Cisco TelePresence Administrator's Manual

Video communication server
Cisco TelePresence
Video Communication
Server
Administrator Guide
Software version: X8.1.1
D14049.16
April 2014

Summary of Contents for Cisco TelePresence

  • Page 1 Cisco TelePresence Video Communication Server Administrator Guide Software version: X8.1.1 D14049.16 April 2014...
  • Page 2: Table Of Contents

    Contents Introduction About the Cisco TelePresence Video Communication Server (VCS) VCS base applications Standard features Optional features Installation and initial configuration About this guide Related documentation Training Glossary Accessibility notice Using the web interface Using the command line interface (CLI) Web page features and layout What’s new in this version?
  • Page 3 Configuring registration restriction policy Registering aliases About Allow and Deny Lists Configuring the registration Allow List Configuring the registration Deny List Configuring Registration Policy to use an external service Device authentication Cisco VCS Administrator Guide (X8.1.1) Page 3 of 507...
  • Page 4 License usage within a cluster Managing clusters and peers Setting up a cluster Maintaining a cluster Specifying peer-specific items in clustered systems Sharing registrations across peers Sharing bandwidth across peers Cluster upgrades, backup and restore
  • Page 5 ENUM dialing for outgoing calls Configuring zones and search rules for ENUM dialing ENUM dialing for incoming calls Configuring DNS servers for ENUM and URI dialing Configuring call routing and signaling
  • Page 6 Account types Configuring password security Configuring administrator accounts Viewing active administrator sessions Login history Configuring remote account authentication using LDAP Checking the LDAP server connection status Configuring administrator groups Configuring FindMe groups
  • Page 7 Incident reporting caution: privacy-protected personal data Enabling automatic incident reporting Sending incident reports manually Viewing incident reports Incident report details Checking the effect of a pattern Locating an alias Port usage
  • Page 8 TMS Provisioning Extension service status Provisioning Server device requests status (Cisco TMSPE) User records provided by Cisco TMSPE services FindMe records provided by Cisco TMSPE services Phone book records provided by Cisco TMSPE services Provisioned devices Checking provisioned data Starter Pack Provisioning Server status...
  • Page 9 Unified Communications port reference Microsoft Lync B2BUA port reference Device authentication port reference H.350 directory service Active Directory (direct) Regular expressions Supported characters Call types and licensing Call types What are traversal calls? Alarms
  • Page 10 External policy request parameters Default CPL for policy services Flash status word reference table Supported RFCs Software version history X7.2.1 X7.2 X7.1 Related documentation Legal notices Intellectual property rights Copyright notice Patent information
  • Page 11: Introduction

    Introduction This section provides an overview of the Cisco TelePresence Video Communication Server. About the Cisco TelePresence Video Communication Server (VCS) About this guide What’s new in this version?
  • Page 12: About The Cisco TelePresence Video Communication Server (VCS)

    TMS). The VCS interworks transparently with Cisco Unified Communications Manager (Unified CM), bringing rich telepresence services to organizations with Unified CM. It also offers interoperability with third-party unified communications, IP telephony networks, and voice-over-IP (VoIP) systems. The VCS supports on-premises and cloud applications and is available as a dedicated appliance or as a virtualized application on VMware, with additional support for Cisco Unified Computing System (Cisco UCS) platforms.
  • Page 13: VCS Base Applications

    SIP or H.323 protocol. Standard features The primary purpose of the VCS is to provide secure firewall traversal and session-based access to Cisco Unified Communications Manager for remote workers, without the need for a separate VPN client.
  • Page 14: Optional Features

    Control over which endpoints are allowed to register Call Policy (also known as Administrator Policy) including support for CPL Support for external policy servers Can be managed with Cisco TelePresence Management Suite (Cisco TMS) 13.2 or later AD authentication for administrators of the VCS Pre-configured defaults for:...
  • Page 15 EX and MX Series can request to be provisioned.) All configuration and phone book information is managed in Cisco TMS. The data is then transferred to the VCS, from where it is distributed to endpoint clients through the Provisioning Server running on the VCS.
  • Page 16: Installation And Initial Configuration

    Introduction About the Cisco TelePresence Video Communication Server (VCS) Virtual appliance support The VCS can run on VMware on a range of Cisco UCS servers. See VCS on Virtual Machine Installation Guide for more information. Installation and initial configuration Full installation and initial configuration instructions for the VCS are contained in VCS Getting Started Guide.
  • Page 17: About This Guide

    A glossary of TelePresence terms is available at: https://tp-tools-web01.cisco.com/start/glossary/. Accessibility notice Cisco is committed to designing and delivering accessible products and technologies. The Voluntary Product Accessibility Template (VPAT) for Cisco TelePresence Video Communication Server is available here: http://www.cisco.com/web/about/responsibility/accessibility/legal_regulatory/vpats.html#telepresence You can find more information about accessibility here: http://www.cisco.com/web/about/responsibility/accessibility/index.html...
  • Page 18: Using The Web Interface

    IP address of the system the FQDN of the system 2. Click Administrator Login. (This step only applies if you are using "standalone FindMe" i.e. FindMe without Cisco TMSPE.) 3. Enter a valid administrator Username and Password and click Login (see the user accounts section for details on setting up administrator accounts).
  • Page 19: Using The Command Line Interface (CLI)

    Typing an xConfiguration path into the CLI followed by a ? returns information about the usage for that element and sub-elements. Typing an xCommand command into the CLI with or without a ? returns information about the usage of that command.
  • Page 20: Web Page Features And Layout

    Log out This icon appears on the top right corner of every page. Clicking on this icon ends your administrator session.
  • Page 21 LAN 1 IPv4 address if no system name is configured), local system time, currently selected language, serial number and VCS software version are shown at the bottom of the page. Note that you cannot change configuration settings if your administrator account has read-only privileges.
  • Page 22: What's New In This Version

    X8.1.1 Unified Communications: mobile and remote access Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager (Unified CM) when the endpoint is not within the enterprise network.
  • Page 23 1 video call or 2 audio-only SIP calls. Hence, a 100 traversal call license would allow, for example, 90 video and 20 SIP audio-only simultaneous calls. Any other audio-only call (non-traversal, H.323 or interworked) will consume a standard video call license (traversal or non-traversal as appropriate).
  • Page 24 Instead, we recommend that you use the Microsoft Lync B2BUA to route SIP calls between the VCS and a Microsoft Lync Server, and to configure your Cisco AM GWs as B2BUA transcoders. Note that B2BUA connections to Microsoft OCS are no longer supported from X8.1.
  • Page 25 The online help has a new skin and an improved search capability. There is a new Cisco Unified Communications Manager (8.6.1 or later) zone profile. This profile supports BFCP and should be used in SIP trunk neighbor zones to Unified CM running version 8.6.1 or later.
  • Page 26 The Local option has also been renamed to Local only. Note: do not use Remote only if VCS is managed by Cisco TMS. The Reboot, Restart and Shutdown maintenance options have been combined into one Restart options page.
  • Page 27 Require UDP BFCP mode and Require Duo Video mode. They existed to provide support for interoperability issues with old versions of Cisco TelePresence MXP endpoints. These settings can still be configured via the CLI if necessary. Login account authentication configuration...
  • Page 28: Network And System Settings

    IP settings, firewall rules, intrusion protection and the external services used by the VCS (for example DNS, NTP and SNMP). Network settings Intrusion protection Network services Configuring external manager settings Configuring TMS Provisioning Extension services
  • Page 29: Network Settings

    IP Route commands. You can configure routes for up to 50 network and host combinations. Do not configure IP routes by logging into the system as root and using "ip route" statements.
  • Page 30: LAN Configuration

    The VCS Expressway may also be used to traverse internal firewalls within an enterprise. In this case the "public" IP address may not be publicly accessible, but is an IP address accessible to other parts of the enterprise.
  • Page 31: Configuring Ethernet Settings

    A mismatch in Ethernet speed settings between the VCS and Ethernet switch will at best result in packet loss; at worst it will make the system inaccessible for endpoints and system administrators.
  • Page 32: Configuring DNS Settings

    Note that setting a small source port range will increase your vulnerability to DNS spoofing attacks. Configuring DNS server addresses You must specify at least one DNS server to be queried for address resolution if you want to:
  • Page 33: Configuring Quality Of Service Settings

    The VCS supports the DiffServ (Differentiated Services) mechanism which puts the specified Tag value in the TOS (Type Of Service) field of the IPv4 header or TC (Traffic Class) field of the IPv6 header.
  • Page 34: Intrusion Protection

    Any changes made at this stage to the current active rules are held in a pending state. When you have completed making all the necessary changes you can activate the new rules, replacing the previous set.
  • Page 35 Transport The transport protocol to Only applies if specifying a Custom service. which the rule applies.
  • Page 36: Current Active Firewall Rules

    The rules by which specific log file messages are associated with each category are also pre-configured and cannot be altered. You can view example log file entries that would be treated as an access failure/intrusion
  • Page 37 1. Go to System > Protection > Automated detection > Configuration. 2. Click on the name of the category you want to configure. You are taken to the configuration page for that category.
  • Page 38 The system will display all the relevant events for that category. You can then search through the list of triggering events for the relevant event details such as a user name, address or alias.
  • Page 39: Additional Information

    Its running totals of failures and blocks are reset to zero. You can view all Event Log entries associated with the automated protection service by clicking View all intrusion protection events on the Automated detection overview page.
  • Page 40: Network Services

    Determines whether the VCS can be Cisco TMS accesses the VCS via the web server. If (over HTTPS) accessed via the web interface. HTTPS mode is turned off, Cisco TMS will not be able to Default is On. access it. Session limits
  • Page 41 1 year expiry time. Off: the Strict-Transport-Security header is not sent, and browsers work as normal. Default is On.
  • Page 42 Treat as revoked: treat the certificate as revoked (and thus do not allow the TLS connection). Treat as not revoked: treat the certificate as not revoked. Default: Treat as not revoked
  • Page 43: Configuring SNMP Settings

    SNMP) is used to configure the VCS's SNMP settings. Tools such as Cisco TMS or HP OpenView may act as SNMP Network Management Systems (NMS). They allow you to monitor your network devices, including the VCS, for conditions that might require administrative attention.
  • Page 44 By default, SNMP is Disabled, therefore to allow the VCS to be monitored by an SNMP NMS (including Cisco TMS), you must select an alternative SNMP mode. The configurable options are: Field Description...
  • Page 45: Configuring Time Settings

    FQDN or IP address for the NTP server Three of the Address fields default to NTP servers provided by Cisco. You can configure the Authentication method used by the VCS when connecting to an NTP server. Use one...
  • Page 46 UTC time by the number of hours (or fractions of hours) associated with the selected time zone. It also adjusts the local time to account for summer time (also known as daylight saving time) when appropriate.
  • Page 47: Configuring The Login Page

    If the VCS is using the TMS Provisioning Extension services to provide FindMe account data, then users log into their FindMe accounts through Cisco TMS, not through VCS. Note that this feature is not configurable using the CLI.
  • Page 48: Configuring External Manager Settings

    Note that: the VCS will continue to operate without loss of service if its connection to Cisco TMS fails. This applies even if the VCSs are clustered. No specific actions are required as the VCS and Cisco TMS will automatically start communicating with each other again after the connection is re-established.
  • Page 49: Configuring TMS Provisioning Extension Services

    Configuring TMS Provisioning Extension services Cisco TMSPE services are hosted on Cisco TMS. They provide the user, device and phone book data that is used by the VCS's Provisioning Server to service provisioning requests from endpoint devices. They also provide the VCS with the FindMe account configuration data that it uses to provide FindMe services.
  • Page 50 Note that this will result in a temporary (a few seconds) lack of service on the VCS while the data is deleted and fully refreshed. If you only need to ensure that all of the latest updates within Cisco TMS have been supplied to the VCS then click Check for updates instead.
  • Page 51 VCS's Provisioning Server
  • Page 52: Firewall Traversal

    This section describes how to configure your VCS Control and VCS Expressway in order to traverse firewalls. About firewall traversal Configuring a traversal client and server Configuring ports for firewall traversal Firewall traversal and authentication Configuring Expressway and traversal endpoint communications About ICE and TURN services
  • Page 53: About Firewall Traversal

    VCS Expressway before you create the traversal client zone on the VCS Control. Note that the traversal client and the traversal server must both be VCS systems (neither can be a Cisco Expressway).
  • Page 54: Endpoint Traversal Technology Requirements

    H.323 firewall traversal protocols The VCS supports two different firewall traversal protocols for H.323: Assent and H.460.18/H.460.19. Assent is Cisco’s proprietary protocol. H.460.18 and H.460.19 are ITU standards which define protocols for the firewall traversal of signaling and media respectively. These standards are based on the original Assent protocol.
  • Page 55: Firewall Traversal Configuration Overview

    To act as a firewall traversal client, the VCS must be configured with information about the systems that will act as its firewall traversal server.
  • Page 56: VCS As A Firewall Traversal Server

    The VCS Expressway has all the functionality of a VCS Control (including being able to act as a firewall traversal client). However, its main feature is that it can act as a firewall traversal server for other Cisco systems and any traversal-enabled endpoints that are registered directly to it. It can also provide TURN relay services to ICE-enabled endpoints.
  • Page 57: Configuring A Traversal Client And Server

    Configure all the modes and ports in the H.323 and SIP protocol sections to match identically those of the traversal server zone on the VCS Expressway. Enter the VCS Expressway’s IP address or FQDN in the Peer 1 address field.
  • Page 58: Configuring Ports For Firewall Traversal

    In most cases the default ports should be used. However, you have the option to change these ports if necessary by going to the Ports page (Configuration > Traversal > Ports). The configurable ports are:
  • Page 59: Configuring Ports For Connections From Traversal Clients

    X8.1. The call signaling ports are configured via Configuration > Traversal > Ports. The traversal media port range is configured via Configuration > Local Zone > Traversal Subzone.
  • Page 60 3478 – 3483. The default TURN relay media port range of 24000 – 29999 applies to new installations of X8.1 or later. The previous default range of 60000 – 61799 still applies to earlier releases that have upgraded to X8.1.
  • Page 61: Firewall Traversal And Authentication

    The system time on a VCS is provided by a remote NTP server. Therefore, for firewall traversal to work, all systems involved must be configured with details of an NTP server.
  • Page 62: Configuring Expressway And Traversal Endpoint Communications

    The interval (in seconds) with which locally registered endpoints send a TCP probe to the VCS keep alive Expressway after a call is established, in order to keep the firewall’s NAT bindings open. interval
  • Page 63: About ICE And TURN Services

    After the media route has been selected, the TURN relay allocations are released if the chosen connection paths do not involve routing via the TURN server. Note that the signaling always goes via the VCS, regardless of the final media communication path chosen by the endpoints.
  • Page 64: Configuring TURN Services

    The default range is 3478 – 3483. If TURN services are already enabled, any changes to the port numbers do not come into effect until the TURN services are restarted.
  • Page 65 TURN relay status information TURN relays page lists all the currently active TURN relays on the VCS. You can also review further details of each TURN relay including permissions, channel bindings and counters.
  • Page 66: Unified Communications

    Unified Communications This section describes how to configure the VCS Control and VCS Expressway for Unified Communications functionality, a core part of the Cisco Collaboration Edge Architecture: Mobile and remote access Configuring mobile and remote access on VCS
  • Page 67: Mobile And Remote Access

    Mobile and remote access Cisco Unified Communications mobile and remote access is a core part of the Cisco Collaboration Edge Architecture. It allows endpoints such as Cisco Jabber to have their registration, call control, provisioning, messaging and presence services provided by Cisco Unified Communications Manager (Unified CM) when the endpoint is not within the enterprise network.
  • Page 68: Jabber Client Connectivity Without VPN

    Note that Jabber Web and Cisco Jabber Video for TelePresence (Jabber Video) are not supported.
  • Page 69: Configuring Mobile And Remote Access On VCS

    SIP registrar and Presence Server for the domain, and accepts registration requests for any SIP endpoints attempting to register with an alias that includes this domain. The default is On.
  • Page 70 IM&P server for XMPP-related communications. If the IM&P server is using self-signed certificates, the VCS Control's trusted CA list must include a copy of the tomcat certificate from every IM&P server.
  • Page 71 The rules are created with a priority of 45. If the Unified CM node that is targeted by the search rule has a long name, the search rule will use a regex for its address pattern match.
  • Page 72: Setting Up The VCS Expressway

    VCS certificate includes the correct subject alternate names for Unified Communications and to establish a secure traversal zone. Ensure that the CA that signs the request does not strip out the client authentication extension.
  • Page 73 Certificate Creation and Use With VCS Deployment Guide for full information about how to create and upload the VCS’s server certificate and how to upload a list of trusted certificate authorities.
  • Page 74: Setting Up Secure VCS Traversal Zones

    Name attributes). If there is a cluster of traversal clients, specify the cluster name here and ensure that it is included in each client's certificate. Media encryption Force encrypted Force encrypted mode Authentication section
  • Page 75: Checking The Status Of Unified Communications Services

    "allow list" of servers to be configured to which the VCS will grant access for HTTP traffic originating from outside the enterprise. The features and services that may be required, and would need whitelisting, include:
  • Page 76 Access is granted if the server portion of the client-supplied URI matches one of the names entered here, or if it resolves via DNS lookup to a specified IP address.
  • Page 77: Protocols

    This section provides information about how to configure the VCS to support the SIP and H.323 protocols. About H.323 Configuring H.323 About SIP Configuring SIP Configuring domains Configuring SIP and H.323 interworking
  • Page 78: About H.323

    VCS only. Preventing automatic H.323 registrations You can prevent H.323 endpoints being able to register automatically with the VCS by disabling Auto Discovery on the VCS (Configuration > Protocols > H.323).
  • Page 79: Configuring H.323

    IRQ to the endpoint to functioning. Default is 1800. verify that it is still functioning.
  • Page 80 Specifies whether the prefix of Including the prefix allows the recipient to directly return the call. the ISDN gateway is inserted into the caller's E.164 number presented on the destination endpoint.
  • Page 81: About SIP

    (VCS or VCS cluster) with which they want to register, and the endpoint will attempt to register with that registrar only. The VCS is a SIP server and a SIP registrar.
  • Page 82: VCS As A SIP Proxy Server

    Route Set cannot be trusted. For this reason, you can configure how the VCS proxies requests that contain Route Sets by setting the SIP registration proxy mode as follows:
  • Page 83: Proxying Registration Requests

    Agent for any of the SIP domains for which it is authoritative. For full information on how to enable and use the VCS as a SIP Presence server, see the Presence section.
  • Page 84: Configuring SIP

    SIP calls. Default is 500 seconds. definition of Min-SE header in refresh 4028. interval Certificate revocation checking modes This section controls the certificate revocation checking modes for SIP TLS connections. The configurable options are:
  • Page 85: Registration Controls

    Treat as not revoked: treat the certificate as not revoked. accepted. Default: Treat as not revoked Registration controls This section contains the registration controls for standard and outbound SIP registrations. The configurable options are:
  • Page 86 Requests for a value refresh lower than this will result in the registration being rejected minimum with a 423 Interval Too Brief response. The default is 600 seconds.
  • Page 87: Authentication Controls

    (local database, Active Directory Service or H.350 delegated credential checking directory via LDAP) on the VCS performing the for more information. authentication challenge. On: delegate the credential checking to a traversal client. The default is Off.
  • Page 88: Configuring Domains

    VCS can be reached over the traversal zone and, additionally, if it is able to perform credential checking for both NTLM and SIP digest type challenges.
  • Page 89 If you are not using NTLM authentication in your video network, and thus the receiving VCS is not configured with a connection to an Active Directory Service, then the NTLM check will be expected to fail.
  • Page 90: Configuring SIP And H.323 Interworking

    So if you dial 123 from a SIP endpoint, the search will be placed for 123@domain. If the H.323 endpoint being dialed is just registered as 123, the VCS will not be able to locate the alias 123@domain and the call will fail. The solutions are to either:
  • Page 91 See the pre-search transforms section for information about how to configure pre-search transforms, and stripping @domain for dialing to H.323 numbers section for an example of how to do this.
  • Page 92: Registration Control

    Registration control This section provides information about the pages that appear under the Configuration > Registration menu. About registrations About Allow and Deny Lists Configuring Registration Policy to use an external service
  • Page 93: About Registrations

    If a traversal-enabled endpoint registers directly with a VCS Expressway, the VCS Expressway will provide the same services to that endpoint as a VCS Control, with the addition of firewall traversal. Traversal-enabled endpoints include all Cisco TelePresence Expressway™ endpoints and third-party endpoints which support the ITU H.460.18 and H.460.19 standards.
  • Page 94: MCU, Gateway And Content Server Registration

    Note that the Cisco TelePresence MPS 200 and MPS 800, and the Cisco TelePresence Content Server both support Expressway. They can therefore register directly with a VCS Expressway for firewall traversal.
  • Page 95 H.323: the call is taken down. SIP: the call stays up by default. This SIP behavior can be changed but only via the CLI by using the command xConfiguration SIP Registration Call Remove.
  • Page 96 The frequency of re-registrations is determined by the Registration expire delta setting for SIP (Configuration > Protocols > SIP) and the Time to live setting for H.323 (Configuration > Protocols > H.323).
  • Page 97: About Allow And Deny Lists

    Prefix: the alias must begin with the pattern string. Suffix: the alias must end with the pattern string. Regex: the pattern string is a regular expression. Pattern The pattern against which an string alias is compared.
  • Page 98: Configuring The Registration Deny List

    Prefix: the alias must begin with the pattern string. Suffix: the alias must end with the pattern string. Regex: the pattern string is a regular expression. Pattern The pattern against which an string alias is compared.
  • Page 99: Configuring Registration Policy To Use An External Service

    The username used by the VCS to log in and query the service. Password The password used by the VCS to log in and The maximum plaintext length is 30 query the service. characters (which is subsequently encrypted).
  • Page 100 Any connection problems will be reported on this page. Check the Status area at the bottom of the page and check for additional information messages against the Server address fields.
  • Page 101: Device Authentication

    Device authentication This section provides information about the VCS's authentication policy and the pages that appear under the Configuration > Authentication menu. About device authentication Authenticating with external systems
  • Page 102: About Device Authentication

    The local database also includes checking against credentials supplied by Cisco TMS if your system is using device provisioning. If the username is not found in the local database, the VCS may then attempt to verify the credentials via a real-time LDAP connection to an external H.350 directory service.
  • Page 103: Configuring Vcs Authentication Policy

    See Device provisioning and authentication policy [p.112] for more information. Presence and device authentication: The Presence Server accepts presence PUBLISH messages only if they have already been authenticated:
  • Page 104: Controlling System Behavior For Authenticated And Non-Authenticated Devices

    To check the authenticated origin (only available for authenticated or “treat as authenticated” devices) the CPL should use authenticated-origin.
  • Page 105: Authentication Policy Configuration Options

    (meaning whether the VCS trusts any pre-existing authenticated indicators - known as P-Asserted-Identity headers - within the received message) and whether the message was received from a local domain (a domain for which the VCS is authoritative) or a non-local domain.
  • Page 106 All messages are classified as authenticated. Any existing P-Asserted-Identity header is removed and a new one containing the VCS's originator ID is inserted into the message. | unauthenticated. Any existing P-Asserted-Identity headers are removed.
  • Page 107 Messages are not challenged for authentication. | All messages are classified as unauthenticated. Treat as authenticated: Messages are not challenged for authentication. All messages are classified as authenticated. | All messages are classified as unauthenticated.
  • Page 108: Sip Authentication Trust

    We recommend that you enable authentication trust only if the neighbor zone is part of a network of trusted SIP servers. Authentication trust is automatically implied between traversal server and traversal client zones.
  • Page 109: Configuring Delegated Credential Checking (Sip Only)

    VCS’s certificate is valid both as a client and as a server. If a H.323 or a non-encrypted connection is required, a separate pair of traversal zones must be configured.
  • Page 110 VCS Expressway and you also want to delegate the credential checking of TURN server requests: 1. Go to Configuration > Traversal > TURN. 2. Set Delegated credential checking to On.
  • Page 111 VCS Control. Enabling delegated credential checking does not affect any other message routing; there is no need to amend any existing transforms, search rules and so on.
  • Page 112: Device Provisioning And Authentication Policy

    In each case, the VCS performs its authentication checking against the appropriate credential store, according to whichever authentication methods are configured. Note that if the VCS is using the local database, this will include all credentials supplied by Cisco TMS.
  • Page 113 Guide. VCS Starter Pack Express: The Provisioning Server on a VCS Starter Pack Express operates in the same manner as when using Cisco TMS provisioning – it does not challenge provisioning requests. It provisions devices only if the request has already been authenticated by the VCS (at the zone or subzone entry point).
  • Page 114: Presence And Authentication Policy

    In each case, the VCS performs its authentication checking against the appropriate credential store, according to whichever authentication methods are configured. Note that if the VCS is using the local database, this will include any credentials supplied by Cisco TMS.
  • Page 115: Hierarchical Dial Plans And Authentication Policy

    Each directory VCS will still be able to optimize itself out of the call signaling path for calls entirely within each subnetwork. You must also ensure that you have sufficient call licenses (traversal and non-traversal) on each directory VCS to handle those calls going between each subnetwork.
  • Page 116: Practical Configuration Of Authentication Policy

    The local database also includes checking against credentials supplied by Cisco TMS if your system is using device provisioning. If the username is not found in the local database, the VCS may then attempt to verify the credentials via a real-time LDAP connection to an external H.350
  • Page 117: Authentication Mechanism

    The direct Active Directory authentication via Kerberos method is only supported by a limited range of endpoints – at the time of writing, only Cisco Jabber for iPad and Jabber Video. If used, other non-supported endpoint devices will continue to authenticate using one of the other two authentication methods.
  • Page 118 VCS, for example when attempting to register and the relevant subzone's Authentication policy is set to Check credentials. For Cisco endpoints using H.323, the username is typically the endpoint’s Authentication ID; for Cisco endpoints using SIP it is typically the endpoint’s Authentication username.
  • Page 119: Configuring Authentication To Use The Local Database

    Incorporating Cisco TMS credentials within the local database means that VCS can authenticate all messages (i.e. not just provisioning requests) against the same set of credentials used within Cisco TMS. Local database authentication in combination with H.350 directory authentication: You can configure the VCS to use both the local database and an H.350 directory.
  • Page 120: Using An H.350 Directory Service Lookup Via Ldap

    LDAP server. 2. Configure the directory with the aliases of endpoints that will register with the VCS. See LDAP server configuration for device authentication [p.377] for instructions on configuring LDAP servers.
  • Page 121 The user distinguished name used by the VCS when binding to the LDAP server. For example, uid=admin, ou=system. Bind password: The password used by the VCS when binding to the LDAP server.
  • Page 122 If Active Directory (direct) authentication has been configured and NTLM protocol challenges is set to Auto, then NTLM authentication challenges are offered to those devices that support NTLM. Devices that do not support NTLM will continue to receive a standard Digest challenge.
  • Page 123: Using Active Directory Database (Direct)

    If the connection is going to use TLS encryption, a valid CA certificate, private key and server certificate must be uploaded to the VCS. The VCS must be configured to challenge for authentication on the relevant zones and subzones:
  • Page 124: Configuring The Connection To Active Directory Service (Ads)

    The default is Auto. NTLM (and therefore they may crash or otherwise misbehave). The VCS must be connected to an Active Directory Service to send NTLM challenges.
  • Page 125 If the lookup cannot provide the addresses then set this field to No and enter the IP address of the primary Domain Controller into the Address 1 field that will be displayed.
  • Page 126 5. If the VCS is part of a cluster, check that the configuration entered on the master peer has been replicated to each other peer. Clustered VCS systems: In a clustered system, each VCS must join the AD domain separately. To do this:
  • Page 127 3. In the Password field, enter the password as configured in the Active Directory database for the chosen user. 4. Click Sign in. A successful registration confirms that authentication of provisioning and registration of Jabber Video to VCS now works using Active Directory database (direct) authentication.
  • Page 128 By default the VCS uses SPNEGO when communicating with an AD Domain Controller. It can only be enabled or disabled through the CLI by using the command xConfiguration Authentication ADS SPNEGO.
  • Page 129: Authenticating With External Systems

    Note that these settings are not used by traversal client zones. Traversal clients, which must always authenticate with traversal servers before they can connect, configure their connection credentials per traversal client zone.
  • Page 130: Zones And Neighbors

    About your video communications network; Structuring your dial plan; About zones; Configuring media encryption policy; Configuring ICE messaging support; About the Local Zone and subzones; The Default Zone; Configuring Default Zone access rules; Configuring zones
  • Page 131: About Your Video Communications Network

    The Local Zone is also connected to external VCSs and to the internet via different types of zones. All these components are described in more detail in the sections that follow.
  • Page 132: Structuring Your Dial Plan

    Mode of Alias pattern match and the target VCS's prefix (as with the structured dial plan) as the Pattern string. Each VCS is configured with:
  • Page 133 Hierarchical dial plan (directory VCS) deployments and device authentication: See Hierarchical dial plans and authentication policy [p.115] for important information about how to configure your authentication policy within a hierarchical dial plan.
  • Page 134: About Zones

    Unified Communications mobile and remote access. A VCS automatically generates a neighbor zone named "To Microsoft Lync server via B2BUA" when the Lync B2BUA is enabled.
  • Page 135: Configuring Media Encryption Policy

    VCS Expressway, and every zone and subzone on VCS Expressway use static NAT on the VCS Expressway only. With this configuration the encryption B2BUA will be enabled on the VCS Control only.
  • Page 136: Configuring The B2Bua For Media Encryption

    The B2BUA used for encryption (and ICE support) is a different instance to the B2BUA used for Microsoft Lync integration. Whereas the Lync B2BUA has to be manually configured and enabled, the B2BUA used for encryption is automatically enabled whenever an encryption policy is applied.
  • Page 137: Configuring Ice Messaging Support

    A traversal call license is consumed when a call goes via the encryption B2BUA. There is a limit of 100 concurrent calls (500 calls on Large VM servers) that can be routed via the encryption B2BUA.
  • Page 138: About The Local Zone And Subzones

    Local Zone and out to external zones, and speed up the search process. For further information about how to configure search rules for the Local Zone, see the Configuring search and zone transform rules section.
  • Page 139: The Default Zone

    Default Zone. For example, you can: delete the default links to prevent any incoming calls from unrecognized endpoints; apply pipes to the default links to control the bandwidth consumed by incoming calls from unrecognized endpoints
  • Page 140: Configuring Default Zone Access Rules

    Indicates if the rule is enabled or not. Use this setting to test configuration changes, or to temporarily disable certain rules. Any disabled rules still appear in the rules list but are ignored.
  • Page 141: Configuring Zones

    A neighbor zone could be a collection of endpoints registered to another system (such as another VCS), or it could be a SIP device (for example Cisco Unified Communications Manager). The other system or SIP device is referred to as a neighbor. Neighbors can be part of your own enterprise network, part of a separate network, or even standalone systems.
  • Page 142 TCP, SIP TLS or SIP UDP listening port (depending on which SIP Transport mode is in use). Transport: Determines which transport type is used for SIP calls to and from the neighbor system. The default is TLS.
  • Page 143 Advanced section:
  • Page 144: Configuring Traversal Client Zones

    Alternatively, choose one of the preconfigured profiles to automatically use the appropriate settings required for connections to that type of system. The options include: Cisco Unified Communications Manager; Cisco Unified Communications Manager (8.6.1 or later) | with VCS Deployment Guide for more information about the Cisco Unified Communications Manager profiles.
  • Page 145 TLS verify mode: Controls X.509 certificate checking and mutual authentication between this VCS and the traversal server when communicating over TLS. See TLS certificate verification of neighbor systems [p.155] for more information.
  • Page 146: Configuring Traversal Server Zones

    Expressway and configure it with the details of the corresponding zone on the traversal client. (The client must also be configured with details of the VCS Expressway.) After you have neighbored with the traversal client you can:
  • Page 147 to traverse the firewall/NAT. See Configuring ports for firewall traversal [p.58] for more information. Port: The port on the local VCS Expressway to use for H.323 calls to and from the traversal client.
  • Page 148 Poison mode: Determines if SIP requests sent to systems located via this zone are "poisoned" such that if they are received by this VCS again they will be rejected. Authentication section:
  • Page 149: Configuring Enum Zones

    The configurable options for an ENUM zone are (Field | Description | Usage tips): Name: The name acts as a unique identifier, allowing you to distinguish between zones of the same type.
  • Page 150: Configuring Dns Zones

    mode: Determines whether H.323 calls are allowed to systems and endpoints located using DNS lookups via this zone. SIP mode: Determines whether SIP calls are allowed to systems and endpoints located using DNS lookups via this zone.
  • Page 151: Zone Configuration: Advanced Settings

    Always: signaling is always taken for calls to or from this neighbor, regardless of the Call signaling optimization configuration. Calls via traversal zones or the B2BUA always take the signaling.
  • Page 152 Note that the settings for the pre-configured SDP are configurable via the CLI using the xConfiguration Zones Zone [1..1000] [Neighbor/DNS] Interworking SIP commands. They should only be changed on the advice of Cisco customer support. SIP poison On: SIP requests sent to systems located via this zone are "poisoned" such...
  • Page 153 UDP/BFCP protocol. On: any media line referring to the UDP/BFCP protocol is replaced with TCP/BFCP and disabled. Off: INVITE requests are not modified.
  • Page 154: Zone Configuration: Pre-Configured Profile Settings

    We recommend that SIP UDP/IX filter mode is set to On for: business-to-business calls routed through neighbor zones that connect to external networks / non-Cisco infrastructure; calls that connect internally to Unified CM 8.x or earlier (use Off for 9.x or...
  • Page 155: Tls Certificate Verification Of Neighbor Systems

    X.509 certificate presented by that system. (The name has to be contained in either the Subject
  • Page 156: Configuring A Zone For Incoming Calls Only

    In this scenario, when viewing the zone, you can ignore the warning indicating that search rules have not been configured.
  • Page 157: Clustering And Peers

    This section describes how to set up a cluster of VCS peers. Clustering is used to increase the capacity of your VCS deployment and to provide resiliency. About clusters; License usage within a cluster; Managing clusters and peers; Troubleshooting cluster replication problems
  • Page 158: About Clusters

    The only exceptions to this are some peer-specific configuration items. You may need to wait up to one minute before changes are updated across all peers in the cluster.
  • Page 159 Authentication is carried out through the use of a pre-shared access key. Each peer in the cluster must be individually configured with the IP address and associated access key of every other peer in that cluster.
  • Page 160: License Usage Within A Cluster

    90% of the capacity of the cluster; the number of concurrent traversal/non-traversal calls on any one unit reaches 90% of the physical capacity of the unit
  • Page 161 If any one of the peers is temporarily taken out of service the full set of call licenses will remain available to the entire cluster. However, we recommend that, where possible, the number of licenses is configured evenly across all peers in the cluster.
  • Page 162: Managing Clusters And Peers

    The VCS must be restarted after installing some option keys in order to fully activate them. Cisco TMS, if used, is running version 13.2 or later (12.6 or later is permitted if you are not using Cisco TMS for provisioning or FindMe).
  • Page 163: Maintaining A Cluster

    Deploying all peers in a cluster on the same LAN means they can be configured with the same routing information such as local domain names and local domain subnet masks. Changing the master peer: You should only need to change the Configuration master when:
  • Page 164: Specifying Peer-Specific Items In Clustered Systems

    Note that the IP protocol is applied to all peers, because each peer must support the same protocols. System name (System > Administration): The System name must be different for each peer in the cluster.
  • Page 165 The template used by the Conference Factory application to route calls to the MCU is peer-specific, as it must be unique for each peer in the cluster. VCS front panel display mode (configurable through CLI only): The xConfiguration Administration LCDPanel Mode CLI setting is specific to each peer.
  • Page 166: Sharing Registrations Across Peers

    For general information on how the VCS manages bandwidth, see the bandwidth control section.
  • Page 167: Cluster Upgrades, Backup And Restore

    Subscribers shows each endpoint from which a subscription request has been received on the local VCS only. Clustering and Cisco TMS: Cisco TMS version 13.2 or later is mandatory if your cluster is configured to use FindMe or Device Provisioning. From X8.1 onwards you must use Cisco TelePresence Management Suite Provisioning Extension.
  • Page 168: About The Cluster Subzone

    Note that if Call signaling optimization is set to On and the call is H.323, the call will not appear on Peer 2, and on Peer 1 the route will be Branch Office > Default Subzone.
  • Page 169: Neighboring The Local Vcs To Another Vcs Cluster

    Whenever you add an extra VCS to a cluster (to increase capacity or improve redundancy, for example) you will need to modify any VCSs which neighbor to that cluster to let them know about the new cluster peer.
  • Page 170: Troubleshooting Cluster Replication Problems

    This will delete the non-master VCS configuration and force it to update its configuration from the master VCS. CAUTION: never issue this command on the master VCS, otherwise all configuration for the cluster will be lost.
  • Page 171: Dial Plan And Call Processing

    About Call Policy; Supported address formats; Dialing by IP address; About URI dialing; About ENUM dialing; Configuring DNS servers for ENUM and URI dialing; Configuring call routing and signaling; Identifying calls; Disconnecting calls
  • Page 172: Call Routing Process

    Neighbor zone: one of the VCS's configured external neighbor zones, or a DNS or ENUM lookup zone. Policy service: an external service or application, such as a Cisco TelePresence Conductor. The service will return some CPL which could, for example, specify the zone to which the call should be routed, or it could specify a new destination alias.
  • Page 173 Dial plan and call processing: Call routing process
  • Page 174: Configuring Hop Counts

    Hop count field, enter the hop count value you want to use for this zone. For full details on other zone options, see the Configuring zones [p.141] section.
  • Page 175: Configuring Dial Plan Settings

    This means that any calls made directly to example.com (that is, without being prefixed by an alias), are forwarded to reception@example.com, where the receptionist can answer the call and direct it appropriately.
  • Page 176: About Transforms And Search Rules

    The pre-search transform function allows you to modify the alias in an incoming search request. The transformation is applied by the VCS before any Call Policy or User Policy is applied, and before any
  • Page 177: Configuring Pre-Search Transforms

    After the alias has been transformed, it remains changed and all further call processing is applied to the new alias. Note that transforms also apply to any Publication, Subscription or Notify URIs handled by the Presence Services, and to any Unified Communications messages. The configurable options are:
  • Page 178: Search And Zone Transform Process

    Click on the transform you want to configure (or click New to create a new transform, or click Delete to remove a transform). Search and zone transform process: The search rules and zone transform process is applied after all pre-search transforms, Call Policy and User Policy have been applied.
  • Page 179: Configuring Search Rules

    A descriptive name for the search rule. Description: An optional free-form description of the search rule. The description appears as a tooltip if you hover your mouse pointer over a rule in the list.
  • Page 180 tool (Maintenance > Tools > Check pattern). Prefix: the string must appear at the beginning of the alias. Suffix: the string must appear at the end of the alias. Regex: treats the string as a regular expression.
  • Page 181 This could be used, for example, to call out to an external service or application, such as a TelePresence Conductor. The service will return some CPL which could, for example, specify a new destination alias which would start the search process over again.
  • Page 182: Example Searches And Transforms

    You can filter the search requests sent to a zone so that it is only queried for aliases that match certain criteria. For example, assume all endpoints in your regional sales office are registered to their local Cisco VCS with a suffix of @sales.example.com. In this situation, it makes sense for your Head Office VCS to query the Sales Office VCS only when it receives a search request for an alias with a suffix of @sales.example.com.
  • Page 183: Always Query A Zone With Original Alias (No Transforms)

    (Configuration > Dial plan > Search rules > New) set up a search rule as follows (Field: Value). Rule name: Transform to example.co.uk; Description: Transform example.com to example.co.uk; Priority; Source
  • Page 184: Query A Zone For Original And Transformed Alias

    Mode: Any alias; On successful match: Continue; Target zone: Overseas office; State: Enabled. Rule #2 (Field: Value). Rule name: Overseas office - strip domain; Description: Query overseas office with domain removed
  • Page 185: Query A Zone For Two Or More Transformed Aliases

    Rule #1 (Field: Value). Rule name: Transform to example.co.uk; Description: Transform example.com to example.co.uk; Priority; Source; Request must be authenticated; Mode: Alias pattern match; Pattern type: Suffix; Pattern string: example.com
  • Page 186: Stripping @Domain For Dialing To H.323 Numbers

    SIP and H.323 endpoints to H.323 endpoints registered using their H.323 E.164 number only. Pre-search transform: On the Create transforms page (Configuration > Dial plan > Transforms > New):
  • Page 187 Replace; Replace string; On successful match: Continue; Target zone: Local Zone; State: Enabled. Rule #2 (Field: Value). Rule name: Dialing H.323 numbers; Description: Place calls to number@domain with no alias transform
  • Page 188: Transforms For Alphanumeric H.323 Id Dial Strings

    (Configuration > Dial plan > Transforms > New) (Field: Value): Priority; Description: Append @domain to any alphanumeric dial string; Pattern type: Regex; Pattern string: ([^@]*); Pattern behavior: Replace; Replace string: \1@domain; State: Enabled
  • Page 189 Place calls to string@domain with no alias transform; Priority; Source; Request must be authenticated; Mode: Alias pattern match; Pattern type: Regex; Pattern string: (.+)@domain; Pattern behavior: Leave; On successful match: Continue; Target zone: Local Zone; State: Enabled
  • Page 190: Allowing Calls To Ip Addresses Only If They Come From Known Zones

    Allow calls to IP addresses only from a known zone; Priority; Source: All zones; Request must be authenticated; Mode: Any IP address; On successful match: Continue; Target zone: Overseas office; State: Enabled
  • Page 191: Configuring Search Rules To Use An External Service

    to the address. | FQDN to be resolved. For resiliency, up to three server addresses can be supplied. Path: Enter the URL of the service on the server.
  • Page 192 CPL. Target: Select the policy service that was created in the previous step.
  • Page 193 Your search rules must be configured in such a way that they will result in a match for the initial alias, and then either not match or not return a reject for any aliases to which the policy server has routed the call.
  • Page 194: About Call Policy

    CPL script that has been uploaded. If Local CPL is enabled but no policy is configured or uploaded, then a default policy is applied that allows all calls, regardless of source or destination.
  • Page 195: Configuring Call Policy Rules Using The Web Interface

    You can use CPL scripts to configure advanced Call Policy. To do this, you must first create and save the CPL script as a text file, after which you upload it to the VCS. However, due to the complexity of writing CPL
  • Page 196 CPL script. CPL scripts cannot be uploaded using the command line interface. Deleting an existing CPL script: If a CPL script has already been uploaded, a Delete uploaded file button will be visible. Click it to delete the file.
  • Page 197: Configuring Call Policy To Use An External Service

    The username used by the VCS to log in and query the service. Password: The password used by the VCS to log in and query the service. The maximum plaintext length is 30 characters (which is subsequently encrypted).
  • Page 198 The VCS should connect to the policy service server and start using the service for Call Policy decisions. Any connection problems will be reported on this page. Check the Status area at the bottom of the page and check for additional information messages against the Server address fields.
  • Page 199: Supported Address Formats

    DNS zone. Full instructions on how to configure the VCS to support URI dialing via DNS (both outbound and inbound) are given in the URI dialing section.
  • Page 200: Dialing By Enum

    To support ENUM dialing on the VCS you must configure it with at least one DNS server and the appropriate ENUM zones. Full instructions on how to configure the VCS to support ENUM dialing (both outbound and inbound) are given in the ENUM dialing section.
  • Page 201: Dialing By Ip Address

    URI (this requires that the local VCS is configured to support URI dialing, and a DNS record exists for that URI that resolves to the unregistered endpoint's IP address); by dialing its IP address
  • Page 202 Any IP Address against the traversal server zone. 3. The VCS Expressway receives the call and because its Calls to unknown IP addresses setting is Direct, it will make the call directly to the called IP address.
  • Page 203: About Uri Dialing

    See Stripping @domain for dialing to H.323 numbers [p.186] for an example of how to do this. SIP endpoints always register with an AOR in the form of a URI, so no special configuration is required.
  • Page 204: Uri Dialing Via Dns

    (An exception to this is where the original dial string has a port specified - for example, user@example.com:1719 - in which case the address returned is queried via an LRQ for the full URI address.)
  • Page 205: Uri Dialing Via Dns For Outgoing Calls

    1. The VCS checks its search rules to see if any of them are configured with a Mode of either: Any alias, or Alias pattern match with a pattern that matches the URI address
  • Page 206 VCS for DNS queries create a DNS zone and set up associated search rules that use the Pattern string and Pattern type fields to define the aliases that will trigger a DNS query
  • Page 207: Uri Dialing Via Dns For Incoming Calls

    _Service and _Proto will be different for H.323 and SIP, and will depend on the protocol and transport type being used Name is the domain in the URI that the VCS is hosting (such as example.com)
  • Page 208: Configuring Sip Srv Records

    If you want the VCS to be contactable using SIP URI dialing, you should configure an SRV record for each SIP transport protocol enabled on the VCS (that is, UDP, TCP or TLS) as follows: Valid combinations of _Service and _Proto are: _sips._tcp _sip._tcp _sip._udp (although not recommended)
  • Page 209: Uri Dialing And Firewall Traversal

    VCS Expressway and any VCSs on the public network only. VCSs behind the firewall should not have any DNS zones configured. This will ensure that any outgoing URI calls made by endpoints registered with the VCS will be routed through the VCS Expressway.
  • Page 210 Expressway as the authoritative gatekeeper/proxy for the enterprise (the DNS configuration examples [p.383] section for more information). This ensures that incoming calls placed using URI dialing enter the enterprise through the VCS Expressway, allowing successful traversal of the firewall.
  • Page 211: About Enum Dialing

    To enable endpoints in your enterprise to receive incoming calls from other endpoints via ENUM dialing, you must configure a DNS NAPTR record mapping your endpoints’ E.164 numbers to their SIP/H.323 URIs. See ENUM dialing for incoming calls [p.215] section for instructions on how to do this.
  • Page 212: Enum Dialing For Outgoing Calls

    7. The VCS then initiates a new search for that URI (maintaining the existing hop count). The VCS starts at the beginning of the search process (applying any pre-search transforms, then searching local and external
  • Page 213: Configuring Zones And Search Rules For Enum Dialing

    The suffix to append to a transformed E.164 number to create an ENUM host name. It represents the DNS zone (in the domain name space) to be queried for a NAPTR record.
  • Page 214 For example, you want to enable ENUM dialing from your network to endpoints at a remote site using a prefix of 8 followed by the last 4 digits of the remote endpoints’ E.164 number. You would configure an ENUM zone on your VCS and then an associated search rule with:
  • Page 215: Enum Dialing For Incoming Calls

    E.164 number to an H.323 or SIP URI. replacement is not currently used by the VCS and should be set to . (the full stop character).
  • Page 216 H.323 URI that will be generated. In this example, h323:\1@example.com states that the E.164 number will be concatenated with @example.com. For example, 1234 will be mapped to 1234@example.com. . shows that the replacement field has not been used.
  • Page 217: Configuring Dns Servers For Enum And Uri Dialing

    2. Enter in the Address 1 to Address 5 fields the IP addresses of up to 5 DNS servers that the VCS will query when attempting to locate a domain. These fields must use an IP address, not a FQDN.
  • Page 218: Configuring Call Routing And Signaling

    Off: the VCS will not detect and fail search loops. You are recommended to use this setting only in advanced deployments.
  • Page 219: Identifying Calls

    (depending on whether any transforms were applied). However, the call will still have the same Call Tag. Note: If a call passes through a system that is not a VCS or TelePresence Conductor then the Call Tag information will be lost.
  • Page 220: Disconnecting Calls

    Note that endpoints that support SIP session timers (see RFC 4028) have a call refresh timer which allows them to detect a hung call (signaling lost between endpoints). The endpoints will release their resources after the next session-timer message exchange.
  • Page 221: Bandwidth Control

    This section describes how to control the bandwidth that is used for calls within your Local Zone, as well as calls out to other zones (Configuration > Local Zone Configuration > Bandwidth). About bandwidth control Configuring bandwidth controls About subzones Links and pipes Bandwidth control examples
  • Page 222: About Bandwidth Control

    In this example each pool of endpoints has been assigned to a different subzone, so that suitable limitations can be applied to the bandwidth used within and between each subzone based on the amount of bandwidth they have available via their internet connections.
  • Page 223: Configuring Bandwidth Controls

    In this situation endpoint users will get one of the following messages, depending on the system that initiated the search: "Exceeds Call Capacity" "Gatekeeper Resources Unavailable"
  • Page 224: About Subzones

    The port range can be changed to any values between 1024 and 65533. Ports are allocated from this range in pairs, with the first port number of each pair being an even number. Therefore the range must start with an even number and end with an odd number.
  • Page 225: Configuring The Default Subzone

    Subzone membership rules which control which subzone an endpoint device is assigned to when it registers with the VCS as opposed to defaulting to the Default Subzone. The configurable options are:
  • Page 226: Configuring Subzone Membership Rules

    The page lists all the subzone membership rules that have been configured on the VCS, and lets you create, edit, delete, enable and disable rules. Rule properties include: rule name and description priority
  • Page 227 Indicates if the rule is enabled or not. Use this setting to test configuration changes, or to temporarily disable certain rules. Any disabled rules still appear in the rules list but are ignored.
  • Page 228: Applying Bandwidth Limitations To Subzones

    Subzone B with a pipe of 128kbps, any calls between the two subzones will still be limited to 128kbps. Bandwidth consumption of traversal calls A non-traversal call between two endpoints within the same subzone would consume from that subzone the amount of bandwidth of that call.
  • Page 229 Traversal Subzone, and again for the call from the Traversal Subzone back to the originating subzone. In addition, as this call passes through the Traversal Subzone, it will consume an amount of bandwidth from the Traversal Subzone equal to that of the call.
  • Page 230: Links And Pipes

    You can edit any of these default links in the same way you would edit manually configured links. If any of these links have been deleted you can re-create them, either: manually through the web interface automatically by using the CLI command xCommand DefaultLinksAdd
  • Page 231: Configuring Pipes

    You can configure up to 1000 pipes. Applying bandwidth limitations to subzones [p.228] for more information about how the bandwidth limits are set and managed.
  • Page 232: Applying Pipes To Links

    Pipe B, which represents the Home Office’s dial-up connection to the internet. Each pipe would have bandwidth restrictions placed on it to represent its maximum capacity, and a call placed via this link would have the lower of the two bandwidth restrictions applied.
  • Page 233: Bandwidth Control Examples

    With a firewall If the example deployment above is modified to include firewalls between the offices, we can use Cisco’s Expressway firewall traversal solution to maintain connectivity. We do this by adding a VCS Expressway outside the firewall on the public internet, which will work in conjunction with the VCS Control and Home and Branch office endpoints to traverse the firewalls.
  • Page 234 All of the endpoints in the Head Office are assigned to the Default Subzone. This is linked to the Traversal Subzone, through which all calls leaving the Head Office must pass.
  • Page 235: Applications

    This section provides information about each of the additional services that are available under the Applications menu of the VCS. Configuring Conference Factory Presence B2BUA (back-to-back user agent) overview FindMe™ Cisco TMS provisioning
  • Page 236: Configuring Conference Factory

    Multiway is supported in Cisco TelePresence endpoints including the E20 (software version TE1.0 or later) and MXP range (software version F8.0 or later). Check with your Cisco representative for an up-to-date list of the Cisco endpoints and infrastructure products that support Multiway.
  • Page 237 Registered only or On (Configuration > Protocols > Interworking). Cisco TelePresence Multiway Deployment Guide for full details on how to configure individual components of your network (endpoints, MCUs and VCSs) in order to use Multiway in your deployment.
  • Page 238: Presence

    Presentity Manager: an interface to the Presence Database. It is used to support VCS features such as FindMe and the PUA, where the presence information provided by a number of different devices must be
  • Page 239: Presence User Agent (Pua)

    PUA presence information. This is because it is assumed that the other source of information is the presentity itself, and this information is more accurate.
  • Page 240: Configuring Presence

    Both are disabled by default. Note that SIP mode must be enabled for the Presence services to function. Presence User Agent (PUA) The PUA provides presence information on behalf of registered endpoints.
  • Page 241 VCS Control is to enable the PUA and disable the Presence Server on the VCS Expressway, and enable the Presence Server on the VCS Control. This will ensure that all PUBLISH messages generated by the PUA are routed to the VCS Control.
  • Page 242 VCS clusters: for information about how Presence works within a cluster, see Clustering and Presence [p.167]. Note: any defined transforms also apply to any Publication, Subscription or Notify URIs handled by the Presence Services.
  • Page 243: B2Bua (Back-To-Back User Agent) Overview

    TURN server. password If the TURN server is running on a Large VM VCS Expressway, you can make use of its scaling capabilities by specifying additional address/port combinations.
  • Page 244: Microsoft Lync B2Bua

    Lync 2013. Lync 2013 no longer supports H.263, so X8.1 or later software is required to interoperate successfully with Lync 2013. X7.2 or earlier software will work with Lync 2013 only if calls are routed through a Cisco AM GW transcoder.
  • Page 245 For more information about configuring VCS and Microsoft Lync see: Microsoft Lync B2BUA port reference [p.397] Microsoft Lync and VCS Deployment Guide Microsoft Lync 2010, Cisco AM GW and VCS Deployment Guide Configuring the Microsoft Lync B2BUA Microsoft Lync B2BUA configuration page (Applications >...
  • Page 246 Microsoft Lync Edge server. To configure the associated TURN servers, click Configure B2BUA TURN servers. Advanced settings: you should only modify the advanced settings on the advice of Cisco customer support.
  • Page 247 It is provided only to help distinguish between multiple devices, rather than having to rely on their IP addresses. IP address The IP address of the trusted host device.
  • Page 248: Configuring Transcoder Policy Rules

    The type of device that may send signaling messages to the B2BUA. Lync device: this includes Hardware Load Balancers, Directors and Front End Processors Transcoder: a transcoder device such as a Cisco TelePresence Advanced Media Gateway Configuring transcoder policy rules Microsoft Lync B2BUA transcoder policy rules page (Applications >...
  • Page 249: Configuring B2Bua Transcoders

    Lync B2BUA is the Cisco TelePresence Advanced Media Gateway (Cisco AM GW). The B2BUA can use the Cisco AM GW to transcode between standard codecs (such as H.264) and Microsoft RT Video and RT Audio to allow high definition calls between Microsoft Lync clients and Cisco endpoints.
  • Page 250: Restarting The B2Bua Service

    On a clustered VCS you have to restart the Lync B2BUA service on every peer. You are recommended to ensure the service is configured and running correctly on the master peer before restarting the B2BUA service on the other peers.
  • Page 251: Findme

    User account and FindMe data is provided by Cisco TMS to VCS via the TMS Provisioning Extension services. If you are using FindMe without Cisco TMS (known as "standalone FindMe") then users manage their FindMe settings by logging into their FindMe account via VCS.
  • Page 252: Findme Process Overview

    FindMe) is used to enable and configure FindMe User Policy. Note that the FindMe configuration page can only be accessed if the FindMe option key is installed. The configurable options are:
  • Page 253 This setting only applies if you are using FindMe without Cisco TMS (known as "standalone FindMe").
  • Page 254 VCS’s local database is used to store FindMe data and share it across all peers in a cluster. If you use FindMe and want to use Cisco TMS to manage your FindMe data, you must configure Cisco TMSPE services to provide the VCS with FindMe data.
  • Page 255: Cisco Tms Provisioning

    Cisco TMS provisioning is the mechanism through which the VCS and Cisco TMS share FindMe and device provisioning data. The shared data includes: user account, device and phone book data that is used by the VCS to service...
  • Page 256: Vcs Provisioning Server

    Note that this will result in a temporary (a few seconds) lack of service on the VCS while the data is deleted and fully refreshed. If you only need to ensure that all of the latest updates within Cisco TMS have been supplied to the VCS then click Check for updates instead.
  • Page 257 The VCS is provided with the current number of free licenses available across the range of VCS clusters being managed by Cisco TMS, and the VCS updates Cisco TMS with the status of provisioning licenses being used by this VCS (or VCS cluster). License limits can be managed at a per device type basis.
  • Page 258: Starter Pack Provisioning

    The VCS's Starter Pack Provisioning Server provides basic device provisioning, including phone book support, for a range of endpoint device types without the need for Cisco TMS. The Starter Pack option key must be installed to use basic device provisioning. It cannot be used in combination with device provisioning managed through TMS.
  • Page 259: User Accounts

    FindMe sessions. About user accounts Configuring password security Configuring administrator accounts Configuring remote account authentication using LDAP Configuring FindMe accounts Resetting forgotten passwords Using the root account
  • Page 260: About User Accounts

    Remotely managed administrator accounts can be used to access the VCS using the web and API interfaces only. You can configure the complexity requirements for local administrator passwords on the Password security page (Users > Password security). All passwords and usernames are case sensitive. Note that:
  • Page 261 FindMe devices and locations, and for enabling basic Starter Pack provisioning. We recommend that you use Cisco TMS if you need to provision a large number of FindMe accounts. See Cisco TMS Provisioning Extension Deployment Guide for more details on configuring FindMe and user accounts.
  • Page 262: Configuring Password Security

    VCS such as in the local authentication database, LDAP server, external registration credentials, user account passwords, or administrator account passwords stored on remote credential directories. All passwords and usernames are case sensitive.
  • Page 263: Configuring Administrator Accounts

    Some pages, such as the Upgrade page, are blocked to read-only accounts. Auditor: allows access to the Event Log, Configuration Log, Network Log, Alarms Overview pages only. Default: Read-write
  • Page 264: Viewing Active Administrator Sessions

    Default: Yes. API access: Determines whether this account is allowed to access the system's status and configuration using the Application Programming Interface (API). This controls access to the XML and REST APIs by systems such as Cisco TMS. Default: Yes. State: Indicates if the account is enabled or disabled.
  • Page 265: Configuring Remote Account Authentication Using Ldap

    (Users > LDAP configuration) is used to configure an LDAP connection to a remote directory service for administrator account authentication. It can also provide user account authentication if you are using FindMe without Cisco TMS. The configurable options are: Field...
  • Page 266 Layer) mechanism to use when binding to the LDAP server. None: no mechanism is used. DIGEST-MD5: the DIGEST-MD5 mechanism is used. The default is DIGEST-MD5. Security Layer if it is company policy to do so.
  • Page 267: Checking The Ldap Server Connection Status

    Failure connecting to server. Returned code<return code>: Other non-specific problem. Invalid Base DN for accounts: Check Base DN for accounts; the current value does not describe a valid part of the LDAP directory.
  • Page 268: Configuring Administrator Groups

    It cannot contain any of the following characters: / \ [ ] : ; | = , + * ? > < @ ". in the remote directory service to manage administrator access to this VCS.
  • Page 269 API access: Determines whether members of this group are allowed to access the system's status and configuration using the Application Programming Interface (API). This controls access to the XML and REST APIs by systems such as Cisco TMS. Default: Yes. State: Indicates if the group is enabled or disabled.
  • Page 270: Configuring Findme Groups

    Note that this page does not apply if the VCS is using TMS Provisioning Extension services to provide FindMe account data; in this case, FindMe accounts are maintained through Cisco TMS. FindMe groups are only active when remote FindMe authentication is enabled.
  • Page 271: Configuring Findme Accounts

    TMS Provisioning Extension services to provide FindMe account data; in this case, FindMe accounts are maintained through Cisco TMS. FindMe accounts are used by individuals in an enterprise to configure the devices and locations on which they can be contacted through their FindMe ID. Each FindMe account is accessed using a username and password.
  • Page 272 You can specify an additional principal device by setting Other device to On and then specifying the required URI of the device. If required, you can add further non-principal devices by clicking Edit user from Edit FindMe account page.
  • Page 273: Configuring A Findme Account's Principal Devices

    TMS Provisioning Extension services to provide FindMe account data; in this case, FindMe accounts are maintained through Cisco TMS. Users are not allowed to delete or change the address of their principal devices; they can only change the Device name. This is to stop users from unintentionally changing their basic FindMe configuration. Principal devices are also used by the VCS to decide which FindMe name to display as a Caller ID if the same device address is associated with more than one account.
  • Page 274: Resetting Forgotten Passwords

    2. Enter the new password to be used when logging into this account into the New password and Confirm password fields and click Save. This procedure only applies if local FindMe account authentication is enabled. If remote authentication is enabled, passwords are managed through your remote directory server instead.
  • Page 275: Using The Root Account

    3. Type exit to log out of the root account. If you have disabled SSH access while logged in using SSH, your current session will remain active until you log out, but all future SSH access will be denied.
  • Page 276: Maintenance

    Configuring language settings Backing up and restoring VCS data Diagnostics tools Incident reporting Checking the effect of a pattern Locating an alias Port usage Network utilities Restarting, rebooting and shutting down Developer resources
  • Page 277: Enabling Maintenance Mode

    You can monitor the Resource usage page (Status > System > Resource usage) to check how many registrations and calls are currently being handled by that peer. Maintenance mode is automatically disabled if the peer is restarted.
  • Page 278: About Upgrading Software Components

    This guide describes how both of these methods are used to perform upgrades. You can also upgrade the System platform component using Cisco TMS (see the Cisco TMS documentation for more information). We recommend that you upgrade VCS components while the system is inactive.
  • Page 279: Upgrading Vcs Software

    New features may also become available with each major release of the System platform component, and you may need to install new option keys to take advantage of these new features. Contact your Cisco representative for more information on all the options available for the latest release of VCS software.
  • Page 280: Upgrading Using Secure Copy (Scp/Pscp)

    CLI, and reboot the VCS. After about five minutes the system will be ready to use. Note: if you make any further configuration changes before rebooting, those changes will be lost when the system restarts, so you are recommended to reboot your system immediately.
  • Page 281: Configuring Logging

    The Event Log is always stored locally on the VCS. However, it is often convenient to collect copies of all event logs from various systems in a single location. This is referred to as remote logging. This is particularly recommended for peers in a cluster.
  • Page 282 If more than one remote syslog server is configured, the same information is sent to each server. The VCS may use any of the 23 available syslog facilities for different messages. Specifically, LOCAL0..LOCAL7 (facilities 16..23) are used by different software components of the VCS.
  • Page 283: Managing Option Keys

    Jabber Video, E20, and the EX and MX Series can request to be provisioned.) Note that the VCS must use Cisco TMS to obtain configuration and phone book information for distribution. Starter Pack: allows the VCS to offer basic device provisioning without the need for Cisco TMS (see Provisioning (Starter Pack)).
  • Page 284 To see which indexes are currently in use, type xConfiguration option.
  • Page 285: About Security Certificates

    This will append any new certificates to the existing list of CA certificates. Note that if you are replacing existing certificates for a particular issuer and subject, you have to manually delete the previous
  • Page 286: Managing The Vcs's Server Certificate

    3. Enter the required properties for the certificate. Server certificates and clustered systems [p.287] if your VCS is part of a cluster. Server certificates and Unified Communications [p.287] if this VCS is part of a Unified Communications solution.
  • Page 287 Server certificates and Unified Communications VCS Control server certificate requirements The VCS Control server certificate needs to include the following elements in its list of subject alternate names:
  • Page 288: Managing Certificate Revocation Lists (Crls)

    OCSP (Online Certificate Status Protocol) responder URIs in the certificate to be checked (SIP TLS only) manual upload of CRL data CRL data embedded within the VCS's Trusted CA certificate file The following limitations and usage guidelines apply:
  • Page 289 Click Remove revocation list if you want to remove the manually uploaded file from the VCS. Note that if a certificate authority's CRL expires, all certificates issued by that CA will be treated as revoked.
  • Page 290: Configuring Certificate-Based Authentication

    — typically provided via a smart card (also referred to as a Common Access Card or CAC) — and the certificate contains appropriate credentials that have a suitable authorization level.
  • Page 291 The following diagram shows an example authorization and authentication process. It shows how a certificate is obtained from a card reader and then validated by the VCS. It then shows how the VCS obtains the user's authorization level from an Active Directory service.
  • Page 292: Testing Client Certificates

    You can: Test whether a client certificate is valid when checked against the VCS's current trusted CA list and, if loaded, the revocation list (see Managing certificate revocation lists (CRLs) [p.288]).
  • Page 293 5. If you have changed the Regex and Username format fields from their default values and want to use these values in the VCS's actual configuration (as specified on the Certificate-based authentication configuration page) then click Make these settings permanent. Note:
  • Page 294 The regex is applied to a plain text version of an encoded certificate. The system uses the command openssl x509 -text -nameopt RFC2253 -noout to extract the plain text certificate from its encoded format.
  • Page 295: Advanced Security

    Enabling advanced account security To enable advanced account security: 1. Go to Maintenance > Advanced security. 2. Enter a Classification banner. The text entered here is displayed on every web page.
  • Page 296: Configuring Fips140-2 Cryptographic Mode

    If login authentication via a remote LDAP server is configured, ensure that it uses TLS encryption if it is using SASL binding. The Advanced Account Security option key must be installed. FIPS140-2 compliance also requires the following configuration settings:
  • Page 297 6 minutes to complete. FIPS140-2 compliant features The following VCS features are FIPS140-2 compliant / use FIPS140-2 compliant algorithms:
  • Page 298 Any SIP media encryption policy other than Auto SIP authentication over NTLM / Active Directory SIP/H.323 device authentication against an H.350 directory service Microsoft Lync B2BUA Unified Communications mobile and remote access Clustering Use of Cisco TMSPE
  • Page 299: Configuring Language Settings

    You can install new language packs or install an updated version of an existing language pack. Language packs are downloaded from the same area on cisco.com from where you obtain your VCS software files. All available languages are contained in one language pack zip file. Download the appropriate language pack version that matches your software release.
  • Page 300: Removing Language Packs

    2. From the list of installed language packs, select the language packs you want to remove. 3. Click Remove. 4. Click Yes when asked to confirm their removal. The selected language packs are then removed. This may take several seconds.
  • Page 301: Backing Up And Restoring Vcs Data

    Creating a system backup To create a backup of VCS system data: 1. Go to Maintenance > Backup and restore. 2. Optionally, enter an Encryption password with which to encrypt the backup file.
  • Page 302: Restoring A Previous Backup

    7. Click Continue with system restore to continue with the restore process. This will restart your system, so ensure that there are no active calls. After the system restarts, you are taken to the Login page.
  • Page 303: Diagnostics Tools

    6. Click Download log to save the diagnostic log to your local file system. You are prompted to save the file (the exact wording depends on your browser). The downloaded diagnostic log file can be sent to your Cisco support representative, if you have been requested to do so.
  • Page 304: Creating A System Snapshot

    Network Log message modules. CAUTION: changing the logging levels can affect the performance of your system. You should only change a log level on the advice of Cisco customer support. To change a logging level:
  • Page 305: Configuring Support Log Levels

    Support Log message modules. CAUTION: changing the logging levels can affect the performance of your system. You should only change a log level on the advice of Cisco customer support. To change a logging level: 1.
  • Page 306: Incident Reporting

    AUTOMATIC CONFIGURATION FEATURE. Instead, copy the data from the Incident detail page and paste it into a text file. You can then edit out any sensitive information before forwarding the file on to Cisco customer support. Incident reports are always saved locally, and can be viewed via the Incident view page.
  • Page 307: Sending Incident Reports Manually

    If you need to edit the report before sending it to Cisco (for example, if you need to remove any potentially sensitive information) you must copy and paste the information from the...
  • Page 308: Incident Report Details

    To view the information contained in a particular incident report, click on the report's Time. You will be taken to the Incident detail page, from where you can view the report on screen, or download it as an XML file for forwarding manually to Cisco customer support. Incident report details Incident detail page (Maintenance >...
  • Page 309: Checking The Effect Of A Pattern

    3. Click Check pattern to test whether the alias matches the pattern. The Result section shows whether the alias matched the pattern, and displays the resulting alias (including the effect of any transform if appropriate).
  • Page 310: Locating An Alias

    The locate process performs the search as though the VCS received a call request from the selected Source zone. For more information, see the Call routing process [p.172] section.
  • Page 311: Port Usage

    IP ports on the VCS that are used to send outbound communications to other systems. For each port listed on this page, if there is a firewall between the VCS and the destination of the outbound communications, your firewall must allow:
  • Page 312: Remote Listening Ports

    VCS will be able to communicate with all remote devices. You only need to use the information on this page if you want to limit the IP ports opened on your firewall to these remote systems and ports.
  • Page 313: Network Utilities

    To use this tool: 1. In the Host field, enter the IP address or hostname of the host system to which you want to trace the path. 2. Click Traceroute.
  • Page 314: Tracepath

    (for reverse lookups the Query type is ignored - the search automatically looks for PTR records) Option Searches for... any type of record A (IPv4 address) a record that maps the hostname to the host's IPv4 address
  • Page 315 A new section will appear showing the results of all of the queries. If successful, it will display the following information: Query type: The type of query that was sent by the VCS. Name: The hostname contained in the response to the query.
  • Page 316 IN (internet) indicates that the response was a DNS record involving an internet hostname, server or IP address. Type: The record type contained in the response to the query. Response: The content of the record received in response to the query for this Name and Type.
  • Page 317: Restarting, Rebooting And Shutting Down

    CAUTION: do not restart, reboot or shut down the VCS while the red ALM LED on the front of the unit is on. This indicates a hardware fault. Contact your Cisco customer support representative. Restarting The restart function shuts down and restarts the VCS application software, but not the operating system or hardware.
  • Page 318 Shutdown: the Shutting down page appears. This page remains in place after the system has successfully shut down but any attempts to refresh the page or access the VCS will be unsuccessful.
  • Page 319: Developer Resources

    The VCS web interface contains a number of pages that are not intended for use by customers. These pages exist for the use of Cisco support and development teams only. Do not access these pages unless it is under the advice and supervision of your Cisco support representative.
  • Page 320: Overview And Status Information

    Zone status Bandwidth Policy server status and resiliency TURN relays status Unified Communications status Presence Lync B2BUA TMS Provisioning Extension service status Starter Pack Provisioning Server status Managing alarms Logs Hardware status
  • Page 321: Status Overview

    5 seconds. Total usage statistics are also shown (unless Unified Communications Mobile and remote access is enabled, in which case this data is shown on the Resource usage page only).
  • Page 322 Clustered VCS systems If the VCS is part of a cluster, then details for each peer are shown as well as totals for the entire cluster. See About clusters [p.158] for more information.
  • Page 323: System Information

    The number of current active administrator sessions. Click on the link to see the list of active sessions. FindMe sessions: The number of current active FindMe sessions. Click on the link to see the list of active sessions.
  • Page 324: Ethernet Status

    The MAC address of the VCS’s Ethernet device for that LAN port. Speed The speed of the connection between the LAN port on the VCS and the Ethernet switch. The Ethernet speed can be configured via the Ethernet page.
  • Page 325: Ip Status

    5 DNS servers may be configured. Domain Specifies the name to be appended to the host name before a query to the DNS server is executed. The IP settings can be configured via the page.
  • Page 326: Resource Usage

    If two endpoints are registered to different cluster peers, and a SIP call is made between them, two non-traversal licenses are used. If the call is made over H.323, only one non-traversal license is used.
  • Page 327 You can see a summary of all of the call, registration and TURN relay licenses installed on each cluster peer by going to the Option keys page and scrolling down to the Current licenses section. See About clusters [p.158] for more information.
  • Page 328: Registration Status

    The reason why the registration was terminated. (Registration history view only.) Peer Identifies the cluster peer to which the device is registered. Actions Click View to go to the Registration details page to see further detailed information about the registration.
  • Page 329 Deny List.) Note that if your VCS is part of a cluster you have to be logged into the peer to which the device is registered to be able to unregister it.
  • Page 330: Call Status

    Encryption B2BUA: a call component that is routed through the B2BUA to apply a media encryption policy or ICE messaging support Microsoft Lync B2BUA: a call component that is routed through the Microsoft Lync B2BUA
  • Page 331: Disconnecting Calls

    B2BUA (where the Type is B2BUA), the call will fully disconnect. Note that the call may take a few seconds to disappear from the Call status page — you may have to refresh the page on your browser.
  • Page 332: B2Bua Calls

    (audio and video) that made up the call passing through the B2BUA. For calls using the Microsoft Lync B2BUA, this comprises legs between the VCS, the Lync server and, if applicable, the transcoder.
  • Page 333: Search History

    To limit the list of searches, enter one or more characters in the Filter field and click Filter. Only those searches that contain (in any of the displayed fields) the characters you entered are shown. To return to the full list of searches, click Reset.
  • Page 334: Search Details

    It takes you to a new Search details page which lists full information about all the searches associated with the call's Call Tag.
  • Page 335: Local Zone Status

    Traversal Subzone, so they will show up twice; once in the originating subzone and once in the Traversal Subzone. Bandwidth used: The total amount of bandwidth used by all calls passing through the subzone.
  • Page 336: Zone Status

    Checking: the protocol is enabled for that zone and the system is currently trying to establish a connection. Search rule status: This area is used to indicate if that zone is not a target of any search rules.
  • Page 337: Bandwidth

    The total number of calls currently traversing the pipe. Note that a single call may traverse more than one pipe, depending on how your system is configured. Bandwidth used: The total bandwidth of all the calls currently traversing the pipe.
  • Page 338: Policy Server Status And Resiliency

    This field displays the server address currently selected for use by the VCS. Status: The current status of the service based on the last attempt to poll that server. Last used: Indicates when the service was last requested by the VCS.
  • Page 339: Turn Relays Status

    View counters for this relay takes you to the TURN relay counters page, where you can view TURN request, response and error counters, as well as media counters, for the relay.
  • Page 340: Unified Communications Status

    You can also view some advanced status information, including: a list of all current and recent (shown in red) provisioning sessions (VCS Control only); a list of the automatically-generated SSH tunnels servicing requests through the traversal zone
  • Page 341: Presence

    The number of endpoints who have requested information about that particular presentity. To view the list of all subscribers who are requesting information about a particular presentity, click on the presentity’s URI.
  • Page 342: Presence Subscribers

    The number of local presentities about whom this endpoint is requesting information. To view the list of all local presentities whose information is being requested by a particular endpoint, click on the endpoint’s URI.
  • Page 343: Lync B2Bua

    VCS and a Microsoft Lync Server. The information shown includes: the number of current calls passing through the Lync B2BUA; resource usage as a percentage of the number of allowed Lync B2BUA calls
  • Page 344: Tms Provisioning Extension Service Status

    VCS in the cluster has the actual connection to the Cisco TMSPE services (only displayed if the VCS is part of a cluster) details of each of the data tables provided by the service, including the revision number of the most recent...
  • Page 345: User Records Provided By Cisco Tmspe Services

    The license limit and the number of free licenses indicate the overall number of licenses that are available to all of the VCSs or VCS clusters that are being managed by Cisco TMS, hence the difference between the license limit and free counts may not equal the sum of the number of used licenses shown for this particular...
  • Page 346: Findme Records Provided By Cisco Tmspe Services

    Phone book records provided by Cisco TMSPE services You can view the data records provided by the Cisco TMSPE Phone books service by going to Status > Applications > TMS Provisioning Extension services > Phone book > ...
  • Page 347: Provisioned Devices

    If the actual Version used by the endpoint is not listed, select the nearest earlier version. 3. Click Check provisioned data. The Results section will show the data that would be provisioned out to that user and device combination.
  • Page 348: Starter Pack Provisioning Server Status

    Starter Pack. The Starter Pack Provisioning Server provides basic provisioning-related services to provisioned devices, without the need for Cisco TMS. Provisioning server This section displays the server's status and summarizes the subscription requests received by the server since the VCS was last restarted.
  • Page 349: Managing Alarms

    55nnn B2BUA issues All alarms raised on the VCS are also raised as Cisco TMS tickets. All the attributes of an alarm (its ID, severity and so on) are included in the information sent to Cisco TMS. Alarms are dealt with by clicking each Action hyperlink and making the necessary configuration changes to resolve the problem.
  • Page 350: Logs

    Likewise, clicking on a particular Call-Id shows just those events that contain a reference to that particular call. Event Log color coding Certain events in the Event Log are color-coded so that you can identify them more easily. These events are as follows: Green events:
  • Page 351: Configuration Log

    The Configuration Log holds a maximum of 30MB of data; when this size is reached, the oldest entries are overwritten. The entire Configuration Log can be displayed through the web interface.
  • Page 352: Network Log

    The Filter section lets you filter the Network Log. It is displayed only if there is more than one page of information to display. Log pages show 1000 records per page.
  • Page 353 Module= filters the list to show all the events of that particular type. The events that appear in the Network Log are dependent on the log levels configured on the Network Log configuration page.
  • Page 354: Hardware Status

    The LCD panel on the front of the VCS hardware unit has a rotating display of the VCS's system name, IP addresses, alarms, and the number of current traversal calls, non-traversal calls and registrations.
  • Page 355: Reference Material

    Call types and licensing Alarms Command reference — xConfiguration Command reference — xCommand Command reference — xStatus External policy overview Flash status word reference table Supported RFCs Software version history Related documentation Legal notices
  • Page 356: Performance Capabilities

    Supports the following set of concurrent calls and registrations: 100 encrypted traversal calls @ 768kbps; and 500 non-traversal calls; and 2500 registrations This assumes a maximum sustained call rate of 5 calls per second.
  • Page 357: About Event Log Levels

    VCS Control and the VCS Expressway but will differ for messages from other applications running on the VCS. message_details The body of the message (see the Message details field section for further information).
  • Page 358: Administrator And Findme User Events

    The source IP address of the user who has logged in. Protocol Specifies which protocol was used for the communication. Valid values are: Reason Textual string containing any reason information associated with the event.
  • Page 359 The Tag is common to all searches and protocol messages across a VCS network for all forks of a call. Call-routed: Indicates if the VCS took the signaling for the call.
  • Page 360: Events And Levels

    Application Failed: The VCS application is out of service due to an unexpected failure. Application Start: The VCS has started. Further detail may be provided in the Detail event parameter.
  • Page 361 Indicates that diagnostic logging is in progress. The Detail event parameter provides Logging additional details. Error Response The TURN server has sent an error message to a client (using STUN protocol). Sent Eventlog An operator cleared the Event Log. Cleared
  • Page 362 FindMe Search A search of the FindMe database has failed, for example due to no alias being provided. 1 Failed Hardware There is an issue with the VCS hardware. If the problem persists, contact your Cisco Failure support representative. License Limit Licensing limits for a given feature have been reached.
  • Page 363 A non-call-related SIP request has been received. Received Request Sent A call-related SIP request has been sent. Request Sent A non-call-related SIP request has been sent. Request A successful request was sent to the Conference Factory. Successful
  • Page 364 Changed System restore The system restore process has completed. completed System restore System restore process has started backing up the current configuration backing up current config
  • Page 365 An unsuccessful attempt has been made to log in as a FindMe user. This could be Login failure because either an incorrect username or password (or both) was entered. User session A FindMe user has logged on to the system. start
  • Page 366: Cpl Reference

    The address-switch has two node parameters: field and subfield. address The address construct is used within an address-switch to specify addresses to match. It supports the use of regular expressions. Valid values are:
  • Page 367 If the selected field contains multiple aliases then the VCS will attempt to match each address node with all of the aliases before proceeding to the next address node, that is, an address node matches if it matches any alias.
  • Page 368: Otherwise

    At the start of script execution the location set is initialized to the original destination. The following attributes are supported on taa:location nodes. It supports the use of regular expressions.
  • Page 369: Rule-Switch

    The message-regex parameter allows a regular expression to be matched against the entire incoming SIP message. Note that any rule containing a message-regex parameter will never match an H.323 call.
  • Page 370: Proxy

    VCS will continue to use its existing policy. The following elements are not currently supported: time-switch; string-switch; language-switch
  • Page 371: Cpl Examples

    CPL example: call screening based on alias. In this example, user ceo will only accept calls from users vpsales, vpmarketing or vpengineering.
    <?xml version="1.0" encoding="UTF-8" ?>
    <cpl xmlns="urn:ietf:params:xml:ns:cpl"
      xmlns:taa="http://www.tandberg.net/cpl-extensions"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
  • Page 372 <!-- Reject call with a status code of 403 (Forbidden) -->
    <reject status="403" reason="Denied by policy"/>
    </not-present>
    <otherwise>
      <!-- All other calls allowed -->
      <proxy/>
    </otherwise>
    </address-switch>
    </address>
    </address-switch>
    </taa:routed>
    </cpl>
  • Page 373 Default Zone or Default Subzone.
    <?xml version="1.0" encoding="UTF-8" ?>
    <cpl xmlns="urn:ietf:params:xml:ns:cpl"
      xmlns:taa="http://www.tandberg.net/cpl-extensions"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
  • Page 374 <!-- Reject call with a status code of 403 (Forbidden) -->
    <reject status="403" reason="Denied by policy"/>
    </address>
    </address-switch>
    </address>
    </address-switch>
    </taa:routed>
    </cpl>
    Using the taa:rule-switch node
    <?xml version="1.0" encoding="UTF-8" ?>
    <cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl-extensions" ...
  • Page 375 <!-- Call attempt failed with 404 (Not Found) -->
    <taa:location url="notfound-message@example.com" clear="yes">
      <proxy/>
    </taa:location>
    </failure>
    <failure>
      <!-- General catch-all failure handler for all other error responses -->
      <taa:location url="failed-message@example.com" clear="yes">
        <proxy/>
      </taa:location>
  • Page 376 <taa:rule-switch>
      <taa:rule origin=".*" destination="user@example.com" message-regex="^SUBSCRIBE.*">
        <!-- Cannot subscribe to user@example.com -->
        <!-- Reject call with a status code of 403 (Forbidden) -->
        <reject status="403" reason="Denied by policy"/>
      </taa:rule>
    </taa:rule-switch>
    </taa:routed>
    </cpl>
  • Page 377: Ldap Server Configuration For Device Authentication

    Open an elevated command prompt by right-clicking Command Prompt and selecting 'Run as administrator'. For each file execute the following command:
    ldifde -i -c DC=X <ldap_base> -f filename.ldf
    where:
  • Page 378: Securing With Tls

    Using an H.350 directory service lookup via LDAP [p.120] section. Securing with TLS To enable Active Directory to use TLS, you must request and install a certificate on the Active Directory server. The certificate must meet the following requirements:
  • Page 379: Configuring An Openldap Server

    The following examples use a standard OpenLDAP installation on the Linux platform. For installations on other platforms the location of the OpenLDAP configuration files may be different. See the OpenLDAP installation documentation for details.
  • Page 380 2. Add the ldif file to the server via slapadd using the format:
    slapadd -l <ldif_file>
    This organizational unit will form the BaseDN to which the VCS will issue searches. In this example the BaseDN will be: ou=h350,dc=my-domain,dc=com.
  • Page 381 The LDAP server must be configured to use the certificate. To do this: Edit /etc/openldap/slapd.conf and add the following three lines:
    TLSCACertificateFile <path to CA certificate>
    TLSCertificateFile <path to LDAP server certificate>
    TLSCertificateKeyFile <path to LDAP private key>
  • Page 382 To configure the VCS to use TLS on the connection to the LDAP server you must upload the CA’s certificate as a trusted CA certificate. This can be done on the VCS by going to: Maintenance > Security certificates > Trusted CA certificate.
  • Page 383: Dns Configuration Examples

    BIND is sometimes run chrooted for increased security. This gives the program a new root directory, which means that the configuration files may not appear where you expect them to be. To see if this is the case on your system, run
    ps aux | grep named
  • Page 384 For more details of how to configure BIND servers and the DNS system in general see the publication DNS and BIND.
  • Page 385: Changing The Default Ssh Key

    VCS has changed. Please follow the appropriate process for your SSH client to suppress this warning. If your VCS is subsequently downgraded to an earlier version of VCS firmware, the default SSH keys will be restored.
  • Page 386: Restoring Default Configuration (Factory Reset)

    4. Finally, confirm that you want to proceed. Resetting via USB stick Cisco TAC may also suggest an alternative reset method. This involves downloading the software image onto a USB stick and then rebooting the system with the USB stick plugged in.
  • Page 387 If you use this method you must clear down and rebuild the USB stick after use. Do not reset one system and then take the USB stick and re-use it on another system.
  • Page 388: Password Encryption

    SHA512; other passwords are stored in an encrypted format
    when a password is encrypted and stored, it uses more characters than the original plain text version of the password
  • Page 389: Pattern Matching Variables

    2 IPv4 address. Applies to all peer addresses if the VCS is part of a cluster. If the VCS is part of a cluster, the address of the local peer is always used.
  • Page 390 VCS’s System Name. You can test whether a pattern matches a particular alias and is transformed in the expected way by using the Check pattern tool (Maintenance > Tools > Check pattern).
  • Page 391: Port Reference

    If the VCS is part of a cluster, outbound Protocols > H.323 Clustering this port is used for inbound and outbound communication with peers, even if H.323 is disabled.
  • Page 392 (The default range of 30000 – 35999 applies to new installations of X8.1 or later; the previous default range of 40000 – 49999 still applies to earlier releases that have upgraded to X8.1.)
  • Page 393: Remote Listening Ports

    These tables show the default listening (destination) ports on the remote systems with which the VCS communicates. The source port on the VCS for all of these communications is assigned from the VCS's ephemeral range.
  • Page 394 LDAP account LDAP queries for login account 389 / 636 TCP Users > LDAP authentication authentication. configuration TMS Provisioning Connection to Cisco TMSPE services. 443 TCP System > TMS Extension Provisioning Extension services Incident reporting Sending application failure details. 443 TCP Maintenance >...
  • Page 395: Unified Communications Port Reference

    * The default media port range of 36000 to 59999 applies to new installations of X8.1 or later. The first 2 ports in the range are used for multiplexed traffic only (with Large VM deployments the first 12 ports in the range – ...
  • Page 396 (higher number) rule that drops all traffic for the SSH tunnels service (on the internal LAN interface if appropriate, and if so, another rule to drop all traffic on the external interface)
  • Page 397: Microsoft Lync B2Bua Port Reference

    External Lync client and Edge server Purpose Protocol Edge server Lync client SIP/MTLS used between Lync Client 5061 5061 and Edge server for signaling (including any ICE messaging to the Edge Server) SIP/TLS
  • Page 398 60000 – 61799 still applies to earlier releases that have upgraded to X8.1. Between B2BUA and transcoder Purpose Protocol B2BUA IP port Transcoder B2BUA communications with transcoder 65080 5061 (Cisco AM GW)
  • Page 399: Device Authentication Port Reference

    389 / 636 TCP Client credential authentication with the Domain TCP ephemeral port 445 / 139 TCP Controller (Microsoft-DS). VCS initially tries port 445, but if that cannot be reached it tries port 139.
  • Page 400: Regular Expressions

    \1\2\3 would transform it to js@example.com Matches against one expression or an alternate expression. .*@example.(net|com) matches against any URI for the domain example.com or the domain example.net
  • Page 401 .*(?<!net) matches any string that does not end with subexpression that must not be present. Note that regex comparisons are not case sensitive. For an example of regular expression usage, see the CPL examples section.
  • Page 402: Supported Characters

    Case sensitivity Text items entered through the CLI and web interface are case insensitive. The only exceptions are passwords and local administrator account names which are case sensitive.
  • Page 403: Call Types And Licensing

    VCS. Other VCSs in the route may need to take the media as well, and so the call will count as a traversal call on that particular VCS.
  • Page 404 (in this situation, the call will remain a non-traversal call — the VCS Expressway will not take the media, even though it is using a traversal license).
  • Page 405: Alarms

    55nnn B2BUA issues All alarms raised on the VCS are also raised as Cisco TMS tickets. All the attributes of an alarm (its ID, severity and so on) are included in the information sent to Cisco TMS. List of alarms The following table lists the alarms that can be raised on the VCS.
  • Page 406 View the incident reporting page Error failed detected in <module> 15012 Language pack Some text labels may not be Contact your Cisco representative to Warning mismatch translated see if an up-to-date language pack is available 15013 Factory reset Factory reset failed...
  • Page 407 Check the list of peers for this cluster Warning replication error
    20017 | Cluster replication error | Configuration master ID is inconsistent, manual synchronization of configuration is required | View cluster replication instructions | Warning
  • Page 408 IPv6, but the VCS does not have any IPv6 addresses defined
    25015 | Restart required | SSH service has been changed, however a restart is required for this to take effect | Restart the system | Warning
  • Page 409 Debug or Trace Info, unless advised otherwise by your Cisco support representative. If diagnostic logging is in progress they will be reset automatically when diagnostic logging is stopped...
  • Page 410 <details>. 30018 Provisioning The number of concurrently Provisioning limits are set by Cisco Warning licenses limit provisioned devices has reached TMS; contact your Cisco reached the licensed limit...
  • Page 411 You have reached your license limit If the problem persists, contact your Warning reached of <n> concurrent non-traversal call Cisco representative to buy more call licenses licenses 30020 Call license limit You have reached your license limit If the problem persists, contact your...
  • Page 412 Certificate-based required authentication when in advanced account security mode 40005 Insecure The admin user has the default Change the admin password Error password in use password set
  • Page 413 40020 Security alert The connection to the Active Configure Active Directory Service Warning Directory Service is not using TLS connection settings encryption
  • Page 414 Unable to restore previous firewall Check your firewall rules Warning configuration configuration, fix any rejected rules, activate and accept the rules; if the problem persists, contact your Cisco representative 40032 Security alert Unable to initialize firewall Restart the system; if the problem Warning...
  • Page 415 40045 Restart required FIPS140-2 mode has been Restart the system Warning disabled; a system restart is required to complete this process
  • Page 416 Default and any other relevant subzone; Subzone and each relevant subzone authentication must also be enabled and zone on the Default Zone if the endpoints are not registered
  • Page 417 55006 B2BUA The Lync signaling destination port Check B2BUA configuration Warning misconfiguration is misconfigured 55007 B2BUA The Lync transport type is Check B2BUA configuration Warning misconfiguration misconfigured
  • Page 418 55029 B2BUA The media port ranges used by the Check the port configuration for both Warning misconfiguration B2BUA overlap with the media port services ranges used by <module>
  • Page 419 55101 B2BUA Invalid VCS authorized host IP Restart the service; contact your Warning misconfiguration address Cisco representative if the problem persists 55102 B2BUA Invalid URI format of VCS contact Restart the service; contact your Warning misconfiguration address...
  • Page 420 Solution Severity 55108 B2BUA Invalid VCS next hop port Restart the service; contact your Warning misconfiguration Cisco representative if the problem persists 55109 B2BUA Invalid VCS transport type Restart the service; contact your Warning misconfiguration Cisco representative if the problem...
  • Page 421 Solution Severity 55123 B2BUA The transcoding service transport Restart the service; contact your Warning misconfiguration type is misconfigured Cisco representative if the problem persists 55124 B2BUA The mandatory TURN server setting Restart the service; contact your Warning misconfiguration is misconfigured...
  • Page 422: Command Reference - Xconfiguration

    Determines whether HTTP calls will be redirected to the HTTPS port. You must restart the system for any changes to take effect. Default: On. On: calls will be redirected to HTTPS. Off: no HTTP access will be available. Example: xConfiguration Administration HTTP Mode: On
  • Page 423 Applications ConferenceFactory Range Start: <1..65535> The first number of the range that replaces %% in the template used to generate a conference alias. Default: 65535. Example: xConfiguration Applications ConferenceFactory Range Start: 10000
  • Page 424 Example: xConfiguration Applications Presence User Agent RetryDelta: 1800 Authentication ADS ADDomain: <S: 0,255> The Kerberos realm used when the VCS joins the AD domain. Note: this field is case sensitive. Example: xConfiguration Authentication ADS ADDomain: "CORPORATION.INT"
  • Page 425 Indicates if data transmitted from the VCS to an AD domain controller is sent over a secure channel. Default: Auto. Example: xConfiguration Authentication ADS SecureChannel: Auto Authentication ADS Workgroup: <S: 0,15> The workgroup used when the VCS joins the AD domain. Example: xConfiguration Authentication ADS Workgroup: "corporation"
  • Page 426 Default: Ignore. Ignore: treat the certificate as not revoked. Fail: treat the certificate as revoked (and thus do not allow the TLS connection). Example: xConfiguration Authentication Certificate Crlinaccessible: Ignore
  • Page 427 Authentication H350 LdapServerAddress: <S: 0, 256> The IP address or Fully Qualified Domain Name of the LDAP server to use when making LDAP queries for device authentication. Example: xConfiguration Authentication H350 LdapServerAddress: "ldap_server.example.com"
  • Page 428 Default: Off. On: local administrator account passwords must meet the complexity requirements. Off: passwords are not checked for complexity. Example: xConfiguration Authentication StrictPassword Enabled: Off
  • Page 429 Determines whether the VCS attempts to downspeed a call if there is insufficient total bandwidth available to fulfill the request. Default: On. On: the VCS will attempt to place the call at a lower bandwidth. Off: the call will be rejected. Example: xConfiguration Bandwidth Downspeed Total Mode: On
  • Page 430 Always: the VCS will always route the call signaling. Optimal: if possible, the VCS will remove itself from the call signaling path, which may mean the call does not consume a call license. Example: xConfiguration Call Routed Mode: Always
  • Page 431 Example: xConfiguration ErrorReport Proxy: https://proxy_address/submiterror/ ErrorReport Url: <S: 0, 128> The URL of the web service to which details of application failures are sent. Default: https://cc-reports.cisco.com/submitapplicationerror/ Example: xConfiguration ErrorReport Url: https://cc-reports.cisco.com/submitapplicationerror/
  • Page 432 H323 Gatekeeper CallSignaling PortRange End: <1024..65534> Specifies the upper port in the range to be used by calls once they are established. Default: 19999. Example: xConfiguration H323 Gatekeeper CallSignaling PortRange End: 19999
  • Page 433 Determines whether or not the VCS will allow encrypted calls between SIP and H.323 endpoints. Default: Auto. Off: interworked calls will never be encrypted. Auto: interworked calls will be encrypted if the endpoints request it. Example: xConfiguration Interworking Encryption Mode: Auto
  • Page 434 IP Ephemeral PortRange End: <1024..65534> The highest port in the range used for ephemeral outbound connections not otherwise constrained by VCS call processing. Default: 35999. Example: xConfiguration IP Ephemeral PortRange End: 35999
  • Page 435 Example: xConfiguration IP Route 1 PrefixLength: 16 IP V6 Gateway: <S: 0, 39> Specifies the IPv6 gateway of the VCS. You must restart the system for any changes to take effect. Example: xConfiguration IP V6 Gateway: "3dda:80bb:6::9:144"
  • Page 436 The SASL (Simple Authentication and Security Layer) mechanism to use when binding to the LDAP server. Default: DIGEST-MD5. None: no mechanism is used. DIGEST-MD5: The DIGEST-MD5 mechanism is used. Example: xConfiguration Login Remote LDAP SASL: DIGEST-MD5
  • Page 437 Local: credentials are verified against a local database stored on the VCS. Example: xConfiguration Login Source User: Local Login User [1..n] Name: <S: 0,60> Defines the name for this entry in the local authentication database. Example: xConfiguration Login User 1 Name: "alice"
  • Page 438 Specifies the option key of your software option. These are added to the system in order to add extra functionality, such as increasing the system’s capacity. Contact your Cisco support representative for further information. Example: xConfiguration Option 1 Key: "1X4757T5-1-60BAD5CD"...
  • Page 439 Policy FindMe Mode: <Off/On/ThirdPartyManager> Configures how the FindMe application operates. Default: Off. Off: disables FindMe. On: enables FindMe. ThirdPartyManager: uses an off-box, third-party FindMe manager. Example: xConfiguration Policy FindMe Mode: On
  • Page 440 Example: xConfiguration Policy Services Service 1 Password: "password123" Policy Services Service [1..20] Path: <S: 0,255> Specifies the URL of the remote service. Example: xConfiguration Policy Services Service 1 Path: "service"
  • Page 441 Specifies an entry to be added to the Deny List. If one of an endpoint’s aliases matches one of the patterns in the Deny List, the registration will not be permitted. Example: xConfiguration Registration DenyList 1 Pattern String: "john.jones@example.com"
  • Page 442 Controls certificate revocation list checking of the certificate supplied by the policy service. When enabled, the server's X.509 certificate will be checked against the revocation list of the certificate authority of the certificate. Default: Off. Example: xConfiguration Registration RestrictionPolicy Service TLS CRLCheck Mode: Off
  • Page 443 Example: xConfiguration SIP Authentication Digest Nonce Length: 60 SIP Authentication Digest Nonce Limit: <1..65535> Maximum limit on the number of nonces to store. Default: 10000. Example: xConfiguration SIP Authentication Digest Nonce Limit: 10000
  • Page 444 Controls whether the VCS takes the media for an ICE to non-ICE call where the ICE participant is thought to be behind a NAT device. Default: Off. Example: xConfiguration SIP MediaRouting ICE Mode: Off
  • Page 445 The minimum allowed value for a SIP registration refresh period for standard registrations. Requests for a value lower than this value will result in the registration being rejected with a 423 Interval Too Brief response. Default: 45 seconds. Example: xConfiguration SIP Registration Standard Refresh Minimum: 45
  • Page 446 SIP Routes Route [1..20] Tag: <S:0,64> Tag value specified by external applications to identify routes that they create. Note: this command is intended for developer use only. Example: xConfiguration SIP Routes Route 1 Tag: "Tag1"
  • Page 447 Controls whether the Online Certificate Status Protocol (OCSP) may be used to perform certificate revocation checking. To use OCSP, the X.509 certificate to be checked must contain an OCSP responder URI. Default: On. Example: xConfiguration SIP TLS Certificate Revocation Checking OCSP Mode: On
  • Page 448 Enables or disables SNMP Version 3 authentication. Default: On. Example: xConfiguration SNMP V3AuthenticationMode: On SNMP V3AuthenticationPassword: <S: 0,215> Sets SNMP Version 3 authentication password. It must be at least 8 characters. Example: xConfiguration SNMP V3AuthenticationPassword: "password123"
  • Page 449 Replace: substitutes the matching part of the alias with the text in replace string. AddPrefix: prepends the replace string to the alias. AddSuffix: appends the replace string to the alias. Example: xConfiguration Transform 1 Pattern Behavior: Replace
  • Page 450 Example: xConfiguration Traversal Server H323 H46018 CallSignaling Port: 2777 Traversal Server TURN Authentication Realm: <S: 1,128> The realm sent by the server in its authentication challenges. Default: TANDBERG. Example: xConfiguration Traversal Server TURN Authentication Realm: "TANDBERG"
  • Page 451 The behavior varies for H.323 messages, SIP messages that originate from a local domain and SIP messages that originate from non-local domains. Default: DoNotCheckCredentials. Example: xConfiguration Zones LocalZone DefaultSubZone Authentication Mode: DoNotCheckCredentials
  • Page 452 Example: xConfiguration Zones LocalZone SIP Record Route Address Type: IP Zones LocalZone SubZones MembershipRules Rule [1..3000] Description: <S: 0,64> A free-form description of the membership rule. Example: xConfiguration Zones LocalZone SubZones MembershipRules Rule 1 Description: "Office-based staff"
  • Page 453 The bandwidth limit (in kbps) on any one call to or from an endpoint in this subzone (applies only if Mode is set to Limited). Default: 1920. Example: xConfiguration Zones LocalZone SubZones SubZone 1 Bandwidth PerCall Inter Limit: 1920
  • Page 454 Controls whether H.323 calls using H460.18 mode for firewall traversal are allowed. Applies to traversal-enabled endpoints registered directly with the VCS. Default: On. Example: xConfiguration Zones LocalZone Traversal H323 H46018 Mode: On
  • Page 455 Determines whether there is a limit on the bandwidth of any one traversal call being handled by the VCS. Default: Unlimited. NoBandwidth: no bandwidth available. No traversal calls can be made. Example: xConfiguration Zones LocalZone TraversalSubZone Bandwidth PerCall Mode: Limited
  • Page 456 Zones Policy SearchRules Rule [1..2000] Pattern String: <S: 0,60> The pattern against which the alias is compared. (Applies to Alias Pattern Match mode only.) Example: xConfiguration Zones Policy SearchRules Rule 1 Pattern String: "@example.com"
  • Page 457 Example: xConfiguration Zones Policy SearchRules Rule 1 Target Name: "Sales Office" Zones Policy SearchRules Rule [1..2000] Target Type: <Zone/PolicyService> The type of target this search rule applies to. Example: xConfiguration Zones Policy SearchRules Rule 1 Target Type: Zone
  • Page 458 Off: All media must be unencrypted. BestEffort: Use encryption if available otherwise fallback to unencrypted media. Auto: No media encryption policy is applied. Example: xConfiguration Zones Zone 1 DNS SIP Media Encryption Mode: Auto
  • Page 459 On: any media line referring to the UDP/BFCP protocol is replaced with TCP/BFCP and disabled. Off: INVITE requests are not modified. Example: xConfiguration Zones Zone 1 DNS SIP UDP BFCP Filter Mode: Off
  • Page 460 Zones Zone [1..1000] Neighbor Interworking SIP Audio DefaultCodec: <G711u/G711a/G722_48/G722_56/G722_64/G722_1_16/G722_1_24/G722_1_32/G722_1_48/G723_1/G728/G729/AACLD_48/AACLD_56/AACLD_64/AMR> Specifies which audio codec to use when empty INVITEs are not allowed. Default: G711u. Example: xConfiguration Zones Zone 3 Neighbor Interworking SIP Audio DefaultCodec: G711u
  • Page 461 Controls if authenticated SIP messages (ones containing a P-Asserted-Identity header) from this zone are trusted. Default: Off. On: messages are trusted without further challenge. Off: messages are challenged for authentication. Example: xConfiguration Zones Zone 3 Neighbor SIP Authentication Trust Mode: On
  • Page 462 (latching). Otherwise it will forward the media to the IP address and port signaled in the SDP (signaled). Example: xConfiguration Zones Zone 3 Neighbor SIP MediaRouting Mode: Auto
  • Page 463 X.509 certificate (in either the Subject Common Name or the Subject Alternative Name attributes). Default: Off. Example: xConfiguration Zones Zone 3 Neighbor SIP TLS Verify Mode: On
  • Page 464 The behavior varies for H.323 messages, SIP messages that originate from a local domain and SIP messages that originate from non-local domains. Default: DoNotCheckCredentials. Example: xConfiguration Zones Zone 4 TraversalClient Authentication Mode: DoNotCheckCredentials
  • Page 465 Specifies the port on the traversal server to be used for SIP calls from this VCS. If your traversal server is a VCS Expressway, this must be the port number that has been configured in the traversal server zone for this VCS. Example: xConfiguration Zones Zone 4 TraversalClient SIP Port: 5061
  • Page 466 Example: xConfiguration Zones Zone 5 TraversalServer H323 Protocol: Assent Zones Zone [1..1000] TraversalServer Registrations: <Allow/Deny> Controls whether proxied SIP registrations routed through this zone are accepted. Default: Allow. Example: xConfiguration Zones Zone 5 TraversalServer Registrations: Allow
  • Page 467 Sets the frequency (in seconds) with which the traversal client will send a TCP probe to the VCS. Default: 2. Example: xConfiguration Zones Zone 5 TraversalServer TCPProbe RetryInterval: 2
  • Page 468 TraversalServer: there is a firewall between the zones and the local VCS is a traversal server for the new zone. ENUM: the new zone contains endpoints discoverable by ENUM lookup. DNS: the new zone contains endpoints discoverable by DNS lookup. Example: xConfiguration Zones Zone 3 Type: Neighbor
  • Page 469: Command Reference - Xcommand

    Enabled: <On/Off> Indicates if the account is enabled or disabled. Access is denied to disabled accounts. Default: On. Example: xCommand AdminAccountAdd Name: "bob_smith" Password: "abcXYZ_123" AccessAPI: On AccessWeb: On Enabled: On
  • Page 470 DNS SRV queries to find a KDC. KerberosKDCPort: <1..65534> Specifies the port of a KDC that can be used when the VCS joins the AD domain. Default: 88 Example: xCommand AdsKdcAdd KerberosKDCAddress: "192.168.0.0" KerberosKDCPort: 88
  • Page 471 The requested bandwidth of the call (in kbps). CallType(r): <Traversal/NonTraversal> Whether the call type is Traversal or Non-traversal. Example: xCommand CheckBandwidth Node1: "DefaultSubzone" Node2: "UK Sales Office" Bandwidth: 512 CallType: nontraversal
  • Page 472 The FQDN or IP address of the Unified CM publisher. Example: xCommand Cucmconfigdelete Address: "cucm.example.com" DefaultLinksAdd Restores links between the Default Subzone, Traversal Subzone and the Default Zone. This command has no parameters. Example: xCommand DefaultLinksAdd
  • Page 473 The domain to associate with the specific DNS server. Domain2(r): <Value> An optional second domain to associate with the specific DNS server. Index: <0..5> The index of the server to add. Example: xCommand DNSServerAdd Address: "192.168.12.0" Index: 1
  • Page 474 Example: xCommand DomainAdd Name: "100.example-name.com" Authzone: "Traversal zone" Edge: Off Sip: On DomainDelete Deletes a domain. DomainId(r): <1..200> The index of the domain to be deleted. Example: xCommand DomainDelete DomainId: 2
  • Page 475 Example: xCommand Fail2ban Argument "192.0.12.0" Command: addignoreip Jail: sip-auth FeedbackDeregister Deactivates a particular feedback request. ID: <1..3> The index of the feedback request to be deactivated. Example: xCommand FeedbackDeregister ID: 1
  • Page 476 Example: xCommand Fips Command: enter ForceConfigUpdate Forces the relevant configuration on this peer to be updated to match that of the cluster master. This command has no parameters. Example: xCommand ForceConfigUpdate
  • Page 477 Returns a list of all subscribers who are watching for the presence information of a particular presentity. Presentity(r): <S:1, 255> The URI of the presentity being watched. Example: xCommand ListSubscribers Presentity: "mary.jones@example.com"
  • Page 478 OptionKeyAdd Adds a new option key to the VCS. These are added to the VCS in order to add extra functionality, such as increasing the VCS's capacity. Contact your Cisco representative for further information. Key(r): <S: 0, 90> Specifies the option key of your software option.
  • Page 479 Example: xCommand PipeAdd PipeName: "512k ADSL" TotalMode: Limited Total: 512 PerCallMode: Limited PerCall: 128 PipeDelete Deletes a pipe. PipeId(r): <1..1000> The index of the pipe to be deleted. Example: xCommand PipeDelete PipeId: 2
  • Page 480 Verify: On CRLCheck: On Address: "service.example.com" Path: "service" StatusPath: "status" UserName: "user123" Password: "password123" DefaultCPL: "<reject status='403' reason='Service Unavailable'/>" PolicyServiceDelete Deletes a policy service. PolicyServiceId(r): <1..20> The index of the policy service to be deleted. Example: xCommand PolicyServiceDelete PolicyServiceId: 1
  • Page 481 The serial number of the registration to be removed. Example: xCommand RemoveRegistration RegistrationSerialNumber: "a761c4bc-25c9-11b2-a37f-0010f30f521c" Restart Restarts the VCS without a full system reboot. This command has no parameters. Example: xCommand Restart
  • Page 482 Example: xCommand SearchRuleAdd Name: "DNS lookup" ZoneName: "Sales Office" Description: "Send query to the DNS zone" SearchRuleDelete Deletes a search rule. SearchRuleId(r): <1..2000> The index of the search rule to be deleted. Example: xCommand SearchRuleDelete SearchRuleId: 1
  • Page 483 The index of the SIP route to be deleted. Tag: <S:0, 64> Tag value specified by external applications to uniquely identify routes that they create. Example: xCommand SIPRouteDelete SipRouteId: Tag: "Tag1"
  • Page 484 The subzone to which an endpoint is assigned if its address satisfies this rule. Description: <S: 0, 64> A free-form description of the membership rule. Example: xCommand SubZoneMembershipRuleAdd Name: "Home Workers" Type: Subnet SubZoneName: "Home Workers" Description: "Staff working at home"
  • Page 485 Example: xCommand TransformAdd Pattern: "example.net" Type: suffix Behavior: replace Replace: "example.com" Priority: 3 Description: "Change example.net to example.com" State: Enabled TransformDelete Deletes a transform. TransformId(r): <1..100> The index of the transform to be deleted. Example: xCommand TransformDelete TransformId: 2
  • Page 486 The username used to access the IM and Presence publisher. CertValidationDisabled: <On/Off> Controls X.509 certificate checking against the certificate presented by the IM and Presence publisher. Default: On Example: xCommand Xmppdiscovery Address: "imp.example.com" Axlpassword: "xyz" Axlusername: "abc"
  • Page 487 Note that this command does not change any existing system configuration. Alias(r): <S: 1, 60> The alias to be searched for. Example: xCommand ZoneList Alias: "john.smith@example.com"
  • Page 488: Command Reference - Xstatus

    The current xStatus elements are: Alarm Alternates Applications B2BUACalls B2buapresencerelayservice B2buapresencerelayuser Calls Cluster ExternalManager Fail2banjailbannedaddress Feedback FindMeManager Fips Firewall H323 Hardware Iptablesacceptedrule Iptablesrule License Links NetworkInterface Ntpcertificates Options Phonebookserver Pipes
  • Page 489 Policy Portusage ProvisioningServer Provisioningdevice Provisioningdevicestatussynch Provisioningservice Registrations ResourceUsage SipServiceDomains SipServiceZones SystemUnit TURN Time Warnings Zones
  • Page 490: External Policy Overview

    Default CPL can be configured, to be processed by the VCS as a fallback, if the service is not available. The status and reachability of the service can be queried via a status path. If you require FindMe functionality beyond that provided by VCS / Cisco TMS, we recommend that you implement it through Call Policy.
  • Page 491: External Policy Request Parameters

    SEARCH / ADMIN / USER ✓ ✓ ✓ ✓ PROTOCOL SIP / H323 ✓ ✓ ✓ REGISTERED_ALIAS SOURCE_ADDRESS ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ SOURCE_IP ✓ ✓ ✓ ✓ SOURCE_PORT
  • Page 492: Default Cpl For Policy Services

    We recommend that you use unique reason values for each type of service, so that if calls or registrations are rejected it is clear why and which service is rejecting the request.
  • Page 493: Flash Status Word Reference Table

    Autokey sequence error 0100 TEST9 pkt_crypto Autokey protocol error 0200 TEST10 peer_stratum invalid header or stratum 0400 TEST11 peer_dist distance threshold exceeded 0800 TEST12 peer_loop synchronization loop 1000 TEST13 peer_unreach unreachable or nonselect
  • Page 494: Supported Rfcs

    3863 Presence Information Data Format (PIDF) 3880 Call Processing Language (CPL): A Language for User Control of Internet Telephony Services 3891 Replaces header 3892 Referred-by header 3903 Session Initiation Protocol (SIP) Extension for Event State Publication
  • Page 495 5766 Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN) 5806 Diversion Indication in SIP 6156 Traversal Using Relays around NAT (TURN) Extension for IPv6
  • Page 496: Software Version History

    X7.1 For information about earlier software releases, see the online help or previous versions of this document. X7.2.1 The VCS Starter Pack Express supports Cisco Jabber for iPad. X7.2 Controlled SIP TLS connections to the Default Zone Default Zone access rules that control which external systems are allowed to connect over SIP TLS to the VCS via the Default Zone can now be configured.
  • Page 497 The VCS now supports the ability to interwork the H.323 flowControlCommand into RFC 5104 Temporary Maximum Media Stream Bit Rate Request (TMMBR). This provides the ability to stem the flow of data from a remote participant.
  • Page 498 There is no longer a need to restart the VCS after uploading a language pack. Support for some xConfiguration commands removed The following xConfiguration CLI command sets are no longer supported: xConfiguration Administration HTTPS RequireClientCertificate xConfiguration Administration MaxConcurrentSessions xConfiguration Administration TimeOut xConfiguration Authentication Database
  • Page 499: X7.1

    Call processing Improved interworking between VCS and Cisco Unified Communications Manager. VCS now always stays in the call signaling route for calls to neighbor zones that are configured with the Cisco Unified Communications Manager or the Infrastructure device zone profiles.
  • Page 500 Default incident reporting server is now https://cc-reports.cisco.com/submitapplicationerror/ The VCS Starter Pack Express supports device provisioning for MX200 endpoints. An optional free-form description of a B2BUA transcoder can be specified. Alarms status page now shows when an alarm was first raised.
  • Page 501 It allows you to generate a diagnostic log of system activity over a period of time, and then to download the log so that it can be sent to your Cisco customer support representative.
  • Page 502 TMS Agent database credentials included within local authentication database lookups In addition to any manually created entries, the Cisco VCS now checks credentials stored within the TMS Agent database when the device authentication database type is set to Local database.
  • Page 503: Related Documentation

    FindMe Deployment Guide www.cisco.com VCS Getting Started Guide www.cisco.com VCS IP Port Usage for Firewall Traversal www.cisco.com Microsoft Lync 2010, Cisco AM GW and VCS Deployment Guide www.cisco.com Microsoft Lync and VCS Deployment Guide www.cisco.com Multiway Deployment Guide www.cisco.com VCS Starter Pack Express Deployment Guide www.cisco.com...
  • Page 504 RFC 5806: Diversion Indication in SIP http://tools.ietf.org/html/rfc5806 Session Traversal Utilities for NAT (STUN) http://tools.ietf.org/html/rfc5389 Traversal Using Relays around NAT (TURN): Relay Extensions to Session http://tools.ietf.org/html/rfc5766 Traversal Utilities for NAT (STUN)
  • Page 505: Legal Notices

    This product is Copyright © 2014, Tandberg Telecom UK Limited. All rights reserved. TANDBERG is now part of Cisco. Tandberg Telecom UK Limited is a wholly owned subsidiary of Cisco Systems, Inc. The terms and conditions of use can be found at: http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/license_info/Cisco_VCS_EULA.pdf.
  • Page 506: Patent Information

    MPEG LA prior to any use of AVC/H.264 encoders and/or decoders. Patent information This product is covered by one or more of the following patents: US7,512,708 EP1305927 EP1338127
  • Page 507 MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners.
