Andrey,

Thanks for the reply (+5). I need some clarification on a few statements:

In response to question 2:

 [Andrey Ganev, in response to question 2]
The authentication policy for the local subzone will be ignored and only the policy on that specific local subzone will be taken into account.

I am confused by this statement. If the local subzone authentication policy is ignored how is the policy taken into account?

[response to question 2]

And no, it should not be "Do not check credentials" because what will happen is that Movi will sign in successfully but the presence status change will fail.
The reason behind this is that once authenticated with username and password against the provisioning db the Movi will receive all the provisioning configuration and will successfully register. However the publish message will get 403 because it has not been authenticated.

I have some confusion around this statement too but it is likely because I am not clear on whether you were talking to the Default Zone or the Local Subzone (in a configuration where Movi clients are placed into a subzone via membership rules).

[response to question 3]
It does know by the search rules, so if it has searched for  'AnyAlias in the  LocalZone' , hasn’t found it and then it will continue searching for the same alias towards traversal zone , usually the VCS with the provisioning db.

OK. That makes sense. However, I wasn't going to use "AnyAlias" on the VCS-E because I thought that would be a problem since I am supporting URI and IP Addr dialing from the VCS-C. So, on the VCS-E I am using a search rule for the domain suffix that is used by Movi clients. I think that should give me the same behavior, no?

[response to question 4]
Here were are talking for non proxied registration. Same behavior is valid also for Control - if you set the DZ to "Treat As Authenticated" and the Subzone to DoNotCheck Credentials or "Do Not Check Credentials or Treat As Authenticated" this will result to registering with whatever password.

I believe I am clear on what you are saying. There is an implied relationship between the subzone and DZ. This begs another question. In my design I was planning to lock out the Default Zone by removing all links. I was going to do this as a security feature but I am now wondering if that would break Movi in some way. In my design all endpoints and Movi clients are assigned specific subzones via membership rules. I thought that subzone membership would override Default Zone being used by Movi. My interpretation of your responses is that the Default Zone still plays a rule even when Movi is pushed into a subzone. Is that accurate? If so, do I need to re-establish links to the Default Zone (like Default Zone to Default Subzone?).

[Response to AD Direct Auth questions]
 
What I would do is:
(a) VCS Expressway
Default Zone: "Check Credentials"
Default Subzone: "Check Credentials" 
(b) VCS Control
Traversal Client Zone: "Do not check credentials"
Default Zone: "Do not check Credentials"
Default Subzone: "Treat as Authenticated"
But again it is up to the particular requirements

What I don't follow here is what happens with movi clients which are hosted internally and registering to the VCS Control? If I follow all of your responses, a Movi client isn't really authenticated when registering internally. Meaning, it doesn't matter what the user provides for authentication? Keeping in mind, that I am thinking in context of the AD Direct Authentication method that I want to apply.

Thanks again.

Regards,

Bill

Hi Marwanshaw,

yes, it is possible but note that direct AD authentication can be used from Movi 4.2 and later.

There is a very useful deployment guide you can check for more details :

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Authenticating_Devices_Deployment_Guide_X6-1.pdf

Hi Andrey,

there is a point confusing me here about the Movi authentication support with AD

normally the authentication comes from TMS for provesioning ( personal en points )

now in the document you provided above it dose mention tht AD supported only with Movi in addition it states that this is not related to the provisioning

Note that Active Directory database (direct) authentication is only supported by VCS challenges, and not by provisioning server (TMS Agent) challenges

!!!

Heh, currently our Movi (4.2) users are registering to the VCS (X6.1) Default Subzone, and if I set the authentication rule to anything else but "Treat as Authenticated", Movi no longer get phonbook (searching for entries no longer works).

(Direct intergration with AD not implemented as yet).

Marwanshawi,

In the normal MOVI configuration the backend LDAP database needs to authenticate the users, you can add an additional layer by turning on authentication in the VCS too if you want.

When you deply the VCS with AD integration, then the VCS needs to authenticate the MOVI users, not the LDAP database.  The reason for this is that only the VCS can talk to the PDC, not the LDAP directory.  So when a MOVI user logs in, the VCS will forward the credentials over to the PDC.

Thanks,
Justin

Hi Justin

thanks for your input, but whats confusing me here, with VCS 5.x lets say you have provisioning configured with the TMS, then you integrate TMS with AD to get users login then send it via smtp email from TMS to per user for login

the pasword is generated by TMS, login is the AD user name

however from your above description do you mean now i can use AD username and password to login ? if this is correct what baout the TMS Role and integration in the picture with provisioning and login ?

Thanks

Marwan

Marwan,

take a look at:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Authenticating_Devices_Deployment_Guide_X6-1.pdf

This will describe the method beeing used when using X6.1, Movi4.2 and AD (older VCS or Movi versions are not suported).

To answer your question. Yes, you can use the AD username and password to login with movi.

(you have to enter the user/password in movi, to inherit this from the domain logon would be a nice future feature)

The TMS role is the same, you still need TMS to create and maintain the provisioning accounts,

the creation will still work as before via the AD import and TMS will replicate this info to the VCS.

You can also still use TMS to send out info emails (like info for the download).

The only thing whats not used (so you want to remove it from your template) is the auto generated

password in the TMS provisioning directory.

And btw, if you have additional questions, consider opening a new thread, this one gets quite hard to read :-)

You can inherit the username and password from your domain logon if you install Movi with a bat file that has the parameter USEWINDOWSUSERNAME=1.

I think that this thread is also a good place to discuss another issue.

Yes - you can do direct authentication with Movi but this means setting the default zone to "check credentials".

What does that mean for provisioning an E20 - it will have to authenticate against VCS.

And the password is generated within TMS. So for this to work you would have to manually enter all the passwords that TMS generated into the VCS local authentication database which doesn't make sense.

Has anyone tried to overcome this?

options I see if you want to enable auth on the vcs-e

* add the VCS-E to the AD as well (might not be possible firewall / security wise)

* use the local auth DB on the VCSE and add movi accounts you need (not good as it will get out of sync)

* external ldap auth db (which will not be able to sync passwords with AD)

Do you need authentication on the VCS-E? If you do not add (or remove) the sip domain on the VCS-E

sip/movi registrations shall be proxied to the VCS-C and the authentication is handled there.

Or you could also use a vpn for the movi users so they can direct register to the VCS-C

As I do not know your exact setup, there might be other option or things I mentioned might not fit your deployment. :-)