I want to restrict both incoming and outgoing calls to only specific devices. I have created call policies that seem to work as long as the endpoint is registered with the VCS; however, if the endpoint is not registered, it simply passes the call despite the call policy. What am I doing wrong? I can't list my rules as the source and destination names are confidential; however, I did attempt to create a generic catch-all policy like this.
Source: .* Destination: .*. Reject
If I understand this correctly, that should mean that any source trying to call any destination would be rejected if not specifically covered by a higher priority rule, correct?
You shouldn't have a second dot in your destination regex (you have .*.); you should simply use .* for both source and destination in your catch-all reject (which should be the bottom rule on your VCS).
I've seen this issue before.... well on X6.1 if you put .* for the source it doesn't match everything all the time.
If you leave the source blank (represents an unauthenticated user) this usually works.
What alias are you calling from the unregistered device?
Are calls from this device to said endpoints hitting the Default Zone on your VCS?
What is the authentication setting for the Default Zone on your VCS?
If you take a diagnostics log on the VCS (with Network Log level = DEBUG) and place a test call, you will see the CPL logic and decision-making in the diagnostic log; this should help you pinpoint the issue if you are able to interpret the contents of the log.
I am calling one of my registered aliases. Unfortunately, I can't post the actual name of it.
How can I tell if the calls are hitting the default zone?
The authentication policy is set to "Do not check credentials". Is this where it should be set?
I started a new log and placed a test call and then stopped the log. What am I looking for in the log?
If you are calling a registered alias from an unregistered endpoint, I'm curious to know how the call actually makes it from the unregistered endpoint to the VCS. In what format is the alias which you are calling?
'Do not check credentials' is the recommended setting for the Default Zone, and means that the Source of this call will be blank as far as the CPL rule generator is concerned (since the rule generator uses authenticated-origin for source).
In the log you are looking for lines containing 'network.cpl'. Perhaps you can send me the log via PM?
First of all, it is not that hard to write a CPL file yourself. You can also check what the CPL file looks like after you have created entries with the wizard.
But I just tried it with X7 and it worked fine:
The CPL for this looks like:
Be aware that there is also an order of the rules; the first rule matching wins.
Regarding the question of how to check which zone the call came from: if you look at the search details in the call history of a call, you will see it under "zone":
If you are looking for call control on unregistered endpoints, you may use CPL with “
Below is an example of the call process for a call from an unregistered endpoint/MCU.
<address-switch field="registered-origin">
<!-- reject the call from a non-registered device to a destination alias starting with 8 -->
<!-- redirect the call to the call reception endpoint (alias 0000) if the call is from a non-registered device to a destination alias starting with 9 -->
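An added example, not part of the original thread or any poster's own CPL: a complete call policy file that branches on registered-origin and applies the two behaviours described in the last post, plus the catch-all reject asked about in the original question. The regexes `8.*` and `9.*`, the reject reasons and the catch-all branch are assumptions; the element names follow the CPL syntax documented for VCS and should be checked against the admin guide for your software version.

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Added example; patterns and reasons below are illustrative assumptions. -->
<cpl xmlns="urn:ietf:params:xml:ns:cpl"
     xmlns:taa="http://www.tandberg.net/cpl-extensions"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
  <taa:routed>
    <!-- registered-origin is only present when the caller is registered to this VCS -->
    <address-switch field="registered-origin">
      <not-present>
        <!-- Caller is not registered here: decide on the dialled alias.
             Branches are evaluated top to bottom; the first match wins. -->
        <address-switch field="destination">
          <!-- Assumed pattern: destination alias starting with 8 is rejected -->
          <address regex="8.*">
            <reject status="403" reason="Unregistered caller denied"/>
          </address>
          <!-- Assumed pattern: destination alias starting with 9 is
               redirected to the call reception endpoint (alias 0000) -->
          <address regex="9.*">
            <location clear="yes" url="0000">
              <proceed/>
            </location>
          </address>
          <!-- Catch-all for every other destination dialled by an
               unregistered caller; remove this branch to let them through -->
          <otherwise>
            <reject status="403" reason="Denied by call policy"/>
          </otherwise>
        </address-switch>
      </not-present>
      <!-- Registered callers match no branch here and proceed normally -->
    </address-switch>
  </taa:routed>
</cpl>
```

Place a test call with diagnostic logging enabled and check the 'network.cpl' lines to confirm which branch each call takes before relying on the catch-all.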