Cisco Systems and the ASA Services Module User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 20      Configuring Cisco Intercompany Media Engine Proxy
  Information About Cisco Intercompany Media Engine Proxy
As illustrated in 
. Enterprise B makes a PSTN call to enterprise A. That call completes 
successfully. Later, Enterprise B's Cisco Intercompany Media Engine server initiates validation 
procedures with Enterprise A. These validation procedures succeed. During the validation handshake, 
Enterprise B sends Enterprise A its domain name. Enterprise A verifies that this domain name is not on 
the blacklisted set of domains. Assuming it is not, Enterprise A creates a ticket. 
Subsequently, someone in Enterprise B calls that number again. That call setup message from Enterprise 
B to Enterprise A includes the ticket in the X-Cisco-UC-IME-Ticket header field in the SIP INVITE 
message. This message arrives at the Enterprise A ASA. The ASA verifies the signature and computes 
several checks on the ticket to make sure it is valid. If the ticket is valid, the ASA forwards the request 
to Cisco UCM (including the ticket). Because the ASA drops requests that lack a valid ticket, 
unauthorized calls are never received by Cisco UCM. 
The ticket password is a 128-bit random key, which can be thought of as a shared password between the 
adaptive security appliance and the Cisco Intercompany Media Engine server. This password is 
generated by the Cisco Intercompany Media Engine server and is used by a Cisco Intercompany Media 
Engine SIP trunk to generate a ticket to allow a call to be made between Cisco Intercompany Media 
Engine SIP trunks. A ticket is a signed object that contains a number of fields that grant permission to 
the calling domain to make a Cisco Intercompany Media Engine call to a specific number. The ticket is 
signed by the ticket password. 
The Cisco Intercompany Media Engine also requires that you configure an epoch for the password. The 
epoch contains an integer that updates each time that the password is changed. When the proxy is 
configured the first time and a password is entered for the first time, enter 1 for the epoch integer. 
You must increment the epoch value each time you change the password, to indicate the new password. 
Typically, you increment the epoch sequentially; however, the ASA allows you to choose any value when 
you update the epoch. If you change the epoch value, the tickets in use at remote enterprises become 
invalid. The incoming calls from the remote enterprises fall back to the PSTN until the terminating 
enterprise reissues tickets with the new epoch value and password.
The epoch and password that you configure on the ASA must match the epoch and password configured 
on the Cisco Intercompany Media Engine server. If you change the password or epoch on the ASA, you 
must update them on the Cisco Intercompany Media Engine server. See the Cisco Intercompany Media 
Engine server documentation for information. 
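The following Python sketch is an added illustration, not Cisco code, of the accept/drop behaviour described above and of why changing the password or epoch invalidates outstanding tickets. The JSON field layout, the HMAC-SHA256 signature, and the names `issue_ticket` and `asa_check` are assumptions; the page does not specify the real ticket format, signature algorithm, or the exact checks the ASA performs.

```python
import hashlib
import hmac
import json
import secrets

FIELDS = ("epoch", "domain", "number")  # assumed ticket fields, not Cisco's format


def _sign(password: bytes, fields: dict) -> str:
    # Assumption: the "signature" is modelled as HMAC-SHA256 under the ticket password.
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(password, body, hashlib.sha256).hexdigest()


def issue_ticket(password: bytes, epoch: int, domain: str, number: str) -> dict:
    """Modelled issuer: grant `domain` permission to call `number`."""
    fields = {"epoch": epoch, "domain": domain, "number": number}
    return {**fields, "sig": _sign(password, fields)}


def asa_check(ticket, password: bytes, epoch: int, invite_domain: str, invite_number: str) -> str:
    """Modelled ASA decision for a SIP INVITE: 'forward' or a 'drop: ...' reason."""
    if not ticket:
        return "drop: no ticket"
    fields = {k: ticket.get(k) for k in FIELDS}
    expected = _sign(password, fields).encode()
    presented = str(ticket.get("sig", "")).encode()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return "drop: bad signature"
    if fields["epoch"] != epoch:
        return "drop: stale epoch"
    # The ticket only grants this calling domain a call to this specific number.
    if (fields["domain"], fields["number"]) != (invite_domain, invite_number):
        return "drop: scope mismatch"
    return "forward"


if __name__ == "__main__":
    # Constructed sample values: a 128-bit random ticket password, epoch 1.
    pw1, pw2 = secrets.token_bytes(16), secrets.token_bytes(16)
    call = ("b.example", "+15550100")
    old = issue_ticket(pw1, 1, *call)
    print(asa_check(old, pw1, 1, *call))    # valid ticket is forwarded to Cisco UCM
    print(asa_check(None, pw1, 1, *call))   # INVITE without a ticket is dropped
    print(asa_check(old, pw2, 2, *call))    # after rotation the old ticket fails
    print(asa_check(issue_ticket(pw2, 2, *call), pw2, 2, *call))  # reissued ticket works
```

In this model a dropped INVITE corresponds to the call falling back to the PSTN until a ticket carrying the new epoch and password is reissued.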
Call Fallback to the PSTN
Cisco Intercompany Media Engine provides features that manage the QoS on the Internet, such as the 
ability to monitor QoS of the RTP traffic in real time and fall back to PSTN automatically if problems 
arise. Call fallback from Internet VoIP calls to the public switched telephone network (PSTN) can occur 
for two reasons: changes in connection quality and signal failure for the Cisco Intercompany Media 
Engine. 
Internet connections can vary wildly in their quality and vary over time. Therefore, even if a call is sent 
over VoIP because the quality of the connection was good, the connection quality might worsen mid-call. 
To ensure an overall good experience for the end user, Cisco Intercompany Media Engine attempts to 
perform a mid-call fallback.
Performing a mid-call fallback requires the adaptive security appliance to monitor the RTP packets 
coming from the Internet and send information into an RTP Monitoring Algorithm (RMA) API, which 
indicates to the adaptive security appliance whether fallback is required. If fallback is required, the 
adaptive security appliance sends a REFER message to Cisco UCM to tell it that it needs to fall back the 
call to PSTN.