Cisco Cisco TelePresence Video Communication Server Expressway
Configuring VCS to use an external policy server
There are 3 main areas where the VCS can be configured to use an external policy server:
n
Registration Policy
n
Call Policy (also known as Admin Policy)
n
Search rules (dial plan)
Each area can be configured independently of each other as to whether or not to use an external policy
service. If an external policy service is used for a specific policy decision, the decision made by the policy
service replaces (rather than supplements) the policy decision that would have been made by the VCS.
service. If an external policy service is used for a specific policy decision, the decision made by the policy
service replaces (rather than supplements) the policy decision that would have been made by the VCS.
Configuring Registration Policy to use an external service
To configure Registration Policy to refer all registration restriction policy decisions out to an external service:
1. Go to
VCS configuration > Registration > Configuration
.
2. Select a Restriction policy of Policy service.
3. Configure the fields as follows:
Protocol
The protocol used to connect to the policy
service.
service.
The default is HTTPS.
The VCS automatically supports HTTP to
HTTPS redirection when communicating
with the policy service server.
HTTPS redirection when communicating
with the policy service server.
Certificate
verification
mode
verification
mode
When connecting over HTTPS, this setting
controls whether the certificate presented by
the policy server is verified.
controls whether the certificate presented by
the policy server is verified.
If On, for the VCS to connect to a policy server
over HTTPS, the VCS must have a root CA
certificate loaded that authorizes that server’s
server certificate. Also the certificate's Subject
Common Name or Subject Alternative Name
must match one of the Server address fields
below.
over HTTPS, the VCS must have a root CA
certificate loaded that authorizes that server’s
server certificate. Also the certificate's Subject
Common Name or Subject Alternative Name
must match one of the Server address fields
below.
The VCS’s root CA certificate is loaded on
the
the
Security certificates
page
(
Maintenance > Certificate management
> Security certificates
).
HTTPS
certificate
revocation list
(CRL)
checking
certificate
revocation list
(CRL)
checking
Enable this option if you want to protect
certificate checking using CRLs and you have
manually loaded CRL files, or you have
enabled automatic CRL updates.
certificate checking using CRLs and you have
manually loaded CRL files, or you have
enabled automatic CRL updates.
Use the
CRL management
page
(
Maintenance > Certificate management
> CRL management
). to configure how
the VCS uploads CRL files.
Server
address 1 - 3
address 1 - 3
Enter the IP address or Fully Qualified Domain
Name (FQDN) of the server hosting the service.
You can specify a port by appending :<port>
to the address.
Name (FQDN) of the server hosting the service.
You can specify a port by appending :<port>
to the address.
If an FQDN is specified, ensure that the
VCS has an appropriate DNS
configuration that allows the FQDN to be
resolved.
VCS has an appropriate DNS
configuration that allows the FQDN to be
resolved.
For resiliency, up to three server
addresses can be supplied.
addresses can be supplied.
Path
Enter the URL of the service on the server.
External Policy on Cisco VCS Deployment Guide (X7)
Page 6 of 29
Configuring VCS to use an external policy server