TelePresence VCS X7.2 - Cisco Support Community - Cisco · 2013-09-10 · Cisco TelePresence Video

Post on 14-Jun-2018


  • Slide 1. 2011 Cisco and/or its affiliates. All rights reserved.

    Cisco TelePresence Video Communication Server X7.2 Introduction

  • Slide 2

    Intelligent Conference Control and Management

    Flexible and Scalable to suit any Environment

    Standards-based, industry leading Interoperability

    Communicating across the Firewall

    Seamless interworking with Microsoft Lync/OCS and VoIP

    Enhanced Solution for New and Existing Customers

  • Slide 3

    Greater Flexibility, Scalability and Resilience

      Media encryption policy
      New filter mechanism for call and registration management

    Secure System Management

      Account Security Enhancement
      Firewall rule system access control

    Simpler Deployment

      Certificate request generator

    Enhancement and Usability Improvement

      Enhanced Diagnostics
      Enhanced Search rules

  • Slide 4

    System Feature Enhancement and Improvement

    Account Security Enhancement

    Enhanced Diagnostics

  • Slide 6

    Controls the media encryption policy applied by the VCS for SIP calls (including H.323 to SIP interworked calls) to and from this zone (SIP on the zone). Media encryption can be:

      Only allow encrypted media (configured on SIP-only zone)
      Only allow unencrypted media (configured on SIP-only zone)
      Force best effort encryption
      Allow endpoints to decide (same as pre-X7.2)

    IMPORTANT: SIP and interworked call feature only (not H.323 native).

    The interworking function keeps the encryption state the same: H.323 same as SIP.

    TLS is needed for media encryption: the VCS will strip the a=crypto encryption key line(s) if the transport protocol is not TLS.

  • Slide 7

    Controls the media encryption policy applied by the VCS for SIP calls (including H.323 to SIP interworked calls) to and from this zone.

    Parameter     Definition
    On            All media must be encrypted.
    Off           All media must be unencrypted.
    Best effort   Use encryption if available, otherwise fall back to unencrypted media.
    Auto          No specific media encryption policy is applied by the VCS. Media encryption is purely dependent on endpoint requests.

  • Slide 8

    Controls the media encryption policy applied by the VCS for SIP calls (including H.323 to SIP interworked calls) to and from this zone. Uses B2BUA functionality.

      Any encryption setting other than Auto will force the call through the B2BUA (100 calls limit)
      Encryption can be different on each side of the B2BUA

    [Diagram labels: Encryption Media Mode: On; Encryption: Off; Encryption: Auto; Encryption Media Mode: Auto]

    Encryption call:

      Channels 1 (type=Incoming):
        Rate: 512
        Restrict: Off
        IPLR: Off
        Encryption (status=On):
          Type: AES-128
          CheckCode: "FB58AE4309657BEA"
      Channels 2 (type=Outgoing):
        Rate: 512
        Restrict: Off
        IPLR: Off
        Encryption (status=On):
          Type: AES-128
          CheckCode: "FB58AE4309657BEA"

    Non-encryption call:

      Channels 1 (type=Incoming):
        Rate: 512
        Restrict: Off
        IPLR: Off
        Encryption (status=Off): /
      Channels 2 (type=Outgoing):
        Rate: 512
        Restrict: Off
        IPLR: Off
        Encryption (status=Off): /

  • Slide 9

    Controls the media encryption policy applied by the VCS for SIP calls (including H.323 to SIP interworked calls) to and from this zone.

    Configured on a per zone/subzone basis and available on Expressway and Control:

      Including the DNS zone for calls to the internet
      Including the Default Zone and Default Subzone for incoming calls

  • Slide 10

    Controls the media encryption policy applied by the VCS for SIP calls (including H.323 to SIP interworked calls) to and from this zone.

    Diagnostics:

      SIP-SIP call: debug level logging on the Network log and B2BUA calls log
      SIP-H.323 call: debug level logging on the Network log, Interworking log and B2BUA calls log

  • Slide 11

    Controls the media encryption policy applied by the VCS for SIP calls (including H.323 to SIP interworked calls) to and from this zone.

      SIP UA-1, registered on the VCS-C, makes a non-encrypted call to SIP UA-2 on the public network
      The VCS-E forces an encrypted call to the public SIP UA

    [Diagram labels: Encryption Media Mode: Off; Encryption: Auto; Encryption Media Mode: Auto; Encryption: Off; call legs marked Non-encryption call (three) and Encryption call (one)]

  • Slide 12

    Default traversal media port range update

      The default Traversal Subzone media port range is now 50000 - 54999 (previously 50000 - 52399), in order to support the new media encryption policy feature.
      To reflect this change, system administrators may need to modify the rules configured in their firewall devices.

  • Slide 13

    Controls whether the certificate is checked when a TLS connection is made to the Default Zone of a VCS.

      If enabled, the certificate hostname (also known as the Common Name) is checked against the patterns specified in the Default Zone access rules.

    Checking of certificates for incoming TLS connections

      Note: this setting does not affect other connections to the Default Zone (H.323 and SIP UDP/TCP); the VCS will not check them.

    IMPORTANT: This feature works for SIP-TLS signaling only.

  • Slide 14

    Checking of certificates for incoming TLS connections

    The following alarm is raised when this feature is enabled:

      Either disable UDP and TCP on the SIP configuration page to enforce certificate identity checking using TLS, or disable the access rules for the Default Zone.

    Define rules identifying which certificate hostnames should be allowed or denied.

      Configure who is allowed to connect to the Default Zone via regex matching on the certificate Common Name / alt names
      Supports up to a maximum of 10,000 regexes on the Default Zone

  • Slide 15

    Ability to specify a TLS verify subject name to use when verifying the destination system server's certificate.

      The certificate holder's name to look for in the destination system server's X.509 certificate

  • Slide 16

    DNS queries can now be configured to use the ephemeral port range or to use a customized range

  • Slide 17

    VCS now supports the UPDATE message before answer.

    During the set-up phase of a call, devices (like CUCM) may send SIP UPDATE messages containing information relating to the remote device, for example:

      routing a call to an alternative location to the original request
      providing far end destination ID

    Note: The CUCM zone has been updated and SIP UPDATE strip mode is Off.

  • Slide 18

    Ability to interwork H.323 flowControlCommand messages into TMMBR.

      TMMBR: RFC 5104 Temporary Maximum Media Stream Bit Rate Request
      This provides the ability to stem the flow of data from a remote participant, which provides a better user experience when a call participant wishes to rate limit a particular media stream.

    Note:

      SIP: the client (endpoint/MCU) needs to support TMMBR for this to work
      Look for it being negotiated in the SDP offer/answer. The SIP negotiation must have the following attribute in the SDP: a=rtcp-fb:* ccm tmmbr

  • Slide 19

    Sample SDP with TMMBR capability (from VCS)

      2012-04-09T11:48:39+09:00 tkyvcs30 tvcs: UTCTime="2012-04-09 02:48:39,876" Module="developer.iwf" Level="DEBUG" CodeLocation="ppcmains/oak/calls/iwf/IIWFTarget.cpp(327)" Method="IIWFTarget::sendSipRequestToLeg" Thread="0x7f0a87ffd700": State="IWFConnectingSipOutLegState" Global-CallId="823d53e4-81ee-11e1-b4c3-0010f31fa8f4" Local-CallId="823ed5de-81ee-11e1-baa8-000c29ef4dd3" rRequest="ACK sip:8000@ciscotp.com;gr=urn:uuid:aa0deab8-d842-5307-a336-a0f7a221cb79 SIP/2.0
      Via: SIP/2.0/TCP 127.0.0.1;branch=z9hG4bKd7f3b0ed98a0069e1deb0ea384b402181794
      Call-ID: 0493aae26f5ba5d8@127.0.0.1
      CSeq: 30620 ACK
      From: ;tag=a6dbc21c60ceb4ea
      To: ;tag=F6C3AB40C0020001
      Max-Forwards: 70
      Route:
      User-Agent: TANDBERG/4120 (X7.2PreAlpha6)
      Content-Type: application/sdp
      Content-Length: 974

      v=0
      o=tandberg 0 1 IN IP4 127.0.0.1
      s=-
      c=IN IP4 127.0.0.1
      b=AS:512
      t=0 0
      m=audio 1024 RTP/AVP 9 8 0 101
      b=TIAS:64000
      a=rtpmap:9 G722/8000
      a=rtpmap:8 PCMA/8000
      a=rtpmap:0 PCMU/8000
      a=rtpmap:101 telephone-event/8000
      a=fmtp:101 0-15
      a=sendrecv
      a=rtcp:1024 IN IP4 127.0.0.1
      m=video 1024 RTP/AVP 97 98 34 31
      b=TIAS:512000
      a=rtpmap:97 H264/90000
      a=fmtp:97 profile-level-id=42800c;max-br=425;max-mbps=12000;max-fs=768;max-smbps=36000
      a=rtpmap:98 H263-1998/90000
      a=fmtp:98 custom=1024,768,4
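Added example (not part of the original slides and not Cisco code): a small SDP audit for the two attributes the slides tell you to look for when reading the debug logs, the a=crypto key lines that the VCS strips when the signalling transport is not TLS, and the a=rtcp-fb:* ccm tmmbr attribute needed for TMMBR interworking. The function names and the sample SDP are assumptions constructed for illustration; the stripping rule is modelled only from the slide's statement.

```python
# Constructed sample SDP (not from a real call); the key is a placeholder.
SAMPLE_SDP = """v=0
o=- 0 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 50000 RTP/SAVP 9 8
a=rtpmap:9 G722/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER-KEY-NOT-REAL
m=video 50002 RTP/AVP 97
a=rtpmap:97 H264/90000
a=rtcp-fb:* ccm tmmbr
"""

def media_sections(sdp):
    """Split an SDP body into per-media sections (lines after each m= line)."""
    sections = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            sections.append({"m": line[2:].split(), "attrs": []})
        elif sections and line:
            sections[-1]["attrs"].append(line)
    return sections

def is_tmmbr(attr):
    """True for an RFC 5104 'a=rtcp-fb:<pt|*> ccm tmmbr' attribute."""
    if not attr.startswith("a=rtcp-fb:"):
        return False
    fields = attr[len("a=rtcp-fb:"):].split()
    return fields[1:3] == ["ccm", "tmmbr"]

def audit_sdp(sdp, transport):
    """Per media section: keying offered, keying kept by the VCS, TMMBR offered."""
    tls = transport.upper() == "TLS"
    report = []
    for sec in media_sections(sdp):
        has_crypto = any(a.startswith("a=crypto:") for a in sec["attrs"])
        report.append({
            "media": sec["m"][0],
            "crypto_offered": has_crypto,
            # Per the slide: a=crypto lines are stripped when signalling is not TLS.
            "crypto_after_vcs": has_crypto and tls,
            "tmmbr": any(is_tmmbr(a) for a in sec["attrs"]),
        })
    return report

if __name__ == "__main__":
    for transport in ("TLS", "TCP"):
        print(transport, audit_sdp(SAMPLE_SDP, transport))
```

The a=crypto attribute carries the SRTP key material inline in the SDP, which is why it is only useful when the signalling that carries it is itself protected by TLS.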
