The Internet may be used for many forms of communication, including voice conversations, video conferencing, development collaboration, and the like. In order for manufacturers' programs, applications, equipment, and systems to be interoperable with each other, many protocols have been developed to standardize the communication between such systems. For example, video conferencing calls often involve the interfacing of video network endpoint devices manufactured by a variety of different manufacturers and using a variety of protocols and network communication interfaces.
Communication protocols have grown increasingly complex to handle all the types of traffic generated to facilitate communication for video conferencing, voice over Internet Protocol (VoIP), and data over Internet Protocol applications. Two such protocols are H.323 from the International Telecommunication Union-Telecommunication Standardization Sector (ITU-T) and the Session Initiation Protocol (SIP) from the Internet Engineering Task Force (IETF). Both H.323 and SIP typically allow for multimedia communication including voice, video, and data communications in real time. H.323 and SIP each rely on multiple other protocols, some of which may in turn rely on User Datagram Protocol (UDP) for sending and receiving multimedia traffic. UDP features minimal overhead compared to other transport protocols (most notably Transmission Control Protocol (TCP)) at the expense of having less reliability. UDP does not provide for guaranteed packet delivery or data integrity. UDP does offer the highest possible throughput, thus making it ideally suited for multimedia real-time communications.
Within a given communication network, various network nodes may be communicatively coupled to the network for use in enabling communication between two or more endpoint devices. For instance, a network may include various switches, routers, hubs, and/or other intermediary devices that are used for transporting communication (e.g., data, voice, etc.) between two or more endpoint devices. Further, various types of endpoint communication devices may be implemented to, for instance, receive input from a user (e.g., to be communicated across the network to another user) and/or to output received information to the user. Thus, an endpoint communication device refers to a device at which communication originates or at which communication is destined (e.g., terminates), whereas various intermediary devices, such as switches, routers, etc., may reside between the endpoint devices on the network for transporting communication between the endpoint devices. Both the endpoint devices and the intermediary devices are referred to generally as network nodes.
In Internet Protocol (IP) communication networks, nodes on the network are typically identified by their respective IP address. Often, however, certain nodes, particularly endpoint devices used for videoconferencing (or other multimedia communication), are not persistent within a given network, but may instead be moved from location to location and thus their respective IP addresses may change from time to time. For instance, a given video conference endpoint device may be moved within a company from one conference room to another conference room as needed for various scheduled meetings to occur in the conference rooms (where the endpoint device is connected to the company's local area network via different network access points at each conference room).
Disparate networks, such as different local area networks (LANs), are typically protected by a firewall that restricts certain externally-originated communication from entering the protected network. That is, the firewall of a given LAN may block certain traffic to minimize the risk of allowing malicious traffic into the LAN. Accordingly, multimedia communications traffic will most likely have to traverse a firewall at some point during transmission, especially over the Internet, regardless of which protocol the traffic conforms to. Firewalls are used in modern networks to screen out unwanted or malicious traffic. It should be understood that, as used herein, a “firewall” may refer to any piece of equipment or device that is configured to restrict certain externally-originated communication from entering the protected network. As one example, a firewall may be implemented via an access control list and/or rules deployed on a router or other device. Of course, a firewall may be achieved through implementation of any access control device that restricts certain traffic from entering and/or exiting the protected network.
As multimedia communications, such as videoconferencing, have grown in popularity, a need has arisen for managing the endpoint communication devices (i.e., the devices that output communication to participants on a call and/or that receive input communication from participants on a call, such as video capture equipment, video display equipment, voice capture equipment, and voice output equipment, including as examples, telephones, videophones, etc.). Endpoint communication devices may be stand-alone devices (e.g., a stand-alone telephone or video display) or they may be implemented as embedded within other devices, such as a VoIP application embedded within a processor-based computer, such as a laptop or PC. Any of various management operations, such as scheduling use of the endpoints for conferences, upgrading/updating software on the endpoint devices, configuring the endpoint devices, monitoring and diagnosing problems of the endpoint devices, and/or performing various other management operations for the endpoint devices, may be desired from time to time. Accordingly, various computer-based management systems have been developed for managing endpoint devices. For instance, certain management systems enable an administrator to interact with a computer console to perform such management tasks as scheduling conferences, etc. Examples of traditional endpoint management systems include those commercially available from TANDBERG, such as TANDBERG's MANAGEMENT SUITE (TMS). Further management systems that have been proposed include, as examples, those described in U.S. Pat. No. 7,206,808 titled “System and Method for Managing Diverse Video Network Devices via Application and Interface Objects”, U.S. Pat. No. 7,385,622 titled “Method and System for Presenting a Video Call Management Console”, U.S. Pat. No. 7,346,912 titled “Method and System for Managing Video Devices”, U.S. Patent Application Publication No. 2007/0022201 titled “Method for Instant Scheduling of Conference Calls”, and U.S. Patent Application Publication No. 2008/0134200 titled “Method and System for Managing Video Devices”, the disclosures of which are hereby incorporated herein by reference. TANDBERG's system is commonly employed for managing video endpoints. Similar systems, such as those available from LUCENT TECHNOLOGIES, may be employed for managing data network nodes, and similar systems, such as those available from CISCO SYSTEMS, INC., may be employed for managing voice and/or voice-over-IP (VoIP) nodes.
As discussed further hereafter, traditional endpoint management systems are commonly implemented for management of endpoints that reside on the same LAN as the management system. Central management of endpoints that reside on different networks (e.g., on different LANs) raises additional issues. For example, the above-mentioned TMS system resides on a given LAN and expects to be able to communicate with endpoint(s) directly on its LAN. The TMS system has no ability to seek out endpoints that are not accessible on its immediate network. So, the TMS system implemented on one LAN is generally not employed for managing an endpoint located on a different LAN.
When endpoints desired to be managed are located in different networks, the traditional methods used to gain communication to the endpoints include some type of Network Address Translation (NAT), such as one-to-one NAT, on the edge firewalls or routers. Such a NAT creates an externally accessible IP address, together with access rules for given mirrored protocols (e.g., UDP or TCP), that translates directly to the endpoint. Because each of the LANs on which the endpoints reside will typically have its own firewall, the NAT would typically be required to be implemented on two or more firewalls and may require a lot of administrative overhead to accomplish. Further, if care is not taken to correctly set up the access rules, a given LAN may become vulnerable to external attacks by allowing unwanted entities access into the network. Alternatively, a traditional Virtual Private Network (VPN) may be established to bridge the different LANs, and access rules may be established to restrict access to the VPN. Again, a lot of administrative overhead may be required in implementing such a VPN solution.
The above solutions are impractical and difficult to employ when the network nodes (e.g., endpoint devices) to be managed reside on disparate LANs that are not governed or owned by the same entity or administrator. For instance, when a management system residing in a first LAN desires access for managing endpoint devices in a second LAN that is not owned or governed by a common entity (e.g., as when the LANs are of different companies), the network administrator of the second LAN will be reluctant to permit establishment of such a connection with the management system of the first LAN unless great administrative burden is undertaken to ensure that proper access rules are established. The administrative burden for establishing such a connection, and the risk of diminished security resulting from establishing such a connection, present a great obstacle that generally prevents the establishment of a connection to enable a management system residing on one LAN to manage endpoint devices on disparate LANs. Indeed, oftentimes the administrators within an organization who are responsible for management of multimedia communication endpoints, such as videoconferencing equipment, are not the same persons who govern the network security of the organization (such as its firewalls, routers, etc.), and thus the administrators desiring to permit management of the multimedia communication endpoints may face further obstacles within their own organization in order to permit appropriate access to the network for management by an external management system.
The network security administrators within a protected LAN are generally resistant to establishing one-to-one NAT relationships or implementing a VPN connection in order to permit access to the endpoint devices by a management system residing outside of the protected LAN, because such a connection will likely not only allow unwanted traffic from unauthorized outside resources to reach into the protected LAN but also permit access from within the protected LAN to resources that are not supposed to be accessed by the LAN's devices. So, it is very difficult for administrators to make sure that the access permissions are locked down. Accordingly, centralized management of multimedia communication endpoint devices across disparate networks is generally not undertaken due, at least in part, to the above-mentioned administrative burdens and security risks associated therewith.
Various different communication protocols may be utilized by a management system for managing endpoint communication devices, such as HTTP, HTTPS, FTP, TFTP, TELNET, and/or SNMP, as examples. To support all of these protocols, further difficulty may arise for an administrator to permit suitable access to a protected LAN by an external management system while maintaining proper security, thereby further increasing the administrative burden associated with establishing such a connection.
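As an added example (not from the patent or any product it names), the following Python script audits a set of constructed one-to-one NAT mappings of the kind described above against the access-rule pitfalls the text raises: mappings reachable from any source, mappings that mirror every port to the endpoint, and the unencrypted management protocols in the list above being exposed at the edge. The rule fields, the port-to-protocol table, the remediation text and the sample addresses are assumptions made for this example.

```python
"""Audit of one-to-one NAT / port-forwarding rules that expose endpoint
management protocols. The rule format and the sample rules below are
constructed for this example and do not come from any real firewall."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Management protocols named in the text, keyed by their well-known port (assumed table).
MGMT_PORTS = {80: "HTTP", 443: "HTTPS", 21: "FTP", 69: "TFTP", 23: "TELNET", 161: "SNMP"}
CLEARTEXT = {"HTTP", "FTP", "TFTP", "TELNET", "SNMP"}  # carry no transport encryption

REMEDIATION = {
    "ANY_SOURCE": "access rule admits any source; limit it to the management system's address",
    "WIDE_SOURCE": "source range is wider than a single host; narrow it to the management system",
    "ALL_PORTS": "every port is mirrored to the endpoint; forward only the management port needed",
    "CLEARTEXT": "management protocol is unencrypted; prefer HTTPS or reach it only from a trusted source",
}

@dataclass(frozen=True)
class NatRule:
    public_ip: str         # externally reachable address created by the NAT
    internal_ip: str       # endpoint device inside the protected LAN
    port: Optional[int]    # None = all ports mirrored (true one-to-one NAT)
    allowed_src: str       # CIDR of sources the access rule permits

def audit_rule(rule: NatRule) -> list:
    """Return finding codes for one rule; an empty list means it is acceptable."""
    codes = []
    src = ip_network(rule.allowed_src, strict=False)
    if src.prefixlen == 0:            # 0.0.0.0/0 or ::/0: the whole Internet
        codes.append("ANY_SOURCE")
    elif src.num_addresses > 1:       # a range rather than the single manager host
        codes.append("WIDE_SOURCE")
    if rule.port is None:
        codes.append("ALL_PORTS")
    elif MGMT_PORTS.get(rule.port) in CLEARTEXT:
        codes.append("CLEARTEXT")
    return codes

def audit_rules(rules: list) -> dict:
    """Map 'public:port->internal' to the finding codes for each rule."""
    return {f"{r.public_ip}:{r.port or 'all'}->{r.internal_ip}": audit_rule(r) for r in rules}

# Constructed sample: two weak mappings and the corrected form of the second one.
SAMPLE_RULES = [
    NatRule("203.0.113.10", "10.0.5.20", None, "0.0.0.0/0"),       # full 1:1 NAT, open to all
    NatRule("203.0.113.11", "10.0.5.21", 23, "0.0.0.0/0"),         # TELNET open to the Internet
    NatRule("203.0.113.11", "10.0.5.21", 443, "198.51.100.7/32"),  # HTTPS from the manager only
]

if __name__ == "__main__":
    for mapping, codes in audit_rules(SAMPLE_RULES).items():
        print(mapping, "OK" if not codes else "; ".join(REMEDIATION[c] for c in codes))
```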
In view of the above, traditional management systems, such as the TMS system, are generally implemented for management of endpoints on a common LAN. Network nodes (e.g., endpoint devices) that reside on disparate networks (e.g., disparate protected LANs) may each be managed by their respective management system that resides on their respective network, but the nodes across disparate networks are generally not managed in a coordinated fashion by a centralized management system. Again, traditional techniques for undertaking any centralized management of endpoint devices across disparate protected networks generally involve use of either a NAT or a VPN and require undesirable administrative burden to establish communication connections for the centralized management system with the disparate networks, while also giving rise to an undesirable security vulnerability.