Cisco TelePresence Video Communication Server Expressway
| Protocol | Security | Service |
|----------|----------|---------|
| SIP | TLS | Session establishment – Register, Invite etc. |
| HTTPS | TLS | Logon, provisioning/configuration, directory, visual voicemail |
| RTP | SRTP | Media - audio, video, content sharing |
| XMPP | TLS | Instant Messaging, Presence, Federation |
Clustered VCS Systems and Failover Considerations
You can configure a cluster of VCS Controls and a cluster of VCS Expressways to provide failover (redundancy)
support as well as improved scalability.
and information about how to configure Jabber endpoints and DNS are contained in Configure DNS for Cisco Jabber.
Note that when discovering Unified CM and IM&P servers on VCS Control, you must do this on the primary peer.
Authorization Rate Control
The VCS can limit the number of times that any user's credentials can be used, in a given configurable period, to
authorize the user for collaboration services. This feature is designed to thwart inadvertent or real denial of service
attacks, which can originate from multiple client devices authorizing the same user, or from clients that reauthorize
more often than necessary.
Each time a client supplies credentials to authorize the user, the VCS checks whether this attempt would exceed the
Maximum authorizations per period within the previous number of seconds specified by the Rate control period.
If the attempt would exceed the chosen maximum, then the VCS rejects the attempt and issues the HTTP error 429
"Too Many Requests".
The authorization rate control settings are configurable in the Advanced section of the Configuration > Unified
Communications > Configuration page.
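The check described above can be modelled as a per-user sliding window. This is an added illustration, not Cisco's implementation; the class and function names, the sample values (3 authorizations per 60 seconds) and the choice not to count rejected attempts against the window are assumptions.

```python
from collections import defaultdict, deque


class AuthorizationRateControl:
    """Illustrative model of per-user authorization rate control (not VCS code)."""

    def __init__(self, max_authorizations_per_period, rate_control_period):
        self.max_authorizations = max_authorizations_per_period
        self.period = rate_control_period      # seconds
        self._history = defaultdict(deque)     # user -> times of accepted attempts

    def authorize(self, user, now):
        """Return the HTTP status for an authorization attempt at time `now` (seconds)."""
        window = self._history[user]
        # Forget attempts that fall outside the previous `period` seconds.
        while window and window[0] <= now - self.period:
            window.popleft()
        # Would this attempt exceed the maximum for the period?
        if len(window) >= self.max_authorizations:
            return 429                         # Too Many Requests
        window.append(now)                     # assumption: only accepted attempts count
        return 200


def replay(events, max_authorizations, period):
    """Run (timestamp, user, device) events through the limiter and return the statuses."""
    control = AuthorizationRateControl(max_authorizations, period)
    return [(ts, user, device, control.authorize(user, ts)) for ts, user, device in events]


# Constructed sample: several devices authorizing the same user, plus an unrelated user.
SAMPLE_EVENTS = [
    (0, "alice", "phone"),
    (5, "alice", "laptop"),
    (10, "alice", "tablet"),
    (12, "alice", "phone"),    # fourth attempt inside 60 s
    (15, "bob", "laptop"),     # different user, separate budget
    (61, "alice", "phone"),    # the t=0 attempt has aged out
    (62, "alice", "laptop"),   # window is full again
]

if __name__ == "__main__":
    for ts, user, device, status in replay(SAMPLE_EVENTS, max_authorizations=3, period=60):
        print(f"t={ts:>3}s {user:<5} {device:<6} -> HTTP {status}")
```

The limit is keyed on the user rather than the device, so a user with many devices shares one budget; size the maximum and period with that in mind.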
Credential Caching
Note: These settings do not apply to clients that are using SSO (common identity) for authenticating via MRA.
The VCS caches endpoint credentials which have been authenticated by Unified CM. This caching improves overall
performance because the VCS does not always have to submit endpoint credentials to Unified CM for authentication.
The caching settings are configurable in the Advanced section of the Configuration > Unified Communications
> Configuration page.
Credentials refresh interval specifies the lifetime of the authentication token issued by the VCS to a successfully
authenticated client. A client that successfully authenticates should request a refresh before this token expires, or it
will need to re-authenticate. The default is 480 minutes (8 hours).
Credentials cleanup interval specifies how long the VCS waits between cache clearing operations. Only expired
tokens are removed when the cache is cleared, so this setting is the longest possible time that an expired token can
remain in the cache. The default is 720 minutes (12 hours).
Unified CM Denial of Service Threshold
High volumes of mobile and remote access calls may trigger denial of service thresholds on Unified CM. This is
because all the calls arriving at Unified CM are from the same VCS Control (cluster).
If necessary, we recommend that you increase the level of the SIP Station TCP Port Throttle Threshold (System >
Service Parameters, and select the Cisco CallManager service) to 750 KB/second.
Mobile and Remote Access Through Cisco Video Communication Server Deployment Guide
Additional Information