Cisco Cisco Expressway Maintenance Manual
TLS Certificate Verification of Neighbor Systems
When a SIP TLS connection is established between an Expressway and a neighbor system, the Expressway can be
configured to check the X.509 certificate of the neighbor system to verify its identity. You do this by configuring the
zone’s TLS verify mode setting.
configured to check the X.509 certificate of the neighbor system to verify its identity. You do this by configuring the
zone’s TLS verify mode setting.
If TLS verify mode is enabled, the neighbor system's FQDN or IP address, as specified in the Peer address field of
the zone’s configuration, is used to verify against the certificate holder’s name contained within the X.509 certificate
presented by that system. (The name has to be contained in either the Subject Common Name or the Subject
Alternative Name attributes of the certificate.) The certificate itself must also be valid and signed by a trusted
certificate authority.
the zone’s configuration, is used to verify against the certificate holder’s name contained within the X.509 certificate
presented by that system. (The name has to be contained in either the Subject Common Name or the Subject
Alternative Name attributes of the certificate.) The certificate itself must also be valid and signed by a trusted
certificate authority.
Note that for traversal server and DNS zones, the FQDN or IP address of the connecting traversal client is not
configured, so the required certificate holder’s name is specified separately.
configured, so the required certificate holder’s name is specified separately.
If the neighbor system is another Expressway, or it is a traversal client / traversal server relationship, the two systems
can be configured to authenticate each other’s certificates. This is known as mutual authentication and in this case
each Expressway acts both as a client and as a server and therefore you must ensure that each Expressway’s
certificate is valid both as a client and as a server.
can be configured to authenticate each other’s certificates. This is known as mutual authentication and in this case
each Expressway acts both as a client and as a server and therefore you must ensure that each Expressway’s
certificate is valid both as a client and as a server.
uploading the Expressway’s server certificate and uploading a list of trusted certificate authorities.
Configuring a Zone for Incoming Calls Only
To configure a zone so that it is never sent an alias search request (for example if you only want to receive incoming
calls from this zone), do not define any search rules that have that zone as its target.
calls from this zone), do not define any search rules that have that zone as its target.
In this scenario, when viewing the zone, you can ignore the warning indicating that search rules have not been
configured.
configured.
120
Cisco Expressway Administrator Guide
Zones and Neighbors