Cisco Cisco Expressway Maintenance Manual
Configuring Default Zone access rules
The Default Zone access rules (
Configuration > Zones > Default Zone access rules
) control which
external systems are allowed to connect over SIP TLS to the Expressway via the Default Zone.
Each rule specifies a pattern type and string that is compared to the identities (Subject Common Name and
any Subject Alternative Names) contained within the certificate presented by the external system. You can
then allow or deny access to systems whose certificates match the specified pattern. Up to 10,000 rules can
be configured.
any Subject Alternative Names) contained within the certificate presented by the external system. You can
then allow or deny access to systems whose certificates match the specified pattern. Up to 10,000 rules can
be configured.
access rules are enabled, then by default no systems will be allowed to connect over SIP TLS to the Default
Zone; you must set up the access rules for the systems you want to grant access. Note that the access rules
do not affect other connections to the Default Zone (H.323 and SIP UDP/TCP).
Zone; you must set up the access rules for the systems you want to grant access. Note that the access rules
do not affect other connections to the Default Zone (H.323 and SIP UDP/TCP).
The configurable options are:
Field
Description
Usage tips
Name
The name assigned to the rule.
Description An optional free-form description of the rule.
Priority
Determines the order in which the rules are applied if the
certificate names match multiple rules. The rules with the
highest priority (1, then 2, then 3 and so on) are applied first.
Multiple rules with the same priority are applied in
configuration order.
certificate names match multiple rules. The rules with the
highest priority (1, then 2, then 3 and so on) are applied first.
Multiple rules with the same priority are applied in
configuration order.
Pattern
type
type
The way in which the Pattern string must match the Subject
Common Name or any Subject Alternative Names contained
within the certificate.
Common Name or any Subject Alternative Names contained
within the certificate.
Exact: the entire string must exactly match the name,
character for character.
character for character.
Prefix: the string must appear at the beginning of the name.
Suffix: the string must appear at the end of the name.
Regex: treats the string as a
tool
(
Maintenance > Tools > Check
pattern
).
Pattern
string
string
The pattern against which the name is compared.
Action
The action to take if the certificate matches this access rule.
Allow: allows the external system to connect via the Default
Zone.
Zone.
Deny: rejects any connection requests received from the
external system.
external system.
State
Indicates if the rule is enabled or not.
Use this setting to test
configuration changes, or to
temporarily disable certain rules.
Any disabled rules still appear in
the rules list but are ignored.
configuration changes, or to
temporarily disable certain rules.
Any disabled rules still appear in
the rules list but are ignored.
Cisco Expressway Administrator Guide (X8.2)
Page 109 of 378
Zones and neighbors
Configuring Default Zone access rules