Cisco Cisco Expressway 维护手册

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">

<taa:routed>

<address-switch field="destination">

<address regex="9(.*)">

<address-switch field="originating-zone">

<address is="TraversalZone">

<reject status="403" reason="Denied by policy"/>

</address>

</address-switch>

</address>

</address-switch>

</taa:routed>

</cpl>

Using the Taa:Rule-Switch Node

<?xml version="1.0" encoding="UTF-8" ?>

<cpl xmlns="urn:ietf:params:xml:ns:cpl"

xmlns:taa="http://www.tandberg.net/cpl-extensions"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">

<taa:routed>

<taa:rule-switch>

<taa:rule originating-zone="TraversalZone" destination="9(.*)">

<reject status="403" reason="Denied by policy"/>

</taa:rule>

<taa:rule origin="(.*)" destination="(.*)">

<proxy/>

</taa:rule>

</taa:rule-switch>

</taa:routed>

</cpl>

Changing the Default SSH Key

Using the default key means that SSH sessions established to the Expressway may be vulnerable to "man-in-the-
middle" attacks, so you are recommended to generate new SSH keys which are unique to your Expressway.

An alarm message "Security alert: the SSH service is using the default key” is displayed if your Expressway is still
configured with its factory default SSH key.

To generate a new SSH key for the Expressway:

Log into the CLI as root.

Type regeneratesshkey.

Type exit to log out of the root account.

Go to Maintenance > Restart. You are taken to the Restart page.

Check the number of calls currently in place.

Click Restart system and then confirm the restart when asked.

If you have a clustered Expressway system you must generate new SSH keys for every cluster peer. Log into each
peer in turn and follow the instructions above. You do not have to decluster or disable replication.

250

Cisco Expressway Administrator Guide

Reference Material