Cisco TelePresence Video Communication Server Expressway Administration Manual
■ access over SSH and through the serial port is disabled and cannot be turned on (the pwrec password
recovery function is also unavailable)
■ access over HTTPS is enabled and cannot be turned off
■ the command line interface (CLI) and API access are unavailable
■ the root account, the admin account and any other local administrator accounts are disabled
■ administrator account authentication source is set to Remote only and cannot be changed
■ if there are three consecutive failed attempts to log in (by the same or different users), login access to the VCS
is blocked for 60 seconds
■ immediately after logging in, the current user is shown statistics of when they previously logged in and details
of any failed attempts to log in using that account
■ administrator accounts with read-only or read-write access levels cannot view the Event Log, Configuration
Log and Network Log pages (these pages can be viewed only by accounts with Auditor access level)
■ the Upgrade page only displays the System platform component
■ downgrades to version X5.0 or below are not allowed
The Event Log, Configuration Log, Network Log, call history, search history and registration history are cleared
whenever the VCS is taken out of advanced account security mode. Note that if
is enabled, this
will cause any existing blocked addresses to become unblocked.
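The login-blocking rule in the list above (three consecutive failed attempts, by the same or different users, block login for 60 seconds) can be replayed over a stream of authentication events to see when a block would have been in force. This is an added example, not Cisco code; the event format, the sample data, and the assumptions that a successful login resets the count and that attempts made during a block are rejected without being counted are not from the guide.

```python
from dataclasses import dataclass

THRESHOLD = 3       # consecutive failed attempts (from the guide)
BLOCK_SECONDS = 60  # block duration in seconds (from the guide)

@dataclass
class Attempt:
    t: int      # seconds since start of capture (hypothetical event format)
    user: str
    ok: bool    # True if the credentials were valid

def replay(attempts):
    """Return (outcomes, windows): one outcome per attempt in time order,
    and a (start, end, accounts) tuple for each system-wide block."""
    streak = []           # accounts behind the current run of failures
    blocked_until = None  # end of the active block, if any
    outcomes, windows = [], []
    for a in sorted(attempts, key=lambda a: a.t):
        if blocked_until is not None and a.t < blocked_until:
            outcomes.append("blocked")  # assumption: rejected, not counted
            continue
        if a.ok:
            streak = []                 # assumption: success resets the run
            outcomes.append("success")
            continue
        streak.append(a.user)
        outcomes.append("failure")
        if len(streak) == THRESHOLD:
            # The counter is system-wide: failures by different accounts
            # add up, and the block applies to every user.
            blocked_until = a.t + BLOCK_SECONDS
            windows.append((a.t, blocked_until, sorted(set(streak))))
            streak = []
    return outcomes, windows

# Constructed sample events, not taken from a real VCS log.
SAMPLE = [
    Attempt(0, "alice", False),
    Attempt(5, "bob", True),      # success resets the run started at t=0
    Attempt(10, "alice", False),
    Attempt(12, "carol", False),
    Attempt(15, "dave", False),   # third consecutive failure: block 15..75
    Attempt(40, "bob", True),     # valid credentials, but inside the block
    Attempt(75, "bob", True),     # block has expired
]

if __name__ == "__main__":
    outcomes, windows = replay(SAMPLE)
    for a, o in zip(SAMPLE, outcomes):
        print(f"t={a.t:>3} {a.user:<6} {o}")
    print("block windows:", windows)
```

The accounts listed for each window are the ones whose failures triggered the block, which is what an auditor would correlate with the per-account failed-attempt statistics shown at login.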
Configuring FIPS140-2 Cryptographic Mode
FIPS140 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules.
FIPS140-1 became a mandatory standard for the protection of sensitive data in 1994 and was superseded by
FIPS140-2 in 2001.
VCS X8.1 or later implements FIPS140-2 compliant features. When in FIPS140-2 cryptographic mode, system
performance may be affected due to the increased cryptographic workload.
Prerequisites
Before FIPS140-2 mode can be enabled:
■ Ensure that the system is not using NTLM protocol challenges with a direct Active Directory Service
connection for device authentication; NTLM cannot be used while in FIPS140-2 mode.
■ If login authentication via a remote LDAP server is configured, ensure that it uses TLS encryption if it is using
SASL binding.
■ The Advanced Account Security option key must be installed.
FIPS140-2 compliance also requires the following configuration settings:
■ System-wide SIP transport mode settings must be TLS: On, TCP: Off and UDP: Off.
■ All SIP zones must use TLS.
■ The VCS cannot be a part of a cluster.
■ SNMP and NTP server configuration cannot use MD5 hashing or DES encryption.
If your system is running as a virtualized application and has never been through an upgrade process:
1. Ensure it has a valid release key (check this via Maintenance > Option keys).
2. Perform a system upgrade. You can upgrade the system to the same software release version that it is
currently running.
If you do not complete this step, the activation process described below will fail.
Cisco TelePresence Video Communication Server Administrator Guide