05-24-2012 02:00 PM - edited 03-17-2019 11:13 PM
I want to restrict both incoming and outgoing calls to only specific devices. I have created call policies that seem to work as long as the endpoint is registered with the VCS; however, if the endpoint is not registered, it simply passes the call despite the call policy. What am I doing wrong? I can't list my rules as the source and destination names are confidential; however, I did attempt to create a generic catch-all policy like this.
Source: .* Destination: .*. Reject
If I understand this correctly, that should mean that any source trying to call any destination would be rejected if not specifically covered by a higher-priority rule, correct?
05-24-2012 02:35 PM
Did you check in the configuration - dial plan - configuration if it is off?
05-25-2012 01:03 AM
Norm,
you shouldn't have a second dot in your destination regex (You have .*.), you should simply use .* for both source and destination in your catch-all reject (Which should be the bottom rule on your VCS).
- Andreas
05-25-2012 04:49 AM
Hi Norm,
I've seen this issue before.... well on X6.1 if you put .* for the source it doesn't match everything all the time.
If you leave the source blank (represents an unauthenticated user) this usually works.
Thanks
Pinkesh
05-25-2012 06:14 AM
Andreas,
I have corrected the destination string and made it (.*) however I am still able to call my endpoints from an unregistered device at my desk.
Pink,
I added another rule with source being blank, and destination being (.*), this also has not solved the problem.
In addition to these rules, I have specific rules in place allowing calls between the specific endpoints, and rules rejecting all unauthenticated endpoints from calling each of these endpoints, meaning Source is blank and Destination is the specific alias of every endpoint I want isolated. What else could I be missing?
05-25-2012 07:20 AM
Hi Norm,
what alias are you calling from the unregistered device?
Are calls from this device to said endpoints hitting the Default Zone on your VCS?
What is the authentication setting for the Default Zone on your VCS?
If you take a diagnostics log on the VCS (with Network Log level = DEBUG) and place a test call, you will see the CPL logic and decision-making in the diagnostic log. This should help you pinpoint the issue if you are able to interpret the contents of the log.
- Andreas
05-25-2012 07:42 AM
I am calling one of my registered aliases. Unfortunately, I can't post the actual name of it.
How can I tell if the calls are hitting the default zone?
The authentication policy is set to "Do not check credentials". Is this where it should be set?
I started a new log and placed a test call and then stopped the log. What am I looking for in the log?
05-25-2012 07:49 AM
Norm,
if you are calling a registered alias from an unregistered endpoint, I'm curious to know how the call actually makes it from the unregistered endpoint to the VCS. In what format is the alias which you are calling?
'Do not check credentials' is the recommended setting for the Default Zone, and means that the Source of this call will be blank as far as the CPL rule generator is concerned (Since the rule generator uses authenticated-origin for source).
In the log you are looking for lines containing 'network.cpl'. Perhaps you can send me the log via PM?
- Andreas
05-27-2012 03:07 AM
Hi!
First of all, it is not that hard to write a CPL file yourself. You can also check what the CPL file looks like after you have created entries with the wizard.
But I just tried it with x7 and it worked fine:
The CPL for this looks like:
Be aware that there is also an order of the rules, the first rule matching wins.
Regarding the question of how to check which zone the call came from: if you look at the search details in the call history of a call, you will see it under "zone":
...
05-29-2012 09:57 PM
If you are looking for call control on an unregistered endpoint, you may use CPL with “
Below is an example of the call process for a call from an unregistered endpoint/MCU.
xmlns:taa="http://www.tandberg.net/cpl-extensions"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
<address-switch field="registered-origin">
! reject the call from a non-registered device to a destination alias starting with 8
! redirect the call to the call reception endpoint (alias 0000) if the call is from a non-registered device to a destination alias starting with 9