Cisco TelePresence Video Communication Server Expressway Administration Manual
■ : the local VCS is a traversal server for the system being connected to, and there is a firewall
between the two.
■ : the zone contains endpoints discoverable by ENUM lookup.
■ : the zone contains endpoints discoverable by DNS lookup.
■ : a traversal client or traversal server zone used for Unified Communications
features such as mobile and remote access or Jabber Guest. Note that this zone type applies to the web
interface only; the underlying CLI configuration uses traversal client and traversal server zone types.
■ section for information about the configuration options available for all zone types.
■ section for information about including zones as targets
for search rules.
Automatically generated neighbor zones
The VCS may automatically generate some non-configurable neighbor zones:
■ A VCS Control automatically generates neighbor zones between itself and each discovered Unified CM node
when the system is configured for .
■ A VCS automatically generates a neighbor zone named "To Microsoft destination via B2BUA" when the
is enabled.
Configuring Media Encryption Policy
The media encryption policy settings allow you to selectively add or remove media encryption capabilities for SIP calls
flowing through the VCS. This allows you to configure your system so that, for example, all traffic arriving at or leaving a
VCS Expressway from the public internet is encrypted, but is unencrypted when in your private network.
■ The policy is configured on a per zone/subzone basis and applies only to that leg of the call in/out of that
zone/subzone.
■ Encryption is applied to the SIP leg of the call, even if other legs are H.323.
Media encryption policy is configured through the Media encryption mode setting on each zone and subzone;
however, the resulting encryption status of the call also depends on the encryption policy settings of the target
system (such as an endpoint or another VCS).
The encryption mode options are:
■ Force encrypted: all media to and from the zone/subzone must be encrypted. If the target system/endpoint is
configured to not use encryption, then the call will be dropped.
■ Force unencrypted: all media must be unencrypted. If the target system/endpoint is configured to use
encryption, then the call may be dropped; if it is configured to use Best effort then the call will fall back to
unencrypted media.
■ Best effort: use encryption if available, otherwise fall back to unencrypted media.
■ Auto: no specific media encryption policy is applied by the VCS. Media encryption is purely dependent on the
target system/endpoint requests. This is the default behavior and is equivalent to how the VCS operated
before this feature was introduced.
Encryption policy (any encryption setting other than Auto) is applied to a call by routing it through a back-to-back user
agent (B2BUA) hosted on the VCS.
When configuring your system to use media encryption you should note that:
■ Any zone with an encryption mode of Force encrypted or Force unencrypted must be configured as a SIP-only
zone (H.323 must be disabled on that zone).
■ TLS transport must be enabled if an encryption mode of Force encrypted or Best effort is required.
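The constraints above can be checked mechanically against a zone inventory. The following Python is an added example, not part of the Cisco guide; the record fields (h323_enabled, tls_enabled, internet_facing), the sample zones, and the rule that internet-facing zones must be Force encrypted are assumptions made for illustration.

```python
# Added example: field names and the sample inventory are constructed for
# illustration; they are not VCS CLI or API identifiers.
FORCE_ENC, FORCE_UNENC, BEST_EFFORT, AUTO = (
    "Force encrypted", "Force unencrypted", "Best effort", "Auto")

def uses_b2bua(mode):
    """Any setting other than Auto routes the call through the B2BUA."""
    return mode != AUTO

def audit_zone(zone):
    """Return a list of findings for one zone/subzone record."""
    findings = []
    mode = zone["media_encryption_mode"]
    if mode not in (FORCE_ENC, FORCE_UNENC, BEST_EFFORT, AUTO):
        return [f"unknown media encryption mode {mode!r}"]
    # Force modes require a SIP-only zone (H.323 disabled on that zone).
    if mode in (FORCE_ENC, FORCE_UNENC) and zone["h323_enabled"]:
        findings.append(f"{mode} requires a SIP-only zone; disable H.323")
    # Force encrypted and Best effort both need TLS transport enabled.
    if mode in (FORCE_ENC, BEST_EFFORT) and not zone["tls_enabled"]:
        findings.append(f"{mode} requires TLS transport to be enabled")
    # Local policy assumed here, following the guide's example: legs that
    # face the public internet must be Force encrypted.
    if zone["internet_facing"] and mode != FORCE_ENC:
        findings.append("internet-facing zone does not force media encryption")
    return findings

def audit(zones):
    """Map zone name -> findings, omitting zones that pass every check."""
    results = {z["name"]: audit_zone(z) for z in zones}
    return {name: f for name, f in results.items() if f}

# Constructed sample inventory.
SAMPLE_ZONES = [
    {"name": "TraversalToInternet", "media_encryption_mode": FORCE_ENC,
     "h323_enabled": False, "tls_enabled": True, "internet_facing": True},
    {"name": "DNSZone", "media_encryption_mode": BEST_EFFORT,
     "h323_enabled": True, "tls_enabled": False, "internet_facing": True},
    {"name": "InternalNeighbor", "media_encryption_mode": FORCE_UNENC,
     "h323_enabled": True, "tls_enabled": False, "internet_facing": False},
    {"name": "LegacySubzone", "media_encryption_mode": AUTO,
     "h323_enabled": True, "tls_enabled": False, "internet_facing": False},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ZONES).items():
        print(f"{name}: " + "; ".join(findings))
```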
Cisco TelePresence Video Communication Server Administrator Guide
Zones and Neighbors