Jabber provision from Internet

pat.mar.paj
Level 1

Hi all.

I have the following architecture:

Internet --> VCS-E -- (Traversal Zone) --> VCS-C plus a TMS server for provisioning.

I would like to implement Jabber from Internet, registering on the VCS-C. I know that I have to pass the registration request through the VCS-E, but I don't know how to configure it. Can anybody help me?

Thank you very much.

Best regards.

Patricia

11 Replies

Tomonori Taniguchi
Cisco Employee

Please follow the deployment guide in the reply from Martin, which should give you a step-by-step guide.

Here is a quick overview of what you need to configure at minimum.

First, assume the provisioning DB runs on VCS-C, VCS-W will proxy the provisioning request, and provisioning clients will register on VCS-E (the client sends the provisioning request to VCS-E; registration is not proxied to VCS-C).

On VCS-E

  • VCS-E must have a search rule that allows it to send the Subscribe message to VCS-C. (For example, a search rule with regex “.+@(%localdomains%)” pointing to VCS-C.)
  • Configure a SIP domain for the provisioning domain and disable “SIP registration proxy mode”.
  • The authentication policy for the Default Zone should be configured as “Do not check credential”.

On VCS-C

  • Configure a SIP domain for the provisioning domain.
  • The authentication policy for the Default Zone and the Traversal Zone (to VCS-E) should be configured as “Check credential”, and the Default Subzone as either “Check credential” or “Treat as Authenticated”.

On TMS

  • You should configure the VCS-E IP address or SRV/A record for the “Public SIP Server Address” provisioning template parameter and assign this specific template to the provisioning user account/group. The “Public SIP Server Address” defines where the provisioning client sends its registration request.
  • Configuring the “Public Presence Server URI” and “Public Phone Book Server URI” parameters is optional but recommended (i.e. presence@yourdomain.com, phonebook@yourdomain.com).
  • You may also configure TURN parameters on the template if you wish to use the ICE feature on provisioning clients registered on VCS-E to optimize media routing, but this is optional.

With the Default Zone set to "Do not check credentials", anyone could register to VCS-E without providing credentials. IMHO this is not a good solution, because anyone could use your infrastructure to initiate toll fraud calls over the internet.

Regards, Paul

Please note this is a discussion of Jabber Video provisioning design.

VCS-E is not a provisioning server, therefore the Jabber Video client won’t be able to register until the provisioning challenge succeeds on VCS-C (VCS-E will forward the request to VCS-C, where it is handled); then VCS-C sends back a Notify message via VCS-E.

Thank you Tomonori.

Sorry for the delay answering you.

I think I have understood your procedure. As soon as I can probe it, I will tell you.

rasimyigit
Level 1

Hi Tomo,

*On VCS-E*

*VCS-E must have a search rule that allow to send subscribe message to VCS-E. (For example, search rule with regex “.+@(%localdomains%)” pointing to VCS-C)*

*Configure SIP domain for provisioning domain and disable “SIP registration proxy mode”*

*Authentication policy for Default Zone should configured as “Do not check credential”.*

Do you mean to create a search rule from VCS-C to VCS-E?


Oops, typo in the original post.

I meant to write “allow to send subscribe message to VCS-C”.

This search rule is on VCS-E to forward SIP messages to VCS-C.

VCS-E will receive a Subscribe message (provisioning@yourdomain.com) from the provisioning client (i.e. Jabber Video).

So VCS-E must have a search rule to forward SIP messages relating to provisioning to VCS-C, in order to handle user authentication and provide the provisioning information back in a Notify message.

rasimyigit
Level 1

Ok,
Now it's good;-).
You really mean the rule on the VCS-E with regex “.+@(%localdomains%)” to the VCS-C. But is the rule any/any with a priority of, e.g., 110 on the VCS-E to the VCS-C not nice? On the VCS-C everything is on check credentials and safe. Or do you prefer your rule with localdomains?


Creating an “Any alias match” search rule on VCS-E and pointing it to VCS-C works fine as well.

The above regex search rule is to minimize SIP signal forwarding to VCS-C.
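The difference between the two search rules discussed above, as an added Python sketch that is not part of the thread and not Cisco code. It assumes `%localdomains%` expands to the SIP domains configured on the VCS and that the regex must match the whole alias; the aliases are constructed samples and the function names are hypothetical.

```python
import re

def expand_rule(pattern, sip_domains):
    # Assumption: %localdomains% is replaced by the SIP domains configured on
    # this VCS, modelled here as an escaped regex alternation.
    alternation = "|".join(re.escape(d) for d in sip_domains)
    return pattern.replace("%localdomains%", alternation)

def forwarded(aliases, pattern, sip_domains):
    """Return the aliases a search rule with this regex would send on to VCS-C."""
    rx = re.compile(expand_rule(pattern, sip_domains), re.IGNORECASE)
    # Assumption: the whole alias has to match, hence fullmatch().
    return [a for a in aliases if rx.fullmatch(a)]

SIP_DOMAINS = ["yourdomain.com"]          # provisioning domain used in the thread
LOCALDOMAINS_RULE = ".+@(%localdomains%)"  # rule quoted in the thread
ANY_ALIAS_RULE = ".*"                      # stand-in for an "Any alias" match

# Constructed sample aliases as they might arrive at VCS-E from the Internet.
ALIASES = [
    "provisioning@yourdomain.com",       # Subscribe target from the thread
    "alice@yourdomain.com",              # user in the local domain
    "0015551234567@203.0.113.10",        # number dialled at an IP address
    "scanner@other.example",             # foreign domain
    "@yourdomain.com",                   # empty user part
    "bob@yourdomain.com.other.example",  # local domain only as a prefix
]

def compare():
    narrow = forwarded(ALIASES, LOCALDOMAINS_RULE, SIP_DOMAINS)
    broad = forwarded(ALIASES, ANY_ALIAS_RULE, SIP_DOMAINS)
    not_forwarded = [a for a in broad if a not in narrow]
    return narrow, broad, not_forwarded

if __name__ == "__main__":
    narrow, broad, not_forwarded = compare()
    print("localdomains rule forwards:", narrow)
    print("any-alias rule forwards:   ", broad)
    print("kept off VCS-C by the regex:", not_forwarded)
```

Under these assumptions only the two aliases in the local domain reach VCS-C with the regex rule, while the any-alias rule passes all six for VCS-C to authenticate or reject.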

rasimyigit
Level 1

That's not correct. You need at minimum a SIP domain on the VCS-E to register something. But with our solution the SIP domain is only on the VCS Control, and everything is check credentials on the VCS-C.


But H323 will work without a domain, if you don't disable H323 registration.

Regards, Paul