Cisco Cisco TelePresence Video Communication Server Expressway
Optional configuration steps
Cisco VCS Basic Configuration (Single VCS Control) Deployment Guide
Page 24 of 32
Restrict access to ISDN gateways (optional)
Cisco VCS users are recommended to take appropriate action to restrict unauthorized access to any ISDN
gateway resources (also known as toll-fraud prevention). This optional step shows some methods in which
this can be achieved.
gateway resources (also known as toll-fraud prevention). This optional step shows some methods in which
this can be achieved.
In these examples, an ISDN gateway is registered to the VCS Control with a prefix of 9 (and/or has a
neighbour zone specified that routes calls starting with a 9).
neighbour zone specified that routes calls starting with a 9).
This example shows how to configure the VCS Control to stop calls coming in from the gateway from being
able to route calls back out of the gateway. This is done by loading some specially constructed CPL onto the
VCS Control and configuring its Call policy mode to use Local CPL.
able to route calls back out of the gateway. This is done by loading some specially constructed CPL onto the
VCS Control and configuring its Call policy mode to use Local CPL.
Create a CPL file
The CPL file to be uploaded onto the VCS can be created in a text editor.
Here are 2 example sets of CPL. In these examples:
n
“GatewayZone” is the neighbour zone to the ISDN gateway
n
“GatewaySubZone” is the subzone to the ISDN gateway (required if the gateway registers the 9 prefix to
the VCS)
the VCS)
n
Calls coming into the ISDN gateway and hitting a FindMe will not ring devices that use the gateway – for
example, calls forwarded to a mobile phone will be disallowed
example, calls forwarded to a mobile phone will be disallowed
This example CPL excludes any checking of whether the calling party is authenticated or not:
<?xml version="1.0" encoding="UTF-8" ?>
<cpl xmlns="urn:ietf:params:xml:ns:cpl"
xmlns:taa="http://www.tandberg.net/cpl-extensions"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
<taa:routed>
<taa:rule-switch>
<!--Check that gateway is not hairpinning call - Neighbor zone -->
<taa:rule originating-zone="GatewayZone" destination="9.*">
<!-- Calls coming from the gateway are not allowed to send calls back out of this
gateway -->
<!-- Reject call with a status code of 403 (Forbidden) -->
<reject status="403" reason="ISDN hairpin call denied"/>
</taa:rule>
<!-- Check that gateway is not hairpinning call - Subzone for registered gateway -->
<taa:rule originating-zone="GatewaySubZone" destination="9.*">
<!-- Calls coming from the gateway are not allowed to send calls back out of this
gateway -->
<!-- Reject call with a status code of 403 (Forbidden) -->
<reject status="403" reason="ISDN hairpin call denied"/>
</taa:rule>
<taa:rule origin=".*" destination=".*">
<!-- All other calls allowed -->
<proxy/>
</taa:rule>
</taa:rule-switch>
</taa:routed>