Cisco TelePresence Administrator's Manual

Video communication server

Cisco TelePresence
Video Communication
Server
Administrator Guide
X7.2
January 2015


  Summary of Contents for Cisco TelePresence

  • Page 1 Cisco TelePresence Video Communication Server Administrator Guide X7.2 January 2015...
  • Page 2: Table Of Contents

    Contents Introduction About the Cisco TelePresence Video Communication Server (VCS) VCS base applications Standard features Optional features Installation and initial configuration About this guide Typographical conventions Using the web interface Using the command line interface (CLI) Web page features and layout What’s new in this version?
  • Page 3 VCS as a SIP registrar VCS as a SIP proxy server Proxying registration requests VCS as a SIP Presence Server SIP configuration Configuring SIP domains Configuring SIP and H.323 interworking Registration control Cisco VCS Administrator Guide (X7.2) Page 3 of 498...
  • Page 4 Configuring traversal server zones Configuring ENUM zones Configuring DNS zones Zone configuration: advanced settings Zone configuration: pre-configured profile settings TLS certificate verification of neighbor systems Configuring a zone for incoming calls only...
  • Page 5 Configuring Call Policy Configuring Call Policy rules using the web interface Configuring Call Policy using a CPL script Configuring VCS to use the Cisco TelePresence Advanced Media Gateway Configuring Cisco AM GW policy rules Dialable address formats Dialing by IP address Dialing by H.323 ID or E.164 alias...
  • Page 6 Firewall traversal and authentication Authentication and NTP Firewall configuration Configuring Expressway and traversal endpoint communications Configuring traversal server ports About ICE and TURN services About ICE About TURN Configuring TURN services...
  • Page 7 Configuring language settings Changing the language Installing language packs About login accounts Account authentication Account types Configuring login account authentication Configuring remote account authentication using LDAP Password security Configuring administrator accounts...
  • Page 8 Shutting down Developer resources Debugging and system administration tools Experimental menu Reference material Software version history X7.1 X6.1 X5.2 X5.1 About Event Log levels Event Log format Administrator and FindMe user events...
  • Page 9 Command reference — xConfiguration Command reference — xCommand Command reference — xStatus About policy services Flash status word reference table Bibliography Glossary Accessibility notice Legal notices Intellectual property rights Copyright notice Patent information...
  • Page 10: Introduction

    Introduction This section provides an overview of the Cisco TelePresence Video Communication Server, including: About the Cisco TelePresence Video Communication Server Base applications Standard features Optional features About this guide Using the web interface What’s new in this version?
  • Page 11: About The Cisco TelePresence Video Communication Server (VCS)

    An alternative solution, suited to small to medium-sized businesses (SMBs), is the VCS Starter Pack Express. Optional packages that you can deploy include Cisco TelePresence FindMe (FindMe), Device Provisioning, and Dual Network Interfaces (VCS Expressway only).
  • Page 12: VCS Base Applications

    Initiation Protocol (SIP)- and H.323-compliant endpoints, interworking with third-party endpoints; it integrates with the Cisco UCM and supports third-party IP private branch exchange (IP PBX) solutions. VCS Control implements the tools required for creative session management, including definition of aspects such as routing, dial plans, and bandwidth usage, while allowing organizations to define call-management applications, customized to their requirements.
  • Page 13: Standard Features

    Up to 100 traversal calls 1000 external zones with up to 2000 matches 1000 subzones and supporting up to 3000 membership rules Flexible zone configuration with prefix, suffix and regex support...
  • Page 14: Optional Features

    Control over which endpoints are allowed to register Call Policy (also known as Administrator Policy) including support for CPL Can be managed with Cisco TelePresence Management Suite (TMS) 12.6 or later AD authentication for administrators of the VCS Pre-configured defaults for:...
  • Page 15: Installation And Initial Configuration

    Virtual appliance support The VCS can run on VMware on Cisco UCS C200 M2, UCS C210 M2 or UCS B200 M2 servers. VCS Virtual machine deployment guide for more information about installing a VCS on VMware.
  • Page 16: About This Guide

    Name of the page that you will be taken to. Where command line interface (CLI) commands are included, they are shown in the format: xConfiguration <Element> <SubElement> xCommand <Command>...
  • Page 17: Using The Web Interface

    It may work with Opera and Safari, but you could encounter unexpected behavior. JavaScript and cookies must be enabled to use the VCS web interface...
  • Page 18: Using The Command Line Interface (CLI)

    Typing an xConfiguration path into the CLI followed by a ? returns information about the usage for that element and sub-elements. Typing an xCommand command into the CLI with or without a ? returns information about the usage of that command...
  • Page 19: Web Page Features And Layout

    Information icon or click inside a field. This box gives you information about the particular field, including where applicable the valid ranges and default value. To close the information box, click on the X at its top right corner...
  • Page 20 VCS software version are shown at the bottom of the page. Note that you cannot change configuration settings if your administrator account has read-only privileges...
  • Page 21: What's New In This Version

    Local administrator passwords are now stored using a SHA512 hash. In a cluster, the default admin account password is now replicated across all peers. Note that the Login Administrator set of xConfiguration CLI commands are no longer supported...
  • Page 22: System Security Enhancements

    The VCS now supports the ability to interwork the H.323 flowControlCommand into RFC 5104 Temporary Maximum Media Stream Bit Rate Request (TMMBR). This provides the ability to stem the flow of data from a remote participant...
  • Page 23: Enhanced Diagnostics

    When upgrading software components, the MD5 and SHA1 hash values of the software image file being uploaded are displayed for user verification (when upgrading from X7.2 or later). There is no longer a need to restart the VCS after uploading a language pack...
  • Page 24: Overview And Status Information

    Overview and status information You can view information about the current status, registrations, current calls and call history, and configuration of the VCS by using the Status menu options...
  • Page 25: Status Overview

    Clustered VCS systems If the VCS is part of a cluster, then details for each peer are shown as well as totals for the entire cluster. About clusters for more information...
  • Page 26: System Information

    If an NTP server has been configured, the system time in local time (UTC adjusted according to the local time zone) is shown. If no NTP server has been configured, the time according to the VCS’s operating system is shown...
  • Page 27: Ethernet Status

    The MAC address of the VCS’s Ethernet device for that LAN port. Speed The speed of the connection between the LAN port on the VCS and the Ethernet switch. The Ethernet speed can be configured via the Ethernet page...
  • Page 28: IP Status

    Specifies the name to be appended to the host name before a query to the DNS server is executed. The IP settings can be configured via the page. The Dual network interfaces option is enabled by the addition of the corresponding option key...
  • Page 29: Resource Usage

    To maintain the same capacity for your cluster, you should ensure that either the problem with the peer is resolved or new option keys are installed on another peer in the cluster. About clusters for more information...
  • Page 30: Active Sessions

    This section shows the date, time and source IP address of the last successful login for this account. If applicable it also shows details of the last failed login attempt for this account, and the number of failed login attempts since the last successful login...
  • Page 31: Registration Status

    Peer Identifies the cluster peer to which the device is registered. Actions Click View to go to the Registration details page to see further detailed information about the registration. Registration details...
  • Page 32 Deny List.) Note that if your VCS is part of a cluster you have to be logged into the peer to which the device is registered to be able to unregister it...
  • Page 33: Call Status

    Encryption B2BUA: a call component that is routed through the B2BUA to apply a media encryption policy Microsoft OCS/Lync B2BUA: a call component that is routed through the Microsoft OCS/Lync B2BUA...
  • Page 34: Disconnecting Calls

    (audio and video) that made up the call passing through the B2BUA. For calls using the Microsoft OCS/Lync B2BUA, this comprises legs between the VCS, the OCS/Lync server and, if applicable, the transcoder...
  • Page 35: Search History

    To limit the list of searches, enter one or more characters in the Filter field and click Filter. Only those searches that contain (in any of the displayed fields) the characters you entered are shown. To return to the full list of searches, click Reset...
  • Page 36: Search Details

    It takes you to a new Search details page which lists full information about all the searches associated with the call's Call Tag...
  • Page 37: Local Zone Status

    Traversal Subzone, so they will show up twice; once in the originating subzone and once in the Traversal Subzone. Bandwidth used: The total amount of bandwidth used by all calls passing through the subzone...
  • Page 38: Zone Status

    Checking: the protocol is enabled for that zone and the system is currently trying to establish a connection. Search rule status: This area is used to indicate if that zone is not a target of any search rules...
  • Page 39: Bandwidth

    The total number of calls currently traversing the pipe. Note that a single call may traverse more than one pipe, depending on how your system is configured. Bandwidth used: The total bandwidth of all the calls currently traversing the pipe...
  • Page 40: Policy Service Status

    This field displays the server address currently selected for use by the VCS. Status: The current status of the service. Last used: Indicates when the service was last requested by a VCS process...
  • Page 41: TURN Relays Status

    View counters for this relay takes you to the TURN relay counters page, where you can view TURN request, response and error counters, as well as media counters, for the relay...
  • Page 42: Presence

    The number of endpoints who have requested information about that particular presentity. To view the list of all subscribers who are requesting information about a particular presentity, click on the presentity’s URI...
  • Page 43: Presence Subscribers

    The number of local presentities about whom this endpoint is requesting information. To view the list of all local presentities whose information is being requested by a particular endpoint, click on the endpoint’s URI...
  • Page 44: OCS Relay Status

    FindMe ID. Subscription Indicates whether the OCS Relay application has subscribed successfully to the FindMe ID's state presence information. Doing so allows MOC clients to view the presence information of FindMe users...
  • Page 45: OCS/Lync B2BUA

    B2BUA) displays the status of Microsoft OCS/Lync B2BUA service. The Microsoft OCS/Lync back-to-back user agent (B2BUA) on the VCS is used to route SIP calls between the VCS and a Microsoft OCS/Lync Server...
  • Page 46: TMS Provisioning Extension Service Status

    VCS with provisioning and FindMe data that is managed and maintained exclusively within TMS. The provisioning server status reporting provided by this page is available only when the VCS is operating in Provisioning Extension mode, or when running in Starter Pack mode. Provisioning server...
  • Page 47: User Records Provided By TMS Provisioning Extension Services

    You can view the data records provided by the TMS Provisioning Extension Users service by going to Status > Applications > TMS Provisioning Extension services > Users > ... and then the relevant table: Accounts Groups...
  • Page 48: FindMe Records Provided By TMS Provisioning Extension Services

    You can view the data records provided by the TMS Provisioning Extension Phone books service by going to Status > Applications > TMS Provisioning Extension services > Phone book > ... and then the...
  • Page 49: Provisioned Devices

    (Status > Applications > TMS Provisioning Extension services > Users > Accounts, locate the user you want to check and then click Check provisioned data). To check provisioned data:...
  • Page 50 If the actual Version used by the endpoint is not listed, select the nearest earlier version. 3. Click Check provisioned data. The Results section will show the data that would be provisioned out to that user and device combination...
  • Page 51: Alarms

    You can click the Alarm ID to generate a filtered view of the Event Log, showing all occurrences of when that alarm has been raised and lowered. See the alarms list for further information about the specific alarms that can be raised...
  • Page 52: Logs

    Certain events in the Event Log are color-coded so that you can identify them more easily. These events are as follows: Green events: System Start Admin Session Start/Finish Installation of <item> succeeded Registration Accepted...
  • Page 53: Configuration Log

    To do more advanced filtering, click more options. This gives you additional filtering methods: Contains the string: only includes events containing the exact phrase entered here. Contains any of the words: includes any events that contain at least one of the words entered here...
  • Page 54: Network Log

    Not containing any of the words: filters out any events containing any of the words entered here. Note: use spaces to separate each word you want to filter by. Click Filter to reapply any modified filter conditions. To return to the complete Network Log listing, click Reset...
  • Page 55 Module= filters the list to show all the events of that particular type. The events that appear in the Network Log are dependent on the log levels configured on the Network Log configuration page...
  • Page 56: Hardware Status

    The LCD panel on the front of the VCS hardware unit has a rotating display of the VCS's system name, IP addresses, alarms, and the number of current traversal calls, non-traversal calls and registrations...
  • Page 57: Network And System Settings

    These options enable you to configure the VCS in relation to the network in which it is located, for example its IP settings, firewall rules and the external services used by the VCS (for example DNS, NTP and SNMP)...
  • Page 58: Network Settings

    IP routes can be configured using the CLI only: routes can be added by using the xCommand RouteAdd command and can be modified by using the xConfiguration IP Route commands...
  • Page 59: LAN Configuration

    LAN 1. If the Cisco VCS Expressway is in the DMZ, the outside IP address of the Cisco VCS Expressway must be a public IP address, or if static NAT mode is enabled, the static NAT address must be publicly accessible.
  • Page 60: Configuring Ethernet Settings

    (for example ldapserver.mydomain.com) or is in the form of an IP address, the domain name is not appended to the server address before querying the DNS server. It applies to the following configuration settings in the VCS:...
  • Page 61 In addition to the 5 default DNS servers, you can specify 5 additional explicit DNS servers for specified domains. This can be useful in deployments where specific domain hierarchies need to be routed to their explicit authorities...
  • Page 62: Configuring Quality Of Service Settings

    The following table shows the built-in rules, and the sequence in which the built-in and the user-configured rules are applied: Source Destination Protocol Port Action Comment address address Allow VCS loopback interface...
  • Page 63 New or modified rules are shown as Pending. Deleted rules are shown as Pending delete. 3. When you have finished configuring the new set of firewall rules, click Activate firewall rules...
  • Page 64 IP addresses. Description: An optional free-form description of the firewall rule. If you have a lot of rules you can use the Filter by description options to find related sets of rules...
  • Page 65: Current Active Firewall Rules

    If you want to change the rules you must go to the Firewall rules configuration page from where you can set up and activate a new set of rules...
  • Page 66: Network Services

    (for a physical system) or VMware console (for a virtual machine). Default is On...
  • Page 67 CA and authentication configuration page. contains the client's Note that this setting does not affect client verification of the authentication credentials. VCS's server certificate. Default: Not required...
  • Page 68 Default: Treat as not revoked. Redirect HTTP requests to HTTPS: Determines whether HTTP requests are redirected to the HTTPS port. Default is On. HTTPS must also be enabled for access via HTTP to function...
  • Page 69 Note that compliant browsers only respect Strict-Transport-Security headers if they access the server through its fully qualified name (rather than its IP address)...
  • Page 70: Configuring SNMP Settings

    You can configure the front panel to hide this identifying information, if required for security reasons for example, by using the CLI command xConfiguration Administration LCDPanel Mode. If the mode is set to Off the front panel only displays "Cisco". Configuring SNMP settings...
  • Page 71: Configuring Time Settings

    Time) is used to configure the VCS's NTP servers and specify your local time zone. An NTP server is a remote server with which the VCS synchronizes in order to ensure its time is accurate. The NTP server provides the VCS with UTC time...
  • Page 72 FQDN or IP address for the NTP server Three of the Address fields default to NTP servers provided by Cisco. You can configure the Authentication method used by the VCS when connecting to an NTP server. Use one...
  • Page 73 UTC time by the number of hours (or fractions of hours) associated with the selected time zone. It also adjusts the local time to account for summer time (also known as daylight saving time) when appropriate...
  • Page 74: Other Settings

    VCS's connection to an external management system. An external manager is a remote system, such as the Cisco TelePresence Management Suite (TMS), used to monitor events occurring on the VCS, for example call attempts, connections and disconnections, and as a place where the VCS can send alarm information.
  • Page 75: Configuring TMS Provisioning Extension Services

    You must add the certificate of the issuer of the TMS server's certificate to the file containing the VCS's trusted CA certificates. This is done from the Trusted CA certificate page (Maintenance > Certificate management > Trusted CA certificate)...
  • Page 76 VCS then click Check for updates instead. Further status information The menu options under Status > Applications > TMS Provisioning Extension services provide full status information about the TMS Provisioning Extension services, including:...
  • Page 77 Provisioning Extension mode. The Revert to TMS Agent legacy mode button allows you to switch back to the legacy mode if any problems are encountered. The switchover between modes can take several seconds to complete; a VCS restart is not required...
  • Page 78: Protocols

    H.323 configuration options available on the VCS overview of SIP and the SIP configuration options available on the VCS how to configure the VCS to act as a SIP to H.323 gateway...
  • Page 79: About H.323

    H.323 is enabled or not H.323 gatekeeper settings whether to insert the prefix of the ISDN gateway into the caller's E.164 number presented on the destination endpoint The configurable options are:...
  • Page 80 Specifies whether the prefix of the ISDN gateway is inserted into the caller's E.164 number presented on the destination endpoint. Including the prefix allows the recipient to directly return the call...
  • Page 81: About SIP

    If the VCS is not configured with any SIP domains, the VCS will act as a SIP server. It may proxy registration requests to another registrar, depending upon the SIP registration proxy mode setting...
  • Page 82: VCS As A SIP Proxy Server

    Off: requests containing Route Sets are rejected. This setting provides the highest level of security. Proxy to known only: requests containing Route Sets are proxied only if the request was received from a known zone. Proxy to any: requests containing Route Sets are always proxied...
  • Page 83: Proxying Registration Requests

    SIP is enabled or not SIP-specific transport modes and ports certificate revocation checking modes for TLS connections registration settings for standard and outbound registrations The configurable options are: Field Description Usage tips Configuration section:...
  • Page 84 VCS, downloaded automatically from preconfigured URIs (see management), or downloaded automatically from a CRL distribution point (CDP) URI contained in the X.509 certificate...
  • Page 85 Requests for a refresh value greater than this will result in a lower value being maximum returned (calculated according to the Standard registration refresh strategy). The default is 60 seconds...
  • Page 86: Configuring SIP Domains

    (VCS configuration > Protocols > SIP > Domains) lists the SIP domains for which the VCS is authoritative. The VCS will act as a SIP registrar and Presence Server for these domains, and will...
  • Page 87 Note that values shown in the Index column correspond to the numeric elements of the %localdomain1%, %localdomain2%, . . . %localdomain200% pattern matching variables. You can configure up to 200 SIP domains...
  • Page 88: Configuring SIP And H.323 Interworking

    See the pre-search transforms section for information about how to configure pre-search transforms, and stripping @domain for dialing to H.323 numbers section for an example of how to do this...
  • Page 89: Registration Control

    This section provides information about the pages that appear under the VCS configuration > Registration menu. It includes the following information: overview of the VCS's registration policies how to control registrations using Allow Lists and Deny Lists...
  • Page 90: About Registrations

    If a traversal-enabled endpoint registers directly with a VCS Expressway, the VCS Expressway will provide the same services to that endpoint as a VCS Control, with the addition of firewall traversal. Traversal-enabled endpoints include all Cisco TelePresence Expressway™ endpoints and third-party endpoints which support the ITU H.460.18 and H.460.19 standards.
  • Page 91: MCU, Gateway And Content Server Registration

    Note that the Cisco TelePresence MPS 200 and MPS 800, and the Cisco TelePresence Content Server both support Expressway. They can therefore register directly with a VCS Expressway for firewall traversal.
  • Page 92: Registering Aliases

    When registering, the SIP endpoint presents the VCS with its contact address (IP address) and logical address (Address of Record). The logical address is considered to be its alias, and will generally be in the form of a URI...
  • Page 93 SIP re-registrations contain the same information as the initial registrations so will be filtered by the restriction policy. This means that, after the list has been activated, all SIP registrations will disappear at the end of their registration timeout period...
  • Page 94 The frequency of re-registrations is determined by the Registration expire delta setting for (VCS configuration > Protocols > SIP > Configuration) and the Time to live setting for H.323 (VCS configuration > Protocols > H.323)...
  • Page 95: About Allow And Deny Lists

    Prefix: the alias must begin with the pattern string. Suffix: the alias must end with the pattern string. Regex: the pattern string is a regular expression. Pattern string: The pattern against which an alias is compared...
  • Page 96: Configuring The Registration Deny List

    Prefix: the alias must begin with the pattern string. Suffix: the alias must end with the pattern string. Regex: the pattern string is a regular expression. Pattern string: The pattern against which an alias is compared...
  • Page 97: Device Authentication

    H.350 directory a connection to an Active Directory Service how to configure the username and password that is used by the VCS whenever it is required to authenticate with external systems...
  • Page 98: About Device Authentication

    Along with one of the above methods, for those devices that support NTLM challenges, the VCS can alternatively verify credentials via direct access to an Active Directory server using a Kerberos connection. The various VCS authentication entry points and credential checking methods are shown below:...
  • Page 99: Configuring VCS Authentication Policy

    Device provisioning and authentication policy for more information. Presence and device authentication The Presence Server on VCS accepts presence PUBLISH messages only if they have already been authenticated:...
  • Page 100: Controlling System Behavior For Authenticated And Non-Authenticated Devices

    Call Policy User Policy (FindMe) When the Cisco VCS uses a policy service it sends information about the call or registration request to the service in a POST message using a set of name-value pair parameters. Those parameters include information about whether the request has come from an authenticated source or not.
  • Page 101: Authentication Policy Configuration Options

    (meaning whether the VCS trusts any pre-existing authenticated indicators - known as P-Asserted-Identity headers - within the received message) and whether the message was received from a local domain (a domain for which the VCS is authoritative) or a non-local domain...
  • Page 102 All messages are classified as authenticated. unauthenticated. Any existing P-Asserted-Identity header Any existing P-Asserted-Identity headers is removed and a new one containing are removed. the VCS's originator ID is inserted into the message...
  • Page 103 Message credentials are not checked and all messages are classified as authenticated. authenticated The behavior for SIP messages depends upon whether the message was received from a local domain (a domain for which the VCS is authoritative) or a non-local domain...
  • Page 104: SIP Authentication Trust

    You are recommended to enable authentication trust only if the neighbor zone is part of a network of trusted SIP servers. Authentication trust is automatically implied between traversal server and traversal client zones...
  • Page 105: Device Provisioning And Authentication Policy

    Initial provisioning authentication (of a subscribe message) is controlled by the authentication policy setting on the Default Zone. (The Default Zone is used as the device is not yet registered.)
  • Page 106 The Provisioning Server checks device account credentials against the TMS Agent database only. It does not check against any other credential store. The following diagram shows the flow of provisioning messages from an endpoint to the Provisioning Server, together with the credential checking processes:
  • Page 107 Provisioning Extension mode – it does not challenge provisioning requests. It provisions devices only if the request has already been authenticated by the VCS (at the zone or subzone entry point).
  • Page 108: Presence And Authentication Policy

    Note that if the VCS is using the local database, this will include any credentials supplied by TMS (in either TMS Agent legacy mode or TMS Provisioning Extension mode).
  • Page 109: Hierarchical Dial Plans And Authentication Policy

    Each directory VCS will still be able to optimize itself out of the call signaling path for calls entirely within each subnetwork. You must also ensure that you have sufficient non-traversal and traversal licenses on each directory VCS to handle those calls going between each subnetwork.
  • Page 110: Practical Configuration Of Authentication Policy

    Expressway. If it is required that outbound calls may only be made by authenticated users, ensure that all call requests are routed to the VCS Control and it only forwards requests back that it can authenticate.
  • Page 111: Configuring Vcs Authentication Methods

    NTLM challenge. At the time of writing, all supported endpoints respond to an NTLM challenge in preference to a Digest challenge. The following diagram shows the process followed by the VCS when authenticating credentials:
  • Page 112: Authentication Using The Local Database

    VCS, for example when attempting to register and the relevant subzone's Authentication policy is set to Check credentials. For Cisco endpoints using H.323, the username is typically the endpoint’s Authentication ID; for Cisco endpoints using SIP it is typically the endpoint’s Authentication username.
  • Page 113: Starter Pack

    If the Starter Pack option key is installed, the local authentication database will include a pre-configured set of authentication credentials. To ensure correct operation of the TURN server in conjunction with the Starter Pack, do not delete or modify the StarterPackTURNUser entry in the local authentication database.
  • Page 114: Using An H.350 Directory Service Lookup Via Ldap

    Note that if the authentication policy is Do not check credentials or Treat as authenticated, then the Source of aliases for registration setting is ignored and the aliases presented by the endpoint are used. LDAP server settings
  • Page 115 Distinguished Name (DN) in the LDAP directory under which the H.350 objects reside. The current status of the connection to the specified LDAP server is displayed at the bottom of the page.
  • Page 116: Device Authentication H.350 Schemas

    NTLM challenges are offered in addition to the standard Digest challenge. Endpoints that support NTLM will respond to the NTLM challenge in preference to the Digest challenge, and the VCS will attempt to authenticate that NTLM response.
  • Page 117: Configuration Prerequisites

    Note that setting up your VCS’s authentication policy to check credentials will affect all devices (not just Movi / Jabber Video) that send provisioning, registration, presence, phone book and call requests to the VCS. Endpoint
  • Page 118: Active Directory Service (Ads) Configuration

    Short domain name: The short domain name used by the VCS when it joins the AD domain. It is also known as the NetBIOS domain name.
  • Page 119 DNS SRV lookup of the AD domain to obtain the KDC addresses; manually enter the IP addresses and port numbers of up to 5 KDCs. Port numbers default to 88.
  • Page 120 LDAP communications with the Domain Controller: TCP/389. Microsoft-DS RPC communications with the Domain Controller (used for the authentication of client credentials): TCP/445. Note that if TCP/445 cannot be reached, the system falls back to using TCP/139.
  • Page 121: Authenticating With External Systems

    Note that these settings are not used by traversal client zones. Traversal clients, which must always authenticate with traversal servers before they can connect, configure their connection credentials per traversal client zone.
  • Page 122: Zones And Neighbors

    Local Zone and its subzones; an overview of the Default Zone and its access rules; media encryption capabilities for SIP calls flowing through zones and subzones; how to configure different zone types
  • Page 123: About Your Video Communications Network

    The Local Zone is also connected to external VCSs and to the internet via different types of zones. All these components are described in more detail in the sections that follow.
  • Page 124: Structuring Your Dial Plan

    VCS as a neighbor zone; search rules for each zone that have a Mode of Alias pattern match and the target VCS's prefix (as with the structured dial plan) as the Pattern string
  • Page 125 VCSs managed by the same directory VCS – and then configure the neighbor zones between each directory VCS so that they stay in the call signaling path on calls crossing subnetworks between those directory VCSs. To do this:
  • Page 126 Each directory VCS will still be able to optimize itself out of the call signaling path for calls entirely within each subnetwork. You must also ensure that you have sufficient non-traversal and traversal licenses on each directory VCS to handle those calls going between each subnetwork.
  • Page 127: About The Local Zone And Subzones

    Local Zone and out to external zones, and speed up the search process. For further information about how to configure search rules for the Local Zone, see the Configuring search and zone transform rules section.
  • Page 128: About Zones

    See the Configuring search and zone transform rules section for information about including zones as targets for search rules.
  • Page 129: About The Default Zone

    Default Zone. For example, you can: delete the default links to prevent any incoming calls from unrecognized endpoints; apply pipes to the default links to control the bandwidth consumed by incoming calls from unrecognized endpoints
  • Page 130: Configuring Default Zone Access Rules

    Use this setting when making or testing configuration changes, or to temporarily enable or disable certain rules. Any disabled rules still appear in the rules list but are ignored. Up to 10,000 rules can be configured.
  • Page 131: Media Encryption Policy

    B2BUA can be identified in the call history details as having a component type of Encryption B2BUA; the B2BUA runs as an internal application within the VCS and does not require any manual configuration
  • Page 132: Zone Configuration

    You create a neighbor relationship with the other system by adding it as a neighbor zone on your local VCS. After you have added it, you can:
  • Page 133 (depending on which SIP Transport mode is in use). Transport Determines which transport type is used for SIP calls to and from the neighbor system. The default is TLS.
  • Page 134 Custom: allows you to configure each setting individually. Alternatively choose one of the preconfigured profiles to automatically use the appropriate settings required for connections to that type of system. Do not use the Custom option or configure the individual Advanced settings except on the advice of Cisco customer support.
  • Page 135: Configuring Traversal Client Zones

    Protocol: Determines which of the two firewall traversal protocols (Assent or H.460.18) to use for calls to the traversal server. See Firewall traversal protocols and ports for more information.
  • Page 136 SIP messages that originate from non-local domains. Client settings section: Retry interval The interval in seconds with which a failed attempt to establish a connection to the traversal server should be retried. Location section:
  • Page 137: Configuring Traversal Server Zones

    This field specifies the hop count to use when sending a search request to this particular zone. ... count assigned, the lower of the two values is used. Connection credentials section:
  • Page 138 If TLS verify mode is enabled, a TLS verify subject name must be specified. This is the certificate holder's name to look for in the traversal client's X.509 certificate.
  • Page 139 ... alive interval: The interval (in seconds) with which the traversal client sends a TCP probe to the VCS Expressway when a call is in place, in order to maintain the firewall’s NAT bindings.
  • Page 140: Configuring Enum Zones

    DNS zones. The configurable options for a DNS zone are: Field Description Usage tips Name The name acts as a unique identifier, allowing you to distinguish between zones of the same type.
  • Page 141: Zone Configuration: Advanced Settings

    The table below describes the Advanced and Custom zone configuration options. Some of these settings only apply to specific zone types. Note: you should only use the Custom zone profile settings on the advice of Cisco customer support.
  • Page 142 Note: from VCS software version X7 you are recommended to use the Microsoft OCS/Lync B2BUA to route SIP calls between the VCS and a Microsoft OCS/Lync Server. Cisco Unified Communications Manager (see Cisco Unified Communications Manager with VCS deployment guide for more...
  • Page 143 Note that the settings for the pre-configured SDP are configurable via the CLI using the xConfiguration Zones Zone [1..1000] [Neighbor/DNS] Interworking SIP commands. They should only be changed on the advice of Cisco customer support. SIP poison On: SIP requests sent to systems located via this zone are "poisoned"...
  • Page 144 SIP devices that do not support the UDP/BFCP protocol, so this must be set to On for connections to a Cisco Unified Communications Manager. zones On: any media line referring to the UDP/BFCP protocol is replaced with TCP/BFCP and disabled.
  • Page 145 Off: the VCS will not query for A and AAAA records and instead will continue with the search, querying the remaining lower priority zones.
  • Page 146: Zone Configuration: Pre-Configured Profile Settings

    Options Options search strategy SIP UDP/BFCP filter mode SIP Duo Video filter mode SIP record route Hostname address type SIP Proxy-Require header strip list: <blank> <blank> "com.nortelnetworks.firewall" <blank> <blank>
  • Page 147: Tls Certificate Verification Of Neighbor Systems

    In this scenario, when viewing the zone, you can ignore the warning indicating that search rules have not been configured.
  • Page 148: Clustering And Peers

    FindMe, Presence; the purpose of the cluster subzone; how to neighbor a local VCS or cluster to a remote VCS cluster
  • Page 149: About Clusters

    You should only make configuration changes on the master VCS. Any changes made on other peers are not reflected across the cluster, and will be overwritten the next time the master’s configuration is replicated across the peers. The only exceptions to this are:
  • Page 150 For H.323 the Alternates returned in a Registration Confirm message list all the peers in the cluster. Also note that some versions of TMS refer to peers as "members".
  • Page 151: Resource Usage Within A Cluster

    If any one of the peers is temporarily taken out of service the full set of call licenses will remain available to the entire cluster. However, we recommend that, where possible, the number of licenses is configured evenly across all peers in the cluster.
  • Page 152: Managing Clusters And Peers

    The Cluster pre-shared key is the common IPsec access key used by each peer to access every other peer in the cluster. Each peer in the cluster must be configured with the same Cluster pre-shared key. Setting configuration for the cluster
  • Page 153: Adding And Removing Peers From A Cluster

    Monitoring the status of the cluster The status sections at the bottom of the Clustering page show you the current status of the cluster, and the time of the previous and next synchronization.
  • Page 154: Peer-Specific Configuration

    MCU is peer-specific, as it must be unique for each peer in the cluster. CA certificates The security certificates and certificate revocation lists (CRLs) used by the VCS must be uploaded individually per peer.
  • Page 155: Sharing Registrations Across Peers

    For general information on how the VCS manages bandwidth, see the bandwidth control section.
  • Page 156: Cluster Upgrades, Backup And Restore

    You can do this by running the transferfindmeaccounts script. Instructions for how to do this are contained in VCS Cluster creation and maintenance deployment guide.
  • Page 157: Clustering And Presence

    Subzone will no longer appear in the call route and the call will appear as having come from (or being routed to) the Default Subzone. The two situations in which a call will pass via the Cluster Subzone are:
  • Page 158: Neighboring The Local Vcs To Another Vcs Cluster

    This zone will represent the connection to the cluster. 2. In the Location section, enter the IP address or FQDN of each peer in the remote cluster in the Peer 1 to Peer 6 address fields. Note that:
  • Page 159: Tms Agent Replication Status

    Note that the TMS Agent replication status is only relevant if the VCS has the FindMe or Device Provisioning option keys enabled and is using the legacy TMS Agent database.
  • Page 160: Troubleshooting Cluster Replication Problems

    This will delete the non-master VCS configuration and force it to update its configuration from the master VCS. CAUTION: never issue this command on the master VCS, otherwise all configuration for the cluster will be lost.
  • Page 161: Dial Plan And Call Processing

    Call Policy to manage calls routing calls via the Cisco TelePresence Advanced Media Gateway the different address dial formats that can be used to initiate a call how to set up your network to handle incoming and outgoing calls made via...
  • Page 162: Call Routing Process

    Neighbor zone: one of the VCS's configured external neighbor zones, or a DNS or ENUM lookup zone. Policy service: an external service or application, such as a Cisco TelePresence Conductor. The service will return some CPL which could, for example, specify the zone to which the call should be routed, or it could specify a new destination alias.
  • Page 163 Dial plan and call processing
  • Page 164: About The Vcs's Directory Service

    You can configure the VCS to use the directory service in the following areas: Registration restriction policies: as an alternative to using Allow and Deny Lists; Call Policy configuration: where it can be applied in addition to locally-defined Call Policy
  • Page 165: About Hop Counts

    3. In the Configuration section, in the Hop count field, enter the hop count value you want to use for this zone. For full details on other zone options, see the Zone configuration section.
  • Page 166: Dial Plan Configuration

    You may want to configure your fallback alias to be that of your receptionist, so that all calls that do not specify an alias are still answered personally and can then be redirected appropriately.
  • Page 167 This means that any calls made directly to example.com (that is, without being prefixed by an alias), are forwarded to reception@example.com, where the receptionist can answer the call and direct it appropriately.
  • Page 168: About Transforms And Search Rules

    (because it will interwork the call only if one of the endpoints is locally registered). If Interworking mode is set to On, or the request has come from a locally registered endpoint, the VCS searches the Local Zone and all external zones using both protocols.
  • Page 169: About Pre-Search Transforms

    Pattern in the manner specified by the pattern Type. The alias is then transformed according to the Pattern behavior and Replace string rules before the search takes place (either locally or to external zones).
  • Page 170 Indicates if the transform is enabled or not. Use this setting when making or testing configuration changes, or to temporarily enable or disable certain rules. Any disabled rules still appear in the rules list but are ignored.
  • Page 171: Search And Zone Transform Process

    (if one has been defined) appears as a tooltip. Up to 2000 search rules can be configured. Priority 1 search rules are applied first, followed by all priority 2 search rules, and so on.
  • Page 172 Alias pattern match: the alias must match the specified Pattern type and Pattern string. Any alias: any alias (providing it is not an IP address) is allowed. Any IP Address: the alias must be an IP address.
  • Page 173 Indicates if the search rule is enabled or not. Use this setting when making or testing configuration changes, or to temporarily enable or disable certain rules. Any disabled rules still appear in the rules list but are ignored.
  • Page 174 (Maintenance > Tools > Locate). You can test whether a pattern matches a particular alias and is transformed in the expected way by using the Check pattern tool (Maintenance > Tools > Check pattern).
  • Page 175: Example Searches And Transforms

    New) set up an associated search rule as follows: Field Value Rule name Regional sales office Description Calls to aliases with a suffix of @sales.example.com Priority Source Request must be authenticated Mode Alias pattern match Pattern type Suffix
  • Page 176: Always Query A Zone With Original Alias (No Transforms)

    Create search rule page (VCS configuration > Dial plan > Search rules > New) set up a search rule as follows: Field Value Rule name Transform to example.co.uk Description Transform example.com to example.co.uk
  • Page 177: Query A Zone For Original And Transformed Alias

    Overseas office - original alias Description Query overseas office with the original alias Priority Source Request must be authenticated Mode Any alias On successful match Continue Target zone Overseas office State Enabled Rule #2
  • Page 178: Query A Zone For Two Or More Transformed Aliases

    New) set up two search rules as follows: Rule #1 Field Value Rule name Transform to example.co.uk Description Transform example.com to example.co.uk Priority Source Request must be authenticated Mode Alias pattern match
  • Page 179: Stripping @Domain For Dialing To H.323 Numbers

    Together these will let users place calls from both SIP and H.323 endpoints to H.323 endpoints registered using their H.323 E.164 number only.
  • Page 180 Request must be authenticated Mode Alias pattern match Pattern type Regex Pattern string (\d+)@domain Pattern behavior Replace Replace string On successful match Continue Target zone Local Zone State Enabled Rule #2
  • Page 181: Transforms For Alphanumeric H.323 Id Dial Strings

    ID or a full URI — but uses a different regex (regular expression) that supports alphanumeric characters. Pre-search transform On the Create transforms page (VCS configuration > Dial plan > Transforms > New): Field Value Priority Description Append @domain to any alphanumeric dial string Pattern type Regex
  • Page 182 On successful match Continue Target zone Local Zone State Enabled Rule #2 Field Value Rule name Dialing H.323 strings with domain Description Place calls to string@domain with no alias transform Priority Source
  • Page 183: Allowing Calls To Ip Addresses Only If They Come From Known Zones

    Allow calls to IP addresses only from a known zone Priority Source All zones Request must be authenticated Mode Any IP address On successful match Continue Target zone Overseas office State Enabled
  • Page 184: Configuring Policy Services

    :<port> to the address. Path The URL of the service. Status path The path for obtaining the remote service status. Username The username used by the VCS to log in and query the service.
  • Page 185 ... service is unavailable. This defaults to <reject status='403' reason='Service Unavailable'/> but you could change it, for example, to redirect to an answer service or recorded message. See About policy services for more information.
  • Page 186: About Call Policy

    CPL script that has been uploaded. If Local CPL is enabled but no policy is configured or uploaded, then a default policy is applied that allows all calls, regardless of source or destination.
  • Page 187 ... service is unavailable. This defaults to <reject status='403' reason='Service Unavailable'/> but you could change it, for example, to redirect to an answer service or recorded message. See About policy services for more information.
  • Page 188: Configuring Call Policy Rules Using The Web Interface

    You can use CPL scripts to configure advanced Call Policy. To do this, you must first create and save the CPL script as a text file, after which you upload it to the VCS. However, due to the complexity of writing CPL
  • Page 189 The VCS polls for CPL script changes every 5 seconds, so the VCS will almost immediately start using the updated CPL script. Deleting an existing CPL script If a CPL script has already been uploaded, a Delete uploaded file button will be visible. Click it to delete the file.
  • Page 190: Configuring Vcs To Use The Cisco Telepresence Advanced Media Gateway

    By default, all OCS calls are routed via the Cisco AM GW. If you want to control which calls go through the Cisco AM GW you have to set up policy rules. To do this, set Policy mode to On and then go to the Advanced Media Gateway policy rules page.
  • Page 191: Configuring Cisco Am Gw Policy Rules

    Cisco AM GW. By default, after a VCS has been configured with the Cisco AM GW to use for OCS calls, all calls to or from the OCS zone are routed via the Cisco AM GW.
  • Page 192 The action to take if the source or destination alias of the call matches this policy rule. Allow: the call can connect via the Cisco AM GW. Deny: the call can connect but it will not use Cisco AM GW resources.
  • Page 193: Dialable Address Formats

    DNS zone. Full instructions on how to configure the VCS to support URI dialing via DNS (both outbound and inbound) are given in the URI dialing section.
  • Page 194: Dialing By Enum

    To support ENUM dialing on the VCS you must configure it with at least one DNS server and the appropriate ENUM zones. Full instructions on how to configure the VCS to support ENUM dialing (both outbound and inbound) are given in the ENUM dialing section.
  • Page 195: Ip Dialing

    URI (this requires that the local VCS is configured to support URI dialing, and a DNS record exists for that URI that resolves to the unregistered endpoint's IP address)
  • Page 196 Any IP Address against the traversal server zone. 3. The VCS Expressway receives the call and because its Calls to unknown IP addresses setting is Direct, it will make the call directly to the called IP address.
  • Page 197: About Uri Dialing

    Stripping @domain for dialing to H.323 numbers for an example of how to do this. SIP endpoints always register with an AOR in the form of a URI, so no special configuration is required.
  • Page 198: Uri Dialing Via Dns

    IP addresses, and the VCS then routes the call, in priority order to the IP addresses returned in those records. (An exception to this is where the original dial string has a port
  • Page 199: Uri Dialing Via Dns For Outgoing Calls

    Below is the process that is followed when a URI address is dialed from an endpoint registered with your VCS, or received as a query from a neighbor system:
  • Page 200 For most deployments, this option should be left as Default. profile 5. Click Create zone. Configuring search rules for DNS zones If you want your local VCS to use DNS to locate endpoints outside your network, you must:
  • Page 201: Uri Dialing Via Dns For Incoming Calls

    SRV record format: The format of SRV records is defined by RFC 2782 as: _Service._Proto.Name TTL Class SRV Priority Weight Port Target. For the VCS, these are as follows:
  • Page 202: Configuring Sip Srv Records

    If you want the VCS to be contactable using SIP URI dialing, you should configure an SRV record for each SIP transport protocol enabled on the VCS (that is, UDP, TCP or TLS) as follows:
  • Page 203: Example Dns Record Configuration

    In this case you would configure a pre-search transform that would strip the IP_address suffix from the incoming URI and replace it with the suffix of example.com.
  • Page 204: Uri Dialing And Firewall Traversal

    Expressway as the authoritative gatekeeper/proxy for the enterprise (see the DNS configuration examples section for more information). This ensures that incoming calls placed using URI dialing enter the enterprise through the VCS Expressway, allowing successful traversal of the firewall.
  • Page 205: About Enum Dialing

    To allow locally registered endpoints to dial out to other endpoints using ENUM, you must: configure at least one ENUM zone, and configure at least one DNS Server. This is described in the ENUM dialing for outgoing calls section. Incoming calls
  • Page 206: Enum Dialing For Outgoing Calls

    The digits are reversed and separated by a dot. ii. The DNS suffix configured for that ENUM zone is appended. 5. DNS is then queried for the resulting ENUM domain.
  • Page 207: Zone Configuration For Enum Dialing

    2. Click New. You are taken to the Create zone page. 3. Enter a Name for the zone and select a Type of ENUM. 4. Configure the ENUM zone settings as follows:
  • Page 208 Pattern string of 44 Pattern type of Prefix This results in an ENUM query being sent to that zone only when someone dials a number starting with 44. Configuring transforms for ENUM zones
  • Page 209: Enum Dialing For Incoming Calls

    NAPTR records are processed. The record with the lowest order is processed first, with those with the lowest preference being processed first in the case of matching order.
  • Page 210: Configuring Dns Servers For Enum And Uri Dialing

    2. Enter in the Address 1 to Address 5 fields the IP addresses of up to 5 DNS servers that the VCS will query when attempting to locate a domain. These fields must use an IP address, not a FQDN.
  • Page 211: Call Signaling Configuration

    Off: the VCS will not detect and fail search loops. You are recommended to use this setting only in advanced deployments.
  • Page 212: Identifying Calls

    Call Tag. Note: Call Tags are supported by VCS (version X3.0 or later) and Cisco TelePresence Conductor. If a call passes through a system that is not a VCS or Conductor then the Call Tag information will be lost.
  • Page 213 Dial plan and call processing
  • Page 214: Disconnecting Calls

    Note that endpoints that support SIP session timers (see RFC 4028) have a call refresh timer which allows them to detect a hung call (signaling lost between endpoints). The endpoints will release their resources after the next session-timer message exchange.
  • Page 215: Bandwidth Control

    (VCS configuration > Local Zone VCS configuration > Bandwidth). It includes the following information: an overview of bandwidth control subzones how to configure subzones membership rules how to configure links pipes some bandwidth control examples
  • Page 216: About Bandwidth Control

    In this example each pool of endpoints has been assigned to a different subzone, so that suitable limitations can be applied to the bandwidth used within and between each subzone based on the amount of bandwidth they have available via their internet connections.
  • Page 217: Bandwidth Configuration

    In this situation endpoint users will get one of the following messages, depending on the system that initiated the search: "Exceeds Call Capacity" "Gatekeeper Resources Unavailable"
  • Page 218: About Subzones

    You must ensure that the port range is large enough to support the maximum number of traversal calls available on your VCS. A single traversal call can take up to 40 ports. So for example, if your VCS is licensed...
  • Page 219: About The Default Subzone

    Default Subzone, to be denied. Note that registration requests have to fulfill any registration restriction policy rules before any subzone membership and subzone registration policy rules are applied.
  • Page 220: Configuring Subzone Membership Rules

    A descriptive name for the membership rule. Description An optional free-form description of the rule. The description appears as a tooltip if you hover your mouse pointer over a rule in the list.
  • Page 221: Applying Bandwidth Limitations To Subzones

    Applying bandwidth limitations to subzones You can apply bandwidth limits to the Default Subzone, Traversal Subzone and all manually configured subzones. The limits you can apply vary depending on the type of subzone, as follows:
  • Page 222 Traversal Subzone, and again for the call from the Traversal Subzone back to the originating subzone. In addition, as this call passes through the Traversal Subzone, it will consume an amount of bandwidth from the Traversal Subzone equal to that of the call.
  • Page 223: Links And Pipes

    You can edit any of these default links in the same way you would edit manually configured links. If any of these links have been deleted you can re-create them, either:
  • Page 224: Configuring Pipes

    Shows the total number of calls currently traversing all links to which the pipe is applied. Bandwidth used: Shows the total amount of bandwidth currently being consumed by all calls traversing all links to which the pipe is applied. You can configure up to 1000 pipes.
  • Page 225: Applying Pipes To Links

    Pipe B, which represents the Home Office’s dial-up connection to the internet. Each pipe would have bandwidth restrictions placed on it to represent its maximum capacity, and a call placed via this link would have the lower of the two bandwidth restrictions applied.
  • Page 226 Bandwidth control
  • Page 227: Bandwidth Control Examples

    With a firewall If the example deployment above is modified to include firewalls between the offices, we can use Cisco’s Expressway firewall traversal solution to maintain connectivity. We do this by adding a VCS Expressway
  • Page 228 All of the endpoints in the Head Office are assigned to the Default Subzone. This is linked to the Traversal Subzone, through which all calls leaving the Head Office must pass.
  • Page 229: Firewall Traversal

    It includes the following information: an overview of firewall traversal; how to configure VCSs for firewall traversal; firewall traversal protocols and ports; firewall configuration guidelines; an overview of ICE and TURN services.
  • Page 230: About Firewall Traversal

    However, firewalls can be configured to allow outgoing requests to certain trusted destinations, and to allow responses from those destinations. This principle is used by Cisco's Expressway technology to enable secure traversal of any firewall.
  • Page 231: Configuring Vcss For Firewall Traversal

    The VCS Expressway has all the functionality of a VCS Control (including being able to act as a firewall traversal client). However, its main feature is that it can act as a firewall traversal server for other Cisco systems and any traversal-enabled endpoints that are registered directly to it. It can also provide TURN relay services to ICE-enabled endpoints.
  • Page 232 Configuring other traversal server features For the VCS Expressway to act as a firewall traversal server for traversal-enabled endpoints (such as Cisco MXP endpoints and any other endpoints that support the ITU H.460.18 and H.460.19 standards), no additional configuration is required. See Configuring Expressway and traversal endpoint communications for more information.
  • Page 233: Configuring A Traversal Client And Server

    Configure all the modes and ports in the H.323 and SIP protocol sections to match identically those of the traversal server zone on the VCS Expressway. Enter the VCS Expressway’s IP address or FQDN in the Peer 1 address field.
  • Page 234 Firewall traversal
  • Page 235: Firewall Traversal Protocols And Ports

    H.323 firewall traversal protocols The VCS supports two different firewall traversal protocols for H.323: Assent and H.460.18/H.460.19. Assent is Cisco’s proprietary protocol. H.460.18 and H.460.19 are ITU standards which define protocols for the firewall traversal of signaling and media respectively. These standards are based on the original Assent protocol.
  • Page 236 TURN ports The VCS Expressway can be enabled to provide TURN services (Traversal Using Relays around NAT) which can be used by SIP endpoints that support the ICE firewall traversal protocol.
  • Page 237 TCP/5061: signaling; UDP/3478 (default): TURN services; UDP/1719: signaling; UDP/5060 (default): signaling; UDP/60000-61200 (default range): media; UDP/50000-54999: media; UDP/50000-54999: media; TCP/15000-19999: signaling; TCP: a temporary port in the range 25000-29999 is allocated
  • Page 238: Firewall Traversal And Authentication

    Authentication, in the External > Edit zone, in the Connection credentials section. Registration Credentials section. There must also be an entry in the VCS Expressway’s authentication database with the corresponding client username and password.
  • Page 239: Authentication And Ntp

    The system time on a VCS is provided by a remote NTP server. Therefore, for firewall traversal to work, all systems involved must be configured with details of an NTP server.
  • Page 240: Firewall Configuration

    VCS Expressway back to the originating client Cisco offers a downloadable tool, the Expressway Port Tester, that allows you to test your firewall configuration for compatibility issues with your network and endpoints. It will advise if necessary which ports may need to be opened on your firewall in order for the Expressway™...
  • Page 241: Configuring Traversal Server Ports

    H.323 Assent call signaling port Port used for Assent signaling. Default is 2776. H.323 H.460.18 call signaling port Port used for H.460.18 signaling. Default is 2777. See Firewall traversal protocols and ports for more information.
  • Page 242: About Ice And Turn Services

    TURN server. Note that the signaling always goes via the VCS, regardless of the final media communication path chosen by the endpoints. Capabilities and limitations
  • Page 243: Configuring Turn Services

    TURN relay status information TURN relays page lists all the currently active TURN relays on the VCS. You can also review further details of each TURN relay including permissions, channel bindings and counters.
  • Page 244: Applications

    You may need to purchase the appropriate option key in order to use each of these applications. They are: Conference Factory; Presence services; OCS Relay; Microsoft OCS/Lync B2BUA; FindMe; TMS Provisioning; Starter Pack Provisioning.
  • Page 245: Conference Factory

    Multiway is supported in Cisco TelePresence endpoints including the E20 (software version TE1.0 or later) and MXP range (software version F8.0 or later). Check with your Cisco representative for an up-to-date list of the Cisco endpoints and infrastructure products that support Multiway.
  • Page 246 (VCS configuration > Protocols > Interworking). See Multiway deployment guide for full details on how to configure individual components of your network (endpoints, MCUs and VCSs) in order to use Multiway in your deployment.
  • Page 247: Presence

    Presentity Manager for information about that presentity, and forwards the information that is returned to the subscriber. The Subscription Manager also receives notifications from the Presentity Manager when a presentity’s status has changed, and sends this information to all subscribers.
  • Page 248: Presence User Agent (Pua)

    However, endpoints that support presence may provide other, more detailed status, for example away or do not disturb. For this reason, information provided by the PUA is used by the Presentity Manager as follows:
  • Page 249: Configuring Presence

    These services can be enabled and disabled separately from each other, depending on the nature of your deployment. Both are disabled by default. Note that SIP mode must be enabled for the Presence services to function.
  • Page 250 PUA (if enabled) remote SIP Proxies Note that Presence Server is automatically enabled when the Starter Pack option key is installed.
  • Page 251 VCS clusters: for information about how Presence works within a VCS cluster, see Clustering and Presence. Note: any defined transforms also apply to any Publication, Subscription or Notify URIs handled by the Presence Services.
  • Page 252: Ocs Relay

    OCS, including configuring Call Policy and Presence. As this is a complex procedure beyond the scope of this guide, you are recommended to see Microsoft OCS 2007, Lync 2010 and VCS deployment guide which describes in detail all the steps required.
  • Page 253: Microsoft Ocs/Lync B2Bua (Back-To-Back User Agent)

    VCS to the B2BUA uses a special zone profile of Microsoft OCS Lync — this profile is only used by the B2BUA and cannot be selected against any manually configured zones.
  • Page 254: Configuring The Microsoft Ocs/Lync B2Bua

    Applications For more information about configuring VCS, OCS/Lync and the Cisco AM GW, see the following documents: Microsoft Lync 2010 and VCS deployment guide. Microsoft Lync 2010, Cisco AM GW and VCS deployment guide. Configuring the Microsoft OCS/Lync B2BUA Microsoft OCS/Lync B2BUA configuration page (Applications >...
  • Page 255 TURN services The password to access the TURN server. password Advanced settings: you should only modify the advanced settings on the advice of Cisco customer support. Encryption Controls how the B2BUA handles encrypted A call via the B2BUA comprises two legs: and unencrypted call legs.
  • Page 256: Configuring The B2Bua's Trusted Hosts

    The B2BUA will only accept messages from devices whose IP address is included in the list of trusted hosts. A service restart is required to enable changes to the list of trusted hosts to take effect.
  • Page 257: Configuring Transcoder Policy Rules

    The type of device that may send signaling messages to the B2BUA. OCS/Lync device: this includes Hardware Load Balancers, Directors and Front End Processors Transcoder: a transcoder device such as a Cisco TelePresence Advanced Media Gateway Configuring transcoder policy rules Microsoft OCS/Lync B2BUA transcoder policy rules page (Applications >...
  • Page 258: Configuring B2Bua Transcoders

    B2BUA is the Cisco TelePresence Advanced Media Gateway (Cisco AM GW). The B2BUA can use the Cisco AM GW to transcode between standard codecs (such as H.264) and Microsoft RT Video and RT Audio to allow high definition calls between Microsoft Office Communicator (MOC) clients and Cisco endpoints.
  • Page 259: Restarting The B2Bua Service

    On a clustered VCS you have to restart the B2BUA service on every peer. You are recommended to ensure the service is configured and running correctly on the master peer before restarting the B2BUA service on the other peers.
  • Page 260: Findme

    A user's account should be configured with one or more principal devices. These are the main devices associated with that account. Users are not allowed to delete or change the address of their principal devices. This is to stop users from unintentionally changing their basic FindMe configuration.
  • Page 261: Findme Process Overview

    Configuration) is used to enable and configure FindMe User Policy. Note that the FindMe configuration page can only be accessed if the FindMe option key is installed. The configurable options are:
  • Page 262 This setting does not apply if users configure their FindMe settings via TMS (when VCS and TMS are running in TMS Provisioning Extension mode).
  • Page 263 If you use FindMe without TMS (known as "standalone FindMe") you are recommended to switch from using the TMS Agent to using the VCS’s local database for storing FindMe data as soon as is practicable.
  • Page 264: Searching For Findme Users

    See Clustering and FindMe for more information. This page only applies if the VCS is using the legacy TMS Agent database to store FindMe data.
  • Page 265: Tms Provisioning

    The Phone books service provides the data that allows users to search for contacts within phone books. Access to phone books is controlled on a per user basis according to any access control lists that have been defined (within TMS).
  • Page 266: Vcs Provisioning Server

    FindMe data between VCS and TMS. This is the mode used by earlier versions of VCS and TMS. TMS Provisioning Extension mode: this uses the TMS Provisioning Extension services to provide the VCS with provisioning and FindMe data that is managed and maintained exclusively within TMS.
  • Page 267 VCS. The Provisioning Server does not do its own authentication challenge and will reject any unauthenticated messages. See Device provisioning and authentication policy for more information.
  • Page 268: Starter Pack Provisioning

    User accounts are also used to configure a user's FindMe settings. See VCS Starter Pack Express deployment guide for full details on setting up Starter Pack provisioning.
  • Page 269: Maintenance

    VCS restart, reboot shut down the VCS
  • Page 270: About Upgrading Software Components

    (the .ova file is only required for the initial install of the VCS software on VMware) release notes for the software version you are upgrading to — additional manual steps may be required Contact your Cisco representative for more information on how to obtain these. Backing up before upgrading You should backup your system configuration before upgrading.
  • Page 271: Upgrade Procedure

    New features may also become available with each major release of the VCS platform component, and you may need to install new option keys to take advantage of these new features. Contact your Cisco representative for more information on all the options available for the latest release of VCS software.
  • Page 272: Upgrading Using Secure Copy (Scp/Pscp)

    2. Upload the software image using SCP/PSCP. For the VCS platform component: Upload to the /tmp folder on the system. The target name must be /tmp/tandberg-image.tar.gz, for example: scp s42700x5.tar.gz root@10.0.0.1:/tmp/tandberg-image.tar.gz
  • Page 273 CLI, and reboot the VCS. After about five minutes the system will be ready to use. Note: if you make any further configuration changes before rebooting, those changes will be lost when the system restarts, so you are recommended to reboot your system immediately.
  • Page 274: Logging Configuration

    The Event Log is always stored locally on the VCS. However, it is often convenient to collect copies of all event logs from various systems in a single location. This is referred to as remote logging. This is particularly...
  • Page 275 If more than one remote syslog server is configured, the same information is sent to each server. The VCS may use any of the 23 available syslog facilities for different messages. Specifically, LOCAL0..LOCAL7 (facilities 16..23) are used by different software components of the VCS.
  • Page 276: Option Keys

    Options are used to add additional features to the VCS. Your VCS may have been shipped with one or more optional features pre-installed. To purchase further options, contact your Cisco representative. The System information section summarizes the existing features installed on the VCS. The options that you may see here include: Expressway: enables the VCS to work as an Expressway™...
  • Page 277 To see which indexes are currently in use, type xConfiguration option.
  • Page 278: About Security Certificates

    This will replace any previously uploaded CA certificates. To replace the currently uploaded file with a default list of trusted CA certificates, click Reset to default CA certificate. To view the currently uploaded file, click Show CA certificate.
  • Page 279: Managing The Vcs's Server Certificate

    (the exact wording depends on your browser). View the current request. When the signed server certificate is received back from the certificate authority it must be uploaded to the VCS as described below.
  • Page 280: Crl Management

    CRL sources The VCS can obtain CRL information from multiple sources: manual upload of CRL data; automatic downloads of CRL data from CRL distribution points.
  • Page 281 3. Enter the Daily update time (in UTC). This is the approximate time of day when the VCS will attempt to update its CRLs from the distribution points. 4. Click Save.
  • Page 282: Certificate-Based Authentication Configuration

    The following diagram shows an example authorization and authentication process. It shows how a certificate is obtained from a card reader and then validated by the VCS. It then shows how the VCS obtains the user's authorization level from an Active Directory service.
  • Page 283: Client Certificate Testing

    You can: test whether a client certificate is valid when checked against the VCS's current trusted CA list and, if loaded, the revocation list (see CRL management)
  • Page 284 Browse again and select the new or modified file to upload
  • Page 285 The regex is applied to a plain text version of an encoded certificate. The system uses the command openssl x509 -text -nameopt RFC2253 -noout to extract the plain text certificate from its encoded format.
  • Page 286: Advanced Account Security

    SSH, Telnet, and through the serial port is disabled and cannot be turned on (the pwrec password recovery function is also unavailable); access over HTTPS is enabled and cannot be turned off
  • Page 287 The Event Log, Configuration Log, Network Log, call history, search history and registration history are cleared whenever the VCS is taken out of advanced account security mode.
  • Page 288: Configuring Language Settings

    You can install new language packs or install an updated version of an existing language pack. Language packs are downloaded from the same area on cisco.com from where you obtain your VCS software files. All available languages are contained in one language pack zip file. Download the appropriate language pack version that matches your software release.
  • Page 289: About Login Accounts

    You can configure the complexity requirements for local administrator passwords on the Password security page (Maintenance > Login accounts > Password security). All passwords and usernames are case sensitive. Note that:
  • Page 290: Configuring Login Account Authentication

    (Maintenance > Login accounts > Configuration) is used to configure where administrator and user account credentials are authenticated (and authorized) before access is allowed to the VCS. The configurable options are:
  • Page 291: Configuring Remote Account Authentication Using Ldap

    LDAP server configuration: this section specifies the connection details to the LDAP server. Server The IP address or FQDN (or server address, address if a DNS Domain name has also been configured) of the LDAP server.
  • Page 292 The username used by the VCS when username binding to the LDAP server with SASL. Directory configuration: this section specifies the base distinguished names to use when searching for account and group names.
  • Page 293: Password Security

    "abc" or "123"; contain too few different characters; be palindromes. If Enforce strict passwords is set to Off, no checks are made on administrator passwords. Note that:
  • Page 294: Configuring Administrator Accounts

    API interfaces, but not the CLI. The configurable options are: Field Description Usage tips Name The username for the administrator account. Some names such as "root" are reserved. Local administrator account user names are case sensitive.
  • Page 295: Configuring Administrator Groups

    If the administrator account belongs to more than one group, the highest level permission is assigned. The configurable options are:
  • Page 296 For example, if the following groups were configured: Group name Access level Web access API access Administrators Read-write Region A Read-only Region B Read-only Region C Read-only
  • Page 297: Configuring User Accounts

    FindMe ID by mapping incoming numbers through an ISDN gateway. to the FindMe ID using ENUM, search rules or CPL. See FindMe deployment guide for more information.
  • Page 298 The device URI is based on a combination of the Username, FindMe ID and device type. It takes the format <username>.<device type>@<domain portion of FindMe ID>. For example, if the Username is Alice.Smith and the FindMe ID is asmith@example.com, then the URI for an E20 device would be alice.smith.e20@example.com.
  • Page 299: Configuring A User's Principal Devices

    To set devices so they are no longer principal devices, select the required devices and click Unset as principal device. Note that only an administrator (and not users themselves) can configure which of a user's devices are their principal devices.
  • Page 300: Configuring User Groups

    1. Connect a PC to the VCS using the serial cable as per the instructions in VCS Getting Started Guide. Serial port / console access is always enabled for one minute following a restart, even if it is normally disabled. 2. Restart the VCS.
  • Page 301: Root Account

    You may want to enable access over Telnet, but for security reasons this is not recommended. To enable and disable access to the root account using SSH and Telnet:
  • Page 302 3. Type exit to log out of the root account. If you have disabled SSH access while logged in using SSH, your current session will remain active until you log out, but all future SSH access will be denied.
  • Page 303: Backing Up And Restoring Vcs Data

    5. Save the file to a designated location. Note that log files are not included in the system backup file. Legacy TMS Agent database
  • Page 304: Restoring A Previous Backup

    Click Abort system restore if you need to exit the restore process and return to the Backup and restore page. After the system restarts, you are taken to the login page. Legacy TMS Agent database
  • Page 305 5. The VCS checks the file and restores its contents. If the backup file is not valid or an incorrect decryption password is entered, you will receive an error message at the top of the Backup and restore page.
  • Page 306: Diagnostics Tools

    7. Click Download log to save the diagnostic log to your local file system. You are prompted to save the file (the exact wording depends on your browser). 8. Send the downloaded diagnostic log file to your Cisco support representative, if you have been requested to do so.
  • Page 307: Creating A System Snapshot

    2. Click Download snapshot. A pop-up window appears and prompts you to save the file (the exact wording depends on your browser). Select a location from where you can easily send the file to your support representative.
  • Page 308: Configuring Network Log Levels

    Network Log message modules. CAUTION: changing the logging levels can affect the performance of your system. You should only change a log level on the advice of Cisco customer support. To change a logging level: 1.
  • Page 309: Incident Reporting

    AUTOMATIC CONFIGURATION FEATURE. Instead, copy the data from the Incident detail page and paste it into a text file. You can then edit out any sensitive information before forwarding the file on to Cisco customer support. Incident reports are always saved locally, and can be viewed via the Incident view page.
  • Page 310: Sending Incident Reports Manually

    If you need to edit the report before sending it to Cisco (for example, if you need to remove any potentially sensitive information) you must copy and paste the information from the...
  • Page 311: Incident Report Details

    To view the information contained in a particular incident report, click on the report's Time. You will be taken to the Incident detail page, from where you can view the report on screen, or download it as an XML file for forwarding manually to Cisco customer support. Incident report details Incident detail page (Maintenance >...
  • Page 312: Checking The Effect Of A Pattern

    VCS Cisco AM GW policy rules to determine which calls are routed via the Cisco AM GW To use this tool: 1. Enter an Alias against which you want to test the transform.
  • Page 313: Locating An Alias

    The locate process performs the search as though the VCS received a call request from the selected Source zone. For more information, see the Call routing process section.
  • Page 314: Port Usage

    (Maintenance > Tools > Port usage > Local VCS outbound ports) shows the source IP ports used by this VCS. These are the IP ports on the VCS used to send outbound communications to other systems.
  • Page 315: Remote Listening Ports

    VCS will be able to communicate with all remote devices. You only need to use the information on this page if you want to limit the IP ports opened on your firewall to these remote systems and ports.
  • Page 316: Network Utilities

    1. In the Host field, enter the IP address or hostname of the host system to which you want to trace the path. 2. Click Traceroute. A new section will appear with a banner stating the results of the trace, and showing the following information for each router in the path:
  • Page 317: Tracepath

    (for reverse lookups the Query type is ignored - the search automatically looks for PTR records) Option Searches for... any type of record A (IPv4 address) a record that maps the hostname to the host's IPv4 address
  • Page 318 The length of time (in seconds) that the results of this query will be cached by the VCS. Class IN (internet) indicates that the response was a DNS record involving an internet hostname, server or IP address. Type The record type contained in the response to the query.
  • Page 319 All would result in the following DNS queries: host_name.example.com AAAA host_name.example.com NAPTR host_name.example.com host_name.example.com _h323ls._udp.host_name.example.com _h323cs._tcp.host_name.example.com _sips._tcp.host_name.example.com _sip._tcp.host_name.example.com _sip._udp.host_name.example.com In each of these cases, if the query is unsuccessful an additional query would be made for host_name only.
  • Page 320: Restarting

    VCS while the red ALM LED on the front of the box is on. This indicates a hardware fault. Contact your Cisco representative. The restart function shuts down and restarts the VCS application software, but not the operating system or hardware.
  • Page 321: Rebooting

    VCS while the red ALM LED on the front of the box is on. This indicates a hardware fault. Contact your Cisco representative. The reboot function shuts down and restarts the VCS application software, operating system and hardware.
  • Page 322: Shutting Down

    VCS while the red ALM LED on the front of the box is on. This indicates a hardware fault. Contact your Cisco representative. The system must be shut down before it is unplugged. Avoid uncontrolled shutdowns, in particular the removal of power to the VCS during normal operation.
  • Page 323: Developer Resources

    The VCS web interface contains a number of pages that are not intended for use by customers. These pages exist for the use of Cisco support and development teams only. Do not access these pages unless it is under the advice and supervision of your Cisco support representative.
  • Page 324: Reference Material

    TMS agent TMS agent passwords what constitutes traversal calls restoring the system to its default settings alarms xConfiguration commands xCommand commands xStatus commands policy services bibliography glossary
  • Page 325: Software Version History

    Call processing Improved interworking between VCS and Cisco Unified Communications Manager (CUCM). VCS now always stays in the call signaling route for calls to neighbor zones that are configured with the Cisco Unified Communications Manager or the Infrastructure device zone profiles.
  • Page 326 They can be configured separately for standard and Outbound registration connections. These settings supersede the previous Registration expire delta setting. Improved diagnostics
  • Page 327 It allows you to generate a diagnostic log of system activity over a period of time, and then to download the log so that it can be sent to your Cisco customer support representative.
  • Page 328: X6.1

    TMS Agent database credentials included within local authentication database lookups In addition to any manually created entries, the Cisco VCS now checks credentials stored within the TMS Agent database when the device authentication database type is set to Local database.
  • Page 329 Reference material The Cisco VCS Starter Pack now supports the provisioning of ClearPath to Movi / Jabber Video. Improved cluster set-up process The process for setting-up a cluster has been simplified such that the replication of configuration and FindMe information is set up automatically when a new peer is added into a cluster via the web interface.
  • Page 330: X5.2

    Reference material Multiple language support has been enabled on the VCS's web interface. Language packs will be made available for download in the future. Contact your Cisco support representative for more information on supported languages. Enhanced online help The context-sensitive help available through the Help link at the top of every page on the web interface now contains additional conceptual and reference information.
  • Page 331: X5.1

    "Please select" in drop-down fields: when creating configuration items some of the default values presented in drop-down selection fields have been replaced with a "please select" value. This helps prevent potentially undesirable default values being selected by mistake.
  • Page 332 10-999 will generate aliases 010 through 999. Cisco TelePresence Advanced Media Gateway support The Cisco TelePresence Advanced Media Gateway (Cisco AM GW) provides support for transcoding between standard codecs (such as H.264) and Microsoft RT Video to allow high definition calls between Microsoft Office Communicator (MOC) clients and Cisco endpoints.
  • Page 333 Advanced Media Gateway zone profile: automatically configures the VCS with the zone settings required for connection to a Cisco AM GW. Policy rules: ability to define policy rules to control whether all or only selected calls to or from MOC clients are diverted through the Cisco AM GW.
  • Page 334 Number of links increased from 600 to 3000. Zone configuration VCS now supports up to 1000 zones (previously 200). New Cisco Unified Communications Manager zone profile option configures the settings required for connections to a Cisco UCM.
  • Page 335 Improved media statistics can be viewed on the Call media page: counters are now per call rather than per socket lost, duplicate and out of order packet counts jitter on each RTP channel in a call Clustering
  • Page 336 Local host name. This is the DNS host name that this VCS is known by. The NTP server field on the Time page now defaults to one of four NTP servers provided by Cisco, either: 0.ntp.tandberg.com, 1.ntp.tandberg.com, 2.ntp.tandberg.com or 3.ntp.tandberg.com. SIP configuration New parameters have been added to the SIP configuration page.
  • Page 337 H.323 and SIP. Administrator tools The Check pattern tool allows you to test the outcome of a pattern or transform before configuring it live on the VCS.
  • Page 338 VCS, regardless of whether these belong to the same device. Login banner You can upload an image and text that will be displayed when administrators or FindMe users log in to the VCS.
  • Page 339: About Event Log Levels

    VCS. message_details The body of the message (see the Message details field section for further information). Administrator and FindMe user events Administrator session related events are:
  • Page 340: Message Details Field

    The source IP address of the user who has logged in. Protocol Specifies which protocol was used for the communication. Valid values are: Reason Textual string containing any reason information associated with the event.
  • Page 341 The Tag is common to all searches and protocol messages across a VCS network for all forks of a call. Call- Indicates if the VCS took the signaling for the call. routed
  • Page 342: Events And Levels

    Application Exit The VCS application has been exited. Further information may be provided in the Detail event parameter. Application The VCS application is out of service due to an unexpected failure. Failed
  • Page 343 Cleared Decode Error A syntax error was encountered when decoding a SIP or H.323 message. Diagnostic Indicates that diagnostic logging is in progress. The Detail event parameter provides Logging additional details.
  • Page 344 FindMe user accounts have been migrated across clusters. The Detail event parameter Transfer provides additional details. Hardware There is an issue with the VCS hardware. If the problem persists, contact your Cisco Failure support representative.
  • Page 345 Possible values for the detail field are: Non Traversal Call Limit Reached Traversal Call Limit Reached If this occurs frequently, you may want to contact your Cisco representative to purchase more licenses. Message An incoming RAS message has been received.
  • Page 346 Response Sent A non-call-related SIP response has been sent. Restart A system restart has been requested. The Reason event parameter provides specific Requested information. Search A search has been attempted. Attempted
  • Page 347 An error occurred while attempting a system restore. error System restore The system restore process has started. started System The operating system was shutdown. Shutdown System A system snapshot has been initiated. snapshot started
  • Page 348 An unsuccessful attempt has been made to log in as a FindMe user. This could be Login failure because either an incorrect username or password (or both) was entered. User session A FindMe user has logged on to the system. start
  • Page 349: Cpl Reference

    Selected field and subfield contain the given string. Note that the CPL standard only allows for this matching on the display subfield; however the VCS allows it on any type of field.
  • Page 350 If the selected field contains multiple aliases then the VCS will attempt to match each address node with all of the aliases before proceeding to the next address node, that is, an address node matches if it matches any alias.
  • Page 351: Otherwise

    The taa:location node allows the location set to be modified so that calls can be redirected to different destinations. At the start of script execution the location set is initialized to the original destination.
  • Page 352: Rule-Switch

    If multiple entries are in the location set then this results in a forked call. If the current location set is empty the call is forwarded to its original destination. The proxy node supports the following optional parameters:
  • Page 353: Reject

    VCS will continue to use its existing policy. The following elements are not currently supported: time-switch string-switch language-switch priority-switch redirect mail subaction
  • Page 354: Cpl Examples

    In this example, user ceo will only accept calls from users vpsales, vpmarketing or vpengineering. <?xml version="1.0" encoding="UTF-8" ?> <cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl-extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd"> <taa:routed> <address-switch field="destination"> <address is="ceo"> <address-switch field="authenticated-origin"> <address regex="vpsales|vpmarketing|vpengineering">
  • Page 355 In this example, Example Inc has changed its domain from example.net to example.com. For a period of time some users are still registered at example.net. The following script would attempt to connect calls
  • Page 356 Default Zone or Default Subzone. <?xml version="1.0" encoding="UTF-8" ?> <cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl-extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd"> <taa:routed> <address-switch field="registered-origin"> <not-present> <address-switch field="originating-zone"> <address is="DefaultZone">
  • Page 357 <!-- Reject call with a status code of 403 (Forbidden) --> <reject status="403" reason="Denied by policy"/> </address> </address-switch> </address> </address-switch> </taa:routed> </cpl> Using the taa:rule-switch node <?xml version="1.0" encoding="UTF-8" ?> <cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl-extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd"> <taa:routed> <taa:rule-switch>
  • Page 358 <!-- Call attempt failed with 404 (Not Found) --> <taa:location url="notfound-message@example.com" clear="yes"> <proxy/> </taa:location> </failure> <failure> <!-- General catch-all failure handler for all other error responses --> <taa:location url="failed-message@example.com" clear="yes"> <proxy/> </taa:location> </failure> </proxy> </taa:routed> </cpl>
  • Page 359 <taa:rule-switch> <taa:rule origin=".*" destination="user@example.com" message-regex="^SUBSCRIBE.*"> <!-- Cannot subscribe to user@example.com --> <!-- Reject call with a status code of 403 (Forbidden) --> <reject status="403" reason="Denied by policy"/> </taa:rule> </taa:rule-switch> </taa:routed> </cpl>
  • Page 360: Ldap Server Configuration For Device Authentication

    Installing the H.350 schemas After you have downloaded the H.350 schemas, install them as follows: Open a command prompt and for each file execute the following command: ldifde -i -c DC=X <ldap_base> -f filename.ldf
  • Page 361 For information about what happens when an alias is not in the LDAP database see Source of aliases for registration in the Using an H.350 directory service lookup via LDAP section.
  • Page 362: Configuring An Openldap Server

    2. Edit /etc/openldap/slapd.conf to add the new schemas. You need to add the following lines: include /etc/openldap/schemas/commobject.ldif include /etc/openldap/schemas/h323identity.ldif include /etc/openldap/schemas/h235identity.ldif include /etc/openldap/schemas/sipidentity.ldif The OpenLDAP daemon (slapd) must be restarted for the new schemas to take effect.
  • Page 363 For information about what happens when an alias is not in the LDAP database see Source of aliases for registration in the Using an H.350 directory service lookup via LDAP section.
  • Page 364: Securing With Tls

    To configure the VCS to use TLS on the connection to the LDAP server you must upload the CA’s certificate as a trusted CA certificate. This can be done on the VCS by going to: Maintenance > Certificate management > Trusted CA certificate.
  • Page 365: Dns Configuration Examples

    BIND is a commonly used DNS server on UNIX and Linux systems. Configuration is based around two sets of text files: named.conf which describes which zones are represented by the server, and a selection of zone files which describe the detail of each zone.
  • Page 366 For more details of how to configure BIND servers and the DNS system in general see the publication DNS and BIND.
  • Page 367: Changing The Default Ssh Key

    VCS has changed. Please follow the appropriate process for your SSH client to suppress this warning. If your VCS is subsequently downgraded to an earlier version of VCS firmware, the default SSH keys will be restored.
  • Page 368: Restoring Default Configuration

    Keep ssh keys [YES/NO]? Keep ssl certificates and keys Keep root and admin passwords [YES/NO]? Save log files [YES/NO]? Replace hard disk [YES/NO]? 4. Finally, confirm that you want to proceed.
  • Page 369: Password Security

    SHA512; other passwords are stored in an encrypted format when a password is encrypted and stored, it uses more characters than the original plain text version of the password
  • Page 370: Pattern Matching Variables

    2 IPv4 address. Applies to all peer addresses if the VCS is part of a cluster. If the VCS is part of a cluster, the address of the local peer is always used.
  • Page 371 VCS’s System Name. You can test whether a pattern matches a particular alias and is transformed in the expected way by using the Check pattern tool (Maintenance > Tools > Check pattern).
  • Page 372: Port Reference

    Also used to replicate FindMe data if the VCS is part of a cluster with FindMe enabled and is using the legacy TMS Agent database. Reserved for future use inbound configurable
  • Page 373 Used on the VCS 2776 UDP inbound 1024 - 65534 VCS configuration > demultiplexing RTP Expressway for outbound Expressway > Ports demultiplexing xConfiguration RTP media. Traversal Server Media Demultiplexing RTP Port
  • Page 374 Configuration xConfiguration SIP UDP Port SIP TCP Listens for 5060 TCP inbound 1024 - 65534 VCS configuration > incoming SIP TCP Protocols > SIP > calls. Configuration xConfiguration SIP TCP Port
  • Page 375 VCS configuration > range used by outbound 29999 Protocols > SIP > TCP/TLS SIP Configuration connections to a xConfiguration SIP remote SIP device. TCP Outbound Port Start xConfiguration SIP TCP Outbound Port
  • Page 376 TMS Agent (legacy Used to connect to uses a TCP source port from the mode) another VCS or ephemeral range TMS for data replication.
  • Page 377 Service Domain Controller for account authentication. Note that the range of ephemeral ports can be configured by using the CLI commands xConfiguration IP Ephemeral PortRange Start and xConfiguration IP Ephemeral PortRange End.
  • Page 378: Regular Expressions

    \1\2\3 would transform it to js@example.com Matches against one expression or an .*@example.(net|com) matches against any URI for alternate expression. the domain example.com or the domain example.net
  • Page 379 .*(?<!net) matches any string that does not end with subexpression that must not be present. Note that regex comparisons are not case sensitive. For an example of regular expression usage, see the CPL examples section.
  • Page 380: Supported Characters

    Administrator user groups Case sensitivity Text items entered through the CLI and web interface are case insensitive. The only exceptions are passwords and local administrator account names which are case sensitive.
  • Page 381: Tms Agent (Legacy)

    TMS and also across to other VCS clusters managed by the same TMS. Note that the FindMe option key must be installed on the VCS. Device Provisioning
  • Page 382 Note that if your VCS is subsequently reconfigured to use TMS, the password must first be reset to the default value of TANDBERG. See the TMS Agent passwords section for full instructions on changing passwords.
  • Page 383: Tms Agent Passwords

    3. Type exit to log out of the root account. To change the password for the TMS Agent replication account: 1. From the CLI, logged in as root, type tmsagent_replication_passwd. You are asked for the new password.
  • Page 384 3. Type exit to log out of the root account. Note: if your VCS is subsequently reconfigured to use TMS, the password must first be reset to the default value of TANDBERG.
  • Page 385: What Are Traversal Calls

    (in this situation, the call will remain a non-traversal call — the VCS Expressway will not take the media, even though it is using a traversal license).
  • Page 386: Alarms

    The system is shutting down, Alert busy or starting 15008 Failed to load The database failed to load; Restore system data from backup Warning database some configuration data has been lost
  • Page 387 Error failed was detected in <module> 15012 Language pack Some text labels may not be Contact your Cisco representative to see Warning mismatch translated if an up-to-date language pack is available 15013 Factory reset Factory reset failed...
  • Page 388 25002 Date and time The system is unable to obtain Check the time configuration Warning not validated the correct time and date from an NTP server
  • Page 389 IPv6, but the VCS does not have any IPv6 addresses defined 25015 Restart required SSH service has been Restart the system Warning changed, however a restart is required for this to take effect
  • Page 390 30008 Invalid release The release key is not valid; if Add/Remove option keys Warning you do not have a valid key, contact your Cisco support representative
  • Page 391 <details>. 30018 Provisioning The number of concurrently Provisioning limits are set by Cisco TMS; Warning licenses limit provisioned devices has contact your Cisco representative if you reached reached the licensed limit require more licenses
  • Page 392 You have reached your If the problem persists, contact your Warning reached license limit of <n> concurrent Cisco representative to buy more call non-traversal call licenses licenses 30020 Call license limit You have reached your If the problem persists, contact your...
  • Page 393 If the problem persists, contact your Warning for CRL automatic updates Cisco representative 40008 Security alert The SSH service is using the View instructions on replacing the default Warning default key SSH key
  • Page 394 40019 External You are recommended to Configure external manager Warning manager has enable external manager certificate certificate checking when in checking advanced account security disabled mode
  • Page 395 40031 Security alert Unable to restore previous Check your firewall rules configuration, Warning firewall configuration fix any rejected rules, activate and accept the rules; if the problem persists, contact your Cisco representative
  • Page 396 Set authentication policy to either 'Check Warning warning correctly, authentication policy credentials' or 'Treat as authenticated' for must be enabled on the each relevant zone Default Zone and any other relevant zone that receives provisioning requests
  • Page 397 Default Subzone required for encryption. 55001 B2BUA service Some B2BUA service specific Restart the B2BUA service Warning restart required configuration has changed, however a restart is required for this to take effect
  • Page 398 (transcoder Warning misconfiguration transcoder communications is settings) misconfigured 55018 B2BUA Transcoder address and/or Check B2BUA configuration (transcoder Warning misconfiguration port details are misconfigured settings) and the configured addresses of trusted hosts
  • Page 399 Configure at least one OCS/Lync trusted Warning misconfiguration devices have been configured host device 55034 B2BUA No transcoder trusted hosts Configure at least one transcoder trusted Warning misconfiguration have been configured host
  • Page 400 Warning misconfiguration contact address persists, contact your Cisco representative 55111 B2BUA Invalid B side encryption mode Restart the service; if the problem Warning misconfiguration persists, contact your Cisco representative
  • Page 401 Warning misconfiguration configuration persists, contact your Cisco representative 55126 B2BUA Invalid VCS authorized host IP Restart the service; if the problem Warning misconfiguration address persists, contact your Cisco representative
  • Page 402 B2BUA trusted hosts impact performance, or in page and then restart the B2BUA service extreme cases it may prevent calls from accessing enough network resources to connect
  • Page 403: Command Reference - Xconfiguration

    For example IP Route [1..50] Address <S: 0,39> means that up to 50 IP routes can be specified with each route requiring an address of up to 39 characters in length. xConfiguration commands All of the available xConfiguration commands are listed in the table below:
  • Page 404 Administration Telnet Mode: <On/Off> Determines whether the VCS can be accessed via Telnet. You must restart the system for any changes to take effect. Default: Off Example: xConfiguration Administration Telnet Mode: Off
  • Page 405 Example: Applications ConferenceFactory Template: "563%%@example.com" Applications External Status [1..10] Filename: <S:0,255> XML file containing status that is to be attached for an external application. Example: xConfiguration Applications External Status 1 Filename: "foo.xml"
  • Page 406 Enables and disables the SIMPLE Presence User Agent (PUA). The PUA provides presence information on behalf of registered endpoints. SIP mode must also be enabled for the PUA to function. Default: Off Example: xConfiguration Applications Presence User Agent Mode: Off
  • Page 407 Authentication ADS KDC [1..5] Port: <1..65534> Specifies the port of a KDC that can be used when the VCS joins the AD domain. Default: 88 Example: xConfiguration Authentication ADS KDC 1 Port: 88
  • Page 408 Sets the bandwidth (in kbps) to be used on calls managed by the VCS in cases where no bandwidth has been specified by the endpoint. Default: 384 Example: xConfiguration Bandwidth Default: 384
  • Page 409 Determines whether or not this pipe is limiting the bandwidth of individual calls. NoBandwidth: no bandwidth available. No calls can be made on this pipe. Default: Unlimited Example: xConfiguration Bandwidth Pipe 1 Bandwidth PerCall Mode: Limited
  • Page 410 Specifies the alias to which incoming calls are placed for calls where the IP address or domain name of the VCS has been given but no callee alias has been specified. Example: xConfiguration Call Services Fallback Alias: "reception@example.com"
  • Page 411 Sets the URL of the external manager. Default: tms/public/external/management/SystemManagementService.asmx Example: xConfiguration ExternalManager Path: "tms/public/external/management/SystemManagementService.asmx" ExternalManager Protocol: <HTTP/HTTPS> The protocol used to connect to the external manager. Default: HTTPS Example: xConfiguration ExternalManager Protocol: HTTPS
  • Page 412 Example: xConfiguration H323 Gatekeeper Registration ConflictMode: Reject H323 Gatekeeper Registration UDP Port: <1024..65534> Specifies the port to be used for H.323 UDP registrations. Default: 1719 Example: xConfiguration H323 Gatekeeper Registration UDP Port: 1719
  • Page 413 On: the VCS will act as SIP-H.323 gateway regardless of whether the endpoints are locally registered. RegisteredOnly: the VCS will act as a SIP-H.323 gateway but only if at least one of the endpoints is locally registered. Default: RegisteredOnly Example: xConfiguration Interworking Mode: RegisteredOnly
  • Page 414 Example: xConfiguration IP External Interface: LAN1 IP Gateway: <S: 7,15> Specifies the IPv4 gateway of the VCS. Note: you must restart the system for any changes to take effect. Default: 127.0.0.1 Example: xConfiguration IP Gateway: "192.168.127.0"
  • Page 415 Example: xConfiguration IP Route 1 PrefixLength: 16 IP V6 Gateway: <S: 0, 39> Specifies the IPv6 gateway of the VCS. You must restart the system for any changes to take effect. Example: xConfiguration IP V6 Gateway: "3dda:80bb:6::9:144"
  • Page 416 Sets the SASL (Simple Authentication and Security Layer) mechanism to use when binding to the LDAP server. None: no mechanism is used. DIGEST-MD5: The DIGEST-MD5 mechanism is used. Default: DIGEST-MD5 Example: xConfiguration Login Remote LDAP SASL: DIGEST-MD5
  • Page 417 Specifies the option key of your software option. These are added to the VCS in order to add extra functionality, such as increasing the VCS’s capacity. Contact your TANDBERG representative for further information. Example: xConfiguration Option 1 Key: "1X4757T5-1-60BAD5CD"
  • Page 418 Controls certificate revocation list checking of the certificate supplied by the policy service. When enabled, the server's X.509 certificate will be checked against the revocation list of the certificate authority of the certificate. Default: Off Example: xConfiguration Policy AdministratorPolicy Service TLS CRLCheck Mode: Off
  • Page 419 Policy FindMe Server UserName: <S: 0, 30> Specifies the user name used by the VCS to log in and query the remote FindMe Manager. Example: xConfiguration Policy FindMe Server UserName: "user123"
  • Page 420 Example: xConfiguration Policy Services Service 1 Server 1 Address: "192.168.0.0" Policy Services Service [1..20] Status Path: <S: 0..255> Specifies the path for obtaining the remote service status. Default: status Example: xConfiguration Policy Services Service 1 Status Path: status
  • Page 421 Specifies an entry to be added to the Deny List. If one of an endpoint’s aliases matches one of the patterns in the Deny List, the registration will not be permitted. Example: xConfiguration Registration DenyList 1 Pattern String: "john.jones@example.com"
  • Page 422 Registration RestrictionPolicy Service Server [1..3] Address: <S: 0,128> Specifies the IP address or Fully Qualified Domain Name (FQDN) of the remote service. Example: xConfiguration Registration RestrictionPolicy Service Server 1 Address: "192.168.0.0" Cisco VCS Administrator Guide (X7.2) Page 422 of 498...
  • Page 423 Services AdvancedMediaGateway Policy Rules Rule [1..200] Description: <S: 0,64> A free-form description of the Advanced Media Gateway policy rule. Example: xConfiguration Services AdvancedMediaGateway Policy Rules Rule 1 Description: "Deny all calls to branch office" Cisco VCS Administrator Guide (X7.2) Page 423 of 498...
  • Page 424 Example: xConfiguration SIP Authentication Digest Nonce ExpireDelta: 300 SIP Authentication Digest Nonce Length: <32..512> Length of nonce or cnonce to generate for use in SIP Digest authentication. Default: 60 Example: xConfiguration SIP Authentication Digest Nonce Length: 60 Cisco VCS Administrator Guide (X7.2) Page 424 of 498...
  • Page 425 An example valid domain name is "100.example-name.com". Example: xConfiguration SIP Domains Domain 1 Name: "100.example-name.com" SIP GRUU Mode: <On/Off> Controls whether GRUU (RFC5627) support is active. Default: On Example: xConfiguration SIP GRUU Mode: On
  • Page 426 Variable: generates a random value between the configured minimum refresh value and the lesser of the configured maximum refresh value and the value requested in the registration. Default: Variable Example: xConfiguration SIP Registration Outbound Refresh Strategy: Variable
  • Page 427 Specifies the IP address of the next hop for this route, where matching SIP requests will be forwarded. Note: this command is intended for developer use only. Example: xConfiguration SIP Routes Route 1 Address: "127.0.0.1"
  • Page 428 Determines which transport type will be used for SIP messages forwarded along this route. Default: TCP Note: this command is intended for developer use only. Example: xConfiguration SIP Routes Route 1 Transport: TCP
  • Page 429 SIP TLS Certificate Revocation Checking CRL Network Fetch Mode: <On/Off> Controls whether the download of CRLs from the CDP URIs contained in X.509 certificates is allowed. Default: On Example: xConfiguration SIP TLS Certificate Revocation Checking CRL Network Fetch Mode:
  • Page 430 SystemUnit Maintenance Mode: <On/Off> Sets the VCS into maintenance mode. New calls and registrations are disallowed and existing registrations are allowed to expire. Default: Off Example: xConfiguration SystemUnit Maintenance Mode: Off
  • Page 431 Default: 1 Example: xConfiguration Transform 1 Priority: 10 Transform [1..100] State: <Enabled/Disabled> Indicates if the transform is enabled or disabled. Disabled transforms are ignored. Example: xConfiguration Transform 1 State: Enabled
  • Page 432 Example: xConfiguration Traversal Server TURN Authentication Realm: "TANDBERG" Traversal Server TURN Media Port End: <1024..65534> The upper port in the range used for TURN relays. Default: 61799 Example: xConfiguration Traversal Server TURN Media Port End: 61799
  • Page 433 VCS. If enabled, the certificate hostname (also known as the Common Name) is checked against the patterns specified in the Default Zone access rules. Default: Off Example: xConfiguration Zones DefaultZone SIP TLS Verify Mode: Off
  • Page 434 Determines whether the Default Subzone has a limit on the total bandwidth being used by its endpoints at any one time. NoBandwidth: no bandwidth available. No calls can be made to, from, or within the Default Subzone. Default: Unlimited Example: xConfiguration Zones LocalZone DefaultSubZone Bandwidth Total Mode: Limited
  • Page 435 If multiple Subnet rules have the same priority the rule with the largest prefix length is applied first. Alias Pattern Match rules at the same priority are searched in configuration order. Default: 100 Example: xConfiguration Zones LocalZone SubZones MembershipRules Rule 1 Priority: 100
  • Page 436 Specifies the bandwidth limit (in kbps) on any one call to or from an endpoint in this subzone (applies only if Mode is set to Limited). Default: 1920 Example: xConfiguration Zones LocalZone SubZones SubZone 1 Bandwidth PerCall Inter Limit: 1920
  • Page 437 Example: xConfiguration Zones LocalZone SubZones SubZone 1 Name: "BranchOffice" Zones LocalZone SubZones SubZone [1..1000] Registrations: <Allow/Deny> Controls whether registrations assigned to this subzone are accepted. Default: Allow Example: xConfiguration Zones LocalZone SubZones SubZone 1 Registrations: Allow
  • Page 438 Sets the number of times traversal-enabled endpoints registered directly with the VCS will attempt to send a TCP probe to the VCS. Default: 5 Example: xConfiguration Zones LocalZone Traversal H323 TCPProbe RetryCount: 5
  • Page 439 Determines whether or not there is a limit to the total bandwidth of all traversal calls being handled by the VCS. NoBandwidth: no bandwidth available. No traversal calls can be made. Default: Unlimited Example: xConfiguration Zones LocalZone TraversalSubZone Bandwidth Total Mode: Limited
  • Page 440 Zones Policy SearchRules Rule [1..2000] Pattern String: <S: 0,60> The pattern against which the alias is compared. (Applies to Alias Pattern Match mode only.) Example: xConfiguration Zones Policy SearchRules Rule 1 Pattern String: "@example.com"
  • Page 441 Zones Policy SearchRules Rule [1..2000] State: <Enabled/Disabled> Indicates if the search rule is enabled or disabled. Disabled search rules are ignored. Default: Enabled Example: xConfiguration Zones Policy SearchRules Rule 1 State: Enabled
  • Page 442 Zones Zone [1..1000] DNS Interworking SIP Video DefaultResolution: <None/QCIF/CIF/4CIF/SIF/4SIF/VGA/SVGA/XGA> Specifies which video resolution to use when empty INVITEs are not allowed. Default: CIF Example: xConfiguration Zones Zone 1 DNS Interworking SIP Video DefaultResolution: CIF
  • Page 443 On: the length will be truncated to the maximum length specified by the SIP SDP attribute line limit length setting. Off: the length will not be truncated. Example: xConfiguration Zones Zone 1 DNS SIP SDP Attribute Line Limit Mode: Off
  • Page 444 Specifies the DNS zone to be appended to the transformed E.164 number to create an ENUM host name which this zone is then queried for. Example: xConfiguration Zones Zone 2 ENUM DNSSuffix: "e164.arpa"
  • Page 445 Off: an LRQ message will be sent to the zone. On: searches will be responded to automatically, without being forwarded to the zone. Default: Off Example: xConfiguration Zones Zone 3 Neighbor H323 SearchAutoResponse: Off
  • Page 446 Zones Zone [1..1000] Neighbor Interworking SIP Video DefaultResolution: <None/QCIF/CIF/4CIF/SIF/4SIF/VGA/SVGA/XGA> Specifies which video resolution to use when empty INVITEs are not allowed. Default: CIF Example: xConfiguration Zones Zone 3 Neighbor Interworking SIP Video DefaultResolution:
  • Page 447 On: the second video line in any outgoing INVITE request is removed. Off: INVITE requests are not modified. Default: Off Example: xConfiguration Zones Zone 3 Neighbor SIP Duo Video Filter Mode: Off
  • Page 448 Zones Zone [1..1000] Neighbor SIP Port: <1024..65534> Specifies the port on the neighbor to be used for SIP calls to and from this VCS. Default: 5061 Example: xConfiguration Zones Zone 3 Neighbor SIP Port: 5061
  • Page 449 Zones Zone [1..1000] Neighbor SIP Transport: <UDP/TCP/TLS> Determines which transport type will be used for SIP calls to and from this neighbor. Default: TLS Example: xConfiguration Zones Zone 3 Neighbor SIP Transport: TLS
  • Page 450 SIP messages that originate from non-local domains. See the Administrator Guide for full details about each of the Authentication Policy options. Default: DoNotCheckCredentials Example: xConfiguration Zones Zone 4 TraversalClient Authentication Mode: DoNotCheckCredentials
  • Page 451 Off: All media must be unencrypted. BestEffort: Use encryption if available otherwise fallback to unencrypted media. Auto: No media encryption policy is applied. Default: Auto Example: xConfiguration Zones Zone 4 TraversalClient SIP Media Encryption Mode: Auto
  • Page 452 VCS, this must be the VCS’s authentication user name. If the traversal client is a gatekeeper, this must be the gatekeeper’s System Name. For other types of traversal clients, refer to the VCS Admin Guide for further information. Example: xConfiguration Zones Zone 5 TraversalServer Authentication UserName: "User123"
  • Page 453 Specifies the port on the VCS being used for SIP firewall traversal from this traversal client. Default: 7001, incrementing by 1 for each new zone. Example: xConfiguration Zones Zone 5 TraversalServer SIP Port: 5061
  • Page 454 Zones Zone [1..1000] TraversalServer UDPProbe RetryCount: <1..65534> Sets the number of times the traversal client will attempt to send a UDP probe to the VCS. Default: 5 Example: xConfiguration Zones Zone 5 TraversalServer UDPProbe RetryCount: 5
  • Page 455 TraversalServer: there is a firewall between the zones and the local VCS is a traversal server for the new zone. ENUM: the new zone contains endpoints discoverable by ENUM lookup. DNS: the new zone contains endpoints discoverable by DNS lookup. Example: xConfiguration Zones Zone 3 Type: Neighbor
  • Page 456: Command Reference - Xcommand

    Assigns a name to this Advanced Media Gateway policy rule. Description: <S: 0,64> A free-form description of the membership rule. Example: xCommand AMGWPolicyRuleAdd Name: "Deny branch calls" Description: "Deny all calls to branch office"
  • Page 457 Specifies the port of a KDC that can be used when the VCS joins the AD domain. Default: 88 Example: xCommand AdsKdcAdd KerberosKDCAddress: "192.168.0.0" KerberosKDCPort: 88 AdsKdcDelete Deletes a configured Kerberos KDC. KerberosKDCId(r): <1..5> The index of the Kerberos KDC to be deleted. Example: xCommand AdsKdcDelete KerberosKDCId: 1
  • Page 458 The requested bandwidth of the call (in kbps). CallType(r): <Traversal/NonTraversal> Whether the call type is Traversal or Non-traversal. Example: xCommand CheckBandwidth Node1: "DefaultSubzone" Node2: "UK Sales Office" Bandwidth: 512 CallType: nontraversal
  • Page 459 Example: xCommand DenyListAdd PatternString: "sally.jones@example.com" PatternType: exact Description: "Deny Sally Jones" DenyListDelete Deletes an entry from the Deny List. DenyListId(r): <1..2500> The index of the entry to be deleted. Example: xCommand DenyListDelete DenyListId: 2
  • Page 460 Descriptive name for the external application whose status is being referenced. Example: xCommand ExtAppStatusDelete Name: foo FeedbackDeregister Deactivates a particular feedback request. ID: <1..3> The index of the feedback request to be deactivated. Example: xCommand FeedbackDeregister ID: 1
  • Page 461 Specifies the first pipe to be associated with this link. Pipe2: <S: 1, 50> Specifies the second pipe to be associated with this link. Example: xCommand LinkAdd LinkName: "Subzone1 to UK" Node1: "Subzone1" Node2: "UK Sales Office" Pipe1: "512Kb ASDL"
  • Page 462 OptionKeyAdd Adds a new option key to the VCS. These are added to the VCS in order to add extra functionality, such as increasing the VCS's capacity. Contact your Cisco representative for further information. Key(r): <S: 0, 90> Specifies the option key of your software option.
  • Page 463 Example: xCommand PipeAdd PipeName: "512k ADSL" TotalMode: Limited Total: 512 PerCallMode: Limited PerCall: 128 PipeDelete Deletes a pipe. PipeId(r): <1..1000> The index of the pipe to be deleted. Example: xCommand PipeDelete PipeId: 2
  • Page 464 "service" StatusPath: "status" UserName: "user123" Password: "password123" DefaultCPL: "<reject status='403' reason='Service Unavailable'/>" PolicyServiceDelete Deletes a policy service. PolicyServiceId(r): <1..20> The index of the policy service to be deleted. Example: xCommand PolicyServiceDelete PolicyServiceId: 1
  • Page 465 The zone or policy service to query if the alias matches the search rule. Description: <S: 0, 64> A free-form description of the search rule. Example: xCommand SearchRuleAdd Name: "DNS lookup" ZoneName: "Sales Office" Description: "Send query to the DNS zone"
  • Page 466 The index of the SIP route to be deleted. Tag: <S:0, 64> Tag value specified by external applications to uniquely identify routes that they create. Example: xCommand SIPRouteDelete SipRouteId: Tag: "Tag1"
  • Page 467 The subzone to which an endpoint is assigned if its address satisfies this rule. Description: <S: 0, 64> A free-form description of the membership rule. Example: xCommand SubZoneMembershipRuleAdd Name: "Home Workers" Type: Subnet SubZoneName: "Home Workers" Description: "Staff working at home"
  • Page 468 The index of the transform to be deleted. Example: xCommand TransformDelete TransformId: 2 WarningAcknowledge Acknowledges an existing warning. Note: this command is intended for developer use only. WarningID(r): <S:36, 36> The warning ID Example: xCommand WarningAcknowledge WarningID: "ab3d63f6-c0bb-4a9c-a121-e683abfedff0"
  • Page 469 Note that this command does not change any existing system configuration. Alias(r): <S: 1, 60> The alias to be searched for. Example: xCommand ZoneList Alias: "john.smith@example.com"
  • Page 470: Command Reference - Xstatus

    The current xStatus elements are: Alternates Applications Calls Ethernet ExternalManager Feedback FindMeManager H323 LDAP Links Loggers Options Pipes Policy Registrations ResourceUsage SystemUnit TURN Zones Each element has the sub-elements as described below: Alternates
  • Page 471 Count: <0..10000> Max: <0..10000> Presentity [1..10000]: URI: <S: 1,255> Subscriber: Count: <1..100> ConferenceFactory: Status: <Inactive/Initializing/Active/Failed> NextAlias: <0.. 4294967295> External Status: Relay: Registrations: Count: <1..2500> Subscriptions: Count: <1..2500> User 1: Alias: <S: 1,255>
  • Page 472 CheckCode: <S: 1,60> {visible if Leg = H323 and call is interworked} Targets: Target [1..1]: Type: <E164/H323Id/URL> Origin: <S: 1,255> Value: <S: 1,60> BandwidthNode: <S: 1,50 Node name> Registration: ID: <1..2500> SerialNumber: <S: 1,255>
  • Page 473 Lost: <0.. 4294967295> OutOfOrder: <0.. 4294967295> Jitter: <0.. 4294967295> Incoming: Leg: <1..300> Outgoing: Leg: <1..300> Ethernet Ethernet [1..2]: MacAddress: <S: 17> Speed: <10half/10full/100half/100full/1000full/down> IPv4: Address: <IPv4Addr> SubnetMask: <IPv4Addr> IPv6: Address: <IPv6Addr> External Manager
  • Page 474 Address: <IPv4Addr> {1..2 entries} IPv6: {Visible if Status=Active} Address: <IPv6Addr> {1..2 entries} H46018: CallSignaling: Status: <Active/Inactive/Failed> IPv4: {Visible if Status=Active} Address: <IPv4Addr> {1..2 entries} IPv6: {Visible if Status=Active} Address: <IPv6Addr> {1..2 entries}
  • Page 475 LocalUsage: <0..100000000> ClusterUsage: <0..100000000> Calls: Call [0..900]: {0..900 entries} CallSerialNumber: <S: 1,255> Loggers Loggers Logger [1..6] Module: TraceLevel: Options Options: Option [1-64]: Key: <S: 1, 90> Description: <S: 1, 128> Pipes
  • Page 476 Address: <IPv4Addr/[IPv6Addr]>:<1..65534> RASAddresses: Address: <IPv4Addr/[IPv6Addr]>:<1..65534> Apparent: <IPv4Addr/[IPv6Addr]>:<1..65534> Prefix: <S: 1,20> {0..50 entries} Aliases: Alias [1..50]: Type: <E164/H323Id/URL/Email/GW Prefix/MCU Prefix/Prefix/Suffix/IPAddress> Origin: <Endpoint/LDAP/Combined> Value: <S: 1,60> Traversal: <Assent/H46018> {visible for Traversal registration} OutOfResources: <True/False>
  • Page 477 SIP: Ethernet [1..2] IPv4: UDP: Status: <Active/Inactive/Failed> Address: <IPv4Addr> TCP: Status: <Active/Inactive/Failed> Address: <IPv4Addr> TLS: Status: <Active/Inactive/Failed> Address: <IPv4Addr> IPv6: UDP: Status: <Active/Inactive/Failed> Address: <IPv6Addr> TCP: Status: <Active/Inactive/Failed> Address: <IPv6Addr> TLS:
  • Page 478 TURN: Server: Status: <Active/Inactive> Interface [1..2]: Address: <IPv4Addr/IPv6Addr> Relays: Count: <0..1400> Relay [1..1400]: Address: <IPv4Addr/IPv6Addr> Client: Address: <IPv4Addr/IPv6Addr> CreationTime: <Date Time> ExpireTime: <Date Time> Permissions: Count: <0..65535> Permission [0..65535]: Address: <IPv4Addr/IPv6Addr>
  • Page 479 NoPermission: <0..65535> InvalidType: <0..65535> FilterFailure: <0..65535> NoChannel: <0..65535> NoPermission: <0..65535> InvalidType: <0..65535> FilterFailure: <0..65535> Zones Zones: DefaultZone: Name: “DefaultZone” Bandwidth: LocalUsage: <0..100000000> ClusterUsage: <0..100000000> Calls: {visible only if there are calls}
  • Page 480 Status: <Active/Failed/Warning> Cause: {Visible if status is Failed or Warning} <System unreachable/ Systems unreachable> Type: <Neighbor/TraversalClient/TraversalServer/ENUM/DNS> Neighbor: {Visible if Type is Neighbor} Peer [1..6]: H323: {visible if H323 Mode=On for Zone}
  • Page 481 SIP: {visible if SIP Mode=On for Zone} Status: Active Address: <IPv4Addr/IPv6Addr> {One Address line per address from DNS lookup} Port: <1..65534> LastStatusChange: <Time not set/Date Time> Calls: {0..900 entries} Call [0..900]: CallID: <S: 1,255>
  • Page 482: About Policy Services

    Policy service request parameters When the Cisco VCS uses a policy service it sends information about the call or registration request to the service in a POST message using a set of name-value pair parameters. The service can then make decisions based upon these parameters combined with its own policy decision logic and supporting data (for example lists of aliases that are allowed to register or make and receive calls, via external data lookups such as an LDAP database or other information sources).
  • Page 483 The service response must be a 200 OK message with CPL contained in the body. Cryptography support External policy servers should support TLS and AES-256/AES-128/3DES-168. SHA-1 is required for MAC and Diffie-Hellman / Elliptic Curve Diffie-Hellman key exchange; the VCS does not support MD5.
  • Page 484: Flash Status Word Reference Table

    Autokey sequence error 0100 TEST9 pkt_crypto Autokey protocol error 0200 TEST10 peer_stratum invalid header or stratum 0400 TEST11 peer_dist distance threshold exceeded 0800 TEST12 peer_loop synchronization loop 1000 TEST13 peer_unreach unreachable or nonselect
  • Page 485: Bibliography

    ITU Specification: H.350 Directory services architecture for http://www.itu.int/rec/T-REC-H.350/en multimedia conferencing Management Information Base for Network Management of http://tools.ietf.org/html/rfc1213 TCP/IP-based internets: MIB-II Microsoft Lync 2010, Cisco AM GW and VCS deployment D14652 www.cisco.com guide Microsoft Lync 2010 and VCS deployment guide D14269 www.cisco.com...
  • Page 486 Traversal Using Relays around NAT (TURN): Relay http://tools.ietf.org/html/rfc5766 Extensions to Session Traversal Utilities for NAT (STUN) VCS Administrator Guide (this document) D14049 www.cisco.com VCS and Cisco Unity Connection Voicemail Integration D14809 www.cisco.com deployment guide VCS Cluster creation and maintenance deployment guide D14367 www.cisco.com...
  • Page 487 Reference material Title Reference Link VCS Virtual Machine deployment guide D14951 www.cisco.com
  • Page 488: Glossary

    Cisco TMS A Cisco product used for the management of video networks. Cisco TelePresence Management Suite Cisco VCS A generic term for the Cisco product which acts as a gatekeeper and SIP proxy/server. Cisco TelePresence Video Communication Server Cisco VCS Control A VCS whose main function is to act as a gatekeeper, SIP proxy and firewall traversal client.
  • Page 489 The act of crossing a firewall or NAT device. FindMe™ Cisco TelePresence FindMe is a User Policy feature that allows users to have a single alias on which they can be reached regardless of the endpoints they are currently using.
  • Page 490 2460. Internet Protocol version A request sent to an endpoint requesting information about its status. Information Request A geographically limited computer network, usually with a high bandwidth throughput. Local Area Network
  • Page 491 The MOC client can be used for instant messaging, presence, voice and video calls client and ad hoc conferences. Multiway Cisco TelePresence Multiway enables endpoint users to create a conference while in a call even if their endpoint does not have this functionality built in. See the Conference Factory section for more information.
  • Page 492 An encrypted protocol used to provide a secure CLI. Secure Shell SIMPLE An instant messaging and presence protocol based on SIP. Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions
  • Page 493 Traversal-enabled Any endpoint that supports the Assent and/or ITU H.460.18 and H.460.19 standards endpoint for firewall traversal. This includes all Cisco TelePresence MXP endpoints. TURN Relay extensions to STUN (Session Traversal Utilities for NAT). Traversal Using Relays around NAT
  • Page 494 VCS has a neighbor, traversal client or traversal server relationship, and to configure the way in which the VCS performs ENUM and DNS searches.
  • Page 495: Accessibility Notice

    Reference material Accessibility notice Cisco is committed to designing and delivering accessible products and technologies. The Voluntary Product Accessibility Template (VPAT) for Cisco TelePresence Video Communication Server is available here: http://www.cisco.com/web/about/responsibility/accessibility/legal_regulatory/vpats.html#telepresence
  • Page 496: Legal Notices

    This product is Copyright © 2012, Tandberg Telecom UK Limited. All rights reserved. TANDBERG is now part of Cisco. Tandberg Telecom UK Limited is a wholly owned subsidiary of Cisco Systems, Inc. The terms and conditions of use can be found at: http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/license_info/Cisco_VCS_EULA.pdf.
  • Page 497: Patent Information

    MPEG LA prior to any use of AVC/H.264 encoders and/or decoders. Patent information This product is covered by one or more of the following patents: US7,512,708 EP1305927 EP1338127 A complete list of patents is available at: http://www.tandberg.com/tandberg_pm.jsp.
  • Page 498 MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners.
