D14049.07
March 2010
TANDBERG VIDEO COMMUNICATION SERVER ADMINISTRATOR GUIDE
Registration control
About Allow and Deny Lists
When an endpoint attempts to register with the VCS it presents
a list of aliases. You can control which endpoints are allowed to
register by setting the Restriction Policy to Allow List or Deny
List and then including any one of the endpoint’s aliases on the
Allow List or the Deny List as appropriate. Each list can contain
up to 2,500 entries.
When an endpoint attempts to register, each of its aliases
is compared with the patterns in the relevant list to see if it
matches. Only one of the aliases needs to appear in the Allow
List or the Deny List for the registration to be allowed or denied.
For example, if the Registration Restriction policy is set to
Deny List and an endpoint attempts to register using three aliases,
one of which matches a pattern on the Deny List, that endpoint’s
registration will be denied. Likewise, if the Registration
Restriction policy is set to Allow List, only one of the endpoint’s
aliases needs to match a pattern on the Allow List for it to be
allowed to register using all its aliases.
Allow Lists and Deny Lists are mutually exclusive: only one may
be in use at any given time.
You can also control registrations at the subzone level.
Each subzone's registration policy can be configured to
allow or deny registrations assigned to it via the subzone
membership rules.
Allow and Deny Lists
Activating use of Allow or Deny Lists
The Registration Configuration page allows you to specify
whether an Allow List or a Deny List should be used when
determining which endpoints may register with the VCS.
To go to the Registration Configuration page:
• VCS configuration > Registration > Configuration.
To configure this using the CLI:
• xConfiguration Registration RestrictionPolicy
The Restriction policy option specifies the policy to be used
when determining which endpoints may register with the VCS.
The options are:
• None: any endpoint may register.
• AllowList: only those endpoints with an alias that matches an
entry in the Allow List may register.
• DenyList: all endpoints may register, unless they match an entry
on the Deny List.
The default is None.
! If you have elected to use an Allow List or a Deny List,
you must also go to the appropriate configuration page
(VCS configuration > Registration > Allow List or VCS
configuration > Registration > Deny List) to create the
list to be used.
Removing existing registrations
After an Allow List or Deny List has been activated, it controls
all registration requests from that point forward. However, any
existing registrations may remain in place, even if the new list
would otherwise block them. You should therefore manually
remove all existing unwanted registrations after you
have implemented an Allow List or Deny List.
To manually remove a registration, go to Status > Registrations
> By device, select the registration(s) you want to remove, and
click Unregister.
Re-registrations
All endpoints must periodically re-register with the VCS in order
to keep their registration active. If you do not manually delete the
registration, the registration could be removed when the endpoint
attempts to re-register, but this depends on the protocol being
used by the endpoint:
• H.323 endpoints may use "light" re-registrations which do not
contain all the aliases presented in the initial registration, so
the re-registration may not get filtered by the Allow List or Deny
List. If this is the case, the registration will not expire at the
end of the registration timeout period and must be removed
manually.
• SIP re-registrations contain the same information as the initial
registrations so will be filtered by the Allow List and Deny
List. This means that, after the list has been activated, all
SIP registrations will disappear at the end of their registration
timeout period.
The frequency of re-registrations is determined by the
Registration Expire Delta setting for SIP (VCS configuration >
Protocols > SIP > Configuration) and the Time to Live setting for
H.323 (VCS configuration > Protocols > H.323).
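
The any-one-alias matching rule from "About Allow and Deny Lists" and the clean-up described under "Removing existing registrations" and "Re-registrations", as an added example (not TANDBERG code and not part of the original guide): a Python model that decides whether a registration is allowed and sorts pre-existing registrations a newly activated list would block into those that lapse on their own (SIP) and those to unregister manually (H.323). The function names, the sample registrations and the shell-style wildcard patterns are assumptions; the VCS's own pattern syntax is not described on this page.

```python
from fnmatch import fnmatchcase

# Assumption: patterns are shell-style wildcards matched with fnmatch;
# the VCS's own pattern types are not described on this page.
def matches_list(aliases, patterns):
    """True if any one alias matches any pattern on the list."""
    return any(fnmatchcase(a, p) for a in aliases for p in patterns)

def registration_allowed(policy, aliases, patterns):
    """Decision for a new registration under the Restriction policy."""
    if policy == "None":
        return True
    hit = matches_list(aliases, patterns)
    if policy == "AllowList":
        return hit
    if policy == "DenyList":
        return not hit
    raise ValueError(f"unknown policy: {policy}")

def audit_existing(policy, patterns, registrations):
    """Classify registrations that predate the list and that it would block.

    Returns (expires, manual): SIP entries drop out at their next
    re-registration; H.323 entries may persist via light re-registrations
    and should be unregistered by hand.
    """
    expires, manual = [], []
    for reg in registrations:
        if registration_allowed(policy, reg["aliases"], patterns):
            continue
        (expires if reg["protocol"] == "SIP" else manual).append(reg["name"])
    return expires, manual

# Constructed sample data (hypothetical names and aliases).
DENY_PATTERNS = ["guest*", "*@untrusted.example"]
REGISTRATIONS = [
    {"name": "room-1", "protocol": "SIP", "aliases": ["room1@corp.example"]},
    {"name": "lobby", "protocol": "SIP", "aliases": ["lobby@corp.example", "guest-lobby"]},
    {"name": "legacy-7", "protocol": "H.323", "aliases": ["7001", "bob@untrusted.example"]},
    {"name": "boardroom", "protocol": "H.323", "aliases": ["7002", "board@corp.example"]},
]

if __name__ == "__main__":
    expires, manual = audit_existing("DenyList", DENY_PATTERNS, REGISTRATIONS)
    print("Will lapse at next SIP re-registration:", expires)
    print("Unregister manually (H.323):", manual)
```
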