I'm trying to forbid some probing attacks on a VCS Expressway.
The calls come in from unknown@(various IP addresses), and go to either sip:(string of 12-17 numbers)@(ip address of VCS express), or the same thing without the SIP: prefix (as an H323 setup request), or the latter prefixed with a '+'.
I thought that putting in a Local CPL to reject calls from unknown@.* going to .* would work. The Locate tool on the VCS indicates that it does; it comes back with a Forbidden response. Yet, in practice, these call attempts are not Rejected. They are passed to the Control and back, where they are stopped as a Loop.
Does anyone know why my CPL isn't working, and how to make it work?
Are you writing your own CPL or are you using the CPL rule generator page on the VCS?
Assuming that these probing calls are coming in on the DefaultZone on the VCS, and that the DefaultZone is set to 'Do not check credentials', these incoming calls will be non-authenticated.
In order to use CPL to match non-authenticated calls, you have to use the 'unauthenticated-origin' CPL parameter rather than 'origin', and this cannot be achieved by using the CPL rule generator page (which only creates 'origin'-based CPL statements).
For a non-authenticated call, 'origin' will be an empty string, while 'unauthenticated-origin' will be a string containing the source alias of the call. This is described in more detail in the CPL reference section of the VCS Admin guide.
If you could paste the CPL snippets which you are using and which you think should be matching these incoming calls, it would probably be easier to assist you.
I am using the CPL rule generator page on the VCS, and thus I now understand why it's not working. The DefaultZone is set to 'Do not check credentials'.
So, it looks like I either manually write the CPL, or potentially I change the Authentication Policy on the Default Zone.
If I change it to 'Treat as authenticated', does that change it so that the origin string has the source alias? What other ramifications of doing this would there be? This VCS Express is currently used for registrations for Movi/Jabber and a few endpoints. I expect that Movi would still work since it is already an authenticated endpoint, but that authentication credentials would have to be added to endpoints for them to continue working.
I wouldn't recommend setting the DefaultZone to 'Treat as authenticated' as that would automatically authenticate all incoming provisioning requests (SUBSCRIBE messages) without validating the username and password.
A better approach would probably be to set the DefaultZone to 'Do not check credentials' or 'Check credentials', depending on how and where you authenticate your provisioning users, and use 'unauthenticated-origin' in your CPL instead of or in addition to your existing CPL, to catch the incoming unauthenticated calls.
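The following is an added example of a hand-written CPL script along the lines suggested above; it is not code posted by anyone in this thread. It rejects unauthenticated calls whose source alias is `unknown@` followed by anything (the pattern the original poster described) and proxies everything else. The namespace declarations follow the layout of the CPL examples in the VCS Admin guide; the `reason` text and the `.*` destination pattern are assumptions and can be tightened (for example to the numeric-string destinations seen in the probes) if the match should be narrower.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: reject unauthenticated probe calls
     from unknown@<anything>, then let all other calls route normally. -->
<cpl xmlns="urn:ietf:params:xml:ns:cpl"
     xmlns:taa="http://www.tandberg.net/cpl-extensions"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
  <taa:routed>
    <taa:rule-switch>
      <!-- For a call arriving on a zone set to 'Do not check credentials',
           'origin' is an empty string, so match on 'unauthenticated-origin'.
           The destination ".*" mirrors the poster's intent (any destination). -->
      <taa:rule unauthenticated-origin="unknown@.*" destination=".*">
        <reject status="403" reason="Unauthenticated probe call rejected"/>
      </taa:rule>
      <!-- Default rule: everything else continues through normal processing.
           ".*" also matches an empty 'origin', so unauthenticated calls that
           did not hit the rule above are still proxied. -->
      <taa:rule origin=".*" destination=".*">
        <proxy/>
      </taa:rule>
    </taa:rule-switch>
  </taa:routed>
</cpl>
```

After loading the script, the Locate tool on the VCS can be used to confirm that a test call with source alias `unknown@<some IP>` now returns the 403 Forbidden response from this rule rather than being forwarded on to the Control.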