Cisco Cisco TelePresence Video Communication Server Expressway
Configuring VCS authentication policy
VCS Deployment Guide: Authenticating Devices (VCS X7.0)
Page 10 of 44
Hierarchical dial plan (directory VCS) deployments
When introducing authentication into video networks which have a hierarchical dial plan with a
directory VCS, authentication problems can occur if:
directory VCS, authentication problems can occur if:
any VCS in the network uses a different authentication database from any other VCS in the
network, and
network, and
credential checking is enabled on the Default Zone of each node VCS, and
the directory VCS or any other VCS in a signaling path can optimize itself out of the call routing
path
path
In such deployments, each VCS must be configured with a neighbor zone between itself and every
other VCS in the network. Each zone must be configured with an Authentication policy of Do not
check credentials. (No search rules are required for these neighbor zones; the zones purely provide a
mechanism for trusting messages between VCSs.)
other VCS in the network. Each zone must be configured with an Authentication policy of Do not
check credentials. (No search rules are required for these neighbor zones; the zones purely provide a
mechanism for trusting messages between VCSs.)
This is required because, otherwise, some messages such as SIP RE-INVITES, which are sent
directly between VCSs (due to optimal call routing), will be categorized as coming from the Default
Zone. The VCS will then attempt to authenticate the message and this may fail as it may not have the
necessary credentials in its authentication database. This means that the message will be rejected
and the call may be dropped. However, if the node VCSs have a neighbor zone relationship then the
message will be identified as coming through that neighbor zone, the VCS will not perform any
credential checking and the message will be accepted.
directly between VCSs (due to optimal call routing), will be categorized as coming from the Default
Zone. The VCS will then attempt to authenticate the message and this may fail as it may not have the
necessary credentials in its authentication database. This means that the message will be rejected
and the call may be dropped. However, if the node VCSs have a neighbor zone relationship then the
message will be identified as coming through that neighbor zone, the VCS will not perform any
credential checking and the message will be accepted.
Deployments with multiple regional / subnetwork directory VCSs
If your deployment is segmented into multiple regional subnetworks, each with their own directory
VCS, it is not feasible (or recommended) to set up neighbor zones between each and every VCS
across the entire network.
VCS, it is not feasible (or recommended) to set up neighbor zones between each and every VCS
across the entire network.
In this scenario you should configure each subnetwork as described above – i.e. set up neighbor
zones between each of the VCSs managed by the same directory VCS – and then configure the
neighbor zones between each directory VCS so that they do stay in the call signaling path on calls
crossing subnetworks between those directory VCSs. To do this:
zones between each of the VCSs managed by the same directory VCS – and then configure the
neighbor zones between each directory VCS so that they do stay in the call signaling path on calls
crossing subnetworks between those directory VCSs. To do this:
1. On the directory VCS, go to the
Zones
page (
VCS configuration > Zones
) and then click on the
relevant zone to the other directory VCS.
2. On the
Edit zones
page, scroll down to the Advanced section and set Zone profile to Custom.
3. Set Call signaling routed mode to Always.
4. Click Save.
5. Repeat this for the equivalent zone definition on the “other” directory VCS, and then repeat the
entire process for any other zone configurations between any other directory VCSs.
Note: do not modify the directory VCS’s primary Call signaling routed mode setting on the
Calls
page.
This means that the each directory VCS will stay in the call signaling path for calls that go between
subnetworks. Each directory VCS will still be able to optimize itself out of the call signaling path for
calls entirely within each subnetwork.
subnetworks. Each directory VCS will still be able to optimize itself out of the call signaling path for
calls entirely within each subnetwork.
You must also ensure that you have sufficient non-traversal and traversal licenses on each directory
VCS to handle those calls going between each subnetwork.
VCS to handle those calls going between each subnetwork.
Infrastructure devices
You are recommended to configure your VCS so that infrastructure products, such as MCUs, register
to a dedicated subzone with an authentication policy set to Treat as authenticated.
to a dedicated subzone with an authentication policy set to Treat as authenticated.