Cisco Expressway Maintenance Manual
| Setting | Cisco Unified Communications Manager | Cisco Unified Communications Manager (8.6.1 or later) | Nortel Communication Server 1000 | Infrastructure device | Default |
|---|---|---|---|---|---|
| SIP multipart MIME strip mode | Off | Off | Off | Off | Off |
| SIP UPDATE strip mode | Off | Off | On | Off | Off |
| Interworking SIP search strategy | Options | Options | Options | Options | Options |
| SIP UDP/BFCP filter mode | On | Off | Off | Off | Off |
| SIP UDP/IX filter mode | On | On | On | On | Off |
| SIP record route address type | IP | IP | IP | IP | IP |
| SIP Proxy-Require header strip list | &lt;blank&gt; | &lt;blank&gt; | "com.nortelnetworks.firewall" | &lt;blank&gt; | &lt;blank&gt; |
TLS Certificate Verification of Neighbor Systems
When a SIP TLS connection is established between an Expressway and a neighbor system, the Expressway can be
configured to check the X.509 certificate of the neighbor system to verify its identity. You do this by configuring the
zone’s TLS verify mode setting.
If TLS verify mode is enabled, the neighbor system's FQDN or IP address, as specified in the Peer address field of
the zone’s configuration, is used to verify against the certificate holder’s name contained within the X.509 certificate
presented by that system. (The name has to be contained in either the Subject Common Name or the Subject
Alternative Name attributes of the certificate.) The certificate itself must also be valid and signed by a trusted
certificate authority.
Note that for traversal server and DNS zones, the FQDN or IP address of the connecting traversal client is not
configured, so the required certificate holder’s name is specified separately.
If the neighbor system is another Expressway, or it is a traversal client / traversal server relationship, the two systems
can be configured to authenticate each other’s certificates. This is known as mutual authentication and in this case
each Expressway acts both as a client and as a server and therefore you must ensure that each Expressway’s
certificate is valid both as a client and as a server.
uploading the Expressway’s server certificate and uploading a list of trusted certificate authorities.
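The name, validity and client/server checks described in this section can be rehearsed before enabling TLS verify mode. The following is an added example, not taken from the Cisco guide and not Expressway's own logic: it works on the certificate dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`. Assumptions: names are matched exactly (no wildcard handling), an Extended Key Usage list, when supplied, must contain both purposes for mutual authentication, CA trust is not checked, and the sample certificate and clock are constructed.

```python
import ipaddress
import ssl

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "expe.example.com"),),),
    "subjectAltName": (("DNS", "expe.example.com"), ("IP Address", "192.0.2.10")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # constructed clock

def cert_names(cert):
    """Collect the Subject Common Name and the DNS/IP Subject Alternative Names."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    return names

def same_host(a, b):
    """Compare as IP addresses when both parse as IPs, otherwise as FQDNs."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a.rstrip(".").lower() == b.rstrip(".").lower()

def preflight(cert, peer_address, now, eku=None, mutual=False):
    """Return the reasons this certificate would be expected to fail verification."""
    problems = []
    # The zone's Peer address must appear in the CN or in a SAN entry
    if not any(same_host(peer_address, n) for n in cert_names(cert)):
        problems.append("name mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # Assumption: with mutual authentication the EKU list must allow both roles
    if mutual and eku is not None and not {SERVER_AUTH, CLIENT_AUTH} <= set(eku):
        problems.append("not valid as both client and server")
    return problems
```

An empty list means none of the modelled checks failed for that peer address.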
Configuring a Zone for Incoming Calls Only
To configure a zone so that it is never sent an alias search request (for example if you only want to receive incoming
calls from this zone), do not define any search rules that have that zone as their target.
In this scenario, when viewing the zone, you can ignore the warning indicating that search rules have not been
configured.
Cisco Expressway Administrator Guide