VCS - C 7.2.2 to VCS - E with X8.1.1

Similar Questions

• VCS - C cluster and Cluster VCS-E with Movi 4.6 register and call interruption

  Hi all

  We have VCS - C cluster and Cluster VCS-E with Movi 4.6 register and call interruptions. The point is, if the appeal or record comes from the Internet. We have the sip proxy model vcse--> vcs - c record. The strange point is, if run us in mode not cluster with only 1 vcs - c, then the call works very well or so over 1 minute. We also have findme. The call internal registered locally (VCSC) works as well) the case appears if the active VCS - c cluster and the movi has been listed in the subzone of the crossing of VCS - c
  VCS versions are x.7.2.2 and tms 14.2.2
  Thx for your comments

  Sent by Cisco Support technique iPhone App

  Hi friend

  The issue you are experiencing is a known limit of Jabber of telepresence. This happens when registration of the device is transmitted by proxy to the VCS control, where VCS are clusters. Probably what is happening:

  -Jabber client records through the fast track to a control in the area of the highway crossing.

  -L' check requires authentication

  -When the customer registers again every minute (registration of SIP (re) process normal), the registration request is sent to one of the other controls in the cluster.

  -The customer then completes the current record and authenticates back to the other control

  -The client (Jabber) will tear down the ongoing call when there is re - authenticate registration

  This problem is resolved in the current version for Jabber for iPad. The current version of Jabber for TelePresence still has this problem. Default: CSCud17952

  Another user has reported the same issue. See the following:

  https://supportforums.Cisco.com/message/3967325#3967325

  Zachary Colton gave the answer. I simply copied his explanation and pasted here.

  Paulo Souza

  Please note the answers and mark it as "answered" as appropriate.

• VCS Express with CUCM 10

  Hello

  There is a lot of confusion on Express C/E & VCS C/E, if anyone can confirm my following queries:

  With VCS VCS & Express control every endpoint to register with VCS control (no participation required CUCM or VCS control can't integrate with CUCM)?

  With Highway Core & edge that every endpoint is record in CUCM & CUCM will record Expressway Core?

  For calls B2B & movi Jabber, that we must have Expressway Center/periphery, VCS control/Express IS NOT support jabber movi & called B2B?

  Software Express C/E & VCS C/E are the same, but the licenses are different?

  Our clients have obtained

  1 x control VCS licensed

  1 x Express VCS under license

  1 x ISDN gateway,

  1 x TP driver

  1 x TP management suit.

  Kind regards

  Francisco

  With VCS VCS & Express control every endpoint to register with VCS control (no participation required CUCM or VCS control can't integrate with CUCM)?

  Yes, no CUCM is required, endpoints can also enroll in the VCS-E or it could register SIP to VCS - C proxy endpoints. A parallel installation of VCS CUCM with a trunk should also work with todays versions.

  The VCS will be only support standards basis of endpoints SIP and H323, its main purpose

  a for video settings. You won't be able to use it to register, provision or use of Cisco IP phones with it.

  With Highway Core & edge that every endpoint is record in CUCM & CUCM will record Expressway Core?

  See the C & E highway as a single unit to the external communication. The registrations are transferred by proxy

  CUCM outside.

  But that also means, you can't register 3 party at the highway and even end points

  Cisco endpoints must support the installation of the fast track C & E.

  The highway also runs things like XMPP for Jabber.

  For calls B2B & movi Jabber, that we must have Expressway Center/periphery, VCS control/Express IS NOT support jabber movi & called B2B?

  The C & E Highway can also manipulate calls business2business or another sip trunks / h323, but this infrastructure requires the media license.

  B2B calls also works very well with the installation of VCS.

  If you are talking about how to provide Jabber accounts and video Jabber:

  There are video Jabber (which is implemented by TMS and VCS) and Jabber (i.e. led CUCM) there.

  If you are talking about outside calls that he can just be regarded as regular b2b external calls.

  then they be it work with VCS or motorways on the site of the end.

  Software Express C/E & VCS C/E are the same, but the licenses are different?

  It is correct. Licensing Expressway is more attractive for users CUCM, but you already have

  have SPRDD in place that should work in all cases well.

  With CUCM, you get licenses Expressway in any case. So according to the type of use, you.

  B2B, internal calls... you can add a configuration of fast track to Jabber and the stuff of office home and

  use the VCs to B2B and part 3 records.

• Jabber client - encryption of VCS Expressway with MRA

  Hi all

  I'm working on the implementation of MRA for a video solution existing. Version CUCM is 9.1.2 (no IM & P server), vcs - c and vcs-e 8.2.2.  Client Jabber is 11.5.x

  I finished most of the introduction and I am able to call internally and externally through MRA.

  I still have a few things to tweak.  One is the encryption of video calling once jabber connects from outside.  From my understanding, the thigh jabber call end point and VCS Expressway uses TLS. But when I run wireshark on the PC with Jabber client, I don't see the RTP stream as being encrypted.

  CUCM my jabber device does not use a secure profile.  Is it ok or not?

  Please let me know if more are needed.  Thank you

  You can confirm the call is encrypted from the client of jabber MRA by doing as follows (I used 11.5 jabber client, if you are using an older client, I can't guarantee this method):

  1. make a call from the client jabber ARM, once the call is configured and media is established, you can end the call.
  2. create a jabber client problem report (help > report a problem...)
  3. Enter the required details and save the .zip file.
  4 extract the file "jabber.log" from the .zip file. Since this file (at least since the version of client jabber 11.5) has the SIP messaging included in this document, you can use TranslatorX to view the file (you can also use a text editor if you wish).
  5 generate a diagram of the log file.

  translatorx - 01.png

  

  6. in the diagram of the scale, you should be able to locate the origin of the call. Search for an invitation, in my case a "RE-INVITE" and select it. A pop-up window will appear with the details of the SIP message.

  translatorx - 02.png

  

  7. read the content of the message prompt of the SIP protocol (focusing on the SDP - the component of negotiating media). I won't go into detail about how to read SIP messages (there's a good article here, it is not for jabber specifically, but the same concepts apply).

  translatorx - 03.png

  

  8. close the prompt message and open the message 'OK w/SDP' to examine the response of the VCS-E. The SDP response, we can confirm that the encryption settings have been accepted for the media (media will be encrypted).

  translatorx - 04.png

  

  For re - apply point Jamie, unless you run CUCM in mixed mode and using security profiles, signalling/media encryption stops on the thigh of CUCM/endpoint and the VCS - C respectively. See the diagram below for reference (mixed mode not implemented).

  MRA-media - flow.png

  

  You need not applied to the device of CSF security profiles to obtain the encryption between the client of jabber MRA and the VCS-E. If you can decode signaling and media packets in Wireshark your jabber client, you probably will not connect via ARM (ARM is always encrypted).

  Please let us know if that helps.

  -Jon

• Reuse an existing one (currently registered for VCS) C20 with CUCM 8.6.2

  Hello friends...

  I have existing C20 which is registed to the VCS control running Software version: TC6.0.0.876266.

  Now, I thought of trying to save this to my 8.6.2 CUCM end point. I know that there is a different firmware (file Release TC5.1.3 - COP CUCM) who should be responsible on this endpoint before it can register.

  I looked for Cisco docos but they all assume that the Endepoint is already running a friendly of CUCM (file COP) endpoint. No cover that I could find the steps on how to get the file of the Conference of the PARTIES on the endpoint.

  Unless he can can be loaded via the CUCM by registering to the CUCM? But my question, it'll still join CUCM if he does not run the

  CUCM friendly (COP file) on the endpoint.

  Any thoughts on this will be appreciated.

  Kind regards

  Hello

  You're poorly understand the concept. C20 and an other TC end points do not have a special firmware to run on CUCM. The COP file that you install on CUCM is just a package to contain the common endpoint upgrade file, the same file that you can download and install manually in your endpoint.

  You can then go ahead and enter them on CUCM 8.6.2 is running the same version you, TC 6.0.0.

  This document contains all the instructions you need:

  http://www.Cisco.com/en/us/docs/Telepresence/endpoint/codec-c-series/TC5/administration_guide/cts_endpoint_administration_ucm86_quick_start_guide_tc50.PDF

  Concerning

  Paulo Souza

  My answer was helpful? Please note the useful answers and do not forget to mark questions resolved as "responded."

• A VCS - C with two clients of course to the two different VCS - E (traversal servers)

  Hello

  Can I have a WHAT VCS - C connected to two different VCS-E?

  So, I will configure two 'route customers' VCS - C each pointing to VCS - E, and each VCS-E will have a 'crossing server' set up.

  Hello Jose,.

  Yes, it is possible, you can have several customer experience (and also servers traversal) on each VCS.

  Jens: there is an abundance of deployments where this would be wise. A cluster can have meaning where you need a logic of instance, which is be of multiple physical boxes.

  We have customers who need an environment safe, so that they have a VCS - E for outbound communications, generic endpoints and then VCS-control a VCS-E for another network to terminate VPN connections internal who couldn't talk directly inside.

  There was one other poster here recently where a company had a VCS - E + C Setup, the other

  C only, so that they could use a VCS-E talk to each other.

  But even in the same network where you want to cluster, but you cannot due to

  various geolocations with much delay between the sites...

  And so now ;-)

• Control of VCS and VCS expressway design

  I have a problem with the design of control and track Express VCS. Now, here's two VCS control and a highway. As you know, put on the Internet Highway and a control on my seat. At the same time, I want to put the other control on the management of my company which is in another city. Can it work correctly? How dose it work?

  You must create two zones on VCS Expressway crossing server and a customer journey area by control VCS.

  In other words, you should have a link path by VCS - C connection VCS-E separately.

  Please be sure to set different H.323/SIP port on each VCS - C.

  For example:

  VCS - C1 (Headquarters): area of traversal client pointing to VCS-E 6001 as port H323 and SIP traversal port 7001.

  VCS - C2 (branch): area of traversal client pointing to VCS - E with 6002 as port H323 and SIP traversal port 7002.

  VCS-E: a traversal server zone list for VCS - C1 (6001 as port H323 and SIP traversal port 7001) and other traversal server list for VCS - C2 (6002 as port H323 and SIP traversal port 7002)

• VCS - C leave IP address directly with VCS - E also

  Hello

  I have a VCS - C with a VCS-E in an environment x7.0

  The majority of endpoints are registered on the VCS - C, but there are some points of endpoints that are not for specific reasons.

  Endpoints are not registered in the VCS - C can call termination points registered by its IP address, but the end point registered can not dial end points unregistered. I understand that this is normal with the indirect numbering and the VCS-E but y at - there a way around this direct IP activation on the VCS - C and the use of a search rule that everything that does not correspond to a 10. hit the VCS-E?

  I'm doing a lab to do the test but would be great to see some comments on this.

  Thank you

  Hello

  You can work around this by creating a subarea on the VCS - C with one or several partners subzone composition one or several rules of type "Subnet", where you set of these endpoints unregistered IP addresses/ranges.

  This will have the effect that when registered endpoint contains an IP address appearing in one of this subarea subnet-type membership rules, the VCS - C will consider the known IP address and continue to attempt to place the call to that specific IP address.

  It will be easier for you if these unregistered end points were easy to define subnet membership rules, for example if they are all in the same subnet, rather than spread around different subnets, without overlap.

  -Andreas

• Where can I find documentation on how to get the VCS - C and VCS-E to Exchange presence information

  I turned presence on my VCS - C and VCS-E, but depending on whether I am VPNed or not, I don't see the State of the presence of my side of the firewall.

  I checked for x7.1 Administrator's guide, I looked in the guide of authentication devices, and I'm at a bit of a loss.

  Is what I'm trying to do as possible, and if so, what do I have to do to make this work?

  I have a pretty simple setup - that works very well, could give you some ideas;

  Two VCS - Independent C (soon to be clustered) and a VCS-E;

  all internal clients of the JabberVideo register with a VCS - C, and when external registers with the VCS-E (all of my users of Singapore recorded with the VCS-E).

  Authentication is directly with AD and is made on the a WHAT VCS - C regardless of the user is registered with the VCS - C or the VCS-E.

  PUA and presence disabled on VCS-E and activated on the VCS - C, which is used as SIP registrar.

  Authentication on VCS - e:

  Default subfield "do not check".

  Default zone "do not check".

  Traversal server box "do not check".

  Authentication on VCS - C:

  Default subfield "audit powers.

  MOVI area 'audit powers.

  Point final SIP registration box "treat as authenticated.

  Course customer area 'audit powers.

  Authentication works well, the users cannot sign up for the VCS-E with the wrong password or user name, and presence works well too - both inside and outside.

  /Jens

• C20 / VCS disconnect

  Hello

  We always seem to have problems calling VCS VCS systems with endpoints via internet. We lack 7.2 on our VCS and remote society running 7.1 on the VCS. Calls connect ok but there are drops randomly during the session 3, session of 1 h 30. I get a busy error user (logged on TMS) when trying to reconnect and I finally pass after a few minutes by train. I checked the C20 error logs and you can find this error - can anyone explain highlights lines below? or explain why I get disconnected?

  Thank you

  Stem

  (The appeal of VC is going through internet to the remote system)

  21 Nov 07:32:41 (none) principal: 3150.48 MC I: RemoteParticipant::configureIncomingChannel: table of capacity:

  21 Nov 07:32:41 (none) principal: 3150.48 i H323Call: h323_call_handler::handleH323IncMode: incoming mode

  21 Nov 07:32:41 (none) principal: 3150.48 MC I: RemoteParticipant::configureIncomingChannel: table of capacity:

  21 Nov 07:32:41 (none) principal: 3150.48 i H323Call: h323_call::configureIncomingChannelCnf (p = 6): don't send not openSessionCnf to receive the mode change

  21 Nov 07:32:41 (none) principal: 3150.49 DataGateCfgReq (ig = 5) DATACTRL I: hdlc = yes

  21 Nov 07:32:41 (none) principal: 3150.49 DataGateCfgReq (ig = 5) DATACTRL I: hdlc = yes

  21 Nov 07:32:41 (none) principal: 3150.49 i H323Call: h323_call::configureIncomingChannelCnf (p = 6): don't send not openSessionCnf to receive the mode change

  21 Nov 07:32:41 (none) principal: 3150.49 i H323Call: h323_call_handler::handleH323IncMode: incoming mode

  21 Nov 07:32:41 (none) principal: 3150.50 MC I: RemoteParticipant::configureIncomingChannel: Capset(2) empty

  21 Nov 07:32:41 (none) principal: 3150.50 i H323Call: h323_call_handler::handleH323IncMode: incoming mode

  21 Nov 07:32:41 (none) principal: 3150.50 MC I: RemoteParticipant::configureIncomingChannel: Capset(2) empty

  21 Nov 07:32:41 (none) principal: 3150.50 i H323Call: h323_call::configureIncomingChannelCnf (p = 6): don't send not openSessionCnf to receive the mode change

  21 Nov 07:32:41 (none) principal: 3150.50 i H323Call: h323_call::configureIncomingChannelCnf (p = 6): don't send not openSessionCnf to receive the mode change

  21 Nov 07:32:41 (none) principal: 3150,74 getOutputPortStatus MV::getVCSetting MediaStreamController I: initialized 1

  21 Nov 07:32:41 (none) principal: 3150.74 i MediaStreamController: MV::getVCSetting localHwCookieHint_ 1 w 1920 1080 h

  21 Nov 07:32:42 (no) principal: 3150.79 probe flow VIDEOCTRL-0 i: Reset for (outputvideo, 2).

  21 Nov 07:32:42 (no) principal: 3150.80 i H323Call: h323_call::configureIncomingChannelCnf (p = 6): don't send not openSessionCnf to receive the mode change

  21 Nov 07:32:42 (no) principal: 3151.35 I: RemoteInputGateImpl::setIncomingModeReport (ig = 60, p = 6) MC [Audio (1): aud-off stereo 0 k]

  21 Nov 07:32:44 (none) principal: 3152.97 H323Call I: h323_call_handler::handleDiscInd (p = 6, s = 1) received disconnect indication (Cause: 11:55, h323 cause: 16:55)-RemoteRejected Q850

  21 Nov 07:32:44 (none) principal: 3152.98 I: RemoteParticipant::reevalRefMode (p = 6, ch = 2) MC set Ref [Video (2): vid-off [email protected] / * / 0 k] q = auto, t60 = 6000

  21 Nov 07:32:44 (none) principal: 3152.98 i: ModesController ModesController::resetRateLimit (ch = 2)

  21 Nov 07:32:44 (none) principal: 3152.98 I: RemoteParticipant::modeChanged (p = 6, ch = 2) MC: ModesController wants to run mode: video (2): vid-off [email protected] / * / 0 k

  21 Nov 07:32:44 (none) principal: 3152.99 i H323Call: h323_call::sendOutgoingModesToStack (p = 6): Modes sent to stack: audio: AAC - LD, video: vid-off, duo: vid, data: H.224 - HDLC

  21 Nov 07:32:44 (none) principal: 3153.03 i H323Call: h323_call::affirmIncomingDisconnect (p = 6): incoming logout confirmed

  21 Nov 07:32:44 (none) principal: call Tel: RemoteParticipant::disconnectTokenParticipant (p = 6) No. 3153,09 MC

  21 Nov 07:32:44 (none) principal: 3153.09 MC I: Conference::updateCommonCapSet (c = 5)

  21 Nov 07:32:44 (none) principal: 3153.10 I: IXUser iXController teardownIxChannel: not connected

  21 Nov 07:32:44 (none) principal: 3153.11 MC I: CapabilityControllerImpl reduced::setCapset() = 0, waitForDuoGate = 1, hasLegacyVideo = 0

  21 Nov 07:32:44 (none) principal: 3153.14 RTP I: TrafficCtrl: remove entry (hand): id: 34, dict: 65568

  21 Nov 07:32:44 (none) principal: 3153.14 RTP I: TrafficCtrl: remove entry (Duet): id: 36, dict: 65568

  21 Nov 07:32:44 (none) principal: 3153.15 CAMERA I: CamVisca::Ready_doCAMActionReq cameraId = 1 actionId = 20

  21 Nov 07:32:44 (none) principal: 3153,16 getOutputPortStatus MV::getVCSetting MediaStreamController I: initialized 1

  21 Nov 07:32:44 (none) principal: 3153.16 i MediaStreamController: MV::getVCSetting localHwCookieHint_ 1 w 1920 1080 h

  21 Nov 07:32:44 (none) principal: 3153.18 i MediaStreamController: doAUDIOMIXERREMGATECNF(ms-ig=7) not found

  21 Nov 07:32:44 (none) principal: 3153.19 i: DATACTRL DataGateRemReq (ig = 5)

  21 Nov 07:32:44 (none) principal: 3153.20 i: DATACTRL DataGateRemReq (og = 2)

  Hi Rod,

  It is not easy to guide you to the first cause, why endpoint disconnects the call, with the information and the log summary above.

  I recommend you open a support ticket with Cisco and also to join the journal of diagnosis (with DEBUG level) of two VCS, if possible, as well as newspapers for endpoints in the call. Then we should be able to find the cause of this problem.

  Normally, the B2B calls are disconnected due to safety, for example incorrect firewall configurations or application layer, as correction active etc. H323 gateways.

  It is also good to exclude scenarios; as this phenomenon happens with any point of termination? Of each location? At each location? Where registered endpoints, and firewall etc. does cross when it is a failure.

  Hope this helps,

  Arne

• Question of marking DSCP QoS VCS.

  I want to audio/video/signaling traffic values recommended in the SRND QoS of Medianet 4.0 in our VCS (video Communication Server).  The recommendations are for audio and interactive video the same signalling to CS3 and CS4.

  However, when I web in the VCS management application, there are only two drop-down boxes for QoS/DSCP marking. A box should allow to 'media' DSCP or not. The other box is to enter the DSCP value.

  I guess that the "media" are video and audio.

  Three questions:

  1. "media" means the audio and video packets?

  2. any reason why traffic is not part of the functions of the VCS - DSCP marking or is this configuration point somewhere else in the GUI?

  3. If there is no way for VCS mark signaling packets, then it to the next layer (the switch) to mark packets of signaling?

  jkeefee,

  I understand where you are coming, and feature requests already exist for VCS for the increase of the QoS configuration options, including the marking of different for audio, video and signage and interface, area and subarea specific marking as well.

  Since there are a wide range of feature requests for VCS (as with most of our products), it is always advantageous to put as much weight as possible behind each application, as applications who demand most of the customers are those who is likely to be implemented and improved first.

  I would advise, so reach out to your Cisco account manager to report your need more capabilities of QoS on the VCS, so that it can be forwarded to the VCS product management.

  Hope this helps,

  Andreas

• Doubts about the migration parallel to Lync 2013-> Skype4B 2015 on VCS - C (not clustered)

  Hello everyone!

  As I saw on Cisco documents, applying "B2BUA/Microsoft Interoperability" on VCS can "communicate" with just an instance Microsoft Lync pool servers, but we need to migrate the Lync server on parallel to the servers of Skype, we need to have a few "maintenance window" to migrate all users!

  Can we keep 'UP' communication for VCS (lync and Skype) pool of two servers until the end of the migration? The lync Server legacy 2013 (shared resources) with VCS today can communicate with users (migrated) for 2015 of Skype with trunk Lync existing TLS today?

  I think we generate another certificate for TLS and affecting some Skype server on the option "host approved", that's okay, I forgot something? Or I have other ways to communicate two pools Microsoft server with a VCS - C with the application "B2BUA/Microsoft Interoperability?

  Thanks for help me!

  To see some possible examples of deployment options, refer to Appendix 3 of the infrastructure Microsoft (X8.8) Deployment Guide and totalled, suggest that you also look over the guide in full as it might answer some of your questions about what is supported.

• SIP spam attack and MCU and vcs - e call

  as far as I know sip call spam attacks is done against the videoconference, connected with a public ip address, I disabled the sip but im not sure if my mcu and vcs - e with sound are vulnerable to them? they pose no threat to security for them? and if so, how? and what can we do about it?

  It is a well known problem and it affects H.323 and SIP, take a look at the below threads:

  https://supportforums.Cisco.com/discussion/12340591/nuisance-h323-calls-SX20

  https://supportforums.Cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls

  https://supportforums.Cisco.com/discussion/12508641/Cisco-source-spam-calls-stepped-complexity

  https://supportforums.Cisco.com/discussion/12613681/attack-vcse

  There are many more discussions on this issue, the above, this is just a small selection. :)

  You do not need to disable SIP on the VCS-E, all you need to do is turn SIP UDP unless you need it for voice services.

  You can protect yourself by using a CPL on the VCS-E who will avoid calls to go through your MCU, or anything else you have sitting behind the VCS-E. This is assuming that you are using a combo of VCS-C/VCS-E, with the VCS - C behind a firewall and the VCS-E outside the firewall, for example in the demilitarized zone.

  Having just trouble ask points of termination or MCU sitting in nature with public IP addresses.

  These scans, moreover, mainly looking for systems that will allow them to make free international calls.

  /Jens

  Please evaluate the answers and makr as 'answered' questions as appropriate.

• VCS VCS - E, TMS, TMSPE, Jabber/Movi authentication

  Just trying to figure the best way to approach this.

  I have read the documentation and the best approach seems to get to the VCS VCS-E to Active Directory and the synchronization of the TMS with AD for user account creation. This would avoid the need to records movi proxy for control of VCS and would ensure that all (SIP and H323) registration for the VCS-E would be authenticated.

  I don't think that my client will allow the VCS-E talk to AD.

  So, what are my options?

  If I SIP proxy of VCS-E records the VCS control, how are they managing H323? I don't want just any point endpoint h323 register with the VCS-E. I need to authenticate them. The customer has exernal h323 endpoints that they would like to sign up for VCS - E. I know I could put registration rules to restrict only some URI SIP, H323 IDs etc but it's really just security by obscurity.

  The local on VCS and VCS-E database can be used for authentication Movi/SIP and H323 records? I know that I would have to duplicate accounts and passwords on both.

  What books commissioning and address through registration to the VCS-E? Would it still work?

  Any suggestions on the best way to handle this in the safest way possible without breaking things?

  If I go with the control of VCS and VCS Expressway with authentication Active Directory (directly) on the control method of the VCS as described in the guide of authentication devices, I'm looking for the reality that I will not be able to restrict who can register for the VCS-E? At this time should I just seek to restrict the search for rules to only authenticated users?

  Thank you

  Jon

  Hey Jon,

  MOVI/Jabber you won't have to worry about authenticating H323. With your endpoints however you can just use the database local to authenticate or H350 (more can be read about in the guide of the Provisioning device referred to as Tomo). You can create a different generic for all your endpoints (less secure if which is discovered). But by combining this feature with a political appeal will ensure better security.

  I highly doubt that your client will allow you to leave the talk VCSE in AD. For movi/jabber users, you can create another subfield and use a regex pattern for point movi/jabber users to authenticate it as. * (\.movi)@domain.com. In addition, you can refer to this fragment and others have used in the past.

  In a secure design, the VCS (control and Highway) would require identification for registration information.

  The Control of VCS would have Active Directory Service active and joins the Active Directory domain. For VCS authenticate the credentials of Movi/Jabber on Active Directory before the SUBSCRIPTION for the supply is sent to the service of commissioning, the default Zone would be set to verify the credentials. For requests for SUBSCRIPTION from the highway, the area on the VCS control would also to verify the credentials. It handles authentication for the provision.

  The next part is the record of the Movi/Jabber client. The subzone to which the customer will register must also be set to verify the credentials. Here's everything you need for internal records (registration to the VCS control).

  For the Highway, things get a little more complicated. For commissioning subscription, the SUBSCRIPTION is forwarded to the VCS control. With the area on the VCS game to check the credentials, you're all set. Now on registration to the highway. The subzone to which the customer will register to must be defined to check credentials. From the motorway VCS don't have direct access to Active Directory, we use local credentials on the highway. A set of credentials should be configured in VCS Configuration > authentication > devices > local database. You will create a single name and password all Movi/Jabber clients will use. The end user has NO need to know these credentials. The username and password is provided to the Movi/Jabber client via configuration data it has received. To set up these data, MSDS, you must configure a SIP of authentication user name and password for SIP authentication in the configuration of the commissioning. For these options to be available, you must ensure that you have downloaded the configuration template xml for the Movi/Jabber version you are using. The xml file is included in the zip package full of the client which can be downloaded on www.cisco.com. So, who will be recording from the highway. Now, this creates an interesting situation with VCS control. The internal Movi/Jabber client will receive the same provisioning configuration and will attempt to use those same credentials when you register for the control of VCS. The VCS control is already set to authenticate against Active Directory and Active Directory ONLY registration.

  You will need to create an account in Active Directory corresponding to these credentials. The Active Directory account didn't need special access. It is used only for authentication purposes. A few things to keep in mind: SIP authentication user name and password for SIP authentication are stored in clear text configuration configuration. This means that the data is sent in clear text. To be sure that these data are not compromised on the wire, do not forget that you are using for your communication SIP Movi/Jabber TLS.

  With this directories will always work as jabber should be authenticated in order to receive directories. Your physical endpoint points will work differently with how they receive books and whether or not they are able to communicate with MSDS (unless you choose to configure endpoints also if those you are capable).

  It is in no way the design as safe as possible. It is to you to ensure that your environment is as secure as possible and therefore tested. The best way to fix everything is a well-defined appeal policy designed with your specific needs.

  The foregoing is in no way a recommendation but just a little more information to chew while looking to choose and implement what is best for you.

  Adam

• VCS expressway firewall rules

  Hello

  I just need your confirmation on the following configuration.

  VCSC - FW - Internet

  |

  |

  VCSE

  We use the double option with NAT Nic key.

  VCS expressway wil be connected with 1 single interface LAN for FW.  It will be a private ip address.  Firewall will be Natting the private ip address of VCSE to a public ip address.

  When updating the FW in ruling according to the following link:

  http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.PDF

  Appendix 3 - Page 55-58

  What address VCS expressway ip do you need to use FW rules?  a private or public?

  Thanks in advance.

  Ahmed

  Hi, Ahmed.

  If you use the VCS-E with the option of dual interface for NAT with all of a communication interface,

  the internet and your internal network must go to the _public_ ip address, not the private sector

  one. If it's not only on the firewall, but also the destination of the area on the VCS - C.

  Regards to your firewall, that depends on what must have configured your firewall.

  Some firewalls (or at least admins/users) seem to have problems getting the vcs - e accessible from inside on the

  external ip address. If there is a problem, you must use the secondary interface of the vcs and set a new

  DMZ.

  Please remember useful frequency responses and identify useful or correct answers.