Cisco TelePresence Video Communication Server Expressway
■ Do all video endpoints in the network support encrypted media and offer encrypted media?
If all VCS-registered endpoints can do media encryption, then mandatory encryption on Lync Server is possible.
If some endpoints cannot do media encryption, then mandatory encryption from Lync Server will not work. However, you can use a zone on the VCS Control to encrypt the media on behalf of those endpoints. Set up your search rules on the VCS Control to route calls to/from those endpoints through a zone that has Media encryption policy set to Force encrypted.
Important: If you choose this option, make sure that Media encryption policy, on the neighbor zones of the Gateway VCS, is set to Auto. Do not force encryption on behalf of endpoints on the Gateway VCS.
If encrypting media on behalf of the endpoints is not practical or possible, then you must change the default media encryption on Lync Server.
How do I Change the Media Encryption Policy on Lync Server?
To configure the media encryption policy on Lync Server, use Set-CsMediaConfiguration as follows:
set-CsMediaConfiguration -EncryptionLevel <value>
where <value> is one of RequireEncryption, SupportEncryption, DoNotSupportEncryption.
For example:
C:\Users\Administrator.example> set-CsMediaConfiguration -EncryptionLevel SupportEncryption
Note:
■ EncryptionLevel is communicated to Lync clients and changes their operation. Users must sign out of the Lync client and sign back in. You may have to wait (up to an hour, depending on complexity) for EncryptionLevel to propagate throughout the pool. Restarting Lync clients too soon may not change their media encryption policy.
■ If the Gateway VCS has the Microsoft Interoperability option key AND it makes a TLS connection to Lync Server, then you can use the default setting -EncryptionLevel RequireEncryption. In this case, all video endpoints must support encryption or calls will fail. If some endpoints cannot do media encryption, you should use -EncryptionLevel SupportEncryption.
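One way to apply and verify the change described above, as an added example that is not part of the Cisco guide. It assumes the Lync Server Management Shell and a change at the global scope; the variable names are illustrative.

```powershell
# Added example. Run in the Lync Server Management Shell.
# Assumption: the policy is changed at the global scope; set $Identity to a
# site-scoped identity instead if media configuration is managed per site.
$Identity = 'Global'
$Desired  = 'SupportEncryption'   # RequireEncryption | SupportEncryption | DoNotSupportEncryption

# 1. Record every media configuration scope and its current level first,
#    so the previous value is on hand if the change has to be reverted.
Get-CsMediaConfiguration | Select-Object Identity, EncryptionLevel | Format-Table -AutoSize

$current = Get-CsMediaConfiguration -Identity $Identity
if ("$($current.EncryptionLevel)" -eq $Desired) {
    Write-Output "$Identity is already set to $Desired; nothing to change."
    return
}

# 2. Moving away from RequireEncryption relaxes the policy: with
#    SupportEncryption, media is encrypted only when it can be negotiated.
if ("$($current.EncryptionLevel)" -eq 'RequireEncryption') {
    Write-Warning "$Identity currently requires encryption; $Desired permits unencrypted media."
}

# 3. Apply, then read the value back instead of assuming the change took.
Set-CsMediaConfiguration -Identity $Identity -EncryptionLevel $Desired
$after = Get-CsMediaConfiguration -Identity $Identity
if ("$($after.EncryptionLevel)" -ne $Desired) {
    throw "EncryptionLevel on $Identity is $($after.EncryptionLevel), expected $Desired."
}
Write-Output "$Identity EncryptionLevel: $($current.EncryptionLevel) -> $($after.EncryptionLevel)"
```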
Configure the B2BUA and Search Rules on the Gateway VCS
■ Task 5: (If Required) Create Search Rules to Route Calls to Other Domains Supported on Lync, page 27
Task 3: Configure the B2BUA on the Gateway VCS
The values you enter for Lync signaling destination address and Lync signaling destination port depend on the structure of the Lync environment:
If the Lync environment… | Configure the signaling destination address and port to be that of the…
is fronted by a Hardware Load Balancer in front of Lync Directors | Hardware Load Balancer
Cisco VCS and Microsoft Lync Deployment Guide