Cisco Expressway
■ Registration authentication is controlled by the Default Subzone configuration (or the relevant alternative subzone).
■ Initial provisioning subscription request authentication is controlled by the Default Zone configuration.
■ Call and phone book request authentication is controlled by the Default Subzone (or relevant alternative subzone) if the endpoint is registered, or by the Default Zone if the endpoint is not registered.
By default, zones and subzones are configured as Do not check credentials.
Task 15: Restricting Access to ISDN Gateways (Optional)
We recommend that you restrict unauthorized access to any ISDN gateway resources (also known as toll-fraud prevention). This section describes one way to achieve this.
In these examples, an ISDN gateway is registered to the Cisco Expressway-C with a prefix of 9, and/or it has a neighbor zone specified that routes calls starting with a 9.
This example describes how to configure the Cisco Expressway-C to stop calls that come in through the gateway from being able to route calls back out of the gateway.
To do this, you load some specially constructed CPL onto the Cisco Expressway-C and configure its Call policy mode to use Local CPL.
Creating a CPL File
The CPL file can be created in a text editor.
Here are two example sets of CPL. In these examples:
■ “GatewayZone” is the neighbor zone to the ISDN gateway.
■ “GatewaySubZone” is the subzone to the ISDN gateway (required if the gateway registers the 9 prefix to the Expressway).
■ Calls coming into the ISDN gateway and hitting a FindMe do not ring devices that use the gateway. So, for example, calls forwarded to a mobile phone are disallowed.
This example CPL excludes any checking of whether the calling party is authenticated:
<?xml version="1.0" encoding="UTF-8" ?>
<cpl xmlns="urn:ietf:params:xml:ns:cpl"
     xmlns:taa="http://www.tandberg.net/cpl-extensions"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
  <taa:routed>
    <taa:rule-switch>
      <!-- Check that gateway is not hairpinning call - Neighbor zone -->
      <taa:rule originating-zone="GatewayZone" destination="9.*">
        <!-- Calls coming from the gateway may not send calls back out of this gateway -->
        <!-- Reject call with a status code of 403 (Forbidden) -->
        <reject status="403" reason="ISDN hairpin call denied"/>
      </taa:rule>
      <!-- Check that gateway is not hairpinning call - Subzone for registered gateway -->
      <taa:rule originating-zone="GatewaySubZone" destination="9.*">
        <!-- Calls coming from the gateway may not send calls back out of this gateway -->
        <!-- Reject call with a status code of 403 (Forbidden) -->
        <reject status="403" reason="ISDN hairpin call denied"/>
      </taa:rule>
      <taa:rule origin=".*" destination=".*">
        <!-- All other calls allowed -->
        <proxy/>
      </taa:rule>
    </taa:rule-switch>
  </taa:routed>
</cpl>
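As an added example (not from the Cisco guide), the following Python script models the rule-switch above so the hairpin rules can be sanity-checked offline before the CPL is loaded onto the Expressway-C. It assumes first-matching-rule semantics and only understands the taa:rule, reject and proxy elements used in this example; real Expressway CPL evaluation is richer.

```python
import re
import xml.etree.ElementTree as ET

NS = {"cpl": "urn:ietf:params:xml:ns:cpl", "taa": "http://www.tandberg.net/cpl-extensions"}

# Constructed copy of the page's hairpin-prevention CPL (comments dropped).
CPL = """<cpl xmlns="urn:ietf:params:xml:ns:cpl"
     xmlns:taa="http://www.tandberg.net/cpl-extensions">
  <taa:routed>
    <taa:rule-switch>
      <taa:rule originating-zone="GatewayZone" destination="9.*">
        <reject status="403" reason="ISDN hairpin call denied"/>
      </taa:rule>
      <taa:rule originating-zone="GatewaySubZone" destination="9.*">
        <reject status="403" reason="ISDN hairpin call denied"/>
      </taa:rule>
      <taa:rule origin=".*" destination=".*">
        <proxy/>
      </taa:rule>
    </taa:rule-switch>
  </taa:routed>
</cpl>"""


def load_rules(cpl_text):
    """Return the taa:rule elements of the rule-switch, in document order."""
    root = ET.fromstring(cpl_text)
    return root.findall("taa:routed/taa:rule-switch/taa:rule", NS)


def decide(rules, zone, origin, destination):
    # Assumed semantics: first matching rule wins.
    # Returns ("reject", status, reason), ("proxy",) or ("no-match",).
    for rule in rules:
        want_zone = rule.get("originating-zone")    # exact zone/subzone name
        want_origin = rule.get("origin", ".*")      # regex on calling alias
        want_dest = rule.get("destination", ".*")   # regex on called alias
        if want_zone is not None and want_zone != zone:
            continue
        if not (re.fullmatch(want_origin, origin) and
                re.fullmatch(want_dest, destination)):
            continue
        reject = rule.find("cpl:reject", NS)
        if reject is not None:
            return ("reject", int(reject.get("status")), reject.get("reason"))
        if rule.find("cpl:proxy", NS) is not None:
            return ("proxy",)
    return ("no-match",)


def check_call(zone, origin, destination):
    return decide(load_rules(CPL), zone, origin, destination)
```

A call arriving from the gateway's zone or subzone and dialling a 9-prefixed alias is rejected with 403; every other call falls through to the catch-all proxy rule.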
Cisco Expressway Registrar Deployment Guide
Optional Configuration Tasks