Cisco TelePresence Administrator's Manual page 71

Unified Communications
If the IM&P server is using CA-signed certificates, the VCS Control's trusted CA list must include
o
the root CA of the issuer of the tomcat certificate.
d. Click Add address.
The system then attempts to contact the publisher and retrieve details of its associated nodes.
Note that the status of the IM&P server will show as Inactive until a valid traversal zone connection
between the VCS Control and the VCS Expressway has been established (this is configured later in
this process).
3. Repeat for every IM&P cluster.
After configuring multiple publisher addresses, you can click Refresh servers to refresh the details of the
nodes associated with selected addresses.
Configuring Unified CM servers
To configure the Unified CM servers used for remote access:
1. On VCS Control, go to
The resulting page displays any existing servers that have been configured.
2. Add the details of a Unified CM publisher:
a. Click New.
b. Enter the Unified CM publisher address and the Username and Password credentials of an
application user account that can access the server. The address can be specified as an FQDN or as
an IP address; we recommend using FQDNs when TLS verify mode is On.
Note that these credentials are stored permanently in the VCS database. The Unified CM user must
have the Standard AXL API Access role.
c. We recommend leaving TLS verify mode set to On to ensure VCS verifies the certificates presented
by the Unified CM server (its tomcat certificate for AXL and UDS queries, and its CallManager
certificate for subsequent SIP traffic).
If the Unified CM server is using self-signed certificates, the VCS Control's trusted CA list must
o
include a copy of the tomcat certificate and the CallManager certificate from every Unified CM
server.
If the Unified CM server is using CA-signed certificates, the VCS Control's trusted CA list must
o
include the root CA of the issuer of the tomcat certificate and the CallManager certificate.
d. Click Add address.
The system then attempts to contact the publisher and retrieve details of its associated nodes.
3. Repeat for every Unified CM cluster.
After configuring multiple publisher addresses, you can click Refresh servers to refresh the details of the
nodes associated with selected addresses.
Automatically generated zones and search rules
VCS Control automatically generates non-configurable neighbor zones between itself and each discovered
Unified CM node. A TCP zone is always created, and a TLS zone is created also if the Unified CM node is
configured with a Cluster Security Mode
(Mixed) (so that it can support devices provisioned with secure profiles). The TLS zone is configured with its
TLS verify mode set to On if the Unified CM discovery had TLS verify mode enabled. This means that the
VCS Control will verify the CallManager certificate for subsequent SIP communications. Each zone is
created with a name in the format 'CEtcp-<node name>' or 'CEtls-<node name>'.
A non-configurable search rule, following the same naming convention, is also created automatically for each
zone. The rules are created with a priority of 45. If the Unified CM node that is targeted by the search rule has
a long name, the search rule will use a regex for its address pattern match.
Cisco VCS Administrator Guide (X8.1.1)
Configuration > Unified Communications > Unified CM
(System > Enterprise Parameters > Security
Configuring mobile and remote access on VCS
servers.
Parameters) of 1
Page 71 of 507