Cisco Cisco TelePresence Video Communication Server Expressway
VCS Control
1. Configure SIP domains (
Configuration > Domains
).
It must be configured with all of the domains for which it will receive delegated authentication checks.
2. Configure the relevant authentication mechanisms (local database, Active Directory Service or H.350
directory via LDAP).
3. Enable Delegated credential checking (
Configuration > Protocols > SIP
).
4. Ensure that the traversal client zone is configured to Accept delegated credential checks.
VCS Expressway
1. Configure SIP domains (
Configuration > Domains
).
It must be configured with all of the domains for which it will delegate authentication checks.
2. For each domain, choose the traversal zone over which the credential checks are to be delegated.
3. If NTLM / Active Directory Service authentication is required, ensure that NTLM protocol challenges
(
Configuration > Authentication > Devices > Active Directory Service
) is set to Auto.
4. Enable Delegated credential checking on the
SIP
page (
Configuration > Protocols > SIP
).
are set to Check credentials.
Note that any H.323 messages that arrive at the zones or subzones that are now configured to Check
credentials will still have those credentials checked via the relevant mechanisms (such as the local
database or H.350 directory) on that local VCS and they will not be delegated.
credentials will still have those credentials checked via the relevant mechanisms (such as the local
database or H.350 directory) on that local VCS and they will not be delegated.
6. If required as part of your dial plan, configure search rules that forward SIP call signaling messages to the
relevant traversal client zones.
(Note that no specific search rules are required to support the delegation of authentication messages to
the VCS Control.
(Note that no specific search rules are required to support the delegation of authentication messages to
the VCS Control.
The credential checking of authentication challenges made by the VCS Expressway should now be
delegated through the traversal zone to the VCS Control.
delegated through the traversal zone to the VCS Control.
Testing the credential checking service
To verify whether the VCS to which credential checking has been delegated is able to receive messages and
perform the relevant authentication checks:
perform the relevant authentication checks:
1. Go to
Configuration > Domains
.
2. Select the relevant domains.
3. Click Test credential checking service.
The system displays a
Results
section and reports whether the receiving VCS can be reached over the
traversal zone and, additionally, if it is able to perform credential checking for both NTLM and SIP digest
type challenges.
If you are not using NTLM authentication in your video network, and thus the receiving VCS is not
configured with a connection to an Active Directory Service, then the NTLM check will be expected to
fail.
type challenges.
If you are not using NTLM authentication in your video network, and thus the receiving VCS is not
configured with a connection to an Active Directory Service, then the NTLM check will be expected to
fail.
TURN services
If TURN services are enabled on the VCS Expressway and you also want to delegate the credential
checking of TURN server requests:
checking of TURN server requests:
1. Go to
Configuration > Traversal > TURN
.
2. Set Delegated credential checking to On.
Device Authentication on Cisco VCS Deployment Guide (VCS X8.1)
Page 13 of 55
Authentication policy