether any reflectors are used. To model the route transitions that a given media path actually takes, the Bandwidth Manager lets you configure Reflector Policies.
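The following is an added example (not IBM Sametime code) that models the reflector-policy table above and the route calculation just described: given the caller's and callee's sites, it lists the transit sites a media stream crosses and counts the links. The site name "Site A" for the rest of the enterprise, and the reading of "Any other Site" as "insert the reflector only when the two endpoints are in different sites", are assumptions.

```python
"""Model of reflector-policy route calculation (added example, not Sametime code)."""
from dataclasses import dataclass
from typing import List, Optional

ANY_OTHER_SITE = "Any other Site"


@dataclass(frozen=True)
class ReflectorPolicy:
    endpoint_site: str   # site whose endpoints this policy applies to
    reflector: str       # reflector assigned to endpoints in that site
    remote_site: str     # specific remote site, or ANY_OTHER_SITE


# Reflector policies taken from the table on this page.
POLICIES = [
    ReflectorPolicy("Site B", "Internal Reflector", ANY_OTHER_SITE),
    ReflectorPolicy("Internet", "DMZ Reflector", ANY_OTHER_SITE),
]


def reflector_for(site: str, remote_site: str,
                  policies: List[ReflectorPolicy] = POLICIES) -> Optional[str]:
    """Reflector an endpoint in `site` must transit to reach `remote_site`, or None.
    Assumption: ANY_OTHER_SITE never matches the endpoint's own site."""
    for p in policies:
        if p.endpoint_site != site:
            continue
        if p.remote_site == remote_site or (p.remote_site == ANY_OTHER_SITE and remote_site != site):
            return p.reflector
    return None


def media_route(caller_site: str, callee_site: str,
                policies: List[ReflectorPolicy] = POLICIES) -> List[str]:
    """Transit sites crossed by the media: caller -> [reflector(s)] -> callee.
    Each side's policy is evaluated; a reflector shared by both sides appears once,
    and a call within a single site crosses no inter-site link."""
    route = [caller_site]
    for reflector in (reflector_for(caller_site, callee_site, policies),
                      reflector_for(callee_site, caller_site, policies)):
        if reflector is not None and reflector not in route:
            route.append(reflector)
    if route[-1] != callee_site:
        route.append(callee_site)
    return route


def hop_count(route: List[str]) -> int:
    """Number of inter-site links; every reflector transited adds one, which is
    why reflectors change the distance the Bandwidth Manager computes."""
    return len(route) - 1
```

For User 6 (Site B) calling Business Partner 3 (Internet) the model yields Site B -> Internal Reflector -> DMZ Reflector -> Internet, the two-reflector path shown in the diagram.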