Cisco Cisco TelePresence Video Communication Server Expressway Maintenance Manual
2.
Install on both VCSs the trusted Certificate Authority (CA) certificates of the authority that signed the VCS's
server certificates.
server certificates.
There are additional trust requirements, depending on the Unified Communications features being deployed.
For mobile and remote access deployments:
—
The VCS Control must trust the Unified CM and IM&P tomcat certificate.
—
If appropriate, both the VCS Control and the VCS Expressway must trust the authority that signed the
endpoints' certificates.
endpoints' certificates.
For Jabber Guest deployments:
—
When the Jabber Guest server is installed, it uses a self-signed certificate by default. However, you can
install a certificate that is signed by a trusted certificate authority. You must install on the VCS Control
either the self-signed certificate of the Jabber Guest server, or the trusted CA certificates of the authority
that signed the Jabber Guest server's certificate.
install a certificate that is signed by a trusted certificate authority. You must install on the VCS Control
either the self-signed certificate of the Jabber Guest server, or the trusted CA certificates of the authority
that signed the Jabber Guest server's certificate.
To upload trusted Certificate Authority (CA) certificates to the VCS, go to Maintenance > Security certificates
> Trusted CA certificate. You must restart the VCS for the new trusted CA certificate to take effect.
> Trusted CA certificate. You must restart the VCS for the new trusted CA certificate to take effect.
for full information about how to create and upload the
VCS’s server certificate and how to upload a list of trusted certificate authorities.
Configuring Encrypted VCS Traversal Zones
To support Unified Communications features via a secure traversal zone connection between the VCS Control and
the VCS Expressway:
the VCS Expressway:
■
The VCS Control and VCS Expressway must be configured with a zone of type Unified Communications
traversal. This automatically configures an appropriate traversal zone (a traversal client zone when selected
on a VCS Control, or a traversal server zone when selected on a VCS Expressway) that uses SIP TLS with TLS
verify mode set to On, and Media encryption mode set to Force encrypted.
traversal. This automatically configures an appropriate traversal zone (a traversal client zone when selected
on a VCS Control, or a traversal server zone when selected on a VCS Expressway) that uses SIP TLS with TLS
verify mode set to On, and Media encryption mode set to Force encrypted.
■
Both VCSs must trust each other's server certificate. As each VCS acts both as a client and as a server you
must ensure that each VCS’s certificate is valid both as a client and as a server.
must ensure that each VCS’s certificate is valid both as a client and as a server.
■
If an H.323 or a non-encrypted connection is also required, a separate pair of traversal zones must be
configured.
configured.
To set up a secure traversal zone, configure your VCS Control and VCS Expressway as follows:
1.
Go to Configuration > Zones > Zones.
2.
Click New.
55
Cisco TelePresence Video Communication Server Administrator Guide