Subscriber Discussion

I Need A Network Guru To Walk Me Thru This (Cross Subnet Sharing)

Scott Napier
Jan 08, 2018

I have some cameras installed by a third party that we need to view.  They have no problem letting my group view them, but this is a large enterprise network and I am not sure I have the networking skills to make this work reliably.  Can anyone here provide some input?

 

Brian Karas
Jan 08, 2018
IPVM

Are you intending to view them from a machine somewhere on the VPN (which looks to be represented by the orange boxes)?

Scott Napier
Jan 08, 2018

Sorry, I skipped that detail. Yes, we need to view them from inside the VPN but also ensure that nothing inside the VPN is accessible on the N-1 side. 

Brian Karas
Jan 08, 2018
IPVM

That is primarily a function of routing configuration in the VPN concentrator. You would have to know the full setup of Network One to really have a solid game plan (e.g., can you just allow access to the entire set of cameras with subnetting, or are there other devices intermingled there, etc.).

Undisclosed Integrator #1
Jan 08, 2018

Just to circle back here. Does anyone see an issue with the cameras recording to two different recorders? Each would be an individual stream, but I am now getting pushback from the other group because they do not think that will work.

Undisclosed
Jan 08, 2018

First of all, your one-way lines can't be that because one uses TCP/IP to communicate so there are packets going back and forth. In your heart you can promise there's no "active" traffic in the other direction, of course.

Depending on how many subnets there are in the actual network you may need to do some careful configuration of the pair of VPN appliances.  You would have to make sure that the Victor server has a route back to the 172... camera network and since that means the packets have to go through the VPN tunnel you'll need to make sure the VPN has appropriate routing. 

Assuming the networking issues are resolved, there's still the two-VMS issue. VMSes generally presume they own the cameras they are talking to, and so I would worry the two different recorders would fight over any given camera. (And Genetec is certainly capable of being over-zealous about changing camera configurations by itself.)

(1)
(1)
Undisclosed #3
Jan 09, 2018
IPVMU Certified

"First of all, your one-way lines can't be that because one uses TCP/IP to communicate so there are packets going back and forth."

He means in terms of connection origination, you know inbound vs outbound.

(1)
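
The distinction drawn in the two posts above (replies flow in both directions, but only one side may originate connections) can be checked against firewall or flow logs. This is an added example, not part of any poster's reply; the subnets, log format and function names are constructed placeholders, not the addressing from the thread.

```python
import ipaddress

# Constructed placeholder subnets (documentation ranges), not the real networks.
VIEWER_NET = ipaddress.ip_network("198.51.100.0/24")  # inside the VPN
CAMERA_NET = ipaddress.ip_network("192.0.2.0/24")     # N-1 camera side

# Constructed sample records: "src sport dst dport tcp_flags"
SAMPLE_LOG = """\
198.51.100.20 50112 192.0.2.31 554 S
192.0.2.31 554 198.51.100.20 50112 SA
198.51.100.20 50112 192.0.2.31 554 A
192.0.2.31 554 198.51.100.20 50112 PA
192.0.2.77 41000 198.51.100.5 443 S
198.51.100.21 50200 192.0.2.32 554 S
"""

def parse(line):
    """Split one record into typed fields; flags become a set of letters."""
    src, sport, dst, dport, flags = line.split()
    return (ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport), set(flags))

def audit_origination(log_text, viewer_net=VIEWER_NET, camera_net=CAMERA_NET):
    """Classify each new TCP connection by the side that originated it.

    A bare SYN (S without A) identifies the originator. SYN-ACKs, ACKs and
    data coming back from the camera side are expected return traffic and
    are skipped, which is why "one-way" refers to origination only.
    """
    allowed, violations = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _sport, dst, dport, flags = parse(line)
        if flags != {"S"}:
            continue  # not a connection attempt
        if src in viewer_net and dst in camera_net:
            allowed.append((str(src), str(dst), dport))
        elif src in camera_net and dst in viewer_net:
            violations.append((str(src), str(dst), dport))
    return allowed, violations

if __name__ == "__main__":
    ok, bad = audit_origination(SAMPLE_LOG)
    print("viewer-originated:", ok)
    print("camera-originated (should be blocked):", bad)
```
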
John Kampfhenkel
Jan 08, 2018

The simplest method is just to have a server from NETWORK ONE run Genetec Web services and use this as the connection method from NETWORK TWO via the VPN. You can do this with the thick client (Security Desk) too, but more ports need to be opened and forwarded.

There are many complexities that arise when you want the cameras to be managed by 2 different systems. Is this the case? Does it need to be recorded to 2 different systems as well? Or do they only need access to view live/recorded video from the cameras? Do you need to see cameras from both systems in the same user interface, which is more of a Command and Control/PSIM layer? Or would opening a browser or second application be acceptable?

(1)
(2)
Yves Tremblay
Jan 09, 2018
Ecmor Sécurité Inc • IPVMU Certified

I'm no network guru, but providing the cameras have a secondary H.264/265 stream available, there shouldn't be issues addressing them through the VPN, but of course the VPN bandwidth required will be considerable for 30 cameras. You just need to configure an access list on the inside interface that either permits or denies traffic from the remote subnet N-1 (as per Cisco technical support). A certified Victor integrator should be able to assist the enterprise IT complying staff with those configs.

(1)
Undisclosed Integrator #2
Jan 09, 2018

There are two common issues presented.

First, most VMS’s control the cameras and settings when using a direct driver or ONVIF.  Typically the only way to isolate that impact is to call a video stream like RTP or RTSP.

Next is isolating two networks with a single camera NIC. One address for the camera, regardless.

(1)
Undisclosed Integrator #4
Jan 09, 2018

Much like UDM#2 stated above, RTSP is a great way to isolate those two streams.  

It would allow the Genetec system to make the changes VMS systems love to make to camera settings, and still allow video to be transmitted to the second network uninhibited. 

If network 1 and 2 have no overlap of IP addresses, and the VPN is set up correctly as many have stated above, this is a very achievable goal.  

Network diagrams and discussions with IT departments from both sites are critical, and should be done multiple times before a deployment is ready.  The amount of traffic generated here via a VPN cannot be overlooked, and bandwidth calcs done with roughly a 15% overhead addition minimum.

 

(1)
Chad Rohde
Jan 10, 2018

"If network 1 and 2 have no overlap of IP addresses"

Actually the Cisco VPN device should be able to handle this with an extra mapping rule. But according to the diagram, shouldn't have to worry about this.

Scott Napier
Jan 09, 2018

This has all been very helpful, thanks to everyone who has participated.  
