Cisco TelePresence Video Communication Server Expressway
By default, zones and subzones are configured as Do not check credentials.
Using Delegated Credential Checking
If you have enabled device authentication in your network (by using an Authentication policy of Check credentials)
and you have remote workers (outside the enterprise) with SIP devices, you should consider enabling delegated
credential checking. In summary, this would require you to:
■ Set up a secure traversal zone between the VCS Expressway and the VCS Control.
■ Enable the VCS Expressway and the VCS Control's SIP settings, traversal zones and required SIP domains for
delegated credential checking.
■ Configure the VCS Control with the relevant authentication mechanisms.
This means that remote workers can now register to the VCS Expressway (assuming it has its SIP registration proxy
mode set to Off) and be authenticated securely via the VCS Control against an authentication mechanism inside the
enterprise.
for full information on configuring device authentication and
delegated credential checking.
Task 19: Restricting Access to ISDN Gateways (Optional)
We recommend that you restrict unauthorized access to any ISDN gateway resources (also known as toll-fraud
prevention). Some methods to achieve this are described here.
In these examples, an ISDN gateway is registered to the VCS Control with a prefix of 9, and/or it has a neighbor zone
specified that routes calls starting with a 9.
VCS Expressway
Two search rules are created on the VCS Expressway:
■ Both rules have a pattern string that matches calls directed at the ISDN gateway. (In this example calls
prefixed with a 9.)
■ The first rule has a Source of All zones. This allows calls from registered endpoints and neighbor zones to pass
through to the traversal zone.
■ The second rule is similar to the first rule but has a Source of All. So it includes nonregistered endpoints
(which are excluded from the previous rule). They can be stopped by defining the Replace string as
"do-not-route-this-call".
■ Both rules stop any further search rules from being looked at (On successful match = Stop).
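A simplified model of how the two rules interact, added here as an illustration; it is not part of the Cisco guide and not VCS code. The caller classes, rule names, priorities, the `9\d+` pattern and the sample number are assumptions. It also shows that swapping the rule order would block registered callers too.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Caller classes in this model (names are assumptions, not VCS identifiers).
REGISTERED, NEIGHBOR, UNREGISTERED = "registered", "neighbor-zone", "unregistered"

@dataclass
class SearchRule:
    name: str
    priority: int                # lower number is evaluated first (assumed)
    source: str                  # "All zones" or "All", as named on this page
    pattern: str                 # regex the whole dialled alias must match
    replace: Optional[str]       # None leaves the alias unchanged
    stop_on_match: bool = True   # On successful match = Stop

    def applies_to(self, caller: str) -> bool:
        # "All zones" covers registered endpoints and neighbor zones;
        # "All" also covers nonregistered endpoints.
        if self.source == "All zones":
            return caller in (REGISTERED, NEIGHBOR)
        return self.source == "All"

def route(rules, caller, alias):
    """Return (matching rule name, alias passed on); (None, alias) if no rule matched."""
    result = (None, alias)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.applies_to(caller) and re.fullmatch(rule.pattern, alias):
            result = (rule.name, alias if rule.replace is None else rule.replace)
            if rule.stop_on_match:   # no lower-priority rule is looked at
                break
    return result

ISDN = r"9\d+"                   # constructed pattern: calls prefixed with a 9
BLOCK = "do-not-route-this-call"
RULES = [SearchRule("allow-isdn", 40, "All zones", ISDN, None),
         SearchRule("block-isdn", 41, "All", ISDN, BLOCK)]
# Same rules in the wrong order: the block rule now wins for every caller.
SWAPPED = [SearchRule("allow-isdn", 41, "All zones", ISDN, None),
           SearchRule("block-isdn", 40, "All", ISDN, BLOCK)]

if __name__ == "__main__":
    number = "901234567890"      # constructed ISDN number
    for caller in (REGISTERED, NEIGHBOR, UNREGISTERED):
        print(f"{caller:13} -> {route(RULES, caller, number)}")
    print(f"swapped order -> {route(SWAPPED, REGISTERED, number)}")
```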
To create the search rules:
1. Go to Configuration > Dial plan > Search rules.
2. Click New.
Cisco VCS Expressway and VCS Control - Basic Configuration Deployment Guide
Optional Configuration Tasks