Cisco Cisco TelePresence Video Communication Server Expressway
and information about how to configure Jabber endpoints and DNS are contained in
Configure DNS for Cisco Jabber.
Note that when discovering Unified CM and IM&P servers on VCS Control, you must do this on the master
peer.
peer.
Authorization rate control
The VCS can limit the number of times that any user's credentials can be used, in a given configurable
period, to authorize the user for collaboration services. This feature is designed to thwart inadvertent or real
denial of service attacks, which can originate from multiple client devices authorizing the same user, or from
clients that reauthorize more often than necessary.
period, to authorize the user for collaboration services. This feature is designed to thwart inadvertent or real
denial of service attacks, which can originate from multiple client devices authorizing the same user, or from
clients that reauthorize more often than necessary.
Each time a client supplies credentials to authorize the user, the VCS checks whether this attempt would
exceed the Maximum authorizations per period within the previous number of seconds specified by the
Rate control period.
exceed the Maximum authorizations per period within the previous number of seconds specified by the
Rate control period.
If the attempt would exceed the chosen maximum, then the VCS rejects the attempt and issues the
HTTP error 429 "Too Many Requests".
HTTP error 429 "Too Many Requests".
The authorization rate control settings are configurable in the
Advanced
section of the
Configuration >
Unified Communications > Configuration
page.
Credential caching
Note: These settings do not apply to clients that are using SSO (common identity) for authenticating via
MRA.
MRA.
The VCS caches endpoint credentials which have been authenticated by Unified CM. This caching improves
overall performance because the VCS does not always have to submit endpoint credentials to Unified CM for
authentication.
overall performance because the VCS does not always have to submit endpoint credentials to Unified CM for
authentication.
The caching settings are configurable in the
Advanced
section of the
Configuration > Unified
Communications > Configuration
page.
Credentials refresh interval specifies the lifetime of the authentication token issued by the VCS to a
successfully authenticated client. A client that successfully authenticates should request a refresh before
this token expires, or it will need to re-authenticate. The default is 480 minutes (8 hours).
successfully authenticated client. A client that successfully authenticates should request a refresh before
this token expires, or it will need to re-authenticate. The default is 480 minutes (8 hours).
Credentials cleanup interval specifies how long the VCS waits between cache clearing operations. Only
expired tokens are removed when the cache is cleared, so this setting is the longest possible time that an
expired token can remain in the cache. The default is 720 minutes (12 hours).
expired tokens are removed when the cache is cleared, so this setting is the longest possible time that an
expired token can remain in the cache. The default is 720 minutes (12 hours).
Unified CM denial of service threshold
High volumes of mobile and remote access calls may trigger denial of service thresholds on Unified CM. This
is because all the calls arriving at Unified CM are from the same VCS Control (cluster).
is because all the calls arriving at Unified CM are from the same VCS Control (cluster).
If necessary, we recommend that you increase the level of the SIP Station TCP Port Throttle Threshold
(
(
System > Service Parameters
, and select the Cisco CallManager service) to 750 KB/second.
Unified Communications Mobile and Remote Access via Cisco VCS Deployment Guide (X8.5.2)
Page 44 of 54
Additional information