VCS Expressway CPL rules and AD authentication

Maksim Petlin
Level 1

Hi to All,

I have a problem with writing a CPL script.

I've successfully set up the AD direct authentication deployment "VCS Control and VCS Expressway with Active Directory (direct) authentication on VCS Control". Now I'm faced with the next task: it is necessary to adjust external registration requests and calls via VCS E. There are two requirements:

  1. to allow all registration requests from external Movi clients with SIP domain "vc.met.com" (for corporate domain users). These authentication requests should be checked via AD domain controllers. Those users, who pass the authentication process, will be allowed all local and external calls.
  2. for external (guest) call requests I want to restrict access to one destination (E.164 alias "7089" or SIP URI "7089@vc.met.com"). All other requests should be denied.

What I've already done:


<taa:routed>
  <address-switch field="unauthenticated-origin" subfield="host">
    <address subdomain-of="vc.met.com">
      <proxy/>
    </address>
    <otherwise>
      <reject status="403" reason="Denied by policy"/>
    </otherwise>
  </address-switch>
</taa:routed>

This script allows Movi registration requests with SIP domain "vc.met.com" to pass, as I need.

But how can I modify the rule for the second requirement?

I would appreciate any help.

Thanks in advance!

Maksim.


Maksim Petlin
Level 1

Dear colleagues and experts,

Does anyone have any thoughts about CPL scripting for that task, or another way to solve it?

Replace VCSzoneName with the exact name of your VCS control zone.

Replace ExpresswaysIPaddress with the external IP of your expressway.

Set your expressway's default zone to "Do Not check credentials", set whichever zone jabbers register on your VCS control to "Check credentials", and set your VCS control to accept proxied registrations.

If you don't already have a transform or a search rule that strips part of the regex or suffix, you'll need to strip the IP address off of the E164@expresswaysipaddress.

<?xml version="1.0" encoding="UTF-8"?>
<cpl xmlns="urn:ietf:params:xml:ns:cpl" 
  xmlns:taa="http://www.tandberg.net/cpl-extensions" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
  xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
 <taa:routed>
  <taa:rule-switch>

    <!-- allow calls originating from endpoints registered to VCS Control -->
    <taa:rule originating-zone="VCSzoneName" destination=".*">
      <proxy />
    </taa:rule> 

    <!-- allow jabber user registration User ID (dots escaped so they match literally) -->
    <taa:rule unauthenticated-origin="(.*)@vc\.met\.com" destination=".*">
      <proxy />
    </taa:rule>

    <!-- MCU External VC RM SIP -->
    <taa:rule origin=".*" destination="7089@vc\.met\.com">
      <proxy />
    </taa:rule>

    <!-- MCU External VC RM H323 pre-transform -->
    <taa:rule origin=".*" destination="7089@ExpresswaysIPaddress">
      <proxy />
    </taa:rule>

    <!-- MCU External VC RM H323 post-transform -->
    <taa:rule origin=".*" destination="7089">
      <proxy />
    </taa:rule>

    <!-- reject calls from all other sources -->
    <taa:rule origin=".*" destination=".*">
      <reject status="403" reason="Incoming Calls Rejected"/>
    </taa:rule>

  </taa:rule-switch>
 </taa:routed>
</cpl>

Hi Derek,

Could this script be used for ISDN?

Regards,

Emma

For an ISDN GW? Or do you mean to stop dial-through fraud, where someone is bouncing in via the expressway to your ISDN GW or phone network?

Thanks for your reply Derek,

Yes, I mean hairpin dialing.

Emma

Something like the following should work. Dunno the exact requirements of your environment; change the 9(.*) to whatever your prefix to dial outbound is: 8(.*) or 064(.*) or whatever. And add whatever other rules above and below. Rules run in order, so specific match rules need to be higher than generic catch-all rules, which should be at the bottom.

<?xml version="1.0" encoding="UTF-8"?>
<cpl xmlns="urn:ietf:params:xml:ns:cpl" 
  xmlns:taa="http://www.tandberg.net/cpl-extensions" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
  xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
 <taa:routed>
  <taa:rule-switch>

    <!-- Block ISDN GW DTF dialing -->
    <taa:rule origin=".*" destination="9(.*)">
      <reject status="403" reason="Incoming Calls Rejected"/>
    </taa:rule>

  </taa:rule-switch>
 </taa:routed>
</cpl>
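
An added example, not part of the original thread and not Cisco code: a small Python harness that loads a `taa:rule-switch` and reports which rule decides a call, so the effect of rule order can be checked before a script is uploaded. It assumes first-match-wins evaluation as described in the reply above, case-insensitive regexes that must match the whole alias, and an empty string for absent fields; the policy (the thread's guest rules with the ISDN block rule on top) and the sample callers `guest@example.org` and `user@vc.met.com` are constructed.

```python
import re
import xml.etree.ElementTree as ET

TAA = "http://www.tandberg.net/cpl-extensions"

# Constructed policy: the thread's guest rules with the ISDN block rule on top.
POLICY = r"""<cpl xmlns="urn:ietf:params:xml:ns:cpl" xmlns:taa="http://www.tandberg.net/cpl-extensions">
 <taa:routed><taa:rule-switch>
  <taa:rule origin=".*" destination="9(.*)"><reject status="403" reason="Incoming Calls Rejected"/></taa:rule>
  <taa:rule unauthenticated-origin="(.*)@vc\.met\.com" destination=".*"><proxy/></taa:rule>
  <taa:rule origin=".*" destination="7089@vc\.met\.com"><proxy/></taa:rule>
  <taa:rule origin=".*" destination="7089"><proxy/></taa:rule>
  <taa:rule origin=".*" destination=".*"><reject status="403" reason="Incoming Calls Rejected"/></taa:rule>
 </taa:rule-switch></taa:routed>
</cpl>"""

def load_rules(cpl_text):
    """Return [(conditions, action)] for every taa:rule, in document order."""
    rules = []
    for rule in ET.fromstring(cpl_text).iter(f"{{{TAA}}}rule"):
        conds = {field: re.compile(rx, re.IGNORECASE) for field, rx in rule.attrib.items()}
        action = rule[0].tag.rsplit("}", 1)[-1]  # first child: 'proxy' or 'reject'
        rules.append((conds, action))
    return rules

def decide(rules, call):
    """Return (rule index, action) of the first rule whose conditions all match."""
    for index, (conds, action) in enumerate(rules):
        # Assumption: a regex must match the whole alias; absent fields are "".
        if all(rx.fullmatch(call.get(field, "")) for field, rx in conds.items()):
            return index, action
    return None, None  # no rule matched; the harness makes no claim here

def call(source, destination):
    """Constructed unauthenticated call: the claimed source fills both origin fields."""
    return {"origin": source, "unauthenticated-origin": source, "destination": destination}

if __name__ == "__main__":
    rules = load_rules(POLICY)
    misordered = rules[1:] + rules[:1]  # block rule moved below the catch-all
    for src, dst in [("guest@example.org", "7089@vc.met.com"),
                     ("guest@example.org", "1234@vc.met.com"),
                     ("user@vc.met.com", "90123456789")]:
        print(src, "->", dst, decide(rules, call(src, dst)), decide(misordered, call(src, dst)))
```

With the block rule first, a `9...` destination is rejected for every caller; moved below the other rules, the same call from a claimed `@vc.met.com` origin is proxied by the domain rule before the block rule is ever reached.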

Thank you Derek, I will test that today.

Emma
