Cisco TelePresence Video Communication Server Expressway
On VCS:
1. Go to Configuration > Zones > Zones and select the Unified CM neighbor zone used for the SIP trunk.
(Note that the automatically generated neighbor zones between VCS Control and each discovered Unified CM
node for line side communications are non-configurable.)
2. Configure the SIP Port to the same value as the Incoming Port configured on Unified CM.
3. Click Save.
information about configuring a SIP trunk.
Configuring Secure Communications
This deployment requires secure communications between the VCS Control and the VCS Expressway, and between
the VCS Expressway and endpoints located outside the enterprise. This involves the mandating of encrypted TLS
communications for HTTP, SIP and XMPP, and, where applicable, the exchange and checking of certificates. Jabber
endpoints must supply a valid username and password combination, which will be validated against credentials held
in Unified CM. All media is secured over SRTP.
VCS Control automatically generates non-configurable neighbor zones between itself and each discovered Unified
CM node. A TCP zone is always created, and a TLS zone is created also if the Unified CM node is configured with a
Cluster Security Mode (System > Enterprise Parameters > Security Parameters) of 1 (Mixed) (so that it can
support devices provisioned with secure profiles). The TLS zone is configured with its TLS verify mode set to On if
the Unified CM discovery had TLS verify mode enabled. This means that the VCS Control will verify the CallManager
certificate for subsequent SIP communications.
Note: Secure profiles are downgraded to use TCP if Unified CM is not in mixed mode.
The VCS neighbor zones to Unified CM use the names of the Unified CM nodes that were returned by Unified CM
when the Unified CM publishers were added (or refreshed) to the VCS. The VCS uses those returned names to
connect to the Unified CM node. If that name is just the host name then:
■ it needs to be routable using that name
■ this is the name that the VCS expects to see in the Unified CM's server certificate
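The two conditions above can be checked before enabling TLS verify mode. The following Python sketch is an added example, not part of the Cisco guide or any Cisco tool: it takes a node name exactly as Unified CM returned it and reports whether it resolves and whether it appears in the node's certificate. The host names, the stand-in resolver and the sample certificates are constructed; matching is assumed to be an exact, case-insensitive comparison against DNS subjectAltName entries or the subject CN, with no wildcard handling.

```python
import socket
import ssl

def fetch_cert(host, port, cafile):
    """Fetch a node's certificate; the chain is validated against cafile,
    name matching is left to audit_node()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # names are compared explicitly below
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS subjectAltName entries plus subject CNs from a getpeercert() dict."""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    names |= {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    return {n.lower().rstrip(".") for n in names}

def audit_node(name, cert, resolve=socket.gethostbyname):
    """Problems for one node name exactly as Unified CM returned it."""
    problems = []
    try:
        resolve(name)
    except OSError:
        problems.append("not resolvable by this name")
    if name.lower().rstrip(".") not in cert_names(cert):
        problems.append("name not in certificate: %s" % sorted(cert_names(cert)))
    return problems

# Constructed sample data (not from a real deployment).
SAMPLE_CERTS = {
    "cucm-pub.example.com": {
        "subject": ((("commonName", "cucm-pub.example.com"),),),
        "subjectAltName": (("DNS", "cucm-pub.example.com"),),
    },
    # Returned as a bare host name, but the certificate carries only the FQDN.
    "cucm-sub1": {
        "subject": ((("commonName", "cucm-sub1.example.com"),),),
        "subjectAltName": (("DNS", "cucm-sub1.example.com"),),
    },
}

def sample_resolve(name):
    """Stand-in resolver: only the FQDN resolves in this constructed example."""
    if name != "cucm-pub.example.com":
        raise socket.gaierror("no such host")
    return "192.0.2.10"

if __name__ == "__main__":
    for node, cert in SAMPLE_CERTS.items():
        print(node, audit_node(node, cert, sample_resolve) or "ok")
```

Against a live node, pass the result of `fetch_cert()` (with the SIP TLS port in use and the signing CA's file) to `audit_node()` in place of the sample dictionaries.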
If you are using secure profiles, ensure that the root CA of the authority that signed the VCS Control certificate is
installed as a CallManager-trust certificate (Security > Certificate Management in the Cisco Unified OS
Administration application).
Media Encryption
Media encryption is enforced on the call legs between the VCS Control and the VCS Expressway, and between the
VCS Expressway and endpoints located outside the enterprise.
The encryption is physically applied to the media as it passes through the B2BUA on the VCS Control.
Limitations
■ In VCS Expressway systems that use dual network interfaces, XCP connections (for IM&P XMPP traffic)
always use the non-external (i.e. internal) interface. This means that XCP connections may fail in
deployments where the VCS Expressway internal interface is on a separate network segment and is used for
system management purposes only, and where the traversal zone on the VCS Control connects to the VCS
Expressway's external interface.
Mobile and Remote Access Through Cisco Video Communication Server Deployment Guide
Additional Information