Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 12 — Example AD direct authentication deployments
VCS Deployment Guide: Device authentication on Cisco VCS (VCS X7.1)
Page 44 of 47
VCS Control and VCS Expressway with Active
Directory (direct) authentication for proxied
registrations
Directory (direct) authentication for proxied
registrations
If the VCS Expressway cannot be connected directly to the AD server, then authentication can be
performed on the VCS Control.
performed on the VCS Control.
The SIP UA sends a request to the VCS Expressway, but authentication does not happen until
the request gets sent to the VCS Control.
the request gets sent to the VCS Control.
With proxied registrations the registration will occur on the VCS Control and will be challenged for
authentication. Proxying registrations results in media traversing the firewall in more cases.
authentication. Proxying registrations results in media traversing the firewall in more cases.
Setting
VCS Expressway
VCS Control
Setting
Cisco TMS
Provisioning
Public SIP
Server
VCS Expressway
IP address or
FQDN
AD configuration
Default Zone
Do not check credentials
Check credentials
Default Subzone
Do not check credentials
Check credentials
Traversal Zone
Do not check credentials
Check credentials
SIP domain
-
Domain for SIP account
SIP registration proxy mode
Proxy to known only
Off
SIP UA
VCS Expressway
VCS Control
Provisioning
server
Active
Directory
Subscribe
CSeq: <xxx> SUBSCRIBE
Subscribe
CSeq: <xxx> SUBSCRIBE
407 Proxy Authentication
Required
with SIP header: ‘Proxy-
Authenticate: NTLM
realm="<VCSHostID>",
qop="auth",
targetname="<VCSHostID>"’
407 Proxy Authentication
Required
with SIP header: ‘Proxy-
Authenticate: NTLM
AD
Database
VCS Expressway
VCS Control
Cisco TMS
Register
SIP UA