Cisco Expressway
Note that when discovering Unified CM and IM&P servers on Expressway-C, you must do this on the master
peer.
Authorization rate control
The Expressway can limit the number of times that any user's credentials can be used, in a given
configurable period, to authorize the user for collaboration services. This feature is designed to thwart
inadvertent or real denial of service attacks, which can originate from multiple client devices authorizing the
same user, or from clients that reauthorize more often than necessary.
Each time a client supplies credentials to authorize the user, the Expressway checks whether this attempt
would exceed the Maximum authorizations per period within the previous number of seconds specified by
the Rate control period.
If the attempt would exceed the chosen maximum, then the Expressway rejects the attempt and issues the
HTTP error 429 "Too Many Requests".
The authorization rate control settings are configurable in the Advanced section of the
Configuration > Unified Communications > Configuration page.
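The check described above can be modelled as a sliding window keyed on the user rather than on the device. This is an added example, not Cisco's code: the class and function names, the sample limits (3 authorizations per 60 seconds), the constructed events and the choice not to count rejected attempts are all assumptions.

```python
from collections import defaultdict, deque


class AuthorizationRateControl:
    """Sliding-window model of per-user authorization rate control (illustrative)."""

    def __init__(self, max_authorizations_per_period, rate_control_period_s):
        self.max_auths = max_authorizations_per_period
        self.period = rate_control_period_s
        # user -> timestamps (seconds) of accepted authorizations.
        # Keyed on the user only, so all of a user's devices share one budget.
        self._accepted = defaultdict(deque)

    def authorize(self, user, now):
        """Return the HTTP status for an authorization attempt at time `now`."""
        window = self._accepted[user]
        # Drop authorizations that fall outside the previous rate control period.
        while window and window[0] <= now - self.period:
            window.popleft()
        # Would this attempt exceed the maximum within that period?
        if len(window) >= self.max_auths:
            return 429  # Too Many Requests; rejected attempts are not counted (assumption)
        window.append(now)
        return 200


def replay(events, max_auths, period_s):
    """Replay (time, user, device) events and return the status of each one."""
    rc = AuthorizationRateControl(max_auths, period_s)
    return [rc.authorize(user, t) for t, user, _device in events]


# Constructed sample events: one user on three devices, plus a second user.
SAMPLE_EVENTS = [
    (0, "alice", "phone"),
    (5, "alice", "laptop"),
    (10, "alice", "tablet"),
    (12, "alice", "phone"),   # fourth attempt inside 60 s: rejected
    (12, "bob", "phone"),     # different user, separate budget
    (61, "alice", "laptop"),  # the t=0 authorization has aged out
]

if __name__ == "__main__":
    for event, status in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, 3, 60)):
        print(event, status)
```

When sizing the real settings, count every device a user signs in from, since each one draws on the same per-user allowance.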
Credential caching
Note: These settings do not apply to clients that are using SSO (common identity) for authenticating via
MRA.
The Expressway caches endpoint credentials which have been authenticated by Unified CM. This caching
improves overall performance because the Expressway does not always have to submit endpoint credentials
to Unified CM for authentication.
The caching settings are configurable in the Advanced section of the
Configuration > Unified Communications > Configuration page.
Credentials refresh interval specifies the lifetime of the authentication token issued by the Expressway to
a successfully authenticated client. A client that successfully authenticates should request a refresh before
this token expires, or it will need to re-authenticate. The default is 480 minutes (8 hours).
Credentials cleanup interval specifies how long the Expressway waits between cache clearing operations.
Only expired tokens are removed when the cache is cleared, so this setting is the longest possible time that
an expired token can remain in the cache. The default is 720 minutes (12 hours).
Unified CM denial of service threshold
High volumes of mobile and remote access calls may trigger denial of service thresholds on Unified CM. This
is because all the calls arriving at Unified CM are from the same Expressway-C (cluster).
If necessary, we recommend that you increase the level of the SIP Station TCP Port Throttle Threshold
(System > Service Parameters, and select the Cisco CallManager service) to 750 KB/second.
Expressway automated intrusion protection
You may need to enable the Automated protection service (System > System administration) if it is not
yet running.
Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.5.3)
Additional information