2095 Views | 10 Helpful | 3 Replies

Understanding procedures and best-practices for FindMe deployment

Michael Boscia
Level 4

I have successfully upgraded to TMS 13.2 with TMSPE and VCS-C/E to x7.1.

I have two MCUs, a TCS, and a small number of physical endpoints and Jabber Video (JV) users inside my network directly registered to my VCS-C in a couple of different subzones based on what they are.

I have many, many more endpoints that come into the environment through my VCS-E: dozens and dozens of JV and Cisco Jabber users, a handful of EX90s, and a dozen E20s, and more endpoints are coming soon.

What I am not quite grasping is how to configure the VCS-E and the VCS-C to work together to send the signaling traffic from the VCS-E inside the network so that the URI of the devices can be transformed by FindMe when they make outgoing calls, and also so that the {first_name}.{last_name}@domain.com URI works when calling in.

I see the sections in the document Cisco_VCS_Authenticating_Devices_Deployment_Guide_X7-1.pdf, Appendix 12 beginning on page 37, but I’m not entirely sure what to do with it.

I think my deployment scenario is VCS Control and VCS Expressway with Active Directory (direct) authentication on VCS Control, but it could also be VCS Control and VCS Expressway with Active Directory (direct) authentication for proxy registration, but I don’t understand the different implications of the two choices. 

There is a note in the explanation of proxy registrations that “Proxying registrations results in media traversing the firewall in more cases”, which I think would result in sending all my media from my remote sites to my VCS-E, something that I would like to avoid.

I have configured the default zone for “check credentials”, and all other zones are configured to “treat as authenticated” on the VCS-C.

On the VCS-E, all zones are set to “do not check”, and SIP Proxy Registration Mode is Off.

As a side note, I don’t yet have any of my externally registered devices talking to TMS, but having said that, I don’t understand how my EX90 shows up as having been provisioned for me anyway...

So with all these VCS-E registered devices and my environment set up the way it is, what do I need to do in order to use FindMe with my VCS-E registered devices, and will it cause most (or almost all) of my media to external parties to traverse the VCS-E before heading back out?

I am happy to post whatever configuration snippets are needed to get this working.


3 Replies

Paul Woelfel
Level 4

Hi Michael,

The difference between the two deployment scenarios is where the Jabber client is registered. If authentication and registration are proxied to the VCS Control, the Jabber client is registered on the VCS Control. As a result, all calls from external Jabber clients will go over the traversal zone from the VCS-E to the VCS-C and back outside if the called party is external. In this scenario the call will traverse the firewall two times.

As you explained, most of your endpoints will be outside of your network. IMHO it would be better to register external endpoints to the VCSE. I think the best deployment scenario would be "VCS Control and VCS Expressway, each with Active Directory (direct) authentication". All Jabber clients could be authenticated via NTLM, and a call between two external users will either go direct, if ICE succeeds, or through the TURN server of the VCS Expressway, but not traverse the firewall. For endpoints which do not support NTLM authentication (all other than Jabber), you'll have to maintain the credentials in the VCSE local database or via an H.350 LDAP database.

I'm not quite sure if TMS 13.2 could be used as an H.350 database. I've been using TMS 13.1.2 so far, but I had some issues (passwords not in sync). I'll give it a try when I have finished upgrading (work in progress...).

Regards, Paul

But isn't where the device has to go for registration authentication only part of the solution here?

I am also trying to get FindMe working for all externally registered endpoints.

Do I need to have provisioning, now TMSPE, turned on at the Expressway as well, and have VCS-E talk directly to TMS to rewrite IDs with FindMe?

First of all, to run FindMe you need the FindMe license (I did not check if this changed with TMSPE, but I would say the free Device Provisioning key) as well.

If most of your calls are VCS-E <> VCS-E calls anyhow, then yes, it makes sense to have FindMe on the VCS-E.

I would also keep the registrations on the VCS-E. I assume you did not have the domain added to the SIP domains; if you do so, the authentication will also be done on the VCS. If the TMSPE also works towards the VCS-E, the passwords shall get replicated to it as well.

With the registration on the VCS-E you could also use TURN/ICE/STUN on the VCS-E to offload JabberVideo-to-JabberVideo media traffic directly between clients where possible.

If you use an EX90 you can also use the provisioning; then you do not need to have a connection to the TMS for configuration purposes, but sure, you need to have it configured in the TMS provisioning directory.

Please remember to rate helpful responses and identify
