08-20-2012 02:12 AM - edited 03-17-2019 11:38 PM
Hi.
I've set up VCS Control and VCS Expressway, TMS also.
Everything works okay.
But I found that anyone could just register on VCSe; it asks for no password at all.
If I set DefaultZone or DefaultSubZone to check credentials, then Movi clients stop registering on VCSe.
Also, even if Movi registers with VCSe using Windows credentials (when DefaultZone or DefaultSubZone is set to do not check credentials), it is listed as unauthenticated in the registrations list.
So how do I deny registration of unknown clients while allowing legitimate registrations?
08-20-2012 02:15 AM
Also, VCSe allows registered but not authenticated clients to call anywhere.
If I set the DNS zone search rule to allow only authenticated clients to call external aliases, then VCSe-registered Movi clients are not able to call external aliases.
08-20-2012 03:43 AM
Utair,
I presume you are provisioning to only the VCS-Control, and not the VCS-Expressway.
I would create a subzone for your Movi users, ensure you have a search rule based on the SIP domain you're using, targeted at the VCS-Control, and also remove the SIP domain from the VCS-Expressway SIP configuration. VCS-Expressway should then proxy the registration to the VCS-Control, and should register if your traversal zone and provisioning configuration is OK.
Use the local database authentication if you want to prevent endpoints registering to the VCS-Expressway.
There are other posts on this forum that are similar to this:
https://supportforums.cisco.com/thread/2091751
Thanks, Si
08-20-2012 04:59 AM
I'd like to provide registration not only to Movi, but to any other SIP-capable client software or device.
I've tried removing my domain from VCSe; it stopped servicing the Movi client.
There are search rules which point to TraversalZone.
08-20-2012 03:56 AM
Take a look at the "Authentication of devices and accounts" section found here:
and choose the document which corresponds to software version of your VCS.
As for endpoints registering with the VCS-E, see the admin guide for things like allow/deny lists etc.
http://www.cisco.com/en/US/partner/products/ps11337/prod_maintenance_guides_list.html
/jens
08-21-2012 09:47 PM
Well, I've turned on proxied registration, removed the domain from VCSe, and after a successful NTLM check, VCSc throws an error and nothing happens after that:
Aug 22 10:26:26 tmn-vcs-int tvcs: UTCTime="2012-08-22 04:26:26,707" Module="network.sip" Level="INFO": Src-ip="x.x.x.x" Src-port="7001" Detail="Receive Request Method=REGISTER, To=sip:galkin_dv@domain.root, Call-ID=433dd85a710153fa@192.168.222.130"
Aug 22 10:26:26 tmn-vcs-int tvcs: UTCTime="2012-08-22 04:26:26,708" Module="network.sip" Level="DEBUG": Src-ip="x.x.x.x" Src-port="7001"
SIPMSG:
|REGISTER sip:domain.root@domain.root SIP/2.0
Via: SIP/2.0/TCP x.x.x.x:7001;egress-zone=TraversalZone;branch=z9hG4bK3d6f426363f3215eca1500bff66d8a8a75411.8acaabc24e1533afea768ab6e3b5fced;proxy-call-id=89b92386-ec11-11e1-8f87-0010f3230592;received=x.x.x.x;rport=7001
Via: SIP/2.0/TCP 192.168.222.130:49448;branch=z9hG4bK0b1b97b72a73eec523ef66d51a4ccc5b.1;received=y.y.y.y;rport=49448;ingress-zone=DefaultZone
Call-ID: 433dd85a710153fa@192.168.222.130
CSeq: 27875 REGISTER
Contact:
From:
To:
Max-Forwards: 15
Path:
Path:
Allow: INVITE,ACK,CANCEL,BYE,INFO,OPTIONS,REFER,NOTIFY
User-Agent: TANDBERG/773 (MCX 4.4.3.14479) - Windows
Expires: 3600
Authorization: NTLM qop="auth", realm="tmnvcsint.domain.root", targetname="tmnvcsint.domain.root", opaque="d263317288deca9a", gssapi-data="TlRMTVNTUAADAAAAGAAYAIQAAAC6ALoAnAAAAAAAAABYAAAAEgASAFgAAAAaABoAagAAABAAEABWAQAAVYKAYgYBsR0AAAAPu/xIWYg6l4lJuEjsYCm6p2cAYQBsAGsAaQBuAF8AZAB2AE4ARQBUAC0AQQBEAE0ASQBOAC0ASgBVAE4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAINAFAB4f9zrVCBxRMX/P4wEBAAAAAAAAFmUqSB6AzQHjnbYxTSdUmgAAAAACABIAVQBUAEEASQBSAC4ARABPAE0ACAAwADAAAAAAAAAAAQAAAAAgAADKR/B0iB4pKoXYOheaDnsd2P4l1OLY0adP9NtQv2peygoAEAAAAAAAAAAAAAAAAAAAAAAACQAkAHQAbQBuAHYAYwBzAGkAbgB0AC4AdQB0AGEAaQByAC4AcgB1AAAAAAAAAAAAoOc1wNH5UXyUKAC3PzWL9w=="
Supported: replaces,timer,gruu
X-TAATag: 89b92462-ec11-11e1-913c-0010f3230592
Content-Length: 0
|
Aug 22 10:26:26 tmn-vcs-int tvcs: UTCTime="2012-08-22 04:26:26,708" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication request" client id="2172" username="galkin_dv" domain="" workstation=""
Aug 22 10:26:26 tmn-vcs-int tvcs: UTCTime="2012-08-22 04:26:26,711" Module="network.rpcnetlogon" Level="DEBUG": netlogon="rpc authentication succeeded" client id="2172" username="galkin_dv" domain="" workstation="" result="1" reason code="0x0 - No error" reason string=""
Aug 22 10:26:26 tmn-vcs-int tvcs: UTCTime="2012-08-22 04:26:26,712" Module="developer.nomodule" Level="ERROR" CodeLocation="ppcmains/sip/sipproxy/SipProxyLocalRegister.cpp(388)" Method="SipProxyLocalRegister::validateRegisterRequest" Thread="0x7fecdbffd700": this="0x7fecddd404d0" Found illegal userinfo=domain.root in REGISTER method
08-22-2012 01:17 AM
Hi,
The REGISTER request should not be in URI format, but yours seems to be:
SIPMSG:
|REGISTER sip:domain.root@domain.root SIP/2.0
This means that on one of your VCSs you have a transform which appends '@domain.root' to incoming SIP requests, and this transform is breaking the REGISTER.
Do you happen to have a transform on your Expressway which matches '([^@]*)' and transforms this to \1@domain.root? If so, this transform does not combine well with proxied registrations, and I'd recommend you disable this transform (and consider the implications of doing so).
This transform will basically change 'REGISTER sip:domain.root' to 'REGISTER sip:domain.root@domain.root' which is an illegal syntax for a REGISTER request.
Hope this helps,
Andreas
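The rewrite described in the answer above, as an added Python example that is not part of the original posts or of the VCS software: it applies the '([^@]*)' to \1@domain.root transform to a few request lines and flags any REGISTER whose Request-URI ends up with a userinfo part, which RFC 3261 section 10.2 forbids. The function names, the full-match regex semantics and the choice to apply the transform to the URI after the scheme are assumptions made for illustration; the sample lines are constructed from the log in this thread.

```python
import re

# Transform from the answer above: any alias without '@' gets the domain appended.
PATTERN = r"([^@]*)"
REPLACE = r"\1@domain.root"


def apply_transform(alias, pattern=PATTERN, replace=REPLACE):
    """Rewrite alias when the whole string matches pattern (assumed semantics)."""
    m = re.fullmatch(pattern, alias)
    return m.expand(replace) if m else alias


def transform_request_line(line):
    """Apply the transform to the URI of a SIP request line, keeping the scheme."""
    method, uri, version = line.split()
    scheme, _, rest = uri.partition(":")
    return f"{method} {scheme}:{apply_transform(rest)} {version}"


def register_has_userinfo(line):
    """RFC 3261 10.2: a REGISTER Request-URI must not contain userinfo or '@'."""
    method, uri, _ = line.split()
    if method != "REGISTER":
        return False
    # Drop the scheme and any URI parameters before looking for '@'.
    hostpart = uri.partition(":")[2].split(";")[0]
    return "@" in hostpart


# Constructed request lines modelled on the log in this thread.
SAMPLES = [
    "REGISTER sip:domain.root SIP/2.0",          # proxied registration
    "INVITE sip:galkin_dv SIP/2.0",              # alias dialled without a domain
    "INVITE sip:galkin_dv@domain.root SIP/2.0",  # already a full URI, not matched
]


def report():
    """Return (before, after, is_illegal_register) for each sample line."""
    rows = []
    for line in SAMPLES:
        after = transform_request_line(line)
        rows.append((line, after, register_has_userinfo(after)))
    return rows


if __name__ == "__main__":
    for before, after, broken in report():
        print(f"{before!r} -> {after!r} illegal_register={broken}")
```
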
08-22-2012 01:54 AM
Yes. That was the problem.
Actually there were two problems.
The first was the transform rule, which appended my domain to any alias not containing a domain, and the traversal zone search rule had an @mydomain pattern match.
I turned off the transform rule and changed to an any-alias search rule, and everything seems to be working okay.
Thanks for the help.