Cisco Expressway Maintenance Manual
Configuring Default Zone access rules
Create Default Zone access rules (Configuration > Zones > Default Zone access rules) to control which external
systems are allowed to connect over SIP TLS to the Expressway via the Default Zone.
For each rule, you specify a pattern to compare against the CN (and any SANs) in the certificates received from
external systems. You can then choose whether to allow or deny access to systems that present matching
certificates. Up to 10,000 rules can be configured.
The switch that controls whether these rules are applied to the Default Zone is on the Configuration > Zones >
Zones > Default Zone page. See
Field / Description / Usage tips

Name
  The name assigned to the rule.

Description
  An optional free-form description of the rule.

Priority
  Determines the order in which the rules are applied if the certificate names match multiple rules. The
  rules with the highest priority (1, then 2, then 3 and so on) are applied first. Multiple rules with the
  same priority are applied in configuration order.

Pattern type
  The way in which the Pattern string must match the Subject Common Name or any Subject Alternative Names
  contained within the certificate.
  Exact: the entire string must exactly match the name, character for character.
  Prefix: the string must appear at the beginning of the name.
  Suffix: the string must appear at the end of the name.
  Usage tips: you can test whether a pattern matches a particular name with the Check pattern tool
  (Maintenance > Tools > Check pattern).

Pattern string
  The pattern against which the name is compared.

Action
  The action to take if the certificate matches this access rule.
  Allow: allows the external system to connect via the Default Zone.
  Deny: rejects any connection requests received from the external system.

State
  Indicates if the rule is enabled or not.
  Usage tips: use this setting to test configuration changes, or to temporarily disable certain rules. Any
  disabled rules still appear in the rules list but are ignored.
Table 5 Default Zone Access Rule Parameters
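The following is an added, offline model of the evaluation the table above describes; it is example code, not Cisco's implementation, and it models only the name matching, not validation of the certificate itself. Enabled rules are tried in priority order (1 before 2 before 3), rules of equal priority in configuration order, and each rule's pattern is compared character for character against the Subject CN and every SAN; the first match decides Allow or Deny. The rule names, domains, the PeerCertificate stand-in and the assumption that matching is case-sensitive are all constructed for the example, and because the page does not say what happens when no rule matches, the evaluator returns None in that case and leaves the decision to the caller.

```python
"""Offline model of Expressway Default Zone access rule evaluation (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AccessRule:
    name: str
    priority: int
    pattern_type: str  # "exact", "prefix" or "suffix", as in the parameter table
    pattern: str
    action: str        # "allow" or "deny"
    enabled: bool = True


@dataclass
class PeerCertificate:
    """Constructed stand-in for the names read out of a peer's X.509 certificate."""
    common_name: str
    sans: List[str]

    def names(self) -> List[str]:
        # The pattern is compared against the Subject CN and any Subject Alternative Names.
        return [self.common_name, *self.sans]


def pattern_matches(pattern_type: str, pattern: str, name: str) -> bool:
    """Character-for-character comparison, as the table describes (assumed case-sensitive)."""
    if pattern_type == "exact":
        return name == pattern
    if pattern_type == "prefix":
        return name.startswith(pattern)
    if pattern_type == "suffix":
        return name.endswith(pattern)
    raise ValueError(f"unknown pattern type: {pattern_type}")


def rule_matches(rule: AccessRule, cert: PeerCertificate) -> bool:
    """A rule matches if its pattern matches the CN or any one of the SANs."""
    return any(pattern_matches(rule.pattern_type, rule.pattern, n) for n in cert.names())


def evaluate(rules: List[AccessRule], cert: PeerCertificate) -> Optional[Tuple[str, str]]:
    """Return (action, rule name) of the first enabled rule that matches, or None if none does.

    `rules` is taken to be in configuration order. sorted() is stable, so rules with the
    same priority keep that order, which is the tie-break the table specifies. Disabled
    rules stay in the list but are skipped, exactly as the State field describes.
    """
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.priority):
        if rule_matches(rule, cert):
            return rule.action, rule.name
    return None  # no rule matched; the page does not state Expressway's behaviour here


# Constructed rule set (hypothetical rule names and domains, not from the page).
RULES = [
    AccessRule("block-test-systems", 1, "prefix", "test-", "deny", enabled=False),
    AccessRule("deny-revoked-peer", 1, "exact", "blocked.example.com", "deny"),
    AccessRule("allow-own-domain", 2, "suffix", ".example.com", "allow"),
    AccessRule("allow-partner", 2, "exact", "sip.partner.example.org", "allow"),
]


if __name__ == "__main__":
    for cert in (
        PeerCertificate("test-vcs.example.com", []),                          # disabled deny rule is ignored
        PeerCertificate("blocked.example.com", []),                           # priority 1 deny beats priority 2 allow
        PeerCertificate("gateway.partner.example.org", ["sip.partner.example.org"]),  # matched via a SAN
        PeerCertificate("sip.other.example.net", []),                         # no rule matches
    ):
        print(cert.common_name, "->", evaluate(RULES, cert))
```

Two points worth checking with the Check pattern tool before enabling the rules: a Suffix pattern is a plain string comparison, so `example.com` also matches `notexample.com`, whereas `.example.com` matches only names inside that domain; and because the first match wins, a Deny rule that should override a broad Allow must carry a numerically lower priority (or come earlier in configuration order when priorities are equal).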
Cisco Expressway Administrator Guide
Zones and Neighbors