Cisco TelePresence MCU Series 4.4(3.49) Software Maintenance Release Notes
April 2013

Contents
  Product documentation
  New features in 4.4
  Resolved issues
  Open issues
  Limitations
  Interoperability
  Updating to 4.4
  Using the Bug Search Tool
  Getting help
  Appendix: Mutual authentication connections and certificate identity requirements
  Appendix: Transitioning to certificate-based security
  Document revision history

Product documentation
Version 4.4(3.
- Cisco TelePresence MCU MSE 8420 Getting started
- Cisco TelePresence MCU MSE 8510 Getting started

New features in 4.4
Version 4.4 introduces a number of new security measures such as better password management, mutual authentication, certificate-based login, and optional Online Certificate Status Protocol (OCSP) validation of client certificates for HTTPS connections.
the client to authenticate with the certificate. In all other cases, the MCU will reject the certificate and prevent authentication. The MCU always uses its known OCSP server and does not check any OCSP servers specified by the client certificate. The feature is configurable to include a nonce. Static Certificate Revocation Lists are not supported.
Effect of certificate-based authentication on the API
If certificate-based authentication is allowed (option 3 above), the standard authentication parameters (authenticationUser and authenticationPassword) are required in API messages only if the client certificate is insufficient for login purposes.
Video to use by default
You can now configure a participant to display a different participant's video source by default. The MCU shows the replacement video by default whenever the original participant's video would previously have been shown. For example, if the original participant becomes the active speaker, then by default the replacement video becomes the most prominent pane in the layout.
Additional QoS (quality of service) functionality
The MCU can now tag all outgoing traffic with configurable QoS (quality of service) information. This applies to both Ethernet ports on the MCU, whether on IPv4 or IPv6 networks.
Resolved issues
Identifier    Description
CSCue03922    In previous releases, when the MCU received invalid RTCP messages, it would print error messages at a very high rate in the event/serial log which added extra load to the host processor. In this release, the error messages are rate limited so that the MCU host processor is not overwhelmed with printing hundreds of error messages.
CSCue08737    In previous releases, a customer MCU 4500 experienced an unexpected restart when encoding an H.
Resolved since 4.3(2.32)
Identifier    Description
CSCud59266    In previous releases, in rare circumstances the MCU could experience an unexpected restart if invalid bitstream was sent to the DSP and the exit message would show an sse validate failure error. This is resolved in this release.
CSCtz69347    In previous releases, MCU 4200 Series models could experience an unexpected restart when the maximum MTU size was set to 400 bytes or lower. This is resolved in this release.
Identifier    Description
CSCty77949    In previous releases, when attempts were made to overwrite a valid auto attendant banner image with an invalid image, the MCU might not subsequently have been able to delete the valid banner image when a user deleted the associated auto attendant. This led to a situation where all the auto attendant banner storage space was used, but the images could not be deleted – preventing further banner image uploads. This is resolved in this release.
Identifier    Description
CSCuc41501    MCU 4500 Series and MCU 4200 Series models are unable to register with their internal gatekeepers using their global IPv6 addresses. The workaround for this issue is to use an IPv6 loopback address [::1] rather than the global IPv6 address.

Limitations
Downgrade without restore causes username inconsistency after upgrade
When you downgrade from MCU 4.4 to MCU 4.3 or earlier, change a username, then upgrade to 4.4 again, that username's original 4.
Issues when removing the CompactFlash™ during operation
Removing the CompactFlash card while the MCU is in operation has been known to cause a restart.

Windows Media Player
Streaming a conference with Windows Media Player in multiple windows or tabs on the same browser will crash the browser. This is a known issue with Windows Media Player. If you need to stream more than one conference simultaneously, use a different player such as QuickTime or Real Player.
of the raw IPv6 address. This issue is being tracked by Mozilla as bug 633001.

Automatic link-local IPv6 assignment on disabled interface
When you enable IPv6 on any of the device's Ethernet ports (Network > Port A or Network > Port B), the device automatically assigns a link-local IPv6 address to each Ethernet port, even if the port is disabled. An IP address that is assigned to a disabled Ethernet port may not be apparent on the web interface.
Interoperability
We endeavor to make the MCU interoperable with all relevant standards-based equipment. While it is not possible to test all scenarios, the testing that the data below is based on covers all the most common functions of the listed endpoints and infrastructure. Version 4.4 of the MCU software was used for this interoperability testing.
Note: Unless otherwise stated, Cisco Unified Communications Manager (CUCM) version 9.0.
Cisco TelePresence System 1300 Series 1.9.2(19)
Cisco TelePresence System 500-37 1.9.2(19)
Cisco TelePresence System 500-32 1.9.2(19)
Tested CUCM to VCS and CUCM to MCU.
Cisco Unified Video Advantage 2.2(2)
Cisco Jabber Video for TelePresence (Windows) 4.5(16582)
Cisco Jabber Video for TelePresence (Mac OSX) 4.5(16582)
- The CTS 1300-47 endpoint does not respond properly to commands to mute/unmute audio/video from MCU.
Cisco UC Integration (TM) for Microsoft Lync 8.5 (229.20137)
Tested CUCM to VCS and CUCM to MCU.
Cisco Unified Personal Communicator 8.6.3.20802-1.2.148
Cisco Jabber for Windows 9.0.5 (11368)
Tested CUCM to VCS and CUCM to MCU.
Cisco Jabber for iPad 9.1 (20014)
Tested SIP and SIP to H.323 interworking.
Cisco Unified IP Phone 9971 9-3-1-33
Tested CUCM to VCS and CUCM to MCU.
- Pressing hold resume on the endpoint may result in lower resolution video transmission from the MCU.
PCS-G50 PCS-XG80 2.72 2.36
Tested H.323 and H.323 to SIP interworking.
- At low bandwidths this endpoint may not handle audio properly. You can mitigate this by disabling AAC codec for this endpoint.
- The endpoint does not correctly signal a deliberate disconnection, so the MCU treats it as an unexpected disconnection and may redial if configured to redial on unexpected disconnections.
Tested H.323 and SIP.
- An H.
VVX 1500 4.0.2.11307
Tested H.323 and SIP.
- Due to inaccurate timestamps sent by this endpoint, lip synchronization cannot be guaranteed.
- When calling over SIP, this endpoint only supports the first audio and video codecs that it advertises. If the MCU chooses a different audio or video codec from the advertised set, the endpoint may not be able to decode the audio or video from the MCU.
- The endpoint does not respond properly to commands to mute/unmute audio/video from MCU.
Cisco Unified Communications Manager Cisco TelePresence Content Server 9.0.1 S5.3
- Calls from Cisco Unified IP Phone 9971 via the CUCM to VCS path result in no audio/video from the endpoint (CSCub97604).
- 60fps capable endpoints may not be able to negotiate 60fps with the MCU when the call is made via the CUCM to VCS path.
- CUCM may not correctly respond to mid-call renegotiation from the MXP on a call to the MCU via the CUCM to MCU path (CSCtx16122).
Tested H.323 and SIP.
Updating to 4.4
- The administrator user name and password for the backup file.
- If your deployment uses CDR data, make sure that all CDR data has been downloaded and saved.

CAUTION: You must back up the MCU configuration (the configuration.xml file) before you upgrade the software. This release reformats the configuration file in a way that is not compatible with earlier software versions, including changes to all existing user IDs.
6. Click Upload software image. A progress bar is displayed in a separate pop-up window while the web browser uploads the file to the MCU. This takes some time – dependent on your network connection. Do not navigate away from or refresh the Upgrade software page during the upload process; otherwise, it will abort. After a number of minutes, the web browser refreshes automatically and displays “Main image upload completed successfully”.
7. Click Close Status window.
8.
1. Go to Settings > Upgrade.
2. In the Restore configuration area, locate a configuration.xml file that is compatible with the release to which you want to downgrade.
3. Check the User settings check box.
4. If required, check the Network settings check box.
5. Click Restore backup file.
6. When the configuration has been restored, follow the instructions as detailed in Upgrade instructions [p.19].
Appendix: Mutual authentication connections and certificate identity requirements

Local certificate
The MCU can only have one local certificate. In all cases where the MCU needs to present a certificate to another party, the MCU uses the certificate listed in the Local certificate section of the Network > SSL certificates page.
Incoming SIP calls (MCU acting as a server)
The MCU performs a SIP TLS handshake with the calling party, and the parties must be able to verify each other's certificates. The MCU verifies that the received certificate is trusted by checking against its SIP trust store. The certificate must be signed by an authority that is in the MCU's SIP trust store.
Appendix: Transitioning to certificate-based security
Certificate-based security methods carry a risk of inadvertently blocking all login access to the MCU. (If problems occur with the client certificate or the trust store, you will need to fall back to HTTP. If you cannot fall back—because HTTP is disabled or because HTTP to HTTPS redirection is set—then all access methods will be blocked.
1. Ensure that an appropriate HTTPS trust store has been installed on the MCU (Network > SSL certificates).
2. Go to Network > Services and enable both HTTP and HTTPS.
3. Go to Settings > Security and disable Redirect HTTP requests to HTTPS. This ensures that you can fall back to HTTP if problems occur.
4. Go to Network > SSL certificates.
   a. Scroll to the Online certificate status protocol (OCSP) section.
   b. Set Certificate to check to HTTPS client certificates.
   c.
Document revision history
Date          Revision    Description
April 2013    17          Maintenance release version.
Cisco TelePresence MCU 4.4(3.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.