Hi Paulo,

SIP Poison -      NO on both VCS-E and VCS-C

Interworking -      "Registered only" on both VCS-E and VCS-E, however I have tried switch this off and on is different orders on both with no effect.

In fact, just double check the Interworking with all option and indeed this make no difference.

Ok Cris.

Let me perform some tests, I will use X-Lite and Jabber with proxied registration, just to see If I can have it working. I only tested this scenario with external jabbers calling each other through proxied registration.

Regards

Paulo Souza

Please rate replies and mark question as "answered" if applicable.

Hey Cris,

I simulated your problem by using a proxied registration scenario just like you have (but without VCS cluster). I used Jabber client and X-Lite client from internet registered to VCSc through proxied registration in VCSe. My test was sucessfull, I was able to make calls from Jabber to X-lite and vice versa.

After analysing the network logs and search history, this is what I have found:

1. Both clients register to VCS control normally via proxied registration
2. When jabber calls X-lite, the call is first send to VCSe and it matches VCSe's dial plan. Then VCSe route de INVITE to VCSc
3. VCSc receives the invite and matches it against its dial plan. Here is the important point, VCSc does not match the call to a search rule towards traverzal zone, instead, VCS route the call by using a search rule towards its LocalZone (this is the right behavior, because endpoints are registered to VCSc).
4. VCSc does not show any search history forwarding the invite back to VCSe, therefore only one search appears in search history and the target is localzone with the result "Found"
5. Although VCSc does not show a search attempt toward VCSe, VCSc does sends a invite back to VCSe (without matching any rule). In VCSe I do see that invite being receive again, but VCSe does not match it againt its dial plan, because VCSe recognizes the destination as proxied registered device

See the result of the call below. As I stated many time, there are two calls being showed in VCSe, because the call comes from VCSe, goes to VCSc and comes back to VCSe. So VCSe considers as being two different calls although there is only a single one.

VCS Control

VCS Expressway

Therefore, I think your scenario is not working because you don't have correct search rules in VCSc towards LocalZone. You just have correct search rules towards Traversal Zone.

Try to adjust your dial plan based upon the description I posted above.

Regards

Paulo Souza

Please rate replies and mark question as "answered" if applicable.

Hi Paulo,

I'm not sure, but I think you might have got hold of the wrong end of the stick. I think what you have demonstrated here is a External proxied client calling another external proxied client (albiet with one of those use a non Jabber client). I understand about the double call issue and this is not a problem, and NOT the probelm we are seeing. I can call other externally registered client OK.

What I meant by the third party device is something completely independent of the VCS system - i.e. registered elsewhere out in Internet land - a completely different domain not hosted on the VCSs in question (maybe I should have called it independent rather than third party). For this to happen, the call MUST egress through the VCS-E DNS Zone.

So the Internally registered device call call the independent third party - the call routes out from the VCS-C to the VCS-E, then out through the DNS Zone. However, with the externally registered device, the search stops at the VCS-C.

The only two ways I have been able to achieve this is to have a 2nd traversal zone between VCS-E and VCS-C (as mentioned above), OR open up the DNS Zone on the VCS-E to be able to route calls from its default zone (as mentiioned in the original post - so in this case, the externally registered client bypasses sending the call via the VCS-C - but this also open up the VCS-E for malicious routing of calls - or so I believe).

Does this make more sense?

Hi Chris!

First of all, thank you for the very great documented question. Your diagrams are nice made!

As the question can not be rated I gave you +5 on an other posting for that!

Some thoughts, what I bet what kills your call here is the loop detection found under

VCS Config > Calls

That is most likely on on the VCS-E (default). If you want a loop call you would need to disable it there.

Maybe there are some findme scenaios where it would need to be disabled on the VCS-C as well.

Depending on the deployment disabling loop protection can cause, yes you guessed right, loops :-)

If its just the VCS-C and -E and you have the search rules right (I would for example check that

the VCS-E does not search on your own domains towards the dns zone) it should be ok.

Anyhow, I like to keep it on and use other methods.

How do your search rules on the VCS-E look like?

If you dont mind having the risk of somebody using your vcs as a open proxy (you could also limit this

to the domains by a custom CPL) you could add a search rule allowing from zone ANY.

Then the call will not hit the VCS-C and just be handled on the VCS-E.

Paulo mentioned that in postings before, I also do not really like the proxy registration neither.

Maybe looking into using authentication on the VCS-E and keep the registrations there could be

worth investigating.

Hi Martin,

Martin Koch wrote:
Hi Chris!
First of all, thank you for the very great documented question. Your diagrams are nice made!
As the question can not be rated I gave you +5 on an other posting for that!

Well, many thanks . Even so I have updated the diagrams (and search history to match) to show the distinction between domains - even when you think you have completely covered everything it is still possible for people to misinterpret your requests - sorry for leading you astray Paulo.

Martin Koch wrote:
 
Some thoughts, what I bet what kills your call here is the loop detection found under 
VCS Config > Calls

Will look at this tomorrow, however, I think I already have! I think I have played with most settings in many differnt configurations, but will certianly double check this.

Martin Koch wrote:
 
How do your search rules on the VCS-E look like?

Martin Koch wrote:
If you dont mind having the risk of somebody using your vcs as a open proxy (you could also limit this 
to the domains by a custom CPL) you could add a search rule allowing from zone ANY. 
Then the call will not hit the VCS-C and just be handled on the VCS-E.

Yeah - sounds like a plan - I need to look into this

Martin Koch wrote:
Paulo mentioned that in postings before, I also do not really like the proxy registration neither.
Maybe looking into using authentication on the VCS-E and keep the registrations there could be
worth investigating.

TBH, our current production enviroment uses registration on the VCS-E (as per https://supportforums.cisco.com/message/3942778#3942778, although Adam talks about AD, the same can be achieved with just TMSPE and local DBs), and I quite like this. However, as we support many educations establishement, we need to be able to support third party SIP clients (such as Linphone), and I simply can't seem to find a third party client that can support this 'double' authentication. Hence the reason for looking at proxying registrations.

Hi Cris,

TBH, our current production enviroment uses registration on the VCS-E (as per https://supportforums.cisco.com/message/3942778#3942778, although Adam talks about AD, the same can be achieved with just TMSPE and local DBs), and I quite like this. However, as we support many educations establishement, we need to be able to support third party SIP clients (such as Linphone), and I simply can't seem to find a third party client that can support this 'double' authentication. Hence the reason for looking at proxying registrations.

I may be missing something here, but as far as I understand, when you attempt to register generic SIP client to VCSe, the authentication will be made on VCSe or on VCSc (if using proxied registration), but it is not double authentication. The double authentication process happens with Jabber, because with Jabber, you first authenticate when provisioning the client and then authenticate again to register the client.

I don't think you will have problems in registering generic SIP clients to VCSe directly. I have a customer that uses X-Lite from internet registered to VCSe with authentication enable. They also have internal and external jabber clients working fine. They use TMS directory as authentication database in both VCSc and VCSe, so all the clients register from internet by using the same users database for authentication. Of course, there is no LDAP authentication, only LDAP importing in TMS. They also have some CPL rules to bring security.

Regards

Paulo Souza

Please rate replies and mark question as "answered" if applicable.

Hi Paulo,

Again many thanks for the response and further  apologies for my lack of clarity (very tired at that point). Indeed, the  the 'double' authentication I was referencing was with regard to the  Jabber provisioning request, then the SIP registration.

At this moment in time, I have held off from adding the Provisioning licence to the VCS-E simply because this is recommended as something NOT to do in the documentation "Cisco TelePresenceManagement Suite Provisioning Extension - Deployment Guide", where it states:

User accounts can only reside on one Cisco VCS (or Cisco VCS cluster). Therefore if your network has a combination of Cisco VCS Expressways and Cisco VCS Controls (where some endpoints - such as soft clients - may register to either the Control or the Expressway), we recommend that you configure and enable provisioning only on the Cisco VCS Control (or Control cluster). If a soft client or other endpoint registers to a Cisco VCS Expressway, provisioning requests will be routed (using search rules) to the Cisco VCS Control associated with the Expressway via the appropriate traversal zone.

So,  because of provisioning with Jabber, I can provide a generic "SIP  Authentication" Username and Password that is sent to the client without  user knowing what it is. they can then use just their username/password  combination and all looks great from their point of view. Things aren't  too bad from my point of view either as I only have to add one  additional generic user account to the VCS-E  that I can supply a complex password for. However, in this scenario I  need to give out the Generic SIP Authentication username and password to  users that want to connect remotely an that don't use Jabber -  something I would rather avoid.

If I add a  provisioning licence to the VCS-E as well as the VCS-C, then the  relevant users from the specific group will also be added to the VCS-E,  thus adding many user accounts to the VCS-E - whilst I don't mind adding  one additional account to the VCS-E, adding many seems like I could be  asking for trouble!

So, what I REALLY  want to achieve is for the end user to be able to use their own password  and user name to be able to log on both locally and remotely. With a  provisioned client this is no problem - without, I run into issues. To  achieve what I want , I would need to either :

1. Add provisioning to the Expressway,
2. OR allow for proxying and open up the DNS Zone to route from the VCS-E (but with Authentication) and develop some CPL

Correct?

Hi Paulo,

Sorry for coming back to this one (wasn't sure whether to post a new - but really its a follow up to this conversation), but I have only just got around to trying this on our test bed.

So I'm looking to explore the possibilities to use Provisioning on the VCS-E simply to provide a method to deploy user credentials in order that a user can register to the VCS-E, however, pass on the actual provisioning and presence information to the VCS-C in order that those duties can be carried out there and not actually on the VCS-E

As a Basic setup, I have completed the following:

1. Turn off "SIP registration proxy mode" on the VCS-E
2. Add the SIP domain to the VCS-E to allow registration
3. Install the provisioning licence and set up the TMSPE to only replicate 'User' information.
4. Set up the Default Zone and Subzones to "Check Credentials" (am I correct in thinking this is OK as it will still allow inbound calls but stop unauthenticated provisioning (SUBSCRIBE) requests?)

At this point I can see the user authenticate, but (from the Network Log - see below) of course the provisioning request is directed to the VCS-E then on to the 127.0.0.1 loop back address). Assume that in this example the client is at a fictitious address of 2.2.2.2 and the VCS-E is a 1.1.1.1.

Of course this is where the "xConfig SIP Routes" setup you mention above now comes into play. So, I have read through the VCS Admin guide but it is a little vague about this subject - apart from the command being listed (although it does say that is "for developer use only"), I couldn't find much info. Do I have to add a single route for each message type I want to forward, and do I need ALL the SIP Route config for each rule?

For instance, I can see this is the Network Log (names have been changed to protect the innocent)

2013-07-31T18:52:21+01:00    tvcs: UTCTime="2013-07-31 17:52:21,232" Module="network.sip" Level="DEBUG": Src-ip="127.0.0.1" Src-port="22410"
SIPMSG:
|SIP/2.0 503 License Count Exceeded
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK7e73b84872e7059996e3845160f036fe44334.87d275781ab55f2a9b1a69d6cbb3d624;received=127.0.0.1;rport=5060;egress-zone=DefaultZone;proxy-call-id=f2f4477a-fa09-11e2-95a0-0010f31ae17c
Via: SIP/2.0/TLS 2.2.2.2:51896;branch=z9hG4bKa15082332de22bc11234fadd846b90b6.1;received=2.2.2.2;rport=51896;ingress-zone=DefaultZone
Call-ID: 909cc78999684bdb@127.0.0.1
CSeq: 202 SUBSCRIBE
Contact: "VCS Provisioning Service" <127.0.0.1:22410>
From: <>user@mydom.com>;tag=fd99431e6f439c14
To: <>provisioning@mydom.com>;tag=9329846bf91f3428
Record-Route: <127.0.0.1:5060>
Record-Route: <1.1.1.1:5061>
Expires: 300
Event: ua-profile;model=movi;vendor=tandberg.com;profile-type=user;version=4.6.3.17194;clientid="S-1-5-21-1405356030-1745526636-438344022";connectivity=1
Content-Length: 0
|

2013-07-31T18:52:21+01:00    tvcs: UTCTime="2013-07-31 17:52:21,232" Module="network.sip" Level="INFO": Src-ip="127.0.0.1" Src-port="22410" Detail="Receive Response Code=503, Method=SUBSCRIBE, To=sip:provisioning@mydom.com, Call-ID=909cc78999684bdb@127.0.0.1"

2013-07-31T18:52:21+01:00    tvcs: UTCTime="2013-07-31 17:52:21,230" Module="network.sip" Level="DEBUG": Dst-ip="127.0.0.1" Dst-port="22410"
SIPMSG:
|SUBSCRIBE sip:user@mydom.com SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;egress-zone=DefaultZone;branch=z9hG4bK7e73b84872e7059996e3845160f036fe44334.87d275781ab55f2a9b1a69d6cbb3d624;proxy-call-id=f2f4477a-fa09-11e2-95a0-0010f31ae17c;rport
Via: SIP/2.0/TLS 2.2.2.2:51896;branch=z9hG4bKa15082332de22bc11234fadd846b90b6.1;received=2.2.2.2;rport=51896;ingress-zone=DefaultZone
Call-ID: 909cc78999684bdb@127.0.0.1
CSeq: 202 SUBSCRIBE
Contact: 
From: <>user@mydom.com>;tag=fd99431e6f439c14
To: <>provisioning@mydom.com>
Max-Forwards: 69
Record-Route: <127.0.0.1:5060>
Record-Route: <1.1.1.1:5061>
User-Agent: TANDBERG/774 (MCX 4.6.3.17194) - Windows
Expires: 300
Event: ua-profile;model=movi;vendor=tandberg.com;profile-type=user;version=4.6.3.17194;clientid="S-1-5-21-1405356030-1745526636-438344022";connectivity=1
Accept: application/pidf+xml
P-Asserted-Identity: <>user@mydom.com>
X-TAATag: f2f44932-fa09-11e2-bfaa-0010f31ae17c
Content-Length: 0
|

2013-07-31T18:52:21+01:00    tvcs: UTCTime="2013-07-31 17:52:21,230" Module="network.sip" Level="INFO": Dst-ip="127.0.0.1" Dst-port="22410" Detail="Sending Request Method=SUBSCRIBE, Request-URI=sip:user@mydom.com, Call-ID=909cc78999684bdb@127.0.0.1"

2013-07-31T18:52:21+01:00    tvcs: UTCTime="2013-07-31 17:52:21,227" Module="network.ldap" Level="INFO": Detail="Authentication credential found in directory for identity: user"
2013-07-31T18:52:21+01:00    tvcs: UTCTime="2013-07-31 17:52:21,224" Module="network.sip" Level="DEBUG": Src-ip="2.2.2.2" Src-port="51896"
SIPMSG:
|SUBSCRIBE sip:user@mydom.com SIP/2.0
Via: SIP/2.0/TLS 2.2.2.2:51896;branch=z9hG4bKa15082332de22bc11234fadd846b90b6.1;received=2.2.2.2;rport=51896
Call-ID: 909cc78999684bdb@127.0.0.1
CSeq: 202 SUBSCRIBE
Contact: 
From: <>user@mydom.com>;tag=fd99431e6f439c14
To: <>provisioning@mydom.com>
Max-Forwards: 70
Route: <1.1.1.1:5061>
User-Agent: TANDBERG/774 (MCX 4.6.3.17194) - Windows
Expires: 300
Proxy-Authorization: Digest nonce="a824ed85c7b23a312439e6f9f6ae5a58f43098cd3f067fba8af094f83b8e", realm="vcs-e.mydom.com", qop=auth, opaque="AQAAANm9RZ5qOXTlkQuvg38NKgzL/cyP", username="user", uri="sip:mydom.com", response="4df9824190d8ee42f9cb93b3fdd9e5fe", algorithm=MD5, nc=00000001, cnonce="d5ad1f6e10962fe2ad18e118543dd476"
Event: ua-profile;model=movi;vendor=tandberg.com;profile-type=user;version=4.6.3.17194;clientid="S-1-5-21-1405356030-1745526636-438344022";connectivity=1
Accept: application/pidf+xml
Content-Length: 0
|
2013-07-31T18:52:21+01:00    tvcs: UTCTime="2013-07-31 17:52:21,224" Module="network.sip" Level="INFO": Src-ip="2.2.2.2" Src-port="51896" Detail="Receive Request Method=SUBSCRIBE, Request-URI=sip:user@mydom.com, Call-ID=909cc78999684bdb@127.0.0.1" 

I'm this the SIP Routes will need to take affect of the redirected SIP messages as seen above (in Purple) from the VCS-E to its loopback address, so I guessing I will need something like this:

xConfiguration SIP Routes Route 1 Address: "vcs-c.mydom.com"                                            (can I spefify FQDN?)

xConfiguration SIP Routes Route 1 Authenticated: On

xConfiguration SIP Routes Route 1 Header Name: "Event"                                                      (not sure about this)

xConfiguration SIP Routes Route 1 Header Pattern: "(ua-profile;model=movi)(.*)"                   (really not sure about this!)

xConfiguration SIP Routes Route 1 Method: "SUBSCRIBE"

xConfiguration SIP Routes Route 1 Port: 5060                                                                          (Maybe 5061 with TLS?)

xConfiguration SIP Routes Route 1 Request Line Pattern: ".*@(%localdomains%|%ip%)"     (Hmmm)

xConfiguration SIP Routes Route 1 Tag: "Tag1"                                                                        (really not sure about this!)

xConfiguration SIP Routes Route 1 Transport: TLS                                                                  (These VCS-Es will be on the public Internet)

I haven't tried any of this yet, but I will have to wait until tomorrow now.

Cheers

Chris

Oh! That's a bit easy! I had expected a lot more work and so studied the SIP packets from the Network Log to try and determine the correct format. Still, I'm sure this time spent will come in handy at some point in the future.....

I'll have a look at the current SIP route to see how they are constructed and see it I can determine how they work, but I now guess that they actually point to the loopback (127.0.0.1).

Yes, these SIP routes are used to route provisioning messages to the local provisioning server, that's why you see 127.0.0.1 as destination. By removing the SIP routes, the provioining message will be sent towards VCSc using search rules.

Good luck!

=)

Paulo Souza

Please rate replies and mark question as "answered" if applicable.