Re: [cisco-voip] webkit via expressway

2018-09-13 Thread Lelio Fulgenzi

I hear ya. I’ll probably take the external DNS approach to be safe. From 
everything I read, it didn’t seem to hurt if you had the _collab-edge SRV 
record in the internal database, but I could have missed something.

By ‘connect directly’ I was wondering whether or not the roomkit would try to 
resolve the _cisco-uds SRV records and connect directly to cucm without going 
through expressway. Same way Jabber behaves.

I’ll start with enduser and test with appuser. But you’re likely right.

-sent from mobile device-

Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


On Sep 13, 2018, at 8:32 PM, Matthew Loraditch <mloradi...@heliontechnologies.com> wrote:

_cisco-uds is for internal DNS only; _collab-edge is for external only. You 
don’t want either in the other. If you have Jabber MRA working, this should 
work with no changes needed that I can recall. You will want it to have external 
DNS servers. It sounds like you are testing in some sort of DMZ outside but not 
totally outside your network.

Not sure what you mean by try to connect directly, it only knows what to try 
once you put the domain in. Jabber only knows because you put in your username 
at some point.

The user needs to be an end-user, I’m pretty certain.



Matthew Loraditch
Sr. Network Engineer
p: 443.541.1518
w: www.heliontechnologies.com | e: mloradi...@heliontechnologies.com

From: cisco-voip <cisco-voip-boun...@puck.nether.net> On Behalf Of Lelio Fulgenzi
Sent: Thursday, September 13, 2018 8:25 PM
To: Erick Wellnitz <ewellnitzv...@gmail.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] webkit via expressway


Ok. Great. Thanks. I’ll likely set up some application users to test this out 
(hopefully they don’t have to be end users).

Do we know if it works like Jabber such that if _cisco-uds._tcp.acme.com 
resolves, it will try to connect directly?

My hope is I can just add _collab-edge._tls to the internal dns tables as well. 
Can’t imagine that would hurt.

Alternative would be to program dns servers to 8.8.8.8 as I mentioned earlier.

There are a lot of settings controlled by cucm (or at least appear on the 
config page). Interested to find out what they all do.

I’m hoping we’re not back to the old, “those are ignored and configure directly 
on device” game.

-sent from mobile device-


Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


On Sep 13, 2018, at 8:07 PM, Erick Wellnitz <ewellnitzv...@gmail.com> wrote:
You are correct. It's similar to registering an 8800 series phone via 
Expressway. Username and passphrase (password) are the user you have the 
device assigned to as a controlled device. Domain is your service domain, 
acme.com in your example. It will look for _collab-edge._tls.acme.com, for 
example.

On Thu, Sep 13, 2018 at 4:22 PM Lelio Fulgenzi <le...@uoguelph.ca> wrote:

So, I'd like to try out registering this RoomKit via Expressway for a couple of 
reasons.

Not much in the admin guide about getting this to work. When I reset the box 
and select UCM via Expressway, I'm prompted with username, passphrase and 
domain. Now, in my experience "passphrase" is not the same as password. Is it 
in this case? Do I need to be configuring this thing like I would an MRA client 
like Jabber? If it's going to be doing service discovery, I'll have to point 
its DNS servers to google so it gets the _collab-edge._tls.acme.com results 
appropriately.

I'm hoping that once this is done, I can get proximity working - but one thing 
at a time I guess.

Lelio

---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

Re: [cisco-voip] webkit via expressway

2018-09-13 Thread Matthew Loraditch
_cisco-uds is for internal DNS only; _collab-edge is for external only. You 
don’t want either in the other. If you have Jabber MRA working, this should 
work with no changes needed that I can recall. You will want it to have external 
DNS servers. It sounds like you are testing in some sort of DMZ outside but not 
totally outside your network.

Not sure what you mean by try to connect directly, it only knows what to try 
once you put the domain in. Jabber only knows because you put in your username 
at some point.

The user needs to be an end-user, I’m pretty certain.



Matthew Loraditch
Sr. Network Engineer
p: 443.541.1518
w: www.heliontechnologies.com | e: mloradi...@heliontechnologies.com
From: cisco-voip On Behalf Of Lelio Fulgenzi
Sent: Thursday, September 13, 2018 8:25 PM
To: Erick Wellnitz
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] webkit via expressway


Ok. Great. Thanks. I’ll likely set up some application users to test this out 
(hopefully they don’t have to be end users).

Do we know if it works like Jabber such that if _cisco-uds._tcp.acme.com 
resolves, it will try to connect directly?

My hope is I can just add _collab-edge._tls to the internal dns tables as well. 
Can’t imagine that would hurt.

Alternative would be to program dns servers to 8.8.8.8 as I mentioned earlier.

There are a lot of settings controlled by cucm (or at least appear on the 
config page). Interested to find out what they all do.

I’m hoping we’re not back to the old, “those are ignored and configure directly 
on device” game.

-sent from mobile device-


Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


On Sep 13, 2018, at 8:07 PM, Erick Wellnitz <ewellnitzv...@gmail.com> wrote:
You are correct. It's similar to registering an 8800 series phone via 
Expressway. Username and passphrase (password) are the user you have the 
device assigned to as a controlled device. Domain is your service domain, 
acme.com in your example. It will look for _collab-edge._tls.acme.com, for 
example.

On Thu, Sep 13, 2018 at 4:22 PM Lelio Fulgenzi <le...@uoguelph.ca> wrote:

So, I'd like to try out registering this RoomKit via Expressway for a couple of 
reasons.

Not much in the admin guide about getting this to work. When I reset the box 
and select UCM via Expressway, I'm prompted with username, passphrase and 
domain. Now, in my experience "passphrase" is not the same as password. Is it 
in this case? Do I need to be configuring this thing like I would an MRA client 
like Jabber? If it's going to be doing service discovery, I'll have to point 
its DNS servers to google so it gets the _collab-edge._tls.acme.com results 
appropriately.

I'm hoping that once this is done, I can get proximity working - but one thing 
at a time I guess.

Lelio

---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
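The split-horizon rule Matthew states above (_cisco-uds in internal DNS only, _collab-edge in external DNS only) can be checked mechanically rather than by reading zone files. The following is an added example, not code from the thread or from Cisco: it parses dig-style SRV answers from each resolver view and reports records published in the wrong view, missing from the right one, or pointing at an unexpected port. The SRV answers, hostnames and the acme.com domain are constructed sample data; the expected port 8443 follows Cisco's MRA deployment guidance.

```python
"""Split-horizon DNS audit for Cisco MRA service-discovery SRV records.

Added example (not from the thread, not Cisco code). Policy checked, as
stated in the thread: _cisco-uds._tcp.<domain> belongs in internal DNS
only; _collab-edge._tls.<domain> belongs in external DNS only. Inputs are
dig-style SRV answers, one text block per resolver view.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# dig presentation format: name ttl IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

# Which discovery record may appear in which DNS view, per the thread.
POLICY = {
    "_cisco-uds._tcp": {"internal"},
    "_collab-edge._tls": {"external"},
}
EXPECTED_PORT = 8443  # both records point at TLS/8443 per Cisco's MRA guidance


@dataclass(frozen=True)
class Srv:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(answer_text: str) -> List[Srv]:
    """Parse dig-style SRV lines; ';' comments and blank lines are skipped."""
    records = []
    for raw in answer_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SRV_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SRV record: {raw!r}")
        records.append(Srv(
            name=m["name"].lower().rstrip("."),
            priority=int(m["prio"]),
            weight=int(m["weight"]),
            port=int(m["port"]),
            target=m["target"].lower().rstrip("."),
        ))
    return records


def audit(domain: str, views: Dict[str, str]) -> List[str]:
    """Return findings for `domain` given {view_name: srv_answer_text}.

    Findings: a discovery record published in a view the policy forbids,
    missing from a view it must be in, or pointing at an unexpected port.
    """
    domain = domain.lower().rstrip(".")
    parsed = {view: parse_srv(text) for view, text in views.items()}
    findings = []
    for prefix, allowed in POLICY.items():
        fqdn = f"{prefix}.{domain}"
        for view, records in parsed.items():
            hits = [r for r in records if r.name == fqdn]
            if hits and view not in allowed:
                findings.append(
                    f"{fqdn} is published in {view} DNS but belongs only in "
                    f"{'/'.join(sorted(allowed))} DNS"
                )
            for r in hits:
                if r.port != EXPECTED_PORT:
                    findings.append(
                        f"{fqdn} in {view} DNS points at port {r.port}, expected {EXPECTED_PORT}"
                    )
        for view in allowed:
            if view in parsed and not any(r.name == fqdn for r in parsed[view]):
                findings.append(f"{fqdn} is missing from {view} DNS")
    return findings


# Constructed sample answers (acme.com is the thread's example domain).
CONSTRUCTED_INTERNAL = """\
; constructed: what the internal resolver returned
_cisco-uds._tcp.acme.com.    3600 IN SRV 10 10 8443 cucm1.acme.com.
_cisco-uds._tcp.acme.com.    3600 IN SRV 20 10 8443 cucm2.acme.com.
_collab-edge._tls.acme.com.  3600 IN SRV 10 10 8443 expe.acme.com.
"""
CONSTRUCTED_EXTERNAL = """\
; constructed: what a public resolver returned
_collab-edge._tls.acme.com.  3600 IN SRV 10 10 8443 expe.acme.com.
"""

if __name__ == "__main__":
    views = {"internal": CONSTRUCTED_INTERNAL, "external": CONSTRUCTED_EXTERNAL}
    for finding in audit("acme.com", views):
        print("FINDING:", finding)
```

Feed it the real answers from `dig SRV` against the internal resolver and a public one to audit a live deployment.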


Re: [cisco-voip] webkit via expressway

2018-09-13 Thread Lelio Fulgenzi

Ok. Great. Thanks. I’ll likely set up some application users to test this out 
(hopefully they don’t have to be end users).

Do we know if it works like Jabber such that if _cisco-uds._tcp.acme.com 
resolves, it will try to connect directly?

My hope is I can just add _collab-edge._tls to the internal dns tables as well. 
Can’t imagine that would hurt.

Alternative would be to program dns servers to 8.8.8.8 as I mentioned earlier.

There are a lot of settings controlled by cucm (or at least appear on the 
config page). Interested to find out what they all do.

I’m hoping we’re not back to the old, “those are ignored and configure directly 
on device” game.

-sent from mobile device-

Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


On Sep 13, 2018, at 8:07 PM, Erick Wellnitz <ewellnitzv...@gmail.com> wrote:

You are correct. It's similar to registering an 8800 series phone via 
Expressway. Username and passphrase (password) are the user you have the 
device assigned to as a controlled device. Domain is your service domain, 
acme.com in your example. It will look for _collab-edge._tls.acme.com, for 
example.

On Thu, Sep 13, 2018 at 4:22 PM Lelio Fulgenzi <le...@uoguelph.ca> wrote:

So, I'd like to try out registering this RoomKit via Expressway for a couple of 
reasons.

Not much in the admin guide about getting this to work. When I reset the box 
and select UCM via Expressway, I'm prompted with username, passphrase and 
domain. Now, in my experience "passphrase" is not the same as password. Is it 
in this case? Do I need to be configuring this thing like I would an MRA client 
like Jabber? If it's going to be doing service discovery, I'll have to point 
its DNS servers to google so it gets the _collab-edge._tls.acme.com results 
appropriately.

I'm hoping that once this is done, I can get proximity working - but one thing 
at a time I guess.

Lelio

---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] webkit via expressway

2018-09-13 Thread Erick Wellnitz
You are correct. It's similar to registering an 8800 series phone via
Expressway. Username and passphrase (password) are the user you have the
device assigned to as a controlled device. Domain is your service domain,
acme.com in your example. It will look for _collab-edge._tls.acme.com, for
example.

On Thu, Sep 13, 2018 at 4:22 PM Lelio Fulgenzi wrote:

>
> So, I'd like to try out registering this RoomKit via Expressway for a
> couple of reasons.
>
> Not much in the admin guide about getting this to work. When I reset the
> box and select UCM via Expressway, I'm prompted with username, passphrase
> and domain. Now, in my experience "passphrase" is not the same as password.
> Is it in this case? Do I need to be configuring this thing like I would an
> MRA client like Jabber? If it's going to be doing service discovery, I'll
> have to point its DNS servers to google so it gets the
> _collab-edge._tls.acme.com results appropriately.
>
> I'm hoping that once this is done, I can get proximity working - but one
> thing at a time I guess.
>
> Lelio
>
> ---
> Lelio Fulgenzi, B.A. | Senior Analyst
> Computing and Communications Services | University of Guelph
> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
> 519-824-4120 Ext. 56354 | le...@uoguelph.ca
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram,
> Twitter and Facebook
>
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] Centralized CER with Session Manager?

2018-09-13 Thread Erick Wellnitz
In case anyone out there ever runs into this situation, I have an answer.

In our case each of the leaf clusters will have its own CER group.  These
two CER groups will be clustered together.  There was a bug around
overlapping IP subnets but that has been resolved.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd51691/?rfs=iqvred

On Thu, Sep 13, 2018 at 11:59 AM Erick Wellnitz wrote:

> Let's reframe this a little as it doesn't appear CER can be centralized
> with SME.
>
> CER can be set up into two CER groups and the two groups clustered, per
> the admin guide.  Does anyone know if overlapping IP subnets are an issue
> with clustering CER groups?  It's a Brocade switching environment so
> identifying by switchport is off the table.
>
> On Fri, Aug 31, 2018 at 8:49 AM Erick Wellnitz wrote:
>
>> Hey everyone!  It's been a bit too long since I have been active here.
>>
>> I have a situation where I have an SME cluster and 2 leaf clusters. Both
>> leaf clusters need to have telephones discovered and located by CER.
>>
>> Is there a way to have all of the CTI functionality of CER residing on
>> the SME and only have SNMP discovery to the leaf clusters?  I can't find
>> anything like that in the SRND.
>>
>> Any insights would be much appreciated!
>>
>> -E
>>
>
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


[cisco-voip] webkit via expressway

2018-09-13 Thread Lelio Fulgenzi

So, I'd like to try out registering this RoomKit via Expressway for a couple of 
reasons.

Not much in the admin guide about getting this to work. When I reset the box 
and select UCM via Expressway, I'm prompted with username, passphrase and 
domain. Now, in my experience "passphrase" is not the same as password. Is it 
in this case? Do I need to be configuring this thing like I would an MRA client 
like Jabber? If it's going to be doing service discovery, I'll have to point 
its DNS servers to google so it gets the _collab-edge._tls.acme.com results 
appropriately.

I'm hoping that once this is done, I can get proximity working - but one thing 
at a time I guess.

Lelio

---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] Centralized CER with Session Manager?

2018-09-13 Thread Erick Wellnitz
Let's reframe this a little as it doesn't appear CER can be centralized
with SME.

CER can be set up into two CER groups and the two groups clustered, per the
admin guide.  Does anyone know if overlapping IP subnets are an issue with
clustering CER groups?  It's a Brocade switching environment so identifying
by switchport is off the table.

On Fri, Aug 31, 2018 at 8:49 AM Erick Wellnitz wrote:

> Hey everyone!  It's been a bit too long since I have been active here.
>
> I have a situation where I have an SME cluster and 2 leaf clusters. Both
> leaf clusters need to have telephones discovered and located by CER.
>
> Is there a way to have all of the CTI functionality of CER residing on the
> SME and only have SNMP discovery to the leaf clusters?  I can't find
> anything like that in the SRND.
>
> Any insights would be much appreciated!
>
> -E
>
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] Expressway Search Rules - Source:Any -or- Source-Named Zone

2018-09-13 Thread Lelio Fulgenzi
Thanks Ryan…

I will be enabling call policies on the E, so allowing calls only from 
*.webex.com (regex simplified) from the Any source, and I found that I needed 
a rule to allow outbound calls as well – this I made a named source, so calls 
from the traversal zone I established with the C. In this case, I’m letting 
that call anything. I’ve also got a deny at the bottom.

As I move to allowing B2B calls, I will add the appropriate rules here to say 
allow inbound calls from ford.com and bigcompanyx.com as required.

If we look at my search rules on C, say those accepting inbound calls from CUCM 
neighbor zone and sending them to the E for processing, I want to configure 
those rules so they only apply to a named zone, the neighbor zone. And for 
those rules that are taking calls from E and sending them off to the neighbor 
zone, I want those rules to apply only to the named zone, the traversal zone. 
Instead of those rules having ANY in the source.



---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook

From: Ryan Huff
Sent: Thursday, September 13, 2018 11:55 AM
To: Lelio Fulgenzi
Cc: voyp list, cisco-voip (cisco-voip@puck.nether.net)
Subject: Re: [cisco-voip] Expressway Search Rules - Source:Any -or- Source-Named Zone

Pardon ... “the E’s search rule” ... I said traversal zone. Email needs a 
delete like WebEx Teams ...

Sent from my iPhone

On Sep 13, 2018, at 11:53, Ryan Huff <ryanh...@outlook.com> wrote:
The source for the E’s traversal zone only needs to be ‘ANY’ if it truly needs 
to be. I’ve deployed several scenarios where the business only wanted to 
receive B2B calls from other things on its own domain (or a few domains strung 
together in regex).

Also, using the Call Policy engine (under the Configuration menu) or the more 
in-depth CPL (Call Processing Language) is a great way to block obviously 
fraudulent dials by source, target or zone (Ex. source URI: deny 
cl...@nose.com).

I prefer to use the standard Call Policy rules in the GUI, which is more 
akin to a prioritized Allow / Deny ACL.

CPL on the other hand (located in the same GUI menu section) is a more robust 
way of using call policies and is really only needed for advanced Call handling.

Call Processing Language is referenced on page 324: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

Call Policy is referenced on page 168: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

The Firewall rules are useful for only allowing administrative services to a 
particular subnet (System / Protection / Firewall Rules) if you need to leave 
HTTPS and SSH exposed to a non-secure network (this is less about toll fraud 
than it is general security).

The firewall rules are referenced on page 28: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

As with any system exposed to the Internet, turn off any services and protocols 
not in use (Ex. Turn off UDP support if you’re not using it ... etc).

Thanks,

Ryan

On Sep 13, 2018, at 11:12, Lelio Fulgenzi <le...@uoguelph.ca> wrote:

Curious – what are people doing with their search rules? I’ve got a search rule 
for calls coming from the ‘net into E and then to C all good, but just 
wondering, I know the search rule on E has to be source:A

Re: [cisco-voip] Expressway Search Rules - Source:Any -or- Source-Named Zone

2018-09-13 Thread Ryan Huff
Pardon ... “the E’s search rule” ... I said traversal zone. Email needs a 
delete like WebEx Teams ...

Sent from my iPhone

On Sep 13, 2018, at 11:53, Ryan Huff <ryanh...@outlook.com> wrote:

The source for the E’s traversal zone only needs to be ‘ANY’ if it truly needs 
to be. I’ve deployed several scenarios where the business only wanted to 
receive B2B calls from other things on its own domain (or a few domains strung 
together in regex).

Also, using the Call Policy engine (under the Configuration menu) or the more 
in-depth CPL (Call Processing Language) is a great way to block obviously 
fraudulent dials by source, target or zone (Ex. source URI: deny 
cl...@nose.com).

I prefer to use the standard Call Policy rules in the GUI, which is more 
akin to a prioritized Allow / Deny ACL.

CPL on the other hand (located in the same GUI menu section) is a more robust 
way of using call policies and is really only needed for advanced Call handling.

Call Processing Language is referenced on page 324: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

Call Policy is referenced on page 168: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

The Firewall rules are useful for only allowing administrative services to a 
particular subnet (System / Protection / Firewall Rules) if you need to leave 
HTTPS and SSH exposed to a non-secure network (this is less about toll fraud 
than it is general security).

The firewall rules are referenced on page 28: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

As with any system exposed to the Internet, turn off any services and protocols 
not in use (Ex. Turn off UDP support if you’re not using it ... etc).

Thanks,

Ryan

On Sep 13, 2018, at 11:12, Lelio Fulgenzi <le...@uoguelph.ca> wrote:


Curious – what are people doing with their search rules? I’ve got a search rule 
for calls coming from the ‘net into E and then to C all good, but just 
wondering, I know the search rule on E has to be source:ANY because it’s coming 
from the net, but what about the search rule on C? Shouldn’t it be source:named 
zone (and pick C-to-E traversal zone) to be sure that nothing else hits it?

Same goes for say rules that I use to send calls all the way from CUCM to C to 
E to DNS Zone. Shouldn’t my rules be as specifically configured as possible? 
Including the source zone?

I understand that if I start registering devices on either the C or E I will 
need to create additional rules, but I’m fine with that, that way I know 
exactly what’s going to hit.

What are others doing? What’s the best practice?


---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook



___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
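Lelio's question above (source:ANY versus a named source zone on the C) and Ryan's description of Call Policy as a prioritized Allow / Deny list can be illustrated with a small model. The following is an added example, not Expressway code or configuration and not from the thread: it evaluates constructed rules in priority order against constructed calls, and shows that a C rule restricted to the traversal zone does not route a call that arrived on another zone, whereas the same rule with source Any would. Zone names, URIs and rule names are made up.

```python
"""Priority-ordered call-policy / search-rule matching, simplified model.

Added example: not Expressway code or configuration and not from the
thread. It models the two ideas discussed above: rules are evaluated in
priority order with an explicit deny at the bottom, and each rule can be
restricted to a named source zone or accept ANY source. Zone names, URIs
and rule names below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # source_zone=ANY means the rule matches calls from every zone


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                # lower number is evaluated first
    source_zone: Optional[str]   # ANY or a named zone
    source_pattern: str          # regex, full match on the calling URI
    dest_pattern: str            # regex, full match on the called URI
    action: str                  # e.g. "allow", "deny", "route:<zone>"


@dataclass(frozen=True)
class Call:
    source_zone: str
    source_uri: str
    dest_uri: str


def matches(rule: Rule, call: Call) -> bool:
    """A rule matches when its zone restriction (if any) and both regexes hit."""
    if rule.source_zone is not ANY and rule.source_zone != call.source_zone:
        return False
    return (re.fullmatch(rule.source_pattern, call.source_uri, re.I) is not None
            and re.fullmatch(rule.dest_pattern, call.dest_uri, re.I) is not None)


def decide(rules: List[Rule], call: Call) -> Tuple[str, str]:
    """First matching rule in priority order wins; no match means the call is dropped."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, call):
            return rule.action, rule.name
    return "deny", "no matching rule"


# Expressway-E policy in the shape Lelio describes: Webex inbound from ANY,
# outbound only from the C traversal zone, explicit deny last.
E_RULES = [
    Rule("Inbound from Webex", 10, ANY, r".+@.+\.webex\.com", r".+@acme\.com", "allow"),
    Rule("Outbound via traversal", 20, "TraversalZone-C", r".+@acme\.com", r".+", "allow"),
    Rule("Deny everything else", 100, ANY, r".*", r".*", "deny"),
]

# Two versions of the Expressway-C rule that forwards inbound calls to CUCM.
C_RULE_ANY_SOURCE = [
    Rule("To CUCM (source Any)", 10, ANY, r".+", r".+@acme\.com", "route:CUCM-Neighbor"),
]
C_RULE_NAMED_ZONE = [
    Rule("To CUCM (named zone)", 10, "TraversalZone-E", r".+", r".+@acme\.com", "route:CUCM-Neighbor"),
]

# Constructed calls.
WEBEX_INBOUND = Call("DNSZone", "meet123@m.webex.com", "alice@acme.com")
UNKNOWN_INBOUND = Call("DNSZone", "unknown@example.net", "alice@acme.com")
OUTBOUND = Call("TraversalZone-C", "alice@acme.com", "bob@partner.example")
# A call that reached the C on its Default Zone, i.e. not via the E traversal zone.
FROM_DEFAULT_ZONE = Call("DefaultZone", "stray@acme.com", "alice@acme.com")

if __name__ == "__main__":
    for call in (WEBEX_INBOUND, UNKNOWN_INBOUND, OUTBOUND):
        print("E:", call.source_zone, call.source_uri, "->", decide(E_RULES, call))
    print("C any-source :", decide(C_RULE_ANY_SOURCE, FROM_DEFAULT_ZONE))
    print("C named-zone :", decide(C_RULE_NAMED_ZONE, FROM_DEFAULT_ZONE))
```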

Re: [cisco-voip] Expressway Search Rules - Source:Any -or- Source-Named Zone

2018-09-13 Thread Ryan Huff
The source for the E’s traversal zone only needs to be ‘ANY’ if it truly needs 
to be. I’ve deployed several scenarios where the business only wanted to 
receive B2B calls from other things on its own domain (or a few domains strung 
together in regex).

Also, using the Call Policy engine (under the Configuration menu) or the more 
in-depth CPL (Call Processing Language) is a great way to block obviously 
fraudulent dials by source, target or zone (Ex. source URI: deny 
cl...@nose.com).

I prefer to use the standard Call Policy rules in the GUI, which is more 
akin to a prioritized Allow / Deny ACL.

CPL on the other hand (located in the same GUI menu section) is a more robust 
way of using call policies and is really only needed for advanced Call handling.

Call Processing Language is referenced on page 324: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

Call Policy is referenced on page 168: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

The Firewall rules are useful for only allowing administrative services to a 
particular subnet (System / Protection / Firewall Rules) if you need to leave 
HTTPS and SSH exposed to a non-secure network (this is less about toll fraud 
than it is general security).

The firewall rules are referenced on page 28: 
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

As with any system exposed to the Internet, turn off any services and protocols 
not in use (Ex. Turn off UDP support if you’re not using it ... etc).

Thanks,

Ryan

On Sep 13, 2018, at 11:12, Lelio Fulgenzi <le...@uoguelph.ca> wrote:


Curious – what are people doing with their search rules? I’ve got a search rule 
for calls coming from the ‘net into E and then to C all good, but just 
wondering, I know the search rule on E has to be source:ANY because it’s coming 
from the net, but what about the search rule on C? Shouldn’t it be source:named 
zone (and pick C-to-E traversal zone) to be sure that nothing else hits it?

Same goes for say rules that I use to send calls all the way from CUCM to C to 
E to DNS Zone. Shouldn’t my rules be as specifically configured as possible? 
Including the source zone?

I understand that if I start registering devices on either the C or E I will 
need to create additional rules, but I’m fine with that, that way I know 
exactly what’s going to hit.

What are others doing? What’s the best practice?


---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook



___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


[cisco-voip] Expressway Search Rules - Source:Any -or- Source-Named Zone

2018-09-13 Thread Lelio Fulgenzi

Curious - what are people doing with their search rules? I've got a search rule 
for calls coming from the 'net into E and then to C all good, but just 
wondering, I know the search rule on E has to be source:ANY because it's coming 
from the net, but what about the search rule on C? Shouldn't it be source:named 
zone (and pick C-to-E traversal zone) to be sure that nothing else hits it?

Same goes for say rules that I use to send calls all the way from CUCM to C to 
E to DNS Zone. Shouldn't my rules be as specifically configured as possible? 
Including the source zone?

I understand that if I start registering devices on either the C or E I will 
need to create additional rules, but I'm fine with that, that way I know 
exactly what's going to hit.

What are others doing? What's the best practice?


---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | le...@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] CUBE setup to Centurylink SIP Trunk

2018-09-13 Thread Brian Meade
This is probably their Level3 SIP Service they bought out which is much
better.

On Wed, Sep 12, 2018 at 8:51 PM Anthony Holloway <avholloway+cisco-v...@gmail.com> wrote:

> That's interesting, I just performed the turn up of some CL SIP trunks
> this month, and it was multi-tenant registrations on my CUBE with all the
> SIP profile and config bloat.  Lucky you.
>
> On Wed, Sep 12, 2018 at 7:38 PM Jason Aarons (Americas) <jason.aar...@dimensiondata.com> wrote:
>
>>
>> I have a new CenturyLink SIP Service.  CenturyLink said it is new and
>> doesn't match the Cisco guides.  (No more of the funky registrar and fixup
>> headers via SIP profiles!)
>>
>>
>> In short in CUBE they want me to send calls to them per these settings;
>>
>> SIP Signaling IP 6.6.156.245:5060
>>
>> RTP IP 6.6.156.244
>>
>> I'm just drawing a blank on how to setup CUBE to send SIP signaling
>> requests to CenturyLink with different Signaling and RTP destination
>> addresses.  Don't I just send session target ipv4:X.X.156.245:5060 and the
>> SDP takes care of the RTP negotiation part?  Do I really care in my CUBE
>> what their RTP address is?
>>
>> -jason
>>
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] TMS Phonebooks and Spark Room Kit Plus on CUCM

2018-09-13 Thread Ryan Ratliff (rratliff) via cisco-voip
Please open a TAC SR.

That bug wasn’t able to be reproduced so your info could help get it resolved.

Thanks,

-Ryan

On Sep 13, 2018, at 2:30 AM, Dana Tong <dana.t...@yellit.com.au> wrote:

Hi all,


My Room Kit Plus isn’t getting its TMS Phonebook (I have a bunch of custom 
lists) and I found the following:

I have set the option to NO (which is the workaround) but the problem still 
exists. The software is TMS 15.7 and the CUCM is 12.x.
I’ve reset the endpoint and the TMS server but it’s still not putting to the 
endpoint.

Cheers
Dana

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf53020

Cisco Bug: CSCvf53020 - TMS doesn't push phonebook to spark room kit
Last Modified: Feb 25, 2018
Products (1): Cisco TelePresence Management Server
Known Affected Releases: 15.5

Description (partial)
Symptom:
When route phone book entries is set to yes, TMS doesn't send SIP phone book 
entries to spark room kit endpoint.

If route phone book entries is set to no, then all phonebook entries are 
populated (SIP and H323 entries).

Conditions:
TMS 15.5.0
Spark room kit registered to CUCM
TMS Route phone book entries is set to yes

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip