Cisco Cisco TelePresence Video Communication Server Expressway
n
Call, presence, and phone book request authentication is controlled by the Default Subzone (or relevant
alternative subzone) if the endpoint is registered, or by the Default Zone if the endpoint is not registered.
alternative subzone) if the endpoint is registered, or by the Default Zone if the endpoint is not registered.
By default, zones and subzones are configured as Do not check credentials.
Using delegated credential checking
If you have enabled device authentication in your network (by using an Authentication policy of Check
credentials) and you have remote workers (outside the enterprise) with SIP devices, you should consider
enabling delegated credential checking. In summary, this would require you to:
credentials) and you have remote workers (outside the enterprise) with SIP devices, you should consider
enabling delegated credential checking. In summary, this would require you to:
n
Set up a secure traversal zone between the VCS Expressway and the VCS Control.
n
Enable the VCS Expressway and the VCS Control's SIP settings, traversal zones and required SIP
domains for delegated credential checking.
domains for delegated credential checking.
n
Configure the VCS Control with the relevant authentication mechanisms.
This means that remote workers can now register to the VCS Expressway (assuming it has its SIP
registration proxy mode set to Off) and be authenticated securely via the VCS Control against an
authentication mechanism inside the enterprise.
registration proxy mode set to Off) and be authenticated securely via the VCS Control against an
authentication mechanism inside the enterprise.
for full information on configuring device
authentication and delegated credential checking.
Task 18: Restricting access to ISDN gateways (optional)
VCS users are recommended to take appropriate action to restrict unauthorized access to any ISDN
gateway resources (also known as toll-fraud prevention). This optional step shows some methods in which
this can be achieved.
gateway resources (also known as toll-fraud prevention). This optional step shows some methods in which
this can be achieved.
In these examples, an ISDN gateway is registered to the VCS Control with a prefix of 9 (and/or has a
neighbour zone specified that routes calls starting with a 9).
neighbour zone specified that routes calls starting with a 9).
VCS Expressway
Two search rules are created on the VCS Expressway:
n
both search rules have a pattern string that matches calls directed at the ISDN gateway — in this example,
calls that are prefixed by a 9
calls that are prefixed by a 9
n
the first rule has a Source of All zones; this allows calls from registered endpoints and neighbor zones to
be passed through to the traversal zone
be passed through to the traversal zone
n
the second rule is similar to the first rule but has a Source of All; this means that non-registered endpoints
(which are excluded from the previous rule) are included by this rule and can be stopped by defining the
Replace string as "do-not-route-this-call"
(which are excluded from the previous rule) are included by this rule and can be stopped by defining the
Replace string as "do-not-route-this-call"
n
both rules stop any further search rules from being looked at (On successful match = Stop).
To create the search rules:
1. Go to
Configuration > Dial plan > Search rules
.
2. Click New.
3. Configure the fields as follows:
Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway) Deploy-
ment Guide (X8.5.2)
ment Guide (X8.5.2)
Page 40 of 67
Optional configuration tasks