Tandberg VCS Expressway - Call Policy rules

Arbenjamin
Level 1

Dear All,

We are currently deploying the DNS resolve to the VCS Expressway, and it works as expected.

However, we would like to block external parties from calling our VIP users, so we are configuring the call policy rule.

According to the Help page of the VCS, both the Source pattern and the Destination pattern support regular expressions.

But we found the call policy rule does not work as expected.

For example, we have configured

Source pattern: martin.lai@jabber

Destination pattern: ex60@domain.com

Action: Allow

As a result, the user martin.lai@jabber is not able to call the endpoint ex60@domain.com.

Has anyone faced a similar problem? Or does anyone have a recommendation on this issue?

Best Regards,

Ben

Accepted Solutions

Tomonori Taniguchi
Cisco Employee

As Andreas mentions, you may use CPL to control calls from unregistered endpoints with the following CPL (just a quick sample):

===============================================================

     xmlns:taa="http://www.tandberg.net/cpl-extensions"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">

===============================================================

Another solution is to use the new dial plan search rules introduced in the X7.2 release.

Register the VIP endpoint in a separate subzone and create specific search rules.

With X7.2, you may configure search rule details such as call protocol and source subzone level, targeting a specific subzone level.

Please refer to page 35 of https://supportforums.cisco.com/docs/DOC-26316.

(But this is still a bit complicated when the call comes from the VCS-E to the VCS-C where the VIP endpoint is registered.)

8 Replies

Simon Battye
Level 2

Ben,

Do you have any other call policy rules sat underneath the rule you have outlined above? The rules will process from top, to bottom.

Have you tried using the locate tool on the VCS, is your request returned as 'forbidden'?

Thanks, Si

Dear Simon,

We have moved that rule to the top, which is the highest priority.

The locate tool shows it works fine; please refer to the attached picture.

Moreover, we have tried to configure the exact source and destination alias. However, it does not work.

Best Regards,

Ben

Ben,

Your screenshot is based on the 'check-pattern' tool.

If you navigate to the same section on the VCS, the locate tool is underneath the check-pattern option. Try locate ex60@domain.com and configure the source alias as martin.lai@jabber; this will give you a good idea of how the VCS is handling the call.

Could you outline what other rules are configured for your call policy, or is this the only one?

Thanks, Si

Dear Simon,

Thanks a lot.

It is my first time using the locate tool; that is very useful.

I have attached the call policy page for your reference.

As we expect, only the external jabber account martin.lai@jabber can call the internal endpoint ex60@jabber.com (by the first rule), and all external parties are not allowed to call endpoints with domain.com.

Best Regards,

Ben

Ben,

As Martin points out, the external incoming call from the jabber.com domain will most likely be unauthenticated (assuming your Default Zone is configured as 'Do not check credentials', which it normally should be), and will therefore not match your first rule but rather the second rule.

The reason for this is that when using the call policy rules, the source alias will actually be blank/non-existent for unauthenticated calls/requests, and thus match .* but not match martin.lai@jabber.com.

The solution to this is to create your own CPL which matches on the unauthenticated-origin (Unauthenticated source) rather than origin (Authenticated source).

The VCS Admin guide will have more information on how to achieve this by using CPL, and there are also a few example CPL snippets in there which should help you on your way.

- Andreas
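
The matching behaviour described in the reply above, modelled as an added example (not code from the thread and not VCS code). It assumes first-match-wins evaluation, whole-string regex matching and a default of allow when no rule matches; the `Call` and `Rule` types, the rule lists and the `@jabber.com` alias are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Call:
    alias: str           # source alias as signalled by the caller
    destination: str
    authenticated: bool  # False when the zone is "Do not check credentials"

@dataclass
class Rule:
    field: str           # "origin" or "unauthenticated-origin"
    source: str          # regex, matched against the whole value
    destination: str     # regex, matched against the whole value
    action: str          # "allow" or "reject"

def source_value(call, field):
    # As described in the thread: "origin" only carries an authenticated
    # alias, so it is blank for unauthenticated calls.
    if field == "origin":
        return call.alias if call.authenticated else ""
    if field == "unauthenticated-origin":
        return call.alias  # simplification: the alias exactly as signalled
    raise ValueError(f"unknown field: {field}")

def evaluate(rules, call, default="allow"):
    """Return (action, index of the matching rule or None); first match wins."""
    for i, rule in enumerate(rules):
        if (re.fullmatch(rule.source, source_value(call, rule.field))
                and re.fullmatch(rule.destination, call.destination)):
            return rule.action, i
    return default, None  # assumption: unmatched calls are allowed

# Constructed rule sets based on the aliases quoted in the thread.
VIP = r"ex60@domain\.com"
WIZARD_RULES = [
    Rule("origin", r"martin\.lai@jabber\.com", VIP, "allow"),
    Rule("origin", r".*", r".*@domain\.com", "reject"),
]
CPL_STYLE_RULES = [
    Rule("unauthenticated-origin", r"martin\.lai@jabber\.com", VIP, "allow"),
    Rule("origin", r".*", r".*@domain\.com", "reject"),
]
external = Call("martin.lai@jabber.com", "ex60@domain.com", authenticated=False)

if __name__ == "__main__":
    print(evaluate(WIZARD_RULES, external))     # blank origin skips rule 0
    print(evaluate(CPL_STYLE_RULES, external))  # rule 0 sees the signalled alias
```

An unauthenticated alias is whatever the caller signals, so an allow rule keyed on it identifies the caller only as far as that claim can be trusted.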

Martin Koch
VIP Alumni

If I remember correctly, the web-based CPL wizard only handles authenticated source addresses, or any unauthenticated source.

As this call comes from an external domain it will be unauthenticated.

You should be able to write your own CPL and use unauthenticated-origin for this user. That shall do the trick.

You can download the one you have, modify it and upload it again, though I would remove the first two lines like:

Dear Tomonori,

Thanks for your suggestion; we will upgrade the VCS to 7.2 to continue the deployment.

Thank you,

Ben