Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 10 – Connecting Cisco VCS to CUCM using TLS (rather than TCP)
Cisco VCS Deployment Guide: CUCM v6.1, 7 and 8 with Cisco VCS X7 using a SIP trunk
Page 50 of 54
Update the VCS neighbor zone to CUCM to use TLS
Note: Cisco VCS will report that the CUCM zone is active even while it is communicating with CUCM
over TCP. The changes below are necessary to allow communications to happen over TLS.
over TCP. The changes below are necessary to allow communications to happen over TLS.
On Cisco VCS:
1. On the
Edit zone
page (
VCS configuration > Zones
, then select the zone to CUCM).
2. Configure the following fields:
SIP section
Port
5061
Transport
TLS
TLS verify mode
Off
Authentication trust mode
Off
Leave other parameters as previously configured.
3. Click Save.
Verify that the TLS connection is operational
To verify correct TLS operation, check that the Cisco VCS zone reports its status as active and then
make some test calls:
make some test calls:
1. Check the Cisco VCS zone is active:
a. Go to
VCS configuration > Zones
.
b. Check the Status of the zone.
If the zone is not active, try resetting or restarting the trunk again on CUCM.
2. Make a test call from a Cisco VCS registered endpoint to a CUCM phone.
3. Make a test call from a CUCM phone to a Cisco VCS registered endpoint.
Note: CUCM 8.0.2 and earlier do not handle received crypto tags properly; the receipt of them may
cause CUCM to clear the call. If this occurs, configure endpoints with Encryption = Off.
cause CUCM to clear the call. If this occurs, configure endpoints with Encryption = Off.
Network of Cisco VCSs
If there is a network of VCSs behind this VCS neighbored to CUCM, then, either:
CUCM must trust the certificates of all the VCSs in the network, or
(From X7.0) configure VCS neighbor zone to ‘always’ route the signaling
Set VCS to always route signaling to CUCM
With TLS configured between VCS and CUCM, and where VCS is configured for optimal routing
(usual case), either:
(usual case), either:
CUCM must trust the certificates for all VCSs in the network, or
If VCS is X7.0 or later, go to the CUCM neighbor zone and:
a. Change the Advanced Zone profile from Cisco Unified Communications Manager to
Custom.