So what is a VCS traversal zone?
A VCS traversal zone is pretty much a connection between a VCS Control (VCS-c) and a VCS Expressway (VCS-e), where the VCS-c is located on the inside (trusted) part of your network and the VCS-e is situated in your DMZ. The VCS-e is pretty much the point of entry into your network for external users to connect or make calls to your company's endpoints, and for Business to Business calls using URI dialing. The word "traversal" indicates that the connection between the two VCSs traverses a firewall.
A traversal zone is also a requirement if you want to deploy Mobile and Remote Jabber (MRA).
First of all, this post will discuss SIP only, because who in the right frame of mind would use H323, right!?
First, start by opening the required ports on your firewall to allow the required communication between the two VCSs. Cisco has an excellent document that describes this in detail:
In order for a VCS-c (traversal client) and a VCS-e (traversal server) to communicate by means of a traversal zone, the VCS-e listens on TCP port 7001 and pretty much sits and waits for the VCS-c to talk to it on that port. 9 out of 10 times this means zero configuration on the firewall, because the traffic is initiated from the inside by the VCS-c and the VCS-e just responds.
Certificates for TLS
It is important that you get this step right. A lot of issues with traversal zones not establishing and calls not working across them are caused by incorrect certs or certs not being uploaded completely or properly. So create the following certs:
VCS-c: internal cert (Cert A), signed by your internal CA (Cert B, the CA's self-signed cert)
VCS-e: external cert (Cert C, signed by a public CA such as RapidSSL, containing the FQDN of the VCS-e server), and all root and intermediate CA certs of that chain (Certs D).
- Upload Certs B and D into your VCS-e trusted CA store (Maintenance > Security certificates > Trusted CA certificate). Cert C, the public CA signed cert for the VCS-e, gets uploaded under Maintenance > Security certificates > Server certificate > Upload server certificate.
- Upload Certs D and B into your VCS-c trusted CA store (Maintenance > Security certificates > Trusted CA certificate). Cert A, the internal CA signed cert for the VCS-c, gets uploaded under Maintenance > Security certificates > Server certificate > Upload server certificate.
I can't stress this enough: take your time doing this, as not doing it properly can cost a lot of post-implementation troubleshooting time if it fails (believe me, I've been there). If you do run into issues, use the client certificate testing tool under Maintenance > Security certificates > Client certificate testing tool.
So now back to the actual config of the traversal zone, the previous steps were just prep work.
I prefer to configure the VCS-e (traversal server) side of the traversal zone first.
Firstly, log on to your VCS-e and create a user ID and password that the VCS-c can authenticate its traversal zone against: go to Configuration > Authentication > Devices > Local DB. Create a user ID and password and make sure you take a note of them, because you will need the creds later on the VCS-c.
Now go to Configuration > Zones > Create new zone and choose Type = Traversal server.
Fill out the username that you created in the previous step. The port is 7001 and the transport is TLS (which is the default).
The TLS verify subject name is the FQDN of your VCS-e as it appears in the Subject of the VCS-e's X.509 certificate (make sure you have all your certs uploaded).
Fig. 1: VCS-e traversal zone config
Now go to your VCS-c: Configuration > Zones > Create new zone and choose Type = Traversal client.
Fig. 2: VCS-e traversal zone config
Once you have configured both ends of the traversal zone, the VCS-e should be shown as GREEN on the VCS-c and connected to port 7001 (see Fig. 2).
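If the zone stays red, the usual suspects are the cert chain (Certs B/D not uploaded to the VCS-c) or a TLS verify subject name that does not match what the VCS-e actually presents. The script below is an added example, not part of the original post or of Cisco's tooling: it connects from the inside to the VCS-e on port 7001, verifies the chain against the same CA bundle you uploaded to the VCS-c, and then checks the presented SAN/CN against the FQDN you typed into the zone. The host, FQDN and CA file names are placeholders.

```python
import socket
import ssl

TRAVERSAL_PORT = 7001  # port the VCS-e (traversal server) listens on


def cert_dns_names(cert):
    """Return the DNS names of a getpeercert()-style dict: SAN entries first,
    falling back to the subject CN only when the cert has no SAN at all."""
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(cert, expected_fqdn):
    """True if expected_fqdn (the zone's TLS verify subject name) matches a
    presented name; a single-label wildcard such as *.example.com is honoured."""
    host = expected_fqdn.lower().rstrip(".")
    for name in cert_dns_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def probe_traversal_server(host, expected_fqdn, cafile, port=TRAVERSAL_PORT, timeout=5):
    """Open a TLS session to the VCS-e traversal port and classify the result:
    'ok'      chain verifies against cafile and the name matches
    'chain'   the presented cert does not chain to the CAs in cafile
    'name'    chain is fine but the cert does not carry expected_fqdn
    'connect' no TLS session at all (firewall, wrong host/port, service down)"""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name mismatch is reported by us, not raised by ssl
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "chain"
    except (OSError, ssl.SSLError):
        return "connect"
    return "ok" if name_matches(cert, expected_fqdn) else "name"


if __name__ == "__main__":  # placeholder values; replace with your own
    print(probe_traversal_server("vcse.example.com", "vcse.example.com", "certs_B_and_D.pem"))
```

Run it from the VCS-c's network segment so the result reflects the same firewall path the traversal zone uses.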
Of course the traversal zone is no good if nothing points to it, so you will need to point a search rule at it to actually direct calls across the traversal zone.
On your VCS-c you need a search rule that points all calls directed to external URIs (pretty much everything that is not within one of your company's domain names) to the traversal zone. It's very much like a default route towards the internet. As per below:
In reverse, on the VCS-e you need to create a search rule pointing across the traversal zone for your own domain, for instance *@domainname.com.