Cisco Cisco TelePresence Video Communication Server Expressway Maintenance Manual
1.
Open up the Active Directory Users and Computers MMC snap-in.
2.
Under your BaseDN right-click and select New Organizational Unit.
3.
Create an Organizational unit called h350.
It is good practice to keep the H.350 directory in its own organizational unit to separate out H.350 objects from other
types of objects. This allows access controls to be setup which only allow the VCS read access to the BaseDN and
therefore limit access to other sections of the directory.
types of objects. This allows access controls to be setup which only allow the VCS read access to the BaseDN and
therefore limit access to other sections of the directory.
Add the H.350 objects:
1.
Create an ldif file with the following contents:
# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,DC=X
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
SIPIdentityUserName: meetingroom1
SIPIdentityPassword: mypassword
SIPIdentitySIPURI: sip:MeetingRoom@X
2.
Add the ldif file to the server using the command:
ldifde -i -c DC=X <ldap_base> -f filename.ldf
where:
<ldap_base>
is the base DN of your Active Directory Server.
The example above will add a single endpoint with an H.323 ID alias of
MeetingRoom1
, an E.164 alias of
626262
and a
SIP URI of
MeetingRoom@X
. The entry also has H.235 and SIP credentials of ID
meetingroom1
and password
mypassword
which are used during authentication.
H.323 registrations will look for the H.323 and H.235 attributes; SIP will look for the SIP attributes. Therefore if your
endpoint is registering with just one protocol you do not need to include elements relating to the other.
endpoint is registering with just one protocol you do not need to include elements relating to the other.
Note:
the SIP URI in the
ldif
file must be prefixed by
sip:
.
For information about what happens when an alias is not in the LDAP database see Source of aliases for
registration in the
registration in the
Securing with TLS
To enable Active Directory to use TLS, you must request and install a certificate on the Active Directory server. The
certificate must meet the following requirements:
certificate must meet the following requirements:
■
Be located in the Local Computer’s Personal certificate store. This can be seen using the Certificates MMC
snap-in.
snap-in.
■
Have the private details on how to obtain a key associated for use with it stored locally. When viewing the
certificate you should see a message saying “You have a private key that corresponds to this certificate’’.
certificate you should see a message saying “You have a private key that corresponds to this certificate’’.
■
Have a private key that does not have strong private key protection enabled. This is an attribute that can be
added to a key request.
added to a key request.
■
The Enhanced Key Usage extension includes the Server Authentication object identifier, again this forms part
of the key request.
of the key request.
■
Issued by a CA that both the domain controller and the client trust.
380
Cisco TelePresence Video Communication Server Administrator Guide
Reference Material