Cisco TelePresence Video Communication Server Expressway
Configuring VCS authentication policy
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.1)
Practical configuration of authentication policy
VCS Control
The table below contains practical guidelines for configuring authentication policy on a VCS Control.
Authentication point | Guideline
Default Zone | Use Check credentials.
Default Subzone | Use Check credentials.
Specific local subzones | For known local subnets, to avoid having to configure all local endpoints with credentials, use Treat as authenticated. Although this is a practical solution, it is recommended that no Treat as authenticated subzones are used, and that every endpoint is populated with appropriate and unique credentials and that Check credentials is used.
Other subzone | Use Check credentials.
Traversal zone | Use Check credentials. Always check the credentials of requests coming from the Expressway.
Neighbor zone | Use Do not check credentials and set SIP authentication trust mode to On.
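The guidelines in the VCS Control table above can be checked mechanically against a list of configured zones and subzones. The following is an added example, not part of the Cisco guide: the inventory format, the type names and the sample zone names and subnet are constructed for illustration and are not a VCS export format.

```python
CHECK = "Check credentials"
TREAT = "Treat as authenticated"
NO_CHECK = "Do not check credentials"

# Guideline per authentication point type, from the VCS Control table.
GUIDELINE = {
    "default_zone": CHECK, "default_subzone": CHECK, "local_subzone": CHECK,
    "other_subzone": CHECK, "traversal_zone": CHECK, "neighbor_zone": NO_CHECK,
}

def audit(points):
    """Return (name, severity, message) findings for a list of inventory rows."""
    findings = []
    for p in points:
        name, kind, policy = p["name"], p["type"], p["policy"]
        want = GUIDELINE.get(kind)
        if want is None:
            findings.append((name, "error", f"unknown type {kind!r}"))
            continue
        if kind == "local_subzone" and policy == TREAT:
            if p.get("subnets"):
                # Practical for known local subnets, but the guide advises against it.
                findings.append((name, "warn", f"{TREAT} on {', '.join(p['subnets'])}; "
                                 f"guide recommends unique credentials and {CHECK}"))
            else:
                findings.append((name, "error", f"{TREAT} with no known local subnet"))
        elif policy != want:
            findings.append((name, "error", f"policy is {policy!r}, guideline is {want!r}"))
        if kind == "neighbor_zone" and p.get("sip_auth_trust_mode") != "On":
            findings.append((name, "error", "SIP authentication trust mode should be On"))
    return findings

# Constructed inventory (names and subnets are made up for the example).
SAMPLE = [
    {"name": "DefaultZone", "type": "default_zone", "policy": CHECK},
    {"name": "DefaultSubzone", "type": "default_subzone", "policy": TREAT},
    {"name": "HQ-Rooms", "type": "local_subzone", "policy": TREAT, "subnets": ["10.20.0.0/24"]},
    {"name": "ToExpressway", "type": "traversal_zone", "policy": NO_CHECK},
    {"name": "PeerVCS", "type": "neighbor_zone", "policy": NO_CHECK, "sip_auth_trust_mode": "Off"},
]

if __name__ == "__main__":
    for name, severity, message in audit(SAMPLE):
        print(f"{severity.upper():5} {name}: {message}")
```

A "warn" finding marks the one deviation the table tolerates (Treat as authenticated on a known local subnet); everything else that differs from the table is reported as an error.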
VCS Expressway
Ideally, VCS Expressway authentication policy should follow exactly the same guidelines as for the
VCS Control. However, if AD Direct or H.350 access is required, many security policies will not allow a
device in a DMZ to access those resources. For practical reasons it is therefore recommended that
authentication is left to the VCS Control.
Use registration allow and deny lists to limit what can register to the Expressway. If it is required that
outbound calls may only be made by authenticated users, ensure that all call requests are routed to
the VCS Control and that it forwards back only those requests that it can authenticate.