Cisco TelePresence Video Communication Server Expressway Release Notes
New features in X7
Cisco TelePresence Video Communication Server X7.2 Software Release Notes
X7.2
Controlled SIP TLS connections to the Default Zone
Default Zone access rules that control which external systems are allowed to connect over SIP TLS to
the VCS via the Default Zone can now be configured.
Each rule specifies a pattern type and string that is compared to the identities (Subject Common
Name and any Subject Alternative Names) contained within the certificate presented by the external
system. You can then allow or deny access to systems whose certificates match the specified pattern.
Enabling this feature requires that all systems (including endpoints) connecting to the Default Zone
must present client certificates that are trusted by the VCS.
Device authentication
The VCS can now be configured to authenticate devices against multiple remote H.350 directory
servers. This provides a redundancy mechanism in the event of reachability problems to an H.350
directory server.
As from version X7.2, for Digest authentication, the VCS attempts to verify device credentials
presented to it by first checking against its on-box local database of usernames and passwords,
before checking against any configured H.350 directory server. (Note that the endpoint presents
the VCS with a hash of its credentials, which the VCS attempts to validate against a hash
created from the credentials stored in the local database - the VCS does not see the actual
credentials from the device.) As a result of this:
• The Device authentication configuration page no longer exists; there is no longer an
option to switch between an authentication database type of Local database or LDAP
database.
• The NTLM protocol challenges setting is now configured on the Active Directory Service
page.
The Device LDAP configuration and Device LDAP schemas pages are now called Device
authentication H.350 configuration and Device authentication H.350 schemas respectively.
The Alias origin field on the Device authentication H.350 configuration page is now called
Source of aliases for registration.
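The local-first, then H.350 check order described in this section, as an added example that is not Cisco's code. It assumes RFC 2617 Digest without qop (MD5), plain dictionaries standing in for the local database and two H.350 servers, and that a source which is unreachable or does not validate the hash is skipped in favour of the next one; all function and account names are hypothetical.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    # RFC 2617 Digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def endpoint_request(username, password, nonce="constructed-nonce"):
    # What the endpoint sends: identifiers plus a hash, never the password.
    # (In a real exchange the nonce comes from the server's challenge.)
    req = {"username": username, "realm": "example.invalid",
           "method": "REGISTER", "uri": "sip:example.invalid", "nonce": nonce}
    req["response"] = digest_response(username, req["realm"], password,
                                      req["method"], req["uri"], nonce)
    return req

def authenticate(req, sources):
    # Try each credential source in order; return the name of the first one
    # whose stored password reproduces the presented hash, else None.
    for name, lookup in sources:
        try:
            stored = lookup(req["username"])
        except ConnectionError:
            continue  # directory unreachable: move on to the next source
        if stored is None:
            continue  # no such account in this source
        expected = digest_response(req["username"], req["realm"], stored,
                                   req["method"], req["uri"], req["nonce"])
        if hmac.compare_digest(expected, req["response"]):
            return name
    return None

def unreachable(_username):
    raise ConnectionError("constructed outage of the first H.350 server")

# Constructed sample stores (assumption: plain dicts stand in for the
# local database and for two H.350 directory servers).
LOCAL_DB = {"room-101": "local-secret"}
H350_B = {"room-202": "directory-secret"}
SOURCES = [("local", LOCAL_DB.get), ("h350-a", unreachable), ("h350-b", H350_B.get)]

if __name__ == "__main__":
    for user, pw in [("room-101", "local-secret"), ("room-202", "directory-secret"),
                     ("room-202", "wrong-password")]:
        print(user, "->", authenticate(endpoint_request(user, pw), SOURCES))
```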
Enhanced account security
Administrator accounts can now be configured to authenticate first against the local database and
then, if no matching account is found, to fall back to a check against the external credentials
directory.
When defining administrator accounts and groups, you can now also specify if the account/group
can access the web interface and/or the XML/REST APIs.
When strict passwords are enforced for administrator accounts, you can now customize the rules
for what constitutes a strict password.
Local administrator passwords are now stored using a SHA512 hash.
In a cluster, the default admin account password is now replicated across all peers.
Note that the "Login Administrator" set of xConfiguration CLI commands are no longer supported.