Codian MCU 4505 Content Encryption not possible

Paul Woelfel
Level 4

Hi,

I'm having an issue with MCU 4505:

If I set the SIP trunk to the Codian MCU (to route calls with a specific prefix) to the MCU to TLS instead of TCP, the content channel could not be seen on other participants. I see in the participant statistics that the content channel is sent from an endpoint to the MCU, but not received from the other participants. In the conference overview I see the following message:

Content tx: encryption not possible

I checked the docs, but the description of this cause is not really self-explanatory:

The MCU is unable to send encrypted content video to this participant.

If I set the trunk to TCP, no encryption is used and the presentation sharing works as expected. Basically, the encryption works fine, because video and audio channels are received and sent as expected.

Anyone else experiencing this issue, or any ideas how to solve this?

BTW: Software Versions:

MCU 4505 4.3(1.68)

EX60 TC 5.1.4

Jabber 4.5

C20 TC 5.1.4

Regards,

Paul

4 Replies

luchand
Level 1

This is noted as a known limitation in the release notes:

"The transmission of SIP content from the MCU using Binary Floor Control Protocol (BFCP) is not supported on encrypted calls. To allow content to be transmitted over SIP calls in a separate channel from main video, you should disable encryption on the MCU or on the target endpoint."

The MCU supports transmission of encrypted content on H.323 calls only, but not SIP.

Thanks Luc for your quick answer!

Is this going to be fixed in any version soon?

Regards, Paul

If call encryption is mandatory for the customer, you may use Media encryption mode on the VCS as a workaround for now.

The idea is to have an encrypted call between the endpoint and the VCS, and then a non-encrypted call between the VCS and the MCU.

The VCS will take the media, and the call will go through the B2BUA on the VCS to handle the encryption/non-encryption process.

If the VCS and the MCU are deployed in the same location, this solution should maintain a certain level of conference security by having an encrypted call between the endpoint and the VCS.

Media encryption mode was introduced in the X7.2 VCS software release.

Hi Tomonori,

Thanks, it works as expected. The only pitfall is that I have to create a separate zone for H.323 and SIP:

H.323 cannot be enabled on this zone if SIP media encryption mode is "Force encrypted" or "Force unencrypted".

So the call rules have to be duplicated for the MCU calls. (I have special rules for different auto attendants)

Regards, Paul