Cisco TelePresence Video Communication Server Expressway
Configuring encrypted VCS traversal zones
To support Unified Communications features via a secure traversal zone connection between the VCS
Control and the VCS Expressway:
- The VCS Control and VCS Expressway must be configured with a zone of type Unified Communications
  traversal. This automatically configures an appropriate traversal zone (a traversal client zone when
  selected on a VCS Control, or a traversal server zone when selected on a VCS-E) that uses SIP TLS with
  TLS verify mode set to On, and Media encryption mode set to Force encrypted.
- Both VCSs must trust each other's server certificate. As each VCS acts both as a client and as a server
  you must ensure that each VCS’s certificate is valid both as a client and as a server.
- If an H.323 or a non-encrypted connection is also required, a separate pair of traversal zones must be
  configured.
To set up a secure traversal zone, configure your VCS Control and VCS Expressway as follows:
1. Go to Configuration > Zones > Zones.
2. Click New.
3. Configure the fields as follows (leave all other fields with default values):
| | VCS Control | VCS Expressway |
| --- | --- | --- |
| Name | "Traversal zone" for example | "Traversal zone" for example |
| Type | Unified Communications traversal | Unified Communications traversal |
| Connection credentials section | | |
| Username | "exampleauth" for example | "exampleauth" for example |
| Password | "ex4mpl3.c0m" for example | Click Add/Edit local authentication database, then in the popup dialog click New and enter the Name ("exampleauth") and Password ("ex4mpl3.c0m") and click Create credential. |
| SIP section | | |
| Port | 7001 | 7001 |
| TLS verify subject name | Not applicable | Enter the name to look for in the traversal client's certificate (must be in either the Subject Common Name or the Subject Alternative Name attributes). If there is a cluster of traversal clients, specify the cluster name here and ensure that it is included in each client's certificate. |
| Authentication section | | |
| Authentication policy | Do not check credentials | Do not check credentials |
| Location section | | |
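The two certificate requirements above (each VCS's certificate valid both as a client and as a server, and the TLS verify subject name present in the Subject Common Name or Subject Alternative Name) can be checked on a PEM copy of the certificate before the zone is created. The shell functions below are an added example, not part of the Cisco guide: they assume OpenSSL is installed, and the function names, host names and the self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks on a VCS certificate held as a PEM file.
# Function names, file names and host names are constructed for illustration.

# cert_has_eku FILE PURPOSE -> 0 if the Extended Key Usage line lists PURPOSE
cert_has_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | grep -qF -e "$2"
}

# cert_valid_client_and_server FILE -> 0 only if both purposes are listed
# explicitly (a certificate with no EKU extension is reported as failing)
cert_valid_client_and_server() {
    cert_has_eku "$1" 'TLS Web Server Authentication' &&
        cert_has_eku "$1" 'TLS Web Client Authentication'
}

# cert_names FILE -> one name per line: the Subject CN, then each SAN DNS entry
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_matches_verify_name FILE NAME -> 0 if NAME equals the CN or a SAN entry
# (exact, case-insensitive comparison is an assumption of this example)
cert_matches_verify_name() {
    cert_names "$1" | grep -qixF -e "$2"
}

# make_sample_cert FILE CN SAN EKU: constructed self-signed test certificate
make_sample_cert() {
    cnf=$(mktemp)
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
subjectAltName = $3
extendedKeyUsage = $4
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$cnf.key" -out "$1" 2>/dev/null
    rm -f "$cnf" "$cnf.key"
}
```

Run cert_valid_client_and_server against each VCS's certificate, and cert_matches_verify_name against the traversal client's certificate with the value intended for TLS verify subject name (the cluster name when the clients are clustered).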
Unified Communications Mobile and Remote Access via Cisco VCS Deployment Guide (X8.5.3)
Unified Communications prerequisites