114
D14049.04
JULY 2008
Grey Headline (continued)
TANDBERG VIDEO COMMUNICATIONS SERVER
ADMINISTRATOR GUIDE
Introduction Getting Started
Overview and
Status
System
Conguration
VCS
Conguration
Zones and
Neighbors
Call
Processing
Bandwidth
Control
Firewall
Traversal
Appendices
Applications Maintenance
Call Policy
The VCS allows you to set up a set of rules to control which calls
are allowed, which calls are rejected, and which calls are to be
redirected to a different destination. These rules are known as
Call Policy, or Administrator Policy
If Administrator Policy is enabled and has been congured, each
time a call is made the VCS will execute the policy in order to
decide, based on the source and destination of the call, whether
to
proxy the call to its original destination
•
redirect the call to a different destination or set of
•
destinations
reject the call.
•
You can set up an Administrator Policy in either of two ways:
by
•
conguring basic administrator policy using the web
interface. (Note that this will only allow you to Allow or Reject
specied calls)
by
•
uploading a script written in the Call Processing Language
(CPL).
Administrator Policy uses the source and destination of a call to determine the action to be taken. Policy interacts with Authentication
when considering the source alias of the call. If your VCS is part of a secure environment, any policy decisions based on the source
of the call should only be made when that source can be authenticated. Whether or not the VCS considers an endpoint to be
authenticated depends on the Authentication Mode setting of the VCS.
Authentication Mode On
When Authentication Mode is set to On on the VCS, all endpoints and neighbors are required to authenticate with it before calls
will be accepted. If a call is received from an unauthenticated source (e.g. neighbor or endpoint) the call’s source aliases will
be removed from the call request and replaced with an empty eld before the Administrator Policy is executed. This is because
there is a possibility that the source aliases could be forged and therefore they should not be used for policy decisions in a secure
environment. This means that, when Authentication Mode is On and you congure policy based on the source alias, it will only apply to
authenticated sources.
The VCS determines whether or not an endpoint is authenticated as follows:
H.323
An H.323 endpoint is considered to be authenticated if either of the following conditions apply:
it is a locally registered endpoint. (Because Authentication Mode is On, the registration will have been accepted only after the
•
endpoint authenticated successfully with the VCS.)
it is a remote endpoint that is registered to and authenticated with a Neighbor VCS, and that Neighbor in turn has authenticated
•
with the local VCS.
An H.323 endpoint is considered to be unauthenticated when:
it is a remote endpoint registered to a neighbor and that neighbor has not authenticated with the VCS. This is regardless of
•
whether or not the endpoint authenticated with the neighbor.
SIP
A SIP endpoint is considered to be authenticated when:
it falls within one of the domains for which the VCS is authoritative and has successfully responded to an authentication challenge.
•
A SIP endpoint is considered to be unauthenticated if any of the following conditions apply:
it does not fall within one of the domains for which the VCS is authoritative, or
•
it has failed to successfully respond to an authentication challenge, or
•
it has successfully responded to an authentication challenge but its
•
From or Reply-To addresses are not compatible with the alias
origin settings.
Authentication Mode Off
When Authentication Mode is set to Off on the VCS, calls will be accepted from any endpoint or neighbor. The assumption is that the
source alias is trusted, so authentication is not required.
About Call Policy
Only one of these two methods can be used at any one
time to specify Administrator Policy. If a CPL script has
been uploaded, this will disable use of the web interface
to congure administrator policy. In order to use the web
interface, you must delete the CPL script that has been
uploaded.
Use Administrator Policy to determine which callers can
make or receive calls via the VCS. Use Allow and Deny
lists to determine which aliases can or cannot register
with the VCS.
When enabled, Administrator Policy is executed for all
calls going through the VCS.
Administrator Policy and Authentication