Cisco TelePresence Video Communication Server Expressway
Enabling endpoints registered on the video network to call MOC/Lync clients registered on OCS/Lync
Cisco VCS Deployment Guide: Microsoft OCS 2007 R2, Lync 2010 and Cisco VCS X7.1
Lync: configure Lync Server media encryption capabilities
By default Lync Server mandates the use of encrypted media. The headers used in Lync SRTP are
however different from those used by video network devices.
VCS has the capability to carry out on-the-fly modification of these headers if the Enhanced OCS
Collaboration option key is enabled on the “OCS/Lync gateway” VCS.
The choice of how to configure Lync’s encryption capabilities will depend on:
Is the connection between Lync and the “OCS/Lync gateway” VCS TLS?
- if it is not TLS, then crypto keys will not pass (they may only be sent over a secure, encrypted
signaling link), so encryption must not be set to require on Lync Server
Does the “OCS/Lync gateway” VCS have the Enhanced OCS Collaboration option key enabled?
- if no, encryption must not be set to require on Lync server
Is the “OCS/Lync gateway” using the B2BUA?
- if no, encryption must be the same on the Lync server and in the video network
- if the B2BUA is in use and Encryption (in B2BUA Advanced settings) is set to Auto, the B2BUA
will allow calls with Lync side encrypted and video side not, both sides encrypted and both sides
unencrypted. It should however be noted that the "Lync side encrypted and video side not"
scenario can only occur when the B2BUA receives an empty INVITE from the VCS, for instance in
an H323 > SIP interworked call. If Lync is configured to require encryption, and the endpoint on
the VCS side does not support media encryption, a call from Lync to this endpoint will fail as Lync
will drop the call because of the encryption capability mismatch.
Do all video endpoints support encrypted media, and will they offer encrypted media when
initiating calls?
- if no, and the B2BUA is not in use, or is not configured to allow encryption to be different on Lync
and in the video network, encryption must not be set to require on Lync server
In Lync the values RequireEncryption, SupportEncryption and DoNotSupportEncryption are allowed.
To configure the way Lync will handle encryption, use the command:
“set-CsMediaConfiguration -EncryptionLevel <value>”
where <value> is one of: RequireEncryption, SupportEncryption, DoNotSupportEncryption.
For example:
C:\Users\administrator.CISCOTP> set-CsMediaConfiguration -EncryptionLevel supportencryption
Note:
This parameter is a value communicated to Lync clients to affect their operation. To activate this
change on a Lync client, sign out, then sign back into the Lync client.
It may take a while for the parameter to be shared throughout the pool (up to an hour), so you
may have to wait a while before restarting the Lync clients for them to take on the new value.
If the Enhanced OCS Collaboration option key is installed and the connection between the
Cisco VCS and Lync Server is TLS, then the default setting of the command
set-CsMediaConfiguration -EncryptionLevel RequireEncryption may be used. However, be aware
that if RequireEncryption is set, either the B2BUA must handle interworking encryption between
the video network and Lync Server, or all video endpoints must support encryption; otherwise calls
will fail. Consider using SupportEncryption instead.
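The decision list above, written as a check to run in the Lync Server Management Shell before changing the level. This is an added example, not part of the Cisco guide: the function name, parameter names and sample values are assumptions, and the deployment facts are supplied by the administrator, not detected.

```powershell
# Added example; names are hypothetical. Each parameter is one question from the list above.
function Test-LyncRequireEncryptionAllowed {
    param(
        [bool]$TlsToGateway,         # Lync <-> "OCS/Lync gateway" VCS connection is TLS
        [bool]$EnhancedOcsKey,       # Enhanced OCS Collaboration option key enabled
        [bool]$B2buaInUse,           # gateway VCS uses the B2BUA
        [bool]$B2buaEncryptionAuto,  # B2BUA Advanced settings: Encryption = Auto
        [bool]$AllEndpointsEncrypt   # all video endpoints support and offer encrypted media
    )
    $blockers = @()
    $warnings = @()
    if (-not $TlsToGateway) {
        $blockers += 'Connection to the gateway VCS is not TLS, so crypto keys will not pass.'
    }
    if (-not $EnhancedOcsKey) {
        $blockers += 'Enhanced OCS Collaboration option key is not enabled on the gateway VCS.'
    }
    $b2buaInterworks = $B2buaInUse -and $B2buaEncryptionAuto
    if (-not $AllEndpointsEncrypt) {
        if ($b2buaInterworks) {
            # Caveat from the list: mixed encryption only works for empty-INVITE calls.
            $warnings += 'Lync-originated calls to endpoints without media encryption will be dropped by Lync.'
        } else {
            $blockers += 'Some endpoints lack media encryption and the B2BUA does not allow differing encryption.'
        }
    }
    [pscustomobject]@{
        RequireAllowed = ($blockers.Count -eq 0)
        Blockers       = $blockers
        Warnings       = $warnings
    }
}

# Constructed sample facts for one deployment (not taken from the guide).
$result = Test-LyncRequireEncryptionAllowed -TlsToGateway $true -EnhancedOcsKey $true `
    -B2buaInUse $true -B2buaEncryptionAuto $true -AllEndpointsEncrypt $false
$result | Format-List

# Compare with the configured level; the cmdlet exists only where the Lync module is loaded.
if (Get-Command Get-CsMediaConfiguration -ErrorAction SilentlyContinue) {
    foreach ($cfg in Get-CsMediaConfiguration) {
        if ($cfg.EncryptionLevel -eq 'RequireEncryption' -and -not $result.RequireAllowed) {
            Write-Warning "$($cfg.Identity) is set to RequireEncryption, which this deployment cannot meet."
            $result.Blockers | ForEach-Object { Write-Warning "  $_" }
        }
    }
}
```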