Cisco Cisco TelePresence Video Communication Server Expressway
Configuring Delegated Credential Checking (SIP Only)
By default, the VCS uses the relevant credential checking mechanisms (local database, Active Directory Service or
H.350 directory via LDAP) on the same VCS that is performing the authentication challenge.
H.350 directory via LDAP) on the same VCS that is performing the authentication challenge.
Alternatively you can configure the VCS that is performing the authentication challenges to delegate the credential
checking of SIP messages, via a traversal zone, to another VCS (typically a VCS-C). Delegated credential checking is
useful in deployments where you want to allow devices to register on the VCS Expressway (so that, for example, calls
may be made without having to use a traversal license), but for security you want all communications with
authentication systems (such as an Active Directory server) to be performed inside the enterprise.
checking of SIP messages, via a traversal zone, to another VCS (typically a VCS-C). Delegated credential checking is
useful in deployments where you want to allow devices to register on the VCS Expressway (so that, for example, calls
may be made without having to use a traversal license), but for security you want all communications with
authentication systems (such as an Active Directory server) to be performed inside the enterprise.
■
Credential checking for both SIP Digest and NTLM messages may be delegated.
■
All messages must be for locally-defined SIP domains. You can delegate credential checking to different
traversal clients on a per domain basis if required.
traversal clients on a per domain basis if required.
The following diagram shows how incoming SIP messages (calls, registrations and so on) are challenged by the VCS
Expressway, but the checking of the credentials presented in response to those challenges is delegated to the VCS
Control.
Expressway, but the checking of the credentials presented in response to those challenges is delegated to the VCS
Control.
Configuring Your Video Communications Network for Delegated Credential Checking
Several configuration steps are involved, on both your VCS Expressway and your VCS Control, in setting up your
video network for delegated credential checking.
video network for delegated credential checking.
It is likely that much of this configuration, such as the set of local SIP domains, will already be in place, however the
sections below list all of the necessary configuration requirements.
sections below list all of the necessary configuration requirements.
VCS Expressway and VCS Control
There must be a secure traversal zone connection between the VCS Control and the VCS Expressway:
■
The VCS Control and VCS Expressway must be configured with a zone of type Unified Communications
traversal. This automatically configures an appropriate traversal zone (a traversal client zone when selected
on a VCS Control, or a traversal server zone when selected on a VCS-E) that uses SIP TLS with TLS verify
mode set to On, and Media encryption mode set to Force encrypted.
traversal. This automatically configures an appropriate traversal zone (a traversal client zone when selected
on a VCS Control, or a traversal server zone when selected on a VCS-E) that uses SIP TLS with TLS verify
mode set to On, and Media encryption mode set to Force encrypted.
■
Both VCSs must trust each other's server certificate. As each VCS acts both as a client and as a server you
must ensure that each VCS’s certificate is valid both as a client and as a server.
must ensure that each VCS’s certificate is valid both as a client and as a server.
■
If an H.323 or a non-encrypted connection is also required, a separate pair of traversal zones must be
configured.
configured.
11
Cisco VCS Authenticating Devices Deployment Guide