Samstag, 16. Oktober 2010

Auto Configuration for SCCP VGs

a lot of people don't know you can autoconfigure vg202s (and 204s and 224s) not only when using mgcp but also when using sccp.
Unfortunately it is not zero touch, so you need to put some commands in before deploying the device.

1.)Put the device into the ccm. Otherwise there won't be a config file on the TFTP to download for the device :-)

2.)device needs an ip, either via dhcp or statically. let's assume dhcp

3.)If you have set option 150 for the dhcp pool in quedtion you just need the following comminds
sccp local <interface>, e.g. sccp local fas 0/0
ccm-manager sccp

4.)if you don't have option 150 set or no dhcp you need to tell the box where the ccm is:
ccm-manager sccp
ccm-manager config server <tftp server>
that's it
works like a charm.
Eingestellt von um Keine Kommentare:

Sonntag, 10. Oktober 2010

CIsco umi, what to think of it

Last week cisco announced Cisco umi, a home "telepresence" system. There is a lot of discussion about wether the system will take off or not. This is mostly focussing on price (600$ for HW, 25$ a month for the service plan).
These are definitely valid points. Unfortunately the info on the product is still quite light at this point but the following interview with Martin de Beer is the best info I found:
http://techcrunch.com/2010/10/07/cisco-umi-korea/
The interview touches some interesting topics (healthcare services via umi, interesting for rural areas) and shows some more strategy for the product ( a consumer device beachead for cisco). The Korea tie in is also of interest.

Still, as a voice and video professional i feel i need to point one thing out:

umi is a 600$ (if factoring in 1 year of service 900$) 1080p videoconferencing endpoint.

Let me repeat this:
A 1080p capable videoconferencing endpoint for under 1000$.

Crazy
I would love to see how much the unit actually costs from a manufacturing standpoint.
Eingestellt von um Keine Kommentare:

Samstag, 9. Oktober 2010

CIsco UCM Encryption: Scared of unplugging that USB Token?

So there are some ucm issues that pop up again and again.
One of those is a misunderstanding with regard to the Cisco Site Administrator Security Tokens (SAST) which is used to enable authentication and encryption for signalling and media on a cisco communications manager.
People tend to think you need to have those plugged into one of the UCMs (e.g. the publisher) to have encryption working. This is not the case.

The SAS tokens are actually just cisco branded aladdin security tokens which contain a security certificate rooted by a cisco manufacturing CA. You use the tokens with the Certificate Trust List Client (CTL Client) which can be downloaded from the Application, Plugin pages on the UCM Web interface.
The Cisco CTL Client has to be installed on a windows PC(!) which has access to the callmanager servers (!, notice the plural here).
Once you have installed the client you can switch the cluster to mixed mode, therefore allowing  both encrypted connection as well as unencrypted connections.

When you do this you will be prompted to a.)Enter a UCM Administrator password and b.)to insert 2 security tokens during the install.
The role of the tokens is quite clear once one understands what the CTL Client does. The CTL clients generates the certificate trust list (CTL) that is downloaded by phones. The CTL specifies all the certificates, that the IP phone trusts and will accept for connections.
So this means callmanager service certificates and tftp server certificates. If you are using TLS proxy you would also add the certs of the firewalls acting as TLS proxies.

When a "virgin" IP phones connects to a cluster it will at first accept any CTL. But once it has downloaded a CTL it will only accept a CTL that was signed by a certificate that is contained in the already installed CTL of the phone.

So this is what the tokens are atually for:
1.)One of the Security Tokens signs the CTL
2.)The phone will only accept a CTL that was signed by a token that it already knows (meaning it is part of the CTL)

So by adding 2 or more (I use 4 tokens for large installations) to the CTL you ensure that you have a token with which you can generate a new CTL that will be accepted by the rolled out phones. If you lose one of those tokens it is not a big deal since you can use another one and add a new token to the CTL.

When you finished the process of uploading the new CTL your job is done, the Callmanagers will be able to hand out certificates via CAPF and CTLs via the CTL providers without needed the tokens during normal operations.
You don't need the tokens in the servers. Actually they don't serve any purpose there (you can't even enter the security pw for the token on ucm).

Where does the misunderstand about the tokens then come from?
2 Sources:
1.)When we originally got the encryption feature it was on UCM 4.0. Everyone was running the CTL client directly on the windows based server. Therefore it seemed kind of logical to just leave the token plugged into the server...
2.)This: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802d1c31.html
the advisory says: "Cisco recommends that you store the security tokens in a location that you will remember. If you want to do so, keep one security token in the USB port at all times."
So it seems someone just thought the usb port of the server is a good place to store the tokens. 
Eingestellt von um Keine Kommentare:

What a stupid idea

Now where am I going to take the time for filling this blog?
Eingestellt von um Keine Kommentare:
Abonnieren Posts (Atom)