
Groups belonged to             Access permissions granted
Administrators and Region B    read-write access to the API interface, but no web interface access
Administrators and Region C    read-write access to the web and API interfaces
Region A only                  read-only access to the web interface and no API access

Configuring FindMe groups

The FindMe groups page (Users > FindMe groups) lists all the FindMe groups that have been configured on the VCS, and lets you add, edit and delete groups.

Note that this page does not apply if the VCS is using TMS Provisioning Extension services to provide FindMe account data; in this case, FindMe accounts are maintained through Cisco TMS.

FindMe groups are only active when remote FindMe authentication is enabled.

FindMe groups determine which access rights members of the group have after they have been successfully authenticated to use the VCS.

When a FindMe user logs in to the VCS, their credentials are authenticated against the remote directory service and they are assigned the access rights associated with the group to which that user belongs. If the user account belongs to more than one group, the highest level permission is assigned.

The configurable options are:

Name
  Description: The name of the FindMe group. It cannot contain any of the following characters:
    / \ [ ] : ; | = , + * ? > < @ "
  Usage tips: The group names defined in the VCS must match the group names that have been set up in the remote directory service to manage FindMe accounts.

State
  Description: Indicates if the group is enabled or disabled.
    Enabled: users can view and modify their personal FindMe details, devices and locations.
    Disabled: users are not allowed to log in to their account.
  Default: Enabled
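To make the two rules above concrete, the following Python script is an added example; it is not code from the guide or from Cisco. It rejects group names that contain the forbidden characters and resolves a user's effective access when the remote directory reports membership of several groups. The group table, its per-group access levels, the disabled "Contractors" group and the reading of "highest level permission" as a per-interface maximum (web and API taken separately) are all assumptions made for the illustration; the page does not state how a disabled group combines with an enabled one, and the example treats a disabled group as granting nothing.

```python
"""Added example, not part of the Cisco VCS Administrator Guide.

Models the two rules the page states for FindMe groups, using a
constructed group table rather than anything exported from a VCS:

  * a group name may not contain  / \\ [ ] : ; | = , + * ? > < @ "
  * a user in more than one group gets the highest permission level

Assumptions (not stated on the page): "highest" is evaluated per
interface (web, API) across the user's enabled groups; a disabled
group contributes nothing; a directory group with no identically
named VCS group grants nothing.
"""

# Characters the page forbids in a FindMe group name.
FORBIDDEN_CHARS = frozenset('/\\[]:;|=,+*?><@"')


def invalid_chars(name: str) -> set:
    """Return the forbidden characters found in a candidate group name.

    An empty set means the VCS would accept the name.
    """
    return {c for c in name if c in FORBIDDEN_CHARS}


# Ordered access levels: a larger number is a higher permission.
NO_ACCESS, READ_ONLY, READ_WRITE = 0, 1, 2
LEVEL_NAME = {NO_ACCESS: "no access", READ_ONLY: "read-only", READ_WRITE: "read-write"}

# Constructed (hypothetical) group table: name -> (enabled, web level, API level).
# The per-group levels are chosen so that the three combinations listed at the
# top of this page resolve to the results the page shows.
GROUPS = {
    "Administrators": (True,  NO_ACCESS,  READ_WRITE),
    "Region A":       (True,  READ_ONLY,  NO_ACCESS),
    "Region B":       (True,  NO_ACCESS,  READ_ONLY),
    "Region C":       (True,  READ_WRITE, READ_ONLY),
    "Contractors":    (False, READ_WRITE, READ_WRITE),  # disabled: grants nothing (assumption)
}


def effective_access(member_of, groups=GROUPS):
    """Resolve a user's effective web and API access from directory group membership.

    ``member_of`` is the list of group names the remote directory returns for
    the authenticated user. Names are matched exactly against the VCS group
    table, and the highest level per interface wins.
    """
    web = api = NO_ACCESS
    for name in member_of:
        entry = groups.get(name)
        if entry is None:
            continue  # no VCS group with this exact name: membership grants nothing
        enabled, web_level, api_level = entry
        if not enabled:
            continue  # disabled group: cannot be used to log in
        web = max(web, web_level)
        api = max(api, api_level)
    return {"web": LEVEL_NAME[web], "api": LEVEL_NAME[api]}


if __name__ == "__main__":
    # Name check: an LDAP-style name is rejected because of '=' and ','.
    for candidate in ("Region A", "cn=findme-users,ou=groups"):
        bad = invalid_chars(candidate)
        print(f"{candidate!r}: {'ok' if not bad else 'rejected, contains ' + ''.join(sorted(bad))}")

    # Access resolution for the combinations the page lists, plus a disabled group.
    for groups_of_user in (["Administrators", "Region B"],
                           ["Administrators", "Region C"],
                           ["Region A"],
                           ["Contractors", "Region A"]):
        print(groups_of_user, "->", effective_access(groups_of_user))
```

A practical check before enabling remote FindMe authentication is to run every group name you intend to configure through invalid_chars and to confirm with the directory administrator that the same names, spelled identically, exist in the remote directory, since the VCS only recognises a directory group whose name matches one configured on this page.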


Cisco VCS Administrator Guide (X8.1.1)    Page 270 of 507
User accounts: Configuring remote account authentication using LDAP

Summary of Contents for TelePresence

Page 1: ...Cisco TelePresence Video Communication Server Administrator Guide Software version X8 1 1 D14049 16 April 2014 ...

Page 2: ...onfiguring firewall rules 34 Current active firewall rules 36 Configuring automated intrusion protection 36 Network services 40 Configuring system name and access settings 40 Configuring SNMP settings 43 Configuring time settings 45 Configuring the Login page 47 Configuring external manager settings 48 Configuring TMS Provisioning Extension services 49 Firewall traversal 52 About firewall traversa...

Page 3: ...SIP registrar 81 VCS as a SIP proxy server 82 Proxying registration requests 83 VCS as a SIP Presence Server 83 Configuring SIP 84 SIP functionality and SIP specific transport modes and ports 84 Certificate revocation checking modes 84 Registration controls 85 Authentication controls 87 Configuring domains 88 Configuring the supported services for Unified Communications VCS Control only 88 Configu...

Page 4: ...n 132 Structured dial plan 132 Hierarchical dial plan 132 About zones 134 Configuring media encryption policy 135 Configuring the B2BUA for media encryption 136 Configuring ICE messaging support 137 About the Local Zone and subzones 138 The Default Zone 139 Configuring the Default Zone 139 Configuring Default Zone access rules 140 Configuring zones 141 Configuring neighbor zones 141 Configuring tr...

Page 5: ...ngs 188 Allowing calls to IP addresses only if they come from known zones 190 Configuring search rules to use an external service 191 About Call Policy 194 Configuring Call Policy 194 Configuring Call Policy rules using the web interface 195 Configuring Call Policy using a CPL script 195 Configuring Call Policy to use an external service 197 Supported address formats 199 Dialing by IP address 199 ...

Page 6: ...back to back user agent overview 243 Configuring B2BUA TURN servers 243 Microsoft Lync B2BUA 244 FindMe 251 End user FindMe account configuration 251 How are devices specified 251 FindMe process overview 252 Recommendations when deploying FindMe 252 Configuring FindMe 252 Cisco TMS provisioning 255 VCS Provisioning Server 256 Starter Pack provisioning 258 Configuring Starter Pack provisioning 258 ...

Page 7: ...ring certificate based authentication 290 Testing client certificates 292 Advanced security 295 Configuring advanced account security mode 295 Configuring FIPS140 2 cryptographic mode 296 Configuring language settings 299 Changing the language 299 Installing language packs 299 Removing language packs 300 Backing up and restoring VCS data 301 When to create a backup 301 Content of the backup file 3...

Page 8: ...35 Zone status 336 Bandwidth 337 Link status 337 Pipe status 337 Policy server status and resiliency 338 Viewing policy server status via the VCS 338 TURN relays status 339 Unified Communications status 340 Presence 341 Presence publishers 341 Presence presentities 341 Presence subscribers 342 Lync B2BUA 343 Lync user status 343 Lync B2BUA status 343 TMS Provisioning Extension service status 344 P...

Page 9: ...iguring an OpenLDAP server 379 DNS configuration examples 383 Verifying the SRV record 383 Microsoft DNS server 383 BIND 8 9 383 Changing the default SSH key 385 Restoring default configuration factory reset 386 Prerequisite files 386 Performing a reset to default configuration 386 Resetting via USB stick 386 Password encryption 388 Pattern matching variables 389 Port reference 391 Local VCS inbou...

Page 10: ...ternal policy request parameters 491 Default CPL for policy services 492 Flash status word reference table 493 Supported RFCs 494 Software version history 496 X7 2 1 496 X7 2 496 X7 1 499 X7 500 Related documentation 503 Legal notices 505 Intellectual property rights 505 Copyright notice 505 Patent information 506 Cisco VCS Administrator Guide X8 1 1 Page 10 of 507 ...

Page 11: ...des an overview of the Cisco TelePresence Video Communication Server About the Cisco TelePresence Video Communication Server VCS 12 About this guide 17 What s new in this version 22 Cisco VCS Administrator Guide X8 1 1 Page 11 of 507 ...

Page 12: ...ce services to organizations with Unified CM It also offers interoperability with third party unified communications IP telephony networks and voice over IP VoIP systems The VCS supports on premises and cloud applications and is available as a dedicated appliance or as a virtualized application on VMware with additional support for Cisco Unified Computing System Cisco UCS platforms You can deploy ...

Page 13: ...t from increased employee productivity and enhanced communication with partners and customers It uses an intelligent framework that allows endpoints behind firewalls to discover paths through which they can pass media verify peer to peer connectivity through each of these paths and then select the optimum media connection path eliminating the need to reconfigure enterprise firewalls The VCS Expres...

Page 14: ...ll Policy also known as Administrator Policy including support for CPL n Support for external policy servers n Can be managed with Cisco TelePresence Management Suite Cisco TMS 13 2 or later n AD authentication for administrators of the VCS n Pre configured defaults for l Cisco Unified Communications Manager neighbor zones l Cisco TelePresence Advanced Media Gateway l Nortel Communication Server n...

Page 15: ...e VCS can be used to route SIP calls between the VCS and a Microsoft Lync Server It provides interworking between Microsoft ICE used by Lync clients and media for communications with standard video endpoints The Microsoft Interoperability option key is required for all types of communication with Lync 2013 Advanced Networking The Advanced Networking option enables the LAN 2 Ethernet port on the VC...

Page 16: ...nstallation Guide for more information Installation and initial configuration Full installation and initial configuration instructions for the VCS are contained in VCS Getting Started Guide Cisco VCS Administrator Guide X8 1 1 Page 16 of 507 Introduction About the Cisco TelePresence Video Communication Server VCS ...

Page 17: ...e shown in the format xConfiguration Element SubElement xCommand Command Related documentation See Related documentation p 503 for a full list of documents and web sites referenced in this guide Training Training is available online and at our training locations For more information on all the training we provide and where our training offices are located visit www cisco com go telepresencetrainin...

Page 18: ...age Note that when logging in using the VCS web interface you may receive a warning message regarding the VCS s security certificate This can safely be ignored A command line interface is also available Required fields All mandatory fields on web pages are indicated by a red star Supported browsers The VCS web interface is designed for use with Internet Explorer 8 or 9 not in compatibility mode Fi...

Page 19: ...ommands allow you to add and edit single items of data such as IP address and zones See Command reference xConfiguration p 422 for a full list of xConfiguration commands n xCommand these commands allow you to add and configure items and obtain information See Command reference xCommand p 469 for a full list of xCommand commands n xHistory these commands provide historical information about calls a...

Page 20: ...page System alarm This icon appears on the top right corner of every page when there is a system alarm in place Click on this icon to go to the Alarms page which gives information about the alarm and its suggested resolution Help This icon appears on the top right corner of every page Clicking on this icon opens a new browser window with help specific to the page you are viewing It gives an overvi...

Page 21: ...ascending and descending order Select All and Unselect All Use these buttons to select and unselect all items in the list Mandatory field Indicates an input field that must be completed Peer specific configuration item When a VCS is part of a cluster most items of configuration are applied to all peers in a cluster However items indicated with a must be specified separately on each cluster peer Sy...

Page 22: ... VCS software X8 1 Microsoft Lync 2013 H 264 SVC support The Microsoft Lync B2BUA now supports calls to and from Microsoft Lync 2013 clients It provides interworking between standard H 264 AVC and Lync 2013 s H 264UC SVC codec To use Lync 2013 you must install the Microsoft Interoperability option key formerly known as the Enhanced OCS Collaboration option key Note that for Lync 2010 the Microsoft...

Page 23: ...n challenge Alternatively you can now configure the VCS so that the credential checking of SIP messages is delegated via a traversal zone to another VCS Delegated credential checking is useful in deployments where you want to allow devices to register on a VCS Expressway but for security you want all communications with authentication systems such as an Active Directory server to be performed insi...

Page 24: ...so been removed Instead we recommend that you use the Microsoft Lync B2BUA to route SIP calls between the VCS and a Microsoft Lync Server and to configure your Cisco AM GWs as B2BUA transcoders Note that B2BUA connections to Microsoft OCS are no longer supported from X8 1 Support for Active Control VCS supports Active Control iX Channel passthrough as supported by Cisco TelePresence Server 3 1 or ...

Page 25: ...an be deleted n The VCS Starter Pack Express supports device provisioning for SX20 endpoints Note this is a preview feature n You have the option to take a tcpdump while diagnostic logging is in progress n SIP network logging at the DEBUG level now includes the local address and port as well as the destination source information n You can specify the transport type to use for SIP calls from a DNS ...

Page 26: ...tes will not be affected n When configuring the sources for administrator account authentication the Remote option is now labeled as Remote only This also means you can no longer access the VCS via the default admin account if a Remote only authentication source is in use The Local option has also been renamed to Local only Note do not use Remote only if VCS is managed by Cisco TMS n The Reboot Re...

Page 27: ...erworked calls n The following settings have been removed from the SIP configuration page Require UDP BFCP mode and Require Duo Video mode They existed to provide support for interoperability issues with old versions of Cisco TelePresence MXP endpoints These settings can still be configured via the CLI if necessary n The Login account authentication configuration page has been removed and the Admi...

Page 28: ...VCS in relation to the network in which it is located for example its IP settings firewall rules intrusion protection and the external services used by the VCS for example DNS NTP and SNMP Network settings 29 Intrusion protection 34 Network services 40 Configuring external manager settings 48 Configuring TMS Provisioning Extension services 49 Cisco VCS Administrator Guide X8 1 1 Page 28 of 507 ...

Page 29: ...ed gatewayed by the VCS All IPv6 addresses configured on the VCS are treated as having a 64 network prefix length IPv4 to IPv6 gatewaying interworking The VCS can act as a gateway for calls between IPv4 and IPv6 devices To enable this feature select an IP protocol of Both Calls for which the VCS is acting as an IPv4 to IPv6 gateway are traversal calls and require a traversal call license IP gatewa...

Page 30: ...o route IP traffic to the public internet and instead the traffic must pass through an application proxy such as the VCS Expressway To enable the use of dual network interfaces 1 Ensure that the Advanced Networking option key is installed on the VCS Expressway 2 Set Use dual network interfaces to Yes 3 Set External LAN interface to LAN2 LAN 2 should be used as the public interface of the VCS Expre...

Page 31: ...he private IP address will be sent in the SDP rather than the static NAT address and this will cause calls to fail Note that the recommended configuration for VCS Control with VCS Expressway deployments is to n configure the same media encryption policy setting on the traversal client zone on VCS Control the traversal server zone on VCS Expressway and every zone and subzone on VCS Expressway n use...

Page 32: ... the VCS is the System host name plus the Domain name Impact on SIP messaging The System host name and Domain name are also used to identify references to this VCS in SIP messaging where an endpoint has configured the VCS as its SIP proxy in the form of an FQDN as opposed to an IP address which is not recommended In this case the VCS may for example reject an INVITE request if the FQDN configured ...

Page 33: ... associating it with the same Domain names In this scenario DNS requests for those domains will be sent in parallel to both DNS servers Tip you can also use the DNS lookup tool Maintenance Tools Network utilities DNS lookup to check which domain name server DNS server is responding to a request for a particular hostname Caching DNS records To improve performance DNS lookups may be cached This cach...

Page 34: ...ra rules to lock down the system to your specifications Note that return traffic from outbound connections is always accepted User configured rules The user configured rules are typically used to restrict what can access the VCS You can n Specify the source IP address subnet from which to allow or deny traffic n Choose whether to drop or reject denied traffic n Configure well known services such a...

Page 35: ... the web interface then the rollback will ensure that its ability to access the system is reinstated When configuring firewall rules you also have the option to Revert all changes This discards all pending changes and resets the working copy of the rules to match the current active rules Rule settings The configurable options for each rule are Field Description Usage tips Priority The order in whi...

Page 36: ... protection The automated protection service can be used to detect and block malicious traffic and to help protect the VCS from dictionary based attempts to breach login security It works by parsing the system log files to detect repeated failures to access specific service categories such as SIP SSH and web HTTPS access When the number of failures within a specified time window reaches the config...

Page 37: ...s Failed n Currently blocked the number of addresses currently being blocked for this category n Total failures the total number of failed attempts to access the services associated with this category n Total blocks the total number of times that a block has been triggered Note that l The Total blocks will typically be less than the Total failures unless the Trigger level is set to 1 l The same ad...

Page 38: ...dresses page Managing blocked addresses The Blocked addresses page System Protection Automated detection Blocked addresses is used to manage the addresses that are currently blocked by the automated protection service n It shows all currently blocked addresses and from which categories those addresses have been blocked n You can unblock an address or unblock an address and at the same time add it ...

Page 39: ... dropped the host receives no response n A host address can be blocked simultaneously for multiple categories but may not necessarily be blocked by all categories Those blocks may also expire at different times n When an address is unblocked either manually or after its block duration expires it has to fail again for the full number of times as specified by the category s trigger level before it w...

Page 40: ...99 still applies to earlier releases that have upgraded to X8 1 Administration access settings While you can administer the VCS via a PC connected directly to the unit via a serial cable you may want to access the system remotely over IP You can do this using either the web interface via HTTPS or through a command line interface via SSH The configurable options are Field Description Usage tips Ser...

Page 41: ...dministrator sessions A value of 0 turns session limits off System protection Automated protection service Determines whether the automated protection service is active Default is Off After enabling the service you must go and configure the specific protection categories Web server configuration Redirect HTTP requests to HTTPS Determines whether HTTP requests are redirected to the HTTPS port Defau...

Page 42: ...and test client certificates on the Testing client certificates p 292 page Enabling Certificate based authentication means that the standard login mechanism is no longer available You can log in only if your browser certificate is valid and the credentials it provides have the appropriate authorization levels You can configure how the VCS extracts credentials from the browser certificate on the Ce...

Page 43: ...y access the server through its fully qualified name rather than its IP address VCS unit front panel The LCD panel on the front of the VCS hardware unit has a rotating display of the VCS s system name IP addresses alarms and the number of current traversal calls non traversal calls and registrations To control the display of status items n ENTER stops the display from automatically rotating throug...

Page 44: ...he System contact and Location are used for reference purposes by administrators when following up on queries Location Specifies the physical location of the VCS Username The VCS s SNMP username used to identify this SNMP agent to the SNMP manager Only applies when using secure SNMPv3 v3 Authentication settings only applicable to SNMPv3 Authentication mode Enables or disables SNMPv3 authentication...

Page 45: ...er Three of the Address fields default to NTP servers provided by Cisco You can configure the Authentication method used by the VCS when connecting to an NTP server Use one of the following options for each NTP server connection Authentication method Description Disabled No authentication is used Symmetric key Symmetric key authentication When using this method a Key ID Hash method and Pass phrase...

Page 46: ...he restart However the NTP server may have remained contactable during the restart process Offset The difference between the NTP server s time and the VCS s time Delay The network delay between the NTP server and the VCS Stratum The degree of separation between the VCS and a reference clock 1 indicates that the NTP server is a reference clock Ref ID A code identifying the reference clock Ref time ...

Page 47: ...he web interface You can upload an image that will appear above the welcome message on the login page when using the web interface n supported image file formats are JPG GIF and PNG n images larger than 200x200 pixels will be scaled down If the VCS is using the TMS Provisioning Extension services to provide FindMe account data then users log into their FindMe accounts through Cisco TMS not through...

Page 48: ...Determines whether communications with the external manager are over HTTP or HTTPS The default is HTTPS Certificate verification mode Controls whether the certificate presented by the external manager is verified If you enable verification you must also add the certificate of the issuer of the external manager s certificate to the file containing the VCS s trusted CA certificates This is done from...

Page 49: ... services Each specific service can choose to use these default settings or alternatively specify its own connection settings for example if a different Cisco TMSPE server is being used for each service Server address The IP address or Fully Qualified Domain Name FQDN of the service Destination port The listening port on the Cisco TMSPE service Default is 443 Encryption The encryption to use for t...

Page 50: ... service for updates Defaults are FindMe 2 minutes Users 2 minutes Phone books 1 day The Device service polling interval is set to 30 seconds and cannot be modified You can request an immediate update of all services by clicking Check for updates at the bottom of the page Use the default connection configuration Controls whether the service uses the default connection configuration for Cisco TMSPE...

Page 51: ...mber of provisioning licenses being consumed n the status of the devices that are making provisioning requests to the VCS s Provisioning Server Cisco VCS Administrator Guide X8 1 1 Page 51 of 507 Network and system settings Configuring TMS Provisioning Extension services ...

Page 52: ...e firewalls About firewall traversal 53 Configuring a traversal client and server 57 Configuring ports for firewall traversal 58 Firewall traversal and authentication 61 Configuring Expressway and traversal endpoint communications 62 About ICE and TURN services 63 Cisco VCS Administrator Guide X8 1 1 Page 52 of 507 ...

Page 53: ...r When the traversal server receives an incoming call for the traversal client it uses this existing connection to send an incoming call request to the client The client then initiates the necessary outbound connections required for the call media and or signaling This process ensures that from the firewall s point of view all connections are initiated from the traversal client inside the firewall...

Page 54: ...P address of the destination firewall to the destination endpoint or from the endpoint via a TURN server to destination endpoint n The VCS supports ICE for calls where the VCS does not have to traverse media for example if there is no IPv4 IPv6 conversion or SIP H 323 conversion required typically this means 2 endpoints which are able to support ICE directly communicating to a VCS Expressway clust...

Page 55: ...ay pair the only demultiplexing that would occur would be on the VCS Expressway ports facing the VCS Control Enterprise endpoint VCS Control VCS Expressway Home endpoint Non demuxed Non demuxed Demuxed Non demuxed RTP ports 36002 36004 36000 36002 RTCP ports 36003 36005 36001 36003 However an H 323 call from within an enterprise to an Assent capable H 323 endpoint at home through the same VCS Cont...

Page 56: ...ient Configuring other traversal server features n For the VCS Expressway to act as a firewall traversal server for traversal enabled endpoints such as Cisco MXP endpoints and any other endpoints that support the ITU H 460 18 and H 460 19 standards no additional configuration is required See Configuring Expressway and traversal endpoint communications p 62 for more information n To enable TURN rel...

Page 57: ... password as credentials into the local authentication database On the VCS Control create a traversal client zone this represents the connection to the VCS Expressway Enter the same authentication Username and Password as specified on the VCS Expressway Configure all the modes and ports in the H 323 and SIP protocol sections to match identically those of the traversal server zone on the VCS Expres...

Page 58: ... client by the port on which it receives the connection and the authentication credentials provided by the client 3 After the connection has been established the client regularly sends a probe to the VCS Expressway to keep the connection alive 4 When the VCS Expressway receives an incoming call for the client it uses this initial connection to send an incoming call request to the client 5 The clie...

Page 59: ...S Expressway s traversal server zones The following table shows the default ports used for connections to the VCS Expressway Protocol Call signaling Media Assent UDP 1719 listening port for RAS messages TCP 2776 listening port for H 225 and H 245 protocols RTP and RTCP media demultiplexing ports are allocated from the start of the traversal media ports range UDP 36000 36001 H 460 18 19 UDP 1719 li...

Page 60: ...cify in advance any rules that will allow you to connect out to the endpoint s ports You can however specify the ports on the VCS Expressway that are used for calls to and from endpoints on the public internet so that your firewall administrator can allow connections via these ports The ports that can be configured for this purpose are H 323 SIP TURN TCP 1720 signaling UDP 1719 signaling UDP 36000...

Page 61: ...s is set on the VCS Expressway by using Configuration Zones Zones Edit zone in the Connection credentials section There must also be an entry in the VCS Expressway s authentication database with the corresponding client username and password Endpoint The endpoint client provides its Authentication ID and Authentication Password There must be an entry in the VCS Expressway s authentication database...

Page 62: ...VCS Expressway uses if an endpoint supports both Assent and H 460 18 UDP probe retry interval The frequency in seconds with which locally registered endpoints send a UDP probe to the VCS Expressway UDP probe retry count The number of times locally registered endpoints attempt to send a UDP probe to the VCS Expressway UDP probe keep alive interval The interval in seconds with which locally register...

Page 63: ...communicate via UDP or TCP from behind a NAT device Currently the VCS supports TURN over UDP only For more information about TURN see RFC 5766 and for detailed information about the base STUN protocol see RFC 5389 Each ICE client requests the TURN server to allocate relays for the media components of the call A relay is required for each component in the media stream between each client After the ...

Page 64: ...ons between the VCS and Microsoft Lync clients that are registered through a Microsoft Edge Server you need to use the B2BUA for Microsoft Lync n The TURN server does not support bandwidth requests Traversal zone bandwidth limits do not apply Configuring TURN services TURN relay services are only available on the VCS Expressway To use TURN services you need the TURN Relay option key this controls ...

Page 65: ... checking is On you choose from the set of configured SIP domains The chosen domain also determines the traversal zone through which credential checking is delegated When Delegated credential checking is Off ensure that the client s credentials are stored in the relevant device authentication database Media port range start end The lower and upper port in the range used for the allocation of TURN ...

Page 66: ...re the VCS Control and VCS Expressway for Unified Communications functionality a core part of the Cisco Collaboration Edge Architecture Mobile and remote access 67 Configuring mobile and remote access on VCS 69 Cisco VCS Administrator Guide X8 1 1 Page 66 of 507 ...

Page 67: ...premises access a consistent experience outside the network for Jabber and EX MX SX Series clients n Security secure business to business communications n Cloud services enterprise grade flexibility and scalable solutions providing rich WebEx integration and Service Provider offerings n Gateway and interoperability services media and signaling normalization and support for non standard endpoints F...

Page 68: ...rience inside and outside the enterprise It provides a secure connection for Jabber application traffic without having to connect to the corporate network over a VPN It is a device and operating system agnostic solution for Cisco Unified Client Services Framework clients on Windows Mac iOS and Android platforms It allows Jabber clients that are outside the enterprise to n use instant messaging and...

Page 69: ...eer Configuring the VCS Control for Unified Communications Enabling mobile and remote access To enable mobile and remote access functionality 1 Go to Configuration Unified Communications Configuration 2 Set Unified Communications mode to Mobile and remote access 3 Click Save Note that you must select Mobile and remote access before you can configure the relevant domains and traversal zones Configu...

Page 70: ...y those IM P and Unified CM servers 1 Determine the relevant CA certificates to upload l If the servers are using self signed certificates the VCS Control s trusted CA list must include a copy of the tomcat certificate from every IM P Unified CM server l If the servers are using CA signed certificates the VCS Control s trusted CA list must include the root CA of the issuer of the tomcat certificat...

Page 71: ...r is using self signed certificates the VCS Control s trusted CA list must include a copy of the tomcat certificate and the CallManager certificate from every Unified CM server o If the Unified CM server is using CA signed certificates the VCS Control s trusted CA list must include the root CA of the issuer of the tomcat certificate and the CallManager certificate d Click Add address The system th...

Page 72: ...Ensure that TURN services are Off Setting up VCS security certificates This deployment requires secure communications between the VCS Control and the VCS Expressway and between the VCS Expressway and endpoints located outside the enterprise Therefore you must 1 Install a suitable server certificate on both the VCS Control and the VCS Expressway The certificate on each VCS has different requirement...

Page 73: ...ion when it is forwarding messages from devices that are configured with those security profiles A new certificate may need to be produced if chat node aliases are added or renamed such as when an IM and Presence node is added or renamed or if new TLS phone security profiles are added You must restart the VCS Control for any new uploaded server certificate to take effect VCS Expressway server cert...

Page 74: ...other fields with default values VCS Control VCS Expressway Name Traversal zone for example Traversal zone for example Type Traversal client Traversal server Username exampleauth for example exampleauth for example Password ex4mpl3 c0m for example Click Add Edit local authentication database then in the popup dialog click New and enter the Name exampleauth and Password ex4mpl3 c0m and click Create...

Page 75: ...services on both VCS Control and VCS Expressway 1 Go to Status Unified Communications 2 Review the list and status of domains zones and VCS Control only Unified CM and IM P servers Any configuration errors will be listed along with links to the relevant configuration page from where you can address the issue Additional configuration Configuring the HTTP server allow list whitelist on VCS Control J...

Page 76: ...addresses to which HTTP access will be allowed: 1. On VCS Control, go to Configuration > Unified Communications > Configuration. 2. Click HTTP server allow list. 3. Configure the hostnames or IP addresses of an HTTP server that a Jabber client located outside of the enterprise is allowed to access. Access is granted if the server portion of the client-supplied URI matches one of the names entered here, or if...

Page 77: ...t how to configure the VCS to support the SIP and H.323 protocols. About H.323 78; Configuring H.323 79; About SIP 81; Configuring SIP 84; Configuring domains 88; Configuring SIP and H.323 interworking 90...

Page 78: ...H.323 endpoints in your network must register with the VCS in order to use it as their gatekeeper. There are two ways an H.323 endpoint can locate a VCS with which to register: manually or automatically. The option is configured on the endpoint itself under the Gatekeeper Discovery setting (consult your endpoint manual for how to access this setting). • If the mode is set to automatic, the endpoint will...

Page 79: ...e original registration and replaces it with the new registration. An H.323 endpoint may attempt to register with the VCS using an alias that has already been registered on the VCS from another IP address. The reasons for this could include: • Two endpoints at different IP addresses are attempting to register using the same alias. • A single endpoint has previously registered using a particular alias...

Page 80: ...covery Requests sent out by endpoints. The default is On. To prevent H.323 endpoints being able to register automatically with the VCS, set Auto discover to Off. This means that endpoints can only register with the VCS if their Gatekeeper Discovery setting is Manual and they have been configured with the VCS's IP address. Caller ID: Specifies whether the prefix of the ISDN gateway is inserted into the c...

Page 81: ...ccept registration requests where the domain portion of the AOR is either the FQDN or the IP address of the VCS. Whether or not the VCS accepts a registration request depends on its registration control settings. In a Unified Communications deployment, endpoint registration for SIP devices may be provided by Unified CM. In this scenario the VCS provides secure firewall traversal and line-side support...

Page 82: ...a SIP proxy server when SIP mode is enabled. The role of a proxy server is to forward requests (such as REGISTER and INVITE) from endpoints or other proxy servers on to further proxy servers or to the destination endpoint. The VCS's behavior as a SIP proxy server is determined by: • the SIP registration proxy mode setting • the presence of Route Set information in the request header • whether the proxy...

Page 83: ...ny: this is the same as Proxy to known only, but for all zone types, i.e. it also includes ENUM and DNS zones. If your network is set up to proxy registration requests, we recommend that you disable GRUU on the VCS systems that are acting as a Registrar for those proxied requests. If GRUU is left enabled, Presence may not work properly for the proxy-registered endpoints. GRUU can only be disabled via the C...

Page 84: ...utgoing connections using that protocol are supported and, if so, the ports on which the VCS listens for such connections. By default UDP is Off and TCP and TLS are On. The default ports are: • UDP: port 5060 • TCP: port 5060 • TLS: port 5061. At least one of the transport protocols must be set to a Mode of On for SIP functionality to be supported. TCP outbound port start/end: The range of ports the VCS uses...

Page 85: ...cally from a CRL distribution point (CDP) URI contained in the X.509 certificate. Allow CRL downloads from CDPs: Controls whether the download of CRLs from the CDP URIs contained in X.509 certificates is allowed. Fallback behavior: Controls the revocation checking behavior if the revocation status cannot be established, for example if the revocation source cannot be contacted. Treat as revoked: treat the c...

Page 86: ...maximum: The maximum allowed value for a SIP registration refresh period for standard registrations. Requests for a value greater than this will result in a lower value being returned, calculated according to the Standard registration refresh strategy. The default is 60 seconds. Outbound registration refresh strategy: The method used to generate the SIP registration expiry period for outbound registrat...

Page 87: ...g Route Sets are proxied only if they were received from a known zone. Proxy to any: registration requests are proxied in accordance with existing call processing rules to all known zones. Requests containing Route Sets are always proxied. The default is Off. See Proxying registration requests (p.83) for more information. Authentication controls: This section contains the device authentication controls for...

Page 88: ...nified CM: The VCS acts as a Unified Communications gateway to provide secure firewall traversal and line-side support for Unified CM registrations. The default is Off. • IM and Presence services on Unified CM: instant messaging and presence services for this SIP domain are provided by the Unified CM IM and Presence service. The default is Off. Configuring delegated credential checking, VCS Expressway on...

Page 89: ...in your video network and thus the receiving VCS is not configured with a connection to an Active Directory Service, then the NTLM check will be expected to fail...

Page 90: ...ec capabilities can be agreed, more than one video codec can be accepted and the SIP device is at liberty to change the codec it uses at any time within the call. If this happens, because VCS is in the media path it will close and open logical channels to the H.323 device as the media changes, as required, so that media is passed correctly. Searching by protocol: When searching a zone, the VCS first perfo...

Page 91: ...tion of the alias for those URIs that are in the form of number@domain. See the pre-search transforms section for information about how to configure pre-search transforms, and the stripping domain for dialing to H.323 numbers section for an example of how to do this...

Page 92: ...formation about the pages that appear under the Configuration > Registration menu. About registrations 93; About Allow and Deny Lists 97; Configuring Registration Policy to use an external service 99...

Page 93: ...ction. In a Unified Communications deployment, endpoint registration for SIP devices may be provided by Unified CM. In this scenario the VCS provides secure firewall traversal and line-side support for Unified CM registrations. When configuring domains you must select the system (either Unified CM or VCS) to provide registration services for each domain. Finding a VCS with which to register: Before an end...

Page 94: ...guring registration restriction policy. The Registration configuration page (Configuration > Registration > Configuration) is used to control how the VCS manages its registrations. The Restriction policy option specifies the policy to use when determining which endpoints may register with the VCS. The options are: • None: any endpoint may register. • Allow List: only those endpoints with an alias that matches...

Page 95: ...has already been registered on the VCS from another IP address. You can control how the VCS behaves in this situation by configuring the Registration conflict mode on the H.323 page (Configuration > Protocols > H.323). • SIP: a SIP endpoint will always be allowed to register using an alias that is already in use from another IP address. When a call is received for this alias, all endpoints registered using t...

Page 96: ...on policy. If this is the case, the registration will not expire at the end of the registration timeout period and must be removed manually. • SIP re-registrations contain the same information as the initial registrations, so will be filtered by the restriction policy. This means that after the list has been activated, all SIP registrations will disappear at the end of their registration timeout period...

Page 97: ...y exclusive: only one may be in use at any given time. You can also control registrations at the subzone level. Each subzone's registration policy can be configured to allow or deny registrations assigned to it via the subzone membership rules. Configuring the registration Allow List: The Registration Allow List page (Configuration > Registration > Allow List) shows the endpoint aliases and alias patterns th...

Page 98: ...d | Description | Usage tips. Description: An optional free-form description of the entry. Pattern type: The way in which the Pattern string must match the alias. Options are: Exact: the alias must match the pattern string exactly; Prefix: the alias must begin with the pattern string; Suffix: the alias must end with the pattern string; Regex: the pattern string is a regular expression. You can test whether a patter...

Page 99: ...cate revocation list (CRL) checking: Enable this option if you want to protect certificate checking using CRLs and you have manually loaded CRL files or you have enabled automatic CRL updates. Go to Maintenance > Security certificates > CRL management to configure how the VCS uploads CRL files. Server address 1-3: Enter the IP address or Fully Qualified Domain Name (FQDN) of the server hosting the service. You...

Page 100: ...ces (p.492). 4. Click Save. The VCS should connect to the policy service server and start using the service for Registration Policy decisions. Any connection problems will be reported on this page. Check the Status area at the bottom of the page and check for additional information messages against the Server address fields...

Page 101: ...information about the VCS's authentication policy and the pages that appear under the Configuration > Authentication menu. About device authentication 102; Authenticating with external systems 129...

Page 102: ...ecisions can then be configured with different rules based upon whether a device is authenticated or not. The VCS attempts to verify the credentials presented to it by first checking against its on-box local database of usernames and passwords. The local database also includes checking against credentials supplied by Cisco TMS if your system is using device provisioning. If the username is not found...

Page 103: ...s. See Authentication policy configuration options (p.105) for a full description of the various authentication policy behaviors. Zone-level authentication policy: Authentication policy is configurable for zones that receive messaging; the Default Zone, neighbor zones, traversal client and traversal server zones all allow configuration of authentication policy. DNS and ENUM zones do not receive messaging a...

Page 104: ...services in the following areas: • Registration Policy • Search rules (dial plan) • Call Policy • User Policy (FindMe). When the VCS uses a policy service it sends information about the call or registration request to the service in a POST message using a set of name-value pair parameters. Those parameters include information about whether the request has come from an authenticated source or not. More in...

Page 105: ...ve messaging; the Default Zone, neighbor zones, traversal client and traversal server zones all allow configuration of authentication policy. DNS and ENUM zones do not receive messaging and so have no configuration. To configure a zone's Authentication policy, go to Configuration > Zones > Zones, then click View/Edit or the name of the zone. The policy is set to Do not check credentials by default when a new...

Page 106: ...ated. Do not check credentials | Off: Messages are not challenged for authentication. All messages are classified as unauthenticated. Any existing P-Asserted-Identity headers are removed. | Messages are not challenged for authentication. All messages are classified as unauthenticated. Any existing P-Asserted-Identity headers are removed. | On: Messages are not challenged for authentication. Messages with an exist...

Page 107: ...essages that pass authentication are classified as authenticated. If no credentials are supplied, the message is always classified as unauthenticated. Note that unauthenticated registration requests are rejected. Do not check credentials: Message credentials are not checked and all messages are classified as unauthenticated. Treat as authenticated: Message credentials are not checked and all messages are...

Page 108: ...ated or unauthenticated within the VCS. Pre-authenticated SIP requests are identified by the presence of a P-Asserted-Identity field in the SIP message header, as defined by RFC 3325. The Authentication trust mode settings are: • On: pre-authenticated messages are trusted without further challenge and subsequently treated as authenticated within the VCS. Unauthenticated messages are challenged if the Au...

Page 109: ...egistrations and so on are challenged by the VCS Expressway, but the checking of the credentials presented in response to those challenges is delegated to the VCS Control. Configuring your video communications network for delegated credential checking: Several configuration steps are involved on both your VCS Expressway and your VCS Control in setting up your video network for delegated credential ch...

Page 110: ...al VCS and they will not be delegated. 6. If required as part of your dial plan, configure search rules that forward SIP call signaling messages to the relevant traversal client zones. Note that no specific search rules are required to support the delegation of authentication messages to the VCS Control. The credential checking of authentication challenges made by the VCS Expressway should now be deleg...

Page 111: ...hentication mechanisms are configured on the VCS Expressway. • The VCS Control can still perform authentication in the normal manner, as well as providing a delegated credential checking service for the VCS Expressway. Note that: ◦ The NTLM protocol challenges setting on the VCS Control only applies if the VCS Control itself is making an authentication challenge. ◦ The authentication policy configurati...

Page 112: ...raversal client zone's authentication policy must be set to either Check credentials or Treat as authenticated, otherwise provisioning requests will fail. • The authentication of subsequent messages (including registration requests, phone book requests and call signaling messages) is controlled by the authentication policy setting on the Default Subzone, or relevant alternative subzone if the endpoint i...

Page 113: ...rver on a VCS Starter Pack Express operates in the same manner as when using Cisco TMS provisioning: it does not challenge provisioning requests. It provisions devices only if the request has already been authenticated by the VCS at the zone or subzone entry point...

Page 114: ...hentication policy must be set to either Check credentials or Treat as authenticated, otherwise PUBLISH messages will fail, meaning that endpoints will not be able to publish their presence status. The following diagram shows the flow of presence messages from an endpoint to the Presence Server. In each case the VCS performs its authentication checking against the appropriate credential store accordin...

Page 115: ...zone is set to Do not check credentials and the message will be accepted. Deployments with multiple regional subnetwork directory VCSs: If your deployment is segmented into multiple regional subnetworks, each with their own directory VCS, it is not feasible or recommended to set up neighbor zones between each and every VCS across the entire network. In this scenario you should configure each subnetwork...

Page 116: ...VCS Expressway but be authenticated via a device authentication mechanism configured on the VCS Control. You can also use registration allow and deny lists to limit what can register to the VCS Expressway. If it is required that outbound calls may only be made by authenticated users, ensure that all call requests are routed to the VCS Control and it only forwards requests back that it can authenticat...

Page 117: ...ime of writing, all supported endpoints respond to an NTLM challenge in preference to a Digest challenge. The following diagram shows the process followed by the VCS when authenticating credentials. Note that accurate timestamps play an important part in authentication of H.323 devices, helping to guard against replay attacks. For this reason, if you are using device authentication with H.323 devices, bo...

Page 118: ...atabase. Endpoint credentials used for authentication: An endpoint must supply the VCS with a username and password if it is required to authenticate with the VCS, for example when attempting to register and the relevant subzone's Authentication policy is set to Check credentials. For Cisco endpoints using H.323, the username is typically the endpoint's Authentication ID; for Cisco endpoints using SIP i...

Page 119: ...e set of credentials used within Cisco TMS. Local database authentication in combination with H.350 directory authentication: You can configure the VCS to use both the local database and an H.350 directory. If an H.350 directory is configured, the VCS will always attempt to verify any Digest credentials presented to it by first checking against the local database before checking against the H.350 dire...

Page 120: ...rectory. Aliases presented by the endpoint that are not in the H.350 directory will not be registered. ◦ If no aliases are listed in the H.350 directory, the endpoint will register with all the aliases it presented. ◦ If no aliases are presented by the endpoint, it will register with all the aliases listed in the H.350 directory for its username. • Combined: the aliases presented by the endpoint are used...

Page 121: ...ult is Address record. DNS SRV lookups enable the VCS to authenticate devices against multiple remote H.350 directory servers. This provides a seamless redundancy mechanism in the event of reachability problems to an H.350 directory server. The SRV lookup is for either _ldap._tcp or _ldap._tls records, depending on whether Encryption is enabled. If multiple servers are returned, the priority and weight...

Page 122: ...n configure the VCS to use both the local database and an H.350 directory. If an H.350 directory is configured, the VCS will always attempt to verify any Digest credentials presented to it by first checking against the local database before checking against the H.350 directory. H.350 directory service authentication in combination with Active Directory (direct) authentication: If Active Directory (direct...

Page 123: ...g the domain. • Entries must exist in the Active Directory server for all devices that are to be authenticated through this method. Each entry must have an associated password. • The device entries in all domains must be accessible by the user account that is used by VCS to join the domain. If the VCS is in a domain that is part of a forest and there is trust between domains in the forest, the VCS can...

Page 124: ...tication > Devices > Active Directory Service. 2. Configure the fields as follows: Field | Description | Usage tips. Connect to Active Directory Service: Enables or disables the connection between the VCS and the Active Directory Service. When the connection is enabled, the VCS includes NTLM protocol challenges when authenticating endpoints, according to the NTLM protocol challenges setting. Turning Connect to Act...

Page 125: ...ult is Auto. You are recommended to use Auto. Encryption: Sets the encryption to use for the LDAP connection to the Active Directory Service. Off: no encryption is used. TLS: TLS encryption is used. The default is TLS. If encryption is set to TLS, a valid CA certificate, private key and server certificate must be uploaded to the VCS. Click Upload a CA certificate file for TLS in the Related tasks section to g...

Page 126: ...a at the bottom of the Active Directory Service page for more information about the status of the connection to the AD domain. Note that: • The domain administrator username and password are not stored in VCS; they are only required to join an AD domain or to leave a domain. • The VCS only needs to join the AD domain once, even if the connection to the Active Directory Service is disabled and turned ba...

Page 127: ...uration > Authentication > Devices > Active Directory Service. 2. Ensure that NTLM protocol challenges is set to Auto. Never use On, as this will send NTLM challenges to devices that may not support NTLM and therefore they may crash or otherwise misbehave. 3. Click Save if required. 4. If the VCS is part of a cluster, check that any configuration changes entered on the master peer have been replicated to each ot...

Page 128: ...ticate with a remote server. It allows the client and server to identify which authentication protocols they both support and decide which protocol to use. By default the VCS uses SPNEGO when communicating with an AD Domain Controller. It can only be enabled or disabled through the CLI by using the command xConfiguration Authentication ADS SPNEGO...

Page 129: ...invite from an endpoint to another VCS, that other system may have authentication enabled and will therefore require your local VCS to provide it with a username and password. Note that these settings are not used by traversal client zones. Traversal clients, which must always authenticate with traversal servers before they can connect, configure their connection credentials per traversal client zone...

Page 130: ...communications network 131; Structuring your dial plan 132; About zones 134; Configuring media encryption policy 135; Configuring ICE messaging support 137; About the Local Zone and subzones 138; The Default Zone 139; Configuring Default Zone access rules 140; Configuring zones 141...

Page 131: ...es an overview of the different parts of the video communications network and the ways in which they can be connected. This information should allow you to configure your VCS to best suit your own infrastructure. Example network diagram: The diagram below shows the different components of a VCS (i.e. subzones and zones) and how they interrelate. Using a VCS Control as the example Local Zone, it shows that...

Page 132: ...e system they are registering with. If you are using E.164 aliases, each VCS would be assigned an area code. When the VCSs are neighbored together, each neighbor zone would have an associated search rule configured with its corresponding area code as a prefix (a Mode of Alias pattern match and a Pattern type of Prefix). That neighbor would then only be queried for calls to numbers which begin with its pr...

Page 133: ...Optimal call routing is enabled, you must ensure that all search rules are configured with a Source of Any. If the Source is configured to All zones, H.323 calls will fail to connect. This is because the H.323 SETUP message, having followed the optimized route established by the original LRQ or ARQ, will appear to the target VCS as coming from an unknown zone. SIP calls, however, are successfully routed i...

Page 134: ...between the two. • Traversal server: the local VCS is a traversal server for the system being connected to, and there is a firewall between the two. • ENUM: the zone contains endpoints discoverable by ENUM lookup. • DNS: the zone contains endpoints discoverable by DNS lookup. The VCS also has a pre-configured Default Zone. • See the Zone configuration section for information about the configuration options...

Page 135: ...to how the VCS operated before this feature was introduced. Encryption policy (any encryption setting other than Auto) is applied to a call by routing it through a back-to-back user agent (B2BUA) hosted on the VCS. When configuring your system to use media encryption you should note that: • Any zone with an encryption mode of Force encrypted or Force unencrypted must be configured as a SIP-only zone. H.3...

Page 136: ...the B2BUA used for Microsoft Lync integration. Whereas the Lync B2BUA has to be manually configured and enabled, the B2BUA used for encryption is automatically enabled whenever an encryption policy is applied...

Page 137: ...s in messages to hosts in Zone B. Standard VCS proxying behavior: B2BUA is not normally invoked; however, see the note below regarding media encryption policy. Effect of media encryption policy when combined with ICE support: The VCS also invokes the B2BUA if it has to apply a media encryption policy (any encryption setting other than Auto). This table shows the effect on ICE negotiation behavior depending...

Page 138: ...e total of calls to or from endpoints within the subzone. For full details of how to create and configure subzones and apply bandwidth limitations to subzones (including the Default Subzone and Traversal Subzone), see the Bandwidth control section. Registration, authentication and media encryption policies: In addition to bandwidth management, subzones are also used to control the VCS's registration, authe...

Page 139: ...nfiguring media encryption policy (p.135) for more information. ICE support: Controls whether ICE messages are supported by the devices in this zone. See Configuring ICE messaging support (p.137) for more information. Use Default Zone access rules: The Use Default Zone access rules setting controls which external systems are allowed to connect over SIP TLS to the VCS via the Default Zone. If the access rule...

Page 140: ...which the rules are applied if the certificate names match multiple rules. The rules with the highest priority (1, then 2, then 3 and so on) are applied first. Multiple rules with the same priority are applied in configuration order. Pattern type: The way in which the Pattern string must match the Subject Common Name or any Subject Alternative Names contained within the certificate. Exact: the entire strin...

Page 141: ...which configuration options are available. For traversal server zones, traversal client zones and neighbor zones this includes providing information about the neighbor system, such as its IP address and ports. The VCS also has a pre-configured Default Zone. The Default Zone represents any incoming calls from endpoints or other devices that are unregistered or not recognized as belonging to the Local Z...

Page 142: ...he Hop counts section for more information. This field specifies the hop count to use when sending a search request to this particular zone. If the search request was received from another zone and already has a hop count assigned, the lower of the two values is used. H.323 section: Mode: Determines whether H.323 calls are allowed to and from the neighbor system. Port: The port on the neighbor system used...

Page 143: ...this zone, and whether they are subsequently treated as authenticated, unauthenticated or are rejected. The behavior varies for H.323 messages, SIP messages that originate from a local domain and SIP messages that originate from non-local domains. See Authentication policy configuration options (p.105) for more information. SIP authentication trust mode: Controls whether authenticated SIP messages (ones co...

Page 144: ...S is a traversal client, so you create a connection with the traversal server by creating a traversal client zone on your local VCS. You then configure the client zone with details of the corresponding zone on the traversal server. The traversal server must also be configured with details of the VCS client zone. After you have neighbored with the traversal server you can: • use the neighbor as a traver...

Page 145: ...al VCS. For firewall traversal to work via H.323, the traversal server must have a traversal server zone configured on it to represent this VCS, using this same port number. SIP section: Mode: Determines whether SIP calls are allowed to and from the traversal server. Port: The port on the traversal server to use for SIP calls to and from the VCS. This must be different from the listening ports used for inc...

Page 146: ...messages that originate from non-local domains. See Authentication policy configuration options (p.105) for more information. Accept delegated credential checks: Controls whether this zone accepts delegated authentication requests. See Configuring delegated credential checking (SIP only) (p.109) for more information. Client settings section: Retry interval: The interval (in seconds) with which a failed attempt...

Page 147: ...est will be forwarded to a neighbor gatekeeper or proxy (see the Hop counts section for more information). This field specifies the hop count to use when sending a search request to this particular zone. If the search request was received from another zone and already has a hop count assigned, the lower of the two values is used. Connection credentials section: Username: Traversal clients must always auth...

Page 148: ...d the traversal client. If TLS verify mode is enabled, a TLS verify subject name must be specified. This is the certificate holder's name to look for in the traversal client's X.509 certificate. If the traversal client is clustered, the TLS verify subject name must be the FQDN of the cluster. See TLS certificate verification of neighbor systems (p.155) for more information. Accept proxied registrations: Con...

Page 149: ...y interval: The interval (in seconds) with which the traversal client sends a TCP probe to the VCS Expressway if a keep-alive confirmation has not been received. TCP retry count: The number of times the client attempts to send a TCP probe to the VCS Expressway during call setup. TCP keep alive interval: The interval (in seconds) with which the traversal client sends a TCP probe to the VCS Expressway when a...

Page 150: ...ansforms to alias search requests directed to that group of endpoints. • control the bandwidth used for calls between your local VCS and each group of DNS endpoints. See About URI dialing (p.203) for more information on configuring and using DNS zones. The configurable options for a DNS zone are: Field | Description | Usage tips. Name: The name acts as a unique identifier, allowing you to distinguish between z...

Page 151: ...zone. See Configuring ICE messaging support (p.137) for more information. Zone profile: Determines how the zone's advanced settings are configured. Default: uses the factory default profile. Custom: allows you to configure each setting individually. See Zone configuration advanced settings (p.151) for details on the advanced settings. Only use the Custom profile to configure the individual advanced settings o...

Page 152: ...h will not continue to other lower-priority zones and the call will be forwarded to this zone even if it cannot support it. Default: Off. Zone types: Neighbor, DNS. Send empty INVITE for interworked calls: Determines whether the VCS generates a SIP INVITE message with no SDP to send via this zone. INVITEs with no SDP mean that the destination device is asked to initiate the codec selection, and are used when the call has bee...

Page 153: ...ME stripping is performed on requests from this zone. This option should normally be left as the default (Off). Default: Off. Zone types: Neighbor. SIP UPDATE strip mode: Controls whether or not the VCS strips the UPDATE method from the Allow header of all requests and responses received from and sent to this zone. This option should normally be left as the default (Off). However, some systems do not support the UPDATE method in...

Page 154: ...th headers of outgoing SIP requests to this zone. IP: uses the VCS's IP address. Hostname: uses the VCS's System host name (if it is blank, the IP address is used instead). Default: IP. Zone types: Neighbor, DNS. SIP Proxy-Require header strip list: A comma-separated list of option tags to search for and remove from Proxy-Require headers in SIP requests received from this zone. Default: None. Zone types: Neighbor. Include address record: Determines wheth...

Page 155: ... Off Off Off SIP UDP IX filter mode On On On On Off SIP Duo Video filter mode Off Off Off Off Off SIP record route address type IP IP IP IP IP SIP Proxy Require header strip list blank blank com nortelnetw orks firewall blank blank For more information about configuring a SIP trunk between VCS and Unified CM see Cisco Unified Communications Manager with VCS Deployment Guide TLS certificate verific...

Page 156: ...h as a client and as a server and therefore you must ensure that each VCS s certificate is valid both as a client and as a server See About security certificates p 285 for more information about certificate verification and for instructions on uploading the VCS s server certificate and uploading a list of trusted certificate authorities Configuring a zone for incoming calls only To configure a zon...

Page 157: ... Clustering is used to increase the capacity of your VCS deployment and to provide resiliency About clusters 158 License usage within a cluster 160 Managing clusters and peers 162 Troubleshooting cluster replication problems 170 Cisco VCS Administrator Guide X8 1 1 Page 157 of 507 ...

Page 158: ...one large VCS Local Zone as shown in the example below About the configuration master All peers in a cluster must have identical configuration for subzones zones links pipes authentication bandwidth control and Call Policy To achieve this you define a cluster name and nominate one peer as the configuration master Any configuration changes made to the master peer are then automatically replicated a...

Page 159: ...n each cluster peer Authentication is carried out through the use of a pre shared access key Each peer in the cluster must be individually configured with the IP address and associated access key of every other peer in that cluster Cisco VCS Administrator Guide X8 1 1 Page 159 of 507 Clustering and peers About clusters ...

Page 160: ... the cluster peers for two weeks from the time the cluster lost contact with the peer This will maintain the overall license capacity of the cluster however note that each peer is still limited by its physical capacity as listed above After this two week period the licenses associated with the unavailable peer are removed from the cluster To maintain the same capacity for your cluster you should e...

Page 161: ...versal call licenses 100 100 50 0 250 It would not matter to which peer an endpoint registers as the call licenses are shared across all of the peers If any one of the peers is temporarily taken out of service the full set of call licenses will remain available to the entire cluster However we recommend that where possible the number of licenses is configured evenly across all peers in the cluster...

Page 162: ...nse keys must be identical on each peer l The VCS must be restarted after installing some option keys in order to fully activate them n Cisco TMS if used is running version 13 2 or later 12 6 or later is permitted if you are not using Cisco TMS for provisioning or FindMe n Each peer has a different system name n H 323 mode is enabled on each peer Configuration Protocols H 323 and for H 323 mode se...

Page 163: ...or the cluster You should only make configuration changes on the master VCS Any changes made on other peers are not reflected across the cluster and will be overwritten the next time the master s configuration is replicated across the peers The only exceptions to this are some peer specific configuration items You may need to wait up to one minute before changes are updated across all peers in the...

Page 164: ... specific items in clustered systems Most items of configuration are applied to all peers in a cluster However the following items marked with a on the web interface must be specified separately on each cluster peer Cluster configuration System Clustering The list of Peer IP addresses including the peer s own IP address that make up the cluster has to be specified on each peer and they must be ide...

Page 165: ...The following system administration access settings are specific to each peer n Serial port console n SSH service n Web interface over HTTPS n Redirect HTTP requests to HTTPS n Automated protection service Option keys Maintenance Option keys Option keys are specific to each peer Each peer must have an identical set of option keys installed but you must purchase these separately for each peer in th...

Page 166: ... few minutes ensures that if one VCS becomes unavailable the endpoint will quickly failover to one of its peers To change this setting go to Configuration Protocols H 323 Gatekeeper Time to live SIP registrations The VCS supports multiple client initiated connections also referred to as SIP Outbound as outlined in RFC 5626 This allows SIP endpoints that support RFC 5626 to be simultaneously regist...

Page 167: ...d Presence Clustering supports the use of Presence n All peers in the cluster must have identical SIP domain Presence Server and Presence User Agent PUA configuration n If peers in the cluster have the PUA enabled each peer publishes information about its own local registrations This information is routed to a Presence Server authoritative for the cluster s domain n If peers have the Presence Serv...

Page 168: ...peers the Cluster Subzone will no longer appear in the call route and the call will appear as having come from or being routed to the Default Subzone The two situations in which a call will pass via the Cluster Subzone are n Calls between two endpoints registered to different peers in the cluster For example Endpoint A is registered in the Default Subzone to Peer 1 Endpoint B is also registered in...

Page 169: ...ot do this for traversal server zones as these connections are not configured by specifying the remote system s IP address Note systems that are configured as peers must not also be configured as neighbors to each other and vice versa Neighboring your clusters To neighbor your local VCS or VCS cluster to a remote VCS cluster you create a single zone to represent the cluster and configure it with t...

Page 170: ...network access problems n VCS unit is powered down n incorrectly configured IP addresses n incorrectly configured IPsec keys ensure each peer is configured with the same Cluster pre shared key value n different software versions Manual synchronization of configuration is required alarms are raised on peer VCSs 1 Log in to the peer as admin through the CLI available by default over SSH and through ...

Page 171: ...ring hop counts 174 Configuring dial plan settings 175 About transforms and search rules 176 Example searches and transforms 182 Configuring search rules to use an external service 191 About Call Policy 194 Supported address formats 199 Dialing by IP address 201 About URI dialing 203 About ENUM dialing 211 Configuring DNS servers for ENUM and URI dialing 217 Configuring call routing and signaling ...

Page 172: ...e transformed alias If this results in one or more new target aliases the process starts again with the new aliases checked against the pre search transforms 5 Any User Policy if FindMe is enabled is applied to the alias If the alias is a FindMe ID that resolves to one or more new target aliases the process starts again with all the resulting aliases checked against pre search transforms and Call ...

Page 173: ...Cisco VCS Administrator Guide X8 1 1 Page 173 of 507 Dial plan and call processing Call routing process ...

Page 174: ...e affecting the Max Forwards field in the request The hop count value can be between 1 and 255 The default is 15 Note if your hop counts are set higher than necessary you may risk introducing loops into your network In these situations a search request will be sent around the network until the hop count reaches 0 consuming resources unnecessarily This can be prevented by setting the Call loop dete...

Page 175: ...ess or domain name of the VCS has been given but no callee alias has been specified If no fallback alias is configured calls that do not specify an alias will be disconnected See below for more information About the fallback alias The VCS could receive a call that is destined for it but which does not specify an alias This could be for one of the following reasons n the caller has dialed the IP ad...

Page 176: ...ocess n set up different rules according to the protocol SIP or H 323 or the source of the query such as the Local Zone or a specific zone or subzone n limit the range of destinations or network services available to unauthenticated devices by making specific search rules applicable to authenticated requests only n use zone transforms to modify an alias before the query is sent to a target zone or...

Page 177: ...hen used for the remainder of the call routing process n Further transforms of the alias may take place during the remainder of the search process This may be as a result of Call Policy also known as Administrator Policy or User Policy if FindMe is enabled If this is the case the pre search transforms are re applied to the new alias n If you add a new pre search transform that has the same priorit...

Page 178: ...tain configuration elements Pattern behavior Specifies how the matched part of the alias is modified Options are Strip the matching prefix or suffix is removed Replace the matching part of the alias is substituted with the text in the Replace string Add Prefix prepends the Additional text to the alias Add Suffix appends the Additional text to the alias Replace string The string to substitute for t...

Page 179: ...a have been queried or l a search rule with a successful match has an On successful match setting of Stop searching Note the difference between a successful match where the alias matches the search rule criteria and an alias being found where a query sent to a target zone is successful The Stop searching option provides better control over the network s signaling infrastructure For example if sear...

Page 180: ...s and zones Source name The specific source zone or subzone for which the rule applies Choose from the Default Zone Default Subzone or any other configured zone or subzone Only applies if the Source is set to Named Request must be authenticated Specifies whether the search rule applies only to authenticated search requests This can be used in conjunction with the VCS s Authentication Policy to lim...

Page 181: ... identified by the alias is not found in the target zone If Stop is selected any rules with the same priority level as this rule are still applied Target The zone or policy service to query if the alias matches the search rule You can configure external policy services to use as a target of search rules This could be used for example to call out to an external service or application such as a Tele...

Page 182: ...ueried for aliases that match certain criteria For example assume all endpoints in your regional sales office are registered to their local Cisco VCS with a suffix of sales example com In this situation it makes sense for your Head Office VCS to query the Sales Office VCS only when it receives a search request for an alias with a suffix of sales example com Sending any other search requests to thi...

Page 183: ...e State Enabled Query a zone for a transformed alias Note that the Any alias mode does not support alias transforms If you want to always query a zone using a different alias to that received you need to use a mode of Alias pattern match in combination with a regular expression You may want to configure your dial plan so that when a user dials an alias in the format name example com the VCS querie...

Page 184: ...t be given the same Priority level For example you may want to query a neighbor zone for both a full URI and just the name the URI with the domain removed To achieve this on your local VCS from the Create search rule page Configuration Dial plan Search rules New set up two search rules as follows Rule 1 Field Value Rule name Overseas office original alias Description Query overseas office with the...

Page 185: ... prior to the search requests being sent out If any of the new aliases are found by that zone the call is forwarded to the zone It is then up to the controlling system to determine the alias to which the call will be forwarded For example you may want to configure your dial plan so that when a user dials an alias in the format name example com the VCS queries the zone simultaneously for both name ...

Page 186: ... when placing the call the SIP endpoint automatically appends its own domain to the number that is dialed So if you dial 123 from a SIP endpoint the search will be placed for 123 domain If the H 323 endpoint being dialed is registered as 123 the VCS will be unable to locate the alias 123 domain and the call will fail If you have a deployment that includes both SIP and H 323 endpoints that register...

Page 187: ...age Configuration Dial plan Search rules New create two new search rules as follows Rule 1 Field Value Rule name Dialing H 323 numbers Description Transform aliases in format number domain to number Priority 50 Source Any Request must be authenticated No Mode Alias pattern match Pattern type Regex Pattern string d domain Pattern behavior Replace Replace string 1 On successful match Continue Target...

Page 188: ...forms for alphanumeric H 323 ID dial strings This example builds on the Stripping domain for dialing to H 323 numbers example That example caters for number only dial strings however H 323 IDs do not have to be purely numeric they can contain alphanumeric letters and digits characters This example follows the same model as the example mentioned above a pre search transform and two local zone searc...

Page 189: ...ce Any Request must be authenticated No Mode Alias pattern match Pattern type Regex Pattern string domain Pattern behavior Replace Replace string 1 On successful match Continue Target zone Local Zone State Enabled Rule 2 Field Value Rule name Dialing H 323 strings with domain Description Place calls to string domain with no alias transform Priority 50 Source Any Request must be authenticated No Mo...

Page 190: ...ade to specified IP addresses To pass on such calls to the appropriate target zones you must set up search rules with a Mode of Any IP address To provide extra security you can set the rule s Source option to All zones This means that the query is only sent to the target zone if it originated from any configured zone or the Local Zone To achieve the example described above from the Create search r...

Page 191: ...presented by the policy server is verified If On for the VCS to connect to a policy server over HTTPS the VCS must have a root CA certificate loaded that authorizes that server s server certificate Also the certificate s Subject Common Name or Subject Alternative Name must match one of the Server address fields below The VCS s root CA certificates are loaded via Maintenance Security certificates T...

Page 192: ... rule page as appropriate for the searches you want to direct to the external policy server This example shows how to divert calls to aliases ending in meet to the external policy server Rule name A short name that describes the rule Description A free form description of the rule Priority As required for example 10 Protocol As required for example Any Source As required for example Any Request mu...

Page 193: ... rule The VCS will direct all searches that match the specified pattern to the policy service server Your search rules must be configured in such a way that they will result in a match for the initial alias and then either not match or not return a reject for any aliases to which the policy server has routed the call Cisco VCS Administrator Guide X8 1 1 Page 193 of 507 Dial plan and call processin...

Page 194: ...om where the VCS obtains its Call Policy configuration The options are n Local CPL uses locally defined Call Policy n Policy service uses an external policy service n Off Call Policy is not in use Each of these options are described in more detail below Local CPL The Local CPL option uses the Call Policy that is configured locally on the VCS If you choose Local CPL you must then either n configure...

Page 195: ...ss that the calling endpoint used to identify itself when placing the call If this field is blank the policy rule applies to all incoming calls from unauthenticated users meaning calls where the endpoint making the call is not either n locally registered and authenticated with the VCS or n registered and authenticated to a neighbor which in turn has authenticated with the local VCS See About devic...

Page 196: ... it the VCS will recognize the file and automatically add each rule back into the Call Policy rules page About CPL XSD files The CPL script must be in a format supported by the VCS The Call Policy configuration page allows you to download the XML schemas which are used to check scripts that are uploaded to the VCS You can use the XSD files to check in advance that your CPL script is valid Two down...

Page 197: ...ificate revocation list CRL checking Enable this option if you want to protect certificate checking using CRLs and you have manually loaded CRL files or you have enabled automatic CRL updates Go to Maintenance Security certificates CRL management to configure how the VCS uploads CRL files Server address 1 3 Enter the IP address or Fully Qualified Domain Name FQDN of the server hosting the service ...

Page 198: ...CPL for policy services p 492 4 Click Save The VCS should connect to the policy service server and start using the service for Call Policy decisions Any connection problems will be reported on this page Check the Status area at the bottom of the page and check for additional information messages against the Server address fields Cisco VCS Administrator Guide X8 1 1 Page 198 of 507 Dial plan and ca...

Page 199: ...ed on that system Dialing by H 323 ID or E 164 alias No special configuration is required to place a call using an H 323 ID or E 164 alias The VCS follows the usual call routing process applying any transforms and then searching the Local Zone and external zones for the alias according to the search rules Note that SIP endpoints always register using an AOR in the form of a URI You are recommended...

Page 200: ...retain the flexibility of URI dialing while having the simplicity of being called using just a number particularly important if any of your callers are restricted to dialing using a numeric keypad To support ENUM dialing on the VCS you must configure it with at least one DNS server and the appropriate ENUM zones Full instructions on how to configure the VCS to support ENUM dialing both outbound an...

Page 201: ...ed by the VCS according to the Calls to Unknown IP addresses setting n Direct the VCS attempts to place the call directly to the unknown IP address without querying any neighbors n Indirect the VCS forwards the search request to its neighbors in accordance with its normal search process meaning any zones that are the target of search rules with an Any IP Address mode If a match is found and the ne...

Page 202: ...red 2 As the IP address being called is not registered to that VCS and its Calls to unknown IP addresses setting is Indirect the VCS will not place the call directly Instead it will query its neighbor VCS Expressway to see if that system is able to place the call on the VCS Control s behalf Note that you need to configure a search rule for Any IP Address against the traversal server zone 3 The VCS...

Page 203: ...the local VCS calls to endpoints that are not registered locally or to a neighbor system could still be placed if the local VCS is neighbored either directly or indirectly with another VCS that has been configured for URI dialing via DNS In this case any URI dialed calls that are picked up by search rules that refer to that neighbor zone will go via that neighbor which will perform the DNS lookup ...

Page 204: ...o locate a destination URI address using the DNS system the general process is as follows H 323 1 The VCS sends a query to its DNS server for an SRV record for the domain in the URI If more than one DNS server has been configured on the VCS the query will be sent to all servers at the same time and all responses will be prioritized by the VCS with only the most relevant SRV record being used If av...

Page 205: ...okup The above steps will result in a tree of IP addresses port and transport protocols to be used to contact the target domain The tree is sub divided by NAPTR record priority and then by SRV record priority When the tree of locations is used the searching process will stop on the first location to return a response that indicates that the target destination has been contacted 2 If the search pro...

Page 206: ...o filter calls to systems and endpoints located via this zone based on whether the call is located using SIP or H 323 SRV lookups Include address record This setting determines whether if no NAPTR SIP or SRV SIP and H 323 records have been found for the dialed alias via this zone the VCS will then query for A and AAAA DNS records before moving on to query lower priority zones You are recommended t...

Page 207: ... of the VCS n Service SRV records which specify the FQDN of the VCS and the port on it to be queried for a particular protocol and transport type n NAPTR records which specify SRV record and transport preferences for a SIP domain You must provide an SRV or NAPTR record for each combination of domain hosted and protocol and transport type enabled on the VCS Incoming call process When an incoming ca...

Page 208: ...ion transaction exchanging LRQ and LCF For each domain hosted by the VCS you should configure a call signaling SRV record as follows n _Service is _h323cs n _Proto is _tcp n Port is the port number that has been configured from Configuration Protocols H 323 as the Call signaling TCP port Registration service SRV records Registration records are used by devices attempting to register to the VCS For...

Page 209: ...guration examples p 383 section For locally registered H 323 endpoints to be reached using URI dialing either n the H 323 endpoints should register with the VCS using an address in the format of a URI n an appropriate transform should be written to convert URIs into the format used by the H 323 registrations An example would be a deployment where H 323 endpoints register with an alias and incoming...

Page 210: ...roxy for the enterprise the DNS configuration examples p 383 section for more information This ensures that incoming calls placed using URI dialing enter the enterprise through the VCS Expressway allowing successful traversal of the firewall Cisco VCS Administrator Guide X8 1 1 Page 210 of 507 Dial plan and call processing About URI dialing ...

Page 211: ... their endpoint 2 The VCS converts the E 164 number into an ENUM domain as follows a The digits are reversed and separated by a dot b The name of the domain that is hosting the NAPTR records for that E 164 number is added as a suffix 3 DNS is then queried for the resulting ENUM domain 4 If a NAPTR record exists for that ENUM domain this will advise how the number should be converted into one or po...

Page 212: ...tered you may also need to configure a DNS zone if they are to be located using a DNS lookup Calling process The process below is followed when an ENUM E 164 number is dialed from an endpoint registered with your VCS 1 The user dials the E 164 number from their endpoint 2 The VCS initiates a search for the E 164 number as dialed It follows the usual call routing process 3 After applying any pre se...

Page 213: ...s appended This results in a transformed domain of 9 8 7 6 5 4 3 2 1 4 4 e164 arpa 6 DNS is then queried for that ENUM domain 7 The DNS server finds the domain and returns the information in the associated NAPTR record This tells the VCS that the E 164 number we have dialed is mapped to the SIP URI of fred example com 8 The VCS then starts another search this time for fred example com From this po...

Page 214: ... that callers in your enterprise might want to dial You can then set up search rules that filter the queries sent to each ENUM zone as follows n use a Mode of Alias pattern match n use the Pattern string and Pattern type fields to define the aliases for each domain that will trigger an ENUM lookup For example you want to enable ENUM dialing from your network to a remote office in the UK where the ...

Page 215: ... regulatory body Not all countries are yet participating in ENUM so you may want to use an alternative domain for your NAPTR records This domain could reside within your corporate network for internal use of ENUM or it could use a public ENUM database such as http www e164 org Configuring DNS NAPTR records ENUM relies on the presence of NAPTR records as defined by RFC 2915 These are used to obtain...

Page 216: ...3 1 example com describes the conversion l is a field separator l the first field represents the string to be converted In this example represents the entire E 164 number l the second field represents the H 323 URI that will be generated In this example h323 1 example com states that the E 164 number will be concatenated with example com For example 1234 will be mapped to 1234 example com n shows ...

Page 217: ...nnot be accessed via neighbor systems To configure the DNS servers used by the VCS for DNS queries 1 Go to the DNS page System DNS 2 Enter in the Address 1 to Address 5 fields the IP addresses of up to 5 DNS servers that the VCS will query when attempting to locate a domain These fields must use an IP address not a FQDN Cisco VCS Administrator Guide X8 1 1 Page 217 of 507 Dial plan and call proces...

Page 218: ...ll has been set up The VCS does not consume a call license for any such calls and the call signaling path is simplified This setting is useful in a hierarchical dial plan when used on the directory VCS In such deployments the directory VCS is used to look up and locate endpoints and it does not have any endpoints registered directly to it Call loop detection mode Your dial plan or that of networks...

Page 219: ...he call This Call Tag is then included in the call s details when the call is forwarded on A single call passing between two or more VCSs will be assigned a different Call Serial Number each time it arrives at a VCS including one it has already passed through but can be identified as the same call by use of the Call Tag This is particularly useful if you are using a remote syslog server to collate...

Page 220: ...e the call using the longer but unique call serial number Note that when disconnecting a call only the call with that Call Serial Number is disconnected Other calls with the same Call Tag but a different Call Serial Number may not be affected Limitations when disconnecting SIP calls Call disconnection works differently for H 323 and SIP calls due to differences in the way the protocols work For H ...

Page 221: ...ithin your Local Zone as well as calls out to other zones Configuration Local Zone and Configuration Bandwidth About bandwidth control 222 Configuring bandwidth controls 223 About subzones 224 Links and pipes 230 Bandwidth control examples 233 Cisco VCS Administrator Guide X8 1 1 Page 221 of 507 ...

Page 222: ...o it using the command xCommand CheckBandwidth For specific information about how bandwidth is managed across peers in a cluster see Sharing bandwidth across peers p 166 Example network deployment The following diagram shows a typical network deployment n a broadband LAN between the Enterprise and the internet where high bandwidth calls are acceptable n a pipe to the internet Pipe A with restricte...

Page 223: ...a call at the requested rate On the call will be downspeeded Off the call will not be placed About downspeeding If bandwidth control is in use there may be situations when there is insufficient bandwidth available to place a call at the requested rate By default and assuming that there is some bandwidth still available the VCS will still attempt to connect the call but at a reduced bandwidth this ...

Page 224: ...s All traversal calls pass through the Traversal Subzone so by applying bandwidth limitations to the Traversal Subzone you can control how much processing of media the VCS will perform at any one time These limitations can be applied on a total concurrent usage basis and on a per call basis See Applying bandwidth limitations to subzones p 228 for more details Configuring the Traversal Subzone port...

Page 225: ...s it is assigned to the Default Subzone subject to the Default Subzone s Registration policy and Authentication policy The use of a Default Subzone on its own without any other manually created subzones is suitable only if you have uniform bandwidth available between all your endpoints Note that if your Local Zone contains two or more different networks with different bandwidth limitations you sho...

Page 226: ...essages to the Default Subzone See Authentication policy configuration options p 105 for more information Media encryption mode The Media encryption mode setting controls the media encryption capabilities for SIP calls flowing through the subzone See Configuring media encryption policy p 135 for more information Note that if H 323 is enabled and the subzone has a media encryption mode of Force enc...

Page 227: ...configured pattern Pattern matching is useful for example for home workers on dynamic IP addresses rather than having to continually update the subnet to match what has been allocated you can match against their alias instead Subnet address and Prefix length These two fields together determine the range of IP addresses that will belong to this subzone The Address range field shows the range of IP ...

Page 228: ...bzone bandwidth limits if you want to configure the bandwidth available between one specific subzone and all other subzones or zones Use pipes if you want to configure the bandwidth available between one specific subzone and another specific subzone or zone If your bandwidth configuration is such that multiple types of bandwidth restrictions are placed on a call for example if there are subzone ba...

Page 229: ...ocation that is equal to twice the bandwidth of the call: once for the call from the subzone to the Traversal Subzone, and again for the call from the Traversal Subzone back to the originating subzone. In addition, as this call passes through the Traversal Subzone it will consume an amount of bandwidth from the Traversal Subzone equal to that of the call. Cisco VCS Administrator Guide X8.1.1, Page 229 o...

Page 230: ...pply a pipe, you must first have created it via the Pipes page. Calls: shows the total number of calls currently traversing the link. Bandwidth used: shows the total amount of bandwidth currently being consumed by all calls traversing the link. You can configure up to 3000 links. Some links are created automatically when a subzone or zone is created. Default links: if a subzone has no links configured then...

Page 231: ...al call. To apply these limits you must first create a pipe and configure it with the required bandwidth limitations. Then, when configuring links, you assign the pipe to one or more links. Calls using the link will then have the pipe's bandwidth limitations applied to them. See Applying pipes to links (p. 232) for more information. The Pipes page (Configuration > Bandwidth > Pipes) lists all the pipes that have...

Page 232: ...the link between the Default Subzone and the Home Office subzone, and the link between the Default Subzone and the Branch Office subzone. In this case Pipe A represents the Head Office's broadband connection to the internet and would have total and per-call restrictions placed on it. Two pipes, one link: each link may have up to two pipes associated with it. This is used to model the situation where the...

Page 233: ...then assigned two pipes representing the Internet connections of the offices at each end of the link. In this scenario a call placed between the Home Office and Branch Office will consume bandwidth from the Home and Branch subzones and on the Home and Branch pipes (Pipe B and Pipe C). The Head Office's bandwidth budget will be unaffected by the call. With a firewall: if the example deployment above is m...

Page 234: ...from this subzone. Note also that calls from the Home Office to the Branch Office must also go through the Traversal Subzone and will also consume bandwidth from this subzone, as well as the Home and Branch subzones and the Home Office, Branch Office and Head Office pipes. This example assumes that there is no bottleneck on the link between the VCS Expressway and the Head Office network, so a pipe has not...

Page 235: ...the additional services that are available under the Applications menu of the VCS. Configuring Conference Factory 236; Presence 238; B2BUA (back-to-back user agent) overview 243; FindMe 251; Cisco TMS provisioning 255 ...

Page 236: ...es or disables the Conference Factory application. Alias: the alias that will be dialed by the endpoints when the Multiway feature is activated. This must also be configured on all endpoints that may be used to initiate the Multiway feature. An example could be multiway@example.com. Template: the alias that the VCS tells the endpoint to dial to create a Multiway conference on the MCU. To ensure that each...

Page 237: ...o function. If you want to be able to initiate calls to the Conference Factory from H.323 endpoints, you must also set H.323 mode to On (Configuration > Protocols > H.323) and ensure that H.323 <-> SIP interworking mode is set to Registered only or On (Configuration > Protocols > Interworking). See Cisco TelePresence Multiway Deployment Guide for full details on how to configure individual components of your network...

Page 238: ...presentities subscribed to it. Presence is supported by clustering. For specific information about how Presence information is managed across peers in a cluster, see Clustering and Presence (p. 167). Presence Server: the Presence Server application on the VCS is responsible for managing the presence information for all presentities in the SIP domains for which the VCS is authoritative. The Presence Server...

Page 239: ...formation is called the Presence User Agent (PUA). The PUA takes information from the local registration database and the call manager and determines, for each endpoint that is currently locally registered, whether or not it is currently in a call. The PUA then provides this status information via a PUBLISH message. For the PUA to successfully provide presence information about a locally registered endpo...

Page 240: ...for existing registrations; a deregistration request; call setup and cleardown information. For non-traversal H.323 registrations the default registration refresh period is 30 minutes. This means that when the PUA is enabled on a VCS with existing registrations, it may take up to 30 minutes before an H.323 registration refresh is received and available presence information is published for that end...

Page 241: ...routing rules. Note that SIP routes are configured using the CLI only. The Presence Server requires that any messages it receives have been pre-authenticated (the Presence Server does not do its own authentication challenge). You must ensure that the subzone through which PUBLISH messages are being received has its Authentication policy set to either Check credentials or Treat as authenticated, oth...

Page 242: ...central source of information for all presentities in your network; VCS clusters: for information about how Presence works within a cluster, see Clustering and Presence (p. 167). Note: any defined transforms also apply to any Publication, Subscription or Notify URIs handled by the Presence Services. ...

Page 243: ...URN servers and lets you create, edit and delete TURN servers. The B2BUA chooses which TURN server to offer via random load balancing between all of the available servers. There is no limit to the number of servers that can be configured for the B2BUA to choose from. To use these TURN servers with the Microsoft Lync B2BUA you must enable Offer TURN services on the Lync B2BUA configuration page. They ar...

Page 244: ...A to take effect. A system alarm is raised if a service restart is necessary. Microsoft Lync 2010: the Microsoft Interoperability option key must be installed to enable encrypted calls to and from Microsoft Lync 2010 Server, for both native SIP calls and calls interworked from H.323. It is also required by the B2BUA when establishing ICE calls to Lync 2010 clients. The B2BUA can use the Cisco AM GW to t...

Page 245: ...of Microsoft Lync; this profile is only used by the Lync B2BUA and cannot be selected against any manually configured zones. For more information about configuring VCS and Microsoft Lync, see: Microsoft Lync B2BUA port reference (p. 397); Microsoft Lync and VCS Deployment Guide; Microsoft Lync 2010, Cisco AM GW and VCS Deployment Guide. Configuring the Microsoft Lync B2BUA: the Microsoft Lync B2BUA con...

Page 246: ...between standard codecs such as H.264 and Microsoft RT Video and RT Audio. Port on B2BUA for transcoder communications: the IP port used on the B2BUA for communicating with the transcoders. Default is 65080. All transcoder communications are carried out over TLS. Use transcoder policy rules: specifies whether the transcoder policy rules are used to control access to the transcoders. Default is No. If Ena...

Page 247: ...will negotiate for the session refresh interval for SIP calls. Default is 500 seconds. For further information see the definition of the Min-SE header in RFC 4028. Port on B2BUA for VCS communications: the port used on the B2BUA for communicating with the VCS. Default is 65070. Port on B2BUA for Lync call communications: the port used on the B2BUA for call communications with the Microsoft Lync server. Defaul...

Page 248: ...s of a call. If the aliases associated with a call do not match any of the policy rules, the call will be routed via the transcoder. Therefore you may want to consider having a general low-priority rule with a regex pattern match for all aliases that denies transcoder resources, and then have more specific rules with a higher priority that define the participants that are allowed to use the transcod...

Page 249: ...only transcoder currently supported by the Lync B2BUA is the Cisco TelePresence Advanced Media Gateway (Cisco AM GW). The B2BUA can use the Cisco AM GW to transcode between standard codecs such as H.264 and Microsoft RT Video and RT Audio, to allow high-definition calls between Microsoft Lync clients and Cisco endpoints. The Transcoders page (Applications > B2BUA > Microsoft Lync > Transcoders) is used to mana...

Page 250: ...s used to restart the Lync B2BUA service. A restart is sometimes required to enable certain configuration changes to the B2BUA to take effect. A system alarm will be raised if a service restart is necessary. Note that this function only restarts the B2BUA service; it does not restart the VCS. However, restarting the service will cause any active calls being managed by the B2BUA to be lost. To restart the...

Page 251: ...upon whether or not the VCS is using Cisco TMS provisioning. If Cisco TMS provisioning is enabled: users manage their FindMe settings by logging into their FindMe account via Cisco TMS; user account and FindMe data is provided by Cisco TMS to VCS via the TMS Provisioning Extension services. If you are using FindMe without Cisco TMS (known as standalone FindMe) then users manage their FindMe sett...

Page 252: ...indMe ID should be in the form of a URI and should be the individual's primary URI. Endpoints should not register with an alias that is the same as an existing FindMe ID. You can prevent this by including all FindMe IDs on the Deny List. Example: users at Example Corp have a FindMe ID in the format john.smith@example.com. Each of the user's endpoints is registered with a slightly different alias tha...

Page 253: ...vices associated with that FindMe account will be called. For H.323 calls placed through an ISDN gateway, the E.164 phone number associated with the FindMe account is signaled instead, as that is a more appropriate number to dial when returning the call. Note that the ISDN gateway must be registered to the same VCS as the call recipient. The FindMe ID is only displayed if the source endpoint has been a...

Page 254: ...ing FindMe without Cisco TMS (known as standalone FindMe). The following options apply when FindMe mode is Remote service. Protocol: the protocol used to connect to the remote service. Address: the IP address or domain name of the remote service. Path: the URL of the remote service. Username: the username used by the VCS to log in and query the remote service. Password: the password used by t...

Page 255: ...rt up to 5,000 device registrations per peer, with a maximum of 20,000 registrations per cluster. However, you are still limited to 10,000 FindMe accounts (users) and 10,000 provisioned devices per cluster. If you need to provision more than 10,000 devices, your network will require additional VCS clusters with an appropriately designed and configured dial plan. See Cisco TMS Provisioning Extension Deploy...

Page 256: ...nd Cisco TMS can be triggered at any time by clicking Perform full synchronization at the bottom of the TMS Provisioning Extension services page. Note that this will result in a temporary (a few seconds) lack of service on the VCS while the data is deleted and fully refreshed. If you only need to ensure that all of the latest updates within Cisco TMS have been supplied to the VCS, then click Che...

Page 257: ...of the provisioning licenses that are available within your system. Go to Status > Applications > TMS Provisioning Extension services > Provisioned device status to see a list of all of the devices that have submitted provisioning requests to the Provisioning Server. Note that some devices (including Jabber Video 4.x) do not inform the VCS when they sign out (unsubscribe from being provisioned). The VCS mana...

Page 258: ...provisioning. The Provisioning page (Applications > Provisioning) is used to configure the VCS's Provisioning Server when the VCS is running in Starter Pack mode. The Starter Pack Provisioning Server provides basic device provisioning and is automatically enabled when the Starter Pack option key is installed. It can be monitored on the Starter Pack status page. Bandwidth limits: the Bandwidth limits secti...

Page 259: ...all active administrator and FindMe sessions. About user accounts 260; Configuring password security 262; Configuring administrator accounts 263; Configuring remote account authentication using LDAP 265; Configuring FindMe accounts 271; Resetting forgotten passwords 274; Using the root account 275 ...

Page 260: ...nt authentication you also need to configure the VCS with: appropriate LDAP server connection settings; administrator groups and/or FindMe groups that match the corresponding group names already set up in the remote directory service to manage administrator and FindMe access to this VCS (see Configuring administrator groups (p. 268) and Configuring FindMe groups (p. 270)). The VCS can also be configured...

Page 261: ...uthentication is selected, each FindMe account must be created locally by the VCS administrator. If remote FindMe account authentication is selected, the VCS administrator must set up FindMe groups to match the corresponding group names in the remote directory service. Note that only the username and password details are managed remotely. All other properties of the FindMe account, such as the FindMe...

Page 262: ...ut requiring all of them to be present; the maximum number of times the same character can be repeated consecutively (by default there is no restriction). Additional non-configurable rules: the following strict password rules always apply and cannot be configured. Passwords must not: be based on a dictionary word; contain too many consecutive characters such as abc or 123; contain too few different...

Page 263: ...nistrator accounts, or you have forgotten those passwords as well, you can still reset the password for the admin account providing you have physical access to the VCS. See Resetting forgotten passwords (p. 274) for details. Additional administrator accounts: you can add additional local administrator accounts which can be used to access the VCS over the web and API interfaces, but not the CLI. The configur...

Page 264: ...trator accounts that are currently logged in to this VCS. It displays details of their session including their login time, session type, IP address and port, and when they last accessed this VCS. You can terminate active web sessions by selecting the required sessions and clicking Terminate session. You may see many sessions listed on this page if a zero Session time out value is configured. This typical...

Page 265: ...s you to continue to use locally defined accounts. This is useful while troubleshooting any connection or authorization issues with the LDAP server. You cannot log in using a locally configured administrator account (including the default admin account) if Remote only authentication is in use. Note: do not use Remote only if VCS is managed by Cisco TMS. FindMe authentication source: defines where FindMe a...

Page 266: ...a TLS connection with the LDAP server. None: no CRL checking is performed. Peer: only the CRL associated with the CA that issued the LDAP server's certificate is checked. All: all CRLs in the trusted certificate chain of the CA that issued the LDAP server's certificate are checked. The default is None. If you are using revocation lists, any required CRL data must also be included within the CA certificate...

Page 267: ...in the order ou then dc. This is for authorization of an authenticated user to log in as an administrator or to log in to a user account. If no Base DN for groups is specified then the Base DN for accounts will be used for both groups and accounts. Checking the LDAP server connection status: the status of the connection to the LDAP server is displayed at the bottom of the page. State: Active; No error messa...

Page 268: ...d for TLS. Unable to get configuration: LDAP server information may be missing or incorrect. Configuring administrator groups: the Administrator groups page (Users > Administrator groups) lists all the administrator groups that have been configured on the VCS and lets you add, edit and delete groups. Administrator groups only apply if remote account authentication is enabled. When an administrator logs in to...

Page 269: ...using the Application Programming Interface (API). Default: Yes. This controls access to the XML and REST APIs by systems such as Cisco TMS. State: indicates if the group is enabled or disabled. Access will be denied to members of disabled groups. If an administrator account belongs to more than one administrator group with a combination of both Enabled and Disabled states, their access will be Enabled. Dete...

Page 270: ...group have after they have been successfully authenticated to use the VCS. When a FindMe user logs in to the VCS, their credentials are authenticated against the remote directory service and they are assigned the access rights associated with the group to which that user belongs. If the user account belongs to more than one group, the highest level permission is assigned. The configurable options are: F...

Page 271: ...ck View/Edit or the username to edit an existing FindMe account. The configurable options for a FindMe account are (Field, Description, Usage tips): Username: the account name. It is used along with a password by the user to log in to the VCS and configure their FindMe details. The username cannot be changed after the account has been created. If remote authentication is enabled, the username defined in the...

Page 272: ...u can control general FindMe behavior, including whether users are allowed to add their own devices, on the Configuring FindMe (p. 252) page. Principal devices (Starter Pack): the Principal devices section is used to specify the principal devices that are associated with the FindMe profile and to enable provisioning for those devices. This section only displays if the Starter Pack option key is installed. Pr...

Page 273: ...their basic FindMe configuration. Principal devices are also used by the VCS to decide which FindMe name to display as a Caller ID if the same device address is associated with more than one account. The page lists all of the devices currently associated with the selected user. The Principal device column indicates each device's current status as a principal device or not. To set devices as a princ...

Page 274: ...e the setting to Both; this will allow local administrator accounts to access the system. 5. Select the account (root or admin) whose password you want to change. 6. You will be prompted for a new password. The pwrec account is only active for one minute following a restart. After that time you will have to restart the system again to change the password. Resetting FindMe account passwords: to change a passw...

Page 275: ...to the VCS as root using the existing password. By default you can only do this using a serial connection or SSH. 2. Type the command passwd. You will be asked for the new password. 3. Enter the new password and, when prompted, retype the password. 4. Type exit to log out of the root account. Accessing the root account over SSH: the root account can be accessed over a serial connection or SSH only. To enable a...

Page 276: ...281; Managing option keys 283; About security certificates 285; Advanced security 295; Configuring language settings 299; Backing up and restoring VCS data 301; Diagnostics tools 303; Incident reporting 306; Checking the effect of a pattern 309; Locating an alias 310; Port usage 311; Network utilities 313; Restarting, rebooting and shutting down 317; Developer resources 319 ...

Page 277: ...o Status > Calls, selecting the check box next to the calls you want to terminate and clicking Disconnect (note that SIP calls may not disconnect immediately). Unified CM mobile and remote access sessions: any existing calls passing through that VCS will be dropped; Jabber clients will failover automatically and re-register through another peer in the cluster; clients running TC software will not f...

Page 278: ...r all of the other components. However, you can independently upgrade the other components if required to do so. The upgrade process ensures that compatibility is maintained across all components. Upgrade prerequisites: the upgrade requires you to have: a valid Release key if you are upgrading to the next major release of the System platform (for example from X7.2 to X8.1); it is not required for dot rel...

Page 279: ...by that component will be temporarily stopped while the upgrade process completes. Upgrading VCS software: the Upgrade page (Maintenance > Upgrade) is used to install new, or to downgrade, versions of VCS software components. To upgrade a component using the web interface: 1. Review the relevant release notes to see if any special steps are required either before or after installing the software image file...

Page 280: ...tform component only. Ensure there is no extraneous white space in this file. The file containing the software image. To transfer these files: 1. If you are upgrading the System platform component, upload the Release Key file using SCP/PSCP to the /tmp folder on the system. The target name must be release-key, for example: scp release-key root@10.0.0.1:/tmp/release-key. Enter the root password when prompt...

Page 281: ...s such as H.460.18 keepalives and H.245 video fast updates. 3: all Level 1 and Level 2 events, plus: protocol keepalives; call-related SIP signaling messages. 4: the most verbose level; all Level 1, Level 2 and Level 3 events, plus: network-level SIP messages. See the Events and levels section for a complete list of all events that are logged by the VCS and the level at which they are logged. Note that...

Page 282: ...must ensure that a suitable CA certificate file has been configured on the VCS. Note that CRL checking is disabled by default; to enable CRL checking you must select the Custom mode, set CRL check to On and ensure that relevant certificate revocation lists (CRLs) are loaded. See About security certificates (p. 285) for more information. Note that: the remote server cannot be another VCS; a VCS cannot act...

Page 283: ...aversal call. See the Call types and licensing (p. 403) section for more information. Non-traversal calls: determines the number of non-traversal calls allowed on the VCS or VCS cluster at any one time. Note that non-traversal calls that are passing through the VCS from one neighbor to another, but where neither endpoint in the call is locally registered, may or may not require a non-traversal call licen...

Page 284: ...e to use and configure the VCS in the meantime. Adding option keys using the CLI: to return the indexes of all the option keys that are already installed on your system: xStatus Options. To add a new option key to your system: xConfiguration Option [1..64] Key. Note: when using the CLI to add an extra option key you can use any unused option index. If you choose an existing option index, that option will be ov...

Page 285: ...d the VCS is the server. TLS can be difficult to configure. For example, when using it with an LDAP server we recommend that you confirm that your system is working correctly before you attempt to secure the connection with TLS. You are also recommended to use a third-party LDAP browser to verify that your LDAP server is correctly configured to use TLS. Note: be careful not to allow your CA certificates...

Page 286: ...a certificate signing request; upload a new server certificate. Viewing the currently uploaded certificate: the Server certificate data section shows information about the server certificate currently loaded on the VCS. To view the currently uploaded server certificate file, click Show decoded to view it in a human-readable form, or click Show PEM file to view the file in its raw format. To replace...

Page 287: ...w certificate. To upload a server certificate: 1. Go to Maintenance > Security certificates > Server certificate. 2. Use the Browse button to select and upload the server certificate PEM file. 3. If you used an external system to generate the certificate request, you must also upload the server private key PEM file that was used to encrypt the server certificate. The private key file will have been automatical...

Page 288: ...users of the client application (e.g. Jabber) and any presence domains as configured on the VCS Control, if they are different. There is no need to include the domains in DNSSEC deployments. The same set of Chat Node Aliases as entered on the VCS Control's certificate, if you are deploying federated XMPP. Note that the list of required aliases can be viewed and copy-pasted from the equivalent Generate...

Page 289: ...PEM and DER encoded CRL files are supported; the distribution point may point directly to a CRL file or to ZIP and GZIP archives containing multiple CRL files; the file extensions in the URL or on any files unpacked from a downloaded archive do not matter, as the VCS will determine the underlying file type for itself; however, typical URLs could be in the format: http://example.com/crl.pem; http://e...

Page 290: ...back behavior: controls the revocation checking behavior if the revocation status cannot be established, for example if the revocation source cannot be contacted. Treat as revoked: treat the certificate as revoked (and thus do not allow the TLS connection). Treat as not revoked: treat the certificate as not revoked. Default: Treat as not revoked. Treat as not revoked ensures that your system continues to ope...

Page 291: ...is managed by a process external to the VCS. When a user attempts to log in to the VCS, the VCS will request a certificate from the client browser. The browser may then interact with a card reader to obtain the certificate from the smart card, or alternatively the certificate may already be loaded into the browser. To release the certificate from the card/browser, the user will typically be requested to...

Page 292: ...d here must conform to PHP regex guidelines. The Username format field can contain a mixture of fixed text and the capture group names used in the Regex. Delimit each capture group name with #, for example prefix#Group1#suffix. Each capture group name will be replaced with the text obtained from the regular expression processing. You can use the Client certificate testing page to test the outcome of ap...

Page 293: ...ching sub-patterns can be substituted in the associated Username format field, for example Subject CN Group1 m. The regex defined here must conform to PHP regex guidelines. The Username format field can contain a mixture of fixed text and the capture group names used in the Regex. Delimit each capture group name with #, for example prefix#Group1#suffix. Each capture group name will be replaced with the...

Page 294: ...The regex is applied to a plain text version of an encoded certificate. The system uses the command openssl x509 -text -nameopt RFC2253 -noout to extract the plain text certificate from its encoded format. ...

Page 295: ...account authentication for administrator accounts; the Advanced Account Security option key must be installed. CAUTION: ensure that the remote directory service is working properly, as after advanced account security is enabled you will not be able to log in to the VCS via the local admin account or as root. You are also recommended to configure your system so that: SNMP is disabled; the session ti...

Page 296: ...isplays the System platform component; downgrades to version X5.0 or below are not allowed. The Event Log, Configuration Log, Network Log, call history, search history and registration history are cleared whenever the VCS is taken out of advanced account security mode. Note that if intrusion protection is enabled, this will cause any existing blocked addresses to become unblocked. Configuring FIPS140-2 c...

Page 297: ...unt password will also be reset to TANDBERG. To turn your system into a compliant FIPS140-2 cryptographic system: 1. Enable FIPS140-2 cryptographic mode: a. Go to Maintenance > Advanced security; b. Set FIPS140-2 cryptographic mode to On; c. Click Save. 2. Fix any alarms that have been raised that report non-compliant configuration. 3. Take a system backup if you want to preserve your current configuration data...

Page 298: ...VCS; Delegated credential checking; SRTP media encryption; SIP/H.323 interworking; TURN server authentication; Encrypted backup/restore operations; Connections to an external manager; Connections to external policy services; Remote logging; Incident reporting; CSR generation. Other VCS features are not FIPS140-2 compliant, including: SIP certificate revocation features; Any SIP media en...

Page 299: ...nguage pack. Language packs are downloaded from the same area on cisco.com from where you obtain your VCS software files. All available languages are contained in one language pack zip file. Download the appropriate language pack version that matches your software release. After downloading the language pack, unzip the file to extract a set of .tlp files, one per supported language. To install a .tlp langu...

Page 300: ...list of installed language packs, select the language packs you want to remove. 3. Click Remove. 4. Click Yes when asked to confirm their removal. The selected language packs are then removed. This may take several seconds. ...

Page 301: ...u can create a backup on one VCS and restore it to a different VCS, for example if the original system has failed. However, before performing the restore you must install on the new system the same set of option keys that were installed on the old system. If you attempt to restore a backup made on a different VCS, you will receive a warning message but you will be allowed to continue. Backups should n...

Page 302: ...kup file. Restoring a previous backup: to restore the VCS to a previous configuration of system data: 1. Go to Maintenance > Backup and restore. 2. In the Restore section, Browse to the backup file containing the configuration you want to restore. 3. In the Decryption password field, enter the password that was used to create the backup file, or leave it blank if the backup file was created without a password...

Page 303: ...e the diagnostic log to your local file system. You are prompted to save the file (the exact wording depends on your browser). The downloaded diagnostic log file can be sent to your Cisco support representative if you have been requested to do so. Note that: only one diagnostic log can be produced at a time; creating a new diagnostic log will replace any previously produced log; the VCS continually lo...

Page 304: ...log file information, including the Event Log, Configuration Log and Network Log. Full snapshot: contains a complete download of all system information. The preparation of this snapshot file may take several minutes to complete and may lead to a drop in system performance while the snapshot is in progress. To create a system snapshot file: 1. Click one of the snapshot buttons to start the download of th...

Page 305: ...to configure the log levels for the range of Support Log message modules. CAUTION: changing the logging levels can affect the performance of your system. You should only change a log level on the advice of Cisco customer support. To change a logging level: 1. Click on the Name of the module whose log level you want to modify. 2. Choose the required Level from the drop-down list. A log level of Fatal is t...

Page 306: ...IP addresses or other handset identifiers, account information, credit information, demographic information, and any other information that, either alone or in combination with other data, could provide information specific to a particular person. PLEASE BE SURE THAT PRIVACY-PROTECTED PERSONAL DATA IS NOT SENT TO CISCO WHEN THE VCS IS CONFIGURED TO AUTOMATICALLY SEND REPORTS. IF DISCLOSURE OF SUCH INFORM...

Page 307: ...ingfully view or edit the information within the file. If you need to edit the report before sending it to Cisco, for example if you need to remove any potentially sensitive information, you must copy and paste the information from the Incident detail page into a text file and edit the information in that file before sending it to Cisco. Viewing incident reports: the Incident view page (Maintenance > Diag...

Page 308: ...ernal build number of the VCS software version running when the incident occurred. Name: the name of the software. System: the system name if configured, otherwise the IP address. Serial number: the hardware serial number. Process ID: the process ID the VCS application had when the incident occurred. Release: a true/false flag indicating if this is a release build rather than a development build. User name: th...

Page 309: ...o use this tool: 1. Enter an Alias against which you want to test the transform. 2. In the Pattern section, enter the combination of Pattern type and Pattern behavior for the Pattern string being tested. If you select a Pattern behavior of Replace, you also need to enter a Replace string. If you select a Pattern behavior of Add prefix or Add suffix, you also need to enter an Additional text string to a...

Page 310: ...he Default Zone an unknown remote system the Default Subzone a locally registered endpoint or any other configured zone or subzone 5 Select whether the request should be treated as Authenticated or not search rules can be restricted so that they only apply to authenticated messages 6 Optionally you can enter a Source alias Typically this is only relevant if the routing process uses CPL that has ru...

Page 311: ... p 311 n Remote listening ports p 312 On a VCS Expressway you can also configure the specific listening ports used for firewall traversal via Configuration Traversal Ports See Port reference p 391 for more information about the specific ports used by the VCS Local inbound ports The Local inbound ports page Maintenance Tools Port usage Local inbound ports shows the listening IP ports on the VCS tha...

Page 312: ...ll must be configured to allow traffic originating from the local VCS to the remote devices identified by the IP addresses and IP ports listed on this page Note there are other remote devices not listed here to which the VCS will be sending media and signaling but the ports on which these devices receive traffic from the VCS is determined by the configuration of the destination device so they cann...

Page 313: ...en for a message to be sent from the VCS to the destination host system. To use this tool: 1. In the Host field, enter the IP address or hostname of the host system you want to try to contact. 2. Click Ping. A new section will appear showing the results of the contact attempt. If successful, it will display the following information: Host: The hostname and IP address returned by the host system that was quer...

Page 314: ...th. A new section will appear with a banner stating the results of the trace and showing the details of each router along the path, the time taken for each router to respond to the request, and the maximum transmission units (MTU). The route taken between the VCS and a particular host may vary for each tracepath request. DNS lookup: The DNS lookup tool (Maintenance > Tools > Network utilities > DNS lookup) can be...

Page 315: ...age. - If the supplied Host is not fully qualified: - DNS is queried first for Host.system_domain. - If the lookup for Host.system_domain fails, then an additional query for Host is performed. For SRV record type lookups, multiple DNS queries are performed. An SRV query is made for each of the following _service._protocol combinations: - _h323ls._udp.domain - _h323rs._udp.domain - _h323cs._tcp.domain - _s...

Page 316: ...that the response was a DNS record involving an internet hostname, server or IP address. Type: The record type contained in the response to the query. Response: The content of the record received in response to the query for this Name and Type. ...

Page 317: ...ly required if you want to unplug your unit prior to maintenance or relocation, for example. The system must be shut down before it is unplugged. Avoid uncontrolled shutdowns, in particular the removal of power to the system during normal operation. After the system has been shut down, the only way it can be restarted (unless it is a virtual appliance) is by pressing the soft power button on the unit itse...

Page 318: ...ge appears with an orange bar indicating progress. After the system has successfully restarted or rebooted, you are automatically taken to the Login page. - Shutdown: the Shutting down page appears. This page remains in place after the system has successfully shut down, but any attempts to refresh the page or access the VCS will be unsuccessful. ...

Page 319: ...rs to inspect what is happening at a detailed level on a live system, including accessing and modifying configuration data and accessing network traffic. To access these tools: 1. Open an SSH session. 2. Log in as admin or root, as required. 3. Follow the instructions provided by your Cisco support representative. Experimental menu: The VCS web interface contains a number of pages that are not intended for u...

Page 320: ...e usage 326; Registration status 328; Call status 330; B2BUA calls 332; Search history 333; Search details 334; Local Zone status 335; Zone status 336; Bandwidth 337; Policy server status and resiliency 338; TURN relays status 339; Unified Communications status 340; Presence 341; Lync B2BUA 343; TMS Provisioning Extension service status 344; Starter Pack Provisioning Server status 348; Managing alarms 349; Logs 35...

Page 321: ...concurrent usage, broken down by: - Unified CM remote session calls (if Unified Communications Mobile and remote access is enabled) - Traversal calls - Non-traversal calls - SIP traversal audio-only calls - Registrations - TURN relays (VCS Expressway only). It also displays resource and license usage information: - Monitored resource usage (expressed as a percentage of the system capacity) - Current and pea...

Page 322: ...rt of a cluster, then details for each peer are shown as well as totals for the entire cluster. See About clusters (p. 158) for more information. ...

Page 323: ...ion keys: This section shows all the optional features currently installed on the VCS. Hardware version: The version number of the hardware on which the VCS software is installed. Serial number: The serial number of the hardware or virtual machine on which the VCS software is installed. Time information section: Up time: The amount of time that has elapsed since the system last restarted. System time (UTC): T...

Page 324: ...tworking option key has been installed, the LAN 2 port. Field / Description: MAC address: The MAC address of the VCS's Ethernet device for that LAN port. Speed: The speed of the connection between the LAN port on the VCS and the Ethernet switch. The Ethernet speed can be configured via the Ethernet page. ...

Page 325: ...only endpoint, the VCS acts as an IPv4 to IPv6 gateway. It communicates with other systems via either protocol. IPv4 gateway: The IPv4 gateway used by VCS. IPv6 gateway: The IPv6 gateway used by VCS. Advanced Networking: Indicates whether the second LAN port has been enabled. This is done by installing the Advanced Networking option key. LAN 1: Shows the IPv4 address and subnet mask, and IPv6 address, of the...

Page 326: ...statistics are based on data since the system was last restarted. The information on this page refreshes automatically every 5 seconds. Clustered VCS systems: If the VCS is part of a cluster, details for each peer are shown as well as totals for the entire cluster. Any traversal or non-traversal call licenses that have been installed on a cluster peer are available for use by any peer in the cluster. U...

Page 327: ...y for your cluster, you should ensure that either the problem with the peer is resolved or new option keys are installed on another peer in the cluster. Note that you are also limited to the number of call license option keys that can be installed (purchased) per VCS peer, as follows (Large VM servers / VCS appliances or equivalent VM): Traversal calls: 500 / 100; Non-traversal calls: 500 / 500; TURN relays: 6000 / 18...

Page 328: ...be, in order of preference, its H.323 ID, URI or email address. For MCUs and Gateways this will be its alias or, if it has not registered an alias, one of its prefixes. For SIP devices this is its SIP AOR. Number: For H.323 devices that have registered one or more E.164 numbers, the first will be shown here. For SIP devices this will always be blank because they cannot register E.164 numbers. This is shown i...

Page 329: ...nd blocking devices: The registration status pages provide options to manually unregister and block devices. - Click Unregister to unregister the device. Note that the device may automatically re-register after a period of time, depending on its configuration. To prevent this you must also use a registration restriction policy such as an Allow List or Deny List. - Click Unregister and block to unregiste...

Page 330: ...indMe ID may be displayed instead. Destination: The alias dialed from the device. This may be different from the alias to which the call was placed, which may have been transformed due to pre-search transforms, zone transforms or User Policy. Type: Indicates either a traversal or non-traversal call. Protocol: Shows whether the call used H.323, SIP or both protocols. For calls passing through the B2BUA this m...

Page 331: ...ponent and that will route the call through the CollaborationEdgeZone. Note that if both endpoints are outside of the enterprise (i.e. off-premises), you will see this treated as 2 separate calls. Disconnecting calls: Click Disconnect to disconnect the selected calls. Note that if your VCS is part of a cluster, you have to be logged into the peer through which the call is associated to be able to disconnec...

Page 332: ...Microsoft Lync server via B2BUA neighbor zone. Note that for Microsoft Lync B2BUA calls you can click the Corresponding VCS call link to see details of the leg passing through the VCS. Viewing B2BUA call media details: The B2BUA call media page (accessed from the B2BUA calls page by clicking View media statistics for this call) shows information about the media channels (audio and video) that made up th...

Page 333: ...age is sent in order to place a call; this is either a SIP INVITE or a SIP OPTIONS. Note that an individual call can have one or more searches associated with it, and these searches can be of different types. Each search has an individual Search ID; each call has an individual Call Tag (see Identifying calls, p. 219). Search history list: The search history summary list shows the following information: Field...

Page 334: ...n the Related tasks section at the bottom of the page: - View all events associated with this call tag takes you to the Event Log page, filtered to show only those events associated with the Call Tag relating to this search. - View call information associated with this call tag takes you to the Call details page, where you can view overview information about the call. - View all searches associated wit...

Page 335: ...he number of devices currently registered within the subzone. Note that devices cannot be registered to the Traversal Subzone. Calls: The number of calls currently passing through the subzone. Note that a single call may pass through more than one subzone, depending on the route it takes. For example, traversal calls from a locally registered endpoint will always pass through the Traversal Subzone, so the...

Page 336: ...each zone. H.323/SIP status: Indicates the zone's H.323 or SIP connection status. - Off: the protocol is disabled at either the zone or system level. - Active: the protocol is enabled for that zone and it has at least one active connection; if multiple connections are configured and some of those connections have failed, the display indicates how many of the connections are Active. - On: applies to DNS and...

Page 337: ...l bandwidth of all the calls currently traversing the link. Pipe status: The Pipe status page (Status > Bandwidth > Pipes) lists all of the pipes currently configured on the VCS, along with the number of calls and the bandwidth being used by each pipe. The following information is displayed: Field / Description: Name: The name of each pipe. Clicking on a pipe Name takes you to the configuration page for that pipe...

Page 338: ...lly 75 seconds). Therefore, in practice, a TCP connection timeout is unlikely to occur, as either the connection will be instantly unreachable or the 30 second request timeout will occur first. The VCS uses the configured Default CPL if it fails to contact the policy service via any of the configured addresses. Note that this method provides resiliency but not load balancing, i.e. all requests will be sent...

Page 339: ...plays the addresses on which the TURN server is listening and the addresses from which it is allocating relays. Viewing TURN relay details: Click View to go to the TURN relay summary page, where you can see more information about a relay. From here, further detailed information about the relay can be viewed by using the links in the Related tasks section at the bottom of the page: - View permissions for...

Page 340: ...at have been configured for Unified Communications services. If any configuration or connectivity problems are detected, appropriate messages are displayed with either links or guidelines as to how to resolve the issue. You can also view some advanced status information, including: - a list of all current and recent (shown in red) provisioning sessions (VCS Control only) - a list of the automatically gener...

Page 341: ...ce of information about their presence. It is the job of the presentity manager to aggregate this information and determine the actual status of the presentity. Presence presentities: The Presentities page (Status > Applications > Presence > Presentities) lists each presentity whose presence information is being managed by (that is, published to) the local Presence Server and whose presence information has been...

Page 342: ...as a FindMe entity cannot subscribe to presence information. However, one or more of the endpoints that make up a FindMe user may be requesting presence information, in which case that endpoint will be listed here. URI: The address of the endpoint that has requested presence information. Subscription count: The number of local presentities about whom this endpoint is requesting information. To view the l...

Page 343: ...n the Lync Active Directory, in the same way that Lync users can only register if they have a valid account enabled in the Lync AD. Subscription state: Indicates whether the B2BUA Presence Relay application has subscribed successfully to the FindMe ID's presence information. Doing so allows Lync clients to view the presence information of FindMe users. Peer: The cluster peer that is registering the URI...

Page 344: ...ovisioning Extension services. See the Provisioning Server section for more information. Provisioning Server device requests status (Cisco TMSPE): The Device requests status page (Status > Applications > TMS Provisioning Extension services > Device requests) shows the status of the VCS Provisioning Server when using Cisco TMSPE. The VCS Provisioning Server provides provisioning-related services to provisioned d...

Page 345: ...VCS was last restarted. User records provided by Cisco TMSPE services: You can view the data records provided by the Cisco TMSPE Users service by going to Status > Applications > TMS Provisioning Extension services > Users and then the relevant table: - Accounts - Groups - Templates. All the records in the chosen table are listed. Note that some tables can contain several thousand records and you may experie...

Page 346: ...an also access the related location and device records. Phone book records provided by Cisco TMSPE services: You can view the data records provided by the Cisco TMSPE Phone books service by going to Status > Applications > TMS Provisioning Extension services > Phone book and then the relevant table: - Folders - Entries - Contact methods - User access. All the records in the chosen table are listed. Note that...

Page 347: ...ovisioning request. The Active column indicates if the device is currently being provisioned and is thus consuming a provisioning license. Checking provisioned data: The Check provisioned data page is used to check the configuration data that the VCS's Provisioning Server will provision to a specific user and device combination. You can get to this page only through the User accounts status page (Statu...

Page 348: ...ng response - failed requests because the account requesting provisioning could not be found - failed requests because the account requesting provisioning had no provisioned devices associated with it. Model licenses: This section shows the number of licenses currently being used by devices that are registered to this VCS. This information is broken down by the device types that can be provisioned by...

Page 349: ...larm (its ID, severity and so on) are included in the information sent to Cisco TMS. Alarms are dealt with by clicking each Action hyperlink and making the necessary configuration changes to resolve the problem. Acknowledging an alarm (by selecting an alarm and clicking on the Acknowledge button) removes the alarm icon from the web UI, but the alarm will still be listed on the Alarms page with a status of...

Page 350: ...to reapply any modified filter conditions. To return to the complete log listing, click Reset. Reconfiguring the log settings: Clicking Configure the log settings takes you to the Logging configuration page. From this page you can set the level of events that are recorded in the Event Log, and also set up a remote server to which the Event Log can be copied. Saving the results to a local disk: Click Down...

Page 351: ...cations Failure - Application Failed - Request Failed - System Backup Error - System Restore Error - Authorization Failure - Intrusion Protection Blocking. For more information about the format and content of the Event Log, see Event Log format (p. 357) and Events and levels (p. 360). Configuration Log: The Configuration Log page (Status > Logs > Configuration Log) provides a list of all changes to the VCS config...

Page 352: ...text that appears after Event filters the list to show all the events of that particular type. Likewise, clicking on a particular user shows just those events relating to that particular administrator account. All events that appear in the Configuration Log are recorded as Level 1 Events, so any changes to the logging levels will not affect their presence in the Configuration Log. Configuration Log ev...

Page 353: ...ngs takes you to the Network Log configuration page. From this page you can set the level of events that are recorded in the Network Log. Saving the results to a local disk: Click Download results if you want to download the contents of the results section to a text file on your local PC or server. Results section: The Results section shows the events logged by each of the Network Log modules. Most even...

Page 354: ...us yourself, as opening or removing covers may expose you to dangerous voltages or other hazards and will void the warranty. Refer all servicing to qualified service personnel. Note that hardware status information is not displayed if the VCS is running on VMware. VCS unit front panel: The LCD panel on the front of the VCS hardware unit has a rotating display of the VCS's system name, IP addresses, alarm...

Page 355: ...on 388; Pattern matching variables 389; Port reference 391; Unified Communications port reference 395; Microsoft Lync B2BUA port reference 397; Device authentication port reference 399; Regular expressions 400; Supported characters 402; Call types and licensing 403; Alarms 405; Command reference: xConfiguration 422; Command reference: xCommand 469; Command reference: xStatus 488; External policy overview 490; Flas...

Page 356: ...M servers (minimum 8 cores with 2 x 10Gb NIC): Supports the following set of concurrent calls and registrations: - 500 encrypted traversal calls (768kbps) or 1000 encrypted SIP audio traversal calls (64kbps), and - 500 non-traversal calls, and - 5000 registrations. This assumes a maximum sustained call rate of 10 calls per second. VCS appliances (or equivalent VM server with 2 cores and 1Gb NIC): Supports the fo...

Page 357: ...which they are logged. Event Log format: The Event Log is displayed in an extension of the UNIX syslog format: date time process_name message_details, where: Field / Description: date: The local date on which the message was logged. time: The local time at which the message was logged. process_name: The name of the program generating the log message. This could include: - tvcs for all messages originating from V...

Page 358: ...nt, and the last name element is always Level. The table below shows all the possible name elements within the message_details field, in the order that they would normally appear, along with a description of each. Note: in addition to the events described below, a syslog.info event containing the string MARK is logged after each hour of inactivity to provide confirmation that logging is still active. Name...

Page 359: ...first H.323 alias associated with the originator of the message. If present, the first E.164 alias associated with the originator of the message. Dst-alias: If present, the first H.323 alias associated with the recipient of the message. If present, the first E.164 alias associated with the recipient of the message. Detail: Descriptive detail of the Event. Auth: Whether the call attempt has been authenticate...

Page 360: ...rameter provides information about the nature of the issue. (Level 1) Alarm lowered: The issue that caused an alarm to be raised has been resolved. The Detail event parameter provides information about the nature of the issue. (Level 1) Alarm raised: The VCS has detected an issue and raised an alarm. The Detail event parameter provides information about the nature of the issue. (Level 1) Admin Session CBA Authorization Failure...

Page 361: ...been rejected. The Reason event parameter contains a textual representation of the H.225 additional cause code. (Level 1) Call Rerouted: The VCS has Call signaling optimization set to On and has removed itself from the call signaling path. (Level 1) CBA Authorization Failure: An attempt to log in using certificate-based authentication has been rejected due to authorization failure. (Level 1) Certificate Management: Indicates th...

Page 362: ...e between peers has been received. (Level 3) Message Received (SIP): An incoming message has been received. (Level 4) Message Rejected: This could be for one of two reasons: - If authentication is enabled and an endpoint has unsuccessfully attempted to send a message (such as a registration request) to the VCS. This could be either because the endpoint has not supplied any authentication credentials or because its credenti...

Page 363: ...formation about the nature of the rejection. (Level 1) Registration Removed: A registration has been removed by the VCS. The Reason event parameter specifies the reason why the registration was removed. This is one of: - Authentication change - Conflicting zones - Operator forced removal - Operator forced removal (all registrations removed) - Registration superseded. (Level 1) Registration Requested: A registration has be...

Page 364: ...essfully entered Advanced account security mode. (Level 1) Security Alert: A potential security-related attack on the VCS has been detected. (Level 1) Source Aliases Rewritten: A source alias has been changed to indicate the caller's FindMe ID. (Level 1) Success Response Sent: The TURN server has sent a success message to a client using STUN protocol. (Level 3) System backup completed: The system backup process has completed. (Level 1) System Ba...

Page 365: ...S Negotiation Error: Transport Layer Security (TLS) connection failed to negotiate. (Level 1) Unregistration Accepted: An unregistration request has been accepted. (Level 1) Unregistration Rejected: An unregistration request has been rejected. (Level 1) Unregistration Requested: An unregistration request has been received. (Level 1) Upgrade: Messages related to the software upgrade process. The Detail event parameter provides specific infor...

Page 366: ...ws the correct use of namespaces to make the syntax acceptable: <?xml version="1.0" encoding="UTF-8"?> <cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl/extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd"> <taa:routed> <address-switch field="destination"> <address is="reception@example.com"> <proxy/> </address> </address-switch> </taa:routed> </c...

Page 367: ...he source aliases from the original LRQ or ARQ that started the call if it authenticated correctly, or where the relevant Authentication Policy is Treat as authenticated; otherwise not-present. Because SETUP messages are not authenticated, if the VCS receives a SETUP without a preceding RAS message, the origin will always be not-present. originating-zone: The name of the zone or subzone for the originati...

Page 368: ...otherwise: node is executed if the address specified in the address-switch was found but none of the preceding address nodes matched. not-present: The not-present node is executed when the address specified in the address-switch was not present in the call setup message. This form is most useful when authentication is being used. With authentication enabled, the VCS will only use authenticated aliases...

Page 369: ...ding display name is also modified to match the username part of the modified source URL. rule-switch: This extension to CPL is provided to simplify Call Policy scripts that need to make decisions based on both the source and destination of the call. A taa:rule-switch can contain any number of rules that are tested in sequence; as soon as a match is found, the CPL within that rule element is executed. E...

Page 370: ...apply. The CPL can perform further actions based on these results. Any results nodes must be contained within the proxy node. For example: <proxy timeout="10"> <busy> <!-- If busy, route to recording service --> <location clear="yes" url="recorder"> <proxy/> </location> </busy> </proxy>. If a reject node is executed, the VCS stops any further script processing and rejects the current call. The custom reject strings status string a...

Page 371: ...ails on how to enable authentication. <?xml version="1.0" encoding="UTF-8"?> <cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl/extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd"> <taa:routed> <address-switch field="authenticated-origin"> <not-present> <!-- Reject call with a status code of 403 (Forbidden) --> <reject status="403" reason="Denied...

Page 372: ...y calls. <?xml version="1.0" encoding="UTF-8"?> <cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl/extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd"> <taa:routed> <address-switch field="destination"> <address is="fred"> <address-switch field="authenticated-origin" subfield="host"> <address subdomain-of="annoying.com"> <!-- Don't accept calls from...

Page 373: ...egistered endpoints only. In this example the administrator only wants to allow calls that originate from locally registered endpoints. <?xml version="1.0" encoding="UTF-8"?> <cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl/extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd"> <taa:routed> <address-switch field="registered-orig...

Page 374: ...itch node or the taa:rule-switch node. Examples of each are shown below. Using the address-switch node: <?xml version="1.0" encoding="UTF-8"?> <cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl/extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd"> <taa:routed> <address-switch field="destination"> <address regex="9"> <address-switch field...

Page 375: ...he specified reason. In addition, the VCS allows multiple failure outputs to be specified within a single proxy node. This allows a script to redirect the call to different locations (such as different recorded messages) based on the exact reason for call failure. For example: <?xml version="1.0" encoding="UTF-8"?> <cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl/extensions" xmlns:xsi="http...

Page 376: ...net/cpl/extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd"> <taa:routed> <taa:rule-switch> <taa:rule origin=".*" destination="user@example.com" message-regex="SUBSCRIBE.*"> <!-- Cannot subscribe to user@example.com --> <!-- Reject call with a status code of 403 (Forbidden) --> <reject status="403" reason="Denied by policy"/> </taa:rule> </taa:rule-switch> </taa:routed> </cpl> ...

Page 377: ...s. The schemas can be downloaded from the web interface on the VCS. To do this: 1. Go to Configuration > Authentication > Devices > LDAP schemas. You are presented with a list of downloadable schemas. 2. Click on the Download button next to each file to open it. 3. Use your browser's Save As command to store it on your file system. Configuring a Microsoft Active Directory LDAP server: Prerequisites: These instructi...

Page 378: ...dentitySIPURI: sip:MeetingRoom@X. 2. Add the ldif file to the server using the command: ldifde -i -c DC=X ldap_base -f filename.ldf, where ldap_base is the base DN of your Active Directory Server. The example above will add a single endpoint with an H.323 ID alias of MeetingRoom1, an E.164 alias of 626262 and a SIP URI of MeetingRoom@X. The entry also has H.235 and SIP credentials of ID meetingroom1 and pass...

Page 379: ...the domain controller in the common name in the subject field and/or the DNS entry in the subject alternative name extension. To configure the VCS to use TLS on the connection to the LDAP server, you must upload the CA's certificate as a trusted CA certificate. This can be done on the VCS by going to Maintenance > Security certificates > Trusted CA certificate. Configuring an OpenLDAP server: Prerequisite...

Page 380: ...ommobject.ldif in the case of the commobject file) and remove the following lines: structuralObjectClass, entryUUID, creatorsName, createTimestamp, entryCSN, modifiersName, modifyTimestamp. 5. Add each schema to the ldap database via ldapadd. For example, for cn=commobject.ldif: sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=commobject.ldif (the backslash after cn is an escape character). 6. Repeat these steps for every s...

Page 381: ...egistrations will look for the H.323 and H.235 attributes; SIP will look for the SIP attributes. Therefore, if your endpoint is registering with just one protocol, you do not need to include elements relating to the other. For information about what happens when an alias is not in the LDAP database, see Source of aliases for registration in the Using an H.350 directory service lookup via LDAP (p. 120) sect...

Page 382: ...he connection to the LDAP server, you must upload the CA's certificate as a trusted CA certificate. This can be done on the VCS by going to Maintenance > Security certificates > Trusted CA certificate. ...

Page 383: ...server, open a command window and enter: dnscmd /RecordAdd domain service_name SRV Priority Weight Port Target, where domain is the domain into which you want to insert the record, service_name is the name of the service you are adding, Priority is the priority as defined by RFC 2782, Weight is the weight as defined by RFC 2782, Port is the port on which the system hosting the domain is listening, Target...

Page 384: ...ry within the options section. This will give the directory in which the zone files are stored (possibly relative to a new root directory). In the appropriate zone section, a file entry will give the name of the file containing the zone details. For more details of how to configure BIND servers and the DNS system in general, see the publication DNS and BIND. ...

Page 385: ...re taken to the Restart page. 6. Check the number of calls and registrations currently in place. 7. Click Restart system and then confirm the restart when asked. If you have a clustered VCS system, you must generate new SSH keys for every cluster peer. Log into each peer in turn and follow the instructions above. You do not have to decluster or disable replication. When you next log in to the VCS over SSH...

Page 386: ...console, or via a direct connection to the appliance with a keyboard and monitor. This is because the network settings will be rewritten, so any SSH session used to initiate the reset would be dropped and the output of the procedure would not be seen. The process takes approximately 20 minutes. 1. Log in to the system as root. 2. Type factory-reset. 3. Answer the questions as required. The recommended respo...

Page 387: ...own and rebuild the USB stick after use. Do not reset one system and then take the USB stick and re-use it on another system. ...

Page 388: ...ver, after the command has been executed the password is displayed in its encrypted form with a {cipher} prefix, for example: xConfiguration Authentication Password: {cipher}xcy6k 4NgB025vYEgoEXXw. Note that FindMe is a standalone application that can be hosted by the VCS or by another remote server. This means that FindMe account information is not configured or accessible using the CLI of the VCS. However...

Page 389: ...figuration Ethernet 2 IP V4 Address xConfiguration Ethernet 2 IP V6 Address Matches all IPv4 and IPv6 addresses Applies to all peer addresses if the VCS is part of a cluster not applicable ipv4 xConfiguration Ethernet 1 IP V4 Address xConfiguration Ethernet 2 IP V4 Address Matches the IPv4 addresses currently configured for LAN 1 and LAN 2 Applies to all peer addresses if the VCS is part of a clus...

Page 390: ...eplaces the string with the LAN 2 IPv6 address. If the VCS is part of a cluster, the address of the local peer is always used. localdomains: xConfiguration SIP Domains Domain 1 Name ... xConfiguration SIP Domains Domain 200 Name. Matches all the SIP domains currently configured on the VCS. Not applicable. localdomain1 ... localdomain200: xConfiguration SIP Domains Domain 1 Name ... xConfiguration SIP Domains Domain 2...

Page 391: ...mmand line administration: 22 TCP, inbound, not configurable. HTTP (unencrypted web administration): 80 TCP, inbound, not configurable. NTP (system time updates, and important for H.235 security): 123 UDP, outbound, not configurable. SNMP (network management): 161 UDP, inbound, not configurable. HTTPS (encrypted web administration): 443 TCP, inbound, not configurable. Clustering (IPsec secure communication between cluster peer...

Page 392: ...S's non-configurable firewall rules. 5071 5073 TCP, inbound, not configurable. Traversal server zone H.323: port on the VCS Expressway used for H.323 firewall traversal from a particular traversal client; 6001 UDP (increments by 1 for each new zone), inbound, Configuration > Zones. Traversal server zone SIP: port on the VCS Expressway used for SIP firewall traversal from a particular traversal client; ...

Page 393: ...VM deployments, the first 12 ports in the range 36000 to 36011 are used. The previous default range of 50000 to 54999 still applies to earlier releases that have upgraded to X8.1. 36002 to 59999 UDP (standard appliances or equivalent VM) or 36012 to 59999 UDP (Large VM server), inbound and outbound, Configuration > Local Zone > Traversal Subzone. TURN relay media port range: range of ports available for TURN media relay; 2400...

Page 394: ...erver: 514 UDP, 6514 TCP, Maintenance > Logging. Neighbors H.323 (H.323 connection to a neighbor zone): 1710 UDP, Configuration > Zones. Neighbors SIP (SIP connection to a neighbor zone): 5060/5061 TCP, Configuration > Zones. Traversal zone H.323 (H.323 connection to a traversal server): 6001 UDP, Configuration > Zones. Traversal zone SIP (SIP connection to a traversal server): 7001 TCP, Configuration > Zones. Endpoint H.323 (Endpo...

Page 395: ...d from public internet to VCS Expressway (DMZ). Purpose / Protocol / Internet endpoint source port / VCS Expressway listening port: XMPP (IM and Presence), TCP, >= 1024, 5222. HTTP proxy (UDS), TCP, >= 1024, 8443. Media, UDP, >= 1024, 36002 to 59999. SIP signaling, TLS, >= 1024, 5061. HTTPS (administrative access), TCP, >= 1024, 443. From VCS Control to Unified CM / CUC. Purpose / Protocol / VCS Control source port / Unified CM listening port: XMPP (IM and Presence), TCP, Ephemera...

Page 396: ...c on that port. The VCS Expressway listens on port 2222 for SSH tunnel traffic. The only legitimate sender of such traffic is the VCS Control cluster. Therefore we recommend that you create the following firewall rules for the SSH tunnels service: one or more rules to allow all of the VCS Control peer addresses via the internal LAN interface (if appropriate), followed by a lower priority (higher num...
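The rule set recommended above (allow each VCS Control peer on the internal interface, then a lower-priority catch-all that refuses everything else aimed at TCP 2222) is easy to get wrong in ordering. The following is an added example, not code from the guide or from Cisco: it models the two-tier rule set and evaluates sample packets against it with first-match semantics. The interface names `LAN1`/`LAN2`, the priority numbers and the sample addresses are constructed for illustration.

```python
"""Model of the recommended firewall rules for the VCS Expressway SSH tunnels
service (TCP 2222): allow the VCS Control peers, then drop everyone else with
a lower-priority rule. Constructed example, not VCS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SSH_TUNNEL_PORT = 2222  # port the VCS Expressway listens on (from the guide)


@dataclass(frozen=True)
class Rule:
    priority: int    # lower number = evaluated first (higher priority), as the guide describes
    action: str      # "allow" or "drop"
    source: str      # CIDR; "0.0.0.0/0" for any IPv4 source
    interface: str   # "LAN1", "LAN2" or "any" (interface names are assumed)
    dst_port: int


def build_ssh_tunnel_rules(control_peers, internal_iface="LAN1"):
    """One allow rule per VCS Control peer on the internal interface, followed by
    a catch-all drop at a higher (i.e. less urgent) priority number."""
    rules = [Rule(100 + i, "allow", f"{peer}/32", internal_iface, SSH_TUNNEL_PORT)
             for i, peer in enumerate(control_peers)]
    rules.append(Rule(1000, "drop", "0.0.0.0/0", "any", SSH_TUNNEL_PORT))
    return rules


def evaluate(rules, src_ip: str, iface: str, dst_port: int) -> Optional[str]:
    """First-match evaluation in priority order. None means no rule in this set
    matched, so the packet falls through to whatever rules follow it."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.dst_port != dst_port:
            continue
        if rule.interface not in ("any", iface):
            continue
        if addr in ipaddress.ip_network(rule.source):
            return rule.action
    return None


if __name__ == "__main__":
    rules = build_ssh_tunnel_rules(["10.0.0.5", "10.0.0.6"])  # constructed peer addresses
    for pkt in [("10.0.0.5", "LAN1"), ("10.0.0.5", "LAN2"), ("203.0.113.7", "LAN2")]:
        print(pkt, "->", evaluate(rules, *pkt, SSH_TUNNEL_PORT))
```

Note that a genuine peer arriving on the wrong (external) interface is dropped too; that is the point of tying the allow rules to the internal LAN interface.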

Page 397: ...raversal media port range: UDP, 56000 to 57000, Lync client media ports. Between B2BUA and VCS (internal communications). Purpose / Protocol / B2BUA IP port / VCS IP port: internal communications with VCS application, TLS, 65070, SIP TCP outbound port. Between B2BUA and VCS Expressway hosting the TURN server. Purpose / Protocol / B2BUA IP port / VCS Expressway IP port: all communications, UDP, 56000 to 57000, 3478 (media/signa...

Page 398: ...UDP media if it is sent via the VCS Expressway: UDP, 1024 to 65535, 24000 to 29999. The default TURN relay media port range of 24000 to 29999 applies to new installations of X8.1 or later. The previous default range of 60000 to 61799 still applies to earlier releases that have upgraded to X8.1. Between B2BUA and transcoder. Purpose / Protocol / B2BUA IP port / Transcoder: B2BUA communications with transcoder (Cisco AM GW), T...

Page 399: ...d the AD system. They are configurable via Configuration > Authentication > Devices > Active Directory Service. Purpose / VCS port / Destination port: Kerberos Key Distribution Center, UDP ephemeral port, 88 UDP. Kerberos, TCP ephemeral port, 88 TCP. VCS with Domain Controller (CLDAP), UDP ephemeral port, 389 UDP. VCS with Domain Controller (LDAP), TCP ephemeral port, 389/636 TCP. Client credential authentication with the Dom...

Page 400: ...owed by the - character and then the last character in the range. You cannot use special characters within the [ ]; they will be taken literally. [a-z] matches any alphabetical character. [0-9#*] matches against any single E.164 character (the E.164 character set is made up of the digits 0-9 plus the hash key # and the asterisk key *). [^...] matches anything except the set of specified characters. Each character in the set can...

Page 401: ...ve lookahead: defines a subexpression that must not be present. For example, a negative lookahead on example.com matches any string that does not end with example.com, and one on alice matches any string that does not start with alice. Negative lookbehind: defines a subexpression that must not be present. For example, a negative lookbehind on .net matches any string that does not end with .net. Note that regex comparisons are not case sensitive. For an example of regular expression usage, see...
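The pattern constructs on pages 400 and 401 (E.164 character sets, negated sets, negative lookahead and lookbehind, case-insensitive comparison) behave the same in Python's `re` module, which makes it a convenient place to test a pattern before putting it into a search rule or allow list. The following is an added example, not code from the guide: it collects one pattern for each construct and evaluates aliases against them. Whether the VCS anchors a regex pattern to the whole alias is not stated on the page, so `re.fullmatch` is used here to make the anchoring explicit; the sample aliases are constructed.

```python
"""Pattern-matching behaviour described on pages 400-401, reproduced with
Python's re module. Added example, not VCS code."""
import re


def vcs_like_match(pattern: str, alias: str) -> bool:
    # The guide says regex comparisons are not case sensitive.
    # fullmatch makes the anchoring explicit (an assumption, see the lead-in).
    return re.fullmatch(pattern, alias, flags=re.IGNORECASE) is not None


# [0-9#*] is the E.164 character set: the digits plus hash and asterisk.
E164_USER = r"[0-9#*]+@example\.com"
# Negative lookahead at the start: any alias that does NOT start with alice.
NOT_ALICE = r"(?!alice).*@example\.com"
# Negative lookahead over the whole string: any alias that does NOT end with example.com.
NOT_EXAMPLE_COM = r"(?!.*example\.com$).*"
# Negative lookbehind at the end: any alias that does NOT end with .net
# (Python requires a fixed-width lookbehind, which ".net" is).
NOT_NET = r".*(?<!\.net)"
# Negated set: a user part that contains no dot.
NO_DOT_USER = r"[^.]+@example\.com"


def classify(alias: str) -> dict:
    """Evaluate one alias against every pattern above."""
    return {
        "e164_user": vcs_like_match(E164_USER, alias),
        "not_alice": vcs_like_match(NOT_ALICE, alias),
        "not_example_com": vcs_like_match(NOT_EXAMPLE_COM, alias),
        "not_net": vcs_like_match(NOT_NET, alias),
        "no_dot_user": vcs_like_match(NO_DOT_USER, alias),
    }


if __name__ == "__main__":
    for alias in ["1234#*@Example.COM", "alice@example.com", "Alice.Smith@example.net"]:
        print(alias, classify(alias))
```

The mixed-case alias in the first sample shows why the case-insensitivity note matters: a pattern written in lower case still matches `Example.COM`, so a rule intended to exclude a domain cannot be dodged by changing case.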

Page 402: ...Unicode characters. The following characters are specifically not allowed: tabs; angle brackets < and >; ampersand &; caret ^. Note that some specific text fields (including Administrator and user groups) have different restrictions, and these are noted in the relevant sections of this guide. Case sensitivity: text items entered through the CLI and web interface are case insensitive. The only exceptions are...

Page 403: ...dia does traverse the VCS. Both Unified CM remote sessions and VCS traversal calls consume traversal call resources, and each VCS has a maximum limit of 150 concurrent traversal calls (500 calls on Large VM servers). Each VCS also allows up to 750 concurrent non-traversal calls. Note that: VCS defines an audio-only SIP call as one that was negotiated with a single m-line in the SDP. Thus, for example, if...

Page 404: ...a, but the call is not classified as a VCS traversal call and does not consume a traversal call license (it may still consume a non-traversal license if the VCS takes the call signaling). Traversal calls use more resource than non-traversal calls, and the numbers of each type of call are licensed separately. The VCS has one license for the maximum number of concurrent traversal calls it can take and ano...

Page 405: ...ption keys. 35nnn: external applications and services, such as policy services or LDAP/AD configuration. 40nnn: security issues, such as certificates, passwords or insecure configuration. 45nnn: general VCS configuration issues. 55nnn: B2BUA issues. All alarms raised on the VCS are also raised as Cisco TMS tickets. All the attributes of an alarm (its ID, severity and so on) are included in the information sent to...
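Because alarm IDs are grouped into numbered thousands, the category of an alarm can be recovered from the ID alone, which is useful when alarms arrive as TMS tickets or syslog lines rather than through the web interface. The following is an added example, not code from the guide: it classifies IDs by the ranges named on page 405 (other ranges that appear later in the alarm list are reported as unlisted) and picks out the 40nnn security alarms from a batch. The sample lines are constructed from alarm texts that appear on pages 406 to 419; the line format `<severity> <id> <title>: <text>` is an assumption.

```python
"""Classify VCS alarm IDs by the numbered ranges the guide defines and parse
alarm lines of the (assumed) form '<severity> <id> <title>: <text>'.
Added example; sample lines are constructed, not captured from a system."""
import re
from typing import Optional

# Ranges named on page 405. Ranges the page does not name (15nnn, 20nnn,
# 25nnn, 30nnn also appear in the alarm list) are reported as "unlisted".
ALARM_CATEGORIES = {
    35: "External applications and services (policy services, LDAP/AD)",
    40: "Security issues (certificates, passwords, insecure configuration)",
    45: "General VCS configuration issues",
    55: "B2BUA issues",
}
SECURITY_RANGE = 40

ALARM_RE = re.compile(r"^(?P<severity>\w+)\s+(?P<id>\d{5})\s+(?P<rest>.+)$")


def category(alarm_id: int) -> str:
    return ALARM_CATEGORIES.get(alarm_id // 1000, "unlisted on this page")


def parse_alarm(line: str) -> Optional[dict]:
    """Return a dict for a well-formed alarm line, or None if it does not parse."""
    m = ALARM_RE.match(line.strip())
    if not m:
        return None
    alarm_id = int(m.group("id"))
    return {
        "severity": m.group("severity"),
        "id": alarm_id,
        "category": category(alarm_id),
        "text": m.group("rest"),
        "security": alarm_id // 1000 == SECURITY_RANGE,
    }


SAMPLE_ALARMS = [  # constructed from alarm texts on pages 406-419
    "Alert 15014 Restart required: Core dump mode has been changed",
    "Warning 35001 Configuration warning: Active Directory mode has been enabled but the DNS hostname has not been configured",
    "Warning 40029 LDAP server CA certificate is missing: A valid CA certificate for the LDAP database has not been uploaded",
    "Warning 45019 Insufficient media ports: There is an insufficient number of media ports",
    "Warning 55019 B2BUA misconfiguration: Invalid TURN server address",
]


def security_alarms(lines) -> list:
    """IDs of alarms in the 40nnn security range, in input order; unparsable lines are skipped."""
    parsed = (parse_alarm(line) for line in lines)
    return [a["id"] for a in parsed if a and a["security"]]


if __name__ == "__main__":
    for line in SAMPLE_ALARMS:
        a = parse_alarm(line)
        print(a["id"], a["category"])
    print("security alarms:", security_alarms(SAMPLE_ALARMS))
```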

Page 406: ...h. Some text labels may not be translated. Contact your Cisco representative to see if an up-to-date language pack is available. Warning 15013, Factory reset failed: Factory reset failed. Alert 15014, Restart required: Core dump mode has been changed; however, a restart is required for this to take effect. Restart the system. Warning 15015, Maintenance mode: The VCS is in Maintenance mode and will no longer acc...

Page 407: ...ication error: There was an error during automatic replication of configuration. View cluster replication instructions. Warning 20010, Cluster replication error: The NTP server is not configured. Configure an NTP server. Warning 20011, Cluster replication error: This peer's configuration conflicts with the master's configuration; manual synchronization of configuration is required. View cluster replication i...

Page 408: ...d static NAT settings on the IP page and then restart the system. Warning 25007, Restart required: QoS settings have been changed; however, a restart is required for this to take effect. Restart the system. Warning 25008, Restart required: Port configuration has been changed; however, a restart is required for this to take effect. Restart the system. Warning 25009, Restart required: Ethernet configuration has be...

Page 409: ...erver. Check Time configuration and status; check DNS configuration. Warning 25022, Time not synchronized over traversal zone: The system time of this server is different from that on a server on the other side of a SIP traversal zone. Ensure that your systems have consistent Time configuration (note that any changes may take some time to become effective). Warning 30001, Capacity warning: The number of conc...

Page 410: ...n has been unavailable for more than n days. Its licenses will be removed from the total available for use across the cluster on date. Resolve the issue with this peer or remove it from the cluster configuration. Warning 30015, License usage of lost cluster peer: Several cluster peers have been unavailable for more than n days. Their licenses will be removed from the total available for use across the c...

Page 411: ...egistrations are distributed evenly across all peers. Warning 30025, Restart required: An option key has been changed; however, a restart is required for this to take effect. Restart the system. Warning 35001, Configuration warning: Active Directory mode has been enabled but the DNS hostname has not been configured. Configure DNS hostname. Warning 35002, Configuration warning: Active Directory mode has been en...

Page 412: ...cannot communicate with one or more remote hosts. Review the Event Log and check that the traversal zone between the VCS Control and the VCS Expressway is active. Warning 35014, Unified Communications SSH tunnel notification failure: This system cannot communicate with one or more remote hosts. Ensure that your firewall allows traffic from the VCS Control ephemeral ports to 2222 TCP on the VCS Express...

Page 413: ...vanced account security mode. Configure HTTPS client certificate validation. Warning 40014, Time out period required: A non-zero system session time out period is required when in advanced account security mode. Configure session time out period. Warning 40015, System session limit required: A non-zero system session limit is required when in advanced account security mode. Configure system session limit. W...

Page 414: ...sword is hashed using MD5, which is not secure enough. View instructions on changing the root password. Warning 40029, LDAP server CA certificate is missing: A valid CA certificate for the LDAP database has not been uploaded; this is required for connections via TLS. Upload a valid CA certificate. Warning 40030, Security alert: Firewall rules activation failed; the firewall configuration contains at least on...

Page 415: ...ion requests. Ensure that TLS verify mode is enabled on the traversal client zone. Warning 40040, Unified Communications configuration error: TLS verify mode is not enabled on a traversal zone configured for Unified Communications services. Ensure that TLS verify mode is enabled on the traversal zone (you may also need to check the remote traversal system). Warning 40041, Security alert: Automated intrusion...

Page 416: ...ly, but the H323-SIP Interworking Gateway option key has been deleted. Reconfigure Interworking mode or reinstall the option key. Warning 45006, Configuration warning: Expected default link between the Default Subzone and the Cluster Subzone is missing. Configure default links. Warning 45007, Configuration warning: Expected default link between the Default Subzone and the Traversal Subzone is missing. Confi...

Page 417: ...have their SIP default transport protocol set to protocol, but that protocol is disabled system-wide. Check that the SIP default transport protocol for the DNS zone and the system-wide SIP transport settings are consistent. Warning 45019, Insufficient media ports: There is an insufficient number of media ports to support the number of licensed calls. Increase the media port range. Warning 55001, B2BUA ser...

Page 418: ...r settings. Warning 55018, B2BUA misconfiguration: Transcoder address and/or port details are misconfigured. Check B2BUA configuration transcoder settings and the configured addresses of trusted hosts. Warning 55019, B2BUA misconfiguration: Invalid TURN server address. Check B2BUA configuration TURN settings. Warning 55021, B2BUA misconfiguration: The setting to offer TURN services for this B2BUA is misconfi...

Page 419: ...heck the Lync B2BUA status page for more information about the problem; you will then need to restart the B2BUA service after making any configuration changes. Warning 55101, B2BUA misconfiguration: Invalid VCS authorized host IP address. Restart the service; contact your Cisco representative if the problem persists. Warning 55102, B2BUA misconfiguration: Invalid URI format of VCS contact address. Restart t...

Page 420: ...A misconfiguration: Invalid command listening port. Restart the service; contact your Cisco representative if the problem persists. Warning 55116, B2BUA misconfiguration: Invalid debug status path. Restart the service; contact your Cisco representative if the problem persists. Warning 55117, B2BUA misconfiguration: Invalid service. Restart the service; contact your Cisco representative if the problem persists. ...

Page 421: ...ot start B2BUA application because cluster name configuration is missing. Configure the cluster name on the Clustering page. Warning 55130, B2BUA misconfiguration: Invalid cluster name. Check the cluster name and then restart the B2BUA service. Warning 55131, B2BUA misconfiguration: Invalid session refresh interval. Check B2BUA configuration advanced settings, then restart the B2BUA service. Warning 55132, B2...

Page 422: ...icated in the angle brackets following each command, using the following notation. Format / Meaning: <0..63>: indicates an integer value is required. The numbers indicate the minimum and maximum value; in this example the value must be in the range 0 to 63. <S: 7, 15>: an S indicates a string value (to be enclosed in quotation marks) is required. The numbers indicate the minimum and maximum number of characters for t...
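The valuespace notation is compact enough to validate against before a command is pushed to a VCS, for example in a script that generates `xConfiguration` lines from a template. The following is an added example, not code from the guide: it parses the two forms the page defines, `<lo..hi>` for a bounded integer and `<S: lo, hi>` for a quoted string of bounded length, and checks a raw CLI token against them. The enumeration form `<On/Off>` is my reading of the value lists (such as On/Off or Limited/Unlimited/NoBandwidth) shown for other commands on the page, whose separator the extraction lost; treat it as an assumption.

```python
"""Validate a raw CLI token against the valuespace notation used in the VCS
command reference: <0..63> (bounded integer), <S: 7, 15> (quoted string of
bounded length) and, as an assumption, <On/Off> (enumeration).
Added example, not VCS code."""
import re

INT_RE = re.compile(r"^<(-?\d+)\.\.(-?\d+)>$")
STR_RE = re.compile(r"^<S:\s*(\d+),\s*(\d+)>$")
ENUM_RE = re.compile(r"^<([^<>]+/[^<>]+)>$")


def check_value(valuespace: str, value: str):
    """Return (ok, reason). `value` is the token as typed on the CLI:
    integers unquoted, strings in double quotes, enumeration members bare."""
    m = INT_RE.match(valuespace)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if not re.fullmatch(r"-?\d+", value):
            return False, "integer required"
        return (lo <= int(value) <= hi), f"integer in {lo}..{hi}"

    m = STR_RE.match(valuespace)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            return False, "string must be enclosed in quotation marks"
        body = value[1:-1]
        return (lo <= len(body) <= hi), f"string of {lo}..{hi} characters"

    m = ENUM_RE.match(valuespace)
    if m:
        members = m.group(1).split("/")
        # Text entered through the CLI is case insensitive (page 402).
        ok = value.lower() in [x.lower() for x in members]
        return ok, "one of " + "/".join(members)

    return False, "unrecognised valuespace"


if __name__ == "__main__":
    # Constructed checks against valuespaces quoted on the page.
    for vs, val in [("<0..63>", "63"), ("<0..63>", "64"),
                    ("<S: 7, 15>", '"password123"'), ("<S: 7, 15>", "password123"),
                    ("<On/Off>", "on"), ("<On/Off>", "Maybe")]:
        print(vs, val, "->", check_value(vs, val))
```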

Page 423: ...hich configuration will be replicated to all other peers. A cluster consists of up to 6 peers, including the local VCS. Example: xConfiguration Alternates ConfigurationMaster: 1. Alternates Peer [1..6] Address: <S: 0, 128>: specifies the IP address of one of the peers in the cluster to which this VCS belongs. A cluster consists of up to 6 peers, including the local VCS. This must be a valid IPv4 or IPv6 address. Exa...

Page 424: ...he lifetime value (in seconds) the Presence User Agent will advertise in the PUBLISH messages it sends to the Presence Server. The Presence User Agent will refresh its PUBLISH messages at 75% of this value to keep them active. The Presence Server may reduce this value in its responses. Default: 3600. Example: xConfiguration Applications Presence User Agent ExpireDelta: 3600. Applications Presence User Agent ...

Page 425: ...ication ADS KDC 1 Port: 88. Authentication ADS MachineName: <S: 0, 15>: this overrides the default NETBIOS machine name used when the VCS joins the AD domain. Example: xConfiguration Authentication ADS MachineName: "short_name". Authentication ADS MachinePassword Refresh: <On/Off>: determines if this Samba client should refresh its machine password every 7 days when joined to the AD domain. Default: On. Example: xConfig...

Page 426: ...n/Off>: determines whether members of this group are allowed to log in to the system using the web interface. Default: On. Example: xConfiguration Authentication Account Admin Group 1 AccessWeb: On. Authentication Account Admin Group [1..n] Enabled: <On/Off>: indicates if the group is enabled or disabled. Access will be denied to members of disabled groups. Default: On. Example: xConfiguration Authentication Account ...

Page 427: ...ntials username. Default: captureCommonName. Example: xConfiguration Authentication Certificate UsernameTemplate: "captureCommonName". Authentication H350 BindPassword: <S: 0, 60>: sets the password to use when binding to the LDAP server. Example: xConfiguration Authentication H350 BindPassword: "abcXYZ_123". Authentication H350 BindSaslMode: <None/DIGEST-MD5>: the SASL (Simple Authentication and Security Layer) mechanism ...

Page 428: ...ch is then encrypted. Note: this does not apply to traversal client zones. Example: xConfiguration Authentication Password: "password123". Authentication Remote Digest Cache ExpireCheckInterval: <0..65535>: the interval between digest authentication cache expiration checks (in seconds). Default: 600. Example: xConfiguration Authentication Remote Digest Cache ExpireCheckInterval: 600. Authentication Remote Digest Cache...

Page 429: ...must be present. A special character is anything that is not a letter or a digit. A value of 0 disables this check. Default: 2. Example: xConfiguration Authentication StrictPassword MinimumOther: 2. Authentication StrictPassword MinimumUpperCase: <0..255>: the minimum number of upper case characters that must be present. A value of 0 disables this check. Default: 2. Example: xConfiguration Authentication StrictPass...
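The StrictPassword settings are simple counting rules, and it is worth seeing exactly how "special character" is defined (anything that is not a letter or a digit) and how the value 0 disables a check. The following is an added example, not code from the guide or the VCS: it applies the two checks the page shows, MinimumOther and MinimumUpperCase, with the page's defaults of 2. A third setting, MinimumLength, is included only to show how a disabled (0) check behaves and is an assumed name, not one taken from the page.

```python
"""Apply the StrictPassword checks described on page 429 to a candidate
password. Added example, not VCS code. MinimumOther and MinimumUpperCase
are from the page; minimum_length is an ASSUMED extra setting."""
from dataclasses import dataclass


@dataclass
class StrictPasswordPolicy:
    minimum_other: int = 2        # special characters required; 0 disables (page default 2)
    minimum_upper_case: int = 2   # upper case letters required; 0 disables (page default 2)
    minimum_length: int = 0       # ASSUMED setting, not on the page; 0 disables


def is_special(ch: str) -> bool:
    """Page 429: a special character is anything that is not a letter or a digit."""
    return not ch.isalnum()


def check_password(password: str, policy: StrictPasswordPolicy) -> list:
    """Return the list of failed checks; an empty list means the password passes."""
    failures = []
    if policy.minimum_other and sum(map(is_special, password)) < policy.minimum_other:
        failures.append(f"needs at least {policy.minimum_other} special characters")
    if policy.minimum_upper_case and sum(c.isupper() for c in password) < policy.minimum_upper_case:
        failures.append(f"needs at least {policy.minimum_upper_case} upper case characters")
    if policy.minimum_length and len(password) < policy.minimum_length:
        failures.append(f"needs at least {policy.minimum_length} characters")
    return failures


if __name__ == "__main__":
    policy = StrictPasswordPolicy()
    # "password123" is the example value quoted on page 428; it fails both default checks.
    for candidate in ["password123", "Pa$$Word"]:
        print(candidate, check_password(candidate, policy) or "OK")
```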

Page 430: ...t: Unlimited. NoBandwidth: no bandwidth available; no calls can be made on this pipe. Example: xConfiguration Bandwidth Pipe 1 Bandwidth PerCall Mode: Limited. Bandwidth Pipe [1..1000] Bandwidth Total Limit: <1..100000000>: if this pipe has limited bandwidth, sets the maximum bandwidth (in kbps) available at any one time on the pipe. Default: 500000. Example: xConfiguration Bandwidth Pipe 1 Bandwidth Total Limit: 1024. Ba...

Page 431: ...guration DNS PerDomainServer 1 Domain1: "dept.example.com". DNS PerDomainServer [1..5] Domain2: <S: 0, 39>: the second domain name to be resolved by this particular DNS server. Example: xConfiguration DNS PerDomainServer 1 Domain2: "other.example.com". DNS Server [1..5] Address: <S: 0, 39>: the IP address of a default DNS server to use when resolving domain names. You can specify up to 5 servers. These default DNS servers are...

Page 432: ...uto to automatically configure the speed. You must restart the system for any changes to take effect. Default: Auto. Example: xConfiguration Ethernet 1 Speed: Auto. ExternalManager Address: <S: 0, 128>: sets the IP address or Fully Qualified Domain Name (FQDN) of the external manager. Example: xConfiguration ExternalManager Address: "192.168.0.0". ExternalManager Path: <S: 0, 255>: sets the URL of the external manager. Defau...

Page 433: ...ve: <60..65534>: the interval (in seconds) at which an H.323 endpoint must re-register with the VCS to confirm that it is still functioning. Default: 1800. Example: xConfiguration H323 Gatekeeper TimeToLive: 1800. H323 Gateway CallerId: <IncludePrefix/ExcludePrefix>: specifies whether the prefix of the ISDN gateway is inserted into the caller's E.164 number presented on the destination endpoint. Including the prefi...

Page 434: ...tify references to this VCS in SIP messaging. Example: xConfiguration IP DNS Domain Name: "example.com". IP DNS Hostname: <S: 0, 63>: the DNS host name that this system is known by. This is not the fully qualified domain name, just the host label portion. The name can only contain letters, digits, hyphens and underscores. The first character must be a letter and the last character must be a letter or a digit. Exampl...
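Two of the input rules on this page are precise enough to check client-side before a value reaches the VCS: the general text-field character restrictions on page 402 (no tabs, angle brackets, ampersand or caret; other Unicode is allowed) and the IP DNS Hostname label rules above (up to 63 characters from letters, digits, hyphens and underscores, starting with a letter and ending with a letter or digit). The following is an added example, not code from the guide, covering both; an empty hostname is rejected here, which is a choice of this example rather than something the page states.

```python
"""Client-side validation of two VCS text fields: the general text-field
character restrictions (page 402) and the IP DNS Hostname label (page 434).
Added example, not VCS code."""
import re

# Page 402: tabs, angle brackets, ampersand and caret are specifically not allowed.
FORBIDDEN_TEXT_CHARS = frozenset("\t<>&^")

# Page 434: letters, digits, hyphens and underscores; first char a letter,
# last char a letter or digit; at most 63 characters (<S: 0, 63>).
# A single letter is a valid one-character label.
HOSTNAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9])?$")


def check_text_field(value: str) -> set:
    """Return the set of disallowed characters present; empty set means the value is acceptable."""
    return {ch for ch in value if ch in FORBIDDEN_TEXT_CHARS}


def check_hostname(label: str) -> bool:
    """True if `label` satisfies the IP DNS Hostname rules quoted above."""
    return HOSTNAME_RE.fullmatch(label) is not None


if __name__ == "__main__":
    # Constructed sample values.
    for text in ["Branch Office", "Branch <Office>", "Ops & Sec", "Zürich"]:
        print(repr(text), "forbidden chars:", check_text_field(text) or "none")
    for host in ["vcs-1", "1vcs", "vcs_", "my.host", "a" * 63, "a" * 64]:
        print(host[:16], check_hostname(host))
```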

Page 435: ...Disabled>: determines when RFC 4821 Packetization Layer Path MTU Discovery is used by the VCS network interface. Default: Disabled. Enabled: packetization layer MTU probing is always performed. Auto: disabled by default, enabled when an ICMP black hole is detected. Disabled: packetization layer MTU probing is not performed. Example: xConfiguration IP RFC4821 Mode: Disabled. IP Route [1..50] Address: <S: 0, 39>: specifies...

Page 436: ...c int. Login Remote LDAP CRLCheck: <None/Peer/All>: specifies whether certificate revocation lists (CRLs) are checked when forming a TLS connection with the LDAP server. CRL data is uploaded to the VCS via the trusted CA certificate PEM file. Default: None. None: no CRL checking is performed. Peer: only the CRL associated with the CA that issued the LDAP server's certificate is checked. All: all CRLs in the trust...

Page 437: ...ver. Only applies if using SASL. Example: xConfiguration Login Remote LDAP VCS BindUsername: "systemmanager". Login Remote Protocol: <LDAP>: the protocol used to connect to the external directory. Default: LDAP. Example: xConfiguration Login Remote Protocol: LDAP. Login Source Admin: <LocalOnly/RemoteOnly/Both>: defines where administrator login credentials are authenticated before access is allowed. Default: LocalOnly. ...

Page 438: ...ntSessionsUser: <0..65535>: the number of concurrent sessions that each individual administrator account is allowed on the system. This includes web, SSH and serial sessions. A value of 0 turns session limits off. Default: 0. Example: xConfiguration Management Session MaxConcurrentSessionsUser: 0. NTP Server [1..5] Address: <S: 0, 128>: sets the IP address or Fully Qualified Domain Name (FQDN) of up to 5 NTP servers to be...

Page 439: ...vocation list of the certificate authority of the certificate. Default: Off. Example: xConfiguration Policy AdministratorPolicy Service TLS CRLCheck Mode: Off. Policy AdministratorPolicy Service TLS Verify Mode: <On/Off>: controls X.509 certificate checking and mutual authentication between this VCS and the policy service. When enabled, the server's FQDN or IP address, as specified in the address field, must be...

Page 440: ...ndMe UserDeviceRestriction: Off. Policy Services Service [1..20] DefaultCPL: <S: 0, 255>: the CPL used by the VCS when the remote service is unavailable. Default: <reject status="504" reason="Policy Service Unavailable"/>. Example: xConfiguration Policy Services Service 1 DefaultCPL: "<reject status='403' reason='Service Unavailable'/>". Policy Services Service [1..20] Description: <S: 0, 64>: a free-form description of the Policy Service...

Page 441: ...e used by the VCS to log in and query the remote service. Example: xConfiguration Policy Services Service 1 UserName: "user123". Registration AllowList [1..2500] Description: <S: 0, 64>: a free-form description of the Allow List rule. Example: xConfiguration Registration AllowList 1 Description: "Everybody at example.com". Registration AllowList [1..2500] Pattern String: <S: 0, 60>: specifies an entry to be added to the Allow ...

Page 442: ...on Service Unavailable". Registration RestrictionPolicy Service Password: <S: 0, 82>: specifies the password used by the VCS to log in and query the remote service. The maximum plaintext length is 30 characters, which will then be encrypted. Example: xConfiguration Registration RestrictionPolicy Service Password: "password123". Registration RestrictionPolicy Service Path: <S: 0, 255>: specifies the URL of the remote se...

Page 443: ...messages to the syslog server, or choose user_defined to configure individually the transport type, port and format. Default: bsd. Example: xConfiguration Remote Syslog 1 Mode: bsd. Remote Syslog [1..4] Port: <1..65535>: the UDP/TCP destination port to use. Suggested ports: UDP 514; TCP/TLS 6514. Default: 514. Example: xConfiguration Remote Syslog 1 Port: 514. Remote Syslog [1..4] Transport: <udp/tcp/tls>: the transport protoco...

Page 444: ...128>: the traversal zone to use when delegating credential checks for SIP messages for this domain. Example: xConfiguration SIP Domain 1 Authzone: "traversalzone". SIP Domain [1..200] Edge: <On/Off>: whether remote and mobile collaboration features are enabled. Default: Off. Example: xConfiguration SIP Domain 1 Edge: On. SIP Domain [1..200] Name: <S: 0, 128>: specifies a domain for which this VCS is authoritative. The domain n...

Page 445: ...und Refresh Strategy: <Maximum/Variable>: the method used to generate the SIP registration expiry period for Outbound registrations. Default: Variable. Maximum: uses the lesser of the configured maximum refresh value and the value requested in the registration. Variable: generates a random value between the configured minimum refresh value and the lesser of the configured maximum refresh value and the value...

Page 446: ...ng message has been authenticated. Off: always forward messages that match this route. Example: xConfiguration SIP Routes Route 1 Authenticated: On. SIP Routes Route [1..20] Header Name: <S: 0, 64>: name of the SIP header field to match (e.g. Event). Note: this command is intended for developer use only. Example: xConfiguration SIP Routes Route 1 Header Name: "Event". SIP Routes Route [1..20] Header Pattern: <S: 0, 128>: regular expres...

Page 447: ...65534>: specifies the listening port for incoming SIP TCP calls. Default: 5060. Example: xConfiguration SIP TCP Port: 5060. SIP TLS Certificate Revocation Checking CRL Mode: <On/Off>: controls whether Certificate Revocation Lists (CRLs) are used to perform certificate revocation checking. CRLs can be loaded manually onto the VCS, downloaded automatically from pre-configured URIs, or downloaded automatically from ...

Page 448: ...calls. Default: 5060. Example: xConfiguration SIP UDP Port: 5060. SNMP CommunityName: <S: 0, 16>: the VCS's SNMP community name. Default: public. (The default community name is well known; change it before exposing SNMP, port 161 UDP, to any network you do not fully control.) Example: xConfiguration SNMP CommunityName: "public". SNMP SystemContact: <S: 0, 70>: the name of the person who can be contacted regarding issues with the VCS. Default: Administrator. Example: xConfiguration SNMP SystemContact: "Administrator". SNMP SystemLocation: <S: 0, 70>: the physical l...

Page 449: ...xConfiguration SystemUnit Maintenance Mode: Off. SystemUnit Name: <S: 0, 50>: defines the name of the VCS. The system name appears in various places in the web interface and on the front panel of the unit. Choose a name that uniquely identifies the system. Example: xConfiguration SystemUnit Name: "MainHQ". TimeZone Name: <S: 0, 64>: sets the local time zone of the VCS. Time zone names follow the POSIX naming convention...

Page 450: ...ia Port End: <1025..65533>: for traversal calls (where the VCS takes the media as well as the signaling), specifies the upper port in the range to use for the media. Ports are allocated from this range in pairs, the first of each being even; thus the range must end with an odd number. Default: 59999. Example: xConfiguration Traversal Media Port End: 59999. Traversal Media Port Start: <1024..65532>: for traversal calls ...

Page 451: ...by the VCS for SIP calls (including interworked calls) to and from this zone. Default: Auto. On: all media must be encrypted. Off: all media must be unencrypted. BestEffort: use encryption if available, otherwise fall back to unencrypted media. Auto: no media encryption policy is applied. Example: xConfiguration Zones DefaultZone SIP Media Encryption Mode: Auto. Zones DefaultZone SIP Record Route Address Type: <IP/Ho...

Page 452: ...faultSubZone Bandwidth Total Limit: 500000. Zones LocalZone DefaultSubZone Bandwidth Total Mode: <Limited/Unlimited/NoBandwidth>: controls if the Default Subzone has a limit on the total bandwidth being used by its endpoints at any one time. Default: Unlimited. NoBandwidth: no bandwidth available; no calls can be made to, from or within the Default Subzone. Example: xConfiguration Zones LocalZone DefaultSubZone...

Page 453: ...Office". Zones LocalZone SubZones MembershipRules Rule [1..3000] Subnet Address: <S: 0, 39>: specifies an IP address used in conjunction with the prefix length to identify this subnet. Example: xConfiguration Zones LocalZone SubZones MembershipRules Rule 1 Subnet Address: "192.168.0.0". Zones LocalZone SubZones MembershipRules Rule [1..3000] Subnet PrefixLength: <1..128>: the number of bits of the subnet address which mu...
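A subnet membership rule is just a network address plus a prefix length (1 to 128, so the same field covers IPv4 and IPv6), and the useful question when debugging registrations is which subzone a given endpoint address lands in. The following is an added example, not code from the guide: it builds a small constructed rule set from the same two fields the page documents and resolves endpoint addresses against it. Which rule wins when several match is not stated on this page; longest prefix is assumed here, and unmatched endpoints are reported as falling back to the Default Subzone.

```python
"""Resolve an endpoint address to a subzone using Subnet-type membership rules
(subnet address + prefix length, page 453). Added example, not VCS code;
the rule set is constructed and the longest-prefix tie-break is an assumption."""
import ipaddress
from typing import Optional


def build_rule(index: int, subnet_address: str, prefix_length: int, subzone: str) -> dict:
    """Mirror the two xConfiguration fields. strict=False tolerates host bits set in the address."""
    if not 1 <= prefix_length <= 128:  # valuespace <1..128>
        raise ValueError("prefix length out of range")
    net = ipaddress.ip_network(f"{subnet_address}/{prefix_length}", strict=False)
    return {"rule": index, "network": net, "subzone": subzone}


MEMBERSHIP_RULES = [  # constructed sample rules
    build_rule(1, "192.168.0.0", 24, "HeadOffice"),
    build_rule(2, "192.168.0.0", 16, "Corporate"),
    build_rule(3, "2001:db8::", 32, "IPv6Lab"),
]


def subzone_for(endpoint_ip: str, rules=MEMBERSHIP_RULES) -> Optional[str]:
    """Subzone of the most specific matching rule, or None when no rule matches
    (the endpoint would then fall into the Default Subzone)."""
    addr = ipaddress.ip_address(endpoint_ip)
    matches = [r for r in rules
               if addr.version == r["network"].version and addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: r["network"].prefixlen)["subzone"]


if __name__ == "__main__":
    for ip in ["192.168.0.7", "192.168.5.7", "10.1.1.1", "2001:db8:1::5"]:
        print(ip, "->", subzone_for(ip) or "Default Subzone")
```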

Page 454: ...any one time. Default: Unlimited. NoBandwidth: no bandwidth available; no calls can be made to, from or within this subzone. Example: xConfiguration Zones LocalZone SubZones SubZone 1 Bandwidth Total Mode: Limited. Zones LocalZone SubZones SubZone [1..1000] Name: <S: 0, 50>: assigns a name to this subzone. Example: xConfiguration Zones LocalZone SubZones SubZone 1 Name: "BranchOffice". Zones LocalZone SubZones SubZone 1 ...

Page 455: ...tion Zones LocalZone Traversal H323 TCPProbe RetryInterval: 2. Zones LocalZone Traversal H323 UDPProbe KeepAliveInterval: <1..65534>: sets the interval (in seconds) with which a traversal-enabled endpoint registered directly with the VCS will send a UDP probe to the VCS once a call is established, in order to keep the firewall's NAT bindings open. Default: 20. Example: xConfiguration Zones LocalZone Traversal H...

Page 456: ...ule [1..2000] Mode: <AliasPatternMatch/AnyAlias/AnyIPAddress>: determines whether a query is sent to the target zone. Default: AnyAlias. AliasPatternMatch: queries the zone only if the alias matches the corresponding pattern type and string. AnyAlias: queries the zone for any alias (but not IP address). AnyIPAddress: queries the zone for any given IP address (but not alias). Example: xConfiguration Zones Policy Search...

Page 457: ...chRules Rule 1 Progress: Continue. Zones Policy SearchRules Rule [1..2000] Protocol: <Any/H323/SIP>: the source protocol required for the rule to match. Example: xConfiguration Zones Policy SearchRules Rule 1 Protocol: Any. Zones Policy SearchRules Rule [1..2000] Source Mode: <Any/AllZones/LocalZone/Named>: the sources of the requests for which this rule applies. Default: Any. Any: locally registered devices, neighbor or ...

Page 458: ...specifies which video codec to use when empty INVITEs are not allowed. Default: H263. Example: xConfiguration Zones Zone 1 DNS Interworking SIP Video DefaultCodec: H263. Zones Zone [1..1000] DNS Interworking SIP Video DefaultResolution: <None/QCIF/CIF/4CIF/SIF/4SIF/VGA/SVGA/XGA>: specifies which video resolution to use when empty INVITEs are not allowed. Default: CIF. Example: xConfiguration Zones Zone 1 DNS Inte...

Page 459: ...[1..1000] DNS SIP SearchAutoResponse: <On/Off>: controls what happens when the VCS receives a SIP search that originated as an H.323 search destined for this zone. Default: Off. Off: a SIP OPTIONS message will be sent to the zone. On: searches will be responded to automatically without being forwarded to the zone. Example: xConfiguration Zones Zone 1 DNS SIP SearchAutoResponse: Off. Zones Zone [1..1000] DNS SIP TLS V...

Page 460: ...heckCredentials>: controls how the VCS authenticates incoming messages from this zone and whether they are subsequently treated as authenticated, unauthenticated, or are rejected. The behavior varies for H.323 messages, SIP messages that originate from a local domain, and SIP messages that originate from non-local domains. Default: DoNotCheckCredentials. Example: xConfiguration Zones Zone 3 Neighbor Authenti...

Page 461: ...ch video codec to use when empty INVITEs are not allowed. Default: H263. Example: xConfiguration Zones Zone 3 Neighbor Interworking SIP Video DefaultCodec: H263. Zones Zone [1..1000] Neighbor Interworking SIP Video DefaultResolution: <None/QCIF/CIF/4CIF/SIF/4SIF/VGA/SVGA/XGA>: specifies which video resolution to use when empty INVITEs are not allowed. Default: CIF. Example: xConfiguration Zones Zone 3 Neighbor Int...

Page 462: ...ne. This must be set to On for connections to a Microsoft Office Communications Server 2007. Default: Off. Example: xConfiguration Zones Zone 3 Neighbor SIP MIME Strip Mode: Off. Zones Zone [1..1000] Neighbor SIP Media Encryption Mode: <Off/On/BestEffort/Auto>: the media encryption policy applied by the VCS for SIP calls (including interworked calls) to and from this zone. Default: Auto. On: all media must be encrypt...

Page 463: ...quires a valid DNS system host name to be configured on the VCS. Default: IP. Example: xConfiguration Zones Zone 3 Neighbor SIP Record Route Address Type: IP. Zones Zone [1..1000] Neighbor SIP SDP Attribute Line Limit Length: <80..65535>: if SIP SDP attribute line limit mode is set to On, sets the maximum line length of a=fmtp SDP lines. Default: 130. Example: xConfiguration Zones Zone 3 Neighbor SIP SDP Attribute L...

Page 464: ...sManagerBFCP/NortelCS1000/NonRegisteringDevice/LocalB2BUAService>: determines how the zone's advanced settings are configured. Default: uses the factory defaults. Custom: allows you to configure each setting individually. Preconfigured profiles: alternatively, choose one of the preconfigured profiles to automatically use the appropriate settings required for connections to that type of system. Example: xConf...

Page 465: ...controls whether proxied SIP registrations routed through this zone are accepted. Default: Allow. Example: xConfiguration Zones Zone 4 TraversalClient Registrations: Allow. Zones Zone [1..1000] TraversalClient RetryInterval: <1..65534>: the interval (in seconds) with which a failed attempt to establish a connection to the traversal server should be retried. Default: 120. Example: xConfiguration Zones Zone 4 Traversa...

Page 466: ...Mode: DoNotCheckCredentials. Zones Zone [1..1000] TraversalServer Authentication UserName: <S: 0, 128>: the name used by the traversal client when authenticating with the traversal server. If the traversal client is a VCS, this must be the VCS's authentication user name. If the traversal client is a gatekeeper, this must be the gatekeeper's System Name. Example: xConfiguration Zones Zone 5 TraversalServer Authent...

Page 467: ...salServer SIP TLS Verify Mode On Off Controls X.509 certificate checking and mutual authentication between this VCS and the traversal client If enabled a TLS verify subject name must be specified Default Off Example xConfiguration Zones Zone 5 TraversalServer SIP TLS Verify Mode On Zones Zone 1 1000 TraversalServer SIP TLS Verify Subject Name S 0 128 The certificate holder's name to look for in th...

Page 468: ...ds with which the traversal client will send a UDP probe to the VCS Default 2 Example xConfiguration Zones Zone 5 TraversalServer UDPProbe RetryInterval 2 Zones Zone 1 1000 Type Neighbor TraversalClient TraversalServer ENUM DNS Determines the nature of the specified zone in relation to the local VCS Neighbor the new zone will be a neighbor of the local VCS TraversalClient there is a firewall betwe...

Page 469: ...nformation about using each of the xCommand commands from within the CLI type n xCommand or xCommand to return a list of all available xCommand commands n xCommand to return all current xCommand commands along with a description of each command a list of its parameters and for each parameter its valuespaces and description n xCommand command to return a description of the command a list of its par...

Page 470: ...trators AdsDcAdd Adds a new Active Directory server ActiveDirectoryAddress r S 0 39 The address of a domain controller that can be used when the VCS joins the AD domain Not specifying a specific AD will result in the use of DNS SRV queries to find an AD Example xCommand AdsDcAdd ActiveDirectoryAddress 192.168.0.0 AdsDcDelete Deletes an Active Directory server ActiveDirectoryId r 1 5 The index of the ...

Page 471: ...AllowListAdd PatternString John.Smith@example.com PatternType Exact Description Allow John Smith AllowListDelete Deletes an entry from the Allow List AllowListId r 1 2500 The index of the entry to be deleted Example xCommand AllowListDelete AllowListId 2 Boot Reboots the VCS This command has no parameters Example xCommand boot CheckBandwidth A diagnostic tool that returns the status and route as a...

Page 472: ...mconfigadd Performs a lookup on a Unified CM publisher Address r Value The FQDN or IP address of the Unified CM publisher Axlpassword r Value The password used by the VCS to access the Unified CM publisher Axlusername r Value The user name used by the VCS to access the Unified CM publisher CertValidationDisabled On Off Controls X.509 certificate checking against the certificate presented by the Un...

Page 473: ... 2 DisconnectCall Disconnects a call Call 1 1000 The index of the call to be disconnected CallSerialNumber S 1 255 The serial number of the call to be disconnected You must specify either a call index or a call serial number Example xCommand DisconnectCall CallSerialNumber 6d843434-211c-11b2-b35d-0010f30f521c Dnslookup Queries DNS for a supplied hostname Hostname Value The name of the host you wan...

Page 474: ...evel name must start with a letter Authzone S 1 128 The name of the traversal zone to use when delegating credential checks for SIP messages for this domain Leave this parameter unspecified if you want this VCS Expressway to perform the credential checking Edgesip On Off Endpoint registration call control and provisioning services are provided by Unified CM Default Off Edgexmpp On Off Instant mess...

Page 475: ...64 Descriptive name for the external application whose status is being referenced Example xCommand ExtAppStatusDelete Name foo Fail2ban Configures automated intrusion protection categories Argument S 1 64 The value applied by the command Command unbanip banip reload bantime findtime maxretry addignoreip delignoreip status The action to take Jail S 1 64 The category to which the command is applied ...
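The Fail2ban command above exposes the usual fail2ban knobs (bantime, findtime, maxretry, banip, unbanip, addignoreip, delignoreip, status) without showing how they interact. The following is an added illustration, not VCS code and not the fail2ban project's own implementation: it re-implements the sliding-window counting logic so the effect of findtime versus maxretry, the lazily expiring bantime and the ignore list can be observed offline. The default values and the failure log are constructed for the example.

```python
"""Sliding-window lockout in the style of fail2ban's findtime / maxretry /
bantime parameters. Added example, not VCS or fail2ban code."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Jail:
    findtime: int = 600       # seconds: window in which failures are counted (assumed value)
    maxretry: int = 5         # failures inside one window that trigger a ban (assumed value)
    bantime: int = 3600       # seconds a ban stays in force (assumed value)
    ignoreip: set = field(default_factory=set)   # never banned (addignoreip / delignoreip)
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _banned_until: dict = field(default_factory=dict)

    def add_ignore_ip(self, ip: str) -> None:
        self.ignoreip.add(ip)

    def del_ignore_ip(self, ip: str) -> None:
        self.ignoreip.discard(ip)

    def ban_ip(self, ip: str, now: int) -> None:
        self._banned_until[ip] = now + self.bantime

    def unban_ip(self, ip: str) -> None:
        self._banned_until.pop(ip, None)
        self._failures.pop(ip, None)

    def is_banned(self, ip: str, now: int) -> bool:
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:          # bantime elapsed: lift the ban lazily
            del self._banned_until[ip]
            return False
        return True

    def record_failure(self, ip: str, now: int) -> bool:
        """Register one authentication failure; True if it triggered a ban."""
        if ip in self.ignoreip or self.is_banned(ip, now):
            return False
        window = self._failures[ip]
        window.append(now)
        # Drop failures older than findtime, so slow, spread-out attempts never accumulate.
        while window and window[0] <= now - self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.ban_ip(ip, now)
            window.clear()
            return True
        return False

    def status(self, now: int) -> list:
        """Addresses currently banned (what a `status` query would report)."""
        return sorted(ip for ip in list(self._banned_until) if self.is_banned(ip, now))


# Constructed failure log for the example: (seconds since start, source address).
SAMPLE_EVENTS = (
    [(t, "203.0.113.5") for t in (0, 10, 20, 30, 40)]             # burst: 5 failures in 40 s
    + [(t, "198.51.100.7") for t in (0, 700, 1400, 2100, 2800)]   # slow: one failure per ~12 min
    + [(t, "192.0.2.1") for t in range(0, 100, 10)]               # 10 failures from an ignored host
)


def simulate(jail: Jail, events) -> list:
    """Replay events in time order; return the (time, ip) pairs at which bans fired."""
    return [(t, ip) for t, ip in sorted(events) if jail.record_failure(ip, t)]


if __name__ == "__main__":
    jail = Jail(ignoreip={"192.0.2.1"})
    print(simulate(jail, SAMPLE_EVENTS))      # [(40, '203.0.113.5')]
    print(jail.status(100), jail.status(3700))
```

Only the burst source is banned: the slow source never has maxretry failures inside one findtime window, which is why findtime must be chosen against the attacker's expected rate and not just maxretry, and the ignored host is never counted at all, so the ignore list should be limited to management hosts.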

Page 476: ... RegistrationFailure Event AuthenticationFailure Example xCommand FeedbackRegister ID 1 URL http://192.168.0.1/feedback Expression 1 Status Calls Expression 2 Event CallAttempt FindRegistration Returns information about the registration associated with the specified alias The alias must be registered on the VCS on which the command is issued Alias r S 1 60 The alias that you wish to find out about E...

Page 477: ...SDL LinkDelete Deletes a link LinkId r 1 3000 The index of the link to be deleted Example xCommand LinkDelete LinkId 2 ListPresentities Returns a list of all the presentities being watched by a particular subscriber Subscriber r S 1 255 The URI of the subscriber who is watching Example xCommand ListPresentities Subscriber john.smith@example.com ListSubscribers Returns a list of all subscribers who...

Page 478: ...th example com HopCount 15 Protocol SIP SourceZone LocalZone Authenticated Yes SourceAlias alice@example.com LoginUserAdd Adds an entry to the local authentication database Name r String Defines the name for this entry in the local authentication database Password r Password Defines the password for this entry in the local authentication database Example xCommand LoginUserAdd Name alice Password a...

Page 479: ...andwidth Controls total bandwidth restrictions for the pipe NoBandwidth no calls can be made using this pipe Default Unlimited Total 1 100000000 If this pipe has limited bandwidth sets the maximum bandwidth in kbps available at any one time on the pipe Default 500000 PerCallMode Unlimited Limited NoBandwidth Controls bandwidth restrictions of individual calls NoBandwidth no calls can be made using...

Page 480: ... or Fully Qualified Domain Name FQDN of the remote service Path S 0 255 Specifies the URL of the remote service StatusPath S 0 255 Specifies the path for obtaining the remote service status Default status UserName S 0 30 Specifies the user name used by the VCS to log in and query the remote service Password S 0 82 The password used by the VCS to log in and query the remote service The maximum plai...

Page 481: ...Crlcheck Off Format bsd Mode bsd Port 514 Transport udp RemoteSyslogDelete Address r Value The IP address or Fully Qualified Domain Name FQDN of the remote syslog server to delete Port r 1 65535 The port used by the remote syslog server to be deleted Transport r udp tcp tls The transport protocol used by the remote syslog server to be deleted Example xCommand RemoteSyslogDelete Address remote_serv...

Page 482: ...1 50 The index of the route to be deleted Example xCommand RouteDelete RouteId 1 Securemode Controls Advanced Account Security options Command r on off status The action to take (on, off or status) Example xCommand Securemode Command off SearchRuleAdd Adds a new search rule to route searches and calls toward a zone or policy service Name r S 0 50 Descriptive name for the search rule ZoneName S 0 50 ...

Page 483: ...equests will be forwarded Port r 1 65534 Specifies the port on the next hop for this route to which matching SIP requests will be routed Default 5060 Transport r UDP TCP TLS Determines which transport type will be used for SIP messages forwarded along this route Tag r S 0 64 Tag value specified by external applications to identify routes that they create Example xCommand SIPRouteAdd Method SUBSCRI...

Page 484: ...hin this subzone Default Unlimited PerCallIntra 1 100000000 Specifies the bandwidth limit in kbps for any one call between two endpoints within this subzone applies only if the mode is set to Limited Default 1920 Example xCommand SubZoneAdd SubZoneName BranchOffice TotalMode Limited Total 1024 PerCallInterMode Limited PerCallInter 512 PerCallIntraMode Limited PerCallIntra 512 SubZoneDelete Deletes...

Page 485: ...t the beginning of the alias Suffix the string must appear at the end of the alias Regex the string is treated as a regular expression Default Prefix Behavior Strip Replace AddPrefix AddSuffix How the alias is modified Strip removes the matching prefix or suffix from the alias Replace substitutes the matching part of the alias with the text in the replace string AddPrefix prepends the replace stri...

Page 486: ...functioning Xmppdelete Deletes the details of IM and Presence servers Address r Value The IP address or Fully Qualified Domain Name FQDN of the IM and Presence server to delete Example xCommand Xmppdelete Address imp_server.example.com Xmppdiscovery Discovers the details of IM and Presence servers Address r Value The IP address or Fully Qualified Domain Name FQDN of the IM and Presence server to d...

Page 487: ... endpoints discoverable by ENUM lookup DNS the new zone contains endpoints discoverable by DNS lookup Example xCommand ZoneAdd ZoneName UK Sales Office Type Neighbor ZoneDelete Deletes a zone ZoneId r 1 1000 The index of the zone to be deleted Example xCommand ZoneDelete ZoneId 2 ZoneList A diagnostic tool that returns the list of zones grouped by priority that would be queried and any transforms ...

Page 488: ...ements n xStatus element sub element to return the current status of that group of sub elements To obtain information about the xStatus commands type n xStatus to return a list of all elements available under the xStatus command xStatus elements The current xStatus elements are n Alarm n Alternates n Applications n B2BUACalls n B2buapresencerelayservice n B2buapresencerelayuser n Calls n Cluster n...

Page 489: ...ovisioningdevicestatussynch n Provisioningservice n Registrations n ResourceUsage n SIP n SipServiceDomains n SipServiceZones n SystemUnit n TURN n Time n Warnings n Zones Cisco VCS Administrator Guide X8 1 1 Page 489 of 507 Reference material Command reference xStatus ...

Page 490: ...external policy server a service request over HTTP or HTTPS the service will send a response back containing a CPL snippet which the VCS will then execute Using an external policy server The main areas where the VCS can be configured to use an external policy server are n Registration Policy to allow or reject registrations n Call Policy also known as Admin Policy to control the allowing rejecting...

Page 491: ...ists the possible parameters contained within a request and indicates with a ü in which request types that parameter is included It also indicates where relevant the range of accepted values Parameter name Values Registration Policy Search rules Call Policy User Policy ALIAS ü ALLOW_INTERWORKING TRUE FALSE ü ü ü AUTHENTICATED TRUE FALSE ü ü ü ü AUTHENTICATED_SOURCE_ALIAS ü ü ü AUTHENTICATION_USER_...

Page 492: ...ault CPL for registrations and Call Policy defaults to reject status 403 reason Service Unavailable and this will reject the request The Default CPL for policy services used by search rules defaults to reject status 504 reason Policy Service Unavailable and this will stop the search via that particular search rule This default CPL means that in the event of a loss of connectivity to the policy serv...
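Pages 490 to 492 describe the contract between the VCS and an external policy server: the VCS sends the request parameters (ALIAS, AUTHENTICATED and so on) over HTTP or HTTPS, the service answers with a CPL snippet, and if the service cannot be reached the Default CPL is applied, which rejects with 403 "Service Unavailable" for registrations and Call Policy and with 504 "Policy Service Unavailable" for search rules. The following is an added example, not VCS code and not a Cisco-supplied policy service: it shows a minimal decision function on the service side and the fail-closed fallback on the caller side. The CPL element names follow RFC 3880 (cpl, incoming, proxy, reject) and the status and reason values quoted on this page; the exact schema the VCS accepts, the trusted-domain rule and the sample parameters are assumptions made for the example.

```python
"""External policy server decision plus fail-closed default CPL.
Added example; the policy rule and CPL shape are assumptions, not the VCS's own code."""
import xml.etree.ElementTree as ET

CPL_NS = "urn:ietf:params:xml:ns:cpl"

# Fail-closed defaults as quoted on the page, keyed by the kind of request the VCS made.
DEFAULT_CPL = {
    "registration": (403, "Service Unavailable"),
    "call": (403, "Service Unavailable"),
    "search_rule": (504, "Policy Service Unavailable"),
}


def reject_cpl(status: int, reason: str) -> str:
    """Serialise a CPL snippet that rejects the request with a SIP status and reason."""
    cpl = ET.Element("cpl", xmlns=CPL_NS)
    incoming = ET.SubElement(cpl, "incoming")
    ET.SubElement(incoming, "reject", status=str(status), reason=reason)
    return ET.tostring(cpl, encoding="unicode")


def proxy_cpl() -> str:
    """Serialise a CPL snippet that lets the request proceed."""
    cpl = ET.Element("cpl", xmlns=CPL_NS)
    incoming = ET.SubElement(cpl, "incoming")
    ET.SubElement(incoming, "proxy")
    return ET.tostring(cpl, encoding="unicode")


def policy_decision(params: dict, trusted_domains: set) -> str:
    """Service-side rule (assumed for the example): accept only authenticated
    requests whose ALIAS belongs to a trusted domain. Parameter names and the
    TRUE/FALSE encoding are the ones listed on page 491."""
    if params.get("AUTHENTICATED") != "TRUE":
        return reject_cpl(403, "Authentication required")
    domain = params.get("ALIAS", "").rpartition("@")[2].lower()
    if not domain or domain not in trusted_domains:
        return reject_cpl(403, "Untrusted domain")
    return proxy_cpl()


def evaluate(request_type: str, params: dict, fetch_policy) -> str:
    """Caller side: fetch_policy(params) stands in for the HTTP(S) round trip and
    returns the service's CPL. Any failure to reach the service is treated as a
    loss of connectivity and the Default CPL for that request type is applied,
    so the policy fails closed rather than open."""
    try:
        return fetch_policy(params)
    except Exception:
        status, reason = DEFAULT_CPL[request_type]
        return reject_cpl(status, reason)


def parse_decision(cpl_text: str) -> tuple:
    """Reduce a CPL snippet to ('proxy', None, None) or ('reject', status, reason)."""
    root = ET.fromstring(cpl_text)
    ns = {"c": CPL_NS}
    rej = root.find("c:incoming/c:reject", ns)
    if rej is not None:
        return ("reject", int(rej.get("status")), rej.get("reason"))
    return ("proxy", None, None)


if __name__ == "__main__":
    trusted = {"example.com"}
    service = lambda p: policy_decision(p, trusted)

    def unreachable(p):  # simulates the policy server being down
        raise ConnectionError("policy server unreachable")

    print(parse_decision(evaluate("call", {"ALIAS": "alice@example.com", "AUTHENTICATED": "TRUE"}, service)))
    print(parse_decision(evaluate("call", {"ALIAS": "mallory@evil.example", "AUTHENTICATED": "TRUE"}, service)))
    print(parse_decision(evaluate("registration", {"ALIAS": "bob@example.com"}, unreachable)))
    print(parse_decision(evaluate("search_rule", {"ALIAS": "bob@example.com"}, unreachable)))
```

The caller-side fallback is the security-relevant part: a policy service outage must not silently turn into "allow everything", which is why the Default CPL rejects, and why the search-rule case uses a distinct 504 status so that the search simply stops via that rule instead of being answered as a policy denial.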

Page 493: ...d 0008 TEST4 pkt_denied access denied 0010 TEST5 pkt_auth authentication failure 0020 TEST6 pkt_stratum invalid leap or stratum 0040 TEST7 pkt_header header distance exceeded 0080 TEST8 pkt_autokey Autokey sequence error 0100 TEST9 pkt_crypto Autokey protocol error 0200 TEST10 peer_stratum invalid header or stratum 0400 TEST11 peer_dist distance threshold exceeded 0800 TEST12 peer_loop synchroniza...

Page 494: ...6 The Reason Header Field for the Session initiation Protocol SIP 3265 Session Initiation Protocol SIP Specific Event Notification 3327 Session Initiation Protocol SIP Extension Header Field for Registering Non Adjacent Contacts 3489 STUN Simple Traversal of User Datagram Protocol UDP Through Network Address Translators NATs 3515 The Session Initiation Protocol SIP Refer Method 3550 RTP A Transpor...

Page 495: ... Control Messages in the RTP Audio Visual Profile with Feedback AVPF Temporary Maximum Media Stream Bit Rate Request TMMBR 5245 Interactive Connectivity Establishment ICE 5389 Session Traversal Utilities for NAT STUN 5424 The Syslog Protocol 5626 Managing Client Initiated Connections in the Session Initiation Protocol SIP 5627 Obtaining and Using Globally Routable User Agent URIs GRUUs in the Sess...

Page 496: ...ainst its on box local database of usernames and passwords before checking against any configured H 350 directory server As a result of this l The Device authentication configuration page no longer exists there is no longer an option to switch between an authentication database type of Local database or LDAP database l The NTLM protocol challenges setting is now configured on the Active Directory ...

Page 497: ...re connections only n Access to the VCS via the serial port can be disabled n You can configure the authentication method used by the VCS when connecting to an NTP server It utilizes the security features available in NTPv4 and retains compatibility with NTPv3 implementations Options include symmetric key message hashing and private key encryption n System backup files can now be encrypted passwor...

Page 498: ... all peer addresses if the VCS is part of a cluster when used in a replace string the variable is always substituted with the address of the local peer only n The Microsoft B2BUA now supports up to 100 simultaneous calls the limit was 50 previously however calls that use transcoder resources count as 2 calls n TURN server now has full IPv6 support as per RFC 6156 The TURN relays status page displa...

Page 499: ...S Agent legacy mode to the new Provisioning Extension mode as soon as is practicable Call processing n Improved interworking between VCS and Cisco Unified Communications Manager VCS now always stays in the call signaling route for calls to neighbor zones that are configured with the Cisco Unified Communications Manager or the Infrastructure device zone profiles Virtual appliance support n The VCS ...

Page 500: ...ject to per peer limits but the licenses are available to all peers in the cluster See License usage within a cluster p 160 for more information Note that any other option keys FindMe for example must still be installed identically on each cluster peer as before Microsoft Edge Server support via B2BUA for Microsoft OCS Lync Support for Microsoft Edge Server communications has been added via the in...

Page 501: ... taken by a network packet sent from the VCS to a particular destination host system n DNS lookup allows you to check which domain name server DNS server is responding to a request for a particular hostname Alarms warnings n Warnings are now referred to as alarms n The alarm icon in the menu bar indicates the current number of unacknowledged alarms n The Alarms page indicates when an alarm was las...

Page 502: ... list page n Chrome web browser is now supported Internet Explorer 6 is no longer officially supported n The administrator no longer has to log out and log back in again after reconfiguring DNS server addresses n There is a new Call signaling routed mode advanced zone profile setting for neighbor zones It controls whether the zone always takes the signaling or uses the system wide Call routed mode...

Page 503: ...uide www.cisco.com FindMe Deployment Guide www.cisco.com VCS Getting Started Guide www.cisco.com VCS IP Port Usage for Firewall Traversal www.cisco.com Microsoft Lync 2010 Cisco AM GW and VCS Deployment Guide www.cisco.com Microsoft Lync and VCS Deployment Guide www.cisco.com Multiway Deployment Guide www.cisco.com VCS Starter Pack Express Deployment Guide www.cisco.com Unified Communications Mobi...

Page 504: ...l UDP Through NATs http://tools.ietf.org/html/rfc3489 RFC 3550 RTP A Transport Protocol for Real Time Applications http://tools.ietf.org/html/rfc3550 RFC 3761 The E.164 to URI Dynamic Delegation Discovery System DDDS Application ENUM http://tools.ietf.org/html/rfc3761 RFC 3880 Call Processing Language CPL A Language for User Control of Internet Telephony Services http://tools.ietf.org/html/rfc3880 RFC 402...

Page 505: ... be found at http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/license_info/Cisco_VCS_EULA.pdf This product includes copyrighted software licensed from others A list of the licenses and notices for open source software used in this product can be found at http://www.cisco.com/en/US/products/ps11337/products_licensing_information_listing.html This product includes software developed by Co...

Page 506: ... obtain a separate use license from MPEG LA prior to any use of AVC H.264 encoders and or decoders Patent information This product is covered by one or more of the following patents n US7,512,708 n EP1305927 n EP1338127 Cisco VCS Administrator Guide X8 1 1 Page 506 of 507 Reference material Legal notices ...

Page 507: ...NG WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN ...