4. Use the command New-CsTrustedApplication to assign a new application to the trusted application pool.
Example Command
C:\Users\Administrator.example>New-CsTrustedApplication -ApplicationId ExpresswayApplication1 -TrustedApplicationPoolFqdn lyncexp.video.example.com -Port 65072
-ApplicationID: Names the Gateway Expressway application (this is for Lync only, it is not a DNS name).
-TrustedApplicationPoolFQDN: Specifies the FQDN of the Gateway Expressway.
-Port: Specifies TLS/TCP port to use for neighboring, which must match the Port on B2BUA for Lync call communications on the Gateway B2BUA (default 65072).
Table 9 Parameter Reference
5. Run the command Enable-CsTopology to enable the configuration.
6. To read and check the application pool and application configurations, use Get-CsTrustedApplicationPool and Get-CsTrustedApplication.
Task 2: Configure Lync Server Media Encryption Capabilities
The Lync Server defaults to mandatory media encryption, which you may need to change to suit your video network.
To read the current media encryption policy on Lync Server use Get-CsMediaConfiguration. The default EncryptionLevel is RequireEncryption.
Also, the headers used in Lync SRTP are different from those used by Cisco Collaboration devices. The Expressway B2BUA can modify these headers if the Gateway Expressway has the Microsoft Interoperability option key.
When Should I Consider Changing the Default Encryption on Lync Server?
You can modify the media encryption setting on Lync Server, and the value you choose will depend on the following factors:
■ Is the connection between Lync and the Gateway Expressway made over TLS?
  If the connection is TLS, then mandatory encryption is possible.
  If the connection is not TLS, then the crypto keys will not be sent across the unsecure connection. Mandatory encryption will be impossible and calls will fail. In this case, you must change the default media encryption on Lync Server.
■ Does the Gateway Expressway have the Microsoft Interoperability option key?
  This key is required for interoperating with Lync Server 2013 and also for RDP transcoding. If it is installed on the Gateway Expressway, then mandatory encryption is possible.
  The Gateway Expressway might not have this key when interworking with Lync Server 2010. In this case, mandatory encryption will be impossible because the B2BUA will not be able to modify the SRTP headers from Lync. You must change the default media encryption on Lync Server in this case.
■ Do all video endpoints in the network support encrypted media and offer encrypted media?
  If all Unified CM-registered endpoints can do media encryption, then mandatory encryption on Lync Server is possible.
  If some endpoints cannot do media encryption, then mandatory encryption from Lync Server will not work.
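An added example, not part of the Cisco guide: a PowerShell audit function that checks the trusted application created in steps 4 to 6 and applies the three factors above to the current EncryptionLevel. The function name, its parameters and the sample objects are assumptions constructed for illustration (PowerShell 3.0 or later); in the Lync Server Management Shell, pass the output of Get-CsTrustedApplication and Get-CsMediaConfiguration instead of the sample objects.

```powershell
function Test-LyncExpresswayMediaReadiness {
    param(
        [Parameter(Mandatory)] $TrustedApplication,    # object from Get-CsTrustedApplication
        [Parameter(Mandatory)] $MediaConfiguration,    # object from Get-CsMediaConfiguration
        [Parameter(Mandatory)] [string] $GatewayFqdn,  # FQDN of the Gateway Expressway
        [int]  $B2buaPort = 65072,     # port configured on the Gateway B2BUA
        [bool] $SignalingIsTls,        # Lync <-> Gateway Expressway connection uses TLS
        [bool] $HasInteropKey,         # Microsoft Interoperability option key installed
        [bool] $AllEndpointsEncrypt    # all endpoints support and offer encrypted media
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Steps 4-6: the trusted application must point at the Gateway Expressway
    # and use the same port as the B2BUA.
    if ($TrustedApplication.TrustedApplicationPoolFqdn -ne $GatewayFqdn) {
        $findings.Add("Pool FQDN '$($TrustedApplication.TrustedApplicationPoolFqdn)' does not match Gateway Expressway '$GatewayFqdn'.")
    }
    if ($TrustedApplication.Port -ne $B2buaPort) {
        $findings.Add("Trusted application port $($TrustedApplication.Port) does not match B2BUA port $B2buaPort.")
    }

    # Each unmet factor makes mandatory media encryption impossible.
    $blockers = @()
    if (-not $SignalingIsTls)      { $blockers += 'connection is not TLS, so crypto keys are not sent' }
    if (-not $HasInteropKey)       { $blockers += 'no Microsoft Interoperability option key, so the B2BUA cannot modify Lync SRTP headers' }
    if (-not $AllEndpointsEncrypt) { $blockers += 'some endpoints cannot do media encryption' }

    $level = [string]$MediaConfiguration.EncryptionLevel
    if ($level -eq 'RequireEncryption' -and $blockers.Count -gt 0) {
        $findings.Add("EncryptionLevel is RequireEncryption but calls will fail: " + ($blockers -join '; ') + '.')
    }
    if ($level -ne 'RequireEncryption' -and $blockers.Count -eq 0) {
        $findings.Add("EncryptionLevel is '$level' although mandatory encryption is possible; confirm the weaker setting is intended.")
    }
    [pscustomobject]@{
        MandatoryEncryptionPossible = ($blockers.Count -eq 0)
        Findings                    = $findings.ToArray()
    }
}

# Constructed sample objects standing in for real cmdlet output.
$app   = [pscustomobject]@{ TrustedApplicationPoolFqdn = 'lyncexp.video.example.com'; Port = 65072 }
$media = [pscustomobject]@{ EncryptionLevel = 'RequireEncryption' }
Test-LyncExpresswayMediaReadiness -TrustedApplication $app -MediaConfiguration $media `
    -GatewayFqdn 'lyncexp.video.example.com' -SignalingIsTls $true `
    -HasInteropKey $false -AllEndpointsEncrypt $true
```

With the sample values the function reports that mandatory encryption is not possible, because the option key is missing while the policy still requires encryption.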
How do I Change the Media Encryption Policy on Lync Server?
To configure the media encryption policy on Lync Server use Set-CsMediaConfiguration as follows:
Cisco Expressway with Microsoft Lync Deployment Guide