Cisco Cisco TelePresence Video Communication Server Expressway
Task 13: Restricting access to ISDN gateways (optional)
VCS users are recommended to take appropriate action to restrict unauthorized access to any ISDN
gateway resources (also known as toll-fraud prevention). This optional step shows some methods in which
this can be achieved.
gateway resources (also known as toll-fraud prevention). This optional step shows some methods in which
this can be achieved.
In these examples, an ISDN gateway is registered to the VCS Control with a prefix of 9 (and/or has a
neighbour zone specified that routes calls starting with a 9).
neighbour zone specified that routes calls starting with a 9).
This example shows how to configure the VCS Control to stop calls coming in via the gateway from being
able to route calls back out of the gateway. This is done by loading some specially constructed CPL onto the
VCS Control and configuring its Call policy mode to use Local CPL.
able to route calls back out of the gateway. This is done by loading some specially constructed CPL onto the
VCS Control and configuring its Call policy mode to use Local CPL.
Creating a CPL file
The CPL file to be uploaded onto the VCS can be created in a text editor.
Here are 2 example sets of CPL. In these examples:
n
“GatewayZone” is the neighbour zone to the ISDN gateway
n
“GatewaySubZone” is the subzone to the ISDN gateway (required if the gateway registers the 9 prefix to
the VCS)
the VCS)
n
Calls coming into the ISDN gateway and hitting a FindMe will not ring devices that use the gateway – for
example, calls forwarded to a mobile phone will be disallowed
example, calls forwarded to a mobile phone will be disallowed
This example CPL excludes any checking of whether the calling party is authenticated or not:
<?xml version="1.0" encoding="UTF-8" ?>
<cpl xmlns="urn:ietf:params:xml:ns:cpl"
xmlns:taa="http://www.tandberg.net/cpl-extensions"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
<taa:routed>
<taa:rule-switch>
<!--Check that gateway is not hairpinning call - Neighbor zone -->
<taa:rule originating-zone="GatewayZone" destination="9.*">
<!-- Calls coming from the gateway may not send calls back out of this gateway -->
<!-- Reject call with a status code of 403 (Forbidden) -->
<reject status="403" reason="ISDN hairpin call denied"/>
</taa:rule>
<!-- Check that gateway is not hairpinning call - Subzone for registered gateway -->
<taa:rule originating-zone="GatewaySubZone" destination="9.*">
<!-- Calls coming from the gateway may not send calls back out of this gateway -->
<!-- Reject call with a status code of 403 (Forbidden) -->
<reject status="403" reason="ISDN hairpin call denied"/>
</taa:rule>
<taa:rule origin=".*" destination=".*">
<!-- All other calls allowed -->
<proxy/>
</taa:rule>
</taa:rule-switch>
</taa:routed>
</cpl>
This example CPL also ensures that the calling party is authenticated:
Cisco TelePresence Video Communication Server Basic Configuration (Single VCS Control) Deployment
Guide (X8.5.2)
Guide (X8.5.2)
Page 22 of 30
Optional configuration tasks