I have a basic VCS-E --- FW --- VCS-C setup. VCS-C is set up to do authentication on all zones and the Expressway does SIP proxying back to the VCS-C. Expressway does not authenticate anybody.
My problem is with proxying these authentication requests. I have H.323 - SIP interworking enabled on both VCS-E and -C, and it seems like registration requests that the Expressway forwards to the Control return "authentication required", and that causes the Expressway to convert those requests to H323 and forward them to the Control again, with a side effect being that clients can register without authentication even though it is required.
My question is: do I need H323-SIP interworking enabled on the Expressway if all clients can communicate through SIP?
And the second question is do I need H323 enabled at all? Are there any advantages in having both SIP and H323 enabled on an endpoint? Wouldn't one protocol be enough? What are the best current practices?
For a secure environment, you'd check credentials for all VCS Control zones: default, traversal, and all subzones, while for the Expressway you'll only do this on the subzones. You would need a username/password added to each VCS's local device database that the endpoints can use to authenticate and register with. For regular endpoints that aren't provisioned, you'll add that username/password to each endpoint's H323 or SIP configuration so they can authenticate all their communication to the VCS with it. For provisioned devices such as Jabber Video, the user's login account will be used for the subscribe messages, and then the VCS device account you created, which you'll put into the TMSPE template, will be used for the actual registration.
I recently did this about two months ago myself. If you can provide more details of how your VCSs and endpoints are configured, we could help figure out what's happening. The Cisco VCS Authenticating Devices Deployment Guide might help, and is a good place to start on understanding endpoint authentication.
You don't need to have H323-SIP interworking enabled if all your endpoints are using the same protocol, i.e. SIP. However, if you happen to get an H323 call from outside of your network, you won't be able to connect, since interworking would be disabled, so I'd leave it enabled.
Having H323 or SIP both enabled is really personal preference, but most newer codecs are moving to SIP only, such as the SX10.