Cisco TelePresence Video Communication Server Expressway Release Notes
New features in X7
Cisco TelePresence Video Communication Server X7.2 Software Release Notes
Page 11 of 46
System security enhancements
You can now configure firewall rules to control access to the VCS at the IP level. You can:
• specify the source IP address subnet from which to allow or deny traffic
• configure well known services such as SSH, HTTP/HTTPS or specify customized rules based on transport protocols and port ranges
The VCS can be configured to use a combination of OCSP and CRL checking for certificates
exchanged during SIP TLS connection establishment. CRLs can be loaded manually onto the
VCS, downloaded automatically from preconfigured URIs, or downloaded automatically from a
CRL distribution point (CDP).
The VCS can now generate server certificate signing requests. This removes the need to use an
external mechanism to generate and obtain certificate requests. The upload of the VCS's trusted
CA certificate and the management of its server certificate are now configured on separate pages
under the Maintenance > Certificate management menu.
When enabling client certificate-based security you can now configure CRL checking behavior.
VCS can now be configured to use HTTP Strict Transport Security (HSTS). This can be used to
force a web browser to communicate with the VCS using secure connections only.
Access to the VCS via the serial port can be disabled.
You can configure the authentication method used by the VCS when connecting to an NTP
server. It utilizes the security features available in NTPv4 and retains compatibility with NTPv3
implementations. Options include symmetric key message hashing and private key encryption.
System backup files can now be encrypted / password protected. (Note that encrypted backup
files normally have a ".tar.gz.enc" filename extension. However, if you use Internet Explorer to
create an encrypted backup file, the filename extension will be ".tar.gz.gz" by default. These
different filename extensions have no operational impact; you can create and restore encrypted
backup files using any supported browser.)
OpenSSL has been updated to version 1.0.1 (includes support for TLS v1.2).
Zone and subzone media encryption policy
Media encryption policy settings allow you to selectively add or remove media encryption capabilities
for SIP calls flowing through the VCS. This allows you to configure your system so that, for example,
all traffic arriving or leaving a VCS Expressway from the public internet is encrypted, but is
unencrypted when in your private network. The policy is configured on a per zone/subzone basis; this
level of granularity means that different encryption policies could be applied to each leg of a call in/out
of a zone/subzone.
Call processing
When configuring search rules you can now specify:
• The source protocol for which the rule applies.
• A specific source zone or subzone for which the rule applies. Named sources make it possible for search rules to be applied as dial plan policy for specific subzones and zones.
Improved interworking flow control
The VCS now supports the ability to interwork the H.323 flowControlCommand into RFC 5104
Temporary Maximum Media Stream Bit Rate Request (TMMBR). This provides the ability to stem the
flow of data from a remote participant.
Enhanced diagnostics
There is an improved filter mechanism for call and registration status management.