VCS Starter Pack - home Movi

Hi guys,

I have a problem with registering a Movi client to a VCS Starter Pack over the Internet.

My design is the following: Movi - Internet - router - VCS Starter Pack (no TMS). The VCS is connected to the local network with a single interface and is statically NATed to the Internet by the Cisco router that sits in front of it.

I am able to register the Movi client to the VCS if Movi is connected to the local LAN. The settings on the VCS are simple:

Default credentials - authentication - Check policy

By default, subzone - authentication policy - treat as authenticated

When I try to connect the Movi client from home (over the Internet, without VPN) I get this message:

I read the Cisco VCS Expressway Starter Pack - Cisco TelePresence - Cisco VCS X5.1 Deployment Guide and I think I did everything right, but since it doesn't work I must have something wrong.

Does anyone have any ideas?

Thank you for your help.

A few notes:

* What vcs version do you use? There seems to be something > = 6 X

* check the field: cronus.ro is added as the sip domain and is also implemented announces the field in movi

* Are you sure that your password is correct?

* You can also try to set the default area, sub-area by default (and maybe other areas) of 'treat as authenticated' just to see if you can register

* you have the option "dual interface", should be in your fan


Similar Questions

  • Replace CE500 VCS Starter Pack and keep Movi.

    Hello

    VCS STARTER PACK our users is getting old and we want to replace it. The customer uses a lot of Movi, but not with the TMS. If replace us CE500 of VCS STARTER PACK and keep Movi, TMS is required? Use Movi no TMS?

    Yes, the TMS is required to use Jabber Video. In fact, you need TMS and VCS.

    The best route is to upgrade the VCS Starter Pack using the part VCS Starter Pack Upgrade to VCS Control - TMS, Movi 100 users. Start with PN: CTI-VCSC-SPUPG-K9. This upgrade gives you full VCS and full TMS and 100 licenses.

    If you have more than 100 Jabber (movi) you need to migrate your licenses on.

  • VCS Starter Pack - registration failure

    I can't register my Movi client to the VCS Starter Pack X7.1

    It keeps displaying the message

    Connection failed

    due to registration failure

    If the problem persists contact IT support

    The FindMe address, user account and local database accounts are configured with the same name/password

    Default Zone and Default Subzone are both set to check credentials.

    I can resolve the DNS name to the public IP address that is configured in the VCS.

    In the log, I get this error message:

20 Oct 14:05:45 "" "" "" TVCS: event = "Message sent" Service ="SIP" Src - ip = "X" Src-port ='5060"Dst - ip ="Y"Dst-port ="29284"Protocol ="TCP"Num-bytes ="426"Level ="4"elements UTCTime = '2011-10-20 11:05:45, 349"
20 Oct 14:05:45 "" "" "" "TVCS: event ="responded"Service ="SIP"Src - ip ="X"Src-port ='5060" Dst - ip = "Y" Dst-port ="29284" Protocol = "TCP" method ="FOLLOW"to ="sip: [email protected] / * /" code-response = "404" " Level ="3"elements UTCTime = '2011-10-20 11:05:45, 349"
20 Oct 14:05:45 "" "" "TVCS: event ="application received"Service ="SIP"Src - ip ="Y"Src-port ="29284"Dst - ip ="X"Dst-port ='5060" Protocol = "TCP" method ="SUBSCRIBE" Request-URI = 'sip: [email protected] / * /"Level ="3"elements UTCTime ='2011-10-20 11:05:45, 347"
20 Oct 14:05:45 "" "" "TVCS: event ="Message received"Service ="SIP"Src - ip ="Y"Src-port ="29284"Dst - ip ="X"Dst-port ='5060" Protocol = "TCP" Num-bytes ="987" Level = "4" UTCTime elements = 20 Oct 14:05:43 "" "TVCS: Event =" Message sent "Service ="SIP"Src - ip ="X"Src-port ="5060"Dst - ip ="Y"Dst-port ="29284"Protocol ="TCP"Num-bytes ="581"Level ="4"elements UTCTime ='2011-10-20 11:05:43, 726"
20 Oct 14:05:43 "" "" "" "TVCS: event ="responded"Service ="SIP"Src - ip ="10.1.101.10"Src-port ='5060" Dst - ip = "109.166.141.13" Dst-port ="29284" Protocol = "TCP" method ="FOLLOW"to ="sip: [email protected] / * /" code-response = "407" " Level ="3"elements UTCTime = '2011-10-20 11:05:43, 726"
20 Oct 14:05:43 "" "" "TVCS: event ="application received"Service ="SIP"Src - ip ="Y"Src-port ="29284"Dst - ip ="X"Dst-port ='5060" Protocol = "TCP" method ="SUBSCRIBE" Request-URI = 'sip: [email protected] / * /"Level ="3"elements UTCTime ='2011-10-20 11:05:43, 726"
Sep 15 13:36:01 "" "" "" TVCS: event = "error decoding" Service ="SIP" Src - ip = "219.92.14.189" Src-port ="50943" Dst - ip = "219.92.14.190" Dst-port ="5061" detail = "(no host valid in the URL of)" Protocol ="TLS" Level = "1" elements UTCTime = '2012-09-15 13:36:01, 285"
Sep 15 13:35:58 "" "" "" TVCS: event = "error decoding" Service ="SIP" Src - ip = "219.92.14.189" Src-port ="50942" Dst - ip = "219.92.14.190" Dst-port ="5061" detail = "(no host valid in the URL of)" Protocol ="TLS" Level = "1" elements UTCTime = '2012-09-15 13:35:58, 402"

Grateful if someone could help.

Thank you

Can you ensure that the FindMe ID for the user includes the SIP domain you use (example below) and repeat the test?

  • VCS Starter Pack in a datacenter (fixed Behinde NAT)

    Hi guys,

    We have a TelePresence VCS Expressway Starter Pack server and it worked very well on the E2 data line in our office, but now, after moving to a data center, there is a problem with registering a Movi client to the VCS over the Internet.

    The server installation is now this: VCS Starter Pack - firewall/router - Internet - Movi

    The VCS is connected to the local network (the internal data center network) with one interface and is statically NATed to the Internet by a router.

    All ports are open in the firewall (incoming and outgoing).

    And here are the settings in the VCS:

    Default credentials - authentication - Check policy

    By default, subzone - authentication policy - treat as authenticated

    Also, here is the log of the attempt to register Movi from the public network (Internet):

    26 Dec 14:11:21

    "" "" "" TVCS: event = "Message sent" Service ="SIP" Src - ip = "10.29.10.43" Src-port ="5061" Dst - ip = "41.130.193.41" Dst-port ="59519" Protocol = "TLS" Num-bytes ="426" Level = "4" elements UTCTime = '2011-12-26 12:11:21, 714"

    26 Dec 14:11:21

    "" "" "TVCS: event ="responded"Service ="SIP"Src - ip ="10.29.10.43"Src-port ="5061"Dst - ip ="41.130.193.41"Dst-port ="59519"Protocol ="TLS"method ="FOLLOW"to ="sip: [email protected] / * /"code-response ="404"Level ="3"elements UTCTime ='2011-12-26 12:11:21, 714"

    26 Dec 14:11:21

    "" "" "TVCS: event ="application received"Service ="SIP"Src - ip ="41.130.193.41"Src-port ="59519"Dst - ip ="10.29.10.43"Dst-port ="5061"Protocol ="TLS"method ="SUBSCRIBE"Request-URI = 'sip: [email protected] / * /" Level = "3" elements UTCTime ='2011-12-26 12:11:21, 712"

    26 Dec 14:11:21

    "" "" "" TVCS: event = "Message received" Service ="SIP" Src - ip = "41.130.193.41" Src-port ="59519" Dst - ip = "10.29.10.43" Dst-port ="5061" Protocol = "TLS" Num-bytes ="998" Level = "4" elements UTCTime = '2011-12-26 12:11:21, 712"

    26 Dec 14:11:21

    "" "" "" TVCS: event = "Message sent" Service ="SIP" Src - ip = "10.29.10.43" Src-port ="5061" Dst - ip = "41.130.193.41" Dst-port ="59519" Protocol = "TLS" Num-bytes ="587" Level = "4" elements UTCTime = '2011-12-26 12:11:21, 643"

    26 Dec 14:11:21

    "" "" "TVCS: event ="responded"Service ="SIP"Src - ip ="10.29.10.43"Src-port ="5061"Dst - ip ="41.130.193.41"Dst-port ="59519"Protocol ="TLS"method ="FOLLOW"to ="sip: [email protected] / * /"code-response ="407"Level ="3"elements UTCTime ='2011-12-26 12:11:21, 643"

    26 Dec 14:11:21

    "" "" "TVCS: event ="application received"Service ="SIP"Src - ip ="41.130.193.41"Src-port ="59519"Dst - ip ="10.29.10.43"Dst-port ="5061"Protocol ="TLS"method ="SUBSCRIBE"Request-URI = 'sip: [email protected] / * /" Level = "3" elements UTCTime ='2011-12-26 12:11:21, 642"

    26 Dec 14:11:21

    "" "" "" TVCS: event = "Message received" Service ="SIP" Src - ip = "41.130.193.41" Src-port ="59519" Dst - ip = "10.29.10.43" Dst-port ="5061" Protocol = "TLS" Num-bytes ="661" Level = "4" elements UTCTime = '2011-12-26 12:11:21, 642"

    Can someone help me understand why this happens?

    Hi houari,

    There are several threads on this forum which explain the requirements for the deployment of a VCS in a private DMZ; you can find them by searching for "VCS static NAT".

    In short, when you deploy the VCS-E in a statically NAT'ed environment, it is necessary to have the "Dual network interfaces" option key on the VCS-E; this key unlocks the static NAT functionality of the VCS-E.

    You can also find more information in the VCS Administrator Guide for X7.0.

    Regards,

    Andreas

  • Reset password on VCS Starter Pack x7.2

    Hello!!

    I had a little problem with the remote control of the VCS Starter Pack... I only have root access via the serial number.

    Could you tell me which command could help me change the admin name and password for web access? As I understand it, the commands from version 6 do not work for 7.2.

    I already tried the approach via pwrec, but for some reason it did not work. So I only need the CLI command for version 7.2.

    Kind regards.

    pwrec should also work, but only shortly after a restart.

    As you say you have root access, you can simply set the admin password yourself.

    Access the VCS as root and type:

    passwd admin

    ~ # passwd admin
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully

    You will be asked to enter your new password twice, and there you go :-)

    The following xcommand paths appear to have been removed from the current version:

    SystemUnit AdminAccount [1..15] Password:

    Defines the password of an administrator user who can login to the VCS web interface. The maximum plaintext length is 16 characters, which will then be encrypted.

    Example: xConfiguration SystemUnit AdminAccount 1 Password: "password123"

    SystemUnit Password:

    Defines the password for the default 'admin' account. This account is used to log in to the VCS via Telnet, HTTP(S), SSH, SCP, and on the serial port. The maximum plaintext length is 16 characters, which will then be encrypted.

    Example: xConfiguration SystemUnit Password: "password123"

    And of course, there is also the way to factory default your vcs.

    For more information, see the vcs administration guide

  • VCS Starter Pack

    Hello

    Are the 5300 series MCU and SX20 supported in VCS Starter Pack?

    Only Jabber clients and a couple of SX20 will participate at conferences.

    TIA

    Hello

    Yes 5300 MCU is supported in VCS Starter Pack.

    VCS starter pack behaves just like VCS with some limitations of licenses and features. It supports all the standard endpoints and the bridges that are in line with the H323 and SIP.

    Thank you

    Saurabh

  • Profile C40 with VCS Starter Pack Expressway system

    Hello guys,

    Customer not want options like Firewall and the Conference (MCU 5300) crossing.

    But as this is a small script (there around 2 profile C40 + 2 SX20 10 video Jabber), I found that it will be interesting using VCS Starter Pack Expressway. He's no more than 50 records or 25 route calls as shown in the data sheet 'support '.

    I took a look at the topis here and also some documents and say that C40/SX20 are not supported for the supply, but since the SIP/h.323 support, calls should work perfectly.

    No doubt: that the client will lose in terms of features or benefits without the support of this commissioning endpoints?

    It would be a pain in the neck to enter the SX20 or C40 to VCS Starterpack expressway?

    http://www.Cisco.com/en/us/prod/collateral/ps7060/ps11305/ps11315/ps11337/data_sheet_c78-697075.html

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_Expressway_Starter_Pack_Deployment_Guide_X7-2.PDF

    Thank you!

    Alan

    Hi Alan, I will reply in English so that it stays in the database, but design questions are best answered in the Business Video forum.

    About your 3 points, depends on:

    (1) even if you deploy the TMS, endpoint will try to get the directory using HTTP/HTTPS connection. If the endpoints are outside / internet, it may be refused by security reasons.

    (2) you can always configure auth on the StarterPack VCS to auth against the local database. At the endpoints configured manually, you can enter the identification information.

    (3) you can configure the bandwidth on VC (subareas or pipes) configuration control or limit directly to each endpoint

    The SX/MX/EX/C series can register to the Starter Pack using a direct connection (H.323/SIP) or from behind a FW/NAT using H.460.18/19 or Assent. They can authenticate against the local VCS DB. Be aware that the VCS S is usually installed in an external DMZ or directly with a public IP address. In this case, if you have 2 x SX on the internal network and the VCS in the DMZ (with NAT in the middle), all media will go through the VCS, even if the two SX are on the same subnet.

    PS: Be careful where to include the VCS. If you use NAT on the VCS, basic network license need double.

    It will be useful.

    Regards,

    Elter

  • VCS Starter Pack can be used as VCS-E without any upgrade?

    My client a VCS - C and the TMS, the VCS Starter Pack.

    We rely on the deployment of all in the traditional model.

    What I have to migrate MS full Expressway product or I can leave it as what?

    Can't he do while it is configured as the Starter Pack? This may cause problems later?

    It's my first time with it and someone else put in place before we got here.


    Hey Michael!

    Of course, you might think the delivery of the VCS-E as a stand-alone box with a crossing area and

    SIP proxy VCS - c

    I can't recommend this doing.

    If I see just the starter pack is just an extra key, giving you all the options you need:

    0 calls no course, 5 calls route, 50 entries, 900 ROUND relay, Expressway, encryption, FindMe, Starter Pack. But it also means that you are linked to this feature set (for example, you can not delete the provisioning, findme,...)

    Some other limitations I see:

    * officially VCS-SP-E cannot be added to the TMS, then you miss the detail records management calls...

    * the starter pack provisioning can hinder the supply of MSDS if intended to be used

    * TMSPE/OpenDS (also password "local-tms' database (authentication)) will not work on the VCS-SP-EP

    There could be more.

  • VCS Starter Pack Express 7.0.1 without DOUBLE NIC / Network configuration

    Hello community,

    can you please explain to me how to put a VCSESTRTPACK to the Internet? Just put the public IP address to the configuration of the Interface? I have just one public IP address, so I NAT? Or is it possible to make it work. I want to register outside, devices on Internet. Some evaluation criteria are behind NAT.

    What the routing configuration and deployment of the network?

    I'll put the VCSESTARTPACK for the server to register of external endpoints on the internet.

    And for internal services use an MCU and the TMS. So I nedd to internal and external communication to my VCSESTARTPACK. Is it possible to connect a VCSC internal in order to increase enrollment?

    Thank you

    Duplicate messages.

    Go here: https://supportforums.cisco.com/discussion/12263321/vcs-starter-pack-exp...

  • UPDATE to VCSE VCS Starter Pack Express

    Hello community support.

    just a quick question for the upgrade process. With this key:

     Video Communication Server Starter Pack Upgrade to VCS Expressway - TMS, Cisco Jabber Video for TelePresence 100 users CTI-VCSE-SPUPG-K9 TTC2-04

    I can add as an option on my VCSESTRTPACK and remove the pack before starter option. After that, I have a VCSE without refueling.

    But what of the Jabber user? How did the license provided for me?

    Can I install just the touch option even on MSDS and this will add 100 user of Jabber for her? Or do I have to buy a separate license for this?

    Thank you for the support :)

    From what I found online:

    • You can convert the Starter Pack to either a Control or an Expressway depending on what part number you use (CTI-VCSC-SPUPG-K9 or CTI-VCSE-SPUPG-K9).
    • You will lose the integrated provisioning management and Jabber Video/Movi licenses.
    • You will retain additional call licenses that have been purchased on top of the base call licenses.
    • You will receive the basic TMS application + 100 Jabber Video/Movi licenses.

  • VCS Starter Pack Expressway

    Hello, everyone.

    We have donated some equipment to set up a SIP network and there are a few problems.

    For the internal endpoints, we have a customers EX90, C90 and MOVI.  We also have a single Starter Pack Expressway VCS (* without * the dual NETWORK card option).

    For our firewall imagine 3 interfaces: inside, outside and DMZ.  The DMZ has public/Internet IP addresses.  There is no between the inside and the DMZ - NATing it only the NATs as it passes through the external interface (which is of course the interface connected to the Internet).

    So I just have a few addresses here for the love of communication:

    VCS Expressway: 20.0.0.2/25 <-- public

    Internal endpoint EX90: 10.0.0.2/24

    Internal endpoint MOVI: 10.0.0.3/24

    Again, there are no NATing between 10.0.0.0/24 and 20.0.0.0/25 network.

    Everything works (registered through our VCS) internally.  When we make an external call, tell the customer MOVI, media gets to the external endpoint, but we do not have any media on internal endpoint (not a single UDP packet).  We also noticed the media stream that we send goes directly on the external endpoint (or its VCS) and not through our VCS Expressway.

    Another interesting fact, when we put a little linksys router between the endpoints and our business network (endpoints on the local network, business network on they WAN) everything works and the media we paths through our VCS in the demilitarized zone.  The only thing I can understand is the VCS realize there is now a NAT between the internal endpoint and himself and changes the path.

    I looked through a lot of different documents (VCS base Config Guide, Expressway Starter Pack Deployment Guide, use of the Port IP VCS for Firewall Traversal Deployment Guide, etc.), and none of them that I saw really cover our scenario.  Anyone got any ideas on why the media do not work properly?  I don't have access to a corporate firewall, but I told myself that the UDP stream will never return to us.

    From what I've read in other discussions posted here, it seems that you only need the dual NIC option if your VCS Expressway is coordinated to the Internet (which ours isn't the case).  Is this correct?

    Thank you

    -Matthew Pinkston

    Hi Matthew,

    In addition to the advice given by Tomo and Alok, you could also take advantage of the 'Media encryption mode' setting on the zone/subzone on the VCS (this is available in X7.2) to force the Expressway to take the media even for your internal SIP endpoints.

    If you configure, for example, the 'Media encryption mode' for the Default Subzone on your VCS-E to 'Best effort', a call between two internal devices registered to the VCS-E would have its media routed via your VCS-E, as would a call between an internal SIP device and an external/remote device.

    Hope this helps,

    Andreas

  • How to activate the two IPS on VCS starter pack express

    I have the Starter of Cisco Express works with a single IP address using a NAT. This only works inside the LAN. To enable this machine on the internet, I bought the key option to double network interface. I enabled both interfaces, but I don't know how I should configure the two IPS by access from the internet. I tried to activate the static NAT, but it did not work.

    There is only a single default gateway and this is where most of the traffic will be released and which should point to the internet router.

    If you have more internal networks than the 'LAN', you can simply add additional routes via the administration console.

    For example, if LAN2 is connected to 192.168.150.0/24, you have 192.168.175.0/24 at home where your laptops are, and the router for that is 192.168.150.1, you would add that route with the xCommand RouteAdd command:

    xcommand RouteAdd

    *h 'xCommand RouteAdd'

    "Adds and configures a new IP route (also known as a static route)."

    Address(r): "Specifies an IP address used in conjunction with the prefix length to determine the network to which this route applies."

    PrefixLength(r): <1..128> "Specifies the number of bits of the IP address which must match when determining the network to which this route applies. Default: 32"

    Gateway(r): "Specifies the IP address of the gateway for this route."

    Interface: "Specifies the LAN interface to use for this route. Auto: the VCS will select the most appropriate interface to use. Default: Auto"

    for the example given, it would be (user admin via ssh):

    xCommand RouteAdd Address: 192.168.175.0 PrefixLength: 24 Gateway: 192.168.150.1 Interface: LAN2

    But to be honest I'm not sure Jabber Video works well with the Expressway in a dual LAN environment anyway.

    As with a VCS-C/E deployment, you have the model of internal and external with different VCS hosts, where it tries to get provisioning and then, depending on which one it gets, the data for the registration. It may be that in any case you only get the external IP of the VCS-E.

    I would therefore simply deploy a DMZ where the outside and inside can reach the Starter Pack with the same address, or even an external IP using a NAT that is hosted in LAN1, or put it directly on a public IP address in a DMZ...

  • Cisco VCS Expressway / Starter Pack = part number / Option key

    Hello

    I m a bit confused about ordering cisco information. My document: http://www.cisco.com/c/en/us/products/collateral/unified-communications/...

    First what we want to do. Quick and short: LAN-MCU -/- DMZ-VCSE VM -/-

    -set up a new environment VCSE only for remote workers.

    -ensure the video service just over the internet for Jabber and SIP/h.323 conference systems

    -only the MCU as a peripheral local registerd to provide several conferences

    That share and option key is therefore the best choice?

    Our plan:

    VCSE:

    R VMVCS-EXPWY-K9 (comes with the Cisco telepresence video Communication Server(OVA file) Network Interface feature, characteristic of the motorway, gateway functionality, 1800 TURN relay Option, VCS-Dual)

    1. what inscriptions? There are 2500 built-in?
    2 what of interoperability feature for h.323/SIP? CAN´t find in the list options.

    Options:

    LIC-VCSE-50, LIC-VCS-OCS

    Now the thing of Jabber:

    We want to connect on WAN Jabber clients. This is why the VCSE STRATER PACK has the nice feature of 50 video of Jabber Cisco TelePresence licenses with management in there. But if we get that the CTI-VCS-STPAK-K9 instead of the VCSEVM, we have a limitation of 50 records and 10 calls trasversal, right? Only then the VCSE is intresting (culture and systems to support), but we want the Jabber options on it without buying an MSD.

    1 can we install the CTI-VCS-STPAK-K9 key as an option on the VCSEVM and Jabber use 50 records without losing other features of Highway?
    2 or is it possible to install the CTI-VCSE-SPUPG-K9 key as an option to enable Cisco Jabber 100 user on this VCSEVM?

    Or do we buy the CTI-TMS-SW-K9 with LIC-MOVI-25 (the different today: LIC-JAB-MOB-25, LIC-TMS-EP-25)

    Thanks a lot for answering

    One of the first things I would consider on VCS Starter Pack is that it is almost end of sale, first of September 2014, so think of this forward.

    / EOS-EOL-Notice-C51 - 731300.html

    • What about registrations? Are there 2500 built in?
      • A single VCS will support up to 2500 registrations out of the box with a valid key.
    • What about the H.323/SIP interworking feature?
      • Interworking is supported out of the box, so no separate option key is required.
    • Options: LIC-VCSE-50, LIC-VCS-OCS
      • LIC-VCS-OCS is necessary only if you plan to integrate the VCS with Microsoft OCS/Lync; otherwise it is not necessary, especially for Jabber Video.
    • Can we install the CTI-VCS-STPAK-K9 key as an option on the VCSEVM and use 50 Jabber registrations without losing other Expressway features?
      • The VCS Starter Pack is a separate server from the VCS Control and Expressway.
    • Or is it possible to install the CTI-VCSE-SPUPG-K9 key as an option to enable Cisco Jabber for 100 users on this VCSEVM?
      • It is possible to upgrade a VCS Starter Pack to a VCS Control or an Expressway, but you will lose the original Starter Pack call licenses and Jabber Video options, as they are not transferable. The licenses or options you have purchased on top of the basic Starter Pack are, however, transferable.
    • Or do we buy the CTI-TMS-SW-K9 with LIC-MOVI-25 (the different today: LIC-JAB-MOB-25, LIC-TMS-EP-25)
      • If you buy the VCS Starter Pack, it will manage the provisioning of Jabber Video for you. If you buy a VCS Expressway, you can also buy TMS and install the TMS Provisioning Extension, which is free. To use TMSPE, you will need provisioning option keys installed in TMS; the difference between the provisioning option keys is simply the types of devices you can provision. They all kind of do the same thing really, but for Jabber Video you want LIC-MOVI-XX.
  • Placing the VCS-E Starter Pack outside a firewall

    I have what I want, it's a quick question. My client has not bought the DNI option for their VCS Starter Pack. So that means I have to assign a public IP address. In addition, the way that their firewall is set up I have to consider putting the VCS outside the firewall. Therefore, in the wild as they say. I read solutions where the VCS-E (and I guess the Starter Pack follows suit) is essentially a safety device.

    I wonder if people have done this before and if anyone had any ideas on how secure (or insecure) prospective configuration is?

    -Bill

    Hi William!

    Nice to see you here again, how are you?

    I wouldn't recommend that. Instead, either get the DNI and put it in a DMZ with a private IP address, or simply put it in a DMZ with a public IP address, which works very well also.

    Even if you do not have a real DMZ, as long as you have access to the router you might be able to allow traffic only to the required ports with an access list.

    In particular, management should be blocked here; there may still be bugs in the different components (such as the ssh server, web server, ...) or the password gets hacked, ... so why keep it open to the public?

    This is a list of open ports on a pretty much default VCS Starter Pack:

    tcp        0      0 192.168.1.100:5060     0.0.0.0:*               LISTEN      4863/app
    tcp        0      0 192.168.1.100:5061     0.0.0.0:*               LISTEN      4863/app
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6140/httpd
    tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      4180/epmd
    tcp        0      0 0.0.0.0:4372            0.0.0.0:*               LISTEN      4134/beam.smp
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3610/sshd
    tcp        0      0 192.168.1.100:2776     0.0.0.0:*               LISTEN      4863/app
    tcp        0      0 192.168.1.100:1720     0.0.0.0:*               LISTEN      4863/app
    tcp        0      0 192.168.1.100:2777     0.0.0.0:*               LISTEN      4863/app
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6140/httpd
    udp        0      0 192.168.1.100:123      0.0.0.0:*                           5395/ntpd
    udp        0      0 0.0.0.0:123             0.0.0.0:*                           5395/ntpd
    udp        0      0 0.0.0.0:161             0.0.0.0:*                           3629/snmpd
    udp        0      0 0.0.0.0:4371            0.0.0.0:*                           4134/beam.smp
    udp        0      0 192.168.1.100:500      0.0.0.0:*                           3636/racoon
    udp        0      0 192.168.1.100:5060     0.0.0.0:*                           4863/app
    udp        0      0 192.168.1.100:1719     0.0.0.0:*                           4863/app
    udp        0      0 192.168.1.100:2776     0.0.0.0:*                           4863/app
    udp        0      0 192.168.1.100:2777     0.0.0.0:*                           4863/app
    udp        0      0 192.168.1.100:3478     0.0.0.0:*                           4863/app

    I wonder why a non-clustered VCS needs some of these services listening on the Ethernet interface (beam, epmd, racoon, ...), but yes, this is one more reason why I don't keep it without a firewall :-)

    A highly unsupported way, which also does not survive a reboot or upgrade, can be to connect to the box as root and use the underlying Linux iptables to allow what is necessary and block off everything else. (iptables is a firewall tool for most versions of Linux.)

    You will find a lot of resources on the Internet; this was just a first hit through Google:

    http://edgis-security.org/operating-system-and-software/iptables-tutorial-series-01-Introduction/

    I guess something more user-friendly will come in X7.2; Andreas posted it here:

    https://supportforums.Cisco.com/message/3653700#3653700

    Another thing worth noting is that for the upcoming X7.2 release for the  VCS, we are looking at including a basic built-in firewall on the VCS  itself which could also be used to only permit access to certain  services from certain hosts or subnets. It is however not currently  certain whether or not this feature will actually make it into X7.2, so  you will just have to wait and see.

    But even in this case I recommend to use a firewall, right from the start.

    Martin
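
The allow-list approach from the reply above, as an added example that is not part of the original posts: this Python sketch parses a `netstat`-style listing and emits candidate iptables rules that open call services to everyone, restrict management to one subnet, and give everything else no rule. Assumptions: the `app` process is the call-control service, `192.0.2.0/24` is a placeholder management subnet, the media range is the one quoted elsewhere on this page, and the sample listing is constructed from the output in the post.

```python
import ipaddress
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port process")

# Constructed sample, abridged from the listing in the post above.
SAMPLE = """\
tcp   0  0 192.168.1.100:5060  0.0.0.0:*  LISTEN  4863/app
tcp   0  0 192.168.1.100:5061  0.0.0.0:*  LISTEN  4863/app
tcp   0  0 0.0.0.0:80          0.0.0.0:*  LISTEN  6140/httpd
tcp   0  0 0.0.0.0:4369        0.0.0.0:*  LISTEN  4180/epmd
tcp   0  0 0.0.0.0:22          0.0.0.0:*  LISTEN  3610/sshd
tcp   0  0 192.168.1.100:1720  0.0.0.0:*  LISTEN  4863/app
tcp   0  0 0.0.0.0:443         0.0.0.0:*  LISTEN  6140/httpd
udp   0  0 0.0.0.0:161         0.0.0.0:*          3629/snmpd
udp   0  0 192.168.1.100:500   0.0.0.0:*          3636/racoon
udp   0  0 192.168.1.100:5060  0.0.0.0:*          4863/app
udp   0  0 192.168.1.100:1719  0.0.0.0:*          4863/app
udp   0  0 192.168.1.100:3478  0.0.0.0:*          4863/app
"""

LINE_RE = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?\d+/(\S+)\s*$"
)

# Assumptions for illustration; confirm against the vendor's port usage guide.
CALL_PROCESSES = {"app"}                      # SIP / H.323 / TURN listeners
MGMT_PROCESSES = {"httpd", "sshd", "snmpd"}   # admin interfaces
MGMT_NET = "192.0.2.0/24"                     # placeholder management subnet
MEDIA_UDP_RANGE = (50000, 52399)              # range quoted elsewhere on this page


def parse_listeners(text):
    """Return one Listener per parsable netstat line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, addr, port, process = m.groups()
            found.append(Listener(proto, addr, int(port), process))
    return found


def classify(listener):
    """'public' for call services, 'mgmt' for admin services, else 'drop'."""
    if listener.process in CALL_PROCESSES:
        return "public"
    if listener.process in MGMT_PROCESSES:
        return "mgmt"
    return "drop"  # epmd, beam.smp, racoon, ntpd: no inbound rule at all


def build_rules(listeners, mgmt_net=MGMT_NET):
    """Build an ordered allow-list ending in a default-drop policy."""
    ipaddress.ip_network(mgmt_net)  # raises ValueError on a malformed subnet
    rules = [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    seen = set()
    for l in sorted(listeners, key=lambda l: (l.proto, l.port)):
        if (l.proto, l.port) in seen:
            continue
        seen.add((l.proto, l.port))
        kind = classify(l)
        if kind == "public":
            rules.append(f"iptables -A INPUT -p {l.proto} --dport {l.port} -j ACCEPT")
        elif kind == "mgmt":
            rules.append(
                f"iptables -A INPUT -p {l.proto} -s {mgmt_net} "
                f"--dport {l.port} -j ACCEPT"
            )
    lo, hi = MEDIA_UDP_RANGE
    rules.append(f"iptables -A INPUT -p udp --dport {lo}:{hi} -j ACCEPT")
    rules.append("iptables -P INPUT DROP")
    return rules


if __name__ == "__main__":
    for rule in build_rules(parse_listeners(SAMPLE)):
        print(rule)
```

The same classification can be turned into a router access list instead of host rules, which matches the supported option the reply recommends first.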

  • VCS Expressway Starter Pack

    Hi all

    First of all, let me say that I am kind of new to the "Tandberg" part of telepresence.

    I'll set up a VCS Expressway Starter Pack (with the dual network interface option) next week at our customer's.

    I read the VCS Expressway SP deployment guide, but I still have a few questions:

    -What is the best place to put the VCSe SP? (inside the DMZ, or on the public network)

    Tomorrow we will hear whether or not the customer has a DMZ.

    -I understand that the external firewall must redirect the ports 5060, 5061 and range 50000/52399 to the VCSe SP

    If there is a DMZ, do we need to open the ports on the inside firewall as well?

    -Is it possible with the VCSe SP to receive video calls from endpoints that are not (locally) registered? (For example: an E20 at another company) If so, do we need to open additional ports on the firewall?

    Thank you in advance,

    Wouter

    Hi Wouter,

    Check out the link for more information below.

    http://www.Cisco.com/en/us/prod/collateral/ps7060/ps11305/ps11315/ps11337/data_sheet_c78-697075.html

    It gives answers to some of your questions, like which is the best place in the network to install the VCS-SP.

    Normally, we have seen many customers put the box in the DMZ and use it for incoming and outgoing calls.

    The deployment, though, depends specifically on the requirements and the network design.

    Also see VCS starter pack deployment guide.

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_Expressway_Starter_Pack_Deployment_Guide_X7-1.PDF

    It gives the port information; also check the port usage document at the link below.

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_IP_Port_Usage_for_Firewall_Traversal_Deployment_Guide_X4_to_X7.PDF

    And to answer your last question: yes, it's possible to receive video calls from endpoints not locally registered to the VCS-SP, but then you need DNS SRV records for your video domain, or callers must call using the IP address of the VCS-SP.

    SRV DNS is the preferred method.

    Thank you

    Alok
