I've got a question regarding Jabber Clients registered to the Traversal Zone of the VCS-C via VCS-E. I've set all challenging settings acording the VCS Device authentication guide 7.2 and the jabbers are able to register.
BTW: Proxying the authentication also works with Default Zone and Default Subzone set to check credentials. In the authentication guide and this discussion it is recomended to set it to "do not check credentials". I just created a search rule for the domain and pointed it to the traversal zone and set the proxy mode to "Proxy to known only".
If I try to call a local endpoint it works fine and the call is challenged and authenticated. If I try to call an external participant I'm not able to make a call. According to the guide, it should be possible, to route the call to VCS-C to check the credentials and then route it back to the VCS-E. If I check my search rules, the call is routed from Expressway to Control, but then the search rule (any alias, any source, no authentication required) does not match. So client registered to the Traversal Zone is not able to call an external participant.
If I check the search history, I see the search is routed to the VCS Control:
I created a Search Rule on the VCS-Control:
So this rule should match in any case (if the previous didn't stop searching), but it does not:
I also checked the poison mode, but it is set to off. For me it looks like, a search rule pointing to the source of the call is not considered, when making a call.
What am I missing to route the call from external -> VCS-E -> VCS-C -> VCS-E -> DNS ?
I found a solution:
I created a second Traversal Client Zone called "TraversalOut" to the same Expressway. As a call is routed to VCSC it uses the first Traversal Client as source zone and a search rule targeting the new TraversalOut zone will forward the call back to the Expressway.
With this setup it is possible the authenticate users registered to traversal zone and make use of findme source rewriting.
Is there any better solution to realize this?
Sent from Cisco Technical Support iPhone App
One way this works is to put a search rule on the VCS-E of ANY ALIAS > EXTERNAL DNS before the rule that passes any alias to the traversal zone. Logically you would think to check internal, then external, but this fixes the problem of Movi clients from outside, registering to the inside, then calling outside locations.
I had this before, but this is not quite the solution I want. The main issue is, that anyone could use your system to dial an external participant, because the source of the call is not authenticated. To get more security I added some CPL rules, so only special sources are allowed to dial out from the Expressway.
The second issue is that the source address is not rewritten to the FindeMe address, because the Expressway do not know about these addresses.
So the call has to go through the VCS-C to check the credentials and rewrite the source address.
I think looping the traffic through the vcsc is not good as it consumes additional resources and will conflict with the loop detection.
An other option I saw was to use one single local auth account. The provisioning request will be handled by the vcs-c and this tells the jabber video client wich username/password to use. Its not great, as its only one password but at least
its not revealed to your users.
I would see that the vcs-e can properly authenticate the calls. Do you use ntlm or ldap auth?
Talk to your ldap/security/firewall/win-admin guys, maybe you find a secure way for your organization
to let the vcs-e access the auth db, if its ldap or ad.
Please remember to rate helpful responses and identify