Collaboration Edge
Mobile and Remote
Access
Philip Smeuninx
Technical Leader Services
psmeunin@cisco.com
BRKCOL-2021
BRKCOL-2021 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• Mobile and Remote Access Deployment
• Mobile and Remote Access Monitoring
• Mobile and Remote Access Tool Demo
• Mobile and Remote Access Jabber Registration
Mobile and
Remote Access
Deployment
Topology
[Diagram: Unified CM (CUCM), IM&P, Expressway-C, Expressway-E, Internet]
Mobile and Remote Access - Versions
Mobile and Remote Access
Configuration and Troubleshooting
• System configuration
• Firewall configuration
• Certificate configuration and deployment
• Traversal zone configuration
• UC server discovery
• DNS and domain configuration/deployment
Mobile and Remote access
System Configuration
System Configuration
• Set Unified Communications mode to ‘Mobile and remote access’ on E and C
• Check the Administrator guide for more help on system configuration topics
System Configuration - NTP
• When NTP is not configured and synchronized on Expressway-C and Expressway-E, Jabber telephony registration to CUCM may not succeed.
• The security mechanism is based on SIP SERVICE messages:
1. Expressway-E time-stamps a SERVICE message
2. Expressway-E sends the SERVICE message to Expressway-C
3. Expressway-C verifies that the SERVICE message is received within a 60-second error margin
System Configuration - DNS
• With X8.8+ : Expressway E must have forward and reverse DNS entries.
• Certificate CN validation through DNS reverse lookup.
Dual NIC Recommended Deployment
• Cons for Single NIC :
- NAT Reflection X8.5+
- Higher Bandwidth usage
[Diagram callouts: Requires NAT reflection; May require static routes]
Expressway Clustering - Primary
Primary Peer
Expressway Clustering - Secondary
ClusterName
Primary Peer
X8.9
Requires Restart
Expressway Service Setup
Mobile and Remote access
Firewall Configuration
Firewall Configuration
• What traffic does the firewall need to pass?
• HTTPS proxy for secure provisioning of endpoints
• SIP/TLS, RTP/SRTP for audio/video media
• XCP/XMPP for IM&P
• HTTPS Services
• Traversal Connection between ExpressWay-C and E
• SSH Tunnel : ClusterDB change notifications and HTTPS reverse proxy traffic
[Diagram: Unified CUP, Unified CM, Expressway-C, Expressway-E, Internet]
Expressway E – Demultiplexing media ports
• Small/medium deployment
ExpressWay C: 36000-59999
ExpressWay E: 36000-36001 or 2776-2777
Expressway E – Demultiplexing media ports
• For large systems new install
ExpressWay C: 36000-59999
ExpressWay E: 36000-36011
Firewall Setup
Port Status and Configuration
Expressway E Local Inbound Ports
Clustering
SIP Line
Traversal
Provisioning
XMPP Ext
XMPP Int
Expressway E Local Outbound Ports
Expressway E Remote Listening Ports
Expressway C Local Inbound Ports
Clustering
SIP Trunk
XMPP Int
Expressway C Local Outbound Ports
Expressway C Remote listening Ports
SIP Line
Traversal
XMPP
Mobile and Remote Access
Certificates
DX650/70/80 and 88XX/78XX
‘Certificate Authority Trust List’
• Pre-installed CA Trust list
• CA-Trust-List.docx
TFTP encrypted configuration file
• Jabber, DX, 78XX/88XX Out-of-the-box enrolment over MRA not supported.
• Requires CAPF operation
Expressway Certificates
• > Maintenance > Security Certificate > Server Certificate
Expressway Certificates
• > Maintenance > Security Certificate > Trusted CA Certificate
Expressway-C Certificate
Where is it used?
[Diagram: Unified CM (CUCM), IM&P, Expressway-C, Expressway-E, Internet; connection labels: SIP MTLS, Clustering]
Expressway-C Certificate Requirements
Extended Key Usage
1. TLS Web Server Authentication
2. TLS Web Client Authentication
[Diagram labels: SIP MTLS, Clustering MTLS, IM&P]
Expressway-C Certificate
Additional Requirements
ExpressWay-C Certificate Requirements
Expressway C CUP
Expressway C CUCM
Troubleshooting
CA Root not uploaded on ExpressWay E
• Traversal Zone State Failed
Troubleshooting
CA Root not uploaded on CUCM
• Softphone Registration fails (other will work) when endpoint security settings are authenticated or encrypted
• ExpressWay-C diagnostic logs
Troubleshooting
Security Profile added as SAN (CUCM trace)
• SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25002
SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25002 index 10 with 2994 bytes:[53,NET]
REGISTER sip:COLCM9PUB SIP/2.0…
…
//SIP/SIPHandler/ccbId=0/scbId=0/wait_SIPCertificateInd: could not find a trunk device using address or x509SubjectName calling findSIPStationInit
//SIP/SIPHandler/ccbId=0/scbId=0/findDeviceByX509Subject: x509Subject:xwayc.coluc.com, port:5061
//SIP/SIPHandler/ccbId=25/scbId=0/findDevicePID: Routed to SIPStationInit
…
SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS. Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]
…
SIPStationD(9) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next
…
SIPStationD(9) - validTLSConnection: Found matching SAN, SAN Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com;csf-secure, Expected=csf-secure
Troubleshooting
Security Profile not added as SAN (CUCM trace)
• SIPTcp - Connection Indication - Listen Port = 5061, Peer Port = 25004
SIPTcp - wait_SdlReadRsp: Incoming SIP TCP message from 10.48.55.98 on port 25004 index 10 with 2994 bytes:[53,NET]
REGISTER sip:COLCM9PUB SIP/2.0…
…
//SIP/SIPHandler/ccbId=0/scbId=0/wait_SIPCertificateInd: could not find a trunk device using address or x509SubjectName calling findSIPStationInit
//SIP/SIPHandler/ccbId=0/scbId=0/findDeviceByX509Subject: x509Subject:xwayc.coluc.com, port:5061
//SIP/SIPHandler/ccbId=25/scbId=0/findDevicePID: Routed to SIPStationInit
…
SIPStationInit: connId=10, CSFEWAYJ, 10.48.55.98:5061, Incoming register request received over TLS. Subject=[/C=BE/ST=BRABANT/L=DIEGEM/O=CISCO/OU=TAC/CN=xwayc.coluc.com]
…
SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate, Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next
…
SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate Error , did not find matching SAN either, Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com, Expected=csf-secure
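The two trace excerpts above differ only in the final validTLSConnection line. As an added example (not part of the original slides, and not Cisco code), this script pairs the CN check with the SAN check per SIPStationD instance and reports which name was missing from the presented certificate; the function and field names are assumptions, and the sample lines are the slide's own with line wraps joined.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the validTLSConnection lines of the two CUCM trace
# excerpts above, with the slide's line wraps joined.
TRACE_SAN_PRESENT = (
    "SIPStationD(9) - validTLSConnection:TLS InvalidX509NameInCertificate, "
    "Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next\n"
    "SIPStationD(9) - validTLSConnection: Found matching SAN, "
    "SAN Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com;csf-secure, "
    "Expected=csf-secure\n"
)
TRACE_SAN_MISSING = (
    "SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate, "
    "Rcvd=xwayc.coluc.com, Expected=CSFEWAYJ. Will check SAN the next\n"
    "SIPStationD(3) - validTLSConnection:TLS InvalidX509NameInCertificate Error , "
    "did not find matching SAN either, "
    "Rcvd=xwayc.coluc.com;conference-2-ecup9.coluc.com, Expected=csf-secure\n"
)

PREFIX = r"SIPStationD\((?P<pid>\d+)\) - validTLSConnection:\s*"
# Stage 1: CUCM compares the certificate CN with the device name.
CN_CHECK = re.compile(PREFIX + r"TLS InvalidX509NameInCertificate, "
                      r"Rcvd=(?P<cn>[^,]+), Expected=(?P<device>[^.\s]+)\.")
# Stage 2: CUCM looks for the expected name among the certificate SANs.
SAN_OK = re.compile(PREFIX + r"Found matching SAN, SAN Rcvd=(?P<sans>[^,]+), "
                    r"Expected=(?P<profile>\S+)")
SAN_FAIL = re.compile(PREFIX + r"TLS InvalidX509NameInCertificate Error\s*, "
                      r"did not find matching SAN either,\s*"
                      r"Rcvd=(?P<sans>[^,]+), Expected=(?P<profile>\S+)")


@dataclass
class Finding:
    pid: str                  # SIPStationD instance number from the trace
    device: Optional[str]     # device name CUCM compared with the CN
    peer_cn: Optional[str]    # CN of the certificate the peer presented
    sans: List[str]           # SANs CUCM read from that certificate
    expected: str             # name CUCM searched for in the SANs
    accepted: bool            # True when the SAN check passed

    @property
    def missing_san(self) -> Optional[str]:
        """Name that has to appear as a SAN for the check to pass."""
        return None if self.accepted else self.expected


def triage(trace: str) -> List[Finding]:
    pending: Dict[str, Dict[str, str]] = {}   # pid -> stage 1 details
    findings: List[Finding] = []
    for line in trace.splitlines():
        m = CN_CHECK.search(line)
        if m:
            pending[m["pid"]] = {"cn": m["cn"], "device": m["device"]}
            continue
        for pattern, accepted in ((SAN_OK, True), (SAN_FAIL, False)):
            m = pattern.search(line)
            if m:
                stage1 = pending.pop(m["pid"], {})
                findings.append(Finding(
                    pid=m["pid"], device=stage1.get("device"),
                    peer_cn=stage1.get("cn"), sans=m["sans"].split(";"),
                    expected=m["profile"], accepted=accepted))
                break
    return findings


if __name__ == "__main__":
    for f in triage(TRACE_SAN_PRESENT + TRACE_SAN_MISSING):
        state = "accepted" if f.accepted else f"rejected, SAN '{f.missing_san}' absent"
        print(f"{f.device} via {f.peer_cn}: {state} (SANs: {', '.join(f.sans)})")
```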
Expressway-E Certificate
Where is it used?
[Diagram: Unified CM (CUCM), IM&P, Expressway-C, Expressway-E, Internet; connection labels: Domain XMPP, XMPP TLS, HTTPS, SIP TLS, SIP MTLS, Clustering MTLS]
Expressway-E Certificate Requirements
Extended Key Usage
1. TLS Web Server Authentication
2. TLS Web Client Authentication
[Diagram labels: Internet, SIP TLS, SIP MTLS, Clustering, XMPP TLS, HTTPS]
Expressway-E Certificate
Additional Requirements
• Must be CA Signed
• Public CA
• CA Root which issued the certificate must be appended to “Trusted CA certificate” on both Expressways
ExpressWay-E Certificate Requirements
Expressway E Expressway C
Troubleshooting Certificates – Wireshark
decode as
Troubleshooting Certificates – Wireshark
TLS Handshake failure
• TCP Handshake
Client Hello
Server Hello, Server Certificate
Client Certificate
Server does not trust CA that signed client certificate
Troubleshooting Certificates – Wireshark
Certificate Export
Server cert.
Intermediate cert.
Root cert.
Mobile and Remote Access
Unified Communications Traversal Zone
Unified Communications Traversal Zone
• Expressway-E is traversal server in DMZ
• Expressway-C is traversal client inside the network
• Establish traversal link between both using traversal zone configuration
[Diagram: CUCM, Expressway-C (Traversal Client), Expressway-E (Traversal Server), Internet, Endpoint A, Endpoint B; legend: Traversal Link Management, Signal, Media Payload]
UC Traversal Zone
ExpressWay E – Traversal Server
» Select Type : Unified Communications traversal
UC Traversal Zone
ExpressWay C – Traversal Client
Select ‘Unified Communications Traversal’ as Type
Must resolve to the public IP address of Expressway E in a single NIC deployment
Zone Status
UC Traversal Zone
ExpressWay – SSH Tunnel
• SSH Tunnel – From Status > Unified Communications
Troubleshooting
Peer Address not matching CN
• Peer Address configured as IP address
• Peer Address/FQDN not matching CN
Troubleshooting Traversal Zone
Troubleshooting
Password incorrect
• Traversal Client will show for this zone
Password incorrect (contd.)
• ExpressWay C diagnostics logs
• ExpressWay E diagnostic logs
Module="network.ldap" Level="INFO": Detail="Authentication credential found in directory for identity: xway"
…
Module="developer.nomodule" Level="WARN" CodeLocation="ppcmains/sip/sipproxy/SipProxyAuthentication.cpp(686)" Method="SipProxyAuthentication::checkDigestSAResponse" Thread="0x7f2485cb0700": calculated response does not match supplied response, calculatedResponse=769c8f488f71eebdf28b61ab1dc9f5e9, response=319a0bb365decf98c1bb7b3ce350f6ec
…
Event="Authentication Failed" Service="SIP" Src-ip="10.48.55.98" Src-port="25723" Detail="Incorrect authentication credential for user" Protocol="TLS" Method="OPTIONS" Level="1"
Mobile and Remote Access
UC Server Discovery
CUCM Server Discovery
• Discovers hostname (processnodetable)
• Discovers version
• Discovers Cluster Security mode (Transport Protocols)
CUCM Server Discovery – TLS verify mode
OR (*)
Publisher address = FQDN MUST match SAN TOMCAT Certificate Publisher
(*) Only valid statement RFC 6125
No requirements for
TOMCAT Certificate Publisher
CUCM Server Discovery – Zone Configuration
TLS verify mode = On
‘CEtls-<UCMName>’ Zone:
- TLS Verify mode = On
- Peer Address must match CN or SAN
from Callmanager certificate
• CA or Expressway C certificate must be uploaded to Callmanager-trust store
• Verifies SIP TLS during discovery
CUCM Server Discovery – Search Rule
Configuration
• 1 Search Rule per node per transport protocol
• Pattern matching for header
Troubleshooting - Search Rule matching for Edge/MRA calls
|INVITE sip:2000@cucm10p.coluc.com;user=phone SIP/2.0
Via: SIP/2.0/TLS 10.48.55.93:7001;egress-zone=TraversalUC;branch=…
Via: SIP/2.0/TLS 10.48.55.106:52008;branch=z9hG4bK000073dc;received=10.48.55.106;ingress-zone=CollaborationEdgeZone
Call-ID: 0050568a-003a0004-0000592c-00003095@10.48.55.106
CSeq: 101 INVITE
Remote-Party-ID: "5445" <sip:5445@cucm10p.coluc.com>;party=calling;id-type=subscriber;privacy=off;screen=yes
Contact: <sip:1622b86e-bc3b-fa8c-66d3-2d7a96c892bf@10.48.55.106:52008;transport=tls>;video;bfcp
From: "5445" <sip:5445@cucm10p.coluc.com>;tag=0050568a003a000800006fdd-00006fe8
To: <sip:2000@cucm10p.coluc.com>
Max-Forwards: 10
Route: <sip:cucm10p.coluc.com;transport=tls;lr>
Record-Route: <sip:proxy-call-id=a8c00915-9391-463a-a99d-fd511ca1ed85@10.48.55.93:7001;transport=tls;lr;zone-id=1>
Record-Route: <sip:proxy-call-id=a8c00915-9391-463a-a99d-fd511ca1ed85@10.48.55.93:5061;transport=tls;lr>
Allow: ACK,BYE,CANCEL,INVITE,NOTIFY,OPTIONS,REFER,REGISTER,UPDATE,SUBSCRIBE,INFO
User-Agent: Cisco-CSF
….
Set by client based on :
• Device Pool
• Device Security mode
Troubleshooting - Different server Domain
expwayC.edge1.com colcm9pub.coluc.com
Recommended
Here colcm9pub.coluc.com
and colcm9sub1.coluc.com
Troubleshooting - Different server Domain
No DNS query is required as IP
address is used.
Will always show Active
Troubleshooting - Self Signed Certificates
• TLS verify + Self Signed CCM/Tomcat certificate
Either discovery will fail or TLS connections with CUCM will fail
Mobile and Remote Access
DNS and Domain
Domain Configuration
DNS Configuration
• System > DNS
Domain Configuration
ExpressWay C – Domain Configuration
• Configurations > Domains
ExpressWay – Mobile and Remote Access
Domain and DNS configuration
• Scenario 1
- Flat domain structure
- ExpressWay Servers : domain1.com
- UC servers : domain1.com
- IM&P domain : domain1.com
[Diagram: Jabber Client, External DNS, Expressway E, Expressway C, Internal DNS, CUCM Home UDS, IM&P Server; labels: cup.domain1.com, IM&P Domain = domain1.com]
Answer:
> System > DNS >
- System host name ‘xwayC’
- Domain name ‘domain1.com’
> Configuration > Domains >
- Domain ‘domain1.com’ enabled for:
‘UCM registrations’ and ‘IM and Presence’
ExpressWay – Mobile and Remote Access
Domain and DNS configuration
• Scenario 2
- Mixed domain structure
- Expressway servers : domain2.com
- UC and CUP servers : domain1.com
- IM&P domain : domain1.com (internal)
[Diagram: Jabber Client, External DNS, Expressway E, Expressway C, Internal DNS, CUCM Home UDS, IM&P Server; labels: cup.domain1.com, IM&P Domain = domain1.com]
Expressway E
HTTPMSG:
|GET https:///ZG9tYWluMi5jb20=/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1
Host: eft-xwye-b.external.com:8443
Authorization: xxxxx
Accept: */*
User-Agent: Jabber-Win-462
Decodes to
domain2.com
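The request above carries the service domain as a base64 path segment, with the host only in the Host header. As an added example (not from the original slides or from Cisco), this parser extracts the host, the decoded domain and the requested services from such an HTTPMSG entry and checks the domain against a list standing in for Configuration > Domains on Expressway C; that list and all function names are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the HTTPMSG request from the slide above
# (the Authorization value is elided on the slide and stays elided here).
HTTPMSG = (
    "|GET https:///ZG9tYWluMi5jb20=/get_edge_config"
    "?service_name=_cisco-uds&service_name=_cuplogin HTTP/1.1\n"
    "Host: eft-xwye-b.external.com:8443\n"
    "Authorization: xxxxx\n"
    "Accept: */*\n"
    "User-Agent: Jabber-Win-462\n"
)


def decode_domain_segment(segment: str) -> str:
    """Decode the base64 path segment that names the service domain."""
    padded = segment + "=" * (-len(segment) % 4)   # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode("ascii").lower()
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a base64 domain segment: {segment!r}") from exc


def parse_edge_config_request(message: str) -> dict:
    lines = message.strip().splitlines()
    # The log prefixes the request line with '|'.
    method, target, _version = lines[0].lstrip("|").split()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    segments = [s for s in url.path.split("/") if s]
    if len(segments) != 2 or segments[1] != "get_edge_config":
        raise ValueError(f"not a get_edge_config request: {target!r}")
    return {
        "method": method,
        # The logged URL has an empty authority, so fall back to Host.
        "host": url.netloc or headers.get("host", ""),
        "domain": decode_domain_segment(segments[0]),
        "services": parse_qs(url.query).get("service_name", []),
    }


def check_request(message: str, configured_domains) -> dict:
    """Add 'domain_configured': is the requested domain in the given list?"""
    request = parse_edge_config_request(message)
    allowed = {d.lower() for d in configured_domains}
    request["domain_configured"] = request["domain"] in allowed
    return request


if __name__ == "__main__":
    # Assumed domain lists: first without, then with domain2.com enabled.
    for domains in (["domain1.com"], ["domain1.com", "domain2.com"]):
        r = check_request(HTTPMSG, domains)
        print(domains, "->", r["domain"], r["services"], r["domain_configured"])
```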
Answer:
> System > DNS >
- System host name ‘xwayC’
- Domain name ‘domain2.com’
> Configuration > Domains >
- Domain ‘domain1.com’ enabled for ‘UCM registrations’ and ‘IM and Presence’
- Domain ‘domain2.com’ enabled for ‘UCM registrations’ and ‘IM and Presence’
ExpressWay (scenario 1&2)
Certificate Considerations
[Diagram: Jabber Client, External DNS, Expressway E, Expressway C, Internal DNS, CUCM Home UDS, IM&P Server; labels: cup.domain1.com, IM&P Domain = domain1.com, Prompt user]
SRV : _collab-edge._tls.cisco.com
Target : expresswaye.cisco.com
https://expresswaye.edge.cisco.com:8443/Y29sdWMuY29t/get_edge_config
-> Cookie domain : cisco.com
https://expresswaye.cisco.com:8443/Y29sdWMuY29t/get_edge_config
-> Cookie domain : ms.com
Mobile and
Remote Access
Monitoring & Tools
Unified Communications Status – Expressway E
Unified Communications Status – Expressway C
Unified Communications Status
Unified Communications Status (example1)
Alarms
DNS Lookup
Expressway Diagnostic Logs
• Diagnostics logs
Mobile and
Remote Access
Tool Demo
Mobile Remote Access
Jabber Registration
Jabber Diagnostics
Jabber Diagnostics - CTRL-SHIFT-D
Jabber Diagnostics – Edge Configuration
Service Configuration
• Which Expressway?
• Which CUCM?
• Which CUP?
• ….
[Diagram: eft-xwye-a.coluc.com, eft-xwye-b.coluc.com, eft-xwyc-a.coluc.com, eft-xwyc-b.coluc.com, ucm-pub1, ucm-sub1, CUP, CUC]
SIP REGISTER
Jabber: 198.18.2.37
exp-e-1.dcloud.cisco.com: 198.18.2.152 (external)
REGISTER sip:ucm-sub1.dcloud.cisco.com SIP/2.0
Via: SIP/2.0/TLS 198.18.2.37:51172;branch=z9hG4bK00001055
Call-ID: 005056b8-21130003-000062b1-000035fd@198.18.2.37
CSeq: 102 REGISTER
Contact: <sip:509764ed-5917-eb59-0bca-413a773223c9@198.18.2.37:51172;transport=tls>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-005056b82113>";+u.sip!devicename.ccm.cisco.com="cholland";+u.sip!model.ccm.cisco.com="503";video
From: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>;tag=005056b82113000200001174-0000712a
To: <sip:+19725555018@ucm-sub1.dcloud.cisco.com>
Max-Forwards: 70
Route: <sip:exp-e-1.dcloud.cisco.com;transport=tls;lr>,<sip:198.18.133.152:5061;transport=tls;zone-id=1;directed;lr>,<sip:ucm-sub1.dcloud.cisco.com;transport=tcp;lr>
User-Agent: Cisco-CSF
Expires: 3600
Date: Wed, 20 Apr 2016 10:00:24 GMT
Proxy-Authorization: Digest username="cholland", realm="exp-e-1.dcloud.cisco.com", uri="sip:ucm-sub1.dcloud.cisco.com", response="d8ad62d5f7555cd944f464b5d8f2a869", nonce="bc9fde6c224d6617f6dc4a6f8ae59a369c5f9ebcecb20220091dbf27ea75", opaque="AQAAAEXd5mTRpkTDUddWM/ttJLnZZuOd", cnonce="0000654b", qop=auth, nc=00000001, algorithm=MD5
Supported: replaces,join,sdp-anat,norefersub,resource-priority,extended-refer,…
Reason: SIP ;cause=200;text="cisco-alarm:25 Name=cholland ActiveLoad=Jabber_for_Windows-10.6.2 InactiveLoad=Jabber_for_Windows-10.6.2 Last=initialized"
Mime-Version: 1.0
Content-Type: multipart/mixed;boundary=uniqueBoundary
Content-Length: 1271
Slide callouts:
• Path for SIP responses to REGISTER request
• Contact = Jabber IP
• Route for SIP REGISTER
• After ‘SIP 407 Proxy Authentication Required’
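The Proxy-Authorization header in the REGISTER above and the "calculated response does not match supplied response" warning on the password-incorrect slide both involve a digest response check. As an added example (not code from the presentation or from Cisco), this script recomputes the response the RFC 2617 way for qop=auth and algorithm=MD5; the passwords, the constructed realm, URI and nonces, and all function names are assumptions, and only the copied header and the username xway come from the page.

```python
import hashlib
import hmac
import re

# Copied from the REGISTER above, with the slide's line wraps joined.
PAGE_HEADER = (
    'Digest username="cholland", realm="exp-e-1.dcloud.cisco.com", '
    'uri="sip:ucm-sub1.dcloud.cisco.com", '
    'response="d8ad62d5f7555cd944f464b5d8f2a869", '
    'nonce="bc9fde6c224d6617f6dc4a6f8ae59a369c5f9ebcecb20220091dbf27ea75", '
    'opaque="AQAAAEXd5mTRpkTDUddWM/ttJLnZZuOd", cnonce="0000654b", '
    'qop=auth, nc=00000001, algorithm=MD5'
)


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest(value: str) -> dict:
    """Split 'Digest k="v", k2=v2' into a dict of lower-cased keys."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1).lower()] = quoted if quoted is not None else bare
    return fields


def calculate_response(fields: dict, method: str, password: str) -> str:
    """Response a verifier computes from its stored password."""
    if fields.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    ha1 = _md5(f'{fields["username"]}:{fields["realm"]}:{password}')
    ha2 = _md5(f'{method}:{fields["uri"]}')
    if fields.get("qop") == "auth":
        return _md5(":".join([ha1, fields["nonce"], fields["nc"],
                              fields["cnonce"], "auth", ha2]))
    if "qop" in fields:
        raise ValueError("only qop=auth is handled here")
    return _md5(f'{ha1}:{fields["nonce"]}:{ha2}')   # form without qop


def check_digest(header_value: str, method: str, password: str):
    """Return (matches, calculated_response) for the supplied credential."""
    fields = parse_digest(header_value)
    calculated = calculate_response(fields, method, password)
    supplied = fields.get("response", "")
    return hmac.compare_digest(calculated, supplied), calculated


def build_header(username, realm, uri, nonce, cnonce, method, password) -> str:
    """Client side: produce a qop=auth credential for the given password."""
    fields = {"username": username, "realm": realm, "uri": uri, "nonce": nonce,
              "cnonce": cnonce, "nc": "00000001", "qop": "auth", "algorithm": "MD5"}
    response = calculate_response(fields, method, password)
    return (f'Digest username="{username}", realm="{realm}", uri="{uri}", '
            f'response="{response}", nonce="{nonce}", cnonce="{cnonce}", '
            f'qop=auth, nc=00000001, algorithm=MD5')


if __name__ == "__main__":
    # Constructed traversal-style credential; only the name 'xway' is from the page.
    header = build_header("xway", "expe.example.com", "sip:expe.example.com",
                          "constructednonce0001", "0000abcd", "OPTIONS",
                          "traversal-secret")
    for candidate in ("traversal-secret", "wrong-secret"):
        ok, calculated = check_digest(header, "OPTIONS", candidate)
        supplied = parse_digest(header)["response"]
        print(f"{candidate}: match={ok} calculatedResponse={calculated} response={supplied}")
```

The logged values are MD5 digests over the username, realm, password, nonce and request line, so a mismatch only tells the two sides hold different passwords for that identity; neither hash is the password itself.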
SIP REGISTER
exp-e-1.dcloud.cisco.com: 198.18.1.152 (internal)
exp-c-1.dcloud.cisco.com: 198.18.133.152
Module="network.search" Level="DEBUG": Detail="Search rule 'LocalZoneMatch' ignored due to system generated search rule filtering"
Module="network.search" Level="DEBUG": Detail="Search rule 'CEtcp-ucm-pub.dcloud.cisco.com' did not match destination alias 'ucm-sub1.dcloud.cisco.com;transport=tcp;lr'"
Module="network.search" Level="DEBUG": Detail="Search rule 'B2B-to-external' ignored due to system generated search rule filtering"
Module="network.search" Level="DEBUG": Detail="Search rule 'B2B-from-external' did not match destination alias 'ucm-sub1.dcloud.cisco.com;transport=tcp;lr'"
Module="network.search" Level="DEBUG": Detail="Considering search rule 'CEtcp-ucm-sub1.dcloud.cisco.com' towards target 'CEtcp-ucm-sub1.dcloud.cisco.com' at priority '45' with alias 'ucm-sub1.dcloud.cisco.com;transport=tcp;lr'"
Route: <sip:ucm-sub1.dcloud.cisco.com;transport=tcp;lr>
Route header matches search rule on Expressway C
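The search-rule slides state one rule per node per transport protocol, and the log above shows the Route header being matched against those rules. As an added example (not from the original slides or from Cisco), this script replays network.search lines and checks that the rule expected for a Route header was the one considered; the CE<transport>-<node> naming is inferred from the rule names shown on the page, and the function names and the second (TLS) log are constructed assumptions.

```python
import re

# Constructed sample: the network.search lines from the slide above, wraps joined.
LOG = """\
Module="network.search" Level="DEBUG": Detail="Search rule 'LocalZoneMatch' ignored due to system generated search rule filtering"
Module="network.search" Level="DEBUG": Detail="Search rule 'CEtcp-ucm-pub.dcloud.cisco.com' did not match destination alias 'ucm-sub1.dcloud.cisco.com;transport=tcp;lr'"
Module="network.search" Level="DEBUG": Detail="Search rule 'B2B-to-external' ignored due to system generated search rule filtering"
Module="network.search" Level="DEBUG": Detail="Search rule 'B2B-from-external' did not match destination alias 'ucm-sub1.dcloud.cisco.com;transport=tcp;lr'"
Module="network.search" Level="DEBUG": Detail="Considering search rule 'CEtcp-ucm-sub1.dcloud.cisco.com' towards target 'CEtcp-ucm-sub1.dcloud.cisco.com' at priority '45' with alias 'ucm-sub1.dcloud.cisco.com;transport=tcp;lr'"
"""
ROUTE_HEADER = "Route: <sip:ucm-sub1.dcloud.cisco.com;transport=tcp;lr>"

# Constructed failure case: the client routes over TLS but only TCP rules exist.
LOG_TLS = """\
Module="network.search" Level="DEBUG": Detail="Search rule 'CEtcp-ucm-pub.dcloud.cisco.com' did not match destination alias 'ucm-sub1.dcloud.cisco.com;transport=tls;lr'"
Module="network.search" Level="DEBUG": Detail="Search rule 'CEtcp-ucm-sub1.dcloud.cisco.com' did not match destination alias 'ucm-sub1.dcloud.cisco.com;transport=tls;lr'"
"""
ROUTE_HEADER_TLS = "Route: <sip:ucm-sub1.dcloud.cisco.com;transport=tls;lr>"

DETAIL = re.compile(r'Module="network\.search".*?Detail="(?P<detail>.*)"\s*$')
PATTERNS = (
    (re.compile(r"^Search rule '(?P<rule>[^']+)' ignored due to"), "ignored"),
    (re.compile(r"^Search rule '(?P<rule>[^']+)' did not match "
                r"destination alias '(?P<alias>[^']+)'"), "no-match"),
    (re.compile(r"^Considering search rule '(?P<rule>[^']+)' towards target "
                r"'(?P<target>[^']+)' at priority '(?P<priority>\d+)' "
                r"with alias '(?P<alias>[^']+)'"), "considered"),
)
ROUTE = re.compile(r"<sip:(?P<host>[^;>]+)[^>]*?;transport=(?P<transport>\w+)")


def evaluate(log: str):
    """Return [(rule, outcome, alias)] in log order."""
    steps = []
    for line in log.splitlines():
        m = DETAIL.search(line)
        if not m:
            continue
        for pattern, outcome in PATTERNS:
            hit = pattern.match(m["detail"])
            if hit:
                steps.append((hit["rule"], outcome, hit.groupdict().get("alias")))
                break
    return steps


def expected_rule(route_header: str) -> str:
    """Rule name expected for a Route entry (assumed CE<transport>-<node> naming)."""
    m = ROUTE.search(route_header)
    if not m:
        raise ValueError("Route entry has no sip URI with a transport parameter")
    return f"CE{m['transport'].lower()}-{m['host']}"


def verdict(log: str, route_header: str) -> dict:
    steps = evaluate(log)
    considered = [rule for rule, outcome, _ in steps if outcome == "considered"]
    expected = expected_rule(route_header)
    return {"expected": expected, "steps": steps,
            "considered": considered, "matched": expected in considered}


if __name__ == "__main__":
    for log, route in ((LOG, ROUTE_HEADER), (LOG_TLS, ROUTE_HEADER_TLS)):
        v = verdict(log, route)
        print(v["expected"], "matched" if v["matched"] else "NOT matched")
        for rule, outcome, _alias in v["steps"]:
            print(f"  {outcome:10s} {rule}")
```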
SIP REGISTER
exp-c-1.dcloud.cisco.com: 198.18.133.152
ucm-sub1.dcloud.cisco.com: 198.18.133.219
How to validate the registration?
Expressway
CUCM Registration
CUCM
SIP Registration – SIP Path Headers Support
• Expressway X8.9
• CUCM 11.5(1)SU2
• Provides feature support for:
• Shared line features 78XX and 88XX
SIP REGISTER
exp-c-1.dcloud.cisco.com (198.18.133.152) to ucm-sub1.dcloud.cisco.com (198.18.133.219)
How to validate Calls? Expressway
Bandwidth Allocated
Zones route
Media Stats
See Next Slide
How to validate Calls? Expressway
• Channel1: Audio, DTMF
• Channel2: Video (main)
• Channel3: Video (content)
• Channel4: BFCP
• Channel5: FarEnd
How to validate Calls? Expressway
• Event Logs