Appendix 13 – Cisco VCS and hardware load balancers in front of a bank of FEPs
If Host Authorization is set to IP, the FEP checks that the source IP address of each incoming
message matches an authorized IP address; messages that do not match are rejected.
If Host Authorization is set to FQDN, the connection to OCS must be TLS, and that link must
use certificates that authenticate that the connection comes from the stated FQDN. (A certificate
can be generated on the OCS system or created externally. It must then be processed and
loaded onto Cisco VCS; see “Cisco VCS deployment guide - Certificate creation and use with Cisco
VCS”.)
For outbound messaging from OCS (to non-registered devices), a static route needs to be set up.
If TLS is chosen the destination must be specified as an FQDN.
If the link is set up as TCP the destination must be specified as an IP address.
In SIP signaling, the messaging from endpoints registered to Cisco VCS communicating with OCS
contains route headers that direct responses to the Cisco VCS – bypassing the HLB. If the Cisco VCS
is in the same subnet as the FEPs and the HLB, the FEPs route the SIP messages directly back to the
Cisco VCS rather than through the HLB.
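
The rules above can be checked against a planned configuration before it is entered on the Cisco VCS and the FEPs. The following Python sketch is an added example, not part of the Cisco guide; the dictionary layout, field names, finding codes and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_fqdn(value):
    """Loose check: a dotted name that is not an IP literal."""
    return "." in value.strip(".") and not is_ip(value)

def check_plan(plan):
    """Return (code, message) findings for a planned VCS-to-OCS link.
    The plan layout is hypothetical, not a Cisco or Microsoft format."""
    findings = []
    auth = plan["host_authorization"]
    transport = plan["transport"].upper()
    dest = plan["static_route_destination"]
    # FQDN authorization relies on the TLS certificate to prove the peer's name.
    if auth == "FQDN" and transport != "TLS":
        findings.append(("AUTH_FQDN_NEEDS_TLS", "FQDN authorization requires TLS"))
    # IP authorization matches source addresses, so every entry must be an IP.
    if auth == "IP":
        for host in plan["authorized_hosts"]:
            if not is_ip(host):
                findings.append(("AUTH_IP_NOT_ADDRESS", f"{host} is not an IP address"))
    # Static route for outbound messaging: TLS needs an FQDN, TCP needs an IP.
    if transport == "TLS" and not is_fqdn(dest):
        findings.append(("TLS_DEST_NOT_FQDN", f"{dest} must be an FQDN for TLS"))
    if transport == "TCP" and not is_ip(dest):
        findings.append(("TCP_DEST_NOT_IP", f"{dest} must be an IP address for TCP"))
    # Same subnet as FEPs and HLB: FEPs answer the VCS directly, not via the HLB.
    subnet = ipaddress.ip_network(plan["fep_hlb_subnet"])
    if ipaddress.ip_address(plan["vcs_ip"]) in subnet:
        findings.append(("HLB_BYPASSED_ON_RETURN", "FEPs reply directly to the VCS"))
    return findings

# Constructed sample plans (documentation address ranges, made-up names).
GOOD_TLS = {"host_authorization": "FQDN", "transport": "TLS",
            "authorized_hosts": ["vcs.example.com"], "vcs_ip": "192.0.2.20",
            "static_route_destination": "ocs-pool.example.com",
            "fep_hlb_subnet": "198.51.100.0/24"}
BAD_MIXED = dict(GOOD_TLS, transport="tcp", vcs_ip="198.51.100.5")

if __name__ == "__main__":
    for name, plan in (("GOOD_TLS", GOOD_TLS), ("BAD_MIXED", BAD_MIXED)):
        print(name, check_plan(plan))
```
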
TLS connection
When a TLS connection is made through the load balancer, the load balancer routes the whole TLS
stream through to the same destination device (FEP). If that FEP were to fail, the load balancer
would route the TLS traffic to an alternative FEP. Having all traffic routed to the same FEP is not a
disadvantage, because the majority of traffic into OCS is from MOC clients, and it is these that need
to be balanced across FEPs. The HLB provides the resilience required for the Cisco VCS: if an
FEP fails, Cisco VCS will be routed to another FEP. In fact, having all traffic go through a single
FEP makes the signaling path easier to follow if debugging is required.
Cisco VCS Deployment Guide: Microsoft OCS 2007 R1 and R2 and Cisco VCS X5.2