Setting up secure VCS traversal zones
To support Unified Communications features such as mobile and remote access, there must be a secure
traversal zone connection between the VCS Control and the VCS Expressway:
n The traversal client zone and the traversal server zone must be configured to use SIP TLS with TLS verify
mode set to On, and Media encryption mode must be Force encrypted.
n Both VCSs must trust each other's server certificate. As each VCS acts both as a client and as a server
you must ensure that each VCS’s certificate is valid both as a client and as a server.
n If a H.323 or a non-encrypted connection is required, a separate pair of traversal zones must be configured.
To set up a secure traversal zone, configure your VCS Control and VCS Expressway as follows:
1. Go to Configuration > Zones > Zones.
2. Click New.
3. Configure the fields as follows (leave all other fields with default values):
VCS Control VCS Expressway
Name "Traversal zone" for example "Traversal zone" for example
Type Traversal client Traversal server
Username "exampleauth" for example "exampleauth" for example
Password "ex4mpl3.c0m" for example Click Add/Edit local authentication database,
then in the popup dialog click New and enter
the Name ("exampleauth") and Password
("ex4mpl3.c0m") and click Create credential.
H.323 Mode Off Off
SIP section
Mode On On
Port
7001 7001
Transport TLS TLS
Unified
Communications
services
Yes Yes
TLS verify mode On On
TLS verify subject
name
Not applicable Enter the name to look for in the traversal
client's certificate (must be in either the Subject
Common Name or the Subject Alternative
Name attributes). If there is a cluster of traversal
clients, specify the cluster name here and
ensure that it is included in each client's
certificate.
Media encryption
mode
Force encrypted Force encrypted
Authentication section
Cisco VCS Administrator Guide (X8.1.1) Page 74 of 507
Unified Communications
Configuring mobile and remote access on VCS
To Next Page
Loading...
