Cisco Cisco Expressway Maintenance Manual
Configuring media encryption policy
The media encryption policy settings allow you to selectively add or remove media encryption capabilities for
SIP calls flowing through the Expressway. This allows you to configure your system so that, for example, all
traffic arriving or leaving an Expressway-E from the public internet is encrypted, but is unencrypted when in
your private network.
SIP calls flowing through the Expressway. This allows you to configure your system so that, for example, all
traffic arriving or leaving an Expressway-E from the public internet is encrypted, but is unencrypted when in
your private network.
n
The policy is configured on a per zone basis and applies only to that leg of the call in/out of that zone.
n
Encryption is applied to the SIP leg of the call, even if other legs are H.323.
Media encryption policy is configured through the Media encryption mode setting on each zone, however
the resulting encryption status of the call is also dependent on the encryption policy settings of the target
system (such as an endpoint or another Expressway).
the resulting encryption status of the call is also dependent on the encryption policy settings of the target
system (such as an endpoint or another Expressway).
The encryption mode options are:
n
Force encrypted: all media to and from the zone must be encrypted. If the target system/endpoint is
configured to not use encryption, then the call will be dropped.
configured to not use encryption, then the call will be dropped.
n
Force unencrypted: all media must be unencrypted. If the target system/endpoint is configured to use
encryption, then the call may be dropped; if it is configured to use Best effort then the call will fall back to
unencrypted media.
encryption, then the call may be dropped; if it is configured to use Best effort then the call will fall back to
unencrypted media.
n
Best effort: use encryption if available, otherwise fall back to unencrypted media.
n
Auto: no specific media encryption policy is applied by the Expressway. Media encryption is purely
dependent on the target system/endpoint requests. This is the default behavior and is equivalent to how the
Expressway operated before this feature was introduced.
dependent on the target system/endpoint requests. This is the default behavior and is equivalent to how the
Expressway operated before this feature was introduced.
Encryption policy (any encryption setting other than Auto) is applied to a call by routing it through a back-to-
back user agent (B2BUA) hosted on the Expressway.
back user agent (B2BUA) hosted on the Expressway.
When configuring your system to use media encryption you should note that:
n
Any zone with an encryption mode of Force encrypted or Force unencrypted must be configured as a SIP-
only zone (H.323 must be disabled on that zone).
only zone (H.323 must be disabled on that zone).
n
TLS transport must be enabled if an encryption mode of Force encrypted or Best effort is required.
n
The call component routed through the B2BUA can be identified in the call history details as having a
component type of B2BUA.
component type of B2BUA.
n
) that can have a
media encryption policy applied.
n
is enabled.
Configuring the B2BUA for media encryption
The B2BUA used for encryption (and ICE support) is a different instance to the B2BUA used for Microsoft
Lync integration. Whereas the Lync B2BUA has to be manually configured and enabled, the B2BUA used for
encryption is automatically enabled whenever an encryption policy is applied.
Lync integration. Whereas the Lync B2BUA has to be manually configured and enabled, the B2BUA used for
encryption is automatically enabled whenever an encryption policy is applied.
Cisco Expressway Administrator Guide (X8.5)
Page 114 of 394
Zones and neighbors
Configuring media encryption policy