Cisco Cisco Expressway Maintenance Manual
Setting
Cisco Unified
Communications
Manager
Communications
Manager
Cisco Unified
Communications
Manager (8.6.1
or later)
Communications
Manager (8.6.1
or later)
Nortel
Communication
Server 1000
Communication
Server 1000
Infrastructure
device
device
Default
SIP UPDATE strip mode
Off
Off
On
Off
Off
Interworking SIP search
strategy
strategy
Options
Options
Options
Options
Options
SIP UDP/BFCP filter mode
On
Off
Off
Off
Off
SIP UDP/IX filter mode
On
On
On
On
Off
SIP Duo Video filter mode
Off
Off
Off
Off
Off
SIP record route address
type
type
IP
IP
IP
IP
IP
SIP Proxy-Require header
strip list
strip list
<blank>
<blank>
"com.nortelnetw
orks.firewall"
orks.firewall"
<blank>
<blank>
.
TLS certificate verification of neighbor systems
When a SIP TLS connection is established between an Expressway and a neighbor system, the
Expressway can be configured to check the X.509 certificate of the neighbor system to verify its identity.
You do this by configuring the zone’s TLS verify mode setting.
Expressway can be configured to check the X.509 certificate of the neighbor system to verify its identity.
You do this by configuring the zone’s TLS verify mode setting.
If TLS verify mode is enabled, the neighbor system's FQDN or IP address, as specified in the Peer
address field of the zone’s configuration, is used to verify against the certificate holder’s name contained
within the X.509 certificate presented by that system. (The name has to be contained in either the Subject
Common Name or the Subject Alternative Name attributes of the certificate.) The certificate itself must also
be valid and signed by a trusted certificate authority.
address field of the zone’s configuration, is used to verify against the certificate holder’s name contained
within the X.509 certificate presented by that system. (The name has to be contained in either the Subject
Common Name or the Subject Alternative Name attributes of the certificate.) The certificate itself must also
be valid and signed by a trusted certificate authority.
Note that for traversal server and DNS zones, the FQDN or IP address of the connecting traversal client is
not configured, so the required certificate holder’s name is specified separately.
not configured, so the required certificate holder’s name is specified separately.
If the neighbor system is another Expressway, or it is a traversal client / traversal server relationship, the two
systems can be configured to authenticate each other’s certificates. This is known as mutual authentication
and in this case each Expressway acts both as a client and as a server and therefore you must ensure that
each Expressway’s certificate is valid both as a client and as a server.
systems can be configured to authenticate each other’s certificates. This is known as mutual authentication
and in this case each Expressway acts both as a client and as a server and therefore you must ensure that
each Expressway’s certificate is valid both as a client and as a server.
for more information about certificate verification and for instructions
on uploading the Expressway’s server certificate and uploading a list of trusted certificate authorities.
Configuring a zone for incoming calls only
To configure a zone so that it is never sent an alias search request (for example if you only want to receive
incoming calls from this zone), do not define any search rules that have that zone as its target.
incoming calls from this zone), do not define any search rules that have that zone as its target.
In this scenario, when viewing the zone, you can ignore the warning indicating that search rules have not
been configured.
been configured.
Cisco Expressway Administrator Guide (X8.5.2)
Page 133 of 403
Zones and neighbors
Configuring zones