Cisco Support Community

New Member

H.323 - SIP interworking and authentication

I have a basic VCS-E --- FW --- VCS-C setup. VCS-C is set up to do authentication on all zones and the Expressway does SIP proxying back to the VCS-C.  Expressway does not authenticate anybody.

My problem is with proxying these authentication requests. I have H.323 - SIP interworking enabled on both VCS-E and -C and it seems like registration requests that Expressway forwards to the Control return "authentication required" and that causes the Expressway to convert those requests to H323 and forward them to the Control again, with a side effect being clients can register without authentication even though it is required.

My question is do I need H323-SIP interworking enabled on the Expressway if all clients can communicate through SIP.

And the second question is do I need H323 enabled at all?  Are there any advantages in having both SIP and H323 enabled on an endpoint? Wouldn't one protocol be enough? What are the best current practices?






VIP Purple

For a secure environment, you'd check credentials for all VCS Control zones: default, traversal, and all subzones, while for the Expressway you'll only do this on the subzones. You would need a username/password added to each VCS's local device database that the endpoints can use to authenticate and register with. For regular endpoints that aren't provisioned you'll add that username/password to each endpoint's H323 or SIP configuration so they can authenticate all their communication to the VCS with it. For provisioned devices such as Jabber Video, the user's login account will be used for the subscribe messages, and then the VCS device account you created, that you'll put into the TMSPE template, will be used for the actual registration.

I recently did this about two months ago myself. If you can provide more details of how your VCSs and endpoints are configured, we could help figure out what's happening. Cisco VCS Authenticating Devices Deployment Guide might help, and is a good place to start on understanding endpoint authentication.

You don't need to have H323-SIP interworking enabled if all your endpoints are using the same protocol, i.e. SIP. However, if you happen to get an H323 call from outside your network, you won't be able to connect, since interworking would be disabled, so I'd leave it enabled.

Having H323 or SIP both enabled is really personal preference, but most newer codecs are moving to SIP only, such as the SX10.

VIP Green

"Having H323 or SIP both enabled is really personal preference, but most newer codecs are moving to SIP only, such as the SX10."

And don't forget the SX80 which can be one, or the other, but not both/dual registered as most of the older endpoints can.

H.323 will be going the way of H.320 - and slowly disappearing - this has been publicly acknowledged by Cisco as their future direction - making things SIP only in the future.

Please remember to rate responses and to mark your question as answered if appropriate.