Signaling for incoming phone calls from the PSTN flows through the media gateway to the Mediation Server, where it is translated to SIP for internal call routing. The media portion follows the same route to the Mediation Server. From the Mediation Server, the call is routed directly to the endpoint if a direct connection is available.
If a direct connection is not available, the Mediation Server opens a connection with the A/V Access Edge service, which acts as a media relay for transporting audio and video content across corporate NATs and firewalls. For details, see Media Traversal.
The important point about this transaction is that the Mediation Server must open a connection to the A/V Access Edge service and request the media before the media is allowed to cross the corporate firewall.
Media flowing in both directions between the Mediation Server and internal Office Communications Server 2007 R2 servers is encrypted using SRTP in the default configuration where both the Mediation Server and internal servers support and use encryption.
Best Practices
Organizations that rely on Internet Protocol security (IPsec) for packet security are strongly advised to create an exception on a small media port range if they are to deploy Enterprise Voice. The security negotiations required by IPsec work fine for normal UDP or TCP connections, but they can slow down call setup to unacceptable levels.