Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
976
Views
0
Helpful
5
Replies

DNS calls from external systems via Expressway

Go to solution
Alexander Zykov
Level 1
Level 1

‎03-25-2014 11:12 PM - edited ‎03-18-2019 02:47 AM

Hello everybody.

I'm trying to close the ability to call from external systems (such like any SIP provider) to my subscribers via DNS zone. Now I don't have any restrictions for that, because traversal zone of Expressway passes all calls to VCS Control.
If I'm set "Source" from "Any" to "AllZones" in traversal zone, calls from external systems do not processing, but provisioning requests did not pass to VCS control, and registration on Expressway becomes impossible. How I can solve this problem?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Martin Koch
VIP Alumni
VIP Alumni
In response to Alexander Zykov

‎04-01-2014 05:49 PM

It would be two groups, your users which can authenticate and which would be allowed and then all the others. How I understood your first posting that would have worked.

Not sure how I have to interpret your new posting. If you need more specific call control,
please check the admin guide for the CPL. There you could specify which URIs can
call who or not. But thats a bit more like programming.

There is also the web "policy rules" but that would not really fit neither as it can
only map in between unauthenticated calls and specific authenticated uris.

 

Please remember to rate helpful responses and identify

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jens Didriksen
Level 9
Level 9

‎03-26-2014 12:16 AM

You should leave it as "Any", which is also the default. If need be, you can specify the protocol and have slightly different search rules and priorities for H.323 and SIP.

Take a look at the Admin guide applicable to the software version your are running: http://www.cisco.com/c/en/us/support/unified-communications/telepresence-video-communication-server-vcs/products-maintenance-guides-list.html

and also the VCS Basic Configuration (Control with Expressway) Deployment Guide relevant to the software version you have: http://www.cisco.com/c/en/us/support/unified-communications/telepresence-video-communication-server-vcs/products-installation-and-configuration-guides-list.html

for further information.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

 

 

 

Please rate replies and mark question(s) as "answered" if applicable.
0 Helpful

Go to solution
Martin Koch
VIP Alumni
VIP Alumni

‎03-27-2014 11:17 AM

Could you explain a bit what issues you have here?

 

Is it really DNS or is it some unwanted SIP/VoIP Scanning (like the typical 100@vcs) calls?

These typically go to the IP and depending on your search rules should not show even up on the VCS-C.

 

If this is a critical thing for you I would enable proper authentication. This would enable you to

provision and register the extneral clients and just reject all inbound calls which are not authenticated.

 

 

Please remember to rate helpful responses and identify

0 Helpful

Go to solution
Alexander Zykov
Level 1
Level 1
In response to Martin Koch

‎03-31-2014 02:28 AM

Martin, I don't have any SIP scanning (like 100@vcs etc).

With value "Any" in all options "Source" I call from external device to internal device myself: install SIP client on my smartphone, register on free SIP provider (sip2sip.info) and call to test@mydomain.ru (registered on Expressway or Control, no matter). Call was successfully.

I know, I can allow or reject calls to IP address. That is another thing.

I want have opportunity to reject all external calls excluding those, that I specify. For example: calls from user@provider1.ru, aaa@provider2.ru should allows. Other should be rejected. Subscribers user@provider1.ru, aaa@provider2.ru can't register on my Expressway. How I can authenticate calls from external systems? In "Default Zone" and "Default Subzone" I have value "Check credentials" in option "Authentication policy", but this applies only to registrations.

0 Helpful

Go to solution
Martin Koch
VIP Alumni
VIP Alumni
In response to Alexander Zykov

‎04-01-2014 05:49 PM

It would be two groups, your users which can authenticate and which would be allowed and then all the others. How I understood your first posting that would have worked.

Not sure how I have to interpret your new posting. If you need more specific call control,
please check the admin guide for the CPL. There you could specify which URIs can
call who or not. But thats a bit more like programming.

There is also the web "policy rules" but that would not really fit neither as it can
only map in between unauthenticated calls and specific authenticated uris.

 

Please remember to rate helpful responses and identify

0 Helpful

Go to solution
Alexander Zykov
Level 1
Level 1
In response to Martin Koch

‎04-10-2014 10:00 PM

Thanks, I will try CPL.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents