Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 12 — Example AD direct authentication deployments
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.1)
Page 41 of 47
VCS Control and VCS Expressway with Active
Directory (direct) authentication on VCS Control
Directory (direct) authentication on VCS Control
If the VCS Expressway cannot be connected directly to the AD server, then authentication can be
performed on the VCS Control.
performed on the VCS Control.
The SIP UA sends a request to the VCS Expressway, but authentication does not happen until
the request gets sent to the VCS Control.
the request gets sent to the VCS Control.
The registration takes place on the VCS Expressway, and as such is not authenticated.
Provisioning requests, and call requests sent to the VCS Control will be challenged for
authentication.
Provisioning requests, and call requests sent to the VCS Control will be challenged for
authentication.
Setting
VCS Expressway
VCS Control
Setting
Cisco TMS
Provisioning
Public SIP
Server
VCS Expressway
IP address or
FQDN
AD configuration
Default Zone
Do not check credentials
Check credentials
Default Subzone
Do not check credentials
Check credentials
Traversal Zone
Do not check credentials
Check credentials
SIP domain
Domain for SIP account
Domain for SIP account
SIP registration proxy mode
Off
Off
This example shows a subscribe for provisioning that is challenged using an AD (direct) authentication
challenge by the VCS Control:
challenge by the VCS Control:
SIP UA
VCS Expressway
VCS Control
Provisioning
server
Active
Directory
Subscribe
CSeq: <xxx> SUBSCRIBE
Subscribe
CSeq: <xxx> SUBSCRIBE
407 Proxy Authentication
Required
with SIP header: ‘Proxy-
Authenticate: NTLM
realm="<VCSHostID>",
qop="auth",
targetname="<VCSHostID>"’
407 Proxy Authentication
Required
with SIP header: ‘Proxy-
Authenticate: NTLM
realm="<VCSHostID>",
AD
Database
VCS Expressway
VCS Control
Cisco TMS
Register
SIP UA