
Jabber and Encryption

chrischelvy
Level 1

Hi,

We have a situation where C Series endpoints can't see any content from Jabber users when they are on an MCU encrypted call. But when they are on a point-to-point encrypted call, the content is working. When only C Series endpoints are on an MCU call, the calls are encrypted and content is working.

The customer uses the MSE 8510 as a conference bridge. All the C Series endpoints have been configured with encryption mode "Best Effort". The Jabber client encryption mode is set to "Auto".

Also, the MSE 8510 has been configured with encryption mode "Enabled". So, by default, all calls will be encrypted, whether point-to-point or MCU calls.

During an MCU call between a C Series endpoint and Jabber, I can see the Jabber client sending encrypted content, but the MCU couldn't send the encrypted content to the C Series endpoint, saying "not Supported".

In this particular scenario, Jabber is sending encrypted content because the call has been set up with encryption (by default), and then the content follows the main video channel (no separate channel like a C Series endpoint). So the MCU received the encrypted content.

So, my question is: can the C Series endpoint receive or send encrypted content?

Note: if I "turn off" the encryption on the C Series endpoint, then the content is working between Jabber and the C Series on an MCU call.

Thanks

Regards,

Chris

9 Replies

Patrick Sparkman
VIP Alumni

There is a known limitation in which encryption prevents content sharing for SIP endpoints when connected to an MCU such as the MSE8510.  Currently we have encryption enabled on all of our H323 endpoints, but have it disabled on SIP.

MCU v4.3 release notes:

The transmission of SIP content from the MCU using Binary Floor Control Protocol (BFCP) is not supported on encrypted calls. To allow content to be transmitted over SIP calls in a separate channel from main video, you should disable encryption on the MCU or on the target endpoint.

I'm not sure what the difference is between an encrypted point-to-point call and using the MCU, but I'd hope they would get it working, because for those that require all calls to be completely encrypted it can cause some issues since it hinders content sharing between endpoints.

Is this a known limitation to MSE8510 MCU only?

I can make an encrypted Jabber call to our 4520 MCU (latest firmware) and can send encrypted content to a C40 codec (also latest firmware). The C codec is connected via H.323; as a Jabber client I am using CiscoFreeJabber Service.

I think it applies to any MCU that runs the current v4.3 software, you'd have to check the release notes for exact models.


According to the release notes the following MCUs are supported, which contain the limitation:

Cisco TelePresence MCU 4200 Series

Cisco TelePresence MCU 4500 Series

Cisco TelePresence MCU 4501 Series

Cisco TelePresence MCU MSE 8420

Cisco TelePresence MCU MSE 8510

chrischelvy
Level 1

Thanks Patrick. Yes, it is mentioned in the release notes. It is not resolved yet.

I only tested and found this issue between the Jabber client and the C Series endpoint (SIP registered).

Would it be the same result when 2 C Series endpoints (SIP registered and using encryption) call MCU virtual meeting rooms and share content?

Thanks

Regards,

Chris

Patrick Pettit
Cisco Employee

Hi Chris. As Patrick pointed out, this is a limitation of the MCU. It can receive encrypted content over SIP, but if the far end or any participant on the MCU is connected over SIP and is encrypted, they will more likely receive content in the main video channel. Another option here is to interwork and have the endpoints connect as H323, and you shouldn't see a problem.

Let us know?

Thanks.

VR

Patrick P.

Tomonori Taniguchi
Cisco Employee

This is a limitation of the MCU with the current release, including the latest 4.3 maintenance release version.

== From MCU 4.3(2.32) release note ========

Binary Floor Control Protocol on encrypted calls

The transmission of SIP content from the MCU using Binary Floor Control Protocol (BFCP) is not supported on encrypted calls. To allow content to be transmitted over SIP calls in a separate channel from main video, you should disable encryption on the MCU or on the target endpoint.

=====================================

Several workarounds have already been mentioned in this discussion, but you may also use "Media encryption mode" on VCS, introduced in the X7.2 release.

You can create a subzone for the MCU and register the MCU in it so this media encryption mode only applies to the specific MCU (and you are also able to control encrypted/non-encrypted calls per H323/SIP call by using a search rule; an X7.2 search rule can define the call protocol and also the source/destination as low as subzone level).

For more detail on the new search rule and media encryption mode, please refer to https://supportforums.cisco.com/docs/DOC-26316.

Thanks Tom & Patrick.

At least, can they receive the content on the main video channel?

Any time frame from Cisco to enable this feature on the MCU? Because most of the customers are going with SIP, it is an important feature missing from the MCU.

Thanks.

Yes, you are still able to transmit the presentation in one of the main stream panels.

Unfortunately there is no clear plan to support encrypted BFCP in the MCU at this point.

I suggest reaching out to your Cisco representative and raising this as a feature request (which helps to prioritize this RFE with customer voice).
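
Added example, not part of the thread and not Cisco code: on an encrypted SIP call, the SDP answer shows whether the separate content channel survived negotiation, since a stream rejected in an answer carries port 0. The SDP below is constructed for illustration (it was not captured from an MCU), and `parse_media` and `content_status` are hypothetical helper names.

```python
# Constructed SDP answer (not captured from an MCU): audio and main video are
# SRTP, while the BFCP floor-control and slides streams are rejected (port 0).
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 50000 RTP/SAVP 9
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY
m=video 50002 RTP/SAVP 97
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY
a=content:main
m=application 0 UDP/BFCP *
m=video 0 RTP/SAVP 97
a=content:slides
"""


def parse_media(sdp):
    """Return one dict per m= section with port, transport, role and crypto flag."""
    sections = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            sections.append({"kind": kind, "port": int(port.split("/")[0]),
                             "proto": proto, "content": None, "crypto": False})
        elif sections and line.startswith("a=content:"):
            sections[-1]["content"] = line.split(":", 1)[1]
        elif sections and line.startswith("a=crypto:"):
            sections[-1]["crypto"] = True
    return sections


def content_status(sdp):
    """Summarise whether media is SRTP and whether a separate content channel survived."""
    active = [m for m in parse_media(sdp) if m["port"] != 0]  # port 0 = stream rejected
    encrypted = any(m["proto"].startswith("RTP/SAVP") and m["crypto"] for m in active)
    bfcp = any(m["kind"] == "application" and m["proto"].endswith("BFCP") for m in active)
    slides = any(m["kind"] == "video" and m["content"] == "slides" for m in active)
    channel = "separate" if bfcp and slides else "main-video-only"
    return {"encrypted": encrypted, "content_channel": channel}


if __name__ == "__main__":
    print(content_status(SAMPLE_SDP))
```

Run it against the SDP from a SIP trace of the affected call; `main-video-only` together with `encrypted: True` matches the behaviour described in the release note quoted above.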