Cisco Cisco TelePresence Video Communication Server Expressway
—
The VCS includes a built-in mechanism to generate a certificate signing request (CSR) and is the
recommended method for generating a CSR:
recommended method for generating a CSR:
•
Ensure that the CA that signs the request does not strip out the client authentication extension.
•
The generated CSR includes the client authentication request and any relevant subject alternate names
for the Unified Communications features that have been enabled (see
for the Unified Communications features that have been enabled (see
).
—
To generate a CSR and /or to upload a server certificate to the VCS, go to Maintenance > Security
certificates > Server certificate. You must restart the VCS for the new server certificate to take effect.
certificates > Server certificate. You must restart the VCS for the new server certificate to take effect.
2.
Install on both VCSs the trusted Certificate Authority (CA) certificates of the authority that signed the VCS's
server certificates.
server certificates.
There are additional trust requirements, depending on the Unified Communications features being deployed.
For mobile and remote access deployments:
—
The VCS Control must trust the Unified CM and IM&P tomcat certificate.
—
If appropriate, both the VCS Control and the VCS Expressway must trust the authority that signed the
endpoints' certificates.
endpoints' certificates.
For Jabber Guest deployments:
—
When the Jabber Guest server is installed, it uses a self-signed certificate by default. However, you can
install a certificate that is signed by a trusted certificate authority. You must install on the VCS Control
either the self-signed certificate of the Jabber Guest server, or the trusted CA certificates of the authority
that signed the Jabber Guest server's certificate.
install a certificate that is signed by a trusted certificate authority. You must install on the VCS Control
either the self-signed certificate of the Jabber Guest server, or the trusted CA certificates of the authority
that signed the Jabber Guest server's certificate.
To upload trusted Certificate Authority (CA) certificates to the VCS, go to Maintenance > Security certificates
> Trusted CA certificate. You must restart the VCS for the new trusted CA certificate to take effect.
> Trusted CA certificate. You must restart the VCS for the new trusted CA certificate to take effect.
VCS’s server certificate and how to upload a list of trusted certificate authorities.
Configuring Encrypted VCS Traversal Zones
To support Unified Communications features via a secure traversal zone connection between the VCS Control and
the VCS Expressway:
the VCS Expressway:
■
The VCS Control and VCS Expressway must be configured with a zone of type Unified Communications
traversal. This automatically configures an appropriate traversal zone (a traversal client zone when selected
on a VCS Control, or a traversal server zone when selected on a VCS-E) that uses SIP TLS with TLS verify
mode set to On, and Media encryption mode set to Force encrypted.
traversal. This automatically configures an appropriate traversal zone (a traversal client zone when selected
on a VCS Control, or a traversal server zone when selected on a VCS-E) that uses SIP TLS with TLS verify
mode set to On, and Media encryption mode set to Force encrypted.
■
Both VCSs must trust each other's server certificate. As each VCS acts both as a client and as a server you
must ensure that each VCS’s certificate is valid both as a client and as a server.
must ensure that each VCS’s certificate is valid both as a client and as a server.
■
If an H.323 or a non-encrypted connection is also required, a separate pair of traversal zones must be
configured.
configured.
To set up a secure traversal zone, configure your VCS Control and VCS Expressway as follows:
1.
Go to Configuration > Zones > Zones.
2.
Click New.
13
Mobile and Remote Access Through Cisco Video Communication Server Deployment Guide
Unified Communications Prerequisites