Cisco Cisco Expressway
Each time a client supplies credentials to authorize the user, the Expressway checks whether this attempt would
exceed the Maximum authorizations per period within the previous number of seconds specified by the Rate control
period.
exceed the Maximum authorizations per period within the previous number of seconds specified by the Rate control
period.
If the attempt would exceed the chosen maximum, then the Expressway rejects the attempt and issues the HTTP error
429 "Too Many Requests".
429 "Too Many Requests".
The authorization rate control settings are configurable in the Advanced section of the Configuration > Unified
Communications > Configuration page.
Communications > Configuration page.
Credential Caching
Note:
These settings do not apply to clients that are using SSO (common identity) for authenticating via MRA.
The Expressway caches endpoint credentials which have been authenticated by Unified CM. This caching improves
overall performance because the Expressway does not always have to submit endpoint credentials to Unified CM for
authentication.
overall performance because the Expressway does not always have to submit endpoint credentials to Unified CM for
authentication.
The caching settings are configurable in the Advanced section of the Configuration > Unified Communications
> Configuration page.
> Configuration page.
Credentials refresh interval specifies the lifetime of the authentication token issued by the Expressway to a
successfully authenticated client. A client that successfully authenticates should request a refresh before this token
expires, or it will need to re-authenticate. The default is 480 minutes (8 hours).
successfully authenticated client. A client that successfully authenticates should request a refresh before this token
expires, or it will need to re-authenticate. The default is 480 minutes (8 hours).
Credentials cleanup interval specifies how long the Expressway waits between cache clearing operations. Only
expired tokens are removed when the cache is cleared, so this setting is the longest possible time that an expired
token can remain in the cache. The default is 720 minutes (12 hours).
expired tokens are removed when the cache is cleared, so this setting is the longest possible time that an expired
token can remain in the cache. The default is 720 minutes (12 hours).
Unified CM Denial of Service Threshold
High volumes of mobile and remote access calls may trigger denial of service thresholds on Unified CM. This is
because all the calls arriving at Unified CM are from the same Expressway-C (cluster).
because all the calls arriving at Unified CM are from the same Expressway-C (cluster).
If necessary, we recommend that you increase the level of the SIP Station TCP Port Throttle Threshold (System >
Service Parameters, and select the Cisco CallManager service) to 750 KB/second.
Service Parameters, and select the Cisco CallManager service) to 750 KB/second.
Expressway Automated Intrusion Protection
You may need to enable the Automated protection service (System > System administration) if it is not yet running.
To protect against malicious attempts to access the HTTP proxy, you can configure automated intrusion protection on
the Expressway-E (System > Protection > Automated detection > Configuration).
the Expressway-E (System > Protection > Automated detection > Configuration).
We recommend that you enable the following categories on the Expressway-E:
■
HTTP proxy authorization failure and HTTP proxy protocol violation. Note: Do not enable the HTTP proxy
resource access failure category.
resource access failure category.
■
XMPP protocol violation
Note: The Automated protection service uses Fail2ban software. It protects against brute force attacks that
originate from a single source IP address.
originate from a single source IP address.
Appendix 1: Troubleshooting
40
Mobile and Remote Access Through Cisco Expressway Deployment Guide
Appendix 1: Troubleshooting