Cisco Support Community
New Member

VCS Expressway CPL rules and AD authentication

Hi to All,

I have some problems with writing a CPL script.

I've successfully set up the AD direct authentication deployment "VCS Control and VCS Expressway with Active Directory (direct) authentication on VCS Control". Now I'm faced with the next task. It is necessary to adjust external registration requests and calls via VCS E. There are two requirements:

  1. to allow all registration requests from external Movi clients with SIP domain "vc.met.com" (for corporate domain users). These authentication requests should be checked via AD domain controllers. Those users who pass the authentication process will be allowed all local and external calls.
  2. for external (guest) call requests I want to restrict access to one destination (E.164 alias "7089" or SIP URI "7089@vc.met.com"). All other requests should be denied.

What I've already done:


<?xml version="1.0" encoding="UTF-8"?>
<cpl xmlns="urn:ietf:params:xml:ns:cpl"
  xmlns:taa="http://www.tandberg.net/cpl-extensions"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
 <taa:routed>
  <address-switch field="unauthenticated-origin" subfield="host">
   <!-- requests whose (unauthenticated) origin host is in the corporate SIP domain are proxied -->
   <address subdomain-of="vc.met.com">
    <proxy/>
   </address>
   <!-- everything else is rejected -->
   <otherwise>
    <reject status="403" reason="Denied by policy"/>
   </otherwise>
  </address-switch>
 </taa:routed>
</cpl>

This script lets Movi registration requests with SIP domain "vc.met.com" pass, as I need.


But how can I modify the rule for the second requirement?

I would appreciate any help.

Thanks in advance!

Maksim.

7 REPLIES
New Member

Dear colleagues and experts,

Does anyone have any thoughts about CPL scripting for that task, or another way to solve it?

New Member

Replace VCSzoneName with the exact name of your VCS Control zone.

Replace ExpresswaysIPaddress with the external IP of your Expressway.

Set your Expressway's default zone to "Do Not check credentials", set whichever zone Jabbers register on your VCS Control to "Check credentials", and set your VCS Control to accept proxied registrations.

If you don't already have a transform or a search rule that strips part of the regex or suffix, you'll need to strip the IP address off of the E164@expresswaysipaddress.


<?xml version="1.0" encoding="UTF-8"?>
<cpl xmlns="urn:ietf:params:xml:ns:cpl" 
  xmlns:taa="http://www.tandberg.net/cpl-extensions" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
  xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
 <taa:routed>
  <taa:rule-switch>

    <!-- allow calls originating from endpoints registered to VCS Control -->
    <taa:rule originating-zone="VCSzoneName" destination=".*">
      <proxy />
    </taa:rule> 

    <!-- allow jabber user registration User ID-->
    <taa:rule unauthenticated-origin="(.*)@vc.met.com" destination=".*">
      <proxy />
    </taa:rule>

    <!-- MCU External VC RM SIP -->
    <taa:rule origin=".*" destination="7089@vc.met.com">
      <proxy />
    </taa:rule>

    <!-- MCU External VC RM H323 pre-transform -->
    <taa:rule origin=".*" destination="7089@ExpresswaysIPaddress">
      <proxy />
    </taa:rule>

    <!-- MCU External VC RM H323 post-transform -->
    <taa:rule origin=".*" destination="7089">
      <proxy />
    </taa:rule>

    <!-- reject calls from all other sources -->
    <taa:rule origin=".*" destination=".*">
      <reject status="403" reason="Incoming Calls Rejected"/>
    </taa:rule>

  </taa:rule-switch>
 </taa:routed>
</cpl>

New Member

Hi Derek,

Could this script be used for ISDN?

Regards,

Emma

New Member

For an ISDN GW? or do you mean, to stop dial through fraud where someone is bouncing in via the expressway to your ISDN GW or phone network?

New Member

Thanks for your reply Derek,

Yes, I mean hairpin dialing.

Emma

New Member

Something like the following should work; I don't know the exact requirements of your environment. Change the 9(.*) to whatever your prefix to dial outbound is, 8(.*) or 064(.*) or whatever, and add whatever other rules above and below. Rules run in order, so specific match rules need to be higher than generic catch-all rules, which should be at the bottom.

<?xml version="1.0" encoding="UTF-8"?>
<cpl xmlns="urn:ietf:params:xml:ns:cpl" 
  xmlns:taa="http://www.tandberg.net/cpl-extensions" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
  xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">
 <taa:routed>
  <taa:rule-switch>

    <!-- Block ISDN GW DTF dialing -->
    <taa:rule origin=".*" destination="9(.*)">
      <reject status="403" reason="Incoming Calls Rejected"/>
    </taa:rule>

  </taa:rule-switch>
 </taa:routed>
</cpl>
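
As an added example (not code from this thread or from Cisco), the Python below models how a taa:rule-switch walks a rule list top to bottom and lets the first matching rule decide, using the rule sets from Derek's two replies as data so the asker's two requirements and the ordering point about the ISDN block rule can be checked offline. The sample users and hosts are constructed, and treating each attribute as a whole-string regex match is my assumption.

```python
import re

PROXY, REJECT = "proxy", "reject"

def first_match(rules, request):
    """Return (action, index) of the first rule whose every attribute pattern
    matches the request, else (None, -1). Assumption: attributes are whole-string
    regex matches (re.fullmatch); check this against the VCS CPL reference."""
    for i, rule in enumerate(rules):
        patterns = {k: v for k, v in rule.items() if k != "action"}
        if all(re.fullmatch(p, request.get(k, "")) for k, p in patterns.items()):
            return rule["action"], i
    return None, -1

# Rules transcribed from Derek's first reply; VCSzoneName and ExpresswaysIPaddress
# are his placeholders, kept as literal strings here.
GUEST_MCU_RULES = [
    {"originating-zone": "VCSzoneName", "destination": ".*", "action": PROXY},
    {"unauthenticated-origin": "(.*)@vc.met.com", "destination": ".*", "action": PROXY},
    {"origin": ".*", "destination": "7089@vc.met.com", "action": PROXY},
    {"origin": ".*", "destination": "7089@ExpresswaysIPaddress", "action": PROXY},
    {"origin": ".*", "destination": "7089", "action": PROXY},
    {"origin": ".*", "destination": ".*", "action": REJECT},  # catch-all, keep last
]
def _req(zone, origin, dest):  # constructed request with hypothetical users/hosts
    return {"originating-zone": zone, "origin": origin,
            "unauthenticated-origin": origin, "destination": dest}

SAMPLE_REQUESTS = {
    "movi_registration": _req("DefaultZone", "alice@vc.met.com", "vc.met.com"),
    "guest_to_mcu": _req("DefaultZone", "guest@example.org", "7089@vc.met.com"),
    "guest_to_other": _req("DefaultZone", "guest@example.org", "bob@vc.met.com"),
    "internal_outbound": _req("VCSzoneName", "bob@vc.met.com", "carol@partner.example"),
    # the unescaped dots in "(.*)@vc.met.com" also accept a look-alike host
    "lookalike_host": _req("DefaultZone", "eve@vcXmetXcom", "bob@vc.met.com"),
}

def evaluate_all(rules=GUEST_MCU_RULES):
    """Map each sample request name to (action, index of the deciding rule)."""
    return {name: first_match(rules, req) for name, req in SAMPLE_REQUESTS.items()}

# Derek's ISDN rule from the later reply, placed above or below a permissive catch-all.
BLOCK_ISDN_PREFIX = {"origin": ".*", "destination": "9(.*)", "action": REJECT}
ALLOW_ALL = {"origin": ".*", "destination": ".*", "action": PROXY}

def hairpin_outcome(block_first):
    """Action taken on a constructed '9'-prefixed call for either rule order."""
    call = _req("DefaultZone", "guest@example.org", "900000000")
    order = [BLOCK_ISDN_PREFIX, ALLOW_ALL] if block_first else [ALLOW_ALL, BLOCK_ISDN_PREFIX]
    return first_match(order, call)[0]
```

The lookalike_host entry shows why the domain dots in a rule should be escaped as `vc\.met\.com`, and hairpin_outcome(False) shows the block rule never fires once a catch-all proxy sits above it.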

New Member

Thank you Derek, I will test that today.

Emma
