
Call Policy not blocking calls

pcummings (Level 1)

Hi all -

I'm having some difficulty getting my call policy to function.  My current setup:  Production VCSc and VCSe, and a QA VCSc and VCSe.  The Production and QA environments are not connected through a neighbor zone. All running 7.2.2

What I am specifically trying to do is to block all calls in and out not from our domain.

I am testing by making a call from the free Jabber Video client to a C40 registered on my QA environment.  It should route as Jabber.com -> QA VCSe -> Call policy blocks as it's not from .*@mydomain.net or .*@qa.mydomain.net.  Instead, it is routing the call from the QA VCSe to the VCSc and to the C40.

The CPL file I've written is:

<cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl-extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
  <taa:routed>
    <taa:rule-switch>

      <!-- the next two rules block unauthenticated calls from asterisk and 100@1.1.1.1 -->
      <taa:rule unauthenticated-origin="asterisk@.*" destination=".*">
        <reject status="403"/>
      </taa:rule>
      <taa:rule unauthenticated-origin="100@.*" destination=".*">
        <reject status="403"/>
      </taa:rule>

      <!-- the next two rules block authenticated calls from asterisk and 100@1.1.1.1 -->
      <taa:rule origin="asterisk@.*" destination=".*">
        <reject status="403"/>
      </taa:rule>
      <taa:rule origin="100@.*" destination=".*">
        <reject status="403"/>
      </taa:rule>

      <!-- the next two rules allow authenticated calls from mydomain.net and qa.mydomain.net -->
      <taa:rule origin=".*@mydomain.net" destination=".*">
        <proxy/>
      </taa:rule>
      <taa:rule origin=".*@qa.mydomain.net" destination=".*">
        <proxy/>
      </taa:rule>

      <!-- the next two rules allow unauthenticated calls from mydomain.net and qa.mydomain.net -->
      <taa:rule unauthenticated-origin=".*@mydomain.net" destination=".*">
        <proxy/>
      </taa:rule>
      <taa:rule unauthenticated-origin=".*@qa.mydomain.net" destination=".*">
        <proxy/>
      </taa:rule>

      <!-- the next two rules allow unauthenticated calls from ANY origin to mydomain.net and
           qa.mydomain.net; if the C40's alias is something@qa.mydomain.net, an unauthenticated
           call from user@jabber.com matches here and is proxied before the catch-all reject below
           is ever reached -->
      <taa:rule unauthenticated-origin=".*" destination=".*@mydomain.net">
        <proxy/>
      </taa:rule>
      <taa:rule unauthenticated-origin=".*" destination=".*@qa.mydomain.net">
        <proxy/>
      </taa:rule>

      <!-- the last rule blocks every remaining unauthenticated call -->
      <taa:rule unauthenticated-origin=".*" destination=".*">
        <reject status="403"/>
      </taa:rule>

    </taa:rule-switch>
  </taa:routed>
</cpl>

Any thoughts on why this is not working?  Thanks!
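To see which rule a given call hits, here is a small simulator for the first-match semantics of a taa:rule-switch. This is an added example written for this page; it is not code from the original post or from Cisco. It assumes that rules are evaluated top to bottom and the first match wins, that `origin` only matches a call whose source is authenticated while `unauthenticated-origin` only matches an unauthenticated source, and that the attribute values are regular expressions matched against the whole address. The policies and addresses in the block are constructed: the first is a condensed version of the posted policy (the allow-to-our-domain rules followed by the catch-all reject), the second drops the two "allow unauthenticated calls to our domain" rules.

```python
# Added example, not from the original post: simulate first-match evaluation
# of a taa:rule-switch to show which rule a call lands on.
# Assumptions (see lead-in): top-to-bottom, first match wins; origin only
# matches authenticated sources, unauthenticated-origin only unauthenticated
# ones; attribute values are regexes matched against the whole address.
import re
import xml.etree.ElementTree as ET

CPL_NS = "urn:ietf:params:xml:ns:cpl"
TAA_NS = "http://www.tandberg.net/cpl-extensions"

# Constructed, condensed form of the posted policy.
POSTED_POLICY = f"""<cpl xmlns="{CPL_NS}" xmlns:taa="{TAA_NS}">
<taa:routed><taa:rule-switch>
  <taa:rule origin=".*@mydomain.net" destination=".*"><proxy/></taa:rule>
  <taa:rule origin=".*@qa.mydomain.net" destination=".*"><proxy/></taa:rule>
  <taa:rule unauthenticated-origin=".*" destination=".*@mydomain.net"><proxy/></taa:rule>
  <taa:rule unauthenticated-origin=".*" destination=".*@qa.mydomain.net"><proxy/></taa:rule>
  <taa:rule unauthenticated-origin=".*" destination=".*"><reject status="403"/></taa:rule>
</taa:rule-switch></taa:routed></cpl>"""

# Constructed corrected policy: no rule proxies unauthenticated calls merely
# because they are addressed to one of our domains.
CORRECTED_POLICY = f"""<cpl xmlns="{CPL_NS}" xmlns:taa="{TAA_NS}">
<taa:routed><taa:rule-switch>
  <taa:rule origin=".*@mydomain.net" destination=".*"><proxy/></taa:rule>
  <taa:rule origin=".*@qa.mydomain.net" destination=".*"><proxy/></taa:rule>
  <taa:rule unauthenticated-origin=".*" destination=".*"><reject status="403"/></taa:rule>
</taa:rule-switch></taa:routed></cpl>"""


def evaluate(policy_xml, origin, destination, authenticated):
    """Return (1-based rule index, action) for the first matching rule,
    or (None, 'no-match') if nothing matches."""
    root = ET.fromstring(policy_xml)
    switch = root.find(f".//{{{TAA_NS}}}rule-switch")
    for idx, rule in enumerate(switch.findall(f"{{{TAA_NS}}}rule"), start=1):
        attrs = rule.attrib
        # origin applies only to authenticated sources
        if "origin" in attrs:
            if not authenticated or not re.fullmatch(attrs["origin"], origin):
                continue
        # unauthenticated-origin applies only to unauthenticated sources
        if "unauthenticated-origin" in attrs:
            if authenticated or not re.fullmatch(attrs["unauthenticated-origin"], origin):
                continue
        if "destination" in attrs and not re.fullmatch(attrs["destination"], destination):
            continue
        action = rule[0]  # the single child element: proxy or reject
        name = action.tag.split("}")[1]
        if name == "reject":
            return idx, f"reject {action.get('status')}"
        return idx, name
    return None, "no-match"


if __name__ == "__main__":
    # Constructed addresses: an outside Jabber user calling a C40 on the QA VCS.
    print(evaluate(POSTED_POLICY, "user@jabber.com", "c40@qa.mydomain.net", False))
    print(evaluate(CORRECTED_POLICY, "user@jabber.com", "c40@qa.mydomain.net", False))
```

Running it shows the inbound unauthenticated call matching the posted policy's fourth rule (proxy) and the corrected policy's third rule (reject 403); an authenticated call from alice@qa.mydomain.net is proxied by rule 2 in both. Two caveats on the patterns themselves: `.` in `.*@mydomain.net` is an unescaped regex metacharacter, so `\.` is the safer spelling, and because these are regular expressions the rule `unauthenticated-origin=".*"` matches every unauthenticated source, which is why its position relative to the allow rules decides the outcome.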

3 Replies

Zac Colton (Cisco Employee)

This is a basic example that would allow all authenticated origins and only unauthenticated from specific domains:

xmlns:taa="http://www.tandberg.net/cpl-extensions"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
Thanks Zachary.

I was able to slightly modify it to get it working.

The one slight issue I'm having is with the SIP BYE message being sent.

I can now successfully block calls from outside domains coming in.  The issue I'm having is that if I place an outbound call, and if they end the call, the SIP BYE message seems to be blocked coming back in.

Example: user@jabber.com calls into me, and it is blocked as expected.  I call out to user@jabber.com and it connects the call as expected.  If I end the call from my side, it sends the SIP BYE message.  If I end the call from the user@jabber.com side, it does not successfully route the SIP BYE message.

Any thoughts?  Thanks again.

I've been giving some thought to what you are trying to do. Using CPL to do it would get a bit complicated. You can simply rely on your search rules and zones. Plain and simple, be sure that all of your devices and clients register as authenticated. Set all of your search rules to require that the messages be authenticated. That right there will allow internal communication only. No one from the outside will be able to dial in through your Expressway since those messages will come in as unauthenticated. If you then want to allow dialing in from a specific location, you can create neighbor zones to the locations, and you can either set the neighbor zone as Treat as Authenticated (which will blindly set all messaging from them as authenticated) or you can enable SIP authentication trust mode. This will make your VCS automatically trust any SIP message from the far site that is already considered authenticated. This will require the far site to also have proper authentication configured for their devices.

- Zac
