VCS Expressway - Possible use of CPL script to block incoming IP?

Hello

Is it possible to control the incoming call to a motorway of VCS on a known IP address? I know that I can block traffic UN-auth/auth as a source alias, but I want to allow incoming calls from only a gatekeeper (s) specific.

Is this possible? I looked through the CPL section of the admin guide and I don't see anything pertaining to the IP, just alias resolution.

D.

Hi Darren,

I think you can use CPL for this question; however, since you need to block traffic based on a specific source IP address, I suggest you use the built-in firewall of VCS Expressway. This resource is available in the latest version of VCS; you can create firewall rules in VCS to allow or deny certain traffic.

Concerning

Paulo Souza

My answer was helpful? Please note the useful answers and do not forget to mark questions resolved as "responded."


Similar Questions

  • Change the Source URI for outbound calls using VCS Expressway X8.2

    Hi all

    I would like a little help on a CPL script, that I'm working on. I lived all the examples of community support and I am always sick.

    We run on VCS X8.2.  What I've read, VCS X8.1 has introduced a few new CPL capabilities, including the node location CPL supports rewriting the regex-based source alias.  I would like to take advantage of this new feature. I'm looking for a tutorial or a direction more advanced examples using this new capability.

    Here's my question:

    I have an internal domain "CompanyA.local" and I have a public domain "Entreprisea.com". My Cisco video endpoints register control VCS with a SIP URI of "[email protected] / * / .local".

    Receive calls from outside help "[email protected] / * / com" and the rules of research, I route calls properly internally.

    When I dial an external company, my endpoint is showing a video SIP URI of "[email protected] / * / .local"

    Of course, this isn't a SIP URI dial-able and should be changed to "[email protected] / * / .com".

    I know that this can be achieved using CPL, but I have not used this feature before.
    Any help would be appreciated.

    Please suggest an example script CPL I can review.

    I would use a Regex to cover all of my similar to the following endpoints:

    source-url-to-message-regex = "(.*) ' @CompanyA.local '"
    source-url-to-message-replace = "------[email protected] / * /"

    Thanks in advance for any help.

    oooooo, that answer above gave me the answer I was looking for. It does not work! It seems that the syntax for the xml file has changed from pre x 8 and x 8. Looks like I've been using the incorrect syntax. I was missing the AVA: in the clause to the proxy, which is my version of rule switch not working. Still don't know why the address switch did not work, but I prefer the rule-switch anyway, so no big loss for me.

    I've tested, and it is fully functional on my vm VCS x8.2 running lab



    "xmlns:TAA ="http://www.tandberg.net/cpl-extensions"
    "" xmlns: xsi = "http://www.w3.org/2001/XMLSchema-instance"
    xsi: schemaLocation = "urn: ietf:params:xml:ns:cpl cpl.xsd" >
           
             
               
                 "[email protected] / * / ' >
                   
                 

               

             

           

  • Block calls with the Expressway CPL script custom field empty

    We currently have a CPL script in place on our highway E we use to restrict access to certain devices.  We found that we had a call from h323 come in which the field is empty, it is somehow making it through scripting and is able to call anything.  Here are our current config:

    -

    -

    -

    -

    http://www.w3.org/2001/XMLSchema-instance"xmlns:taa ="http://www.tandberg.net/cpl-extensions">."



    -

    -

    -

    We tried to change the rules where the origin is empty, or just simply have a *, but it doesn't seem to work.  Anyone have ideas on how to match a call when the field is empty?

    Thanks in advance!

    I get the these calls all the time. the CPL script that I use to block is attached.

    Question of the use of the good source and destination, for example in the attached CPL, I use:

  • VCS Expressway to ISDN gateway

    Hi, it seems that my vcse is being moved from the outside and many hits or calls fraudulent are be tempted through my ISDN gateway.  I believe it is called hair pin!  What are the best practices and how to secure my Express?

    Thank you

    Ravi

    This has been covered in different threads in the past such as:

    https://supportforums.Cisco.com/message/3392768#3392768

    https://supportforums.Cisco.com/message/3542518#3542518

    https://supportforums.Cisco.com/message/3561238#3561238

    Look at the CPL examples in these discussions, and also the corresponding section in the administration guide for VCS - E also chronicled in a couple threads.

    In addition to the CPL script, you should consider breaking up the dial string by using something like # in the prefix of GW, IE if your prefix is 1 you use # 1 instead.

    You will not be able to block attempts to call as with the above, so they will always appear in the newspaper, but you minimized the possibility of the any of these tent appeal actually succeed.

    A way to block them completely disable SIP completely on the VCS-E, but disable SIP UDP will also keep these attempts at a minimum, at least that's my experience.

    /Jens

  • VCS Expressway Starter Pack

    Hi all

    First of all, let me say that I am the kind again in part "Tandberg" telepresence.

    I'll put up a VCS Expressway Starter Pack (with the option to double network interface) the week next to our customers.

    I read the VCS Expressway SP deployment guide, but I still have a few questions:

    -What is the best place to place the SP VCSe?  (inside the DMZ, or the Public network)

    Tomorrow we will hear whether or not the customer has a demilitarized area.

    -I understand that the external firewall must redirect the ports 5060, 5061 and range 50000/52399 to SP VCSe

    If there is a demilitarized zone we need to open the ports on the firewall inside as well?

    -Is possible with MS VCSe to receive video calls to (locally) the ends registered? (For example: an E20 to another company) If so, we need to open additional ports on the firewall?

    Thank you in advance,

    Wouter

    Hi Wouter,

    Check out the link for more information below.

    http://www.Cisco.com/en/us/prod/collateral/ps7060/ps11305/ps11315/ps11337/data_sheet_c78-697075.html

    It gives answer to some of your questions, like which is the best place to install the VCS - SP network.

    Normally, we have seen many customers put the box in the DMZ and use for incoming and outgoing calls.

    Although the deployment either specifically depends on requirement and network design once.

    Also see VCS starter pack deployment guide.

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_Expressway_Starter_Pack_Deployment_Guide_X7-1.PDF

    He gave the port information and also check the document use of port at the link below.

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X4_to_X7.PDF

    and answer your last questions, yes its possible to receive video call of endpoint not locally registered in VCS - SP, but then you need of DNS SRV records for your video field or you must call using ip address-SP-VCS.

    SRV DNS is the preferred method.

    Thank you

    Alok

  • 2 MCU and VCS Expressway, routing problem

    Hi all

    We have a design with a group of control VCS (2 members), cluster VCS Expressway (2 members), and a couple of microcontrollers (registered H.323 on VCS control cluster with the same prefix: 90).

    Each highway has a public IP address and incoming calls from outside can only be routed to microcontrollers:

    [email protected]/ * / for MCU_1 and [email protected]/ * / for MCU_2 (we don't have external DNS resolution).

    I put a conversion into motorway of VCS to change [email protected]/ * / to [email protected] / * / and [email protected]/ * / to [email protected] / * /.

    The problem is when someone calls [email protected]/ * / sometimes (randomly) the call is routed to MCU_2 (instead of MCU_1) and if the appellant see the auto attendant.

    The occurs even then of the appeal [email protected]/ * / (MCU_2), sometimes the call is routed to MCU_1.

    Any idea what can cause this device or a way to make it work well?

    Thanks for help.

    José

    I think still that separate prefix would work, but here are a few ideas:

    Are incoming calls which do not possibly using SIP that is being interoperability H323 or incoming calls all certainly the H323?

    If you want to keep pure H323, you could perhaps just have a search rule/turn on your VCS-E who changed [email protected] to an E164 e.g. 90... and had a search on your VCS - C rule that says 90... stop at the local area.

    I also noticed that you direct calls to [number]@MCU-IP - have you tried to direct all calls to [number]@VCS-C IP instead?  If the VCS is the holder of a registration for a number, it should be able to deliver accordingly.

  • give the user local administrator rights using local admin script

    I would like to give a domain user with local administrator rights using scripts via sccm, now that user does not disconnect, and if the admin rights come into force. I want to get the user who is logged on rights and it shall take effect as it is connected. This is possible thanks to a script or restart a service or group policy update?

    Thank you very much for your time.

    Asher

    Hey Asher,

    Thanks for posting in the Microsoft Community.

    As you try to give a domain user with local administrator rights using scripts via SCCM, the question you posted would be better suited for COMPUTING public Pro on TechNet. I would recommend posting your query in the TechNet Forums to get help:

    System Center Configuration Manager

  • Jabber client - encryption of VCS Expressway with MRA

    Hi all

    I'm working on the implementation of MRA for a video solution existing. Version CUCM is 9.1.2 (no IM & P server), vcs - c and vcs-e 8.2.2.  Client Jabber is 11.5.x

    I finished most of the introduction and I am able to call internally and externally through MRA.

    I still have a few things to tweak.  One is the encryption of video calling once jabber connects from outside.  From my understanding, the thigh jabber call end point and VCS Expressway uses TLS. But when I run wireshark on the PC with Jabber client, I don't see the RTP stream as being encrypted.

    CUCM my jabber device does not use a secure profile.  Is it ok or not?

    Please let me know if more are needed.  Thank you

    You can confirm the call is encrypted from the client of jabber MRA by doing as follows (I used 11.5 jabber client, if you are using an older client, I can't guarantee this method):

    1. make a call from the client jabber ARM, once the call is configured and media is established, you can end the call.
    2. create a jabber client problem report (help > report a problem...)
    3. Enter the required details and save the .zip file.
    4. Extract the file "jabber.log" from the .zip file. Since this file (at least since the version of client jabber 11.5) has the SIP messaging included in this document, you can use TranslatorX to view the file (you can also use a text editor if you wish).
    5. Generate a diagram of the log file.

    6. in the diagram of the scale, you should be able to locate the origin of the call. Search for an invitation, in my case a "RE-INVITE" and select it. A pop-up window will appear with the details of the SIP message.

    7. read the content of the message prompt of the SIP protocol (focusing on the SDP - the component of negotiating media). I won't go into detail about how to read SIP messages (there's a good article here, it is not for jabber specifically, but the same concepts apply).

    8. close the prompt message and open the message 'OK w/SDP' to examine the response of the VCS-E. The SDP response, we can confirm that the encryption settings have been accepted for the media (media will be encrypted).

    For re - apply point Jamie, unless you run CUCM in mixed mode and using security profiles, signalling/media encryption stops on the thigh of CUCM/endpoint and the VCS - C respectively. See the diagram below for reference (mixed mode not implemented).

    You need not applied to the device of CSF security profiles to obtain the encryption between the client of jabber MRA and the VCS-E. If you can decode signaling and media packets in Wireshark your jabber client, you probably will not connect via ARM (ARM is always encrypted).

    Please let us know if that helps.

    -Jon
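The SDP check described in steps 7 and 8 above can be scripted. This is an added example, not part of the original post: it classifies each `m=` line of an SDP body by whether SRTP was negotiated. The sample SDP is constructed, the function names are hypothetical, and SDES-style `a=crypto` keying is assumed (DTLS-SRTP is not handled).

```python
# Added example: classify each media stream in an SDP body by whether SRTP was negotiated.
RTP_SECURE = {"RTP/SAVP", "RTP/SAVPF"}
RTP_PLAIN = {"RTP/AVP", "RTP/AVPF"}

# Constructed SDP answer (addresses, ports and key material are placeholders, not from a real log).
SAMPLE_ANSWER = """\
v=0
o=- 1 2 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 36000 RTP/SAVP 9 0
a=rtpmap:9 G722/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYMATERIALNOTAREALKEY0000001
m=video 36002 RTP/SAVP 97
a=rtpmap:97 H264/90000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYMATERIALNOTAREALKEY0000002
m=application 0 UDP/BFCP *
m=video 36004 RTP/AVP 97
a=rtpmap:97 H264/90000
"""


def parse_media(sdp):
    """Return one dict per m= line with its port, transport profile and offered crypto suites."""
    streams, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            try:
                current = {"media": parts[0], "port": int(parts[1].split("/")[0]),
                           "profile": parts[2].upper(), "suites": []}
            except (IndexError, ValueError):
                current = None  # malformed m= line: do not attach later attributes to it
                continue
            streams.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            # a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
            fields = line[len("a=crypto:"):].split()
            if len(fields) >= 3 and fields[2].startswith("inline:"):
                current["suites"].append(fields[1])
    return streams


def classify(stream):
    if stream["port"] == 0:
        return "rejected"        # port 0 means the stream was declined
    if stream["profile"] in RTP_SECURE:
        return "srtp" if stream["suites"] else "srtp-no-key"
    if stream["profile"] in RTP_PLAIN:
        # a=crypto on a plain profile needs a closer look; no a=crypto means cleartext RTP
        return "crypto-on-avp" if stream["suites"] else "cleartext"
    return "not-rtp"


def report(sdp):
    """List of (media type, verdict) in the order the m= lines appear."""
    return [(s["media"], classify(s)) for s in parse_media(sdp)]


def all_media_encrypted(sdp):
    """True only if at least one RTP stream is active and every active RTP stream is SRTP."""
    active = [v for _, v in report(sdp) if v not in ("rejected", "not-rtp")]
    return bool(active) and all(v == "srtp" for v in active)


if __name__ == "__main__":
    for media, verdict in report(SAMPLE_ANSWER):
        print(f"{media:12s} {verdict}")
    print("all active media encrypted:", all_media_encrypted(SAMPLE_ANSWER))
```

Paste the SDP from the "OK w/SDP" message in place of the sample; a `cleartext` verdict on any active stream means that stream was not negotiated as SRTP.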

  • Question record DNS SRV + VCS Expressway

    Hi all

    I have a South, VCS in the DMZ, and I am facing a problem with the SRV DNS records.

    VCS Expressway Hostname:-VCSe

    Domain: example.com

    FULL VCSE domain name: VCSe.example.com

    and I have an a record set up for the same FQDN in DNS Public Server.

    I have a sip domain configured as 'cisco.com' in my VCS Expressway.

    What is the SRV records, I need to create in the Public DNS server.

    Kind regards

    Nikhil Jayan

    Nikhil,

    It seems that you have not checked the link I sent you earlier... A very explicit documents. in any case that we talked about earlier is we were talking about signs send calls to the highway as well as parts of the record.

    In your deployment, you have a different domain for DNS and SIP domain. Also as you say you meet Highway cluster and you want to record to both endpoints and then I suggest you to check the document for the creation of cluster on cisco website.

    Now, if you have a cluster for Highway then you must create several srv records that would be pointing to each domain name FULL of the approved cluster with equal weight. In normal use scenario of domain common to different services are recommended.

    Srv records would have seen something like that.

    _sips._tcp.company.com. 86400 IN SRV 1 1 5061 vcse1.company.com.

    _sips._tcp.company.com. 86400 IN SRV 1 1 5061 vcse2.company.com.

    _sip._tcp.company.com. 86400 IN SRV 1 1 5060 vcse1.company.com.

    _sip._tcp.company.com. 86400 IN SRV 1 1 5060 vcse2.company.com.

    _h323ls._udp.company.com. 86400 IN SRV 1 1 1719 vcse1.company.com.

    _h323ls._udp.company.com. 86400 IN SRV 1 1 1719 vcse2.company.com.

    _h323cs._tcp.company.com. 86400 IN SRV 1 1 1720 vcse1.company.com.

    _h323cs._tcp.company.com. 86400 IN SRV 1 1 1720 vcse2.company.com.

    _h323rs._udp.company.com. 86400 IN SRV 1 1 1719 vcse1.company.com.

    _h323rs._udp.company.com. 86400 IN SRV 1 1 1719 vcse2.company.com.

    However, your case is different. In your deployment what you have to do is any request for the domain "cisco.com" should be resolved in FQDN of the VCS-Highway peers with equal weight.

    for example

    _tcp.gmail.com. IN SRV 20 0 5222     talk2.l.google.com.

    Therefore, any request to gmail.com would resolve to the talk2.l.google.com server.

    same way you have to make it work.

    Thank you

    Alok
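A way to check a zone against the layout in the answer above (one record per cluster peer for each service, equal priority and weight, the ports listed). This is an added example, not part of the original post: the function names are hypothetical, and the record lines and the `company.com` / `vcse1` / `vcse2` names are the post's own example values.

```python
from collections import defaultdict

# Ports per service, taken from the records listed in the post.
EXPECTED_PORTS = {
    ("_sips", "_tcp"): 5061,
    ("_sip", "_tcp"): 5060,
    ("_h323ls", "_udp"): 1719,
    ("_h323cs", "_tcp"): 1720,
    ("_h323rs", "_udp"): 1719,
}

# The post's example records, as zone-file lines.
ZONE = """\
_sips._tcp.company.com. 86400 IN SRV 1 1 5061 vcse1.company.com.
_sips._tcp.company.com. 86400 IN SRV 1 1 5061 vcse2.company.com.
_sip._tcp.company.com. 86400 IN SRV 1 1 5060 vcse1.company.com.
_sip._tcp.company.com. 86400 IN SRV 1 1 5060 vcse2.company.com.
_h323ls._udp.company.com. 86400 IN SRV 1 1 1719 vcse1.company.com.
_h323ls._udp.company.com. 86400 IN SRV 1 1 1719 vcse2.company.com.
_h323cs._tcp.company.com. 86400 IN SRV 1 1 1720 vcse1.company.com.
_h323cs._tcp.company.com. 86400 IN SRV 1 1 1720 vcse2.company.com.
_h323rs._udp.company.com. 86400 IN SRV 1 1 1719 vcse1.company.com.
_h323rs._udp.company.com. 86400 IN SRV 1 1 1719 vcse2.company.com.
"""


def parse_srv(zone):
    """Parse SRV lines (TTL and class optional) into dicts; other lines are skipped."""
    records = []
    for line in zone.splitlines():
        fields = line.split(";")[0].split()      # drop zone-file comments
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        labels = fields[0].lower().split(".")
        if len(fields) < i + 5 or len(labels) < 3:
            continue                             # truncated record or owner without _service._proto
        try:
            priority, weight, port = (int(x) for x in fields[i + 1:i + 4])
        except ValueError:
            continue
        records.append({"service": labels[0], "proto": labels[1],
                        "priority": priority, "weight": weight,
                        "port": port, "target": fields[i + 4].lower()})
    return records


def check_cluster(zone, peers):
    """Return a list of problems; an empty list means the zone matches the layout."""
    by_service = defaultdict(list)
    for rec in parse_srv(zone):
        by_service[(rec["service"], rec["proto"])].append(rec)
    problems = []
    for key, port in EXPECTED_PORTS.items():
        name = ".".join(key)
        group = by_service.get(key, [])
        for peer in sorted(set(peers) - {r["target"] for r in group}):
            problems.append(f"{name}: no record for {peer}")
        if len({(r["priority"], r["weight"]) for r in group}) > 1:
            problems.append(f"{name}: peers do not share priority/weight")
        for r in group:
            if r["port"] != port:
                problems.append(f"{name}: {r['target']} uses port {r['port']}, expected {port}")
    return problems


if __name__ == "__main__":
    peers = ["vcse1.company.com.", "vcse2.company.com."]
    print(check_cluster(ZONE, peers) or "zone matches the cluster layout")
```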

  • VCS Expressway outside to endpoints internal call

    I have a new implementation where internal control 1 to VCS in LAN and VCS Expressway in DMZ 1.

    VCS Expressway has an IP public address/NAT.

    Currently, we have a group of VC endpoint, each endpoint has a public IP/NAT to the local network, to allow internet to make H.323 call directly by public IP address of the composition of the endpoint.

    My question is, after having implemented VCS Expressway in DMZ, how do the numbering plan at each endpoint internal VCS Highway outside call? Do I still need to give to each endpoint an ip/NAT public.

    Thank you very much.

    A much simpler and in my opinion, more elegant and more scalable solution would be not to use IP addresses for calls, but to allocate and register outcomes with E.164 alias. That way you all you need is the internal IP address.

    So the outer ends may, in this case, call your settings using the [email protected] / * / or [email protected] / * /-E_IP_address.

    Internal assessment criteria can call each other using alias only for as long you have the rules of research in place, and cannot therefore have the external ends you will allow to record with you VCS-E for one reason or another.

    If you have the outcomes of Polycom external with the old version of the software that does not support Annex O URI component, then it's very simple to include a transformation of prior research on the VCS-E which will allow these settings call using owners 'numbering URI "; VCS-E_IP_address ##Alias - and if you, on the odd occasion, a final point which cannot use anything other than IP addresses, you can configure the alias of relief on the VCS-E to point to a specific or a standard automatic on a MCU, purpose etc.

    A dial plan using as above will also allow you to use DHCP addresses, the alias remains static, and that's what counts, addresses much simpler to give to people. e.g. 123456 is much easier to remember than 202.138.98.23 etc, not to mention the IPv6 addresses, and because you save your settings with domain name, and then customers SIP will also be able to connect very easily.

    /Jens

  • VCS Expressway, highway

    Hello

    Gently, I confused, what are the differences between VCS Expressway and Freeway?

    -Don't need Expressway a HW (server), it is only allowed in CUCM I need to buy?

    -pre sales engineer, when can I choose VCS-E? and when can I take the freeway?

    Thanks and greetings

    There is a thread here:

    https://supportforums.Cisco.com/discussion/12699961/Expressway-series-vs-VCs-control-Expressway

    To summarize:

    What are the differences between VCS Expressway and Freeway?

    -VCS expressway or the Server Traversal is the 'legacy' that supports local recording of external H323/SIP based endpoints by using its features of Registrar Gatekeeper h.323 and SIP. It also serves as the traversal server for VCS (client of crossing) control to support for firewall traversal calls and B2B.

    -Highway consists of Core Expressway and the highway, or they call it 'Collaboration Edge'. The concept of highway is the same as the 'life' VCS control + VCS Expressway to provide firewall route, B2B calls. Channel Express is an extension for CUCM controlled environment for Mobile and remote access. With Highway, external clients/video endpoints can register on the CUCM without using VPN. Expressway in this case do not support the records the of endpoints. Endpoints will locally save on CUCM using technology of firewall Expressway (Core + Edge) courses.

    Expressway takes a HW (server), it is only allowed in CUCM I need to buy?

    Highway needs a server and it can be deployed in a virtual environment.

    You can take a look at offerings Cisco Business Edition 6000 (BE6K):

    http://www.Cisco.com/c/en/us/products/collateral/Unified-Communications/Business-Edition-6000/data_sheet_c78-717454.html?CacheMode=refresh

    as when can pre sales engineer, I choose VCS-E? and when can I take the freeway?

    -I suggest to contact your Cisco representative helping you find the right solution for your customer.

    Kind regards

    Acevirgil

  • VCS Expressway & movi 4.2 configuration

    Hi all

    I created movi account manually in the TMS and it work perfectly with VCS - control.

    However, it cannot register for VCS expressway. Is it mandatory to have a name authority pointer record in DNS?

    For example, configure us abc.com as the domain name SIP Highway VCS, is mandatory to fix abc.com as public highway VCS by DNS server IP address?

    Thank you

    Ben

    That is to say you do not originate in the AMZ comes directly to the public IP address of the VCSE

    If that's the case at least, you should see registration tent if nothing can be seen then you need to look at the firewall

    Is it an ASA? Try to packet capture and see why you are not hitting the VCSE using SIP

    as it could be firewall issue!

    HTH

  • VCS expressway firewall rules

    Hello

    I just need your confirmation on the following configuration.

    VCSC - FW - Internet

    |

    |

    VCSE

    We use the double option with NAT Nic key.

    VCS expressway will be connected with 1 single interface LAN for FW.  It will be a private ip address.  Firewall will be Natting the private ip address of VCSE to a public ip address.

    When updating the FW in ruling according to the following link:

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.PDF

    Appendix 3 - Page 55-58

    What address VCS expressway ip do you need to use FW rules?  a private or public?

    Thanks in advance.

    Ahmed

    Hi, Ahmed.

    If you use the VCS-E with the option of dual interface for NAT with all of a communication interface,

    the internet and your internal network must go to the _public_ ip address, not the private sector

    one. If it's not only on the firewall, but also the destination of the area on the VCS - C.

    Regards to your firewall, that depends on what must have configured your firewall.

    Some firewalls (or at least admins/users) seem to have problems getting the vcs - e accessible from inside on the

    external ip address. If there is a problem, you must use the secondary interface of the vcs and set a new

    DMZ.

    Please remember useful frequency responses and identify useful or correct answers.

  • Highway-C and highway-E and VCS Expressway

    Hello

    I'm confused by these three

    I know that expressway-E is used with Express-C track

    Their function is like VCS Expressway? or am I wrong?

    Please help to know when to use each one?

    Also why use us next to the firewall? What is the average of the crossing of firewall?

    Also, when I connect external with Jabber, is there any type of registration with each of them? I see a number taken in charge of registration of 2500 and 5000 in the VCS Expressway data sheet

    Thank you

    Haitham

    Hi Haitham,

    In general, a point of endpoints/client must register for a 'device' so that it can be used as part of a company dial plan. This 'device' could be CUCM or a VCS and will determine if an endpoint/client is used to connect, or how the calls and form, it can be done.

    If the endpoint does NOT have one of these devices (CUCM or VCS), it could still be used (for example, a videoconferencing device stand alone), it's just that we do not see within the company structure of appeal. It may not appear in the directories, it cannot give priority to call outside, etc etc. The Jabber client has to register with CUCM either a VCS to make it work at all.

    If you use CUCM with a VCS-E, endpoints will record to CUCM. If the endpoints are internal to the company, they apply directly to the CUCM and if are external, then they will be connect via VCS-E and the recording will be dug through CUCM, so still save with CUCM.

    VCS-C/e with environment of TMS, endpoints will record VCS - c when internal and again use the VCS-E for tunnel applications from external device to the VCS - C. Depending on how you want to deploy these devices, external devices/clients could actually register directly with VCS-E, but I'm getting ahead of things. Jabber in this environment use of TMS to provide authentication of the user, even if the actual recording takes place on the VCS.

    Does that help?

    Chris

  • VCS Expressway cannot connect

    Hello

    I just put in place a control of VCS and a highway of VCS. I set up the traversal client on the VCS control using the port 6001 H.323 and SIP 7001.  I set up the crossing on the VCS Exp server using the same ports.  I get "H.323 could not not connect to x.x.x.x:6001 no response of the system.

    The SIP will not connect either 'connection failed '.

    There is no list of the control of VCS to VCS highway.  Authentication is disabled.  They are both pointed out the same NTP.

    Any ideas?

    Thank you!!

    Rhonda,

    In short, the configuration looks OK. Can you specify what other types of layer 3 devices are between the VCS - C and VCS-E outside the ASA?

    If the firewall is not the issue, the problem may be caused by routing problems. If you allow ICMP from the command to the highway, you can check if the routing of the works by logging in as root (with SSH) for the VCS - C and launching the command

    Traceroute x.x.x.x

    where x.x.x.x is the IP address of your Expressway.

    Thank you

    Andreas
