Originally Posted by FruitLover
You're making a lot of leaps and assumptions there rolion; I get the impression you don't have a whole lot of experience with VPN configuration.
If this IP phone company is any use at all, they'll be able to configure a site-to-site VPN between an endpoint on their network and the client site, meaning no client software needed. Obviously, full connectivity would not be permitted; I don't understand why you're making a big hoopla about that, with your bold letters and mention of viruses. Only traffic on specific ports/services should be permitted from the monitoring company, and ideally the video equipment should be in a DMZ (you got that bit right, at least).
While this could technically be done by opening access from the monitoring company's public IP range in (assuming the cameras and/or monitoring system support encrypted sessions), a VPN would be a cleaner and safer way of doing things.
So... you are saying that I, as a CCTV monitoring company, should have the possibility of installing a VPN tunnel (site-to-site OR gateway-to-gateway) solution for every site that has my equipment installed!? Forget it...
Also, if it is in the DMZ... why would you need a VPN???
Also, setting ports and restrictions and basically policy NAT-ing the VPN... what's the point of having a VPN link!? Same as an ip2ip and port-filtering based solution!
I'll get back to that CCTV installer company of mine and check how they work in these scenarios...
Also, it would be very 'nice' of the OP if he could give us an update here, AS despite technical solutions being possible, in various combinations (in bolded letters or not), I reckon it is VERY much determined by the type, capability, knowledge, equipment and cost coming from the whole installation's scope and budget...
So... we can be right, all of us... all giving free advice here AND taken as free advice!!
In the meantime, have a nice Paddy's Day... I have two myself!!!
Re my VPN skills, we can have a chat in private and trust me, you'll be disappointed!!..
Not sure, but... does bold mean anything to readers? I thought THIS MEANS SHOUTING!! Sorry...
Let's say that the OP's office LAN is 192.168.1.x/24.
In my office's router/firewall I set up a site-to-site VPN, assuming that his IP address is static already.
I have to create a rule in my routing table saying that ALL traffic with the destination of 192.168.1.x coming from my CCTV company LAN of 10.1.1.x/24 should use this VPN tunnel, establish it and keep it alive! All OK so far.
Also, from my Cisco & SonicWall, I understood that the VPN is treated as a safe, trusted zone (I can be wrong here), so NAT and/or policy can be ignored (I can be wrong here)... so all site-to-site VPN traffic is trusted! You can go with ACLs, per IP and port... correct... hmmm
...but what if their router is not so smart!??
...a l s o ...
What if I, as a CCTV company, have to install another system, in another site... and... it has the same IP range... am I going to change their network IP addressing just to get my VPN working for a port in for the DVR!??? Or the OP's site...
Install the VPN client only on one PC in the monitoring station, but then... how does the central crawling monitoring agent know to use that PC, or connect and process external monitored data and line status... lost here!
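The same-IP-range question raised in the post above, as an added example that is not part of the original thread: a planner that detects colliding customer LANs and gives each colliding site a 1:1 NAT alias subnet to route into its tunnel, a technique the post does not name. The site names, the 172.31.0.0/16 alias pool and the DVR host address .50 are constructed assumptions.

```python
import ipaddress

def plan_tunnels(monitor_lan, sites, nat_pool):
    """Decide, per customer site, which subnet the monitoring side routes into its tunnel.

    A site whose real LAN collides with the monitoring LAN, the NAT pool or an
    earlier site gets a same-sized alias subnet from nat_pool (1:1 NAT on the
    customer's gateway), so nobody has to renumber.
    """
    monitor = ipaddress.ip_network(monitor_lan)
    pool = ipaddress.ip_network(nat_pool)
    used = [monitor]
    plan = {}
    for name, lan in sites:
        real = ipaddress.ip_network(lan)
        routed = real
        if real.overlaps(pool) or any(real.overlaps(u) for u in used):
            # First alias of the same size that nothing else is routed to yet.
            free = (c for c in pool.subnets(new_prefix=real.prefixlen)
                    if not any(c.overlaps(u) for u in used))
            routed = next(free, None)
            if routed is None:
                raise ValueError(f"NAT pool exhausted at {name}")
        used.append(routed)
        plan[name] = {"real": real, "routed": routed, "nat": routed != real}
    return plan

def translate(host, real, routed):
    """1:1 NAT keeps the host part: real .50 becomes alias .50."""
    offset = int(ipaddress.ip_address(host)) - int(real.network_address)
    return routed.network_address + offset

# Constructed sample data: two customers on the same default range, and one
# that happens to use the monitoring company's own range.
SITES = [("site-a", "192.168.1.0/24"),
         ("site-b", "192.168.1.0/24"),
         ("site-c", "10.1.1.0/24")]

if __name__ == "__main__":
    plan = plan_tunnels("10.1.1.0/24", SITES, "172.31.0.0/16")
    for name, p in plan.items():
        dvr = translate(str(p["real"].network_address + 50), p["real"], p["routed"])
        print(f"{name}: real {p['real']} routed {p['routed']} nat={p['nat']} DVR {dvr}")
```

The per-IP and per-port filtering discussed in the thread is then written against the routed address of each DVR, not its real one.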