Configuring media encryption policy
The media encryption policy settings allow you to selectively add or remove media encryption capabilities for
SIP calls flowing through the VCS. This allows you to configure your system so that, for example, all traffic
arriving or leaving a VCS Expressway from the public internet is encrypted, but is unencrypted when in your
private network.
n
The policy is configured on a per zone/subzone basis and applies only to that leg of the call in/out of that
zone/subzone.
n
Encryption is applied to the SIP leg of the call, even if other legs are H.323.
Media encryption policy is configured through the
Media encryption mode
setting on each zone and
subzone, however the resulting encryption status of the call is also dependent on the encryption policy
settings of the target system (such as an endpoint or another VCS).
The encryption mode options are:
n
Force encrypted
: all media to and from the zone/subzone must be encrypted. If the target system/endpoint
is configured to not use encryption, then the call will be dropped.
n
Force unencrypted
: all media must be unencrypted. If the target system/endpoint is configured to use
encryption, then the call may be dropped; if it is configured to use
Best effort
then the call will fall back to
unencrypted media.
n
Best effort
: use encryption if available, otherwise fall back to unencrypted media.
n
Auto
: no specific media encryption policy is applied by the VCS. Media encryption is purely dependent on
the target system/endpoint requests. This is the default behavior and is equivalent to how the VCS
operated before this feature was introduced.
Encryption policy (any encryption setting other than
Auto
) is applied to a call by routing it through a back-to-
back user agent (B2BUA) hosted on the VCS.
When configuring your system to use media encryption you should note that:
n
Any zone with an encryption mode of
Force encrypted
or
Force unencrypted
must be configured as a SIP-
only zone (H.323 must be disabled on that zone).
n
TLS transport must be enabled if an encryption mode of
Force encrypted
or
Best effort
is required.
n
The call component routed through the B2BUA can be identified in the call history details as having a
component type of
Encryption B2BUA
.
n
As the B2BUA must take the media, each call is classified as a traversal call and thus consumes a
traversal call license.
n
There is a limit per VCS of 100 simultaneous calls (500 calls on Large VM servers) that can have a media
encryption policy applied.
n
The B2BUA can also be invoked when
ICE messaging support
is enabled.
n
You should not configure a VCS for SIP media encryption if that same VCS is also configured for static
NAT. If you do so, the private IP address will be sent in the SDP rather than the static NAT address and
this will cause calls to fail.
Note that the recommended configuration for VCS Control with VCS Expressway deployments is to:
l
configure the same media encryption policy setting on the traversal client zone on VCS Control, the
traversal server zone on VCS Expressway, and every zone and subzone on VCS Expressway
l
use static NAT on the VCS Expressway only
With this configuration the encryption B2BUA will be enabled on the VCS Control only.
Cisco VCS Administrator Guide (X8.1.1)
Page 135 of 507
Zones and neighbors
Configuring media encryption policy