Cisco Cisco TelePresence Video Communication Server Expressway 관리 매뉴얼
Zones and neighbors
Cisco VCS Administrator Guide (X7.2)
Page 130 of 498
Configuring Default Zone access rules
The Default Zone access rules (
VCS configuration > Zones > Default Zone access rules
) control which
external systems are allowed to connect over SIP TLS to the VCS via the Default Zone.
Each rule specifies a pattern type and string that is compared to the identities (Subject Common Name and
any Subject Alternative Names) contained within the certificate presented by the external system. You can
then allow or deny access to systems whose certificates match the specified pattern.
any Subject Alternative Names) contained within the certificate presented by the external system. You can
then allow or deny access to systems whose certificates match the specified pattern.
To use the rules, Use Default Zone access rules on the
page must be set to Yes. If the
access rules are enabled, then by default no systems will be allowed to connect over SIP TLS to the Default
Zone; you must set up the access rules for the systems you want to grant access. Note that the access rules
do not affect other connections to the Default Zone (H.323 and SIP UDP/TCP).
Zone; you must set up the access rules for the systems you want to grant access. Note that the access rules
do not affect other connections to the Default Zone (H.323 and SIP UDP/TCP).
The configurable options are:
Field
Description
Usage tips
Name
The name assigned to the rule.
Description An optional free-form description of the rule.
Priority
Determines the order in which the rules are applied if the
certificate names match multiple rules. The rules with the
highest priority (1, then 2, then 3 and so on) are applied
first. Multiple rules with the same priority are applied in
configuration order.
certificate names match multiple rules. The rules with the
highest priority (1, then 2, then 3 and so on) are applied
first. Multiple rules with the same priority are applied in
configuration order.
Pattern
type
type
The way in which the Pattern string must match the
Subject Common Name or any Subject Alternative
Names contained within the certificate.
Subject Common Name or any Subject Alternative
Names contained within the certificate.
Exact: the entire string must exactly match the name,
character for character.
character for character.
Prefix: the string must appear at the beginning of the
name.
name.
Suffix: the string must appear at the end of the name.
Regex: treats the string as a
You can test whether a pattern
matches a particular name by using the
matches a particular name by using the
tool (
Maintenance >
Tools > Check pattern
).
Pattern
string
string
The pattern against which the name is compared.
Action
The action to take if the certificate matches this access
rule.
rule.
Allow: allows the external system to connect via the
Default Zone.
Default Zone.
Deny: rejects any connection requests received from the
external system.
external system.
State
Indicates if the rule is enabled or not.
Use this setting when making or testing
configuration changes, or to
temporarily enable or disable certain
rules. Any disabled rules still appear in
the rules list but are ignored.
configuration changes, or to
temporarily enable or disable certain
rules. Any disabled rules still appear in
the rules list but are ignored.
Up to 10,000 rules can be configured.