VCS, VCS-E, TMS, TMSPE, Jabber/Movi authentication

Just trying to figure the best way to approach this.

I have read the documentation and the best approach seems to be to connect the VCS and VCS-E to Active Directory and to synchronize TMS with AD for user account creation. This would avoid the need to proxy Movi registrations to the VCS Control and would ensure that all (SIP and H323) registrations to the VCS-E are authenticated.

I don't think that my client will allow the VCS-E to talk to AD.

So, what are my options?

If I proxy SIP registrations from the VCS-E to the VCS Control, how do I handle H323? I don't want just any H323 endpoint to register with the VCS-E. I need to authenticate them. The customer has external H323 endpoints that they would like to register to the VCS-E. I know I could put registration rules in place to allow only certain SIP URIs, H323 IDs etc., but that's really just security by obscurity.

Can the local database on the VCS and VCS-E be used to authenticate Movi/SIP and H323 registrations? I know that I would have to duplicate accounts and passwords on both.

What about provisioning and phone books with registration through the VCS-E? Would that still work?

Any suggestions on the best way to handle this in the safest way possible without breaking things?

If I go with VCS Control and VCS Expressway with (direct) Active Directory authentication on the VCS Control, as described in the Authenticating Devices guide, am I looking at the reality that I will not be able to restrict who can register to the VCS-E? In that case, should I just restrict the search rules to authenticated users only?

Thank you

Jon

Hey Jon,

With Movi/Jabber you won't have to worry about authenticating H323. With your endpoints, however, you can just use the local database or H350 to authenticate (more can be read about that in the device provisioning guide Tomo referred to). You can create a generic credential for all your endpoints (less secure if it is discovered). But combining this with a call policy will ensure better security.

I highly doubt that your client will allow you to let the VCSE talk to AD. For Movi/Jabber users, you can create another subzone and use a regex pattern such as .*(\.movi)@domain.com to point Movi/Jabber users to authenticate against it. In addition, you can refer to this snippet that I and others have used in the past.

In a secure design, the VCS (Control and Expressway) would require credentials for registration.

The VCS Control would have the Active Directory Service enabled and be joined to the Active Directory domain. For the VCS to authenticate the Movi/Jabber credentials against Active Directory before the provisioning SUBSCRIBE is sent to the provisioning service, the Default Zone would be set to check credentials. For SUBSCRIBE requests coming from the Expressway, the zone on the VCS Control would also be set to check credentials. That handles authentication for provisioning.

The next part is the registration of the Movi/Jabber client. The subzone the client will register to must also be set to check credentials. That's everything you need for internal registrations (registration to the VCS Control).

For the Expressway, things get a little more complicated. For the provisioning subscription, the SUBSCRIBE is forwarded to the VCS Control. With the zone on the VCS Control set to check credentials, you're all set. Now on to registration to the Expressway. The subzone the client will register to must be set to check credentials. Since the Expressway VCS doesn't have direct access to Active Directory, we use local credentials on the Expressway. A set of credentials should be configured in VCS Configuration > Authentication > Devices > Local database. You will create a single username and password that all Movi/Jabber clients will use. The end user has NO need to know these credentials. The username and password are provided to the Movi/Jabber client via the provisioning data it receives. To set up these data in TMS, you must configure a SIP authentication username and SIP authentication password in the provisioning configuration. For these options to be available, you must ensure that you have uploaded the configuration template XML for the Movi/Jabber version you are using. The XML file is included in the full client zip package, which can be downloaded from www.cisco.com. So that takes care of registration from the Expressway. Now, this creates an interesting situation with the VCS Control. The internal Movi/Jabber client will receive the same provisioning configuration and will attempt to use those same credentials when registering to the VCS Control. The VCS Control is already set to authenticate against Active Directory and Active Directory ONLY for registration.

You will need to create an account in Active Directory corresponding to these credentials. The Active Directory account doesn't need special access. It is used only for authentication purposes. A few things to keep in mind: the SIP authentication username and SIP authentication password are stored in clear text in the provisioning configuration. This means that the data is sent in clear text. To be sure that these data are not compromised on the wire, make sure that you are using TLS for your Movi/Jabber SIP communication.

With this, directories will always work, as Jabber has to be authenticated in order to receive directories. Your physical endpoints will work differently in how they receive phone books and whether or not they are able to communicate with TMS (unless you choose to provision the endpoints too, if they are capable of it).

This is in no way the most secure design possible. It is up to you to ensure that your environment is as secure as possible and tested accordingly. The best way to lock everything down is a well-defined call policy designed around your specific needs.

The foregoing is in no way a recommendation but just a little more information to chew on while looking to choose and implement what is best for you.

Adam
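The Expressway-side check Adam describes (one shared SIP credential held in the local database, checked on every registration) and the "calculated response does not match" failure quoted in the log lines further down this page are both instances of SIP digest authentication. The following Python script is an added illustration written for this page; it is not Adam's, Cisco's or the VCS's code. It builds the Authorization header a client sends after a 401 challenge and validates it against a local credential store the way a registrar zone set to check credentials would. The LOCAL_DATABASE contents, the realm, the nonce and the account names are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for "VCS Configuration > Authentication > Devices > Local database":
# one shared credential that every provisioned Movi/Jabber client uses, plus one
# endpoint credential. All values here are made up for this example.
LOCAL_DATABASE = {
    "movi-shared": "Provisioned-Secret-123",
    "room-endpoint-1": "Endpoint-Secret-456",
}

REALM = "expressway.example.com"  # assumed realm name sent in the 401 challenge


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop, the classic SIP REGISTER form:
    MD5( MD5(user:realm:pass) : nonce : MD5(method:uri) )."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, password, realm, nonce, method, uri):
    """Client side: the Authorization header sent in the retried REGISTER.
    The password itself never goes on the wire, only the digest response."""
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')


# key="quoted value" or key=bare-token, comma separated
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted and bare values both accepted)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"unsupported scheme: {scheme}")
    return {k: (b if b else q) for k, q, b in _PARAM_RE.findall(params)}


def validate_register(header, method, nonce, credentials=LOCAL_DATABASE):
    """Registrar side: returns (accepted, reason).
    Recomputes the digest from the stored password and compares it with the
    response the client supplied; a wrong password, a replayed nonce or a
    different method/URI all show up as a mismatch, never as a password leak."""
    p = parse_authorization(header)
    for field in ("username", "realm", "nonce", "uri", "response"):
        if field not in p:
            return False, f"missing {field}"
    if p["realm"] != REALM:
        return False, "wrong realm"
    if not hmac.compare_digest(p["nonce"].encode(), nonce.encode()):
        return False, "stale or unknown nonce"
    if p["username"] not in credentials:
        return False, "unknown user"
    calculated = digest_response(p["username"], p["realm"], credentials[p["username"]],
                                 method, p["uri"], p["nonce"])
    if not hmac.compare_digest(calculated.encode(), p["response"].encode()):
        return False, "calculated response does not match"
    return True, "ok"


def demo():
    """Three registrations against the constructed local database."""
    nonce = secrets.token_hex(16)          # fresh per-challenge nonce, as a registrar would issue
    uri = "sip:expressway.example.com"
    good = build_authorization("movi-shared", LOCAL_DATABASE["movi-shared"], REALM, nonce, "REGISTER", uri)
    bad = build_authorization("movi-shared", "wrong-password", REALM, nonce, "REGISTER", uri)
    unknown = build_authorization("unprovisioned-endpoint", "anything", REALM, nonce, "REGISTER", uri)
    return {
        "provisioned client": validate_register(good, "REGISTER", nonce),
        "wrong password": validate_register(bad, "REGISTER", nonce),
        "not in local database": validate_register(unknown, "REGISTER", nonce),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24s} -> {result}")
```

The digest keeps the shared password off the wire, but it does not protect the provisioning payload that delivers that password to the client in the first place, which is why the TLS point above matters; and because every client shares one credential, a mismatch in the registrar log tells you only that the offered password was wrong, not which user offered it.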

Tags: Cisco Support

Similar Questions

  • MOVI authentication for VCS-TMSPE-AD?

    Hi Experts,

    Setup is VCS X7.2, TMSPE 13.2 with MS Active Directory as the user database.

    The user accounts have been imported into TMSPE via Systems > Provisioning > Users > Group XXX > Import users > Configure AD.

    And the VCS has been integrated with TMSPE successfully.

    The question here is how the authentication works. Were the username/password and full name imported into TMSPE during the import and then passed on to the VCS? Or were only the user names imported into TMS?

    I tried to log in, but it always said the username/password was wrong, with the logging below; but if I change the user's password in TMSPE manually, then it works.

    2012-11-20T23:58:18+08:00 VCSC tvcs: elements UTCTime="2012-11-20 15:58:18,406" Module="network.http" Level="DEBUG": Message="Request" method="POST" URL="http://127.0.0.1:9998 / identification/name/lianzhao information" Ref="0x3985970"

    2012-11-20T23:58:18+08:00 VCSC tvcs: elements UTCTime="2012-11-20 15:58:18,411" Module="network.http" Level="DEBUG": Message="Response" Src-ip="127.0.0.1" Src-port="9998" Dst-ip="127.0.0.1" Dst-port="47550" Response="200 OK" ResponseTime="0.003867" Ref="0x3985970"

    2012-11-20T23:58:18+08:00 VCSC tvcs: elements UTCTime="2012-11-20 15:58:18,411" Module="network.ldap" Level="INFO": Detail="directory of identity authentication credentials: lianzhao"

    2012-11-20T23:58:18+08:00 VCSC tvcs: elements UTCTime="2012-11-20 15:58:18,411" Module="developer.nomodule" Level="NOTIFY" CodeLocation="ppcmains/sip/sipproxy/SipProxyAuthentication.cpp(453)" Method="SipProxyAuthentication::validateDigestAuthorisationCredentials" Thread="0x7f7b9fffd700": calculated response does not match the provided response, calculatedResponse=6c510983415df744b9fc057cd5315133, response=bfc97064a7d7e434f1a1d189e59d996e

    For device authentication using NTLM with MS AD integration, TMS imports the user accounts from the AD server (the user account only, not the password).

    This account information is exported from TMS to the VCS as the provisioning user account (again, without the password).

    When the VCS receives the provisioning request from the Jabber Video client, the VCS challenges it and checks the password against the AD server.

    For the traffic flow, please see the authentication deployment guide https://supportforums.cisco.com/docs/DOC-25398 or the device authentication guide.

  • Jabber/MOVI routing over VPN on VCS-E calls

    Hi all

    I have a problem with the following situation.

    - 2 Movi clients connected via VPN tunnel to the VCS Expressway

    - both VPN tunnels on the same subnet.

    - ICE NOT set up!

    Now the problem is that the signaling traffic passes through the VCS-E but the media traffic goes direct, which in this VPN situation would not be allowed.

    Is it possible to configure something so that all signaling and media traffic goes through the VCS-E when the two Movi clients are on the same subnet?

    Best regards

    Georg

    The call between the two Jabber Video clients has the same SIP contact address and IP source address, so the VCS will treat it as a non-traversal call (client not behind the firewall).

    That's why the VCS won't stay in the media path.

    Are you able to configure the VPN client DHCP range with a different IP subnet?

  • Cisco Jabber (Movi) & VCS - E receives no video & audio

    I have a setup with a VCS Expressway Starter Pack (X7.1) where Ethernet interface 2 is connected to an internal network on 192.168.x.x and Ethernet interface 1 is connected directly to the Internet (through a router to the Internet provider).

    Inside the network I have a few TC5 & TC4 endpoints and an MCU. Communication from all these endpoints to the Internet works very well for both SIP and H.323.

    I also have a number of Jabber/Movi accounts on the VCS-E.

    Registration of the Jabber accounts to the VCS-E works very well from both the internal and external networks.

    Using these (v4.3) Jabber accounts on the internal or external network to call endpoints/the MCU on the internal network, there is no problem.

    When I use the same Jabber account to call another endpoint on the Internet, I always get one-way communication, i.e. the Jabber does not receive video and audio.

    I took a few network traces on the VCS-E but did not find the problem.

    Any ideas what could be the problem?

    Rgds, Geert Folens.

    Hi Geert,

    Excellent... I am pleased that it resolved your problem. I would be grateful if you would mark the thread as answered!

    Cheers

    Alok

  • Replace CE500 VCS Starter Pack and keep Movi.

    Hello

    Our users' VCS Starter Pack is getting old and we want to replace it. The customer uses Movi a lot, but not with TMS. If we replace the VCS Starter Pack with a CE500 and keep Movi, is TMS required? Can Movi be used without TMS?

    Yes, TMS is required to use Jabber Video. In fact, you need both TMS and VCS.

    The best route is to upgrade the VCS Starter Pack using the part "VCS Starter Pack Upgrade to VCS Control - TMS, Movi 100 users", part number CTI-VCSC-SPUPG-K9. This upgrade gives you a full VCS and a full TMS plus 100 licenses.

    If you have more than 100 Jabber (Movi) users you need to migrate your licenses over.

  • Number Maximum TMSPE - Jabber Video - users?

    Hi guys,

    (new installation)

    I have a client who is looking to use AD to add users to Jabber/Movi. They will use TMSPE. They are thinking of deploying about 10,000 users. Does anyone know what the maximum number of Jabber accounts is?

    What hardware/software is needed for the SQL server and TMS?

    Thank you

    Robert

    Hello

    This is all mentioned in the TMSPE deployment guide.

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/tmspe/Install_Guide/Cisco_TMSPE_Deployment_Guide_1-0.PDF

    "Do not let the VCS exceed the limits of its internal tables.

    A Cisco VCS cluster of any size supports the import of:

    10,000 provisioning users

    10,000 FindMe accounts

    200,000 phone book entries"

    1 VCS can support the 10,000 imported users, but only 2500 of them can register, unless you have a cluster of several VCSs to cope with more registrations.

    In total, TMSPE can support up to 100,000 users, but to be able to register all those users at the same time, it takes a minimum of 40 VCSs.

    / Magnus

  • Jabber (Movi) users log in to VCS/TMS with any password successfully!

    Hi all

    I'm having this strange problem.

    I have configured TMS provisioning, but I just noticed something very strange.

    When I log in as any user, whatever password I put in there, I can successfully log in as that user.

    I tried wrong passwords on multiple users, and they continue to successfully log in regardless of the password!

    Anyone have any ideas on what this could be?

    These users were added manually.

    Thank you

    Paul

    I got the same results as well. What I found is that the Default Zone had been set to "Treat as authenticated". It should be either "Do not check credentials" or "Check credentials".

    Sent from Cisco Technical Support iPad App

  • Removing a VCS from TMS and TMSPE migration problem

    We are preparing to start using TMSPE, however we must first disable replication on all VCSs via the TMS Agent. There is a VCS that had failed and was deleted afterwards, but we cannot delete it from TMS because TMS Agent replication is enabled. We cannot get to the TMS Agent tab to disable replication because the VCS is offline (i.e. it was removed) - it just goes to the 'Connection' tab whenever I try.

    So, how can we migrate to TMSPE if TMS won't let us delete the offline VCS or at least turn off TMS Agent replication for it?

    Hey Nick

    Try running this SQL query:

    USE TMSNG

    UPDATE field_SystemField SET BolValue = 0 WHERE field_Field_Id = 1072

    UPDATE Cluster SET EnforceTMSAgentDataReplication = 0

    This should clear replication on all VCSs added to TMS (even zombie ones like the one you have). Once it has been executed, you can try to purge the VCS.

    / Magnus

  • VCS-E to VCS-C Movi authentication with AD authentication

    Hello

    We have a VCS-C and a VCS-E. We have Movi users currently authenticated by the local TMS Agent database.

    We are now in the process of migrating to Active Directory authentication.

    We did it by selecting "Check credentials" on the VCS-C Default Zone (the entry point for provisioned clients), and each Movi user on the internal network is getting authenticated with AD credentials (domain\username & domain password).

    However, if a user on the VCS-E attempts to authenticate with AD credentials, the login fails with an invalid username and password.

    If we try to use the TMS Agent username and password, it works very well.

    Proceeding to the next step, we enabled "Check credentials" on the VCS-C traversal client zone to the VCS-E. Then authentication is fine with AD credentials for outside Movi users.

    Now, I want to know whether enabling "Check credentials" on the VCS-C traversal client zone will affect the call flow between the VCS-C and VCS-E or whether any service will be interrupted.

    Best regards // Rio

    Do you have other things registered on the VCS-E? Such as endpoints, gateways? In brief, anything with the same fields that are set up on the VCS-C as well?

    Do you register the Movi clients on the VCS-E or proxy them to the VCS-C?

    Outside calls are not affected at all, as the auth hits the same domain only.

    What you might try is to check whether your Movi users can still successfully connect from the outside through the VCS-E to the devices registered on the VCS-C, and also presence and directories.

    These are the things that likely tend to break, if there is something else wrong.

    Not to mention that if you have configured it correctly, it should work correctly.

    Please take some time and go through this guide; they have fine examples in the appendix, so you can double check your configuration:

    http://www.Cisco.com/en/us/docs/Telepresence/infrastructure/VCs/config_guide/Cisco_VCS_Authenticating_Devices_Deployment_Guide_X7-0.PDF

    Maybe Andreas has something else to add.

    Please rate the answers! (click on the stars below the messages)

  • VCS-C and VCS-E to register Movi clients

    Hello

    I don't know if I'm in the right place here... Is it possible to register Movi clients on a VCS-C / VCS-E deployment without a TMS server? I have no Starter Pack.

    How could I register just Movi clients on the VCS-C / VCS-E?

    Cheers

    Thorsten

    Friend,

    It is not possible to use Jabber Video for TelePresence (Movi) without going through either TMS or a VCS Starter Pack.

    The Jabber client must be provisioned to operate; it is not a regular SIP client.

    Regards

    Paulo Souza

    Sent from Samsung Mobile

  • VCS with TMS Cisco compatibility

    Hi guys,

    One of our clients runs VCS X5.2, and they plan to upgrade the VCS to X7.2.4 due to packet loss.

    Could someone answer my 2 queries below...

    1. Is VCS X7.2.4 compatible with TMS 13.2.2 using the legacy agent? Or does VCS X7.2.4 support only TMSPE?

    2. I saw a Cisco doc claiming that it must go to VCS X6.1 before going from 5.2 to 7.2.4, rather than directly. Is that mandatory?

    Regards, Vigeesh

    The answers to your questions are in the X7.2.4 release notes:

    https://www.Cisco.com/c/dam/en/us/TD/docs/Telepresence/infrastructure/VC...

    1.) Yes, no.

    2.) Yes.

  • Warning in VCS and TMS (legacy TMS Agent mode)

    Hello.

    I have this message in TMS and on the VCS. How do I fix this?

    in TMS: #2057 - Configuration Warning - The VCS is running in legacy TMS Agent mode; it is recommended to switch your system to use another mode.

    in VCS: The VCS is running in legacy TMS Agent mode; it is recommended to switch your system to use another mode.

    How do I switch to a different mode?

    Thank you

    If you are not using Provisioning - remove the provisioning option key from the VCS.

    In the web interface, go to Maintenance > Option keys, select the provisioning key and press delete.

    (It might be helpful to take a note of the key first, in case you decide in the future that you want to install it again - but it can be retrieved otherwise if you lose it, i.e. from the Cisco Licensing Portal.)

    Wayne
    --
    Remember to rate responses and mark your question as answered as appropriate.

  • Contacts Directory TMSPE and Jabber/Movi

    Hi, how come Jabber shows both FindMe entries and provisioned devices in the same provisioning directory?

    I don't know how to disable this feature. I would like the phone book to show only one entry per person.

    My advanced settings in the provisioning directory look like this:

    and Jabber looks like this:

    br, Tom

    Hi Tom

    The devices could already have been imported. I would delete the source and re-create it with this advanced setting checked (import provisioned devices).

    Then give access to the group you want, click on the directory source, and click the update button. Then go to the VCS and perform a full synchronization. This should do the trick.

    / Magnus

  • Problem with TMS directory distribution to Jabber Video

    Hello

    Recently I have had a problem with configuring directories for Jabber Video clients. I looked through a few topics that seem related but found them a little different.

    In short: TMS 13.2 with the Provisioning Extension configured and FindMe off, VCS Expressway 7.2, Cisco Jabber Video client v4.5.

    Steps performed:

    1. A new user was created (inside Provisioning > Users) with [email protected] / * / and Device_Address_Pattern = [email protected] / * /.

    2. This user automatically appeared in the Provisioning directory (which already had a few other contacts inside).

    3. I connected the Jabber Video client with the new account (TMS shows the license usage), but cannot find any of the provisioned users via the search field within the client.

    It is easy to manually assign a phone book to a device using the 'Set on systems' function. But what do I do to get the entries into the Jabber Video client?

    Thanks in advance!

    Hi Alex

    In directory management, if you click on a directory there is an Access Control tab that allows you to assign directory access to users.

    Then you must make sure that you have the phone book server URI in the provisioning user template configuration as [email protected] / * / .

    Then make sure that TMS and the VCS are synchronized; you should now be able to search the directories if everything is correct.

    / Magnus

  • UPGRADE VCS Starter Pack to VCSE Expressway

    Hello support community.

    Just a quick question about the upgrade process. With this key:

    Video Communication Server Starter Pack Upgrade to VCS Expressway - TMS, Cisco Jabber Video for TelePresence 100 users CTI-VCSE-SPUPG-K9 TTC2-04

    I can add it as an option on my VCSESTRTPACK and remove the starter pack option afterwards. After that, I have a VCSE without provisioning.

    But what about the Jabber users? How is that license provided to me?

    Can I just install the same option key on TMS and this will add 100 Jabber users to it? Or do I have to buy a separate license for this?

    Thanks for the support :)

    From what I found online:

    • You can convert the Starter Pack to either a Control or an Expressway, depending on which part number you use (CTI-VCSC-SPUPG-K9 or CTI-VCSE-SPUPG-K9).
    • You will lose the integrated provisioning management and Jabber Video/Movi licenses.
    • You will retain additional call licenses that were purchased on top of the base call licenses.
    • You will receive the base TMS application + 100 Jabber Video/Movi licenses.
