Cisco Cisco TelePresence Video Communication Server Expressway
Configure Lync Server media encryption capabilities
By default Lync Server mandates the use of encrypted media. However, the headers used in Lync SRTP are
different from those used by video network devices.
VCS has the capability to carry out on-the-fly modification of these headers if the Microsoft Interoperability
option key is enabled on the "Lync gateway" VCS.
The choice of how to configure Lync’s encryption capabilities depends on:
- Is the connection between Lync and the "Lync gateway" VCS over TLS?
  If it is not TLS, crypto keys will not pass (they can be sent only over a secure, encrypted signaling
  link), so encryption must not be set to require on Lync Server.
- Does the "Lync gateway" VCS have the Microsoft Interoperability option key enabled?
  If no, encryption must not be set to require on Lync Server.
- Do all video endpoints support encrypted media, and will they offer encrypted media when initiating calls?
  If no, then configure the relevant VCS so that the Media encryption policy for that endpoint's
  zone/subzone is set to Force encrypted.
To configure the way Lync will handle encryption, use the command:
set-CsMediaConfiguration -EncryptionLevel <value>
where <value> is one of RequireEncryption, SupportEncryption, DoNotSupportEncryption.
For example:
C:\Users\administrator.CISCOTP> set-CsMediaConfiguration -EncryptionLevel supportencryption
Note that:
- This parameter is a value communicated to Lync clients to affect their operation. To activate this change on a
  Lync client, sign out, then sign back into the Lync client.
  It may take a while for the parameter to be shared throughout the pool (up to an hour) so you may have to
  wait a while before restarting the Lync clients for them to take on the new value.
- If the Microsoft Interoperability option key is installed and the connection between the VCS and Lync
  Server is TLS, then the default setting of the command set-CsMediaConfiguration -EncryptionLevel
  RequireEncryption may be used. However, be aware that if RequireEncryption is set on Lync, either all
  video endpoints must support encryption or the VCS's Media encryption policy for the relevant zones
  and subzones must be set to Force encrypted. Otherwise, calls will fail; consider using
  SupportEncryption instead.
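The three questions and the RequireEncryption caveat above can be checked together before the setting is changed. The PowerShell below is an added example, not part of the Cisco guide: Test-LyncEncryptionLevel and its parameters are hypothetical names, and the values passed to it are constructed sample input that you replace with the facts of your own deployment.

```powershell
# Added example: Test-LyncEncryptionLevel is a hypothetical helper, not a Lync or VCS cmdlet.
function Test-LyncEncryptionLevel {
    [CmdletBinding()]
    param(
        # Level configured (or about to be configured) on Lync Server.
        [Parameter(Mandatory)]
        [ValidateSet('RequireEncryption', 'SupportEncryption', 'DoNotSupportEncryption')]
        [string]$EncryptionLevel,
        [Parameter(Mandatory)][bool]$SignalingIsTls,       # Lync <-> "Lync gateway" VCS over TLS?
        [Parameter(Mandatory)][bool]$InteropKeyEnabled,    # Microsoft Interoperability option key
        [Parameter(Mandatory)][bool]$AllEndpointsEncrypt,  # every endpoint offers encrypted media
        [Parameter(Mandatory)][bool]$ZonesForceEncrypted   # Media encryption policy = Force encrypted
    )

    # Collect every precondition for RequireEncryption that is not met.
    $blockers = @()
    if (-not $SignalingIsTls) {
        $blockers += 'Signaling is not TLS: crypto keys cannot pass.'
    }
    if (-not $InteropKeyEnabled) {
        $blockers += 'Microsoft Interoperability option key is not enabled on the "Lync gateway" VCS.'
    }
    if (-not ($AllEndpointsEncrypt -or $ZonesForceEncrypted)) {
        $blockers += 'Some endpoints do not offer encrypted media and their zone/subzone is not Force encrypted.'
    }

    $requireIsSafe = ($blockers.Count -eq 0)
    $conflict = ($EncryptionLevel -eq 'RequireEncryption') -and (-not $requireIsSafe)

    [pscustomobject]@{
        EncryptionLevel = $EncryptionLevel
        RequireIsSafe   = $requireIsSafe
        Conflict        = $conflict   # true: RequireEncryption is set but a precondition is unmet
        Blockers        = $blockers
    }
}

# Constructed sample input: TLS and option key in place, but endpoints that do not
# offer encrypted media sit in a zone that is not set to Force encrypted.
# On a Lync Server the current level can be read with:
#   (Get-CsMediaConfiguration -Identity Global).EncryptionLevel
$result = Test-LyncEncryptionLevel -EncryptionLevel RequireEncryption `
    -SignalingIsTls $true -InteropKeyEnabled $true `
    -AllEndpointsEncrypt $false -ZonesForceEncrypted $false
$result | Format-List
```

With this sample input Conflict is True and Blockers lists the endpoint condition, which is the case in which the guide says calls will fail.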
"Lync gateway" VCS configuration (part 2)
This comprises the following steps:
Cisco TelePresence Microsoft Lync and Cisco VCS Deployment Guide (X8.2)
Enabling endpoints registered on the video network to call clients registered on Lync