Cisco Expressway
Each time a client supplies credentials to authorize the user, the Expressway checks whether this attempt would
exceed the Maximum authorizations per period within the previous number of seconds specified by the Rate control
period.
If the attempt would exceed the chosen maximum, then the Expressway rejects the attempt and issues the HTTP error
429 "Too Many Requests".
The authorization rate control settings are configurable in the Advanced section of the Configuration > Unified
Communications > Configuration page.
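The check described above can be modelled as a per-client sliding window. The following Python is an added illustration written for this page, not Cisco's implementation: it assumes a window of Rate control period seconds, counts only accepted attempts against Maximum authorizations per period (whether the Expressway also counts rejected attempts is not stated here and is an assumption), and returns 429 when one more attempt would exceed the maximum.

```python
from collections import defaultdict, deque

HTTP_OK = 200
HTTP_TOO_MANY_REQUESTS = 429


class AuthorizationRateControl:
    """Model of the 'Maximum authorizations per period' / 'Rate control period'
    check. Each client gets its own window of accepted attempt timestamps;
    an attempt that would push the count over the maximum within the
    previous period_seconds is rejected with HTTP 429."""

    def __init__(self, max_per_period: int, period_seconds: int):
        self.max_per_period = max_per_period
        self.period_seconds = period_seconds
        # client identifier -> timestamps (seconds) of attempts that were accepted
        self._attempts = defaultdict(deque)

    def check(self, client: str, now: float) -> int:
        window = self._attempts[client]
        # Forget attempts that fall outside the rate control period.
        while window and now - window[0] >= self.period_seconds:
            window.popleft()
        if len(window) + 1 > self.max_per_period:
            # Assumption: a rejected attempt is not added to the window.
            return HTTP_TOO_MANY_REQUESTS
        window.append(now)
        return HTTP_OK


def simulate(max_per_period: int, period_seconds: int, attempts):
    """Run a constructed sequence of (client, time) attempts and return the
    HTTP status each one would receive."""
    rc = AuthorizationRateControl(max_per_period, period_seconds)
    return [rc.check(client, t) for client, t in attempts]


if __name__ == "__main__":
    # Constructed sample: 3 authorizations per 10-second period.
    sample = [("alice", 0), ("alice", 1), ("alice", 2), ("alice", 3),
              ("bob", 3), ("alice", 10)]
    for (client, t), status in zip(sample, simulate(3, 10, sample)):
        print(f"t={t:>3}s {client:<6} -> {status}")
```

The fourth attempt from "alice" inside the 10-second window is the one that gets 429; once the attempt at t=0 ages out of the period, the attempt at t=10 is accepted again, and "bob" is counted independently.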
Credential Caching
Note:
These settings do not apply to clients that are using SSO (common identity) for authenticating via MRA.
The Expressway caches endpoint credentials which have been authenticated by Unified CM. This caching improves
overall performance because the Expressway does not always have to submit endpoint credentials to Unified CM for
authentication.
The caching settings are configurable in the Advanced section of the Configuration > Unified Communications
> Configuration page.
Credentials refresh interval specifies the lifetime of the authentication token issued by the Expressway to a
successfully authenticated client. A client that successfully authenticates should request a refresh before this token
expires, or it will need to re-authenticate. The default is 480 minutes (8 hours).
Credentials cleanup interval specifies how long the Expressway waits between cache clearing operations. Only
expired tokens are removed when the cache is cleared, so this setting is the longest possible time that an expired
token can remain in the cache. The default is 720 minutes (12 hours).
Unified CM Denial of Service Threshold
High volumes of mobile and remote access calls may trigger denial of service thresholds on Unified CM. This is
because all the calls arriving at Unified CM are from the same Expressway-C (cluster).
If necessary, we recommend that you increase the level of the SIP Station TCP Port Throttle Threshold (System >
Service Parameters, and select the Cisco CallManager service) to 750 KB/second.
Expressway Automated Intrusion Protection
On Expressway-C:
The Expressway-C receives a lot of inbound traffic from Unified CM and from the Expressway-E when it is used for
Mobile and Remote Access.
If you want to enable automated protection on the Expressway-C, you should add exemptions for all hosts that use
the automatically created neighbor zones and the Unified Communications secure traversal zone. The Expressway
does not automatically create exemptions for discovered Unified CM or related nodes.
On Expressway-E:
You may need to enable the Automated protection service (System > System administration) if it is not yet running.
To protect against malicious attempts to access the HTTP proxy, you can configure automated intrusion protection on
the Expressway-E (System > Protection > Automated detection > Configuration).
We recommend that you enable the following categories on the Expressway-E:
■ HTTP proxy authorization failure and HTTP proxy protocol violation. Note: Do not enable the HTTP proxy
resource access failure category.
■ XMPP protocol violation
Note:
The Automated protection service uses Fail2ban software. It protects against brute force attacks that originate
from a single source IP address.
Mobile and Remote Access Through Cisco Expressway Deployment Guide
Additional Information