We have deployed VCS Control with VCS Expressway for firewall traversal and encountered an issue. On the VCSe call status, it says 403 forbidden when an external endpoint registered as SIP on the VCSe initiates a call to an internal endpoint registered as SIP to VCSc.
Here are some of the test scenarios we conducted and results:
1. Internal endpoints SIP registration to VCSc - OK
2. External endpoint SIP registration to VCSe - OK
3. Internal endpoint to internal endpoint SIP calls via VCSc - OK
4. External endpoint to external endpoint SIP calls via VCSe - OK
5. Internal endpoint to external endpoint SIP call via VCSc and VCSe - OK
6. External endpoint to internal endpoint SIP call via VCSc and VCSe - Failed (403 forbidden)
Item 6 is the only problem we are trying to resolve.
What needs to be checked?
Acevirgil de Ocampo
I definitely recommend creating a subzone for Movi, as you can also control bandwidth. I never register anything to the default subzone on the Expressway and disable registration for security purposes. Movi clients register to their own subzone along with subzones for other specific things.
For security's sake, I don't like not checking for credentials on the Expressway, especially if you have an ISDN gateway or perhaps the Control has a route out to the PSTN. Toll fraud is not sweet.
I have always deployed SSO via LDAP vs local authentication. It gets tricky when you can't join the Expressway to the domain but still want to authenticate and check credentials. The trick is you need to create a local user on Expressway, then actually create the same identical username and password in Active Directory. Then in TMS, push out these credentials using the configuration template for the version / device of MOVI.