Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
455
Views
0
Helpful
2
Replies

H.323 - SIP interworking and authentication

Eli Kagan
Level 1
Level 1

‎07-24-2014 02:12 PM - edited ‎03-18-2019 03:13 AM

I have a basic VCS-E --- FW --- VCS-C setup. VCS-C is set up to do authentication on all zones and the Expressway does SIP proxying back to the VCS-C.  Expressway does not authenticate anybody.

My problem is with proxying these authentication requests. I have H.323 - SIP interworking enabled on both VCS-E and -C and it seems like registration requests that Expressway forwards to the Control return "authentication required" and that causes the Expressway to convert those requests to H323 and forward it to the Control again, with a side effect being clients can register without authentication even though it is required. 

My question is do I need H323-SIP interworking enabled on the Expressway if all clients can communicate through SIP.

And the second question is do I need H323 enabled at all?  Are there any advantages in having both SIP and H323 enabled on an endpoint? Wouldn't one protocol be enough? What are the best current practices?

Thanks,

Eli

 

 

 

Labels:
0 Helpful
2 Replies 2

Patrick Sparkman
VIP Alumni
VIP Alumni

‎07-24-2014 09:08 PM

For a secure environment, you'd check credentials for all VCS Control zones: default, traversal, and all subzones, while for the Expressway you'll only do this on the subzones.  You would need a username/password added to each of the VCS's local device database that the endpoints can use to authenticate and register with.  For regular endpoints that aren't provisioned you'll add that username/password to each endpoint's H323 or SIP configuration so they can authenticate all there communication to the VCS with it.  For provisioned devices such as Jabber Video, the users login account will be used for the subscribe messages, and then the VCS device account you created that you'll put into the TMSPE template, will be used for the actual registration.

I recently did this about two months ago myself.  If you can provide more details of how your VCS's and endpoints are configured, we could help figure out what's happening.  Cisco VCS Authenticating Devices Deployment Guide might help, and is a good place to start on understand endpoint authentication.

You don't need to have H323-SIP interworking enabled if all your endpoints are using the same protocol, ie: SIP.  However, if you happen to get an H323 call from external of your network, you won't be able to connect, since interworking would be disabled, so I'd leave it enabled.

Have H323 or SIP both enabled is really personal preference, but most newer codecs are moving to SIP only, such as the SX10.

0 Helpful

Wayne DeNardi
VIP Alumni
VIP Alumni
In response to Patrick Sparkman

‎07-24-2014 09:08 PM

"Have H323 or SIP both enabled is really personal preference, but most newer codecs are moving to SIP only, such as the SX10."

And don't forget the SX80 which can be one, or the other, but not both/dual registered as most of the older endpoints can.

H.323 will be going the way of H.320 - and slowly disappearing - this has been publicly acknowledged by Cisco as their future direction - making things SIP only in the future.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

0 Helpful
Customers Also Viewed These Support Documents