Allow And Deny Lists; About Allow And Deny Lists; Patterns And Pattern Types; Activating Use Of Allow Or Deny Lists - TANDBERG Video Communication Server Administrator's Manual

Registration control

About Allow and Deny Lists

When an endpoint attempts to register with the VCS it presents a list of aliases. You can control which endpoints are allowed to register by setting the Restriction Policy to AllowList or DenyList and then including any one of the endpoint's aliases on the Allow List or the Deny List as appropriate. Each list can contain up to 2,500 entries.

When an endpoint attempts to register, each of its aliases is compared with the patterns in the relevant list to see if it matches. Only one of the aliases needs to appear in the Allow List or the Deny List for the registration to be allowed or denied. For example, if the Registration Restriction policy is set to DenyList and an endpoint attempts to register using three aliases, one of which matches a pattern on the Deny List, that endpoint's registration will be denied. Likewise, if the Registration Restriction policy is set to AllowList, only one of the endpoint's aliases needs to match a pattern on the Allow List for it to be allowed to register using all its aliases.

Allow Lists and Deny Lists are mutually exclusive: only one may be in use at any given time.

Patterns and pattern types

Entries on the Allow List and Deny List are a combination of Pattern and Type. The Pattern specifies the string to be matched; the Type determines whether that string:

- must match the Pattern exactly (Exact)
- must appear at the start of the alias (Prefix)
- must appear at the end of the alias (Suffix)
- is in the form of a Regular Expression (Regex).

You can test whether a pattern will match a particular alias by using the Check pattern page (Maintenance > Tools > Check pattern).

D14049.05, February 2009

Activating use of Allow or Deny Lists

The Registration Configuration page allows you to specify whether an Allow List or a Deny List should be used when determining which endpoints may register with the VCS.

To go to the Registration Configuration page: VCS configuration > Registration > Configuration.

To configure this using the CLI:
xConfiguration Registration RestrictionPolic

The Restriction policy option specifies the policy to be used when determining which endpoints may register with the VCS. The options are:

- None: Any endpoint may register.
- AllowList: Only those endpoints with an alias that matches an entry in the Allow List may register.
- DenyList: All endpoints may register, unless they match an entry on the Deny List.

The default is None.

If you have elected to use an Allow List or a Deny List, you must also go to the appropriate configuration page (VCS configuration > Registration > Allow list or VCS configuration > Registration > Deny list) to create the list to be used.

Removing existing registrations

Once an Allow List or Deny List has been activated, it will be used to control all registration requests from that point forward. However, any existing registrations may remain in place, even if the new list would otherwise block them. For this reason we recommend that you manually remove all existing unwanted registrations after you have implemented an Allow List or Deny List.

To manually remove a registration, navigate to Status > Registrations > By device, select the registration(s) you wish to remove, and click Unregister.

Re-registrations

All endpoints must periodically re-register with the VCS in order to keep their registration active. If you do not manually delete the registration, the registration could be removed once the endpoint attempts to re-register, but this depends on the protocol being used by the endpoint:

- H.323 endpoints may use "light" re-registrations which do not contain all the aliases presented in the initial registration, so the re-registration may not get filtered by the Allow List or Deny List. If this is the case, the registration will not expire at the end of the registration timeout period and must be removed manually.
- SIP re-registrations contain the same information as the initial registrations so will be filtered by the Allow List and Deny List. This means that, after the list has been activated, all SIP registrations will disappear at the end of their registration timeout period.

The frequency of re-registrations is determined by the Registration Expire Delta setting for SIP (VCS configuration > Protocols > SIP > Configuration) and the Time to Live setting for H.323 (VCS configuration > Protocols > H.323).
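The matching rules and the clean-up of existing registrations described above can be modelled offline; the following is an added example, not code from the manual or from the VCS. The names Entry, entry_matches, may_register and stale_registrations are hypothetical, the sample data is constructed, and the example assumes that aliases are compared case-sensitively and that a Regex pattern must match the whole alias.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    pattern: str
    kind: str  # the entry's Type: "Exact", "Prefix", "Suffix" or "Regex"

def entry_matches(entry, alias):
    """Apply one list entry to one alias according to its Type."""
    if entry.kind == "Exact":
        return alias == entry.pattern
    if entry.kind == "Prefix":
        return alias.startswith(entry.pattern)
    if entry.kind == "Suffix":
        return alias.endswith(entry.pattern)
    if entry.kind == "Regex":
        # Assumption: the expression has to match the entire alias.
        return re.fullmatch(entry.pattern, alias) is not None
    raise ValueError(f"unknown pattern type: {entry.kind!r}")

def may_register(policy, entries, aliases):
    """Return True if an endpoint presenting `aliases` may register."""
    if policy == "None":
        return True
    hit = any(entry_matches(e, a) for e in entries for a in aliases)
    if policy == "AllowList":
        return hit        # one matching alias admits all of them
    if policy == "DenyList":
        return not hit    # one matching alias blocks the endpoint
    raise ValueError(f"unknown policy: {policy!r}")

def stale_registrations(policy, entries, registrations):
    """Existing registrations that the newly activated list would refuse."""
    return [name for name, aliases in registrations.items()
            if not may_register(policy, entries, aliases)]

# Constructed sample data (not taken from the manual).
DENY = [Entry("guest", "Prefix"), Entry("@lab.example.com", "Suffix"),
        Entry(r"9\d{3}", "Regex")]
REGISTERED = {
    "room-a": ["room.a@example.com", "4001"],
    "kiosk": ["lobby@example.com", "guest-kiosk", "4002"],
    "bench": ["bench@lab.example.com"],
}

if __name__ == "__main__":
    print(stale_registrations("DenyList", DENY, REGISTERED))
```

Calling may_register with only some of an endpoint's aliases, for example just "4002" for the kiosk, returns True under the Deny List, which is the situation an H.323 light re-registration creates and why such registrations have to be removed manually.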
