08-23-2012 05:50 AM - edited 03-17-2019 11:39 PM
Hi,
We have a VCS Control cluster which is AD Integrated and accounts are managed by TMS through Provisioning Extension syncing with an AD group. Both peer with a single Expressway.
From previous posts I have read that that the zone authentication policies should be as follows:
VCSc
TZ: Check
DSZ: Treat as auth
VCSe:
DSZ: Do not check
TZ: Do not check
The flaw here is that any non-provisioned devices would be allowed to register to the Expressway. I would be looking to utilise the Local Database on the Expressway so externally registered devices at least must provide a valid username and password.
Are there any options that would allow this? Without trying to do direct AD Integration on the Expressway.
Much appreciated.
Raj
08-23-2012 07:29 AM
Hi Raju,
I would say there are lots of ways through which provisioning can be done... first let's talk only about VCS Control. For TMSPE keep the following settings on Control:
Default zone == check credentials
default subzone == check credentials or treat as authenticated (both possible)
traversal zone == check credentials.
Now we come to the Expressway. Here keep the
default zone & traversal zone == "do not check credentials"
default subzone == "check credentials"
I hope you are doing proxy authentication, and I am also assuming that you have configured a SIP domain on the Expressway!
Now here you should first put a Registration allow list and define the regex or patterns or IPs which are going to register.
After that create multiple subzones and subzone membership rules.
For example, for Movi/Jabber Windows/Jabber tablet create a separate subzone and keep that subzone as "treat as authenticated". This way the Movi/Jabber clients will be registering to a specific subzone.
For all the rest of the registrations you can have another subzone and keep it as "check credentials". Configure a user in the local database on the Expressway; this user can be used multiple times for registration. This way any registration apart from Jabber will be challenged by the Expressway and checked against its local database; for Jabber the challenge would be done through the VCS Control.
I hope it clarifies. Check the device authentication document and VCS admin guide for more details.
Thanks
Alok
08-23-2012 07:58 AM
Here is the link for the admin guide; check page 218.
You can have a subzone membership rule as a regex, so for Jabber it would be based on the device URI you have configured under the provisioning directory.
For challenging everything apart from Jabber, e.g. if your domain is abc.com,
the subzone membership rule regex can be
(.*)@abc.com
target subzone
The priority would be higher than the subzone membership rule for Jabber clients. Any registration going into this subzone would be challenged for authentication.
Thanks
Alok
08-23-2012 08:06 AM
Thanks Alok,
So if I create a SZ for 'MoviUsers' (excuse the legacy name), set this to 'treat as authenticated' and create a SZ Membership rule based on .*\.movi@video.company.com...wouldn't this mean I could register any endpoint to the expressway providing the H323/SIP alias had .movi@video.company.com in it? All without providing credentials.
Any more granularly defined membership rules/allow list and I would need to define every user explicitly :-s
(We also have provisioned Ex90 devices so would need to uniquely differentiate these too)
Raj
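To make the mechanics behind Alok's regex membership rules and Raj's concern concrete, here is an added Python model of how a registering alias is steered into a subzone and whether it gets challenged. It is not code from this thread or from any Cisco product; it assumes (as labelled in the comments) that rules are evaluated in priority order with the lower number winning, that the regex must match the whole alias, and that an alias matching no rule falls into the Default Subzone. The subzone names, patterns and domain are made up for the illustration; note the dots are escaped, whereas the unescaped dots in the patterns quoted above also match any single character.

```python
"""Toy model of VCS/Expressway subzone membership rules (added example, not product code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # assumption: lower number is evaluated first (1 = highest)
    pattern: str           # assumption: regex must match the full alias
    target_subzone: str


# Hypothetical subzones and their authentication policies (names chosen for the example).
SUBZONE_AUTH_POLICY = {
    "MoviUsers": "treat as authenticated",
    "Challenged": "check credentials",
    "Default Subzone": "check credentials",
}

# Hypothetical rules mirroring the thread: a narrow Jabber/Movi rule evaluated first,
# then a domain-wide catch-all that lands in a credential-checking subzone.
RULES = [
    Rule("jabber-clients", 1, r".*\.movi@video\.company\.com", "MoviUsers"),
    Rule("catch-all-domain", 2, r".*@video\.company\.com", "Challenged"),
]


def match_subzone(alias, rules=RULES):
    """Return (subzone, rule name) for the first rule whose regex matches the alias."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if re.fullmatch(rule.pattern, alias, flags=re.IGNORECASE):
            return rule.target_subzone, rule.name
    return "Default Subzone", None  # assumption: unmatched aliases fall through


def registration_outcome(alias, rules=RULES, policies=SUBZONE_AUTH_POLICY):
    """Describe where an alias registers and whether the Expressway challenges it."""
    subzone, rule_name = match_subzone(alias, rules)
    policy = policies[subzone]
    return {
        "alias": alias,
        "subzone": subzone,
        "matched_rule": rule_name,
        "auth_policy": policy,
        "challenged": policy == "check credentials",
    }


def unchallenged_aliases(aliases, rules=RULES, policies=SUBZONE_AUTH_POLICY):
    """Aliases that would register without any credential check: the exposure Raj describes."""
    return [a for a in aliases if not registration_outcome(a, rules, policies)["challenged"]]


if __name__ == "__main__":
    # Constructed sample aliases: a provisioned user, an attacker who simply copies the
    # naming pattern, a room system in the domain, and an alias outside the domain.
    samples = [
        "alice.movi@video.company.com",
        "rogue.movi@video.company.com",
        "boardroom.ex90@video.company.com",
        "1234@other.example",
    ]
    for alias in samples:
        print(registration_outcome(alias))
    print("unchallenged:", unchallenged_aliases(samples))
```

Running it shows the point of Raj's question: any alias that happens to end in `.movi@video.company.com` is placed in the "treat as authenticated" subzone and is never challenged, while the EX90 and out-of-domain aliases are. The regex rule only classifies the alias string; it does not prove the endpoint is a provisioned device.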
08-23-2012 08:47 AM
That's right, Raju. But if you do not want this then proxy all the registration requests to Control.
This way the registration will also be challenged using the traversal zone and every registration would be on Control; the Expressway won't be having any registrations.
Thanks
Alok