Practical Configuration Of Authentication Policy - Cisco TelePresence Administrator's Manual

Practical configuration of authentication policy

VCS Control
The table below contains practical guidelines for configuring authentication policy on a VCS Control.
Authentication point
Default Zone
Default Subzone
Specific local subzones
Other subzones
Traversal zone
Neighbor zone
VCS Expressway
Ideally, VCS Expressway authentication policy, should follow exactly the same guidelines as for the VCS
Control. However if AD Direct or H.350 access is required, many security policies will not allow a device in a
DMZ access to those resources. Practicality therefore recommends that authentication is left to the VCS
Control.
Use registration allow and deny lists
outbound calls may only be made by authenticated users, ensure that all call requests are routed to the VCS
Control and it only forwards requests back that it can authenticate.
Cisco VCS Administrator Guide (X7.2)
Guideline
Use Check credentials.
Use Check credentials.
For known local subnets, to avoid having to configure all local endpoints with
credentials, use Treat as authenticated.
Although this is a practical solution, we recommend that no Treat as
authenticated subzones are used, and that every endpoint is populated with
appropriate and unique credentials and that Check credentials is used.
Use Check credentials.
Use Check credentials. Always check the credentials of requests coming from
the Expressway.
Use Do not check credentials and set SIP authentication trust mode to On.
to limit what can register to the Expressway. If it is required that
Device authentication
Page 110 of 498