Cisco Cisco Expressway Maintenance Manual
■
) that can have a media
encryption policy applied.
■
Configuring the B2BUA for Media Encryption
The B2BUA used for encryption (and ICE support) is a different instance to the B2BUA used for Microsoft
interoperability. The Microsoft interoperability service B2BUA has to be manually configured and enabled, the B2BUA
used for encryption is automatically enabled whenever an encryption policy is applied.
interoperability. The Microsoft interoperability service B2BUA has to be manually configured and enabled, the B2BUA
used for encryption is automatically enabled whenever an encryption policy is applied.
Configuring ICE Messaging Support
The ICE support option is a per-zone configuration setting that controls how the Expressway supports ICE messages
to and from SIP devices within that zone.
to and from SIP devices within that zone.
The behavior depends upon the configuration of the ICE support setting on the incoming (ingress) and outgoing
(egress) zone. When there is a mismatch of settings i.e. On on one side and Off on the other side, the Expressway
invokes its back-to-back user agent (B2BUA) to perform ICE negotiation with the relevant host.
(egress) zone. When there is a mismatch of settings i.e. On on one side and Off on the other side, the Expressway
invokes its back-to-back user agent (B2BUA) to perform ICE negotiation with the relevant host.
All zones have ICE support set to Off by default.
When the B2BUA performs ICE negotiation with a host, it can offer TURN relay candidate addresses. To do this, the
B2BUA must be configured with the addresses of the TURN servers to offer (via Applications > B2BUA > B2BUA
TURN servers).
B2BUA must be configured with the addresses of the TURN servers to offer (via Applications > B2BUA > B2BUA
TURN servers).
The following matrix shows the Expressway behavior for the different possible combinations of the ICE support
setting when handling a call between, for example, zone A and zone B:
setting when handling a call between, for example, zone A and zone B:
ICE
support
setting
support
setting
Zone A
Off
On
Zone
B
B
Off
Standard Expressway proxying behavior.
B2BUA is not normally invoked (however, see the
note below regarding media encryption policy).
note below regarding media encryption policy).
B2BUA is invoked.
B2BUA includes ICE candidates in messages to
hosts in Zone A.
hosts in Zone A.
On
B2BUA is invoked.
B2BUA includes ICE candidates in messages to
hosts in Zone B.
hosts in Zone B.
Standard Expressway proxying behavior.
B2BUA is not normally invoked (however, see the
note below regarding media encryption policy).
note below regarding media encryption policy).
Effect of media encryption policy when combined with ICE support
(any encryption setting other than
Auto). This table shows the effect on ICE negotiation behavior depending on the ICE support and media encryption
modes of the ingress and egress zones:
modes of the ingress and egress zones:
ICE support
Media encryption
mode
mode
B2BUA
invoked
invoked
Effect on ICE negotiation
Both zones = Off
At least one zone is
not Auto
not Auto
Yes
The B2BUA will not perform any ICE negotiation with
either host.
either host.
Both zones = On
At least one zone is
not Auto
not Auto
Yes
The B2BUA will perform ICE negotiation with both hosts.
Both zones = On
Both zones = Auto
No
The Expressway will not offer any TURN relay candidate
addresses to either of the ICE capable hosts. However,
note that each host device may have already been
provisioned with TURN relay candidate addresses.
addresses to either of the ICE capable hosts. However,
note that each host device may have already been
provisioned with TURN relay candidate addresses.
128
Cisco Expressway Administrator Guide
Zones and Neighbors