Call Policy; Call Policy And Authentication - TANDBERG D14049.04 Administrator's Manual

Tandberg video communications server administrator guide

Call Policy

About Call Policy
The VCS lets you set up rules to control which calls are allowed, which calls are rejected, and which calls are to be redirected to a different destination. These rules are known as Call Policy (or Administrator Policy).

If Call Policy is enabled and has been configured, each time a call is made the VCS will execute the policy in order to decide, based on the source and destination of the call, whether to:
- proxy the call to its original destination
- redirect the call to a different destination or set of destinations
- reject the call.

When enabled, Call Policy is executed for all calls going through the VCS.

You can set up Call Policy in two ways:
- by configuring basic Call Policy using the web interface (note that this only lets you Allow or Reject specified calls)
- by uploading a script written in the Call Processing Language (CPL).

Only one of these two methods can be used at any one time to specify Call Policy. If a CPL script has been uploaded, this will disable use of the web interface to configure Call Policy. To use the web interface, you must delete the CPL script that has been uploaded.

Use Call Policy to determine which callers can make or receive calls via the VCS. Use Allow and Deny lists to determine which aliases can or cannot register with the VCS.
D14049.07
March 2010
Call Policy uses the source and destination of a call to determine the action to be taken. Policy interacts with authentication when considering the source alias of the call. If your VCS is part of a secure environment, any policy decisions based on the source of the call should only be made when that source can be authenticated.

Whether or not the VCS considers an endpoint to be authenticated depends on the Authentication Mode setting of the VCS.

Authentication mode off

When Authentication Mode is set to Off, calls will be accepted from any endpoint or neighbor. The assumption is that the source alias is trusted, so authentication is not required.

Authentication mode on

When Authentication Mode is set to On, all endpoints and neighbors are required to authenticate with it before calls will be accepted. If a call is received from an unauthenticated source (e.g. neighbor or endpoint) the call's source aliases will be removed from the call request and replaced with an empty field before the Call Policy is executed. This is because there is a possibility that the source aliases could be forged and therefore they should not be used for policy decisions in a secure environment. This means that, when Authentication Mode is On and you configure policy based on the source alias, it will only apply to authenticated sources.

The VCS determines whether or not an endpoint is authenticated as follows:

Call Policy and authentication

H.323

When Authentication Mode is set to On, for the purposes of Call Policy, an H.323 endpoint is considered to be authenticated if either of the following conditions apply:
- it is a locally registered endpoint. (Because Authentication Mode is On, the registration will have been accepted only after the endpoint authenticated successfully with the VCS.)
- it is a remote endpoint that is registered to and authenticated with a VCS that is a neighbor, traversal client or traversal server of the local VCS, and that remote VCS has in turn authenticated with the local VCS.

An H.323 endpoint is considered to be unauthenticated when:
- it is a remote endpoint registered to a neighbor and that neighbor has not authenticated with the VCS. This is regardless of whether or not the endpoint authenticated with the neighbor.
SIP

When Authentication Mode is set to On, for the purposes of Call Policy a SIP endpoint is considered to be authenticated when:
- it falls within one of the domains for which the VCS is authoritative and has successfully responded to an authentication challenge. This endpoint could be registered to the local VCS or a VCS that is a traversal server or traversal client of the local VCS, as long as it is authoritative for the domain in the endpoint's AOR.

A SIP endpoint is considered to be unauthenticated if any of the following conditions apply:
- it does not fall within one of the domains for which the VCS is authoritative, or
- it has failed to successfully respond to an authentication challenge, or
- it has successfully responded to an authentication challenge but its From or Reply-To addresses are not compatible with the alias origin settings.
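
The authentication rules above, modelled in Python as an added example (not TANDBERG code and not part of the original guide): it shows which source alias Call Policy sees in each Authentication Mode, and what that does to a source-based rule. The field names, the (source regex, action) rule shape, the default action and the sample aliases are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Caller:
    protocol: str                         # "h323" or "sip"
    source_alias: str                     # alias claimed in the call request
    locally_registered: bool = False      # H.323: registered to the local VCS
    authed_with_remote_vcs: bool = False  # H.323: endpoint authenticated with its own VCS
    remote_vcs_authed: bool = False       # H.323: that VCS authenticated with the local VCS
    domain_authoritative: bool = False    # SIP: VCS is authoritative for the endpoint's domain
    challenge_passed: bool = False        # SIP: answered the authentication challenge
    alias_origin_ok: bool = True          # SIP: From/Reply-To fit the alias origin settings

def is_authenticated(c: Caller) -> bool:
    """Authentication Mode On: is this caller authenticated for Call Policy?"""
    if c.protocol == "h323":
        return c.locally_registered or (c.authed_with_remote_vcs and c.remote_vcs_authed)
    if c.protocol == "sip":
        return c.domain_authoritative and c.challenge_passed and c.alias_origin_ok
    return False

def policy_source(c: Caller, auth_mode_on: bool) -> str:
    """Source alias as Call Policy sees it."""
    if not auth_mode_on:
        return c.source_alias             # Off: alias is trusted as presented
    return c.source_alias if is_authenticated(c) else ""  # On: blanked if unauthenticated

def decide(c: Caller, auth_mode_on: bool, rules, default: str) -> str:
    """First matching (source_regex, action) rule wins (assumed rule model)."""
    src = policy_source(c, auth_mode_on)
    for pattern, action in rules:
        if re.fullmatch(pattern, src):
            return action
    return default

# Constructed sample data: one source-based Allow rule, everything else rejected.
RULES = [(r"ceo@example\.com", "allow")]
# Remote H.323 endpoint presenting that alias via a neighbor that has not authenticated.
UNAUTH_NEIGHBOR_CALL = Caller("h323", "ceo@example.com", authed_with_remote_vcs=True)
LOCAL_CALL = Caller("h323", "ceo@example.com", locally_registered=True)

if __name__ == "__main__":
    for mode in (False, True):
        print("auth mode on:", mode,
              "| via neighbor:", decide(UNAUTH_NEIGHBOR_CALL, mode, RULES, "reject"),
              "| local:", decide(LOCAL_CALL, mode, RULES, "reject"))
```

The same blanking means a source-based Reject rule never matches an unauthenticated caller when Authentication Mode is On, so the outcome for such calls depends on destination rules and the default action.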
