Cisco Support Community

New Member

VCS Expressway security best practices

I'm looking for some best practices for hardening the VCS Expressway from a security standpoint. Feel free to pass along any and all tips.



Cisco Employee

Re: VCS Expressway security best practices


If I understand you right, from a security point of view in terms of deploying the VCSe, static NAT and a dual-interface architecture in the DMZ zone would be relatively more secure.

Please refer to the section "Static NAT and Dual interface architecture" in the document:

Hope this helps.



New Member

VCS Expressway security best practices


Dual interfaces and static NAT are certainly one of the items for securing and hardening the VCS, but I'm looking beyond that and hoping the "old school" Tandberg folks have some additional best practices.

Such as:

Disabling Telnet

Disabling HTTP

Locking out the front panel LCD

Using allow/deny lists

Using device Authentication

Using Certificates


etc, etc...

Also, does anybody have any practical experience using the Advanced Account Security option? Any white papers floating around on this?


VCS Expressway security best practices

Hi Robert,

there isn't one single document which will cover all of these areas.

There are however documents which cover specific areas which you will probably find useful (All of these documents are available at


Basic VCS Control/Expressway configuration guide (Mentioned earlier by Sudheer):

Device authentication:

Using certificates:

Regarding the use of allow/deny lists for registrations (Which really is not a proper security measure but rather obfuscation, and could be used in combination with authentication) and the use of CPL for preventing unauthorised access to specific resources such as ISDN gateways, please refer to the VCS Admin guide for X7.1.

The admin guide as well as the VCS Control/Expressway Basic Configuration guide has a set of example CPL scripts which should be useful.

As far as Telnet and SNMP go, these are disabled by default on an X7.1 VCS (since they are considered "unsecure" protocols).

Advanced Account Security (AAS) mode is also described in the VCS admin guide.

Hope this helps,

