Cisco TelePresence Video Communication Server Expressway
(Mixed) (so that it can support devices provisioned with secure profiles). The TLS zone is configured with its TLS verify mode set to On if the Unified CM discovery had TLS verify mode enabled. This means that the VCS Control will verify the CallManager certificate for subsequent SIP communications. Note that secure profiles are downgraded to use TCP if Unified CM is not in mixed mode.
The VCS neighbor zones to Unified CM use the names of the Unified CM nodes that were returned by Unified CM when the Unified CM publishers were added (or refreshed) to the VCS. The VCS uses those returned names to connect to the Unified CM node. If that name is just the host name then:
- it needs to be routable using that name
- this is the name that the VCS expects to see in the Unified CM's server certificate
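A pre-deployment check for the two requirements above, added here as an example (not part of the guide or of any Cisco tooling): given the node names Unified CM returned at discovery and the names present in the CallManager certificate, it flags bare host names and names that the certificate does not cover. The node names and certificate names are constructed sample data, and the matching rule (exact or single-label wildcard match, RFC 6125 style) is an assumption about how the VCS compares the name.

```python
"""Check discovered Unified CM node names against the CallManager certificate.

Constructed sample data below; matching rules are an assumption, not Cisco's code.
"""
from dataclasses import dataclass, field


@dataclass
class NodeCheck:
    name: str
    is_bare_hostname: bool      # no dots: VCS must be able to route to it as-is
    matches_cert: bool          # must be in CN/SAN or TLS verify mode On fails
    issues: list = field(default_factory=list)


def _cert_name_matches(cert_name: str, node_name: str) -> bool:
    """Case-insensitive exact match, or a single-label wildcard (*.example.com)."""
    cert_name = cert_name.lower().rstrip(".")
    node_name = node_name.lower().rstrip(".")
    if cert_name == node_name:
        return True
    if cert_name.startswith("*.") and "." in node_name:
        # A wildcard covers exactly one label and can never match a bare host name.
        return node_name.split(".", 1)[1] == cert_name[2:]
    return False


def check_nodes(node_names, cert_names):
    """Return one NodeCheck per discovered node, with the issues an operator must fix."""
    results = []
    for node in node_names:
        bare = "." not in node
        match = any(_cert_name_matches(c, node) for c in cert_names)
        issues = []
        if bare:
            issues.append("bare host name: must be routable by that name from the VCS")
        if not match:
            issues.append("not in CallManager certificate CN/SAN: TLS verify will fail")
        results.append(NodeCheck(node, bare, match, issues))
    return results


# Constructed sample data, not taken from any real deployment.
CERT_NAMES = ["cucm-pub.example.com", "*.example.com"]
NODES = ["cucm-pub.example.com", "cucm-sub1.example.com", "cucm-sub2",
         "cucm.lab.example.com"]

if __name__ == "__main__":
    for r in check_nodes(NODES, CERT_NAMES):
        print(f"{r.name}: {'OK' if not r.issues else '; '.join(r.issues)}")
```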
If you are using secure profiles, ensure that the root CA of the authority that signed the VCS Control certificate is installed as a CallManager-trust certificate (Security > Certificate Management in the Cisco Unified OS Administration application).
VCS automated intrusion protection
You may need to enable the Automated protection service (System > System administration) if it is not yet running.
To protect against malicious attempts to access the HTTP proxy, you can configure automated intrusion protection on the VCS Expressway (System > Protection > Automated detection > Configuration).
We recommend that you enable the following categories:
- HTTP proxy authorization failure and HTTP proxy protocol violation. Note: Do not enable the HTTP proxy resource access failure category.
- XMPP protocol violation

Note: The Automated protection service uses Fail2ban software. It protects against brute force attacks that originate from a single source IP address.
Unified CM denial of service threshold
High volumes of mobile and remote access calls may trigger denial of service thresholds on Unified CM. This is because all the calls arriving at Unified CM are from the same VCS Control (cluster).

If necessary, we recommend that you increase the level of the SIP Station TCP Port Throttle Threshold (System > Service Parameters, and select the Cisco CallManager service) to 750 KB/second.
Limitations
- The IPv4 protocol only is supported for mobile and remote access users
- SIP Early Media is not supported
- In VCS Expressway systems that use dual network interfaces, XCP connections (for IM&P XMPP traffic) always use the non-external (i.e. internal) interface. This means that XCP connections may fail in deployments where the VCS Expressway internal interface is on a separate network segment and is used for system management purposes only, and where the traversal zone on the VCS Control connects to the VCS Expressway's external interface.
Unified Communications Mobile and Remote Access via Cisco VCS Deployment Guide (X8.2)
Page 31 of 40
Additional information