Movi Provisioning and Zone Authentication Rules

William Bell
VIP Alumni

I have a couple of questions concerning Zone authentication policies and Movi provisioning/registration.

Environment:

Movi version: 4.2

VCS Expressway cluster (2 peers): X6.1

VCS Control cluster (2 peers): X6.1

Microsoft AD 2003

Authentication method (standard devices): Local Database

I have read through the VCS admin guide, the TMS provisioning guide (13.0), the VCS X6 release notes, the VCS X6.1 release notes, and the VCS Device Authentication Deployment Guide. I am trying to piece the story together for zone and authentication policies for Movi. Please bear with me here. In general I am trying to understand what zones/subzones play a role in the whole Movi provisioning and registration process.

Questions (assuming Local Database authentication and VCS-C is configured with TMS agent for provisioning):

1. When a Movi client is connecting to the VCS Control (Internal) my understanding is that the Default Zone is handling the initial Subscribe message and that it is recommended that the Default Zone's authentication policy is set to "Do not check credentials". The idea is that the TMS agent will handle authentication at this point (for provisioning). Is this accurate?

2. Now, if I were to create a membership rule that places Movi clients into a specific local subzone, what would be the requirements for Authentication Policy for the local subzone? Should it still be "Do not check credentials"? Also, would the Default Zone still be used for the provisioning step? Meaning, that both the Default Zone and the Movi local subzone would need the same authentication policies.

3. When a Movi client is connecting to the VCS Expressway, how does the Expressway know to push the subscribe message to the VCS Control? I saw a mention of search rules in one of the guides, but it wasn't clear how the expressway knows to forward the provisioning request. What is used? Where is it set?

4. Again, with authentication my understanding from the VCS X6 release notes is that the Default Zone on the VCS Expressway is configured with "Do Not Check Credentials" and the Traversal Client Zone on the VCS Control is also configured for "Do Not Check Credentials". The idea (from my understanding) is to get the TMS agent on the VCS Control to do the authentication. Is this an accurate understanding?

5. Where does the Movi actually register in this case? The Expressway or the Control?

6. If #5 is the Expressway, what considerations are needed if the Expressway has a local subzone membership rule for Movi clients? Does it need to have "Do not check credentials" as well?

As if I haven't asked enough, I am wondering what happens if one were to use the Active Directory Direct method for authenticating Movi clients. My read on this method is that the whole approach to authentication policies changes. Instead of "Do not check credentials" you want to "Check credentials" (along with some other configs related to NTLM authentication).

In the VCS Device Authentication Deployment Guide it says that the "Default Zone" should be configured to "Check credentials". What isn't clear is what this means when you have a VCS Expressway and a VCS Control. I am going to guess that it means the following:

(a) VCS Expressway

Default Zone:  "Do not check credentials"

(b) VCS Control

Traversal Client Zone: "Do not check credentials"

Default Zone: "Check credentials"

1. Is the above accurate? Or would I also need to check credentials on the Traversal client zone?

2. What if I were to have membership rules pointing the Movi client to a subzone?

Clearly I am missing a fundamental piece to the puzzle. Or, more accurately, I have pieced things together from different documents and my confidence that I have done so accurately is in question.

Thanks in advance,

Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

18 Replies

Martin,

As you noticed yourself the three methods you mentioned are unacceptable.

I could proxy the registrations to VCS-C, but why would I want to force all the RTP streams for external users (who would normally register to VCS-E) to the VCS-C through the firewall? For example, 2 Movi users registered to the VCS-E: if they make a call the media stream will traverse the VCS-E; if they are proxied to VCS-C the media will traverse not only VCS-E, but also VCS-C. Is that correct?

And the big advantage of Expressway is NOT to use a VPN client.

If the proxy registration will fix this issue it's better to go with it, unless you have many users registered to the VCS-E and have direct calls between them!

I do not agree with the "unacceptable".

It's always like that with integration projects: you have to see the limitations, cross check with the priorities of the wanted requirements and make the best out of it.

Many enterprise customers already have a VPN infrastructure in place, then it can be an easy fix.

Sure, it will put more load on the system as it has to encrypt the video and then again encrypt it for the VPN, and will lower the MTU, but for most it will work great.

If it is a requirement I could picture you could have a stripped down AD server which gets only the movi users replicated.

Regarding RTP, yes, if you have a traversal zone this is what most likely will happen, from what I read even if you try to use ICE/TURN/STUN, but in theory this could be something which could be fixed by Cisco.

Btw, if you use FindMe on the VCS-C you will most likely end up anyhow having calls looped through the VCS-C.

Please vote answers.


Martin,

I think I was misunderstood. What I meant is that the suggested solutions are unacceptable for my deployment.

But your answers are highly appreciated!

Anyway, I think that Cisco should come up with a better solution in the next software release.