Media Encryption Policy - Cisco TelePresence Administrator's Manual

Video communication server

Media encryption policy

The media encryption policy settings allow you to selectively add or remove media encryption capabilities for
SIP calls flowing through the VCS. This allows you to configure your system so that, for example, all traffic
arriving or leaving a VCS Expressway from the public internet is encrypted, but is unencrypted when in your
private network. The policy:
- is configured on a per zone/subzone basis and applies only to that leg of the call in/out of that
  zone/subzone
- applies to the SIP leg of the call, even if other legs are H.323
Media encryption policy is configured through the Media encryption mode setting on each zone and
subzone; however, the resulting encryption status of the call also depends on the encryption policy
settings of the target system (such as an endpoint or another VCS).
The encryption mode options are:
- Force encrypted: all media to and from the zone/subzone must be encrypted. If the target system/endpoint
  is configured to not use encryption, then the call will be dropped.
- Force unencrypted: all media must be unencrypted. If the target system/endpoint is configured to use
  encryption, then the call may be dropped; if it is configured to use Best effort then the call will fall back to
  unencrypted media.
- Best effort: use encryption if available, otherwise fall back to unencrypted media.
- Auto: no specific media encryption policy is applied by the VCS. Media encryption is purely dependent on
  the target system/endpoint requests. This is the default behavior and is equivalent to how the VCS
  operated before this feature was introduced.
When configuring your system to use media encryption you should note that:
- any zone with an encryption mode of Force encrypted or Force unencrypted must be configured as a SIP-only
  zone (H.323 must be disabled on that zone)
- TLS transport must be enabled if an encryption mode of Force encrypted or Best effort is required
- encryption policy (any encryption setting other than Auto) is applied to a call by routing it through the
  B2BUA hosted on the VCS:
  - as the B2BUA must take the media, each call is classified as a traversal call and thus consumes a
    traversal call license
  - there is a limit per VCS of 100 simultaneous calls that can have a media encryption policy applied
  - the call component that is routed through the B2BUA can be identified in the call history details as
    having a component type of Encryption B2BUA
  - the B2BUA runs as an internal application within the VCS and does not require any manual configuration
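Added example (not part of the Cisco manual or any VCS tooling): a small audit of a zone inventory against the constraints listed above, together with the call-leg outcome each mode produces for a given target setting. The inventory field names, the sample zones and the rule that internet-facing zones should be Force encrypted are assumptions made for illustration.

```python
# Added example. Field names (mode, h323_enabled, tls_enabled, internet_facing)
# are hypothetical inventory keys, not VCS configuration parameters.
FORCE_ENC, FORCE_UNENC = "Force encrypted", "Force unencrypted"
BEST_EFFORT, AUTO = "Best effort", "Auto"

def audit_zone(zone):
    """Return findings for one zone/subzone against the constraints in the text."""
    mode, findings = zone["mode"], []
    if mode in (FORCE_ENC, FORCE_UNENC) and zone["h323_enabled"]:
        findings.append("H.323 must be disabled (SIP-only zone required)")
    if mode in (FORCE_ENC, BEST_EFFORT) and not zone["tls_enabled"]:
        findings.append("TLS transport must be enabled")
    # Assumed site policy (from the manual's example): internet legs are encrypted.
    if zone.get("internet_facing") and mode != FORCE_ENC:
        findings.append("internet-facing leg can carry unencrypted media")
    return findings

def uses_b2bua(mode):
    """Any mode other than Auto routes the call through the B2BUA, so the call
    consumes a traversal call license and counts toward the 100-call limit."""
    return mode != AUTO

def leg_outcome(mode, target):
    """Media status of the SIP leg. target is the far end's own setting:
    'encrypted', 'unencrypted' or 'best effort'."""
    if mode == AUTO:
        return "decided by target"
    if mode == FORCE_ENC:
        return "dropped" if target == "unencrypted" else "encrypted"
    if mode == FORCE_UNENC:
        return "may be dropped" if target == "encrypted" else "unencrypted"
    if mode == BEST_EFFORT:
        return "unencrypted" if target == "unencrypted" else "encrypted"
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample inventory, not taken from a real system.
ZONES = [
    {"name": "TraversalZone", "mode": FORCE_ENC, "h323_enabled": True,
     "tls_enabled": True, "internet_facing": True},
    {"name": "DefaultSubzone", "mode": BEST_EFFORT, "h323_enabled": True,
     "tls_enabled": False, "internet_facing": False},
    {"name": "InternalNeighbor", "mode": AUTO, "h323_enabled": True,
     "tls_enabled": False, "internet_facing": False},
]

def audit_all(zones):
    return {z["name"]: audit_zone(z) for z in zones}

if __name__ == "__main__":
    for name, findings in audit_all(ZONES).items():
        print(name, "->", findings or "ok")
```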
Cisco VCS Administrator Guide (X7.2)
Zones and neighbors
Page 131 of 498
